Penetration Testers’ Guide to Windows 10 Privacy & Security



The goal: safeguarding my own privacy and the security of my clients’ data, while still being able to execute a penetration test.

Having concluded in September that Qubes OS was best suited as a portable lab, I have adopted Windows 10 Pro v1607 as my offensive platform. This article was modified in July ’17 to include several v1703 pitfalls.

Apply these hardening techniques to your personal Windows 10 system to drastically improve your security posture and keep your affairs private.

About the Author

Andrew Douma is a vendor-neutral IT Security Professional. He performs professional audits, penetration tests, and risk assessments. He designs secure networks and engineers high-assurance systems in the Cloud.

You can connect with him on GoodReads, LinkedIn, Medium, and Twitter.


Distrust

Microsoft has made much progress improving the security capabilities of their Operating System (OS). However, their pervasive use of “telemetry” and forced software installations/upgrades have cost them the trust of their customers.

Other hardware/software corporations are also installing telemetry software that calls home (Intel, Nvidia, Lenovo). Corporate surveillance is big business and here to stay.

On principle, I never want to see any persistent outbound UDP connections that I did not set up myself. I also do not want my network captures polluted.

So here we are: I trust neither my OS nor my hardware vendor. Welcome to my Windows 10 hardening guide.

Installation Media

A best practice is to format the hard drive and install legitimate and still supported software. Windows 10 Anniversary Edition (v1607), for better or worse!

Used systems with pre-loaded software may contain malware. It is not unheard of for this to be the case even for a newly store-bought laptop. It only takes one tech-savvy person in the supply chain.

Make sure you have the latest version of Windows.

If you insist you do not have a Windows installation USB/CD, use a search engine to find any recovery options your vendor provides. Most will allow you to download a recovery image or order one free of charge. If possible, cryptographically verify that your installation image is authentic.

Proceed to create a bootable USB with one of the many graphical or system/vendor provided (command line) tools.

Software Piracy

As cyber security professionals, let’s start treating this topic like Sex Ed:

Torrenting sites are designed to make money. Their UI/UX is often designed to trick people into installing malware — many host malicious ad campaigns that contain exploit kits with 0day drive-by exploits.

Pirated operating systems and (security) software found on torrent and other file sharing sites all contain malware. It is child’s play to fool your Antivirus. Attacks are becoming more and more destructive.

If you are a student, many vendors offer cost-reduced software licenses (email them if they do not list it on their website) — and you can usually buy Windows for next to nothing at your Campus Technology Store. Get a Windows 10 Education or Enterprise license if you can.

If you insist on being a member of the Pirate Party, please proceed with caution! Download these files from within a VM — run any cracks, patches, keygens from a disposable VM — download trials from the vendor website and install those inside a dedicated VM. You cannot trust your software.

Malware will spread via your network, shared folders, and in some cases, even break out of the VM and compromise your host operating system. Always keep VMWare/VirtualBox and its guest-OS up to date.

If you are an IT professional, you cannot be doing this; you are part of the cyber security problem! Learn how to reverse engineer software yourself if you really cannot afford the license fees. You will soon discover you have solved both problems. Force yourself to adopt secure routines.

Full Disk Encryption (FDE)

You have several options to secure your “data at rest” by encrypting it before writing it to disk. It is even possible to combine all three.

FDE only protects your data entirely when your system is completely powered down.

Crypto is only as strong as the weakest link. Take the time needed to generate that random data pool and use a strong passphrase.

Hardware-based (SED)

You can enable your Self-Encrypting Drive (SED) by setting a secure password when configuring your BIOS. This is not the same as setting a supervisor password!

Transparent full drive encryption on your Solid State Drive (SSD) has almost no performance downside. I do not have enough trust in Lenovo to rely on it solely.

Keep in mind that the encryption keys are kept inside your TPM chip, which is unlikely to survive a destructive hardware attack. Protect yourself by making regular backups.

Microsoft BitLocker

BitLocker is only available for Pro, Enterprise and Education licensees of Windows 10. The keys are also kept inside your TPM chip. I do not trust my OS either, so some separation of duty seems in order.

There are advantages to using BitLocker though:

Its compatibility with UEFI SecureBoot helps ensure only trusted code runs on startup.

Its integration with Active Directory Domain Services (AD DS) helps guarantee access to work files, even after you had to fire someone on the spot.

You can still store all business related data on VeraCrypt containers or external drives for additional security.

To enable BitLocker: File Explorer > Right click C > Turn on BitLocker.

VeraCrypt

I use VeraCrypt, a free and open-source (FOSS), cross-platform disk encryption tool that passed an independent audit. You too can learn to memorize a 32+ character passphrase.

VeraCrypt supports encrypting non-system GPT partitions/drives.

VeraCrypt, a free & open-source disk encryption solution

To encrypt your entire drive, you need to partition your disk as an MBR (Master Boot Record) disk and not the default GPT (GUID Partition Table) format.

Converting later will require a full reformat or purchasing commercial partitioning software. You can also choose to use a VeraCrypt encrypted file container on top of BitLocker/SSD FDE.

The above information combined with the documentation should be sufficient for you to accomplish this. Read their security model to understand what it does and does not protect you from.

Bios Configuration

Your Basic Input Output System (BIOS) is the codebase which initializes your hardware and loads the files that boot your Operating System.

Do not be intimidated by its old DOS-like interface and cryptic options. Use a search engine to investigate options unique to your variant and version.

Visit your vendor’s website and download their tool to update your BIOS to the latest version (repeat this quarterly).

IT professionals may want to take a look at NIST 147/147b.

If you are not planning on using VMWare, dual-booting Unix, or using VeraCrypt for FDE:

Enable Device Guard if you have the Windows 10 Education or Enterprise edition. Doing so automatically enables Intel Virtualization Technology & VT-d, UEFI Secure Boot, and OS Optimized Defaults.

Device Guard, when configured, locks your device down so that it only runs trusted applications you have defined through your code integrity policies. More information is covered by this Microsoft Technet article.

Since I am planning on using VeraCrypt FDE, and dual-booting Windows 10 Pro with the future Qubes OS 4:

I disabled Intel AMT, Device Guard, and Intel SGX. Intel is working on SGX Linux support, but I worry it might hinder me during my reverse engineering course.

I disabled Flash BIOS updating by End-Users and enabled Secure RollBack Prevention.

I enabled Data Execution Prevention (DEP).

I enabled Intel Virtualization Technology and VT-d.

I disabled my Integrated Camera and Microphone as I will not be using them.

I disabled Computrace Absolute Persistence (a commercial Anti-Theft rootkit).

I disabled Intel PTT (TPM 2.0) as most Windows security features will work with TPM 1.2. However, Qubes OS’s Anti-Evil-Maid feature requires Intel TXT, which TPM 2.0 does support. Changing TPM will reset the chip, including any SSD encryption keys present!

I set high-entropy Boot, User, and Master passphrases everywhere, enabling SSD FDE. Note that Lenovo does not permit the use of special characters.

I disabled SecureBoot and enabled both UEFI and Legacy Boot (Qubes & VeraCrypt FDE both require a legacy MBR Disk). Even though I cannot use SecureBoot, I can protect my system using MBRFilter.

I disabled all Boot devices except for my SSD and USB devices. Upon successful installation, I disabled those as well. Network Boot is set to my hard drive.

Save and exit settings to reboot from your Installation Media.

v1703 — Creators Update Notes

I would only recommend installing v1703 fresh, as the built-in upgrade process resulted in a hobbled and inconsistent OS.

None of the Windows recovery options or troubleshooting tools resolved this; I ended up using the “Reset this PC” functionality.

I’ve pushed on and am now single-booting Windows 10 “Redstone 2” with TPM 2.0, Device Guard and Bitlocker enabled.

Backups, backups, backups!!

Ensure you back up the BitLocker recovery key!

Windows Installation

As stated, I recommend that everyone start with a fresh installation of Windows 10: modern malware is very persistent, bootkits and rootkits are hard to detect, and Microsoft upgrades have always been buggy.

During installation and setup please:

Delete all existing partitions and completely format your hard drive.

Do not connect to your wireless or wired network.

Skip any Microsoft.com account creation.

Do not connect with an existing Microsoft account either.

Select advanced options.

Disable all “recommended” settings.

Name your account after your favorite SyFy or Disney character, not your legal name.

Use a decent password and no useful password hint (NIST 800–63–3).

Say “no thanks” to Windows Hello.

Say “not now” to Meeting Cortana.

Do not connect to your wireless or wired network after login.

There will not be much benefit to creating a non-administrative user.

Your system remains offline.

Side-loading updates

I highly recommend side-loading essential applications, vendor drivers, and Windows updates.

When you first boot up, Windows is far from trustworthy. It is full of holes and reporting back to its overlords. At the very least you are vulnerable to local MITM attacks.

WSUS Offline Update Tool

Format and prepare a USB stick from within a disposable VM.

Download all relevant Microsoft updates using WSUS Offline Update. Installing these will take some time.

Visit your vendor’s website and download their tool to bring the system BIOS up to date, as well as all other drivers.

If you have an SSD, I recommend updating its firmware as well. With some vendors this requires an internet connection; if you are concerned about your privacy, postpone it for now.

Download and run essential privacy applications and security software we discuss below.

Depending on your threat model, cryptographic verification of executables you download is essential.

Complete the above installation tasks. Your system remains offline.

Security & privacy tools

Until we get into Group Policy Editor and Windows Firewall territory, I recommend running a few consumer tools to kick off the process:

Unless manually enforced using a Group Policy Object, Microsoft will re-enable telemetry, firewall rules, and unwanted features during the next Feature upgrade or if you ever run System File Checker (sfc).

You would be wise to update & re-run your preferred privacy tools after a major Windows 10 release — these projects do a good job staying on top of things. Check their compatibility first!

They all seem to behave slightly differently. Use Process Monitor to reverse engineer their actions if you want to enforce the same changes using Group Policy/Scripts (or across AD connected workstations).

Your system remains offline.

Exploit Mitigation

One of the best things you can do to improve your security is install and configure the Enhanced Mitigation Experience Toolkit (EMET).

Carnegie Mellon University recently argued its continued benefits for Windows 10 users despite Microsoft announcing its End of Life by July 31, 2018. Microsoft has incorporated some of its protections in v1703.

Install EMET 5.5x.

Use the Recommended Settings when prompted.

A new system tray icon will appear, click it to open up the user interface.

Select the Maximum Security setting under Quick Profile and enable Early Warning.

Restart your system.


I also like the idea behind 0patch.com.

Your system remains offline.

Turn off Windows Features

We want to reduce our systems’ attack surface as much as possible: which means removing features and outdated capabilities we will never use.

Control Panel > Turn Windows features on or off

You will want to go over which Windows Features to turn off.

I enabled the Hyper-V and IIS Management Tools as well as a few Device Lockdown features, but removed .NET 3.5, SMB v1 and PowerShell 2. You could go much further.

For the v1703 remake, I disabled all Windows features and have not had an issue yet.
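The same removal, as an added PowerShell example that is not part of the original article: it inventories enabled optional features, disables the three named above (.NET 3.5, SMB1, PowerShell 2.0) by their DISM feature identifiers, also turns off SMB1 on the server side, and verifies the result. Run it from an elevated prompt.

```powershell
# Added example (not from the original article). Assumed DISM feature names on Windows 10:
#   NetFx3                              .NET Framework 3.5
#   SMB1Protocol                        SMB 1.0/CIFS File Sharing Support
#   MicrosoftWindowsPowerShellV2Root    Windows PowerShell 2.0 (root feature)
#   MicrosoftWindowsPowerShellV2        Windows PowerShell 2.0 Engine
$toRemove = 'NetFx3', 'SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2'

# Inventory first: everything still enabled is a candidate for review
Get-WindowsOptionalFeature -Online |
    Where-Object State -eq 'Enabled' |
    Sort-Object FeatureName |
    Select-Object FeatureName

# Disable only what is actually enabled; -NoRestart lets you batch the reboot
foreach ($feature in $toRemove) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
    if ($f -and $f.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
    }
}

# SMB1 has a separate server-side switch that is independent of the optional feature
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Verification: each entry in $toRemove should read Disabled (a reboot may still be pending)
Get-WindowsOptionalFeature -Online |
    Where-Object { $toRemove -contains $_.FeatureName } |
    Select-Object FeatureName, State
'SMB1 server-side enabled: ' + (Get-SmbServerConfiguration).EnableSMB1Protocol
```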

Your system remains offline.

Turn off Windows Services

When you run Sysinternals Autoruns with administrative privileges, it becomes a great tool to start managing the programs and services that are set to run at one point or another.

For now, under Administrative Tools > Services (or by running ‘services.msc’) I disabled Geolocation for privacy and a few services that are vulnerable to Bloodhound and Responder:

Right click on a Windows Service > Properties

Stop the “WinHTTP Web Proxy Auto-Discovery Service” (WPAD) and set its ‘Startup Type’ to Disabled — removing a method

The IP Helper service depends on WPAD and will be stopped, disable it as well.

Disable TCP/IP NetBIOS Helper, any file-sharing is done over SMB nowadays.
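The same service changes, as an added PowerShell example that is not part of the original article. It assumes the service short names WinHttpAutoProxySvc (WinHTTP Web Proxy Auto-Discovery Service), iphlpsvc (IP Helper), lmhosts (TCP/IP NetBIOS Helper) and lfsvc (Geolocation Service), stops them in dependency order and then reports anything that did not end up Stopped and Disabled. Run from an elevated prompt.

```powershell
# Added example (not from the original article). Assumed service names, see lead-in.
# Order matters: IP Helper depends on WPAD, so it is stopped first.
$services = 'iphlpsvc', 'WinHttpAutoProxySvc', 'lmhosts', 'lfsvc'

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' not found on this build"
        continue
    }
    if ($svc.Status -ne 'Stopped') {
        # -Force also stops dependent services that are still running
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }
    # Later Windows 10 builds may refuse to change the WPAD start type here;
    # the verification below will show that instead of silently succeeding.
    Set-Service -Name $name -StartupType Disabled -ErrorAction Continue
}

# Verification: list only services that are still running or still allowed to start
Get-Service -Name $services -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -ne 'Stopped' -or $_.StartType -ne 'Disabled' } |
    Select-Object Name, Status, StartType
```

An empty verification list means all four services are stopped and disabled; any row printed needs manual follow-up in services.msc.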

The debloat-windows-10 and the chill-out-windows-10 Github projects have more suggestions.

Unfortunately, with the v1603 Anniversary Update, Microsoft removed our ability to enforce this from Group Policy.

Your system remains offline.

Turn off Networking Capabilities

There are a few modifications we should make to our Wi-Fi settings and network adapters.

First, make it more difficult to track your location across WiFi networks:

Go to Settings > Wi-Fi

Switch ‘Use random hardware addresses’ on.

This will cause minor issues in environments where Static DHCP or MAC Filtering is in use.

You could use Technitium MAC Address Changer’s command-line to accomplish this for your Ethernet LAN interface.

Go to Settings > Ethernet > Ethernet > Change adapter options

or Control Panel > Network and Sharing Center > Change adapter settings

Right-click on any Network Adapter > Properties and uncheck:

Client for Microsoft Networks

File and Printer Sharing for Microsoft Networks

QoS Packet Scheduler

Microsoft Network Adapter Multiplexor Protocol

Microsoft LLDP Protocol Driver

Internet Protocol Version 6 (TCP/IPv6)

Link Layer Topology Discovery Responder

Link Layer Topology Discovery Mapper I/O Driver

In that same window, select ‘Internet Protocol Version 4 (TCP/IPv4)’ and click the Properties button. From there click the Advanced button, uncheck ‘Register this connection’s addresses in DNS’ on the DNS tab, and select ‘Disable NetBIOS over TCP/IP’ on the WINS tab.

Repeat these steps for all appropriate networked adapters. Your system remains offline.
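The adapter changes above as one script, an added PowerShell example that is not part of the original article. It assumes the binding component IDs listed in the comments map to the checkboxes named above (confirm with Get-NetAdapterBinding on your system), unbinds them from every physical adapter, turns off DNS registration and NetBIOS over TCP/IP, and then reports any listed binding that is still enabled. Run from an elevated prompt.

```powershell
# Added example (not from the original article). Assumed component IDs:
#   ms_msclient  Client for Microsoft Networks
#   ms_server    File and Printer Sharing for Microsoft Networks
#   ms_pacer     QoS Packet Scheduler
#   ms_implat    Microsoft Network Adapter Multiplexor Protocol
#   ms_lldp      Microsoft LLDP Protocol Driver
#   ms_tcpip6    Internet Protocol Version 6 (TCP/IPv6)
#   ms_rspndr    Link-Layer Topology Discovery Responder
#   ms_lltdio    Link-Layer Topology Discovery Mapper I/O Driver
$components = 'ms_msclient', 'ms_server', 'ms_pacer', 'ms_implat',
              'ms_lldp', 'ms_tcpip6', 'ms_rspndr', 'ms_lltdio'

# -Physical skips virtual adapters (VMware/VirtualBox host-only NICs); drop it to include them
foreach ($adapter in Get-NetAdapter -Physical) {
    foreach ($id in $components) {
        Disable-NetAdapterBinding -Name $adapter.Name -ComponentID $id -ErrorAction SilentlyContinue
    }
    # IPv4 > Advanced > DNS tab: 'Register this connection's addresses in DNS'
    Set-DnsClient -InterfaceIndex $adapter.ifIndex -RegisterThisConnectionsAddress $false
}

# IPv4 > Advanced > WINS tab: 'Disable NetBIOS over TCP/IP' (TcpipNetbiosOptions: 0=DHCP, 1=enable, 2=disable)
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }

# Verification: any of the unwanted bindings still enabled on a physical adapter is printed
Get-NetAdapter -Physical | Get-NetAdapterBinding |
    Where-Object { $components -contains $_.ComponentID -and $_.Enabled } |
    Select-Object Name, DisplayName, ComponentID

# And the NetBIOS state per adapter (expect 2 on every IP-enabled interface)
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, TcpipNetbiosOptions
```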

Uninstall Software

I run most of my tools from inside a Virtual Machine. I have both Oracle VirtualBox and VMWare Workstation installed. You are advised to do the same.

Those files I receive via my mail client and open up with my favorite office suite pose the highest risk. Let alone the malicious samples I eagerly download with my web browser!

I do have a few tools I use outside of a VM:

3 Billion devices: a terrifying thought.

I quickly uninstalled the following:

Adobe Flash, Java, Skype & all Windows Store apps.

All Lenovo apps, except for On Screen Display and Power Management Driver.

Intel Management Engine Components & Intel Security Assist (Intel ME).

Intel PROSet/Wireless Software* (provided by Lenovo).

Intel WiDi (support ended October 2016).

*I grabbed the latest drivers for my network card from Intel.com (Lenovo is always behind). For these drivers I chose not to install the Software Extensions nor the Administrative Toolkit.

A reboot may be required. Keep your system offline.

OpenDNS

Ever since OpenDNS rebranded itself as an enterprise security company and finally implemented RFC-compliant DNS (no custom redirects, no ads), it has become a great alternative to your ISP’s or Google’s DNS.

You can increase your internet speed and improve your security posture by setting the DNS servers (on your device and router) to these IP addresses:

208.67.222.222

208.67.220.220

By default OpenDNS blocks resolution of known malicious domains only.

If you sign up for a free account, you can shield your networked devices even further, useful when you have kids or a Social Media addiction.

This does not stop a Man-in-the-Middle (MiTM) attack. Your “URL to IP address” translation requests are not encrypted!

DNSCrypt

The Domain Name Service (DNS) is the reason your Internet Service Provider (ISP) knows exactly which websites you are visiting.

SimpleDNSCrypt

Many countries, including Germany, the United Kingdom, and the United States, allow their Federal police to hack their citizens.

DNSCrypt is an excellent way to verify that responses originate from the chosen DNS resolver and have not been spoofed.

It does not provide encryption, prevent “DNS leaks”, or a third-party DNS resolver from logging your activity.

Higher-level protocols such as TLS, as used in HTTPS and HTTP/2 (SPDY), also leak website host names in plain text (in the SNI extension), rendering DNSCrypt useless as a way to hide this information.

SimpleDNSCrypt is the most up to date implementation for Windows 10. I opted to disable IPv6 and will revisit the hidden (virtual) NICs at another time.

Restart your system. It should be ‘OK’ to take it online now.

Virtual Private Networks

Your internet history is accessible for at least 48 institutions without a warrant in the United Kingdom. Other countries are doomed to follow.

“Privacy is a transient notion. When people stopped believing God could see everything, governments realized there was a vacancy open.” — Roger Needham

It is strongly recommended to encapsulate all network traffic beyond your own country’s borders using a Virtual Private Network.

At best a VPN provides more privacy. Do not count on it for anonymity:

Personally, I run a hardened Linux instance with Algo VPN that sets up a secure personal IPsec VPN for my mobile devices, and for when I’m connecting over a public WiFi.

We use Streisand for instances we tear down at the end of the day. It generates a user-friendly HTML file with instructions to connect to the newly provisioned server running L2TP/IPsec, OpenSSH, OpenVPN, Stunnel, and a Tor bridge. Easy to share with others.

Not all VPS servers are alike; Linode is a personal favorite of mine.

UnGoogled Chromium

I consider Google Chrome one of the more secure (by design) browsers.

Because there is an open-source version, someone created UnGoogled Chromium stripped free of Google integration, resulting in a more private (and so much faster!) browsing experience.

If you opt for a more traditional approach and fire up your Microsoft Edge browser to download Chrome or Firefox, be sure to ignore Bing’s and Windows’ attempts to dissuade you!

Configure your browser to deny 3rd party cookies.

Remove any bundled plugins/extensions installed by default.

Disable any location/prediction/spellcheck services.

Set StartPage as your homepage and search engine.

99.9% of web exploits, tracking and fingerprinting start with malicious JavaScript execution hosted on known malware domains.

Review the options of every browser you have installed, including Internet Explorer/Edge. Take the time to configure each plugin on ‘expert’ mode!

Group Policy Editor/Objects

Windows Updates (and upgrades) tend to ‘flip settings’ back to their insecure defaults. Microsoft only seems to respect settings enforced using central Group Policy Objects (GPOs).

Even if you are not a seasoned IT professional — you will love being able to manage most settings for all user accounts from a single program (‘gpedit.msc’). An up to date settings reference for Windows 10 is available in Excel format.

This interface can be uncovered by executing ‘gpedit.msc’

You can extend the capabilities of your Group Policy Editor by deploying Administrative Templates (.adml & .admx files).

For example, to control EMET with a GPO:

From C:\Program Files (x86)\EMET 5.5\Deployment\Group Policy Files\

Copy the .adml file to C:\Windows\PolicyDefinitions\en-US\

Copy the .admx file to C:\Windows\PolicyDefinitions\

Repeat this for this set of Administrative Templates provided by Microsoft (the v1703 templates can be downloaded here)

Download the Windows10-ADMX.msi file

From C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions\

Copy the .adml file to C:\Windows\PolicyDefinitions\en-US\

Copy the .admx file to C:\Windows\PolicyDefinitions\

Templates are also available for Microsoft Office 2010 / 2013 / 2016 / 2007, LibreOffice as well as Chrome and Firefox.

If you get an Access Denied error, you’ll have to take ownership of the PolicyDefinitions folder first:

Right-click on the folder, go to Properties, then Security tab.

Click on Advanced, Owner tab and change the owner to your account.

Don’t forget to tick the ‘Replace all child object permissions’ box.

We will use some of these extended capabilities to lock down the system, making it harder for anyone to disable your protections.

A reboot may be required to load these extensions.

Secure Host Baselines

Several well-funded organizations give advice on what makes a configuration “secure.”

Establishing a Secure Host Baseline (SHB) is one of the NSA’s top 10 mitigation strategies.

DoD Secure Host Baseline

I like the DoD Secure Host Baseline project on Github. It is a collection of PowerShell scripts that are relatively painless to apply.

Hit the Windows Key + X keyboard shortcut and launch Windows PowerShell (Admin). Run all the commands below from there:

Set-ExecutionPolicy Unrestricted

Download the repository as a ZIP file, and unlock it:

cd $env:USERPROFILE\Downloads

Unblock-File -Path '.\Secure-Host-Baseline-master.zip'

Extract the ZIP file, remove “-master” from both directories created.

In the PowerShell terminal, navigate down to the directory, and import the Group Policy PowerShell module:

cd $env:USERPROFILE\Downloads\Secure-Host-Baseline

Import-Module -Name '.\Secure-Host-Baseline\Scripts\GroupPolicy.psm1'

You will need to extract the Microsoft Local Group Policy Object (LGPO) utility to a known location. Make sure to reference full paths in the command below to avoid any errors.

I have no need for cryptographic DoD certificates:

Invoke-ApplySecureHostBaseline -Path 'C:\...\Secure-Host-Baseline\' -PolicyNames 'Adobe Reader','AppLocker','Chrome','EMET','Internet Explorer','Office 2013','Windows','Windows Firewall' -ToolPath 'C:\...\LGPO.exe'

You will notice that, for example, more of your Chrome settings are now enforced using group policy — some of which I will reverse.

That said, it is not perfect:

I had to manually delete an old set of ADMX/ADML files to launch my Local Group Policy Editor error free.

Chrome has most of its plugins disabled, the search engine is locked to a faulty version of Google SSL, and my homepage is now a .mil site.

A reboot is required to apply all changes successfully.

Microsoft Security Compliance Manager

Microsoft has released an excellent tool which allows you to apply their “Recommended Security Baselines.”

This tool will soon be replaced by the DSC Environment Analyzer (DSCEA), likely before the v1703 security baselines are ready for production, so keep that in mind.

Install and configure Security Compliance Manager 4 (SCM). Be aware that this tool requires .Net Framework 3.5 (Includes .Net 2.0 and 3.0) and installs SQL Server 2008 Express (x86) — increasing your attack surface.

Once installed, under the ‘Get knowledge’ column, you can download Microsoft baselines automatically for Windows 10 v1607, Internet Explorer 11 and Office 2007/2010/2013.

Check out the Attachments\Guides section for the SecGuide ADMX/ADML to install and any supplemental documentation. You have to Duplicate a baseline before it can be customized.

Microsoft SCM 4.0

If you wish to apply any SCM baseline to your system, you can export a GPO backup folder and use the LGPO tool’s /g switch.

Microsoft Policy Analyzer

Another tool to geek out over is the Microsoft Policy Analyzer tool, which shows the differences between your local policy/registry and as many GPO backups as you Add & select.

In the Policy Viewer, the information displayed can be filtered and searched, or exported to Excel format. Conflicts are shown in yellow.

The DoD Secure Host Baseline template has the more secure defaults in most cases, but you will find that a hybrid of both fits your particular use-case.

Customizing Group Policy

There is no substitute to manually stepping through my options with the Group Policy Editor (by running ‘gpedit.msc’). Improve its readability by sorting the ‘Setting’ or ‘State’ column.

The wording for some settings can be very counter-intuitive. Luckily each option has a clear description.

Most of the relevant settings are found under these Policy Paths:

Computer Configuration > Windows Settings > Security Settings

Computer Configuration > Administrative Templates > System

Computer Configuration > Administrative Templates > Windows Components

User Configuration > Administrative Templates

Apply any changes by executing the command below in any admin shell:

gpupdate.exe /Force

It can be very insightful to repeat this step as new CIS benchmark documents are released.

Merging Baselines

The information the Policy Analyzer gives me allows me to quickly combine the best of two baselines together and customize my settings as desired.

I eased my Account Lockout Policy (duration).

I require VMWare compatibility to do my job (a nonissue in v1703).

I disabled Windows Defender (and SpyNet) for privacy reasons.

I white-listed my desired Chrome Extensions and relaxed other settings.

I disabled program execution from removable drives.

Despite primarily working from VMWare, some settings aimed at improving security would interfere with me during a penetration test, such as those limiting the number of simultaneously active network adapters or preventing me from creating a layer 2 MAC bridge between them.

Less Telemetry

As you are stepping through your options, you will not only discover Chrome has a Dinosaur Easter Egg Game, but that many apps have some form of:

Advertising ID

Cloud Sync

Error Reporting

Experience Improvement

Customer Experience Improvement Program (CEIP)

Telemetry

Usage Statistics

The DoD baseline has done a good job disabling most, but not all. Note that unless you have a Windows Enterprise or Education license, you will not be able to disable Telemetry entirely.

Strict policy reapplication

Make sure to enforce strict reapplication of critical policies:

Adm. Templates > System > Group Policy.

Enable: ‘Process even if the Group Policy objects have not changed’.

For: Folder redirection-, IP security-, registry-, scripts-, security-, Services preference-, software installation-, wired-, and wireless- policy processing.

Deny access from the network

I will never need to remotely login to my workstation:

Adm. Templates > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Add ‘Local account and member of Administrators group’ to:

‘Deny access to this computer from the network’

‘Deny log on through Remote Desktop Services’

Windows DNS Client

Windows 10’s DNS Client just accepts whichever response it receives first, not necessarily the one from your intended DNS server.

Adm. Templates > Network > DNS Client.

‘Turn off smart multi-homed name resolution’ to prevent “DNS Leaks”.

‘Turn off multicast name resolution’ to disable LLMNR.

‘Turn off smart protocol reordering’ for good measure.

We can later enforce this policy using Windows Firewall as a technical control.

Windows NTP Client

Configure the Windows Network Time Protocol (NTP) Client to use trusted, non-Microsoft, servers — perhaps even authenticated ones. At least till Google’s ‘roughtime protocol’ is synchronizing our clocks.

SSL/TLS Standards

You can enforce the use of modern TLS standards system-wide:

Adm. Templates > Network > SSL Configuration Settings.

To determine which ECC curves are supported on your system, use the following command:

CertUtil.exe -DisplayEccCurve

This usually breaks older applications like SQL Server 2008 Express (Windows Event Viewer is your friend).

Lucky for us Google Chrome is state of the art:

Adm. Templates > Google > Google Chrome.

‘Disable the SPDY protocol’ (HTTP2), set ‘Minimum SSL version enabled’ to TLS 1.2 and set ‘Enable WPAD optimization’ to Disabled.

Review the Control Panel > Internet Options > Advanced tab and uncheck ‘Use HTTP2’, check ‘Send Do Not Track requests’. Disable WPAD on the Connections tab > LAN Settings > uncheck ‘Automatically detect settings’.

Additional Privacy

Adm. Templates > Windows Components > Internet Explorer.

I granted myself the privilege to delete my IE browsing history.

Adm. Templates > Windows Components > Location and Sensors.

I turned off all Sensors.

Microsoft EMET

Re-configure Microsoft EMET for maximum security:

Adm. Templates > Windows Components > EMET

Set System DEP to ‘Always On’

Enable ‘Default Protections for Popular Software’

At time of writing, I had a small issue with Chrome after enforcing EMET’s Popular Programs via Group Policy. The solution was to configure it via the GUI and turn off ‘EAF: Extended Table Access Filtering Plus’ for Chrome only.

LSA Protection

It is recommended to configure additional LSA Protection to defeat tools like Mimikatz.

Under: Adm. Templates > MS Security Guide (a custom template from SCM4) enable ‘Lsass.exe audit mode’.

Reboot and check the Windows Event Viewer for event codes 3065 and 3066 — those are drivers that do not meet security standards.

Sysinternals Autoruns will show unsigned drivers in a different color, under Options > Scan Options you can enable code signature verification and submission to VirusTotal.com.

Go back and enable ‘LSA Protection’ if all your drivers are properly signed.

WDigest Authentication should already be disabled to prevent transmission of credentials across the network as a weak MD5 hash or message digest.
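A read-only check for the three points above, as an added PowerShell example that is not part of the original article: it pulls the 3065/3066 audit events, then reports whether LSA Protection (RunAsPPL), LSASS audit mode and WDigest caching are in the expected state. The registry locations are assumed to be the standard Microsoft-documented ones; event IDs come from the text. Run from an elevated prompt after the reboot.

```powershell
# Added example (not from the original article). Assumed registry locations:
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa                                          RunAsPPL (1 = LSA Protection on)
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe  AuditLevel (8 = audit mode)
#   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest                    UseLogonCredential (0 = off)

# 1. Drivers/plug-ins that would be blocked once LSA Protection is on (IDs 3065/3066 from the article)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } -ErrorAction SilentlyContinue
if ($events) {
    Write-Output "Found $($events.Count) LSASS audit event(s); review before enabling LSA Protection:"
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Output 'No 3065/3066 events: nothing failed the LSASS signing checks since the last reboot.'
}

# 2. LSA Protection state
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Write-Output ("RunAsPPL (LSA Protection): {0}" -f $(if ($lsa.RunAsPPL -eq 1) { 'enabled' } else { 'NOT enabled' }))

# 3. Audit mode state (the 'Lsass.exe audit mode' policy writes AuditLevel = 8)
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
$audit = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).AuditLevel
Write-Output ("LSASS AuditLevel: {0}" -f $(if ($audit -eq 8) { '8 (audit mode on)' } else { "$audit (audit mode off)" }))

# 4. WDigest: UseLogonCredential must be 0 or absent on Windows 10, otherwise plaintext credentials are cached
$wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
if ($wd.UseLogonCredential -eq 1) {
    Write-Warning 'WDigest UseLogonCredential = 1: plaintext credentials are being cached in LSASS!'
} else {
    Write-Output 'WDigest credential caching: disabled'
}
```

If step 1 prints no events and step 2 says NOT enabled, that is the point at which to turn on the ‘LSA Protection’ policy described above and reboot.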

Microsoft Office

If you are installing Microsoft Office outside of a VM (not recommended!):

Customize your install and do not install potentially vulnerable extensions.

The DoD and Microsoft Baselines do not have a policy for Office 2016 yet, copy the settings from an earlier version.

Double check the Security Settings & Telemetry Dashboard for each of the Microsoft Office suites under User Configuration > Administrative Templates. I disabled Telemetry & all ActiveX and VBA.

Enable ‘Block macros from running in Office files from the Internet’ under Options > Security > Trust Center for each Microsoft Office product.

You should also disable Office OLE Automation for Outlook. Note that an attacker can still embed code inside Office documents.

Launch the Windows Registry Editor (regedit.exe)

Browse to: HKEY_CURRENT_USER > SOFTWARE > Microsoft > Office > # > Outlook > Security (# = 12.0/14.0/15.0/16.0)

Create a new ‘DWORD (32-Bit) Value’ called ‘ShowOLEPackageObj’ and set it to ‘0’.

Registry changes require a reboot.

Net Session Enumeration

Run the NetCease PowerShell script to mitigate against a method Bloodhound uses.

cd $env:USERPROFILE\Downloads

Unblock-File -Path '.\NetCease.zip'

.\NetCease\NetCease.ps1

Restart the Server service (or reboot).

Web Proxy Auto-Discovery Protocol (WPAD)

We already disabled the ‘WinHTTP Web Proxy Auto-Discovery Service’ service and unchecked the ‘Auto-detect settings’ Internet Options property.

Launch the Windows Registry Editor (regedit.exe)

Browse to: HKEY_CURRENT_USER > SOFTWARE > Microsoft > Windows > CurrentVersion > Internet Settings > Wpad

Create a new ‘DWORD (32-Bit) Value’ called ‘WpadOverride’ and set it to ‘1’.

Browse to: HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Tcpip > Parameters

Set the existing ‘UseDomainNameDevolution’ to ‘0’.

Registry changes require a reboot.

Windows Script Host (WSH)

Malware often abuses functionality that allows apps and processes to be automated; Windows Script Host is a classic example.

We can disable most of the Windows Scripting capabilities:

Launch the Windows Registry Editor (regedit.exe)

Browse to: HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows Script Host > Settings

Create a new ‘DWORD (32-Bit) Value’ called ‘Enabled’ and set it to ‘0’.

Disabling WSH may prevent you from running .bat batch files.
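The three registry edits above (Outlook OLE packages, WPAD, Windows Script Host) as one script, added here as an example and not taken from the article; the helper name Set-HardeningDword is my own, and the Office version keys are only touched when that Office generation is present.

```powershell
# Added example, not part of the original article: applies the Outlook OLE,
# WPAD and Windows Script Host registry changes from the sections above with
# PowerShell instead of regedit.exe. Run from an elevated prompt, then reboot.
$ErrorActionPreference = 'Stop'

# Creates the key if needed, writes a REG_DWORD and reads it back as a check.
function Set-HardeningDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($actual -ne $Value) { throw "Write-back check failed for $Path\$Name" }
    '{0}\{1} = {2}' -f $Path, $Name, $actual
}

# Microsoft Office: hide OLE package objects in Outlook for every Office
# generation installed on this machine (12.0 = 2007 ... 16.0 = 2016).
foreach ($ver in '12.0', '14.0', '15.0', '16.0') {
    if (Test-Path -Path "HKCU:\SOFTWARE\Microsoft\Office\$ver") {
        Set-HardeningDword -Path "HKCU:\SOFTWARE\Microsoft\Office\$ver\Outlook\Security" `
                           -Name 'ShowOLEPackageObj' -Value 0
    }
}

# WPAD: opt the current user out of proxy auto-discovery and stop TCP/IP from
# devolving unqualified names such as 'wpad' through the DNS suffix list.
Set-HardeningDword -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad' `
                   -Name 'WpadOverride' -Value 1
Set-HardeningDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
                   -Name 'UseDomainNameDevolution' -Value 0

# Windows Script Host: Enabled = 0 disables wscript.exe/cscript.exe machine-wide.
Set-HardeningDword -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' `
                   -Name 'Enabled' -Value 0

Write-Host 'Done. Registry changes take effect after a reboot.'
```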

Windows Firewall with Advanced Security

Windows Firewall (WFAS) is our technical security control that enforces our intended policies and supplements them when needed.

For example, we cannot use Group Policy to reinforce that our DNS requests are only sent to the local DNSCrypt proxy or specific OpenDNS servers.

I have extensively experimented with various alternatives and graphical Windows Firewall front-ends to speed up my workflow — all had significant usability or security flaws.

You can see every existing Firewall rule using the ‘Windows Firewall with Advanced Security’ desktop app (or by running ‘WF.msc’).

Firewall settings and rules are best created using the now familiar Group Policy Editor, under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security.

First block all outgoing and incoming traffic by default:

Click ‘Windows Firewall Properties’.

For each profile (Domain, Private, Public) use the drop-down to ‘Block’ all Outbound connections.

Explore the Settings and Logging customization options for each.

Important: by default Windows Firewall has a legion of local inbound and outbound exceptions (‘WF.msc’). Disabling these in ‘WF.msc’ is only a temporary fix.

Unless you create an explicit Block rule for each, or disable merging of local firewall rules in each profile’s settings using Group Policy (‘gpedit.msc’), Microsoft will re-enable them after a major update. Furthermore, applications often create their own exceptions.

Now let’s allow our Windows DNS Client to function:

Under ‘Outbound Rules’

Right click > New Rule…

Rule type: ‘Custom’

Program path: ‘%SystemRoot%\System32\svchost.exe’

Protocol type: TCP

Remote port: Specific Ports / 53

Scope > remote IP addresses > Add > Predefined set of computers: DNS servers

Allow the connection / for all profiles / give it an appropriate name

Repeat the same steps for ‘svchost.exe’ to allow our Windows NTP Client (UDP / 123) and Windows Update (TCP / 80,443).

A few examples of processes I allow to make outbound TCP connections:

%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe

%ProgramFiles(x86)%\Google\Update\GoogleUpdate.exe

%ProgramFiles(x86)%\Samsung Magician\Samsung Magician.exe

%ProgramFiles(x86)%\VMware\VMware Workstation\vmware.exe

%ProgramFiles%\HitmanPro\HitmanPro.exe

%ProgramFiles%\Windows Defender\NisSrv.exe

%SystemRoot%\syswow64\vmnat.exe

My inbound rules consist solely of Core Networking and specific application exceptions.

Force yourself to apply the principle of least privilege. GoogleUpdate and HitmanPro should only connect to port 443 over TCP. ‘Connected User Experiences and Telemetry’ (DiagTrack) should be explicitly blocked.
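The outbound policy described in this section, written with the NetSecurity cmdlets instead of the Group Policy GUI; this is an added example, not the article’s own configuration. The rules land in the local persistent store (so the local-rule-merging caveat above still applies), the function name Get-OutboundAllowSummary is mine, and the Program Files (x86) paths are expanded at creation time because I assume the firewall will not reliably expand %ProgramFiles(x86)% itself.

```powershell
# Added example, not part of the original article: default-deny profiles, the
# svchost allow rules, two application allow rules and an explicit DiagTrack
# block. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'
$svchost = '%SystemRoot%\System32\svchost.exe'
$pf86    = ${env:ProgramFiles(x86)}   # expanded now, see the note above

# 1. Default deny in both directions for every profile; log what gets dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Least-privilege allow rules: one program, one protocol, only the ports needed.
$allow = @(
    @{ DisplayName = 'Allow DNS client';       Program = $svchost; Protocol = 'TCP'; RemotePort = '53';        RemoteAddress = 'DNS' }
    @{ DisplayName = 'Allow NTP client';       Program = $svchost; Protocol = 'UDP'; RemotePort = '123';       RemoteAddress = 'Any' }
    @{ DisplayName = 'Allow Windows Update';   Program = $svchost; Protocol = 'TCP'; RemotePort = '80', '443'; RemoteAddress = 'Any' }
    @{ DisplayName = 'Allow Chrome';           Program = "$pf86\Google\Chrome\Application\chrome.exe"; Protocol = 'TCP'; RemotePort = '80', '443'; RemoteAddress = 'Any' }
    @{ DisplayName = 'Allow GoogleUpdate 443'; Program = "$pf86\Google\Update\GoogleUpdate.exe";       Protocol = 'TCP'; RemotePort = '443';       RemoteAddress = 'Any' }
)
foreach ($r in $allow) {
    New-NetFirewallRule @r -Direction Outbound -Action Allow -Profile Any | Out-Null
}

# 3. Explicit block for the telemetry service. Block rules win over allow rules,
#    so this overrides the svchost allows for the DiagTrack service only.
New-NetFirewallRule -DisplayName 'Block DiagTrack telemetry' -Direction Outbound -Action Block `
    -Program $svchost -Service 'DiagTrack' -Profile Any | Out-Null

# 4. Review: every enabled outbound allow rule with its program and ports, so
#    merged local exceptions and application-created rules stand out.
function Get-OutboundAllowSummary {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Program    = $app.Program
                Protocol   = $port.Protocol
                RemotePort = ($port.RemotePort -join ',')
            }
        }
}
Get-OutboundAllowSummary | Format-Table -AutoSize
```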

AppLocker

One of the most powerful defense strategies is whitelisting which applications are allowed to run with Windows AppLocker.

By now AppLocker is already running in ‘Audit only’ mode — all processes executed by users are logged to the Event log, including the full path of the program.

As a first step you could blacklist your home and temporary directory, as well as other paths a regular user has write access to.

Next, only allow the execution of files in directories you trust (i.e. %ProgramFiles% and %WinDir%). Use AccessEnum to verify there are no user-writable directories there (like MS-SQL’s ‘ErrorReporting’!).

All AppLocker policies are created and managed using Group Policy under:

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker

Your goal is to whitelist only those applications you trust, by path but preferably by their digital signature.
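Both the LSA Protection section (event codes 3065 and 3066) and this AppLocker section depend on reading audit-mode events before switching to enforcement. The script below, added here as an example rather than taken from the article, pulls both; the function names are mine, and the log channel names are the standard Windows ones for these events (confirm them in Event Viewer if your build differs).

```powershell
# Added example, not part of the original article: review the two audit-mode
# logs before enabling LSA Protection and before setting AppLocker to enforce.
function Get-LsaAuditFindings {
    # 3065/3066: a driver or plug-in loaded by lsass.exe that fails the signing
    # or shared-section requirements. An empty result means LSA Protection is safe.
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Detail = ($_.Message -split "`r?`n")[0] }
        }
}

function Get-AppLockerAuditSummary {
    param([switch]$WouldBlockOnly)
    # 8002 = allowed; 8003 = allowed in audit mode but blocked once enforced.
    $ids    = if ($WouldBlockOnly) { 8003 } else { 8002, 8003 }
    $filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = $ids }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # AppLocker stores the details in the event's UserData block.
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Id       = $_.Id
                FilePath = $data.FilePath
                UserSid  = $data.TargetUser
                # Executed from a user-writable location: a candidate for the
                # blacklist described above (home, temp, downloads).
                UserWritable = $data.FilePath -match '^%OSDRIVE%\\USERS\\|\\TEMP\\'
            }
        } |
        Group-Object -Property FilePath |
        ForEach-Object {
            [pscustomobject]@{
                Runs         = $_.Count
                FilePath     = $_.Name
                UserWritable = $_.Group[0].UserWritable
                WouldBlock   = @($_.Group | Where-Object Id -eq 8003).Count -gt 0
            }
        } | Sort-Object -Property UserWritable, Runs -Descending
}

Get-LsaAuditFindings      | Format-Table -AutoSize
Get-AppLockerAuditSummary | Format-Table -AutoSize
```

Anything listed with WouldBlock set to True but that you do use every day needs a rule (by publisher where possible) before you leave audit mode.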

For the paranoid

Despite dedicating over 6,000 words to the topic, there is always more we can do and new attack vectors are published every month.

Windows Spy Blocker

I want to revisit the WindowsSpyBlocker GitHub project, as it has a robust approach to the problem and is continuously updated. Installing an application layer proxy and generating a unified hosts file yourself is strongly recommended. I will probably incorporate this with Blackbird.

Sysmon

Sysmon is another free tool from Windows Sysinternals.

It is a background monitoring tool that logs to the Windows event log — is very feature rich — and gives you more visibility into the live state of your endpoint.

See the author’s presentation “How to go from Responding to Hunting with Sysinternals Sysmon” and this write-up by the founder of Graylog and webcast by BHS.

MBRFilter

In the fight against ransomware, bootkits & rootkits, Cisco’s Talos has released the MBR Filter Driver. This essentially sets your Master Boot Record to read-only.

It is relatively easy to install. Read the original blog post here. This tool is not for UEFI/SecureBoot systems.

OSSEC HIDS

A free and open-source Host-based Intrusion Detection System with a very powerful correlation and analysis engine:

Log analysis

File integrity checking

Windows registry monitoring

Central policy enforcement

Rootkit detection

Real-time alerts

Active responses

We monitor all our Linux, OpenBSD, MacOS and Windows hosts with it. If you want to run it locally, you will need to set it up in a host-only Linux VM as Windows support is limited to an installable agent. Works great in combination with Graylog!

Two Factor Authentication

Solely relying on a username/password or even out-of-band SMS authentication using your cell phone will not be secure enough in 2017 (NIST 800–63A/B/C). U2F security keys are your best hope against account takeovers.

I highly recommend buying and learning how to use a Yubikey. The YubiKey 4 is now closed-source but the NEOs are still using open-source code others can independently verify. It integrates well with Windows 10.

Do you have any advice? Corrections or additions?

Do not hesitate to reply. Feel free to share your experiences, advice, and questions in private or through the comments section.
