Windows Hardening Guide

Collaborative post by @0xdabbad00 (0xdabbad00.com) and @insanitybit (insanitybit.com)

 

Audience

This guide is focused on Windows Vista, 7 and 8 systems for personal use.  This guide is not concerned with the following:

– Not Windows XP or earlier because they simply do not have the security features necessary to securely use.  A lack of ASLR and SEHOP, no integrity levels, a kernel with exposed attack surface, and a general lack of privilege separation makes securing XP a task best left to science fiction.

– Not enterprise environments, though some of this information can certainly translate over

– No IDS, DNS log monitoring, or other network related activities that are usually only reasonable to spend time on in enterprise environments.

Strategy

Disrupt, deny, and degrade attacks through reduction of attack surface area and implementation of modern mitigation techniques.  Finally, prepare for the worst, assume APT.

Reduce Attack Surface

Vulnerabilities require one thing – code; if the code exists, so will vulnerabilities. The best way to avoid being exploited is to ensure there as few vulnerabilities as possible for the attacker to exploit.  The simplest and most effective way to do that is to minimize the amount of software on the system – less running code means less places for your attacker to poke at.

There are some key areas that are commonly attacked:

1) PDF Reader:  If possible uninstall Adobe Reader and use Chrome or Firefox’s built in PDF reader.  If you must use Adobe Reader ensure that Javascript is disabled and that Protected Mode is enabled in the security settings. There will be other steps in the guide for hardening your PDF reader further.

2) Java: Java is one of the most highly exploited programs on Windows systems. It’s a very easy target for attackers, and this is unlikely to change for a long time. If you can’t remove Java altogether I highly suggest changing your browser settings to “Click To Play Plugins”.

3) Windows Services: Windows, like any other mainstream OS, comes with a ‘default compatible’ attitude – it has to work for everyone. That means it comes with a large number of services running by default. These services are exploitable, and have been used for local privilege escalation in the past. Disable any Windows services that you don’t need. Deciding which services you do or don’t need requires a bit of research, as different users require different things.

For other software you’ve installed, such as an instant messaging client or torrenting client, always ensure that you have the latest version and keep track of security releases.  Many software applications have their own auto-update mechanisms, make sure you enable it if you don’t think you’ll stay on top of patching yourself.  You can also use software like Secunia’s PSI which will scan the software you have installed to ensure it is up-to-date.  Secunia PSI can be useful to install once and check for out-of-date software, but it’s somewhat awkward to use and have running regularly, so I uninstall it after running it once. Alternatively you can use the FileHippo updater, which is portable and will check for any out of date software in its repository.

 

Disrupt Exploits

Given the possibility that your software may be vulnerable to 0-day threats or known threats that have not yet been patched, the next line of defense is to use techniques that disrupt exploits from being successful.  This is what EMET does.  It takes a bit of configuration, so use insanitybit’s write-up as a guide: http://www.insanitybit.com/2012/07/26/setting-up-emet-3-5-tech-preview-9-2/

 

If an exploit does manage to get execution, the next line of defense is to break it’s ability to work correctly by denying it access to different APIs.  The best solution for this is AmbushIPS by @scriptjunkie1  This will protect best against ROP based exploits (which usually disable DEP as one of their steps which AmbushIPS check for), but also against exploits which have obtained full arbitrary execution.  If the attacker knows your are using AmbushIPS, he could likely modify his exploit to work around it, so to some degree this is security through obscurity, but setting up an IDS/IPS can prove very beneficial to those willing to manage them.  You can also write your own signatures for AmbushIPS to check for, which adds further unknowns for attacks.

 

AmbushIPS cannot only block exploits, but it can also log chosen Windows API calls to a remote server.  This could be helpful in identifying when an attack occurred and how, post-mortem.

 

Block Payloads

Although the stage in which an attacker launches their payload is both optional and late in the game, those looking to improve their security may look into AppLocker, an Anti-Executable security solution available for the more enterprise oriented Windows editions (Windows Server 2008 R2, Windows 7 Ultimate and Enterprise, Windows Server 2012, and Windows 8 Enterprise). Anti-Executable software works by preventing processes from launching based on a whitelist and blacklist. If Firefox.exe is running, and it tries to run evil.exe, and evil.exe is not whitelisted, then it will not run. This is most helpful for preventing malware that uses legacy techniques, and making it more difficult for an attacker to gain persistence.

AppLocker rules come in three types: path, hash, and my favorite, publisher.

A path rule is really quite weak. It basically says that ‘only files from this path can execute’, which means that all an attacker has to do to bypass that rule is write to the path and execute.

Hash rules are much more difficult to get around, but they’re also horribly difficult to maintain. Every time your program updates you need a new hash.

Publisher rules are based on certificate information. This is much easier to deal with, as it’ll only allow specific programs to run, but it won’t have to be updated for every program update.

While AppLocker is not enough for any attack that accounts for it, it can be useful when layered on top of other techniques. Just be sure that you realize its shortcomings.

 

Prepare For The Worst

Given the possibility that your laptop could just simply be stolen, encrypt your data with TrueCrypt (free) or Windows BitLocker (if you have Windows Enterprise or Ultimate editions).  Any and all sensitive information (ex. proprietary code for your company if you are a software developer) should generally be stored in some type of encrypted container.  Be aware that if you try to only encrypt specific data, Windows will still save a hibernation file (a copy of the RAM) to the system partition which may contain your sensitive information.

Here are guides for TrueCrypt and BitLocker.

 

Security advice not specific to Windows

Your browser is your main attack surface on a personal system, so take efforts to secure that by using various extensions (NoScript and HTTPS-Everywhere). You can find guides for securing Firefox and Chrome here and here. As a user if you secure your browser you’re securing the area that most attackers will attempt to exploit.

Many websites now offer dual-factor authentication, such as GMail and Facebook.  Take advantage of these, so you don’t end up getting locked out of your own email and social network sites if you ever get owned.

Do your banking from a different computer that you use infrequently, but still keep up-to-date on patches!  Have your various website accounts send password resets to an email account that you only access from this banking computer. Make sure you’re connecting to these websites through a secure and trusted network.

 

Conclusion

There is a lot of security software for Windows out there: Some legitimately adds protection, and some unfortunately exposes you to more attacks than it protects you from.  It’s impossible to cover it all in a single post, so we tried to stick to the built-in and free tools that are most important.

If you follow this guide you’ll be making an attackers job much more difficult. Though there is no silver bullet, and Windows security software is somewhat limited, you can use this guide to significantly improve your chances when facing the latest 0-day exploit in your browser.

As always, if you have suggestions for the guide, corrections, or general comments, please feel free to leave that all in the comments section and we’ll have a look.

 

Windows 8 With EMET Is Surprisingly Stable

I’m using Microsoft Windows 8 and I have been since just a few days after the official release. Naturally EMET (click here for more info) is one of the first programs I install on any Windows OS and with ATI now supporting ASLR with the 12.7 and up drivers I’ve set my system to the maximum settings for all categories.

Image

Essentially the three major exploit mitigation techniques, DEP, ASLR, and SEHOP, are forced on all executables on the system. The default setting for both DEP and ASLR is Opt-In, which isn’t very secure (though all new programs ship with DEP at this point due to compiler default flags) so by ignoring program settings and forcing these techniques system wide EMET makes the system more secure.

The downside is potential compatibility issues. So far I’ve only had issues with CCleaner’s installer, which does not like ASLR, although CCleaner itself does work fine with ASLR enabled.

Anyone looking to really secure a Windows system against attack should consider setting EMET up this way. To see how to enable ASLR to Always On via EMET just click here.

Remember, to get the full benefit of EMET you should also make use of the per-application settings, which will enforce multiple techniques other than DEP, SEHOP, and ASLR. And if you don’t mind Metro you should consider moving to Windows 8 as it has significantly improved ASLR.

Update For EMET 3.5 AllROP.XML

I’ve updated the AllROP.XML file to include Java 7. I’ve also disabled Anti-ROP techniques for Explorer.exe – you can reenable at your own risk but I think some programs that add context menus can break explorer when incompatible. Also disabled EAF for explorer.exe.

For more information on Emet 3.5 Tech Preview read here.

You can download the new AllROP.XML:

http://www.mediafire.com/view/?88w7vas5zvyvf0l

Someone’s Bypassing EMET

EMET is the Exploit Mitigation Enhancement Toolkit. It basically forces programs to make use of a number of mitigation techniques. The idea of EMET is not to make programs invincible to exploitation, no single technique is incredibly powerful. The idea is to use all of the techniques in combination to make generic bypasses of EMET impossible or at least incredibly difficult. Each payload has to be designed to bypass EMET – you can’t just wrap it up a special way.

But that’s exactly what someone is trying to do. They’re not modifying the payload at all and they’re working to bypass EMET. It’s pretty cool – part 1 and 2 are already out.

Here’s part 1.

I think this quote sums up the project and why EMET is still a powerful tool.

There are two main areas we need to concern ourselves with when trying to bypass EMET: the exploit and the Metasploit payload. Obviously, the exploit needs to be crafted so as to bypass EMET. This cannot be generic – we can’t find a solution that will automatically work for all exploits, as the intrinsic details of the exploit are important to accomplish successful bypassing. It might be a different story when we consider the Metasploit payloads. Sure, we may be able to tweak each payload to bypass EMET, but that’s really missing the point. We would like to have a generic solution that enables all unmodified payloads to work for a specific exploit.

As you can see right off the bat it’s said that a generic bypass for the individual exploits is impossible – this is obvious as the exploits themselves work in specific ways. This focuses on the payloads.

I’m excited to see the work continue.

Looks Like CERT Reads InsanityBit

Only joking, of course but coincidentally CERT.org has written a post highlighting something I’d mentioned a few days ago. There’s the bit about EMET for Full ASLR, which I wrote about here and AMD/ATI using a hardcoded address space, which I wrote about here.

I’m really happy to see this getting attention from CERT, which is just way more legit than my blog. Hopefully they’ll get ATI to fix their crap.

P.S. CERT, tell them to fix the overflow in 12.3 as well. It’s annoying.

Java Exploits Will Continue To Rise

Before I want to start I want to say that as a language I like Java and all animosity I ever express towards Java is likely really meant for Oracle.

Oracle is officially promoting Java 7 (u4) to users now. It offers no real security benefits in terms of system compromise but it does depreciate a few broken hash methods like md4. There’s some performance improvements as well but it’s Java so, yeah.

And, once again, they’re not removing old versions of Java when they update users to 7. Yep, Java 7 installs to the side of Java 6. That’ll work out well.

Java already makes up the vast majority of exploits used against Windows systems and now users will likely have two versions installed without realizing it. Not only is that two versions of software that’s exploited daily, they probably won’t even realize the first version wasn’t overwritten so they’ll likely not patch it either. The Java Updater is pretty broken, requires you give it UAC (task scheduler wtf) permissions when it runs, and it’s on like… a 1-week schedule or 1-month by default agh it’s actually painful to talk about.

Incidentally Adobe Flash Player 13 for Firefox is going to be sandboxed by default similar to what Chrome does. It’s not a super strong sandbox but unlike Oracle Adobe actually gives a damn about security (I know, I know) and they’re made really big progress with improved ASLR and this new sandbox, which has involved serious cooperation with vendors.

So, Flash, which is the most exploited software after Java, is now going to be significantly more secure on ~20-30% of computers. Attackers could break the relatively weak sandbox given enough time but why the hell bother? You’ve now got two Java versions sitting on systems ready to be exploited.

And, because it’s Java, exploit once – run anywhere! In a study by (I believe) Sophos they actually found quite a few pieces of Windows malware on OSX machines. The OSX users weren’t infected but they’d run into an exploit that had dropped a Windows payload. I’m betting you can guess which program was dropping them.

I’d say EMET + Java = enough but that’s a lie. JIT and EMET don’t go together, it’s irrelevant really for a lot of the exploits. DEP/ASLR/EAF helps only because it’s the JVM that’s so broken and I absolutely still recommend running EMET with your Java (see my guide) but your best bet is to just uninstall it. Seriously, you can’t rely on EMET here – uninstall it.

Linux users just AppArmor Java (see my guide) and you’ll be fine. Updates are handled by the OS so patching isn’t an issue anyways. Feels good.

You Don’t Need An Antivirus With Windows 8

With Windows 8 out a lot of users are wondering whether they need antivirus with Windows 8, or if they need to pay for an antivirus, or do something else entirely. In my opinion if you’ve been paying for an antivirus for Windows XP, Vista, or 7, you can consider cancelling that next subscription if you’re moving to 8. In my last post about Windows 8 security I glazed over Microsoft Security Essentials and I wouldn’t call what I said ‘positive.’ For my quick non-security oriented review of Windows 8 Release Preview click here.

This post will highlight why MSE is the type of antivirus a consumer needs and why it might be the right choice for Windows 8 users.

Microsoft Is Best Suited For The Job

The fact is that Microsoft created Windows. It’s a closed source project and antivirus companies spend a ton of money just trying to figure it out. Microsoft has a massive advantage here. They know what their code is like, they know where there’s most likely to be a hole, they have the ability to “tap” systems with crash reports or opt-in data collection on a level no antivirus company can ever match. They simply have the most data.

The fact that only Microsoft has access to the source code is one major reason why you should be trusting them to secure your system.

Years Of Practice

We’re a long way away from Windows XP. Windows is not so full of holes as it used to be, Vista brought many security mitigation techniques and a new MAC system to the operating system and Windows 8 expands further on that with new techniques and a new MAC system.

The Windows system has been hacked and torn apart for years and Microsoft has not sat idly by. The company has created new tools such as EMET, which are very effective at what they do. They’ve seriously improved their patch response time and there simply is no comparison between Windows 8 security and Windows XP.

Microsoft has seen years of malware. They know what they’re up against and at this point you’d better believe they know a few ways to fight back.

Reinforced Throughout The Operating System

Microsoft has made it clear that Microsoft Security Essentials is just one layer. Windows 8 also includes SmartScreen, a reputation based heuristics filter that acts system wide to inform and protect users from unknown files that are potentially dangerous. The focus of SmartScreen is on 0day malware and samples that an antivirus might normally not catch.

Where MSE stops SmartScreen begins, picking up slack. Antiviruses are inhibited by their inability to deal with the unknown, something that they will always struggle with. SmartScreen aims to specifically deal with the unknown using heuristics based on file reputation. File reputation essentially checks how “popular” the file is – how many systems it’s been seen on. Only a major company could pull off something like this and Microsoft is absolutely the best company for it – no antivirus can be installed on more Windows systems than exist.

Windows 8 Was Built With MSE In Mind

The fact is that Microsoft didn’t built Windows 8 thinking “let’s create a system that works great with Sophos and Mcafee” they built a system to work with MSE and they built MSE to work with the system. Layered security means understanding which layers are important and which needs to be covered, having full control over every layer leads to a potentially more secure system.

Consistent Heuristic Scores And Low False Positives

AV-comapratives.com “grades” antivirus software and Microsoft Security Essentials does fairly well. It’s not amazing but it’s not terrible, and that’s fine because it’s reinforced by other areas of Windows. What it is, consistently, is quiet. Heuristics is basically a way of “guessing” something – you use heuristics for spam filters, antivirus, language analysis, anything where you need to guess. Naturally this is going to lead to wrong guesses and in an antiviruses case that’s a false positive. MSE has very few false positives, often the lowest or second lowest compared to other antiviruses. Almost all of the antiviruses that get higher heuristic detection scores also have tons of false positives (you can see the correlation) and I think that having few false positives is just as important as having high detection rates.

If my AV is constantly telling me that files that I know are good are actually bad I won’t trust it. And when the time comes and the file I think is good is actually bad and my AV alerts me I simple won’t believe it. We’re all familiar with The Boy Who Cried Wolf, same principal here.

So Is Windows 8 Impregnable?

Well, while I’m very pleased that Microsoft has stepped up its security I think there is still need for some set up to get the system closer to where it should be. I still don’t consider Windows 8 to be as secure as my own configured Linux system but there are significant improvements and for the average user I think we can expect things to go smoothly.

Much of what’s in Windows 8 is untested and may not work out well in the real world. I’m optimistic about some features and not so much about others. Time will tell. I’ve had the Windows 8 Developer Preview, Consumer Preview, and now Release Preview all installed so I have a fair bit of experience with it though.

And, of course, as Windows 8 popularity rises so will hackers interest in bypassing its features so it’s still important to take the extra measures and to keep up with patches. MSE has consistently had decent heuristics with low false positives, which I think is very important.

Universal ASLR Bypasses And How To Solve Them

Address Space Layout Randomization is an exploit mitigation technique that focuses on preventing Return Oriented Programming attacks. It’s become one of the “must have” tools for a secure program (like DEP) and it’s preset in all modern user-oriented operating systems.

Mitigating ROP is pretty important as most modern exploits take advantage of it. And ASLR would be entirely effective in an ideal world where every single part of address space is randomized and 64bit address space is impossible to bruteforce and heapspray doesn’t exist. We don’t live in that world and there are universal ASLR bypasses for Windows and Linux, heapspray does exist, and the majority of users are stuck in a 32bit address space (and 64bit vanilla ASLR isn’t necessarily impossible to bruteforce).

Windows is actually pretty on top of things with ASLR (as of Windows 8) and /FORCEASLR but there’s always going to be a way around it (unless some things seriously change.)

So what’s the answer?

Well, for non-performance critical applications perhaps a solution like Gadgetless Binaries would be a viable option. Gadgetless binaries would compile code in such a way that an attacker would be unable to make use of static address space instructions to form their attack.

There is a performance hit here so I’m not saying to compile everything with it, but for security critical applications why not? There are specific areas of Windows address space that are loaded in the same exact place every time – why not compile that area with gadgetless binaries and avoid situations like this?

There’s also a somewhat less effective In-Place Code  Randomization technique and even less effective (though still welcome) EAF, which is what Microsoft has implemented.

Perhaps I’m just missing something. Maybe this would require paying out or some such thing but it seems like a great idea to me as ASLR isn’t going to solve every problem. At least not with current implementations (outside of PaX ASLR, which makes use of many other features via Grsecurity to prevent attacks against ASLR).

Sources:

http://iseclab.org/papers/gfree.pdf

A Tip For Those Looking To Lock Down Windows

In my last post I explaining why I won’t be buying ATI until they fix their insecure drivers. This reminded me that Windows does actually have a little-known ability to run the entire system with ASLR enabled. Of course, this can lead to instability and in the case of those of you running ATI cards you will BSOD immediately but if you’re willing to take the risk it’s one more way to lock down Windows.

First, I suggest you take a look at this guide for securing Windows and this guide for setting up EMET.

This short guide will get your ASLR Always On setting enabled in the EMET User Interface.

If you’ve followed the guides you can:

1) Open Regedit

2) Navigate to HKEY_LOCAL_MACHINESOFTWAREMicrosoftEMET

3) Change ‘EnableUnsafeSettings’ to ‘1’

4) Go to your EMET GUI and System Settings – turn ASLR to Always On. If it isn’t there you may need to reboot first.

5) Reboot

Your system might crash in which case you need to go into Safe Mode and disable this. It should go without saying that this risk falls on you, I’ll feel pretty bad if I break your computer but there’s fair warning here.

So now instead of applications having to explicitly opt into using ASLR on Windows your entire system should be running with it. This will probably break a few programs but if it works, great, you’re somewhat potentially more secure.