The goal is to safeguard the privacy and security of my own and my clients’ data while still being able to execute a penetration test.
Having concluded in September that Qubes OS was best suited as a portable lab, I have adopted Windows 10 Pro v1607 as my offensive platform. This article was modified in July ’17 to include several v1703 pitfalls.
Apply these hardening techniques to your personal Windows 10 system to drastically improve your security posture and keep your affairs private.
Andrew Douma is a vendor-neutral IT Security Professional. He performs professional audits, penetration tests, and risk assessments. He designs secure networks and engineers high-assurance systems in the Cloud.
You can connect with him on GoodReads, LinkedIn, Medium, and Twitter.
Microsoft has made much progress improving the security capabilities of their Operating System (OS). However, their pervasive use of “telemetry” and forced software installation/upgrades has cost them the trust of their customers.
Other hardware/software corporations are also installing telemetry software that calls home (Intel, Nvidia, Lenovo). Corporate surveillance is big business and here to stay.
On principle, I never want to see any persistent outbound UDP connections that I did not set up myself. I also do not want my network captures polluted.
So here we are: I trust neither my OS nor my hardware vendor. Welcome to my Windows 10 hardening guide.
A best practice is to format the hard drive and install legitimate and still supported software. Windows 10 Anniversary Edition (v1607), for better or worse!
Used systems with pre-loaded software may contain malware. It is not unheard of for this to be the case with a newly store-bought laptop. It only takes one tech-savvy person in the supply chain.
If you insist that you do not have a Windows installation USB/CD, use a search engine to find any recovery options your vendor provides. Most will allow you to download a recovery image or order one free of charge. If possible, cryptographically verify that your installation image is authentic.
As cyber security professionals, let’s start treating this topic like Sex Ed:
Torrenting sites are designed to make money. Their UI/UX is often designed to trick people into installing malware — many host malicious ad campaigns that contain exploit kits with 0day drive-by exploits.
Pirated operating systems and (security) software found on torrent and other file sharing sites all contain malware. It is child’s play to fool your Antivirus. Attacks are becoming more and more destructive.
If you are a student, many vendors offer cost-reduced software licenses (email them if they do not list it on their website) — and you can usually buy Windows for next to nothing at your Campus Technology Store. Get a Windows 10 Education or Enterprise license if you can.
If you insist on being a member of the Pirate Party, please proceed with caution! Download these files from within a VM — run any cracks, patches, keygens from a disposable VM — download trials from the vendor website and install those inside a dedicated VM. You cannot trust your software.
Malware will spread via your network, shared folders, and in some cases, even break out of the VM and compromise your host operating system. Always keep VMWare/VirtualBox and its guest-OS up to date.
If you are an IT professional, you cannot be doing this; you are part of the cyber security problem! Learn how to reverse engineer software yourself if you really cannot afford the license fees. You will soon discover you have solved both problems. Force yourself to adopt secure routines.
You have several options to secure your “data at rest” by encrypting it before writing it to disk. It is even possible to combine all three.
You can enable your Self-Encrypting Drive (SED) by setting a secure password when configuring your BIOS. This is not the same as setting a supervisor password!
Transparent full drive encryption on your Solid State Drive (SSD) has almost no performance downside. I do not have enough trust in Lenovo to rely on it solely.
Keep in mind that the encryption keys are kept inside your TPM chip, which is unlikely to survive a destructive hardware attack. Protect yourself by making regular backups.
BitLocker is only available for Pro, Enterprise and Education licensees of Windows 10. The keys are also kept inside your TPM chip. I do not trust my OS either, so some separation of duty seems in order.
There are advantages to using BitLocker though:
To enable BitLocker: File Explorer > Right click C > Turn on BitLocker.
I use VeraCrypt, a free and open-source (FOSS), cross-platform disk encryption tool that passed an independent audit. You too can learn to memorize a 32+ character passphrase.
VeraCrypt supports encrypting non-system GPT partitions/drives.
VeraCrypt: a free & open-source disk encryption solution
To encrypt your entire drive, you need to partition your disk as an MBR (Master Boot Record) disk and not the default GPT (GUID Partition Table) format.
Converting later will require a full reformat or purchasing commercial partitioning software. You can also choose to use a VeraCrypt encrypted file container on top of BitLocker/SSD FDE.
The above information combined with the documentation should be sufficient for you to accomplish this. Read their security model to understand what it does and does not protect you from.
Your Basic Input Output System (BIOS) is the codebase which initializes your hardware and loads the files that boot your Operating System.
If you are not planning on using VMware, dual-booting Unix, or using VeraCrypt for FDE:
Device Guard, when configured, locks your device down so that it only runs trusted applications you have defined through your code integrity policies. More information is covered by this Microsoft Technet article.
Since I am planning on using VeraCrypt FDE, and dual-booting Windows 10 Pro with the future Qubes OS 4:
Save and exit settings to reboot from your Installation Media.
I would only recommend installing v1703 fresh, as the built-in upgrade process resulted in a hobbled and inconsistent OS.
None of the Windows recovery options or troubleshooting tools resolved this; I ended up using the “Reset this PC” functionality.
I’ve pushed on and am now single-booting Windows 10 “Redstone 2” with TPM 2.0, Device Guard and BitLocker enabled.
As stated, I recommend that everyone start with a fresh installation of Windows 10. Modern malware is very persistent, bootkits and rootkits are hard to detect, and Microsoft upgrades have always been buggy.
During installation and setup please:
Your system remains offline.
I highly recommend side-loading essential applications, vendor drivers, and Windows updates.
When you first boot up, Windows is far from trustworthy. It is full of holes and reporting back to its overlords. At the very least you are vulnerable to local MITM attacks.
WSUS Offline Update Tool
Complete the above installation tasks. Your system remains offline.
Until we get into Group Policy Editor and Windows Firewall territory, I recommend running a few consumer tools to kick off the process:
Unless manually enforced using a Group Policy Object, Microsoft will re-enable telemetry, firewall rules, and unwanted features during the next Feature upgrade or if you ever run System File Checker (sfc).
You would be wise to update & re-run your preferred privacy tools after a major Windows 10 release — these projects do a good job staying on top of things. Check their compatibility first!
They all seem to behave slightly differently. Use Process Monitor to reverse engineer their actions if you want to enforce the same changes using Group Policy/scripts (or across AD-connected workstations).
Your system remains offline.
One of the best things you can do to improve your security is install and configure the Enhanced Mitigation Experience Toolkit (EMET).
Carnegie Mellon University recently argued its continued benefits for Windows 10 users despite Microsoft announcing its End of Life by July 31, 2018. Microsoft has incorporated some of its protections in v1703.
At time of writing, I had a small issue with Chrome after enforcing EMET’s Popular Programs via Group Policy. The solution was to configure it via the GUI and turn off ‘EAF: Extended Table Access Filtering Plus’ for Chrome only.
I also like the idea behind 0patch.com.
Your system remains offline.
We want to reduce our systems’ attack surface as much as possible: which means removing features and outdated capabilities we will never use.
Control Panel > Turn Windows features on or off
You will want to go over which Windows Features to turn off.
I enabled the Hyper-V and IIS Management Tools as well as a few Device Lockdown features.
But removed .NET 3.5, SMB v1 and PowerShell 2. You could go much further.
For the v1703 remake, I disabled all Windows features and have not had an issue yet.
Your system remains offline.
When you run Sysinternals Autoruns with administrative privileges, it becomes a great tool to start managing the programs and services that are set to run at one point or another.
For now, under Administrative Tools > Services (or by running ‘services.msc’) I disabled Geolocation for privacy and a few services that are vulnerable to Bloodhound and Responder:
Unfortunately, with the v1603 Anniversary Update, Microsoft removed our ability to enforce this from Group Policy.
Your system remains offline.
There are a few modifications we should make to our Wi-Fi settings and network adapters.
First, make it more difficult to track your location across WiFi networks:
You could use Technitium MAC Address Changer’s command-line to accomplish this for your Ethernet LAN interface.
Right-click on any Network Adapter > Properties and uncheck:
In that same window, select ‘Internet Protocol Version 4 (TCP/IPv4)’ and click the Properties button. From there click the Advanced button, uncheck ‘Register this connection’s addresses in DNS’ on the DNS tab, and select ‘Disable NetBIOS over TCP/IP’ on the WINS tab.
Repeat these steps for all appropriate networked adapters. Your system remains offline.
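The feature, service and adapter changes from the sections above, written as one idempotent script for an elevated PowerShell session while the system is still offline. This is an added example and not code from the original post; the feature and service names (NetFx3, SMB1Protocol, MicrosoftWindowsPowerShellV2Root, lfsvc) are the built-in Windows identifiers, and the only assumption is that every IP-enabled adapter should get the same treatment.

```powershell
# Added example: attack-surface reduction for the Windows Features, Services
# and Network Adapters sections. Run elevated, with the system still offline.

# 1. Windows features the article removes: .NET 3.5, SMB v1 and PowerShell 2.
$unwanted = 'NetFx3', 'SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root'
foreach ($name in $unwanted) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
        Write-Host "Disabled feature $name (reboot pending)"
    } else {
        Write-Host "Feature $name already $($feature.State)"
    }
}

# 2. Services: the Geolocation Service (lfsvc) is disabled for privacy.
#    Stop it if running and make sure it cannot be started again.
$geo = Get-Service -Name 'lfsvc' -ErrorAction SilentlyContinue
if ($null -ne $geo) {
    if ($geo.Status -eq 'Running') { Stop-Service -Name 'lfsvc' -Force }
    Set-Service -Name 'lfsvc' -StartupType Disabled
}

# 3. Per-adapter settings: do not register this connection's addresses in
#    DNS, and disable NetBIOS over TCP/IP (option 2 = disable; assumption:
#    every IP-enabled adapter is treated the same way).
Get-DnsClient | ForEach-Object {
    Set-DnsClient -InterfaceIndex $_.InterfaceIndex -RegisterThisConnectionsAddress $false
}
$nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($nic in $nics) {
    $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
        -Arguments @{ TcpipNetbiosOptions = 2 }
    Write-Host ("NetBIOS disabled on {0}: return code {1}" -f $nic.Description, $result.ReturnValue)
}

# 4. Verify: no unwanted feature should be Enabled, NetBIOS option should be 2
#    and DNS registration should be False on every adapter.
Get-WindowsOptionalFeature -Online | Where-Object { $_.FeatureName -in $unwanted } |
    Select-Object FeatureName, State | Format-Table -AutoSize
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    Select-Object Description, TcpipNetbiosOptions, FullDNSRegistrationEnabled |
    Format-Table -AutoSize
```

The WMI return code 0 means the NetBIOS change applied; 1 means it applied but needs a reboot, which fits the article's "a reboot may be required" step.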
I run most of my tools from inside a Virtual Machine. I have both Oracle VirtualBox and VMWare Workstation installed. You are advised to do the same.
Those files I receive via my mail client and open up with my favorite office suite pose the highest risk. Let alone the malicious samples I eagerly download with my web browser!
I do have a few tools I use outside of a VM:
3 Billion devices: a terrifying thought.
I quickly uninstalled the following:
*I grabbed the latest drivers for my network card from Intel.com (Lenovo is always behind). For these drivers I chose not to install the Software Extensions or the Administrative Toolkit.
A reboot may be required. Keep your system offline.
Ever since OpenDNS rebranded itself as an enterprise security company and finally implemented RFC-compliant DNS (no custom redirects, no ads), they have become a great alternative to your ISP’s or Google’s DNS.
You can increase your internet speed and improve your security posture by setting the DNS servers (on your device and router) to these IP addresses:
208.67.222.222
208.67.220.220
By default OpenDNS blocks resolution of known malicious domains only.
If you sign up for a free account, you can shield your networked devices even further, useful when you have kids or a Social Media addiction.
This does not stop a Man-in-the-Middle (MiTM) attack. Your “URL to IP address” translation requests are not encrypted!
The Domain Name Service (DNS) is the reason your Internet Service Provider (ISP) knows exactly which websites you are visiting.
SimpleDNSCrypt
Many countries, including Germany, the United Kingdom, and the United States, allow their Federal police to hack their citizens.
DNSCrypt is an excellent way to verify that responses originate from the chosen DNS resolver and have not been spoofed.
It does not provide encryption, prevent “DNS leaks”, or prevent a third-party DNS resolver from logging your activity.
Higher-level TLS, as used in HTTPS and HTTP/2 (SPDY), also leaks website host names in plain text, rendering DNSCrypt useless as a way to hide this information.
SimpleDNSCrypt is the most up to date implementation for Windows 10. I opted to disable IPv6 and will revisit the hidden (virtual) NICs at another time.
Restart your system. It should be ‘OK’ to take it online now.
Your internet history is accessible to at least 48 institutions without a warrant in the United Kingdom. Other countries are doomed to follow.
“Privacy is a transient notion. When people stopped believing God could see everything, governments realized there was a vacancy open.” — Roger Needham
It is strongly recommended to encapsulate all network traffic beyond your own country’s borders using a Virtual Private Network.
At best a VPN provides more privacy. Do not count on it for anonymity:
Personally, I run a hardened Linux instance with Algo VPN that sets up a secure personal IPsec VPN for my mobile devices, and for when I’m connecting over a public WiFi.
We use Streisand for instances we tear down at the end of the day. It generates a user-friendly HTML file with instructions to connect to the newly provisioned server running L2TP/IPsec, OpenSSH, OpenVPN, Stunnel, and a Tor bridge. Easy to share with others.
Not all VPS servers are alike — Linode is a personal favorite of mine.
I consider Google Chrome one of the more secure (by design) browsers.
Because there is an open-source version, someone created UnGoogled Chromium stripped free of Google integration, resulting in a more private (and so much faster!) browsing experience.
If you opt for a more traditional approach and fire up your Microsoft Edge browser to download Chrome or Firefox, be sure to ignore Bing’s and Windows’ attempts to dissuade you!
99.9% of web exploits, tracking and fingerprinting start with malicious JavaScript execution hosted on known malware domains.
Review the options of every browser you have installed, including Internet Explorer/Edge. Take the time to configure each plugin on ‘expert’ mode!
Windows Updates (and upgrades) tend to ‘flip settings’ back to their insecure defaults. Microsoft only seems to respect settings enforced using central Group Policy Objects (GPOs).
Even if you are not a seasoned IT professional — you will love being able to manage most settings for all user accounts from a single program (‘gpedit.msc’). An up to date settings reference for Windows 10 is available in Excel format.
This interface can be uncovered by executing ‘gpedit.msc’
You can extend the capabilities of your Group Policy Editor by deploying Administrative Templates (.adml & .admx files).
For example, to control EMET with a GPO:
Repeat this for this set of Administrative Templates provided by Microsoft (the v1703 templates can be downloaded here)
Templates are also available for Microsoft Office 2010 / 2013 / 2016 / 2007, LibreOffice as well as Chrome and Firefox.
If you get an Access Denied error, you’ll have to take ownership of the PolicyDefinitions folder first:
We will use some of these extended capabilities to lock down the system, making it harder for anyone to disable your protections.
A reboot may be required to load these extensions.
Several well-funded organizations give advice on what makes a configuration “secure.”
Establishing a Secure Host Baseline (SHB) is one of the NSA’s top 10 mitigation strategies.
I like the DoD Secure Host Baseline project on Github. It is a collection of PowerShell scripts that are relatively painless to apply.
Hit the Windows Key + X keyboard shortcut and launch Windows PowerShell (Admin). Run all the commands below from there:
Set-ExecutionPolicy Unrestricted
Download the repository as a ZIP file, and unlock it:
cd $env:USERPROFILE\Downloads
Unblock-File -Path '.\Secure-Host-Baseline-master.zip'
Extract the ZIP file, remove “-master” from both directories created.
In the PowerShell terminal, navigate down to the directory, and import the Group Policy PowerShell module:
cd $env:USERPROFILE\Downloads\Secure-Host-Baseline
Import-Module -Name '.\Secure-Host-Baseline\Scripts\GroupPolicy.psm1'
You will need to extract the Microsoft Local Group Policy Object (LGPO) utility to a known location. Make sure to reference full paths in the command below to avoid any errors.
I have no need for cryptographic DoD certificates:
Invoke-ApplySecureHostBaseline -Path 'C:\...\Secure-Host-Baseline\' -PolicyNames 'Adobe Reader','AppLocker','Chrome','EMET','Internet Explorer','Office 2013','Windows','Windows Firewall' -ToolPath 'C:\...\LGPO.exe'
You will notice that, for example, more of your Chrome settings are now enforced using group policy — some of which I will reverse.
That said, it is not perfect:
A reboot is required to apply all changes successfully.
Microsoft has released an excellent tool which allows you to apply their “Microsoft Recommended Security Baselines.”
This tool will soon be replaced by the DSC Environment Analyzer (DSCEA), likely before the v1703 security baseline is ready for production, so keep that in mind.
Install and configure Security Compliance Manager 4 (SCM). Be aware that this tool requires .Net Framework 3.5 (Includes .Net 2.0 and 3.0) and installs SQL Server 2008 Express (x86) — increasing your attack surface.
Once installed, under the ‘Get knowledge’ column, you can download Microsoft baselines automatically for Windows 10 v1607, Internet Explorer 11 and Office 2007/2010/2013.
Check out the Attachments\Guides section for the SecGuide ADMX/ADML to install and any supplemental documentation. You have to Duplicate a baseline before it can be customized.
Microsoft SCM 4.0
If you wish to apply any SCM baseline to your system, you can export a GPO backup folder and use the LGPO tool’s /g switch.
Another tool to geek out over is the Microsoft Policy Analyzer tool, which shows the differences between your local policy/registry and as many GPO backups as you Add & select.
In the Policy Viewer, the information displayed can be filtered and searched, or exported to Excel format. Conflicts are shown in yellow.
The DoD Secure Host Baseline template has the more secure defaults in most cases, but you will find that a hybrid of both fits your particular use-case.
There is no substitute for manually stepping through my options with the Group Policy Editor (by running ‘gpedit.msc’). Improve its readability by sorting the ‘Setting’ or ‘State’ column.
The wording for some settings can be very counter-intuitive. Luckily each option has a clear description.
Most of the relevant settings are found under these Policy Paths:
Apply any changes by executing the command below in any admin shell:
gpupdate.exe /Force
It can be very insightful to repeat this step as new CIS benchmark documents are released.
The information the Policy Analyzer gives me allows me to quickly combine the best of two baselines together and customize my settings as desired.
Despite primarily working from VMware, some settings aimed at improving security would interfere with me during a penetration test, such as those limiting the number of simultaneously active network adapters or preventing me from creating a layer 2 MAC bridge between them.
As you are stepping through your options, you will not only discover Chrome has a Dinosaur Easter Egg Game, but that many apps have some form of:
The DoD baseline has done a good job disabling most, but not all. Note that unless you have a Windows Enterprise or Education license, you will not be able to disable Telemetry entirely.
Make sure to enforce strict reapplication of critical policies:
I will never need to remotely login to my workstation:
Windows 10’s DNS Client just accepts whichever response it receives first, not necessarily the one from your intended DNS server.
We can later enforce this policy using Windows Firewall as a technical control.
Configure the Windows Network Time Protocol (NTP) Client to use trusted, non-Microsoft servers — perhaps even authenticated ones. At least until Google’s ‘roughtime protocol’ is synchronizing our clocks.
You can enforce the use of modern TLS standards system-wide:
To determine which ECC curves are supported on your system, use the following command:
CertUtil.exe -DisplayEccCurve
This usually breaks older applications like SQL Server 2008 Express (Windows Event Viewer is your friend).
Lucky for us Google Chrome is state of the art:
Review the Control Panel > Internet Options > Advanced tab and uncheck ‘Use HTTP2’, check ‘Send Do Not Track requests’. Disable WPAD on the Connections tab > LAN Settings > uncheck ‘Automatically detect settings’.
Re-configure Microsoft EMET for maximum security:
It is recommended to configure additional LSA Protection to defeat tools like Mimikatz.
Go back and enable ‘LSA Protection’ if all your drivers are properly signed.
WDigest Authentication should already be disabled to prevent transmission of credentials across the network as a weak MD5 hash or message digest.
If you are installing Microsoft Office outside of a VM (not recommended!):
You should also disable Office OLE Automation for Outlook. Note that an attacker can still embed code inside Office documents.
Registry changes require a reboot.
Run the NetCease PowerShell script to mitigate against a method Bloodhound uses.
cd $env:USERPROFILE\Downloads
Unblock-File -Path '.\NetCease.zip'
.\NetCease\NetCease.ps1
Restart the Server service (or reboot).
We already disabled the ‘WinHTTP Web Proxy Auto-Discovery Service’ service and unchecked the ‘Auto-detect settings’ Internet Options property.
Registry changes require a reboot.
Malware often abuses functionality that allows apps and processes to be automated; Windows Script Host is a classic example.
We can disable most of the Windows Scripting capabilities:
Disabling WSH may prevent you from running .bat batch files.
Windows Firewall (WFAS) is our technical security control that enforces our intended policies and supplements them when needed.
For example, we cannot use Group Policy to reinforce that our DNS requests are only sent to the local DNSCrypt proxy or specific OpenDNS servers.
I have extensively experimented with various alternatives and graphical Windows Firewall front-ends to speed up my workflow — all had significant usability or security flaws.
You can see every existing Firewall rule using the ‘Windows Firewall with Advanced Security’ desktop app (or by running ‘WF.msc’).
Firewall settings and rules are best created using the now familiar Group Policy Editor. Under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security.
First add a rule that blocks all outgoing and incoming traffic:
Important: by default Windows Firewall has a legion of local inbound and outbound exceptions (‘WF.msc’). Disabling these in ‘WF.msc’ is only a temporary fix.
Unless you create an explicit Block rule for each or disable merging of local firewall rules for each profile’s settings using Group Policy (‘gpedit.msc’), Microsoft will re-enable them after a major update. Furthermore, applications often create their own exceptions.
Now let’s allow our Windows DNS Client to function:
Repeat the same steps for ‘svchost.exe’ to allow our Windows NTP Client (UDP / 123) and Windows Update (TCP / 80,443).
A few examples of processes I allow to make outbound TCP connections:
My inbound rules consist solely of Core Networking and specific application exceptions.
Force yourself to apply the principle of minimal privilege. GoogleUpdate and HitmanPro should only connect to port 443 over TCP. ‘Connected User Experiences and Telemetry DiagTrack’ should be explicitly blocked.
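The outbound policy the Windows Firewall section describes, written with the NetSecurity cmdlets as an added example (not the original post's code). It writes to the local policy store that ‘WF.msc’ shows, whereas the article prefers Group Policy; the labelled assumptions are that dnscrypt-proxy listens on 127.0.0.1:53 and reaches its resolver on port 443, and that the two program paths match your installation.

```powershell
# Added example: deny-by-default outbound firewall with the explicit
# exceptions from the Windows Firewall section. Run from an elevated shell.
$DnsCryptProxy = 'C:\PLACEHOLDER\dnscrypt-proxy.exe'                  # assumption: adjust
$GoogleUpdate  = '%ProgramFiles(x86)%\Google\Update\GoogleUpdate.exe'  # assumption: adjust
$SvcHost       = '%SystemRoot%\System32\svchost.exe'
$OpenDns       = '208.67.222.222', '208.67.220.220'
$Group         = 'Hardening guide'   # lets us find and replace our own rules later

# Deny all inbound and outbound traffic on every profile, then add exceptions.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Remove rules from a previous run so the script can be re-applied safely.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($proto in 'UDP', 'TCP') {
    # The DNS Client (Dnscache, hosted in svchost) may only talk to the local
    # DNSCrypt proxy or the two OpenDNS resolvers, never to whoever answers first.
    New-NetFirewallRule -DisplayName "DNS Client -> DNSCrypt/OpenDNS ($proto)" `
        -Group $Group -Direction Outbound -Action Allow `
        -Program $SvcHost -Service Dnscache -Protocol $proto -RemotePort 53 `
        -RemoteAddress (@('127.0.0.1') + $OpenDns) | Out-Null
    # The proxy itself reaches its upstream resolver on 443 (assumption).
    New-NetFirewallRule -DisplayName "dnscrypt-proxy -> resolver ($proto)" `
        -Group $Group -Direction Outbound -Action Allow `
        -Program $DnsCryptProxy -Protocol $proto -RemotePort 443 | Out-Null
}

# Windows Time (W32Time, UDP/123) and Windows Update (wuauserv, TCP/80,443),
# both hosted in svchost.exe, so the rule is scoped to the service as well.
New-NetFirewallRule -DisplayName 'NTP Client' -Group $Group `
    -Direction Outbound -Action Allow -Program $SvcHost -Service W32Time `
    -Protocol UDP -RemotePort 123 | Out-Null
New-NetFirewallRule -DisplayName 'Windows Update' -Group $Group `
    -Direction Outbound -Action Allow -Program $SvcHost -Service wuauserv `
    -Protocol TCP -RemotePort 80, 443 | Out-Null

# Least privilege for updaters: TCP 443 only, nothing else.
New-NetFirewallRule -DisplayName 'GoogleUpdate (443 only)' -Group $Group `
    -Direction Outbound -Action Allow -Program $GoogleUpdate `
    -Protocol TCP -RemotePort 443 | Out-Null

# An explicit Block for telemetry, so a later update that adds an Allow rule
# for DiagTrack still loses (Block rules win over Allow rules).
New-NetFirewallRule -DisplayName 'Block DiagTrack telemetry' -Group $Group `
    -Direction Outbound -Action Block -Program $SvcHost -Service DiagTrack `
    -Protocol Any | Out-Null

# Review what is now in force.
Get-NetFirewallRule -Group $Group | Sort-Object Direction, Action |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

Watch the Windows Firewall log (or the ‘Monitoring’ node in ‘WF.msc’) for dropped packets after applying this; anything you actually need shows up there and gets its own narrowly scoped rule rather than a broad one.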
One of the most powerful defense strategies is whitelisting which applications are allowed to run with Windows AppLocker.
By now AppLocker is already running in ‘Audit only’ mode — all processes executed by users are logged to the Event log, including the full path of the program.
All AppLocker policies are created and managed using Group Policy under:
Your goal is to whitelist only those applications you trust, by path but preferably by their digital signature.
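One way to turn the ‘Audit only’ event data into the signature-first whitelist described above, as an added example (not the original post's code) using the AppLocker PowerShell module. It assumes AppLocker has been logging in audit mode for a while and that the paths in $check are programs you rely on; adjust those.

```powershell
# Added example: build a publisher-based AppLocker whitelist from audit-mode
# events, falling back to hash rules for unsigned binaries. Run elevated.
Import-Module AppLocker

$log = 'Microsoft-Windows-AppLocker/EXE and DLL'   # scripts/MSIs have their own log

# 1. Collect every file that ran but WOULD have been blocked (event ID 8003).
$audited = @(Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited)
if ($audited.Count -eq 0) {
    Write-Warning "No audited AppLocker events in '$log'; nothing to whitelist yet."
    return
}

# 2. Show what you are about to trust, most frequently executed first.
$audited | Group-Object -Property Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Prefer Publisher rules (digital signature); unsigned files get Hash rules.
#    -Optimize merges files from the same publisher into a single rule, so
#    review the result: one broad publisher rule can allow more than intended.
$out = Join-Path $env:USERPROFILE 'Desktop\applocker-from-audit.xml'
New-AppLockerPolicy -FileInformation $audited -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'FromAudit' -Optimize -Xml |
    Out-File -FilePath $out -Encoding UTF8
Write-Host "Policy written to $out (import it under Application Control Policies in gpedit.msc)"

# 4. Dry-run before enforcing: would the tools you rely on still start?
#    (assumption: these are your own paths; adjust them)
$check = @(
    "$env:SystemRoot\System32\notepad.exe",
    "$env:ProgramFiles\Oracle\VirtualBox\VirtualBox.exe"
) | Where-Object { Test-Path $_ }
if ($check.Count -gt 0) {
    Test-AppLockerPolicy -XmlPolicy $out -Path $check -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}
```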
Despite dedicating over 6,000 words to the topic, there is always more we can do and new attack vectors are published every month.
I want to revisit the WindowsSpyBlocker GitHub project, as it has a robust approach to the problem and is continuously updated. Installing an application layer proxy and generating a unified hosts file yourself is strongly recommended. I will probably incorporate this with Blackbird.
Sysmon is another free tool from Windows Sysinternals.
It is a background monitoring tool that logs to the Windows event log — is very feature rich — and gives you more visibility into the live state of your endpoint.
See the author’s presentation “How to go from Responding to Hunting with Sysinternals Sysmon” and this write-up by the founder of Graylog and webcast by BHS.
In the fight against ransomware, bootkits & rootkits, Cisco’s Talos has released the MBR Filter Driver. This essentially sets your Master Boot Record to read-only.
It is relatively easy to install. Read the original blog post here. This tool is not for UEFI/SecureBoot systems.
A free and open-source Host-based Intrusion Detection System with very powerful correlation and analysis engine:
We monitor all our Linux, OpenBSD, MacOS and Windows hosts with it. If you want to run it locally, you will need to set it up in a host-only Linux VM as Windows support is limited to an installable agent. Works great in combination with Graylog!
Solely relying on a username/password or even out-of-bound SMS authentication using your cell phone will not be secure enough in 2017 (NIST 800–63A/B/C). U2F security keys are your best hope against account takeovers.
I highly recommend buying and learning how to use a Yubikey. The YubiKey 4 is now closed-source but the NEOs are still using open-source code others can independently verify. It integrates well with Windows 10.