Safeguarding the privacy and security of my own and my clients' data, while still allowing me to execute a penetration test, is the goal. Having concluded in September that Qubes OS was best suited as a portable lab, I have adopted Windows 10 Pro v1607 as my offensive platform. This article was modified in July '17 to include several v1703 pitfalls.

Apply these hardening techniques to your personal Windows 10 system to drastically improve your security posture and keep your affairs private.

About the Author: Andrew Douma is a vendor-neutral IT Security Professional (www.securitystreak.com). He performs professional audits, penetration tests, and risk assessments, and designs and engineers secure networks and high-assurance systems in the Cloud.

Distrust

Microsoft has made much progress improving the security capabilities of their Operating System (OS). However, their forced software installation/upgrades and pervasive use of "telemetry" have cost them the trust of their customers. Other hardware/software corporations (Intel, Nvidia, Lenovo) are also installing telemetry software that calls home. Corporate surveillance is big business and here to stay.

On principle, I never want to see any persistent outbound UDP connections that I did not set up myself. I also do not want my network captures polluted. So here we are: I trust neither my OS nor my hardware vendor. Welcome to my Windows 10 hardening guide.
Installation Media

A best practice is to format the hard drive and install legitimate and still supported software: Windows 10 Anniversary Update (v1607), for better or worse! Used systems with pre-loaded software may contain malware. It is not unheard of for this to be the case with a newly store-bought laptop; it only takes one tech-savvy person in the supply chain.

Make sure you have the latest version of Windows. If you do not have a Windows installation USB/CD, use a search engine to find any recovery options your vendor provides. Most will allow you to download a recovery image or order one free of charge. If possible, cryptographically verify that your installation image is authentic. Proceed to create a bootable USB with one of the many graphical or system/vendor provided (command line) tools.

Software Piracy

As cyber security professionals, let's start treating this topic like Sex Ed:

Torrenting sites are designed to make money. Their UI/UX is often designed to trick people into installing malware; many host malicious ad campaigns that contain exploit kits with 0day drive-by exploits. Pirated operating systems and (security) software found on torrent and other file sharing sites all contain malware. Attacks are becoming more and more destructive. It is child's play to fool your Antivirus.

If you are a student, many vendors offer cost-reduced software licenses (email them if they do not list it on their website), and you can usually buy Windows for next to nothing at your Campus Technology Store. Get a Windows 10 Education or Enterprise license if you can.

If you insist on being a member of the Pirate Party, please proceed with caution! Download these files from within a VM, run any cracks, patches or keygens from a disposable VM, download trials from the vendor website and install those inside a dedicated VM. You cannot trust your software.
Malware will spread via your network and shared folders and, in some cases, even break out of the VM and compromise your host operating system. Always keep VMware/VirtualBox and its guest OS up to date.

If you are an IT professional, you cannot be doing this; you are part of the cyber security problem! Learn how to reverse engineer software yourself if you really cannot afford the license fees. You will soon discover you have solved both problems. Force yourself to adopt secure routines.

Full Disk Encryption (FDE)

You have several options to secure your "data at rest" by encrypting it before writing it to disk. It is even possible to combine all three. FDE only protects your data entirely when your system is completely powered down. Crypto is only as strong as the weakest link: take the time needed to generate that random data pool and use a strong passphrase.

Hardware-based (SED)

You can enable your Self-Encrypting Drive (SED) by setting a secure hard disk (user/master) password when configuring your BIOS. This is not the same as setting a supervisor password! Transparent full drive encryption on your Solid State Drive (SSD) has almost no performance downside. I do not have enough trust in Lenovo to rely on it solely. Keep in mind that the encryption key never leaves the drive's own controller, which is unlikely to survive a destructive hardware attack. Protect yourself by making regular backups.

Microsoft BitLocker

BitLocker is only available for Pro, Enterprise and Education licensees of Windows 10. The keys are also kept inside your TPM chip. I do not trust my OS either, so some separation of duty seems in order. There are advantages to using BitLocker though:

- Its compatibility with UEFI Secure Boot helps ensure only trusted code runs on startup.
- Its integration with Active Directory Domain Services (AD DS) helps guarantee access to work files, even after you had to fire someone on the spot.
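BitLocker can also be turned on and verified from an elevated PowerShell, with the recovery password written to a removable drive before the TPM protector is armed. This is an added example and not code from the original article; it assumes a TPM that is present and ready, C: as the OS volume and D: as a removable drive you control (both paths are assumptions).

```powershell
# Added example, not from the original article: enable BitLocker on the OS
# volume with a TPM protector, keeping the recovery password off the machine.
# Assumptions: TPM present and ready, OS volume is C:, D: is a removable drive.
#Requires -RunAsAdministrator

function Test-TpmReady {
    # Get-Tpm comes with the TrustedPlatformModule module on Windows 8 and later.
    $tpm = Get-Tpm
    return ($tpm.TpmPresent -and $tpm.TpmReady)
}

function Enable-SystemDriveBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [string]$RecoveryKeyFolder = 'D:\bitlocker-recovery'   # assumed removable drive
    )
    if (-not (Test-TpmReady)) {
        throw 'TPM not present or not ready; initialise it in the BIOS/UEFI first.'
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "BitLocker already on for $MountPoint"
        return $vol
    }

    # Recovery password first: it is the only way in after a BIOS update or a
    # boot-chain change causes the TPM to refuse to unseal the volume key.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    # XTS-AES-256 is the strongest mode on v1511+; the TPM protector unlocks the
    # drive only after a measured boot that matches what was sealed.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # Write the recovery password to the removable drive, never to the drive it unlocks.
    New-Item -ItemType Directory -Force -Path $RecoveryKeyFolder | Out-Null
    $out = Join-Path $RecoveryKeyFolder ("{0}-{1}.txt" -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
    "Recovery password for $env:COMPUTERNAME ${MountPoint}: $($rp.RecoveryPassword)" | Set-Content -Path $out
    Write-Host "Recovery password saved to $out; store it away from this machine."
    return $vol
}

function Get-BitLockerSummary {
    # One row per volume: protection state, cipher, progress and which protectors exist.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            PercentEncrypted = $_.EncryptionPercentage
            Protectors       = ($_.KeyProtector.KeyProtectorType -join ',')
        }
    }
}

Enable-SystemDriveBitLocker | Out-Null
Get-BitLockerSummary | Format-Table -AutoSize
```

Protection only reports "On" once the initial encryption pass completes; until then Get-BitLockerSummary shows the percentage. Keep the saved recovery password somewhere that survives the laptop being lost, since that is exactly when you need it.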
You can still store all business related data in VeraCrypt containers or on external drives for additional security.

To enable BitLocker: File Explorer > Right click C: > Turn on BitLocker.

VeraCrypt

I use VeraCrypt, a free and open-source (FOSS), cross-platform disk encryption solution that passed an independent audit. You too can learn to memorize a 32+ character passphrase.

VeraCrypt supports encrypting non-system GPT partitions/drives. To encrypt your entire system drive (at the time of writing), you need to partition your disk as an MBR (Master Boot Record) disk and not the default GPT (GUID Partition Table) format. Converting later will require a full reformat or purchasing commercial partitioning software. You can also choose to use a VeraCrypt encrypted file container on top of BitLocker/SSD FDE.

The above information combined with the documentation should be sufficient for you to accomplish this. Read their security model to understand what it does and does not protect you from.

BIOS Configuration

Your Basic Input Output System (BIOS) is the codebase which initializes your hardware and loads the files that boot your Operating System. Do not be intimidated by its old DOS-like interface and cryptic options. Use a search engine to investigate options unique to your variant and version.

Visit your vendor's website and download their tool to update your BIOS to the latest version (repeat this quarterly). IT professionals may want to take a look at NIST SP 800-147/147B.

If you are not planning on using VMware, dual-booting Unix, nor using VeraCrypt for FDE: enable Device Guard if you have Windows 10 Education or Enterprise, automatically enabling Intel Virtualization Technology & VT-d, UEFI Secure Boot, and OS Optimized Defaults. Device Guard, when configured, locks your device down so that it only runs trusted applications you have defined through your code integrity policies. More information is covered by this Microsoft TechNet article.
Disable Intel AMT, unless your organization uses this Intel vPro feature. There is a third option to disable it permanently, which cannot be undone. Enable Intel PTT (TPM 2.0) as it supports SHA-2 and elliptic curve cryptography, amongst other things. Decide yourself what to do about Intel SGX. Some are growing suspicious of Intel altogether.

Since I am planning on using VeraCrypt FDE, and dual-booting Windows 10 Pro with the future Qubes OS 4:

- I disabled Intel AMT, Device Guard, and Intel SGX. Intel is working on SGX Linux support, but I worry it might hinder me during my reverse engineering course.
- I disabled Flash BIOS updating by End-Users and enabled Secure RollBack Prevention.
- I enabled Data Execution Prevention (DEP).
- I enabled Intel Virtualization Technology and VT-d.
- I disabled my Integrated Camera and Microphone as I will not be using them.
- I disabled Computrace Absolute Persistence (a commercial Anti-Theft rootkit).
- I disabled Intel PTT (TPM 2.0) as most Windows security features will work with TPM 1.2. However, Qubes OS's Anti-Evil-Maid feature requires Intel TXT, which TPM 2.0 does support. Changing TPM will reset the chip, including any SSD encryption keys present!
- I set high-entropy Boot, User, and Master passphrases everywhere, enabling SSD FDE. Note that Lenovo does not permit the use of special characters.
- I disabled Secure Boot and enabled both UEFI and Legacy Boot (Qubes & VeraCrypt FDE both require a legacy MBR disk). Even though I cannot use Secure Boot, I can protect my system using MBRFilter.
- I disabled all Boot devices except for my SSD and USB devices. Upon successful installation, I disabled those as well. Network Boot is set to my hard drive.

Save and exit settings to reboot from your Installation Media.

v1703 — Creators Update Notes

I would only recommend installing v1703 fresh, as the built-in upgrade process resulted in a hobbled and inconsistent OS.
None of the Windows recovery options or troubleshooting tools resolved this; I ended up using the "Reset this PC" functionality. I've pushed on and am now single-booting Windows 10 "Redstone 2" with TPM 2.0, Device Guard and BitLocker enabled. Backups, backups, backups!! Ensure you back up the BitLocker recovery key!

Windows Installation

As stated, modern malware (bootkits, rootkits) is very persistent and hard to detect, and Microsoft upgrades have always been buggy. I recommend everyone start with a fresh installation of Windows 10.

During installation and setup please:

- Delete all existing partitions and completely format your hard drive.
- Do not connect to your wireless or wired network.
- Skip any Microsoft.com account creation. Do not connect with an existing Microsoft account either.
- Select advanced options. Disable all "recommended" settings.
- Name your account after your favorite SyFy or Disney character, not your legal name.
- Use a decent password and no useful password hint (NIST 800-63-3).
- Say "no thanks" to Windows Hello. Say "not now" to Meeting Cortana.
- Do not connect to your wireless or wired network after login.

There will not be much benefit to creating a non-administrative user. Your system remains offline.

Side-loading updates

I highly recommend side-loading essential applications, vendor drivers, and Windows updates. When you first boot up, Windows is far from trustworthy. It is full of holes and reporting back to its overlords. At the very least you are vulnerable to local MITM attacks.

- Format and prepare a USB stick from within a disposable VM.
- Download all relevant Microsoft updates using WSUS Offline Update. Installing these will take some time.
- Visit your vendor's website and download their tool to bring the system BIOS up to date, as well as all other drivers.
- If you have an SSD, I recommend updating its firmware as well.
With some vendors this requires an internet connection; if you are concerned about your privacy, postpone for now.

- Download and run the essential privacy applications and security software we discuss below. Depending on your threat model, cryptographic verification of the executables you download is essential.

Complete the above installation tasks. Your system remains offline.

Security & privacy tools

Until we get into Group Policy Editor and Windows Firewall territory, I recommend running a few consumer tools to kick off the process:

- Debloat and tweak your base system with /r/tronscript.
- Save the WindowsSpyBlocker hosts list as HOSTS.TXT in your Blackbird folder and apply it to your system. Blackbird is currently not compatible with v1703; modify C:\Windows\System32\Drivers\etc\hosts manually instead.
- Reboot, and apply the remaining tweaks with Fix Windows 10 Privacy. This tool is currently not compatible with v1703.
- Optionally, evaluate Destroy Windows 10 Spying (DWS) and O&O ShutUp10; v1703 users are advised to evaluate WPD.
- Take control of your USB ports with the BiniSoft or ElevenPaths tools. Note that you can also control this using Group Policy (discussed further down).
- Take a close look at what Beamgun can do to protect you against LAN Turtles and Rubber Duckies. Not compatible with v1703 at time of writing.
- Pick your preferred AntiVirus if Windows Defender isn't it.
- Consider using Personal Software Inspector or Heimdal FREE to alert you when updates are available for the software you have installed. Note that this tool shares some information with a 3rd party (a U.S. IT security company).
- Download the extremely useful Sysinternals Suite!

Unless manually enforced using a Group Policy Object, Microsoft will re-enable telemetry, firewall rules, and unwanted features during the next Feature upgrade or if you ever run System File Checker (sfc).
You would be wise to update and re-run your preferred privacy tools after a major Windows 10 release; these projects do a good job staying on top of things. Check their compatibility first! They all seem to behave slightly differently. Use Process Monitor to reverse engineer their actions if you want to enforce them using Group Policy/Scripts (or across AD connected workstations). Your system remains offline.

Exploit Mitigation

One of the best things you can do to improve your security is install and configure the Enhanced Mitigation Experience Toolkit (EMET). Carnegie Mellon University recently argued its continued benefits for Windows 10 users despite Microsoft announcing its End of Life by July 31, 2018. They have incorporated some of its protections in v1703.

- Install EMET 5.5x. Use the Recommended Settings when prompted.
- A new system tray icon will appear; click it to open up the user interface.
- Select the Maximum Security setting under Quick Profile and enable Early Warning.
- Restart your system.

At time of writing, I had a small issue with Chrome after enforcing EMET's Popular Programs via Group Policy. The solution was to configure it via the GUI and turn off 'EAF+' (Export Address Table Access Filtering Plus) for Chrome only.

I also like the idea behind 0patch.com. Your system remains offline.

Turn off Windows Features

We want to reduce our system's attack surface as much as possible, which means removing features and outdated capabilities we will never use.

Control Panel > Turn Windows features on or off

You will want to go over which Windows Features to turn off. I enabled the Hyper-V and IIS Management Tools as well as a few Device Lockdown features, but removed .NET 3.5, SMB v1 and PowerShell 2. You could go much further. For the v1703 remake, I disabled all Windows features and haven't had an issue yet. Your system remains offline.
Turn off Windows Services

When you run Sysinternals Autoruns with administrative privileges, it becomes a great tool to start managing the programs and services that are set to run at one point or another.

For now, under Administrative Tools > Services (or by running 'services.msc'), I disabled Geolocation for privacy and a few services that are vulnerable to Bloodhound and Responder. Right click on a Windows Service > Properties:

- Stop the 'WinHTTP Web Proxy Auto-Discovery Service' (WPAD) and set its 'Startup Type' to Disabled, removing a method Responder relies on. The IP Helper service depends on WPAD and will be stopped; disable it as well.
- Disable 'TCP/IP NetBIOS Helper'; any file-sharing is done over SMB nowadays.

The debloat-windows-10 and chill-out-windows-10 Github projects have more suggestions. Unfortunately, with the v1607 Anniversary Update, Microsoft removed our ability to enforce this from Group Policy. Your system remains offline.

Turn off Networking Capabilities

There are a few modifications we should make to our Wi-Fi Settings and Network Adapters.

First, make it more difficult to track your location across Wi-Fi networks: go to Settings > Wi-Fi and switch on 'Use random hardware addresses'. This will cause minor issues in environments where Static DHCP or MAC Filtering is in use. You could use Technitium MAC Address Changer's command line to accomplish this for your Ethernet LAN interface.

Go to Settings > Ethernet > Ethernet > Change adapter options, or Control Panel > Network and Sharing Center > Change adapter settings. Right-click on any Network Adapter > Properties and uncheck:

- Client for Microsoft Networks
- File and Printer Sharing for Microsoft Networks
- QoS Packet Scheduler
- Microsoft Network Adapter Multiplexor Protocol
- Microsoft LLDP Protocol Driver
- Internet Protocol Version 6 (TCP/IPv6)
- Link Layer Topology Discovery Responder
- Link Layer Topology Discovery Mapper I/O Driver

In that same window, select 'Internet Protocol Version 4 (TCP/IPv4)' and click the Properties button.
From there click the Advanced button, uncheck 'Register this connection's addresses in DNS' on the DNS tab, and select 'Disable NetBIOS over TCP/IP' on the WINS tab. Repeat these steps for all appropriate network adapters. Your system remains offline.

Uninstall Software

I run most of my tools from inside a Virtual Machine. I have both Oracle VirtualBox and VMware Workstation installed. You are advised to do the same. Those files I receive via my mail client and open up with my favorite office suite pose the highest risk, let alone the malicious samples I eagerly download with my web browser!

I do have a few tools I use outside of a VM: Bandizip / BleachBit / CherryTree / Divvy / GPG4Win / Greenshot / Glary / Hash Explorer / herdProtect / HitmanPro / KeePass / MacDrive / Navicat / Nmap / paint.NET / Pritunl / Tmac / Resilio Sync / SimpleDNSCrypt / Sublime Text / SunsetScreen / VLC / VirtualBox / VMware Workstation / WinSCP / Wireshark / Xmind / XnViewMP.

Freemium apps tend to 'offer' to install additional software or change your browser's homepage. Always choose to customize your install. I block all outbound connections using my Windows Firewall, and I only whitelist those apps that check for updates over HTTPS to do so automatically. For added security do not install apps that are not digitally signed.

Java's "3 Billion devices": a terrifying thought. I quickly uninstalled the following:

- Adobe Flash, Java, Skype & all Windows Store apps.
- All Lenovo apps, except for On Screen Display and Power Management Driver.
- Intel Management Engine (Intel ME) Components & Intel Security Assist.
- Intel PROSet/Wireless Software (provided by Lenovo).*
- Intel WiDi (support ended October 2016).

*I grabbed the latest drivers for my network card from Intel.com (Lenovo is always behind). For these drivers I chose not to install the Software Extensions nor the Administrative Toolkit.

A reboot may be required. Keep your system offline.
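The Windows Features, Windows Services and Networking Capabilities steps from the sections above, scripted so they can be re-run after every Feature upgrade. This is an added example and not code from the original article; the feature, service and binding identifiers are the stock Windows 10 ones, and the script assumes every physical adapter should get the same treatment.

```powershell
# Added example, not from the original article: attack-surface reduction that
# survives re-running. Assumes stock Windows 10 feature/service names and that
# all physical adapters should be treated alike. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

# 1. Optional features the article removes: SMBv1, PowerShell 2.0, .NET 3.5
foreach ($f in 'SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root', 'NetFx3') {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $f).State
    if ($state -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $f -NoRestart | Out-Null
        Write-Host "disabled feature $f"
    }
}

# 2. Services: WPAD (WinHttpAutoProxySvc) and IP Helper (iphlpsvc), which depends
#    on it, the NetBIOS helper (lmhosts) and Geolocation (lfsvc). -Force on the
#    WPAD stop takes its dependents down with it.
foreach ($s in 'WinHttpAutoProxySvc', 'iphlpsvc', 'lmhosts', 'lfsvc') {
    if (-not (Get-Service -Name $s -ErrorAction SilentlyContinue)) { continue }
    Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
    Set-Service -Name $s -StartupType Disabled
    Write-Host ("service {0,-20} -> {1}" -f $s, (Get-Service -Name $s).Status)
}

# 3. Adapter bindings the article unchecks, by component ID
#    (Get-NetAdapterBinding lists the ID next to each display name)
$bindings = @(
    'ms_msclient'   # Client for Microsoft Networks
    'ms_server'     # File and Printer Sharing for Microsoft Networks
    'ms_pacer'      # QoS Packet Scheduler
    'ms_implat'     # Microsoft Network Adapter Multiplexor Protocol
    'ms_lldp'       # Microsoft LLDP Protocol Driver
    'ms_tcpip6'     # Internet Protocol Version 6 (TCP/IPv6)
    'ms_rspndr'     # Link-Layer Topology Discovery Responder
    'ms_lltdio'     # Link-Layer Topology Discovery Mapper I/O Driver
)
foreach ($nic in Get-NetAdapter -Physical) {
    foreach ($b in $bindings) {
        Disable-NetAdapterBinding -Name $nic.Name -ComponentID $b -ErrorAction SilentlyContinue
    }
    # DNS tab: 'Register this connection's addresses in DNS' off
    Set-DnsClient -InterfaceIndex $nic.ifIndex -RegisterThisConnectionsAddress $false
}

# 4. WINS tab: NetBIOS over TCP/IP off on every interface. Stored per interface
#    GUID under NetBT; 2 = disabled.
$ifKeys = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $ifKeys | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
}

# 5. Check: nothing should be bound to NetBIOS (137/138) any more. LLMNR (5355)
#    is a DNS Client policy, not a service, so it may still show until that is set.
Get-NetUDPEndpoint | Where-Object LocalPort -in (137, 138, 5355) |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Unbinding ms_tcpip6 switches IPv6 off on that adapter, which is the author's choice above; leave it bound if you need IPv6. Re-run the script after a Feature upgrade and after running sfc, since both are known to put these back.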
OpenDNS

Ever since OpenDNS rebranded itself as an enterprise security company and finally implemented RFC compliant DNS (no custom redirects, no ads), they have become a great alternative to your ISP's or Google's DNS. You can increase your internet speed and improve your security posture by setting the DNS servers (on your device and router) to these IP addresses:

208.67.222.222
208.67.220.220

By default OpenDNS blocks resolution of known malicious domains only. If you sign up for a free account, you can shield your networked devices even further, useful when you have kids or a Social Media addiction.

This does not stop a Man-in-the-Middle (MiTM) attack. Your "URL to IP address" translation requests are not encrypted!

DNSCrypt

The Domain Name System (DNS) is the reason your Internet Service Provider (ISP) knows exactly which websites you are visiting. Many countries, including Germany, the United Kingdom, and the United States, allow their Federal police to hack their citizens.

DNSCrypt is an excellent way to verify that responses originate from the chosen DNS resolver and have not been spoofed. It does not provide end-to-end security (the resolver still sees every query), prevent "DNS leaks", or stop a third-party DNS resolver from logging your activity. Higher level TLS, as used in HTTPS and HTTP2 (SPDY), also leaks website host names in plain text (SNI), rendering DNSCrypt useless as a way to hide this information.

SimpleDNSCrypt is the most up to date implementation for Windows 10. I opted to disable IPv6 and will revisit the hidden (virtual) NICs at another time.

Restart your system. It should be 'OK' to take it online now.

Virtual Private Networks

Your internet history is accessible to at least 48 institutions without a warrant in the United Kingdom. Other countries are doomed to follow.

"Privacy is a transient notion.
When people stopped believing God could see everything, governments realized there was a vacancy open." — Roger Needham

It is strongly recommended to encapsulate all network traffic beyond your own country's borders using a Virtual Private Network. At best a VPN provides more privacy. Do not count on it for anonymity: the problem with most "VPN providers" is that you do not know what is really going on behind the scenes. I can, therefore, not endorse any VPN solution.

Personally, I run a hardened Linux instance with Algo VPN that sets up a secure personal IPsec VPN for my mobile devices, and for when I'm connecting over a public WiFi. We use Streisand for instances we tear down at the end of the day. It generates a user-friendly HTML file with instructions to connect to the newly provisioned server running L2TP/IPsec, OpenSSH, OpenVPN, Stunnel, and a Tor bridge. Easy to share with others. Not all VPS servers are alike; Linode is a personal favorite of mine.

UnGoogled Chromium

I consider Google Chrome one of the more secure (by design) browsers. Because there is an open-source version, someone created UnGoogled Chromium, stripped free of Google integration, resulting in a more private (and so much faster!) browsing experience.

UnGoogled Chromium has pre-built packages available. It comes with "secure defaults" but a few caveats: plugins/extensions require manual installation; FIDO U2F security keys will not work without this extension; it does not notify you when visiting malicious sites; and does it auto-update? I can't tell.

If you opt for a more traditional approach and fire up your Microsoft Edge browser to download Chrome or Firefox, be sure to ignore Bing's and Windows' attempts to dissuade you!

- Configure your browser to deny 3rd party cookies.
- Remove any bundled plugins/extensions installed by default.
- Disable any location/prediction/spellcheck services.
- Set StartPage as your homepage and search engine.
Nearly all web exploits, tracking and fingerprinting start with malicious JavaScript execution hosted by known malware domains. Remember that plugins increase your attack surface. Many other privacy extensions exist, but for me:

- In UnGoogled Chromium, try out ScriptSafe, uBlock Origin, uMatrix and HTTPS Everywhere (direct download links!).
- For Chrome, install ScriptSafe, uBlock Origin and HTTPS Everywhere. I also like Relevance, a private tab organizer (Chrome).
- With Firefox, install uMatrix, uBlock Origin and HTTPS Everywhere.

Consider blocking unencrypted web traffic and ultrasound audio. Review the options of every browser you have installed, including Internet Explorer/Edge. Take the time to configure each plugin on 'expert' mode!

Group Policy Editor/Objects

Windows Updates (and upgrades) tend to 'flip settings' back to their insecure defaults. Microsoft only seems to respect settings enforced using central Group Policy Objects (GPOs). Even if you are not a seasoned IT professional, you will love being able to manage most settings for all user accounts from a single program ('gpedit.msc'). An up to date settings reference for Windows 10 is available in Excel format.

This interface can be uncovered by executing 'gpedit.msc'. You can extend the capabilities of your Group Policy Editor by deploying Administrative Templates (.adml & .admx files).
For example, to control EMET with a GPO:

- From C:\Program Files (x86)\EMET 5.5\Deployment\Group Policy Files\
- Copy the .adml file to C:\Windows\PolicyDefinitions\en-US\
- Copy the .admx file to C:\Windows\PolicyDefinitions\

Repeat this for the set of Administrative Templates provided by Microsoft (the v1703 templates can be downloaded here):

- Download the file Windows10-ADMX.msi
- From C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions\
- Copy the .adml files to C:\Windows\PolicyDefinitions\en-US\
- Copy the .admx files to C:\Windows\PolicyDefinitions\

Templates are also available for Microsoft Office 2007 / 2010 / 2013 / 2016, as well as LibreOffice, Chrome and Firefox.

If you get an Access Denied error, you'll have to take ownership of the PolicyDefinitions folder first: right-click on the folder, go to Properties, then the Security tab. Click on Advanced, then the Owner tab, and change the owner to your account. Don't forget to tick the 'Replace all child object permissions' box.

We will use some of these extended capabilities to lock down the system, making it harder for anyone to disable your protections. A reboot may be required to load these extensions.

Secure Host Baselines

Several well-funded organizations give advice on what makes a configuration "secure":

- Australian Department of Defence (DoD)
- Center for Internet Security (CIS)
- Microsoft Security Guidance Blog
- U.K. National Cyber Security Centre (NCSC)
- U.S. Department of Defense (DoD)
- U.S. National Information Assurance Partnership (NIAP)
- U.S. National Institute of Standards and Technology (NIST)
- U.S. National Security Agency (NSA)

Establishing a Secure Host Baseline (SHB) is one of the NSA's top 10 mitigation strategies. I like the DoD Secure Host Baseline project on Github. It is a collection of PowerShell scripts that are relatively painless to apply.

Hit the Windows Key + X keyboard shortcut and launch Windows PowerShell (Admin).
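The template deployment above (the EMET 5.5 files and the Windows 10 ADMX set), scripted so it can be run from that admin PowerShell and repeated for any other template package. This is an added example and not code from the original article; the two source paths are the ones named above, the store is the stock C:\Windows\PolicyDefinitions, and the takeown/icacls fallback stands in for the right-click ownership steps.

```powershell
# Added example, not from the original article: copy Administrative Templates
# (.admx plus their language .adml) into the local policy store, taking
# ownership of the folder only if Windows refuses the write. Assumes the EMET
# and Windows 10 template paths named in the text and an en-US store.
#Requires -RunAsAdministrator

function Install-AdmxTemplates {
    param(
        [Parameter(Mandatory)][string]$SourceDir,   # folder holding *.admx, .adml beside them or in a language sub-folder
        [string]$Language = 'en-US',
        [string]$Store    = "$env:SystemRoot\PolicyDefinitions"
    )
    $langStore = Join-Path $Store $Language
    foreach ($dir in $Store, $langStore) {
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    }

    # EMET ships the .adml next to the .admx; the Windows 10 package uses an en-US sub-folder.
    $admx = Get-ChildItem -Path $SourceDir -Filter *.admx -File
    $adml = Get-ChildItem -Path @($SourceDir, (Join-Path $SourceDir $Language)) -Filter *.adml -File -ErrorAction SilentlyContinue

    $plan   = @{ $Store = $admx; $langStore = $adml }
    $owned  = $false
    $copied = 0
    foreach ($entry in $plan.GetEnumerator()) {
        foreach ($f in $entry.Value) {
            try {
                Copy-Item -Path $f.FullName -Destination $entry.Key -Force -ErrorAction Stop
            } catch {
                if ($owned) { throw }
                # TrustedInstaller owns PolicyDefinitions on a stock install: take
                # ownership once and grant local Administrators (S-1-5-32-544) full control.
                takeown.exe /F $Store /R /D Y | Out-Null
                icacls.exe $Store /grant '*S-1-5-32-544:(OI)(CI)F' /T | Out-Null
                $owned = $true
                Copy-Item -Path $f.FullName -Destination $entry.Key -Force -ErrorAction Stop
            }
            $copied++
        }
    }
    return $copied
}

function Test-AdmxPairs {
    # Every .admx needs a matching .adml in the language folder, otherwise
    # gpedit.msc opens with a "resource ... could not be found" error.
    param([string]$Store = "$env:SystemRoot\PolicyDefinitions", [string]$Language = 'en-US')
    $langStore = Join-Path $Store $Language
    $orphans = Get-ChildItem -Path $Store -Filter *.admx -File | Where-Object {
        -not (Test-Path (Join-Path $langStore ($_.BaseName + '.adml')))
    }
    return @($orphans.BaseName)
}

$sources = @(
    'C:\Program Files (x86)\EMET 5.5\Deployment\Group Policy Files'
    'C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions'
)
foreach ($src in $sources) {
    if (Test-Path $src) { '{0}: {1} files copied' -f $src, (Install-AdmxTemplates -SourceDir $src) }
}
$missing = Test-AdmxPairs
if ($missing) { 'ADMX without ADML (gpedit will complain): ' + ($missing -join ', ') }
```

Test-AdmxPairs is the check worth keeping: a stray .admx from an older template set with no .adml is exactly the error the DoD baseline section below runs into, and listing orphans beats hunting for them by hand.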
Run all the commands below from there:

Set-ExecutionPolicy Unrestricted

(Adding -Scope Process limits this to the current shell, so the machine is not left permanently willing to run unsigned scripts.)

Download the repository as a ZIP file, and unblock it:

cd $env:USERPROFILE\Downloads
Unblock-File -Path '.\Secure-Host-Baseline-master.zip'

Extract the ZIP file and remove "-master" from both directories created. In the PowerShell terminal, navigate down to the directory and import the Group Policy PowerShell module:

cd $env:USERPROFILE\Downloads\Secure-Host-Baseline
Import-Module -Name '.\Secure-Host-Baseline\Scripts\GroupPolicy.psm1'

You will need to extract the Microsoft Local Group Policy Object (LGPO) utility to a known location. Make sure to reference full paths in the command below to avoid any errors. I have no need for cryptographic DoD certificates:

Invoke-ApplySecureHostBaseline -Path 'C:\...\Secure-Host-Baseline\' -PolicyNames 'Adobe Reader','AppLocker','Chrome','EMET','Internet Explorer','Office 2013','Windows','Windows Firewall' -ToolPath 'C:\...\LGPO.exe'

You will notice that, for example, more of your Chrome settings are now enforced using group policy, some of which I will reverse. That said, it is not perfect: I had to manually delete an old set of ADMX/ADML files to launch my Local Group Policy Editor error free. Chrome has most of its plugins disabled, the search engine is locked to a faulty version of Google SSL, and my homepage is now a .mil site. A reboot is required to apply all changes successfully.

Microsoft Security Compliance Manager

Microsoft has released an excellent tool which allows you to apply their "Recommended Security Baselines": Security Compliance Manager 4 (SCM). This tool will soon be replaced by the DSC Environment Analyzer (DSCEA), likely before the v1703 security baselines are ready for production, so keep that in mind.

Install and configure Security Compliance Manager 4 (SCM). Be aware that this tool requires .NET Framework 3.5 (includes .NET 2.0 and 3.0) and installs SQL Server 2008 Express (x86), increasing your attack surface.
Once installed, under the 'Get knowledge' column, you can download Microsoft baselines automatically for Windows 10 v1607, Internet Explorer 11 and Office 2007/2010/2013. Check out the Attachments\Guides section for the SecGuide ADMX/ADML to install and any supplemental documentation. You have to Duplicate a baseline before it can be customized.

If you wish to apply any SCM baseline to your system, you can export a GPO backup folder and use the LGPO tool's /g switch.

Microsoft Policy Analyzer

Another tool to geek out over is Microsoft Policy Analyzer, which shows the differences between your local policy/registry and as many GPO backups as you Add & select. In the Policy Viewer, the information displayed can be filtered and searched, or exported to Excel format. Conflicts are shown in yellow. The DoD Secure Host Baseline template has the more secure defaults in most cases, but you will find that a hybrid of both fits your particular use-case.

Customizing Group Policy

There is no substitute for manually stepping through my options with the Group Policy Editor (by running 'gpedit.msc'). Improve its readability by sorting the 'Setting' or 'State' column. The wording for some settings can be very counter-intuitive. Luckily each option has a clear description. Most of the relevant settings are found under these Policy Paths:

- Computer Configuration > Windows Settings > Security Settings
- Computer Configuration > Administrative Templates > System
- Computer Configuration > Administrative Templates > Windows Components
- User Configuration > Administrative Templates

Apply any changes by executing the command below in any admin shell:

gpupdate.exe /Force

It can be very insightful to repeat this step as new CIS benchmark documents are released.

Merging Baselines

The information the Policy Analyzer gives me allows me to quickly combine the best of two baselines together and customize my settings as desired.
- I eased my Account Lockout Policy (duration).
- I require VMware compatibility to do my job (a nonissue in v1703).
- I disabled Windows Defender (and SpyNet) for privacy reasons.
- I white-listed my desired Chrome Extensions and relaxed other settings.
- I disabled program execution from removable drives.

Despite primarily working from VMware, some settings aimed at improving security would interfere with me during a penetration test, such as those limiting the number of simultaneously active network adapters or preventing me from creating a layer 2 MAC bridge between them.

Less Telemetry

As you are stepping through your options, you will not only discover Chrome has a Dinosaur Easter Egg Game, but that many apps have some form of:

- Advertising ID
- Cloud Sync
- Error Reporting
- Experience Improvement
- Customer Experience Improvement Program (CEIP)
- Telemetry
- Usage Statistics

The DoD baseline has done a good job disabling most, but not all. Note that unless you have a Windows Enterprise or Education license, you will not be able to disable Telemetry entirely.

Strict policy reapplication

Make sure to enforce strict reapplication of critical policies. Under Adm. Templates > System > Group Policy, enable 'Process even if the Group Policy objects have not changed' for: Folder redirection, IP security, registry, scripts, security, Services preference, software installation, wired, and wireless policy processing.

Deny access from the network

I will never need to remotely log in to my workstation. Under Windows Settings > Security Settings > Local Policies > User Rights Assignment, add 'Local account and member of Administrators group' to:

- 'Deny access to this computer from the network'
- 'Deny log on through Remote Desktop Services'

Windows DNS Client

Windows 10's DNS Client just accepts whichever response it receives first, not necessarily the one from your intended DNS server. Under Adm. Templates > Network > DNS Client:
Turn off smart multi-homed name resolution’ to disable LLMNR. ‘Turn off multicast name resolution’ for good measure. ‘Turn off smart protocol reordering’ We can later enforce this policy using Windows Firewall as a technical control. Windows NTP Client Configure the Windows Network Time Protocol (NTP) Client to servers — perhaps At least till Google’s ‘ ’ is synchronizing our clocks. use trusted, non-Microsoft, even authenticated ones. roughtime protocol SSL/TLS Standards You can enforce the use of system-wide: modern TLS standards Adm. Templates > Network > SSL Configuration Settings. To determine which ECC curves are supported on your system, use the following command: CertUtil.exe -DisplayEccCurve like SQL Server 2008 Express (Windows Event Viewer is your friend). This usually breaks older applications Lucky for us Google Chrome is state of the art: . Adm. Templates > Google > Google Chrome (HTTP2), set and set to Disabled. ‘Disable the SPDY protocol’ ‘Minimum SSL version enabled’ ’ to TLS 1.2 ‘Enable WPAD optimization’ Review the tab and uncheck , check . Disable WPAD on the uncheck Control Panel > Internet Options > Advanced ‘Use HTTP2’ ‘Send Do Not Track requests’ Connections tab > LAN Settings > ‘Automatically detect settings’. Additional Privacy Adm. Templates > Windows Components > Internet Explorer. I granted myself the privilege to delete my IE browsing history. Adm. Templates > Windows Components > Location and Sensors. I turned off all Sensors. Microsoft EMET Re-configure Microsoft EMET for maximum security: Adm. Templates > Windows Components > EMET Set System DEP to ‘Always On’ Enable ‘Default Protections for Popular Software’ At time of writing, I had a small issue with Chrome after enforcing EMET’s Popular Programs via Group Policy. The solution was to configure it via the GUI and turn off ‘EAF: Extended Table Access Filtering Plus’ for Chrome only. 
LSA Protection

It is recommended to configure additional LSA Protection to defeat tools like MimiKatz. Under Adm. Templates > MS Security Guide (a custom template from SCM4) enable ‘Lsass.exe audit mode’. Reboot and check the Windows Event Viewer for event codes 3065 and 3066 — those are drivers that do not meet security standards. Sysinternals Autoruns will show unsigned drivers in a different color; under Options > Scan Options you can enable code signature verification and submission to VirusTotal.com. Go back and enable ‘LSA Protection’ if all your drivers are properly signed.

WDigest Authentication should already be disabled to prevent transmission of credentials across the network as a weak MD5 hash or message digest.

Microsoft Office

If you are installing Microsoft Office outside of a VM (not recommended!): Customize your install and do not install potentially vulnerable extensions. The DoD and Microsoft Baselines do not have a policy for Office 2016 yet; copy the settings from an earlier version. Double check the Security Settings & Telemetry Dashboard for each of the Microsoft Office suites under User Configuration > Administrative Templates. I disabled Telemetry & all ActiveX and VBA. ‘Block macros from running in Office files from the Internet’ under Options > Security > Trust Center for each Microsoft Office product.

Office OLE Automation

You should also disable Office OLE Automation for Outlook. Note that an attacker can still embed code inside Office documents.

Launch the Windows Registry Editor (regedit.exe). Browse to: HKEY_CURRENT_USER > SOFTWARE > Microsoft > Office > # > Outlook > Security (# = 12.0/14.0/15.0/16.0). Create a new ‘DWORD (32-Bit) Value’ called ‘ShowOLEPackageObj’ and set it to ‘0’. Registry changes require a reboot.

Net Session Enumeration

Run the NetCease PowerShell script to mitigate against a method Bloodhound uses.

cd $env:USERPROFILE\Downloads
Unblock-File -Path '.\NetCease.zip'
# extract the archive, then run the script from the extracted folder
.\NetCease\NetCease.ps1

Restart the Server service (or reboot).
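The registry and policy changes discussed so far (the DNS Client settings, WDigest, the LSA audit-then-protect sequence and the Outlook OLE value) and the WPAD and Windows Script Host values from the next two sections, as one audit-then-apply script. This is an added example and not the article’s own code: the three DNS Client value names under the Policies key are my assumption of how gpedit stores those settings, and the CodeIntegrity log is where I expect the 3065/3066 audit events.

```powershell
# Added example, not from the article: audit the registry values behind the
# settings above and apply the ones that differ. Run from an elevated shell.
# Paths come from the article, except the DNS Client policy values (my
# assumption of how gpedit stores those three settings; check the ADMX).
$Settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'DisableSmartNameResolution'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'EnableMulticast'; Value = 0 }   # LLMNR off
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'DisableSmartProtocolReordering'; Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential'; Value = 0 }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Outlook\Security'; Name = 'ShowOLEPackageObj'; Value = 0 }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'; Name = 'WpadOverride'; Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'UseDomainNameDevolution'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Name = 'Enabled'; Value = 0 }
)

function Test-RegistryHardening {
    # One object per setting: current value (null if absent), desired value, verdict.
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Current = $current
                           Desired = $s.Value; Compliant = ($current -eq $s.Value) }
    }
}

function Set-RegistryHardening {
    # Creates missing keys and writes the DWORDs; honours -WhatIf so you can preview.
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($r in (Test-RegistryHardening | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess("$($r.Path)\$($r.Name)", "set DWORD to $($r.Desired)")) {
            if (-not (Test-Path -Path $r.Path)) { New-Item -Path $r.Path -Force | Out-Null }
            Set-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Desired -Type DWord
        }
    }
}

function Test-LsaAuditClean {
    # LSA Protection is not flipped blindly: while 'Lsass.exe audit mode' (AuditLevel = 8)
    # is on, drivers that would be rejected log CodeIntegrity events 3065/3066.
    $bad = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } -ErrorAction SilentlyContinue
    if ($bad) { $bad | ForEach-Object { Write-Warning $_.Message }; return $false }
    return $true
}

Test-RegistryHardening | Format-Table Name, Current, Desired, Compliant -AutoSize
Set-RegistryHardening -WhatIf                     # drop -WhatIf to apply, then reboot
if (Test-LsaAuditClean) {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -Value 1 -Type DWord -WhatIf
}
```

Re-run Test-RegistryHardening after the reboot: a baseline or update that rewrites one of these values shows up as a Compliant = False row.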
Web Proxy Auto-Discovery Protocol (WPAD)

We already disabled the ‘WinHTTP Web Proxy Auto-Discovery Service’ service and unchecked the ‘Auto-detect settings’ Internet Options property.

Launch the Windows Registry Editor (regedit.exe). Browse to: HKEY_CURRENT_USER > SOFTWARE > Microsoft > Windows > CurrentVersion > Internet Settings > Wpad. Create a new ‘DWORD (32-Bit) Value’ called ‘WpadOverride’ and set it to ‘1’.

Browse to: HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Tcpip > Parameters. Set the existing ‘UseDomainNameDevolution’ to ‘0’. Registry changes require a reboot.

Windows Script Host (WSH)

Malware often abuses functionality that allows apps and processes to be automated; Windows Script Host is a classic example. We can disable most of the Windows Scripting capabilities:

Launch the Windows Registry Editor (regedit.exe). Browse to: HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows Script Host > Settings. Create a new ‘DWORD (32-Bit) Value’ called ‘Enabled’ and set it to ‘0’. Disabling WSH may prevent you from running .bat batch files.

Windows Firewall with Advanced Security

Windows Firewall (WFAS) is our technical security control that enforces our intended policies and supplements them when needed. For example, we cannot use Group Policy to reinforce that our DNS requests are only sent to the local DNSCrypt proxy or specific OpenDNS servers. I have extensively experimented with various alternatives and Windows Firewall graphical front-ends to speed up my workflow — all had significant usability or security flaws.

You can see every existing Firewall rule using the ‘Windows Firewall with Advanced Security’ desktop app (or by running ‘WF.msc’). Firewall settings and rules are best created using the now familiar Group Policy Editor, under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security. First add a rule that blocks all outgoing and incoming traffic: Click ‘Windows Firewall Properties’.
For each profile (Domain, Private, Public) use the drop-down to ‘Block’ all Outbound connections. Explore the Settings and Logging customization options for each.

Important: by default Windows Firewall has a legion of local inbound and outbound exceptions (‘WF.msc’). Disabling these in ‘WF.msc’ is only a temporary fix. Unless you create an explicit Block rule for each or disable merging of local firewall rules for each profile’s settings using Group Policy (‘gpedit.msc’), Microsoft will re-enable them after a major update. Furthermore, applications often create their own exceptions.

Now let’s allow our Windows DNS Client to function. Under ‘Outbound Rules’ Right click > New Rule…

- Rule type: ‘Custom’
- Program path: ‘%SystemRoot%\System32\svchost.exe’
- Protocol type: TCP
- Remote port: Specific Ports / 53
- Scope > remote IP addresses > Add > Predefined set of computers: DNS servers
- Allow the connection / for all profiles / give it an appropriate name

Repeat the same steps for ‘svchost.exe’ to allow our Windows NTP Client (UDP / 123) and Windows Update (TCP / 80,443).

A few examples of processes I allow to make outbound TCP connections:

- %ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe
- %ProgramFiles(x86)%\Google\Update\GoogleUpdate.exe
- %ProgramFiles(x86)%\Samsung Magician\Samsung Magician.exe
- %ProgramFiles(x86)%\VMware\VMware Workstation\vmware.exe
- %ProgramFiles%\HitmanPro\HitmanPro.exe
- %ProgramFiles%\Windows Defender\NisSrv.exe
- %SystemRoot%\syswow64\vmnat.exe

My inbound rules consist solely of Core Networking and specific application exceptions. Force yourself to apply the principle of minimal privilege. GoogleUpdate and HitmanPro should only connect to port 443 over TCP. ‘Connected User Experiences and Telemetry DiagTrack’ should be explicitly blocked.

AppLocker

One of the most powerful defense strategies is whitelisting which applications are allowed to run with Windows AppLocker.
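Before the AppLocker details, the firewall policy from the section above as a script: an added PowerShell example using the NetSecurity cmdlets that ship with Windows 10, not the article’s own code. Rule names are mine; binding each svchost rule to its hosting service with -Service is my refinement of the article’s path-only rules.

```powershell
# Added example, not from the article: the default-deny profile settings and the
# svchost exceptions above, using the built-in NetSecurity cmdlets (elevated shell).
# Binding each rule to a -Service as well as the svchost.exe path is my refinement:
# it stops every other service hosted in svchost from inheriting the exception.

# 1. Block by default on all profiles and stop locally defined rules from being
#    merged back in after a major update (the "legion of exceptions" problem).
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -AllowLocalFirewallRules False -LogBlocked True

$svchost = '%SystemRoot%\System32\svchost.exe'

# 2. DNS Client (Dnscache): the resolver uses UDP 53 and falls back to TCP 53 for
#    large answers; 'DNS' is the built-in keyword for the adapter's DNS servers.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Allow DNS Client ($proto 53)" -Direction Outbound `
        -Program $svchost -Service Dnscache -Protocol $proto -RemotePort 53 `
        -RemoteAddress DNS -Action Allow -Profile Any
}

# 3. NTP client (W32Time) and Windows Update (wuauserv), as in the article.
New-NetFirewallRule -DisplayName 'Allow NTP Client' -Direction Outbound `
    -Program $svchost -Service W32Time -Protocol UDP -RemotePort 123 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Allow Windows Update' -Direction Outbound `
    -Program $svchost -Service wuauserv -Protocol TCP -RemotePort 80, 443 -Action Allow -Profile Any

# 4. Minimal privilege for an updater: one program, one port.
New-NetFirewallRule -DisplayName 'Allow GoogleUpdate (TCP 443)' -Direction Outbound `
    -Program '%ProgramFiles(x86)%\Google\Update\GoogleUpdate.exe' `
    -Protocol TCP -RemotePort 443 -Action Allow -Profile Any

# 5. Explicit block for telemetry: a Block rule wins over any Allow that a later
#    update or application might add for the same service.
New-NetFirewallRule -DisplayName 'Block DiagTrack telemetry' -Direction Outbound `
    -Program $svchost -Service DiagTrack -Action Block -Profile Any

# Verify: every enabled outbound Allow rule with the program and service it is bound to.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Service = ($_ | Get-NetFirewallServiceFilter).Service
    }
} | Format-Table -AutoSize
```

Rules created this way live in the local policy; to survive the merge behaviour described above they need to be recreated in the Group Policy object, or local rules must stay disabled from merging as in step 1.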
By now AppLocker is already running in ‘Audit only’ mode — all processes executed by users are logged to the Event log, including the full path of the program. As a first step you could blacklist your home and temporary directory, as well as other paths a regular user has write access to. Next, only allow the execution of files in directories you trust (i.e. %ProgramFiles% and %WinDir%). Use AccessEnum to verify there are no user-writable directories there (like MS-SQL’s ‘ErrorReporting’!).

All AppLocker policies are created and managed using Group Policy under: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker. Your goal is to whitelist only those applications you trust, by path but preferably by their digital signature.

For the paranoid

Despite dedicating over 6,000 words to the topic, there is always more we can do and new attack vectors are published every month.

Windows Spy Blocker

I want to revisit the WindowsSpyBlocker GitHub project, as it has a robust approach to the problem and is continuously updated. Installing an application layer proxy and generating a unified hosts file with Blackbird yourself is strongly recommended. I will probably incorporate this.

Sysmon

Sysmon is another free tool from Windows Sysinternals. It is a background monitoring tool that logs to the Windows event log — is very feature rich — and gives you more visibility into the live state of your endpoint. See the author’s presentation “How to go from Responding to Hunting with Sysinternals Sysmon”, this write-up by the founder of Graylog and the webcast by BHS.

MBRFilter

In the fight against ransomware, bootkits & rootkits, Cisco’s Talos has released the MBR Filter Driver. This essentially sets your Master Boot Record to read-only. It is relatively easy to install. Read the original blog post here. This tool is not for UEFI/SecureBoot systems.
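Back to the AppLocker section above: the two checks it asks for (no user-writable directories inside the paths you whitelist, and a look at what audit mode has recorded) as an added PowerShell example, not the article’s own code. The AppLocker log name, event IDs 8003/8004 and the UserData/RuleAndFileData XML layout are as I know them for Windows 10.

```powershell
# Added example, not from the article: (1) find directories under the paths you
# intend to whitelist that a low-privilege user can write to (what AccessEnum
# shows), and (2) summarise AppLocker's audit-mode events. The event XML layout
# (UserData/RuleAndFileData) is as I know it for Windows 10.
$LowPrivIdentities = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'Everyone', 'NT AUTHORITY\INTERACTIVE'
# WriteData (0x2) | AppendData (0x4) plus GENERIC_WRITE and GENERIC_ALL, which
# show up on inherit-only ACEs that only children of the directory receive.
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Find-UserWritableDirectory {
    param([string[]] $Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:WinDir),
          [int] $Depth = 3)
    foreach ($dir in (Get-ChildItem -Path $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $hits = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivIdentities -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $WriteMask) -ne 0 })
        if ($hits.Count) {
            [pscustomobject]@{ Path = $dir.FullName; WritableBy = ($hits.IdentityReference.Value -join ', ') }
        }
    }
}

function Get-AppLockerAuditSummary {
    # 8003 = ran but would have been blocked under enforcement; 8004 = blocked.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -ErrorAction SilentlyContinue)
    $rows = foreach ($e in $events) {
        $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ Id = $e.Id; File = $d.FilePath; User = $d.TargetUser }   # TargetUser is a SID
    }
    $rows | Group-Object File | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'File'; e = { $_.Name } },
                      @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
}

Find-UserWritableDirectory | Format-Table -AutoSize
Get-AppLockerAuditSummary | Format-Table -AutoSize
```

Expect hits such as %WinDir%\Temp and %WinDir%\Tasks; those are the paths to carve out with explicit deny rules before trusting %WinDir% by path.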
OSSEC HIDS

A free and open-source Host-based Intrusion Detection System with a very powerful correlation and analysis engine:

- Log analysis
- File integrity checking
- Windows registry monitoring
- Central policy enforcement
- Rootkit detection
- Real-time alerts
- Active responses

We monitor all our Linux, OpenBSD, MacOS and Windows hosts with it. If you want to run it locally, you will need to set it up in a host-only Linux VM as Windows support is limited to an installable agent. Works great in combination with Graylog!

Two Factor Authentication

Solely relying on a username/password or even out-of-band SMS authentication using your cell phone will not be secure enough in 2017 (NIST 800–63A/B/C). U2F security keys are your best hope against account takeovers. I highly recommend buying and learning how to use a Yubikey. The YubiKey 4 is now closed-source but the NEOs are still using open-source code others can independently verify. It integrates well with Windows 10.

Do you have any advice? Corrections or additions? Do not hesitate to reply. Feel free to share your experiences, advice, and questions in private or through the comments section.