Microsoft Windows 7 - Hardening Guide (Manchester - 10.04.2012)
Author: Rafal Rajs (ElessaR) (email: elessar1@poczta.wp.pl)
Introduction
Welcome to my next hardening guide for a Microsoft operating system. This time I will focus on Windows 7.
In comparison to my previous guide about Windows Vista, this article is going to be a more complete solution. This is possible thanks to two tools Microsoft released recently, which improve the hardening process significantly.
Firstly, Microsoft Security Compliance Manager. An impressive tool which finally allows hardening templates to be applied as GPO objects to standalone computers. The tool includes many templates, not only for the operating system, but also for Microsoft Office and Microsoft Internet Explorer. Templates can be easily customized and exported to different formats, which can be used to harden other computers. If we also consider another Windows 7 feature, which allows GPOs to be applied only to specific users or groups on standalone machines, we will find that we can harden a standalone machine in a very flexible way.
Secondly, Enhanced Mitigation Experience Toolkit. The tool allows security mitigation technologies to be applied system-wide or per application. The technologies include DEP, SEHOP, ASLR, NullPage and HeapSpray protections and a few others. Although this protection is of course no substitute for a securely developed application, it makes exploiting a security vulnerability much more difficult.
Let's proceed to the guide. The article content is as follows:
1. Security Compliance Manager tool and customized templates
2. Level of User Account Control (UAC)
3. Enhanced Mitigation Experience Toolkit (EMET)
4. Windows 7 built-in firewall
5. Functionality worth disabling
6. Reviewing System Features
7. Optimising Services
8. Some network and usage tips
Security Compliance Manager
Let's start with Microsoft SCM. I personally installed it in a virtual machine. The installation adds a Microsoft SQL database to your machine, and I prefer to keep my systems as 'light' as possible. Along with SCM, the LocalGPO tool is also installed. You can use this tool to install SCM templates on machines which do not have SCM installed. A really neat solution.
Backup:
Before doing anything, it is good to back up your current GPO settings.
1. You can use the LocalGPO tool for this purpose by issuing the command:
C:\Program Files (x86)\LocalGPO>cscript LocalGPO.wsf /path:"C:\GPO - Backup" /EXPORT
2. Next, you can also enable the SCE extensions, so that additional security settings not available in the default configuration appear in your GPO console. You can do that by issuing:
C:\Program Files (x86)\LocalGPO>cscript LocalGPO.wsf /ConfigSCE
If you need to restore the backup you will need to issue the following commands:
1. First, you need to reset your GPO settings to the defaults:
C:\Program Files (x86)\LocalGPO>cscript LocalGPO.wsf /RESTORE
2. Next, restore your settings:
C:\Program Files (x86)\LocalGPO>cscript LocalGPO.wsf /path:"C:\GPO - Backup\[GUID]"
Windows 7 Templates
When configuring security templates, I like to start from the most secure configuration and then customize it to my needs. Therefore, I will use the most secure templates: Specialized Security - Limited Functionality (SSLF).
You can find them in the SCM tool. Settings in these templates are divided into:
- Win7-SSLF-Desktop
- Win7-SSLF-Domain
- Win7-SSLF-Laptop
- Win7-SSLF-User
As I am configuring a desktop machine, I will ignore the Win7-SSLF-Laptop template. The Win7-SSLF-Domain template, which contains mostly password and account lockout policy, can also be ignored in a home environment.
Win7-SSLF-Desktop:
In this template, check whether the following settings suit your requirements:
Audit Policies
The Audit Policies in the SSLF templates have Sensitive Privilege Use and Detailed Tracking enabled. I found the volume of logs produced reasonable, but you may not agree with me.
Internet Communication settings - Turn off Windows Update device driver searching
Security Options - MSS: (AutoShareWks) Enable Administrative Shares
If you don't use Windows Sharing, disable this option.
Security Options - MSS: (AutoReboot) Allow Windows to automatically restart after a system crash
Security Options - Enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting
The FIPS setting can cause problems; for example, connecting to the default Windows XP Remote Desktop service is not possible!
Security Options - Configure the User Account Control: Behavior of the elevation
Security Options - Configure the System cryptography: Force strong key protection
User Rights Assignment - DEBUG programs
User Rights Assignment - Settings concerning Remote Desktop
User Rights Assignment - Process Working Set
You will probably want to add the standard Users group to the Process Working Set.
SYSTEM\LOGON - Do not process the legacy run list
SYSTEM\LOGON - Do not process the run once list
The SSLF settings here will break most applications, so you will want to disable them.
Windows Components - Enumerate administrator accounts on elevation
Windows Components - Require trusted path
Windows Components - customize WINDOWS UPDATE
You may consider the "Notify First" setting here.
Win7-SSLF-User:
The settings in this template are very restrictive. As an advanced user you may ignore them. The most helpful setting in this template is the "Display for user setting" group.
Application Templates
As I mentioned before, SCM templates also contain Internet Explorer and Office templates. Let's have a look at them.
IE9 - Computer Security:
In this template too, check whether the following settings suit your requirements:
Prevent ignoring certificate errors
If you are an advanced user, you may want to disable it.
Turn Off Encryption System
You may want to customize it to allow only certain protocols, such as TLS 1.x.
Download signed ActiveX controls
If you want to use ActiveX, you may want to enable it.
Security Zones: Do not allow users to change policies
Security Zones: Do not allow users to add/delete sites
Security Zones: Use only machine settings
Use SmartScreen Filter
You may want to disable it.
Prevent Bypassing SmartScreen Filter Warnings
Prevent users from bypassing SmartScreen Filter's application reputation warnings
Turn off Managing SmartScreen Filter for Internet Explorer 9
Disable security page
Disable advanced page
If you are an advanced user, you may want to disable these policies to keep access to these pages.
Java permission for Internet zone
If you want to use Java, you need to change the SSLF setting.
IE9 - User Security:
You may ignore this policy, as it disables some basic functionality such as "Changing certificate settings", "AutoComplete for forms" or the "Save this program to disk" option. You may need those as an advanced user.
Office2010 User Setting:
In this template, check whether the following settings suit your requirements:
Check Macro Settings
Disable VBA for Office applications
If you have to use Visual Basic in Office, you have little choice but to change the SSLF template setting.
Disable access to updates, add-ins, and patches on Office.com
Read e-mail as plain text
Office2010 Computer Setting:
Consider changing:
Disable VBA for Office applications
Customized Templates
SCM not only allows you to change settings in the default templates, but also to add your own settings and save them as customized templates.
I have disabled the following components in my custom templates:
- LINK-Layer Topology
- Link-local Multicast Name Resolution (LLMNR)
- IPv6
I did that by changing the following settings:
- In order to disable NETWORK DISCOVERY (LINK-Layer Topology)
Disable - TURN ON MAPPER I/O DRIVER
Disable - TURN ON RESPONDER DRIVER
- In order to disable Link-local Multicast Name Resolution (LLMNR)
Enable - TURN OFF MULTICAST NAME RESOLUTION
- In order to disable IPv6
Enable - 6to4 State - and Set DISABLED STATE
Enable - ip-https State - and Set DISABLED STATE
Enable - isatap State - and Set DISABLED STATE
Enable - teredo State - and Set DISABLED STATE
Generally, you should not run any components, especially network-based ones, if you do not use them. By disabling them, you reduce your system's exposure to future vulnerabilities and attacks.
You can download my custom templates from here:
Win7 SSLF Computer
IE9 Computer Security
Office 2010 SSLF Computer
Office 2010 SSLF User
Relaxed Environment
For a more relaxed configuration (for example, at home), you may want to use file sharing and Remote Desktop, and you may not want to type a password in the UAC prompt each time. Then you should consider changing these settings:
- Enable remote desktop and file sharing
- Interactive logon: Do not display last user name
- Interactive logon: Do not require CTRL+ALT+DEL
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
- Windows Components\Credential User Interface: Enable Require Trusted Path for Credentials Entry
- Deny log on through Remote Desktop Services and Allow log on through Remote Desktop Services
Level of User Account Control (UAC)
Control Panel\All Control Panel Items\User Accounts\Change User Account Control Settings
There are 4 levels of UAC in Windows 7. The default level 3 indeed produces fewer prompts, but because of that it is much easier to bypass completely. Therefore, I recommend using the strictest level 4 ("Always Notify"): you should always be informed when an application uses administrator privileges.
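To read back the custom template settings from the previous section (LLMNR, the LLTD drivers, the IPv6 transition technologies) and the UAC level from the registry, here is an added PowerShell audit script; it is not part of the original guide. It assumes the policy key paths written by the Windows 7 ADMX templates (the IP-HTTPS path in particular is an assumption to verify against your own exported policy) and runs on Windows 7 / PowerShell 2.0 with rights to read HKLM.

```powershell
# Added example, not from the original guide: read back the policy registry values
# behind the custom template settings (LLMNR, LLTD drivers, IPv6 transition
# technologies) and the UAC level. Windows 7 / PowerShell 2.0 compatible.
# Key paths are those written by the Windows 7 ADMX templates; the IP-HTTPS
# path in particular is an assumption and should be verified.

$Pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$V6  = "$Pol\TCPIP\v6Transition"
$Uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means "policy not set", which for every check below counts as a failure.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-HardeningChecks {
    $checks = @(
        # Custom template settings from the guide.
        @{ Check = 'LLMNR off';          Expected = 0; Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"; Name = 'EnableMulticast' },
        @{ Check = 'LLTD mapper off';    Expected = 0; Path = "$Pol\LLTD"; Name = 'EnableLLTDIO' },
        @{ Check = 'LLTD responder off'; Expected = 0; Path = "$Pol\LLTD"; Name = 'EnableRspndr' },
        @{ Check = '6to4 disabled';      Expected = 'Disabled'; Path = $V6; Name = '6to4_State' },
        @{ Check = 'ISATAP disabled';    Expected = 'Disabled'; Path = $V6; Name = 'ISATAP_State' },
        @{ Check = 'Teredo disabled';    Expected = 'Disabled'; Path = $V6; Name = 'Teredo_State' },
        @{ Check = 'IP-HTTPS disabled (path assumed)'; Expected = 'Disabled'; Path = "$V6\IPHTTPS\IPHTTPSInterface"; Name = 'IPHTTPS_State' },
        # UAC level 4 "Always Notify": admins are prompted for consent (2) on the secure desktop (1).
        @{ Check = 'UAC admin prompt';   Expected = 2; Path = $Uac; Name = 'ConsentPromptBehaviorAdmin' },
        @{ Check = 'UAC secure desktop'; Expected = 1; Path = $Uac; Name = 'PromptOnSecureDesktop' },
        @{ Check = 'UAC enabled';        Expected = 1; Path = $Uac; Name = 'EnableLUA' }
    )
    foreach ($c in $checks) {
        $actual = Get-RegValue $c.Path $c.Name
        New-Object PSObject -Property @{
            Check    = $c.Check
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Pass     = ($actual -ne $null -and "$actual" -eq "$($c.Expected)")
        }
    }
}

Get-HardeningChecks | Format-Table Check, Value, Expected, Actual, Pass -AutoSize
```

A check reports Pass = False both when the value is wrong and when the policy is simply not set, which is what you want after applying a template.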
Enhanced Mitigation Experience Toolkit (EMET)
In EMET, system-wide you should set DEP to "opt out", SEHOP to "opt out" and ASLR to "opt in". This way you can still exclude certain applications which do not work correctly with these mechanisms. Next, choose 'Configure Apps' to apply full EMET protection to programs which access the Internet. I used it on the following applications:
- Internet Explorer, and any other browsers (FF, Chrome etc)
- Gadu-Gadu Communication (+Open FM)
- Skype
- ACDSEE
- ADMUNCH
- APPLE SOFTWARE UPDATE
- Driver Genius
- Google update(r)
- Jdownloader
- Logitech update
- Microsoft Games Live
- Quicktime
- Secunia scanner
- mtorrent
- Windows media player
- Sidebar
- Adobe Reader
- iTunes
- Windows Explorer
- Total Commander
- Java
You can read about the opt-out mechanisms here:
http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx
http://blogs.technet.com/b/srd/archive/2009/11/20/sehop-per-process-opt-in-support-in-windows-7.aspx
Windows 7 built-in firewall
The built-in Windows 7 firewall is the one to use if you care mainly about inbound traffic. You do of course have the option to filter outbound traffic, but there is no notification mechanism to help configure outbound rules, which makes the configuration rather difficult and time consuming; there are better third-party products in this field. However, if you want to block specific outgoing traffic or a specific application, the built-in firewall will still work fine.
You can review the following points, when you use the built-in firewall:
1. Verify the general policy (inbound and outbound filtering):
Windows Firewall with Advanced Security -> Properties
Firewall state: On
Inbound connections: Block(default)
2. Verify inbound rules. Use "Filter by State: Enabled" to quickly check which rules are enabled and which profiles they apply to.
If you don't use IPv6 you may disable many inbound rules; to be honest, you may disable all rules apart from:
DHCP-IN
Destination Unreachable, Fragmentation needed ICMP4-IN
IGMP-IN
If you enable FILE SHARING, 8 rules will be activated. However, if you don't need any local name resolution and want to use IP addresses for file sharing, only 1 firewall rule is needed for this purpose:
File and Printer Sharing (SMB-In)
You can apply this rule to the PRIVATE profile only, which should be assigned to 'trusted' networks only. Remember that access to the port allowed by this rule (TCP 445) lets an unauthenticated user enumerate your OS version and service pack level.
You can disable the REMOTE ASSISTANCE rules, if you are not going to use them. You can consider enabling the REMOTE DESKTOP rule (and limit it to the PRIVATE profile), if you are going to use this feature.
Note:
If your username/password is valuable (as in a business network), you may consider blocking outbound SMB traffic (ports 445 and 139) to prevent Internet Explorer UNC path attacks.
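The review of enabled inbound rules described above, plus the outbound SMB block from the note, as an added PowerShell example that is not part of the original guide. It uses the HNetCfg.FwPolicy2 COM object and netsh (both present on Windows 7 / PowerShell 2.0), must run elevated, and assumes the built-in rule names contain the guide's short names as substrings.

```powershell
# Added example, not from the original guide: list the enabled, allowing inbound rules
# that are NOT in the guide's minimal set, so you can see what else is exposed, and add
# the outbound SMB block the guide's note suggests. Run from an elevated prompt.
# The patterns are the guide's rule names matched as substrings (assumption: the
# full built-in names contain them); extend the list for your own needs.

$AllowedInboundPatterns = @(
    '(DHCP-In)',
    'Fragmentation Needed (ICMPv4-In)',
    '(IGMP-In)',
    'File and Printer Sharing (SMB-In)'
)

function ConvertTo-ProfileNames([int]$Mask) {
    # INetFwRule.Profiles is a bitmask: 1 = Domain, 2 = Private, 4 = Public.
    $names = @()
    if ($Mask -band 1) { $names += 'Domain' }
    if ($Mask -band 2) { $names += 'Private' }
    if ($Mask -band 4) { $names += 'Public' }
    if ($names.Count -eq 0) { $names = @('None') }
    $names -join ','
}

function Get-UnexpectedInboundRules {
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($rule in $fw.Rules) {
        # Direction 1 = inbound, Action 1 = allow; disabled rules add no exposure.
        if (-not $rule.Enabled -or $rule.Direction -ne 1 -or $rule.Action -ne 1) { continue }
        $name = $rule.Name
        $allowed = $AllowedInboundPatterns | Where-Object { $name -like "*$_*" }
        if ($allowed) { continue }
        New-Object PSObject -Property @{
            Name     = $name
            Profiles = ConvertTo-ProfileNames $rule.Profiles
            Protocol = $rule.Protocol   # 6 = TCP, 17 = UDP, 1 = ICMPv4, 58 = ICMPv6, 256 = any
            Ports    = $rule.LocalPorts
        }
    }
}

function Add-OutboundSmbBlockRule([string]$Profile = 'any') {
    # The guide's note: block outbound SMB so that a UNC path triggered from the
    # browser cannot send your credentials to an external host. Pass -Profile public
    # if you still need LAN file shares on the Private profile.
    & netsh advfirewall firewall add rule name="Block outbound SMB (guide)" dir=out `
        action=block protocol=TCP remoteport="139,445" profile=$Profile enable=yes
}

Get-UnexpectedInboundRules | Format-Table Name, Profiles, Protocol, Ports -AutoSize
```

Every rule the report lists is one you should either disable or consciously keep; the Profiles column shows whether it is also active on Public networks.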
Functionality worth disabling
If you don't use FILE SHARING, disable it. You can do that by setting:
Control Panel -> Network and Sharing Center -> Change Advanced sharing settings -> Turn off file and printer sharing
Disable NETBIOS:
Control Panel -> Network and Sharing Center -> Change adapter settings -> Properties of Network Interface
-> Properties of Internet Protocol Version 4 -> Advanced -> WINS tab -> Disable NETBIOS over TCP/IP
Disable IPv6, if you don't use it:
Control Panel -> Network and Sharing Center -> Change adapter settings -> Properties of Network Interface
-> Uncheck TCP/IPv6 and Link-Layer options
Review System Features
Control Panel -> Programs and Features -> Turn Windows features on or off
Remove unneeded components, for example Tablet PC Components etc.
Optimising Services
Any service which you do not use should be disabled. This way you reduce the attack surface and increase system performance at the same time.
Here are my suggestions. If you don't use these services either, feel free to disable them.
Certificate Propagation
Copies user certificates and root certificates from smart cards into the current user's certificate store, detects when a smart card is inserted into a smart card reader, and, if needed, installs the smart card Plug and Play minidriver.
Computer Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Distributed Link Tracking Client
Maintains links between NTFS files within a computer or across computers in a network.
Function Discovery Resource Publication (Homegroup)
Publishes this computer and resources attached to this computer so they can be discovered over the network. If this service is stopped, network resources will no longer be published and they will not be discovered by other computers on the network.
IP Helper
Provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer.
Network List Service (Homegroup)
Identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change.
Offline Files
The Offline Files service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API, and dispatches interesting events to those interested in Offline Files activities and changes in cache state.
SSDP Discovery
Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. If this service is stopped, SSDP-based devices will not be discovered. If this service is disabled, any services that explicitly depend on it will fail to start.
UPnP Device Host
Allows UPnP devices to be hosted on this computer. If this service is stopped, any hosted UPnP devices will stop functioning and no additional hosted devices can be added. If this service is disabled, any services that explicitly depend on it will fail to start.
TCP/IP NetBIOS Helper
Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, therefore enabling users to share files, print, and log on to the network. If this service is stopped, these functions might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
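To check the startup type of the services listed above and, on request, stop and disable them, here is an added PowerShell script that is not part of the original guide. It assumes the display names above, uses WMI's Win32_Service because Get-Service on Windows 7 / PowerShell 2.0 does not show the startup type, and must run elevated.

```powershell
# Added example, not from the original guide: report the startup type of the services
# the guide proposes disabling and, on request, stop and disable them. Uses
# Win32_Service through WMI because Get-Service on Windows 7 / PowerShell 2.0 does
# not expose the startup type. The list is the guide's suggestion: remove anything
# you rely on before calling Disable-UnneededServices. Run from an elevated prompt.

$UnneededServices = @(
    'Certificate Propagation',
    'Computer Browser',
    'Distributed Link Tracking Client',
    'Function Discovery Resource Publication',
    'IP Helper',
    'Network List Service',
    'Offline Files',
    'SSDP Discovery',
    'UPnP Device Host',
    'TCP/IP NetBIOS Helper'
)

function Get-UnneededServiceReport([string[]]$DisplayNames = $UnneededServices) {
    foreach ($display in $DisplayNames) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$display'"
        if ($svc -eq $null) {
            New-Object PSObject -Property @{ DisplayName = $display; Name = '(not installed)'; StartMode = '-'; State = '-'; Disabled = $true }
            continue
        }
        New-Object PSObject -Property @{
            DisplayName = $display
            Name        = $svc.Name        # short service name used by Stop-/Set-Service
            StartMode   = $svc.StartMode   # Auto, Manual or Disabled
            State       = $svc.State
            Disabled    = ($svc.StartMode -eq 'Disabled')
        }
    }
}

function Disable-UnneededServices([string[]]$DisplayNames = $UnneededServices) {
    foreach ($r in (Get-UnneededServiceReport $DisplayNames)) {
        if ($r.Disabled) { continue }
        # Stop it now (-Force also stops services that depend on it), then make the
        # change survive a reboot by setting the startup type to Disabled.
        Stop-Service -Name $r.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $r.Name -StartupType Disabled
        Write-Host ("Disabled {0} ({1})" -f $r.DisplayName, $r.Name)
    }
}

Get-UnneededServiceReport | Format-Table DisplayName, Name, StartMode, State, Disabled -AutoSize
```

Run the report first; only after you have trimmed the list to what you really do not use, call Disable-UnneededServices.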
Some network and usage tips
1. In order to access a Windows XP share from Windows 7 with SMB signing, you need to:
- disable SIMPLE FILE SHARING on Windows XP
- assign the user a password
- enable the following security option in the Local Security Policy on Windows XP: MICROSOFT NETWORK SERVER: Digitally sign communication (if client agrees)
2. In order to access a Linux SAMBA share from Windows 7 with SMB signing, you need to:
- set "server signing = mandatory" in smb.conf of the SAMBA package
3. Use the Sysinternals Suite tools.
These will help you understand the operating system better and improve your control over it. For example:
- Use autoruns.exe to verify what starts with your system, which drivers are loaded, which IE components are used, etc.
- Use procexp.exe to see which applications are running and get details about them.
- Use Procmon.exe to trace applications when troubleshooting problems, and to trace their activity if you suspect malware.
- Use ShellRunas to add the "Run as different user" command to the context menu.
END
Alright. This is everything I wanted to write in this article.
I hope you enjoyed it. If you have any comments, let me know please.
Best regards,
Rafal Rajs