Overview of Windows Security
While there are many features of the Windows OS that are useful, many of them are left dormant and take up space. While active, such a feature eats away at your RAM, makes Volume Shadow Copies in the System Volume Information folder, dumps logs of your activities, fragments your MFT, facilitates drive-by downloads, provides another avenue for crackers or black-hat hackers to intrude into or infiltrate your system, and sometimes lets them get right under (or through) your firewall/security system (especially in the case of the BITS service).
Worst of all, unbeknownst to the user, Windows can also install patches and collect data covertly without notifying the user, as seen in the 2006 and 2008-09 incidents where Windows came under public scrutiny for the installation of a patch (Windows systems were vulnerable for 17 years before it came to light). Now we can take action to protect ourselves from those potential threats.
Here are some practical preventative procedures to secure your Windows Operating System (OS).
If you feel something is unfathomable or outside your comfort zone, simply skip the procedure because you’d know your system more than I do here in Australia. For security reasons, making a recovery disc is necessary to save yourself from unnecessary trouble. Ultimately, it’s your best judgment in the matter.
System Hardening
Background
Below are a number of tools that I have found useful for making your Windows OS less visible on the Internet, particularly to those zombies controlled by botnet servers and those who lurk on the darknet. I will also mention two methods to secure your Windows OS in case you have not patched your system.
Security Tool
The Windows Worm Door Cleaner is a free, no-install application that closes and prevents access to the most commonly targeted ports which are open by default on Windows systems. These are 135 (RPC), 137-139 (file sharing), 445 (Server Message Block: SMB) and the Windows Messenger service port (spam). It’s no surprise that this service was removed from later Windows releases (post XP*).
This program was hosted on the firewallleaktester website, but is now provided on other security web portals.
Download
Here is the download link and the checksum verification code:-
http://hotfile.com/dl/45142301/d866a84/wwdc.exe.html (51KBs)
Company: gkweb
File Version: 1.4.1.0
MD5checksum: 999f6e5c8d5c81f48afbdab7f8777323 wwdc.exe
Implementation
Simply execute the program (right-click -> Run as Administrator), close all the ports, and restart your computer.
For Windows Vista or higher, if a pop-up informs you that the value for the Windows Messenger Service cannot be found in the Windows Registry, click OK to proceed. The reason is that the service is not installed (see above*).
To undo any changes, run the program again and click Open Ports to re-enable these services.
Verification
To verify that the vulnerable Windows ports are now closed, open a Command Prompt window (cmd.exe, or conhost.exe on Windows 7) and type:
netstat -aonbv
or, if you are not operating with Administrator privileges:
netstat -aon
This will list all the “listening” ports on your computer.
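As an added check (example code, not from the original post or from the tool’s authors), the following Node.js script parses saved “netstat -aon” output and reports which of the ports named above (135, 137-139 and 445) are still bound; the netstat sample embedded in it is constructed. On a real machine, save the output with “netstat -aon > ports.txt” and pass the file contents to stillOpenPorts.

```javascript
// Added example: parse "netstat -aon" output and flag the worm-door ports
// that Windows Worm Door Cleaner is meant to close. Port list is from the post.
const WORM_DOOR_PORTS = new Set([135, 137, 138, 139, 445]);

// Constructed sample of what netstat -aon prints BEFORE the ports are closed.
const SAMPLE_NETSTAT = `
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       812
  TCP    192.168.1.5:49210      203.0.113.9:443        ESTABLISHED     2044
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:138            *:*                                    4
`;

// The local port is the text after the last ':' (this also handles IPv6 like [::]:135).
function localPort(addr) {
  return Number(addr.slice(addr.lastIndexOf(":") + 1));
}

// Returns one record per still-open worm-door socket: { proto, port, pid }.
// TCP counts only in the LISTENING state; a bound UDP socket has no state column
// and always counts, because anything bound to it can receive datagrams.
function findOpenWormDoorPorts(netstatText) {
  const open = [];
  for (const raw of netstatText.split(/\r?\n/)) {
    const cols = raw.trim().split(/\s+/);
    if (cols[0] !== "TCP" && cols[0] !== "UDP") continue; // skip headers and blank lines
    const port = localPort(cols[1]);
    if (!WORM_DOOR_PORTS.has(port)) continue;
    if (cols[0] === "TCP" && cols[3] !== "LISTENING") continue;
    const pid = Number(cols[cols.length - 1]);
    open.push({ proto: cols[0], port, pid });
  }
  return open;
}

// Sorted, de-duplicated port list for a quick pass/fail after running the tool.
function stillOpenPorts(netstatText) {
  const ports = new Set(findOpenWormDoorPorts(netstatText).map((r) => r.port));
  return [...ports].sort((a, b) => a - b);
}

const remaining = stillOpenPorts(SAMPLE_NETSTAT);
console.log(remaining.length ? `still open: ${remaining.join(", ")}` : "worm-door ports closed");
```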
Follow-up
For people who find it difficult to close port 135 after using the Windows Worm Door Cleaner, you can use the tool created by the Gibson Research Center called DCOMbobulator.
This will effectively close port 135, removing one more port that an intruder might use to compromise your system.

Download
Here is the download link and checksum verification code:-
http://hotfile.com/dl/45143403/27ef5d0/DCOMbob.exe.html (29KBs)
Company: Gibson Research Corp.
File Version: 2.0.1.0
MD5checksum: bd10d5383d9f1851cca46d4a5f5f4c03 DCOMbob.exe
Background of malware propagation via physical mediums
Today, a lot of malware is actually spread via USB transfers. In the past, floppy disks were used to overwrite the boot sector, hence the boot sector virus. Now, with the advent of the Universal Serial Bus (USB), Firewire and people being more “networked”, simply plugging a USB drive into a running OS is enough to allow the malware to propagate. Here is one method of mitigating these attacks by stopping malware from writing to “autorun.inf”. The next section deals with ways to prevent executable files from running in ‘undefined’ pathways.
Security Tool
Panda Security has released a program called the Panda USB Vaccine. Its purpose is to create an autorun.inf file that cannot easily be overwritten through conventional means. The safest option is to format your USB drive before using the program, so you can be certain that any malware or data that may have been in your $Recycler or other areas of the drive is cleared.
Then install the Panda USB Vaccine to vaccinate your computer. The current version supports File Allocation Table (FAT) 16/32 drives, but does not fully support the New Technology File System (NTFS). However, as with all the applications above, you can undo any changes made by re-running the program and selecting “remove vaccination”.

Download
http://hotfile.com/dl/45316700/1109413/USBVaccineSetup.exe.html (828KBs)
Company: Panda Security
File Version: 1.0.1.4
MD5checksum: 58cc5b530fc552c8e31870f90db425ed USBVaccineSetup.exe
Secure RPC service (for unpatched Windows versions)
I am fairly certain that every person in the IT security industry has heard of the Conficker worm, also referred to as Downadup. To prevent the B variant from installing on your system, you need to set a rule that blocks Conficker’s entry point, essentially securing the RPC service.
Simply open a Command Prompt window and enter the commands below, where X:\> refers to your drive prompt:-
X:\>netsh
netsh>rpc
netsh rpc>filter
netsh rpc filter>add rule layer=um actiontype=block
netsh rpc filter>add condition field=if_uuid matchtype=equal data=4b324fc8-1670-01d3-1278-5a47bf6ee188
netsh rpc filter>add filter

Verification
netsh rpc filter>show filter
Basically, “actiontype=block” defines a rule that blocks a call when the condition holds, that is, when the field named in the condition (the interface UUID) equals the given data value.
Adding the filter enforces the rule.
You can remove the filter with the remove parameter.
Additional notes
For Windows XP SP3 and Windows 7 users – below we explain a method to restrict the execution (running) of programs in unspecified areas. You can use this to stop the WAT service before it logs all your activities in the Windows Registry and reports to Microsoft servers (Enterprise, Professional and Ultimate versions).
We know of tools like RemoveWAT225 which are capable of removing WAT, but this method is to teach you how to stop executable files from running without your explicit instruction.
Using Group Policy Objects (GPO) to enforce security policies is a very powerful tool – in fact, it can stop any executable file from running, including shortcuts or files with extensions such as vbs, msc, bat, com, etc.
Simply execute gpedit.msc via the Run command (Windows key + R, or the Start menu),
or find it in your %systemroot%\system32 folder, or for x64, the \windows\syswow64 folder,
e.g. C:\Windows\System32\gpedit.msc | C:\Windows\Syswow64\
When the Microsoft Management Console (MMC) opens, navigate to Software Restriction Policy:-
Local Computer Policy > Windows Settings > Security Settings > Software Restriction Policy
Right-click on the folder and select ‘Add Security Policy’.
Double-click on the ‘Additional Rules’ folder, then in the menu bar select Action (Alt + right arrow, down arrow)
and click New Path Rule.
Under Path: type in C:\Windows\System32\Wat or C:\Windows\syswow64\Wat
(replace C:\ with the system partition drive, or simply replace it with %systemroot%\)
The security level should be set to Disallowed (the default value, which prevents execution).
Restart your computer and the WAT service will no longer be running.
To undo the changes, simply remove the GPO path rule.
Alternatively, you can delete the Registry entry that enforces the GPO rule:
HKEY_LOCAL_MACHINE\Microsoft\Policies\Safer\*
To lift some restrictions so that you can navigate your system easily, you need to remove the extension or set the appropriate permission in each case as shown below.

The Windows Hosts file
The hosts file is, by default, located on your Windows OS at: %systemroot%\system32\drivers\etc
Its function is to define the addresses that you request. Basically, it’s your map to where you want to go on the Internet. Ordinarily, a website has a domain name like www.setupswarm.com, but its IP (Internet Protocol) address is like the map/GPS coordinates that help you find your way around the Internet.
However, thanks to versatile and powerful computer languages being able to execute functions in different environments, users like us are more vulnerable to “tricks” such as spoofing, phishing attempts (fake e-mails requesting user information), even VoIP vishing (Voice over IP) and DNS cache poisoning (a classic), malformed iFrames, man-in-the-middle attacks – the list goes on.
The rising trend in malicious activity comes in the form of “drive-by” downloads. If you or I just visit a website like CNN or ABC, our computer could be compromised. We can protect ourselves by redirecting the malicious sites to the local host (127.0.0.1).
What this means is, your computer doesn’t try to find the address on the Internet; it tries to find it on your computer. These private addresses are inaccessible from the Internet because it’s like trying to find a museum in your residence. Hence, the name will not “resolve” and you won’t be caught in harm’s way.
Security Tool
A number of people have posted “blacklists” on sites such as MVPS, hosts-file, malwaredomainlist and so on. Using an application known as Hostsman will help you optimise your use of the Windows hosts file to prevent access to known malicious sites.
Troubleshooting
If you suddenly experience slow browsing and the DNS Client service is still running, open a command prompt window and type:
ipconfig /flushdns
net stop dnsclient
Alternatively, in Administrative Tools > services.msc (right-click > Run as Administrator), disable the DNS Client service and restart.
Exceptions
You can also add an “exclusion” to allow access to a site. One limitation of using the hosts file is that each address specified must be static. For example, malicious sites must be listed individually – “baddykkp.info”, “baddykkpx.info” and so on. Since malicious users will just change the name anyway, we need a workaround.
Download
http://hotfile.com/dl/45320798/0b55c5d/hm_3.2.73_installer.zip.html (1.89MBs)
Company: Abelha Digital
File Version: 3.2.73 (stable release)
MD5checksum: de2e19040d44b78180c0c9f40cb06a0b hm_3.2.73_installer.zip
Limitations and Development
Over time, things have developed to the point where people believe that blacklists just don’t cut it. Just like a firewall that stealths all ports by default, there should be a “whitelist”, a list of trusted sites that we can access, instead of “blacklisted sites” that number in the billions. I have avoided this feature because I’m not very paranoid and don’t want to be oppressed by “parental controls”.
Instead, we can use PACs (Proxy Auto-Config). A PAC file tells your browser what to avoid by using wildcards. A wildcard means that everything before and/or after the entry is disallowed. For example, *.pokemon.* tells the browser not to go to any site with pokemon in its domain name, so www.ieatpokemonforbreakfast.biz would not resolve.
These can be found at the website below:
http://securemecca.com/pac.html
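The following is an added example of the idea, not the securemecca.com PAC file itself: a minimal PAC script that sends hosts matching a wildcard list to a dead local proxy (the same trick as pointing a hosts-file entry at 127.0.0.1) and lets everything else go DIRECT. The pattern list, the proxy port and the shExpMatch fallback (browsers provide shExpMatch themselves; the fallback only lets the file run under Node for testing) are assumptions. One caveat the post glosses over: shExpMatch is a plain glob, so *.pokemon.* matches only hosts containing the literal “.pokemon.”, and a host such as www.ieatpokemonforbreakfast.biz needs the broader *pokemon*.

```javascript
// Added example: a wildcard-blocking PAC file with a Node-compatible shExpMatch.
// Constructed blocklist (hypothetical names); one shell-style glob per entry.
const BLOCKED_HOST_PATTERNS = [
  "*.pokemon.*",      // literal ".pokemon." somewhere in the host name
  "*pokemon*",        // any host containing the word, e.g. www.ieatpokemonforbreakfast.biz
  "baddykkp*.info",   // covers baddykkp.info, baddykkpx.info, ... (the hosts-file weakness)
  "ads.example.net",  // exact host
];

// Browsers supply shExpMatch(); define it only when absent so the same file
// works as a real PAC script and under Node. Assumption: '*' and '?' globs, case-insensitive.
if (typeof shExpMatch === "undefined") {
  globalThis.shExpMatch = function (str, shexp) {
    const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&"); // escape regex metachars
    const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re, "i").test(str);
  };
}

// Where blocked requests go: a proxy that does not exist, so the request fails
// locally instead of reaching the site. The port is a constructed choice.
const BLACKHOLE = "PROXY 127.0.0.1:0";

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  for (const pattern of BLOCKED_HOST_PATTERNS) {
    if (shExpMatch(host, pattern)) return BLACKHOLE;
  }
  return "DIRECT";
}

// Helper for auditing a list: which pattern (if any) caught a given host.
function matchingPattern(host) {
  return BLOCKED_HOST_PATTERNS.find((p) => shExpMatch(host, p)) || null;
}
```

Removing a keyword that blocks a legitimate page, as described in the troubleshooting section for proxy_en.txt, is the same as deleting its entry from BLOCKED_HOST_PATTERNS here.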
Troubleshooting
When your browser reports that a page could not be resolved, open the file “proxy_en.txt”,
press Ctrl + F to find a keyword (usually part of the URL), and remove it.
Save, exit your browser, and try again. Alternatively, use the Reload feature.

I only know that the Mozilla browser supports this reload feature, so please inform me of any other browsers that support the PAC reload function.
Future Expectations
Despite our best efforts, there is always the fear that human error will undo all these safeguards. Here, the ingenious laboratory mad scientists are developing Blade Defender, a robust system with a 100% success rate at preventing drive-by downloads by testing and stopping 0-day attempts at compromising systems. However, it is still under development, so it has not been officially released. I’m looking forward to seeing this protecting us in the future.
www.blade-defender.org
It is likely that virtualisation in hardware form will become more prominent for the end user. In the meantime, you can run programs in a sandbox so that any changes made will not affect your system – unfortunately, misconfiguration and “undiscovered” features may present unforeseen consequences.
Therefore, I recommend that you back up your system, have a live recovery disk (preferably Linux), a system image backup (plenty of open-source software can be found at sourceforge.net), and if you feel up to it, complete drive encryption, TPM and the works.
There may be articles in the future if I am permitted to post again after this mammoth article, but hopefully it has helped you to understand more of what is happening in your computing environment. Never download screensavers, and if you like playing with toys and testing things out (I know I do!), try using a virtualised environment to work out all your experiments. VMware (free or commercial), VirtualBox (free and open-source) and others can solve many problems with having only one or two PCs.
I have done my best to avoid all the technical jargon, but if you feel that any steps need clarifying or are too parsimonious, please post a comment below and I will help however I can.
Final notes
All operating systems have their advantages and limitations, so it would be a mistake to assume any one OS is more secure than another. It is a human creation and will be imperfect if another human introduces “bugs” and “tweaks” during development; the notorious patch; the seemingly innocent sister; the lithesome fingers that work the dvorak/qwerty keys; and the infamous beta. If you must use beta software, please try to avoid using it on your work PC. It might bring out unprecedented consequences and make your system more vulnerable.
If you would like to set up a system that rolls back any changes made, have a look at Shadow Defender, Returnil (I experienced some BSODs so I avoided this one – beta; later editions possibly fixed the issues) and others.
I have decided against suggesting Harden-It as a security tool, but feel free to try it. For post-XP systems, you need to run it with Compatibility Mode set to Windows XP (SP2). It basically adds Windows Registry entries to secure your network. I believe it works on servers also. Use SSL 1.0, 3.0, TLS 1.1, 1.2, etc., but not SSL v2.0, since there has been talk of vulnerabilities concerning that protocol.
Just a reminder: installing plenty of security software won’t protect you more. It’s like stacking yourself with ironclad armour, then a copper stove on your head. You’ll be blinded, tired from the heavy CPU load, a bit queasy from loss of RAM, and potentially fatal… flatulence? Try to limit real-time scanners to one, support open source since it helps developers make free and transparent software, and don’t go overboard, because we’re all liable for our own actions.
I’d like to thank everyone here at setupswarm and the inspiring, hard-working individuals that made the security tools discussed above. Any comments from people not suffering from a… consideration deficit are duly welcome.
6 Comments
Demon
Posted on: May 31st, 2010 at 18:36
Looks good! And really useful for me, tbh.
I never care to check stuff…
Yah, remember not to go overboard with this stuff =] Removing telnet isn’t always as smart as you might expect.
Indeed, I wouldn’t remove telnet.
I think that’s a bit over the top.
Panuary
Posted on: June 3rd, 2010 at 14:12
I think the post above is classified as SPAM, considering whoever posted it is identifying it as shareware with a “Free to try, $59.00 to buy” label on what is meant to be freely available for individuals to use without limitations. Too bad that’s not the same when it comes to ISPs and shell accounts, haha.
Jup jup, it passed the spam filter… removed it! Ty
Panuary
Posted on: May 30th, 2011 at 17:21
Just an update.
Besides implementing a good safe-practice policy, otherwise known as best practices, it may be a good idea to harden internet-facing applications by using MS tool EMET (currently v2.1). However, be aware that in rare cases it could be incompatible with your current setup and in turn require disabling some of the security parameters such as DEP or EAF. I’d suggest setting the DEP policy to Opt-Out and ASLR to Out-In. You can select multiple items in Explorer.exe by dragging or Shift + Enter the first file to the last in the window and click Open to confirm. These will be added to the list where the EMET.dll will be loaded in the application when it launches. I have noticed no adverse effects in terms of entropy or increased I/O.
On another note, I am certain FireSheep has caught the attention of the public in how establishing secure connections to web servers is essential in maintaining a measure of security and anonymity when using social media networking sites. It’s unfortunate that people overlooked encrypting their web session cookies, however (see LinkedIn fiasco).
Other concerns such as LSOs should now be safely swept under the carpet with Adobe releasing its Flash applet and giving the end user the ability to adjust settings of the Flash Player locally as well as deleting stored cookies (see FlashPlayerCPLApp.cpl in the Windows root folder or Control Panel -> Programs). However, persistent cookies, Silverlight, XSS, drive-by downloads, Java and OS zero-day exploits are still topics that will have an impact on end users.
Undeniably, crackers really do have unlimited time and resources to find ways to compromise systems and steal information. Does this mean that our way of life, the significance of privacy and the change in the law will be enough to protect us? Or will some welcome this change and see it as a natural process in the evolution of the Internet and how its residents have adapted to fit a typical category of users?
As for me, I think this concept ties well with the idea that most of this has something in the way of conducting a global social experiment. Perhaps we will be witness to a paradigm shift in how we as a society function, and how the law will be forced to adapt, or face the threat of inevitable extinction.