ssj100's Security Setup

Post by ssj100 on 16/4/2010, 06:31

Windows XP Professional 32-bit

The Security Setup:

Limited User Account (LUA) and SuRun:

LUA is self-explanatory. There’s not much more to say about it. If you’re not sure what LUA is or how to set it up, Google is your friend. If there’s one link I had to choose, I’d go with this one, but be aware that it can be a fairly confusing thread. I’d recommend reading the thread in its entirety if you seriously want to go all the way: http://www.wilderssecurity.com/showthread.php?t=196737.
SuRun is really there mainly for convenience and doesn’t have much to do with my actual security. Regardless, if there was one link I had to choose on how to set up SuRun, I’d go with this one: http://www.dedoimedo.com/computers/surun.html. However, there’s just one problem in that tutorial – please don’t strip an administrator account down to a limited account with SuRun. Instead, just SuRun an already created limited account.

Software Restriction Policies (SRP):

Again, self-explanatory and if you’re not sure how to set it up, Google is your friend (if there’s one link I had to choose, I’d go with this one: http://www.mechbgon.com/srp/).
In addition, here are some extra rules I would suggest adding to your SRP deny list with path rules:
To deny scripting execution: cscript.exe, wscript.exe, scrobj.dll, vbscript.dll
To deny registry access: regedit.exe, regedt32.exe
To deny command prompt execution: command.com, cmd.exe (if you’re using Sandboxie like me, make sure to read and carry out step 16 below. This is because Sandboxie relies on cmd.exe by default to delete the sandbox. You will therefore need to tell Sandboxie to use a different command instead)
To deny formatting: format.com
To deny running with elevated privileges: runas.exe
Other: debug.exe

With a fresh installation of Windows XP Professional, there are seven folders that allow writing by default, even in a Limited User Account:
C:\WINDOWS\Tasks
C:\Windows\Debug\UserMode
C:\Windows\system32\spool\PRINTERS
C:\Windows\Registration\CRMLog
C:\Windows\Temp
C:\WINDOWS\pchealth\ERRORREP\QHEADLES (this is only created if you have left Error Reporting on and an error occurs)
C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF (this is only created if you have left Error Reporting on and an error occurs)

Therefore, you can add the above seven folders to the SRP deny list with path rules.

Hardware Data Execution Prevention (DEP):

Have a read here: http://support.microsoft.com/kb/875352
Turn on DEP for all programs and services with no exceptions.

Sandboxie:

Please note that the following is simply a guide, and there are other viable variations to use at each step:

1. Create as many separate sandboxes as is required for your internet facing applications. Try to have one separate sandbox per internet facing application.
2. In each sandbox, use the appropriate start/run and internet access restrictions and only allow your program to start/run and access the internet within its sandbox. You may also need to allow other programs depending on whether the application interacts with other processes.
3. In each sandbox, block file access to any areas of your computer containing sensitive information (eg. “My Documents”).
4. In each sandbox, configure Read-Only access to C:\WINDOWS
5. In each sandbox, force the relevant application to always run in its sandbox
6. Do not use any OpenFilePath rules for any internet browsers (note there are a few exceptions here, like enabling an OpenFilePath rule to allow direct access to Firefox phishing database)
7. You will need at least 2 browsers. One browser will be used for everyday browsing and other non-critical/sensitive activity.
8. The other browser will be used for online banking and other critical/sensitive activity.
9. For the browser in step 8, configure its sandbox to automatically delete whenever the browser closes.
10. Depending on the nature of your other internet facing applications, you may choose to also configure their respective sandboxes to automatically delete on closing.
11. This step is obviously optional: have one sandbox to test applications/malware in (the DefaultBox will do) where the only configurations are to enable automatic deletion and block file access to any areas of your computer containing sensitive information (eg. “My Documents”).
12. Create separate sandboxes for each USB/external drive hardware you have connected (or would connect) to your computer. Force run the relevant drive letter to run in the relevant sandbox. Other configurations/restrictions may be applied here (see above).
13. Create separate sandbox(es) for your CD/DVD drive(s). Force run the relevant drive letter to run in the relevant sandbox. Other configurations/restrictions may be applied here (see above).
14. Create a separate sandbox for your Virtual Machine program. Other configurations/restrictions may be applied here (see above).
15. Create a separate sandbox for opening newly introduced files (with a sandboxed explorer.exe) on your REAL system. For easy access, you will also need to create a shortcut to this sandbox and place this shortcut appropriately. Configure this sandbox to automatically delete on closing. Please click here for more information about this step.
16. This step is only necessary if you're using SRP to block cmd.exe (see above):
Make a copy of cmd.exe and rename it (eg. cmd1234.exe). Change the Sandboxie Delete Command accordingly in each sandbox to:
%SystemRoot%\System32\cmd1234.exe /c RMDIR /s /q "%SANDBOX%"

Windows Firewall, NAT Router and IPSec:

Mostly using the default settings. Even with Windows Firewall alone, you are very well protected against inbound attacks. You shouldn’t have to worry about malicious outbound connections if you follow this guide and therefore keep your system clean.

IPSec is another built-in Windows feature and is very useful for Windows XP users - there's no need to use a third party firewall to control outgoing traffic while eg. doing a sensitive online banking session. During online banking, I have restricted connections to only my bank IP address via Port 443. Therefore, no connections can occur between my computer and the internet via any other Port, and no connections can occur between my computer and any other IP address.

The Security Approach:

With just LUA + SRP + Hardware DEP, Didier Stevens' PoCs (and dare I say, wj32's) can theoretically be used by malware (even though there are no examples of real-world malware like this, period) to bypass it and cause problems to a computer system.

If you are so paranoid as to want to provide extra protection for something that has never been seen in the real-world, read on.

You will need to add in a containment level of protection, as suggested in this post:
http://www.wilderssecurity.com/showpost.php?p=1381659&postcount=14

I personally use a well configured Sandboxie with the correct setup and approach. What is the setup? Read above (under Sandboxie). What is the approach? Read on.

When recovering files on to your REAL system, it won't be covered by Sandboxie. However, at this point, LUA + SRP + Hardware DEP is of course still protecting you. But how can you use the containment mechanism of protection at this stage?

Simple - always open any newly introduced file with a sandboxed explorer.exe (easily done, and place the shortcut of this sandboxed explorer.exe on your QuickLaunch bar or similar for easy access). See step 15 above.

Furthermore, always scan newly introduced files on your REAL system with on-demand scanners before opening/executing them (I use Hitman Pro on-demand, but Malwarebytes’ Anti-Malware and/or Avira AntiVir Personal on-demand are also good alternatives). Also consider uploading files to sites like Virustotal to get an opinion. And remember, all these are just opinions – they may be wrong and produce false positives as well as false negatives.

When in even greater doubt and if your paranoia levels have escalated to an extreme level, you can enable a system virtualiser (I would suggest Shadow Defender) before downloading and recovering files on to your REAL system. This would additively prevent any harm from exploits like these: http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/

Of course, the correct approach if you're really in doubt about whether a file is safe (particularly a file that is clearly an executable), is to always handle and execute it in a full blown Virtual Machine (I use VirtualBox). You can also simply ask knowledgeable people what they think about the file, and/or post at forums like this to ask people’s opinions.

But how about theoretical scenarios like malware escaping the Virtual Machine environment?

Well, the solution is to simply run your Virtual Machine sandboxed (I use Sandboxie for this when I am testing malware), and/or enable a system virtualiser (I would suggest Shadow Defender) before testing the malware in your Virtual Machine. In this way, the malware will need to bypass your Virtual Machine as well as Sandboxie and/or Shadow Defender. Then once it’s out, it will still need to bypass LUA + SRP + Hardware DEP.

Finally, always keep a recent back-up image handy and/or back-up important files on an external hard-drive. I would recommend taking full image snapshots of your entire drive/partition at least once a month and storing them on an external isolated hard-drive. I personally use Drive Snapshot for this. If all else fails or if your hard-drive dies (a much more likely event than malware actually bypassing the above security setup and approach), you can still reboot to a clean and exact working image of your choice.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
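
An added example, not part of the original post: a small checker that reads a Sandboxie.ini-style configuration and reports which of the numbered Sandboxie steps above (3, 4, 5, 6, 9 and 16) a sandbox does not meet. The setting names are Sandboxie.ini settings; the box names and sample rules are constructed, and the step 9 check is applied to every box even though the post makes auto-delete optional for non-sensitive boxes (step 10).

```python
import re

# Constructed Sandboxie.ini-style sample (box names and rules are made up).
SAMPLE_INI = r"""
[Banking]
Enabled=y
ForceProcess=iexplore.exe
ClosedFilePath=%Personal%
ReadFilePath=C:\WINDOWS
AutoDelete=y
DeleteCommand=%SystemRoot%\System32\cmd1234.exe /c RMDIR /s /q "%SANDBOX%"
[Browsing]
Enabled=y
ForceProcess=firefox.exe
OpenFilePath=firefox.exe,%Desktop%
"""
SRP_DENIED = {"cmd.exe", "command.com"}  # names the post denies via SRP path rules

def parse_boxes(text):
    """Return {box: {setting: [values]}}; settings such as ClosedFilePath may repeat."""
    boxes, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = boxes.setdefault(section.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return boxes

def audit_box(cfg):
    """Return the step numbers (from the post's list) that this box does not meet."""
    failed = []
    if not cfg.get("ClosedFilePath"):
        failed.append(3)   # no blocked file access at all
    if not any(v.rstrip("\\").lower() == r"c:\windows" for v in cfg.get("ReadFilePath", [])):
        failed.append(4)   # C:\WINDOWS is not read-only
    if not (cfg.get("ForceProcess") or cfg.get("ForceFolder")):
        failed.append(5)   # nothing is forced into the box
    if cfg.get("OpenFilePath"):
        failed.append(6)   # direct-access rule present; review each one
    if cfg.get("AutoDelete", ["n"])[-1].lower() != "y":
        failed.append(9)   # box is not deleted when the program closes
    cmd = cfg.get("DeleteCommand", ["cmd.exe"])[-1]  # unset: cmd.exe default, per the post
    exe = re.search(r'([^\\/"]+\.(?:exe|com))', cmd, re.I)
    if exe is None or exe.group(1).strip().lower() in SRP_DENIED:
        failed.append(16)  # SRP would block the delete command
    return failed
```

Calling `audit_box` on each entry of `parse_boxes(SAMPLE_INI)` gives an empty list for the Banking box and steps 3, 4, 6, 9 and 16 for the Browsing box.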

Re: ssj100's Security Setup

Post by ssj100 on 25/9/2011, 02:45

September 2011:
Significant addition to my security setup/approach (described above):
IPSec (on-demand)

IPSec enforcement can be enabled and disabled with just a couple of clicks.
