Securing the Windows Desktop

Real World Best Practices

By Michael Theroux

Updated 04/04/2006

 

------------------------------------------------------------------------------------------------------------------------------

 

Intro

As much as it would be prudent to recommend that everyone dispense with conventional desktop operating systems and only use something like the live CDs “Knoppix” or “Ubuntu” for anything you do online, 90% of us are still using Microsoft Windows®. So, this is simply a ‘best practices’ document detailing how one can secure a Microsoft Windows® desktop reasonably well, to the best of their ability. Mind you, ‘securing Windows’ is quite an oxymoron, but you might be surprised that MS is actually trying to lead the fight in securing their faulty OS. Due to the nature of the Windows OS, one must add on what I like to call several ‘prophylactic’ programs for “safe surfing”. These include applications for anti-virus, anti-spyware, OS patching, firewalls, alternative web browsers, rootkit detectors, and process ‘sentries’. Most users know about anti-virus, firewalls, and anti-spyware, but I’d like to stray from convention and add the proactive to the reactive, so I’ve included a couple of relatively new add-ons. How much of this will be relevant when MS rolls out the new OS remains to be seen, but from what I gather, they’re not completely re-architecting the OS, so you’ll still need to use protection.

 

Disclaimer

The use of these practices will in no way ensure your desktop will be secured from exploits. There are new vulnerabilities discovered every day, and new software exploits will be written to take advantage of them.

 

Scenario

The corporate desktop user is using Windows XP® Professional – the standard desktop operating system as defined by the user’s corporation. The user has administrative privileges to several applications and systems on the corporate network. The user’s desktop is partially patched, but not up to date. The desktop has an anti-virus program installed, and is running a personal firewall. It also has an anti-spyware program installed with real-time protection. The user receives an ‘interesting’ email with a link to a website in the text of the email. The user clicks on the link, and Internet Explorer opens up, going directly to the website. The site contains hidden malicious code which then exploits a vulnerability in MS IE, downloading and running a small application which “hooks” into IE, allowing it to bypass the personal firewall. The application then runs in the background, downloading anything from backdoor trojans, rootkits, spyware and keyloggers to a whole variety of other malware. These applications in many cases have the ability to disable anti-virus and anti-spyware applications, and also slip under software firewalls, so they can send data back to the originator of the malware. They may hide themselves in memory, hidden hard drive partitions, the BIOS, video card EEPROM, disk bad sectors, alternate data streams, etc. They may install applications which can control your hardware, such as turning on the microphone or a video camera to record what’s going on in the room (and then send this captured info to the hacker). With a backdoor installed, a hacker would have complete control over the user’s desktop without their knowledge. Accessing data (such as user IDs and passwords) collected from the keylogger, the hacker would then have access to any systems the corporate desktop user has access to (and any personal information such as credit card numbers, banking passwords, etc.).
No matter how secure the corporate network is, it can be completely compromised from a user’s desktop.

 

Although the previous scenario depicts the user in a corporate environment, all of these practices should apply to the home user as well.

 

Patching

The first and most obvious defense in securing the OS is to make sure operating system “patches” are up to date. Having up-to-date patches won’t guarantee invulnerability, but it will take care of all the ‘known’ vulnerabilities in the wild, thus ruling out these known vulnerabilities should one need to investigate a problem. It is wise to have automatic updates turned on so that the usual MS rollout of patches is installed on the desktop. In the corporate environment, a suitable patch management application should be used to push patches to the desktop.

 

Alternative Web Browsers

One of the major vulnerability problems with Windows has always been their web browser, Internet Explorer® (IE). Since the browser is so closely tied in with the operating system, vulnerabilities can become quite serious. It is recommended that an alternative browser be installed such as Firefox or Opera. While these browsers are not immune to vulnerabilities, they are far safer than using IE.

 

Anti-virus

While anti-virus applications are reactive in nature due to the fact that they are signature-based and can only ‘react’ to a problem with the proper signatures installed, it is still a necessary evil to have an up-to-date AV application installed on the desktop. Here again, automatic updates should be turned on so that new definitions will automatically be installed when rolled out by the anti-virus vendors.

 

Firewalls

Personal firewalls, such as ZoneAlarm, offer the ability to regulate traffic to and from your desktop computer. There are 65,535 “ports” available to choose from for sending and receiving information in the form of ‘packets’.  Many of these ports are registered for specific services such as port 443 for secure HTTP (SSL), or ports 6665-6669 for Internet Relay Chat (for a complete listing, see Ports for Internet Services). The firewall can be configured to allow or disallow traffic on any of these ports. The problem with these firewalls arises from the end-user’s perspective – what should be allowed or disallowed? Most personal firewall applications try to make this an easy process for the end user by asking each time an application wishes to send or receive data through one of these ports. Unfortunately, if the application is allowed to send and receive, any hook into that application will be allowed as well. All one has to do is look at the giant list of individual add-on apps associated with Internet Explorer to see that they are given the same carte blanche as the original program. While a few personal firewall vendors have mitigated some of these issues, there are still significant risks. For instance, “users with sufficient privileges or malicious programs that exploit a vulnerability on a system will be able to install software that ‘climbs over the top’ of the firewall.”  Once a malicious application is allowed to come in ‘over the top’ it is then easy for it to “dig its way out underneath or even go straight through the firewall.” (see Software Firewalls versus Wormhole Tunnels). With that said, personal firewalls should not be relied on as a major line of defense to keep your desktop secure.

 

Spyware Detectors and Process Sentries

The term spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. There are many programs available for the detection of spyware, but like the anti-virus applications, they are signature-based, and therefore reactive to problems. One anti-spyware application that attempts to go beyond simple signature-based detection is Windows Defender. Defender has built-in functions which monitor services and drivers as they interact with the OS, and which monitor when programs start and any operations they perform while running (see Microsoft’s Anti-Spyware Strategy for more). This performs a more proactive function with respect to the health of your operating system than the reactive, ‘after-the-fact’ signature-based applications. Another application, one that protects Windows processes from attacks by other processes, services, drivers, and other forms of executing code on your system, is DiamondCS’s ProcessGuard. ProcessGuard also stops applications from executing without the user’s consent, attempts to stop malicious worms and trojans from being executed silently in the background, and blocks a variety of other attacks. It even claims to stop most keyloggers and firewall leaks, and is “recognised by many to be the most comprehensive anti-rootkit solution available.” In my opinion, Windows Defender and ProcessGuard are a great step in the right direction away from the purely reactive detection applications. If I could only have one of these prophylactic add-ons for Windows, ProcessGuard would be the one.

 

Rootkit Detectors

A rootkit is defined as “a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system”. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. While many rootkits are difficult, if not in some cases impossible, to detect with conventional signature-based anti-malware applications, again Windows Defender and ProcessGuard are the best proactive approach yet. One might also look at SysInternals RootkitRevealer and Microsoft’s Strider GhostBuster Rootkit Detection for more on rootkits and their detection. If you’re tech savvy, check out Rootkit.com for the real gruesome details.

 

Preventative Procedures

While installing all of these applications on your computer will help to secure your desktop OS, the security of a system is still defined by how the user interacts with it. Individual or group security policies should be in place and should not allow the desktop user to change them. All too often, the desktop user will have been granted privileges such as local administrative access which allows them complete control over these applications and policies. Also, the OS and many installed applications will have default configurations which make the system vulnerable, and they need to be changed. For example, in the default configuration of IE, a rogue website you’ve connected to can steal the entire contents of your clipboard, potentially compromising sensitive personal data (see ProjectIP for just what kind of info a site can glean from you connecting to it). Fix: Go to Tools > Internet Options > Security > Select a security zone > Custom Level > Scripting > Allow paste operations via script and set it to Disabled or Prompt.
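The clipboard setting from the fix above can also be audited from the registry. The following PowerShell is an added example, not part of the original article; it assumes the standard Internet Settings zone keys, where URL action 1407 is the “Allow paste operations via script” option, and the function names are hypothetical.

```powershell
# Added example, not from the original article. URL action 1407 is IE's
# "Allow paste operations via script": 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Suffix    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Policy hives are listed first: a value set there by Group Policy is the
# kind of setting the desktop user should not be able to change.
$Hives = [ordered]@{
    'Machine policy'  = "HKLM:\SOFTWARE\Policies\$Suffix"
    'User policy'     = "HKCU:\SOFTWARE\Policies\$Suffix"
    'User preference' = "HKCU:\SOFTWARE\$Suffix"
}

function Get-ScriptPasteSetting {
    foreach ($source in $Hives.Keys) {
        foreach ($zone in 0..4) {
            $key = Join-Path $Hives[$source] $zone
            $raw = $null
            if (Test-Path $key) {
                $raw = (Get-ItemProperty -Path $key -Name '1407' -ErrorAction SilentlyContinue).'1407'
            }
            if ($null -eq $raw) { $state = 'not set' } else { $state = $Meaning[[int]$raw] }
            # Risky = scripts in this zone may read the clipboard without a prompt.
            [pscustomobject]@{
                Source = $source; Zone = $ZoneNames[$zone]
                Value  = $raw;    State = $state; Risky = ($raw -eq 0)
            }
        }
    }
}

# Applies the article's fix (Disabled or Prompt) to the current user's setting.
function Set-ScriptPasteSetting {
    param([ValidateRange(0, 4)][int]$Zone = 3,
          [ValidateSet('Prompt', 'Disable')][string]$State = 'Disable')
    $key   = Join-Path $Hives['User preference'] $Zone
    $value = if ($State -eq 'Prompt') { 1 } else { 3 }
    Set-ItemProperty -Path $key -Name '1407' -Value $value -Type DWord
}

Get-ScriptPasteSetting | Format-Table Source, Zone, Value, State, Risky -AutoSize
```

Running `Set-ScriptPasteSetting -Zone 3` applies the fix to the Internet zone for the current user only; a row reported under one of the policy sources has to be changed in the policy itself.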

Such policies and settings still can’t keep the average user from opening email attachments or clicking on malicious links, but in the corporate environment, controls can be put in place for monitoring and disallowing such activities. Controls can also limit the potential damage to a system by hardening the OS against a user account, i.e. denying a user access to things like cmd.exe, the %systemroot% dir, etc. Controls need to be quite balanced, though, as a desktop should be secure, but still very usable. All of the information presented here is just as valid for the home user too, but you’ll have to set your own permissions and follow good surfing practices.
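A quick way to check two of the conditions discussed here, as an added PowerShell example that is not part of the original article: whether the current account is running with local administrator rights, and which accounts the file ACL allows to execute cmd.exe. The function names are hypothetical.

```powershell
# Added example, not from the original article.

# True when the current token carries the local Administrators role.
# On systems with UAC this reflects the current (possibly filtered) token.
function Test-IsLocalAdmin {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Lists every "Allow" entry on the file's ACL that includes the execute right.
function Get-ExecuteGrant {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\cmd.exe'))
    $execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $execute)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

if (Test-IsLocalAdmin) {
    Write-Output 'Current account is running with local administrator rights.'
} else {
    Write-Output 'Current account is running as a limited user.'
}

# Broad principals such as Users or Everyone in this list mean an ordinary
# account can still launch cmd.exe.
Get-ExecuteGrant | Format-Table -AutoSize
```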

 

Summary and Review

Here’s a review of the best practices and applications one should have installed and configured on their Windows desktop:

 

Patch management – Microsoft Update

AntiVirus – McAfee AntiVirus, Symantec/Norton AntiVirus

Firewalls - ZoneAlarm

Alternative Browsers - Firefox or Opera.

Spyware Detectors and Process Sentries - Windows Defender and ProcessGuard

Rootkit Detectors - SysInternals RootkitRevealer

Review system security policies and application default configurations.

 

References

Thanks to Eric Johansen for review of this document and valuable input.

 

Websites

  1. NSA Initiatives in Enhancing Software Security - http://www.nsa.gov/snac/ (OS and application configurations).
  2. Fundamental Weakness Of Outbound Blocking Firewalls - http://www.whirlywiryweb.com/article.asp?id=%2Ftrojanimplant
  3. Browsing for secure alternative browsers - http://www.computerworld.com/securitytopics/security/story/0,10801,95326,00.html
  4. Software Firewalls versus Wormhole Tunnels, by Bob Rudis and Phil Kostenbader - http://www.securityfocus.com/infocus/1831
  5. An SSL Trojan Unmasked - http://www.infoworld.com/article/06/03/03/75970_10OPsecadvise_1.html
  6. How to Find Security Holes - http://www.canonical.org/~kragen/security-holes.html
  7. Papers and conference presentations by Joanna Rutkowska - http://invisiblethings.org/papers.html



Books

  1. Rootkits : Subverting the Windows Kernel by Greg Hoglund, Jamie Butler.
  2. Malware: Fighting Malicious Code by Ed Skoudis, Lenny Zeltser.
  3. Secrets and Lies : Digital Security in a Networked World by Bruce Schneier.

 

White Papers

  1. Yi-Min Wang, Roussi Roussev, Chad Verbowski, Aaron Johnson, and David Ladd, "AskStrider: What Has Changed on My Machine Lately?", Microsoft Research Technical Report MSR-TR-2004-03, Jan. 2004.
  2. Guide to Securing Microsoft Windows XP®, Operational Network Evaluations Division of the Systems and Network Attack Center - http://www.nsa.gov/snac/os/winxp/winxp.pdf
  3. Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch, "SubVirt: Implementing malware with virtual machines", to appear in Proc. IEEE Symp. on Security and Privacy, May 2006.
  4. Yi-Min Wang, Doug Beck, Binh Vo, Roussi Roussev, and Chad Verbowski, “Detecting Stealth Software with Strider GhostBuster,” in Proc. IEEE International Conference on Dependable Systems and Networks (DSN), June 2005.
  5. Yi-Min Wang, Binh Vo, Roussi Roussev, Chad Verbowski, and Aaron Johnson, “Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files,” Microsoft Research Technical Report MSR-TR-2004-71, July 2004.
  6. Shuo Chen, John Dunagan, Chad Verbowski, and Yi-Min Wang, “A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities,” in Proc. Network and Distributed System Security Symposium (NDSS), February 2005.