Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 

README.asciidoc

Windows and Chrome Hardening

Build Status

Introduction

This document contains a collection of tips and scripts to harden your Windows computer and Chrome browser against attackers.

Unfortunately, both of these pieces of software need to be treated adversarially with a hardened security posture.

Any tips and well-composed content that people would like to add to this document via issues + pull requests would be greatly appreciated!

Or you can send suggestions via DM to @vilimpoc or drop me an e-mail here.

Audience

This guide is intended for anyone who wants to tighten up their security posture and take up a position of security by default.

This guide is written specifically with Windows 10 Version 1809 (October 2018 Update) in mind and will be updated as newer versions are released.

If you’re not running the latest version of Windows 10 on your system, then you aren’t applying the latest security patches and kernel mitigations designed to keep you out of trouble, particularly against Spectre and Meltdown.

Also, newer versions of Windows 10 tend to have better performance and lower UX latency, so why not update?

Hardening Windows

There are too many security-relevant settings to count in Windows, but the following pages describe a few easy changes that offer increased security to the average user.

The topics in this document are ordered from least to most difficult to understand, such that the final items might be more in-depth than most readers would care to delve into.

So, without further ado, let’s get started.

Create and Use a Standard User Account

First and foremost, the biggest and simplest change the average user can make to the way they use their computers is to create and use a Standard User Account.

Windows generally separates users into "two" types of accounts: Administrator and Standard User.[1]

Administrators

Administrator accounts can do anything to your computer.

They can install software, change firewall settings, delete any and all files, and make permanent changes to the system configuration that affect every user on the system.

If you run malware while logged in as an Administrator, then that malware will have complete control over your computer and all of its files and all of its network connectivity.

It may be able to infest your system so thoroughly that only a clean install on a fully wiped system using a Secure Boot medium will allow you to use the system again.[2]

Standard Users

Standard User accounts cannot make permanent or fundamental changes to the operating system that threaten a computer’s ability to boot and run. Because they have limited rights, they can’t delete system files or access files from other users.

This type of account should be used for day to day work and add an extra layer of security against malware getting a deep hold in your system.

Add A Standard User Account

Obnoxiously, Microsoft makes it as hard as they possibly can to create a non-online, standard user account.

It’s more like opt-out than opt-in, which is annoying and you have to jump through multiple dialog boxes to skip this.

Add User 1

It’s almost deceptive, and mildly irritating, as they don’t state upfront how to create an account that isn’t linked to them. Like, I don’t know my friend’s email address, sorry.

The account creation process is worded in such a way that it sounds like you’re doing something wrong if you don’t provide an email address to Microsoft. 🤷

Add User 2

No, I don’t want to log in with a Microsoft account or create a new one that Microsoft has to know about.

Add User 3

No, I don’t want to have my home computer linked to their advertising backend.

In any case, once you jump through the hoops, the local, standard user account is created in the following screen.

Add User 4

Once the Standard User account is created, its settings can be seen by clicking on it.

Note that only the accounts created after the first account on a computer are made Standard Users.

Add User 5

Pump Up User Account Control

User Account Control is what shows the full-screen pop-up window when you install new software or make changes in the Windows Control Panel or Settings app. It’s gotten much less intrusive since Windows Vista.

What it does: Any time you want to do something potentially dangerous to the computer, the Windows kernel will wait until it can confirm that you, as the super-user of the computer, want to do this.

Make sure this is set to "Always notify".

User Account Control Panel

Remove Internet Explorer 11 (and other Optional Windows Features)

If you’re not using a computer with corporate websites (the crappy internal websites that companies never pay to upgrade, thereby dragging down the whole web, and inflicting uncounted suffering on the worker bees), then it makes sense to completely remove Internet Explorer from Windows.

Windows Features Shortcut

To do that, open up the Windows Features list.

Windows Features List

Uncheck Internet Explorer 11 and click OK.

Other unnecessary Windows features (uncheck to remove):

  • Microsoft XPS Document Writer creates a virtual printer that you can "print" to, which then writes the output as an XPS file.

    Who actually uses this?

    Use PDF like everyone else. I don’t think there’s a single home user that would use this, but if it’s enabled, there is code running on your computer that you don’t need.

  • Windows Fax and Scan — Who faxes or scans anymore?

    The "scan" portion of that is more relevant, but if you don’t have one, get rid of this.

  • Remote Differential Compression API Support is a Windows-specific API and it is unclear what software uses it at all.

  • SMB Direct is a Windows-specific technology used to increase data transfer speeds in corporate networks. This is not a technology you’ll likely need on a home laptop.

    SMB Direct requires the following:

    • At least two computers running Windows Server 2012 R2 or Windows Server 2012

    • One or more network adapters with RDMA capability.

    Does that sound like a home computer setup?

  • Work Folders Client would be useful if I had a laptop that connected to a corporate network. But I don’t, so it can go. Also, there are tons of alternative file syncing systems (Dropbox, Box, Google Drive, etc.) that have assumed this role in the modern workplace.

Do Not Install Third-Party Antivirus

Installing antivirus software like McAfee, Kaspersky, or Avira will cause your computer to slow down without necessarily providing better coverage than Windows Defender. (As it turns out, Windows Defender already chews up a significant amount of time scanning your system.)

Also, these 3rd-party antivirus providers may increase your attack surface area with more code, which is irregularly updated and possibly even faulty.

There have definitely been cases where antivirus vendors hooking into undocumented Windows kernel interfaces actually made a system less secure (which led to Microsoft introducing PatchGuard).

Enable Secure Boot

Secure Boot ensures that your computer is running only trusted, signed firmware from the moment it turns on to the moment that it hands control of the hardware over to the Windows operating system.

It does this by instrumenting all changes to the system and attesting to the integrity of the core system components.

Certain 3rd-party add-ons, specifically graphics cards, may not have signed UEFI (Unified Extensible Firmware Interface) drivers. If you have one of these add-ons, you may not have a functional Secure Boot.

(This is the case on a Dell Optiplex system I own, that originally had an extra AMD Radeon graphics card. After removing the add-in card, the CPU-internal Intel HD Graphics unit took over and Secure Boot worked again.)

Windows Security Settings

Some things to note here:

  • Core isolation is good, and sometimes you can turn on "Memory Integrity", but I’ve had problems with this causing Blue Screens of Death.

    Core Isolation Details

    Microsoft explains what core isolation does here.

    In a nutshell, core isolation uses virtualization technology to strictly control access to kernel memory by hardware drivers and other software components, essentially putting the kernel into a different privilege level than the drivers and surrounding it with hardware-enforced defenses against modification.

    It would be excellent if the underlying remaining issues that cause it to be disabled by default could be fixed by requiring hypervisor-enforced code integrity checks in the Windows Hardware Qualification Labs (WHQL) certification process and validated in the field with Windows telemetry.

    It would be good for everyone to require manufacturers to produce higher quality drivers that don’t trip kernel faults.

  • Security Processor — Having a Trusted Platform Module is good.

    Security Processor Details

Hypervisor-Protected Code Integrity (HVCI)

The Windows System Information program shows a few key settings that are security-relevant.

System Information
  • Kernel DMA Protection prevents hijacks from malicious Thunderbolt devices, but requires an Intel processor with VT-d technology enabled (Virtualization Technology for Directed I/O).

  • Virtualization-based security is controlled by the Core Isolation Memory Integrity settings.

Enable BitLocker

BitLocker is used to provide full-disk encryption (FDE) on Windows with hardware-backed key management.

Always enable this for portable computers, this is what it looks like when activated:

BitLocker Active

I don’t have screenshots of the process of activating it, but when enabling it, there is a moment when Windows will ask whether to encrypt:

  • only the parts of the drive currently in use

  • the whole drive including empty space

It is a good idea to encrypt everything including empty space, unless you have a good reason not to or you’re (re-)installing Windows on a previously-encrypted drive (in which case most of the drive is probably filled with mostly random data anyways).

Make sure to save a copy of the BitLocker Recovery Key, or print a physical copy of it and put it in a safe place. (Yes, this means that someone ransacking your office could find it, but that requires physical access anyways.)

Update UEFI Firmware / BIOS Firmware

UEFI (Unified Extensible Firmware Interface) / BIOS (Basic Input/Output System) firmware is the earliest code that runs on a computer to start it up, before the Windows operating system takes over.

It is very important to update firmware, because certain security features of a system can only be enabled when this software is up-to-date. This will be apparent in the discussion about Spectre and Meltdown.

uefi version lenovo prepatch
Figure 1. Old Lenovo firmware (2.67, 9 September 2016)

-

uefi update thinkpad x230
Figure 2. Patching a Lenovo Thinkpad X230 with the latest firmware version.
uefi update optiplex 7010
Figure 3. Patching a Dell Optiplex 7010 with the latest firmware version.
uefi version lenovo postpatch
Figure 4. Updated Lenovo firmware (2.74, 14 November 2018)
uefi version dell postpatch
Figure 5. Updated Dell firmware (A29, 28 June 2018)
Lenovo Release Notes

<2.74>
 UEFI: 2.74 / ECP: 1.14
- [Important] Update includes a security fix.
- (Fix) Fixed an issue where BIOS silent update might fail with system account.

<2.73>
 UEFI: 2.73 / ECP: 1.14
-[Important] Security fix addresses LEN-22133 Speculative Execution Side Channel
             Variants 4 and 3a (CVE-2018-3639, CVE-2018-3640). Refer to Lenovo's
             Security Advisory page for additional information.
             (https://support.lenovo.com/product_security/home)

[...]

VERSION INFORMATION

  The following versions of UEFI BIOS and ECP (Embedded Controller Program) have
  been released to date.

  Package  (ID)     UEFI BIOS  (BIOS ID)   ECP  (ECP ID)       Rev.  Issue Date
  ----------------  ---------------------  ----------------    ----  ----------
  2.74  (G2UJ30US)  2.74  (G2ETB4WW)       1.14  (G2HT35WW)    01    2018/11/30
  2.73  (G2UJ29US)  2.73  (G2ETB3WW)       1.14  (G2HT35WW)    01    2018/06/25
  2.72  (G2UJ28US)  2.72  (G2ETB2WW)       1.14  (G2HT35WW)    01    2018/04/19
  2.71  (G2UJ27US)  2.71  (G2ETB1WW)       1.14  (G2HT35WW)    01    2018/03/12
  2.70  (G2UJ26US)  2.70  (G2ETB0WW)       1.14  (G2HT35WW)    01    2017/10/03
  2.68  (G2UJ25US)  2.68  (G2ETA8WW)       1.14  (G2HT35WW)    01    2017/04/28
  2.67  (G2UJ24US)  2.67  (G2ETA7WW)       1.14  (G2HT35WW)    01    2016/09/21
  2.66  (G2UJ23US)  2.66  (G2ETA6WW)       1.14  (G2HT35WW)    01    2016/03/23
  2.65  (G2UJ22US)  2.65  (G2ETA5WW)       1.14  (G2HT35WW)    01    2015/10/02
  2.64  (G2UJ21US)  2.64  (G2ETA4WW)       1.14  (G2HT35WW)    02    2015/07/07
  2.64  (G2UJ21US)  2.64  (G2ETA4WW)       1.14  (G2HT35WW)    01    2015/04/29
  2.63  (G2UJ20US)  2.63  (G2ETA3WW)       1.14  (G2HT35WW)    01    2015/02/16
  2.62  (G2UJ19US)  2.62  (G2ETA2WW)       1.14  (G2HT35WW)    01    2014/09/30
  2.61  (G2UJ18US)  2.61  (G2ETA1WW)       1.14  (G2HT35WW)    01    2014/05/12
  2.60  (G2UJ17US)  2.60  (G2ETA0WW)       1.13  (G2HT34WW)    01    2014/03/14
  2.59  (G2UJ16US)  2.59  (G2ET99WW)       1.13  (G2HT34WW)    01    2013/12/13
  2.57  (G2UJ15US)  2.57  (G2ET97WW)       1.13  (G2HT34WW)    01    2013/11/12
  2.56  (G2UJ14US)  2.56  (G2ET96WW)       1.12  (G2HT33WW)    02    2013/11/04
  2.56  (G2UJ14US)  2.56  (G2ET96WW)       1.12  (G2HT33WW)    01    2013/09/09
  2.55  (G2UJ13US)  2.55  (G2ET95WW)       1.12  (G2HT33WW)    01    2013/07/23
  2.54  (G2UJ12US)  2.54  (G2ET94WW)       1.12  (G2HT33WW)    01    2013/05/08
  2.52  (G2UJ11US)  2.52  (G2ET92WW)       1.10  (G2HT31WW)    01    2013/03/11
  2.51  (G2UJ10US)  2.51  (G2ET91WW)       1.10  (G2HT31WW)    01    2013/01/18
  2.50  (G2UJ09US)  2.50  (G2ET90WW)       1.10  (G2HT31WW)    01    2013/01/11
  2.06  (G2UJ08US)  2.06  (G2ET86WW)       1.10  (G2HT31WW)    01    2012/11/27
  2.02  (G2UJ07US)  2.02  (G2ET82WW)       1.10  (G2HT31WW)    01    2012/09/18
  1.13  (G2UJ06US)  1.13  (G2ET33WW)       1.09  (G2HT30WW)    01    2012/08/10
  1.12  (G2UJ05US)  1.12  (G2ET32WW)       1.09  (G2HT30WW)    01    2012/06/21
  1.11  (G2UJ04US)  1.11  (G2ET31WW)       1.07  (G2HT28WW)    01    2012/05/29
  1.10  (G2UJ03US)  1.10  (G2ET30WW)       1.07  (G2HT28WW)    01    2012/05/25
  1.09  (G2UJ02US)  1.09  (G2ET29WW)       1.07  (G2HT28WW)    01    2012/05/14
Dell Release Notes

Dell OptiPlex 7010 System BIOS

This package provides the BIOS update for Dell OptiPlex 7010 running in the following Operating Systems: Windows and DOS.

Fixes & Enhancements

Fixes
- Updated CPU microcode to address security advisory Intel Security Advisory INTEL-SA-00115 (CVE-2018-3639 & CVE-2018-3640).
- Addressed remote control cannot find Video setup option.

Enhancements
- Improved OS installation from USB.

Version
Version A29, A29

[...]

Version    Release Date    Importance
A28        14 Mar 2018     Urgent
A26        09 Jan 2018     Urgent
A25        22 May 2017     Urgent
A24        12 Dec 2016     Recommended
A23        25 Aug 2016     Recommended
A22        20 Jul 2016     Optional
A21        03 Feb 2016     Recommended
A20        05 Feb 2015     Urgent
A19        18 Nov 2014     Recommended
A18        05 Jun 2014     Recommended
A16        16 Oct 2013     Recommended
A15        23 Sep 2013     Recommended
A14        11 Jul 2013     Recommended
A13        20 May 2013     Recommended
A12        25 Jan 2013     Recommended
A09        26 Oct 2012     Recommended
A05        03 Aug 2012     Recommended
A04        13 Jul 2012     Optional
A01        05 Jun 2012     Recommended

As you can see from the Dell and Lenovo Release Notes, there are a ton of changes to the lowest-level firmware over the multiyear lifecycle of a computer.

Although some of these patches may be more important than others, it is recommended to apply them regularly.

Check Spectre and Meltdown Fixes

Spectre and Meltdown are a category of hardware design flaws on Intel, AMD, and Arm processors that can lead to remotely-triggered exploits, information stealing, and so on.

SpecuCheck is a utility from Alex Ionescu (one of the grandmasters on the security research scene) that shows how well your system has been patched against these vulnerabilities.

The program prints a list of the applied mitigations, and importantly whether the CPU’s microcode has been patched to provide them.

specucheck output 3320m 2.67
Figure 6. SpecuCheck output from i5-3320m on Windows 1809 and a Thinkpad X230 with firmware v2.67

-

specucheck output 3320m 2.74
Figure 7. 'SpecuCheck output from i5-3320m on Windows 1809 and a fully-patched Thinkpad X230 with firmware v2.74

Notice how the mitigations slightly improve after the firmware update!

specucheck output 3770
Figure 8. SpecuCheck output from i7-3770 on Windows 1809 and a fully-patched Optiplex 7010 with firmware A29

Because they are hardware vulnerabilities and haven’t yet been completely fixed by the main CPU makers, and because hardware replacement cycles are longer than they used to be, these issues will be around for a while.

Kudos to Dell and Lenovo, whose engineers updated the firmware microcode for my 5+ year-old laptop and desktop machines to address these issues. Talk about good support!

Hardening Chrome

As it turns out, having a browser built by the world’s largest advertising company may not provide the most end-user privacy.

The following tips are meant to provide a safer alternative to the default settings and reduce the online footprint each person leaves behind.

Blocking Third-Party Cookies

Third-party cookies follow you around the internet. These are the tiny pieces of data that expose you as a targetable, profiled individual online.

They are sent to servers other than the website you’re currently browsing, i.e. nobody who really needs to know.

These are how Amazon, Google, Facebook, and other advertisers know when to show you an ad for that thing you were just looking at buying.

Let’s say you visit Buzzfeed, at least a dozen ad agencies will find out exactly what you did there:

blocked cookies

This happens on every single website you visit, so multiply the number of cookies you’re generating by a hundred.

Here’s how to disable these web tracking cookies:

block third party cookies

Once the third-party cookies are blocked, the list of cookies per website will drop substantially.

Faking Answers To Security Questions

There is no good reason to use real, personal information to answer security questions online.

Let’s say you run into the following three questions:

  1. What is the name of city you were born in?

  2. What was the name of your first pet?

  3. What is the your favorite color?

What you can do here, if you are using a password manager, is invent new answers for each website that requires them. Make sure you write these answers down.

The answers don’t even have to match the subject matter of the question.

It is possible to use answers that are fully decorrelated from the questions being asked, and in fact this makes it harder for someone to guess these answers.

So you might have answers like:

  1. Mashed Potatoes

  2. Greenwood Street

  3. Socket Wrench

Because you’re using answers that don’t actually relate to the questions being asked, guessing the answer becomes harder since it cannot be looked up in a list of colors or a list of common animal names, for instance.

And, because none of the systems asking for security questions even know the meaning of what you’re talking about, they should let those answers through.

Under no circumstances should you ever use your real birthday or mother’s maiden name as the answer to a security question.

Remember, these questions are designed to give you a recovery mechanism for a single website, in case your account has been hacked.

So the idea is to invent a unique set of keywords that will allow you reset access to that website and that website alone, without letting an adversary use those keywords to let them gain access to any other website where you have an account.

Contributors

Max Vilimpoc (@vilimpoc)


1. There are actually more types of accounts, but the primary types that are assigned to human users that actually interact with a computer, are these two types. macOS and Linux also follow the same general distinction.
2. And even then, against nation state-level bad actors, you might have to worry about threats persisting in system firmware.

About

A collection of tips to harden your Windows computer and Chrome browser.

Resources

Packages

No packages published
You can’t perform that action at this time.