Kitz ADSL Broadband Information
Author Topic: Microsoft Windows and Security Considerations  (Read 1521 times)

Weaver

Microsoft Windows and Security Considerations
« on: March 27, 2020, 01:55:00 AM »

[Moderator note: This topic has been created by splitting off the following posts from renluop's "Updating Office" thread.]

Make sure not to buy Windows Home as it isn't secure (lots of security- and networking functionality is disabled so it isn't possible to fully secure the machine correctly even if you know what you're doing or have some help) - always buy Windows Pro or whatever it's now called.
« Last Edit: March 28, 2020, 04:06:29 PM by burakkucat »
Logged

tubaman

Re: Microsoft Windows and Security Considerations
« Reply #1 on: March 27, 2020, 03:12:40 PM »

Quote
Make sure not to buy Windows Home as it isn't secure (lots of security- and networking functionality is disabled so it isn't possible to fully secure the machine correctly even if you know what you're doing or have some help) - always buy Windows Pro or whatever it's now called.

@Weaver - in what ways is Windows Home 'insecure' please? I've been using it for many years on a number of devices and have never encountered any issues at all. Yes, some of the more advanced features are not available, but as most would not be used by the average user I'm not sure it's fair to call the whole system 'insecure'.
 :)
Logged
BT FTTC 80/20 Huawei Cab - Zyxel VMG8924-B10A

Ronski

Re: Microsoft Windows and Security Considerations
« Reply #2 on: March 27, 2020, 07:19:58 PM »

I'm in agreement with you tubaman, all except two of my home PCs are running Windows 10 Home, my two that are running Pro have had no additional hardening as I wouldn't have a clue what to do, so the average home user will be completely clueless.

I suppose the only one I do know about which Pro does have and Home doesn't, but have got around to implementing is Bit-locker, I really should one for that extra level of protection should my PC ever be stolen.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Weaver

Re: Microsoft Windows and Security Considerations
« Reply #3 on: March 27, 2020, 07:25:25 PM »

It's insecure in that it cannot be configured securely. There are not multiple user accounts in the networking system and iirc you cannot use SRP. I can't lock down a system such that malware exes can not be placed in the file system anywhere and run. On a correctly configured system an exe installed in a non-approved location simply will never run; there will be an error on startup. SRP used correctly will achieve this. Needs to be used in conjunction with locked-down file system ACLs.

I have always ensured that Windows Pro systems that I have administered never have users able to run as admins and have made it impossible to download exes, dlls etc and then run them successfully, nor can users run them from removable media and they can copy exes from removable media but they will not run.

Buying Windows Home is a disastrous mistake because it's a huge false economy, but what is a user supposed to do if they don't know anything about securing / hardening Windows? Most so-called professionals have no clue about how to completely lock down a system so it's safe to use.
Logged

Ronski

Re: Microsoft Windows and Security Considerations
« Reply #4 on: March 27, 2020, 10:44:40 PM »

Simply put, I do not want a system that locked down, I imagine it would be like putting a flame retardant suit, full race harness, and crash helmet on every time you went out for a drive.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Alex Atkin UK

Re: Microsoft Windows and Security Considerations
« Reply #5 on: March 27, 2020, 11:44:49 PM »

I suspect that running a locked-down Windows 10 would be pretty horrific for gaming too.

The number of times just booting into Windows wants me to allow a process to run as admin in order to install an update.  How would that even work if my user couldn't escalate privileges?

In Linux it's recommended to NEVER use root, all admin tasks are supposed to be done using a normal user and privilege escalation as it's considered MORE secure.  This was what Microsoft were supposed to be trying to achieve with the popup "run as administrator" messages in the first place.
« Last Edit: March 27, 2020, 11:49:57 PM by Alex Atkin UK »
Logged
INTAKE (ECI) Zen: Home Hub 5A OpenWrt Plusnet: VMG-3925-B10B Three 4G: Hauwei B535-232 Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD
Thinkbroadband Quality Monitors

Weaver

Re: Microsoft Windows and Security Considerations
« Reply #6 on: March 28, 2020, 12:36:11 PM »

I ran as a non-admin myself, I didn't just inflict it on my users and I never had any complaints. They didn't even notice, honestly. The way I set it up was zero hassle and 100% protection. I was doing this for ten years so I had developed config schemes that were well tuned.

As for installing updates on your own machine, since I was the admin of my own box I would just either use runas to run things that required privileges such as certain updates or log out and log in as the_admin instead of my own personal everyday non-admin account.

I never found this any hassle of my own. I am asking you to just believe me on this. I can't see a reason why your experience might be different to mine. But everyone is different. If you are writing code, you might want to make some holes in the policy for yourself relating to a development area for you to work in. (Because you will be doing builds that produce new 'illegal' exes.)

One rule that made my systems work. No exes are allowed to run unless they are in one single tree in the file system "\program files". All exes and dlls outside this official tree are disabled by being renamed to a different extension (eg .exe_disabled) by a scanning script I wrote, and all random folders and files in the root \ are deleted. No installer is allowed to create random directories below root. This keeps policies simple.

The hassle with a locked down system comes with badly behaved apps that will not run under a standard user account, and these need tweaking and hacking in order to fix them, which less experienced admins will not be able to do. The solution is to run such apps inside a virtual machine/sandbox using one of the various VM software applications. I used Microsoft's own free VM solution, whatever it was called, escapes me now.

It all depends on how serious you are about your security. I would never do normal work from an admin account, and as I said no users were allowed to ever be admins. This is why I had zero security incidents in ten years amongst my customers' users. This was combined with the use of email services that had scanning in them server-side so all email was scanned on the server and no exe and other potentially evil attachments of any kind were stripped, so nothing executable could even arrive in email. This plus html email in Outlook was not shown in a browser window so html itself in email could not be evil.
Logged
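
[Added example, not part of the post above and not Weaver's own script: one way to audit for the "no executables outside a single approved tree" rule described in Reply #6. The function name, parameters and the temporary sample tree are assumptions made for illustration; the sample files are placeholders, not real binaries.]

```powershell
# Added example; function and parameter names are illustrative assumptions.
function Find-UnapprovedExecutable {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ScanRoot,
        [Parameter(Mandatory)] [string[]] $ApprovedRoot,
        [string[]] $Extension = @('.exe', '.dll'),
        [switch]   $Disable      # rename hits to <name>_disabled instead of only reporting
    )

    # Full paths with a trailing separator, so "C:\Program Files" does not
    # also match a sibling such as "C:\Program Files Extra".
    $sep = [IO.Path]::DirectorySeparatorChar
    $approved = $ApprovedRoot | ForEach-Object {
        [IO.Path]::GetFullPath($_).TrimEnd($sep) + $sep
    }

    # Collect first, then act, so renames cannot disturb the enumeration.
    $candidates = @(Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension })

    foreach ($file in $candidates) {
        $inApproved = $false
        foreach ($root in $approved) {
            if ($file.FullName.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inApproved = $true
                break
            }
        }
        if ($inApproved) { continue }

        $action = 'Reported'
        if ($Disable -and $PSCmdlet.ShouldProcess($file.FullName, 'Rename with _disabled suffix')) {
            Rename-Item -LiteralPath $file.FullName -NewName ($file.Name + '_disabled')
            $action = 'Disabled'
        }
        [pscustomobject]@{ Path = $file.FullName; Action = $action }
    }
}

# Constructed sample tree of placeholder files (not real binaries).
$demo = Join-Path ([IO.Path]::GetTempPath()) ('exe-audit-' + [guid]::NewGuid())
$samples = 'Program Files\App\app.exe', 'Users\alice\Downloads\setup.exe',
           'Users\alice\AppData\helper.dll', 'Users\alice\notes.txt'
foreach ($rel in $samples) {
    $full = Join-Path $demo $rel
    New-Item -ItemType Directory -Path (Split-Path -Parent $full) -Force | Out-Null
    Set-Content -LiteralPath $full -Value 'placeholder'
}

# -WhatIf shows what -Disable would rename without touching anything.
Find-UnapprovedExecutable -ScanRoot $demo -ApprovedRoot (Join-Path $demo 'Program Files') -Disable -WhatIf
Remove-Item -LiteralPath $demo -Recurse -Force
```

[Renaming is a clean-up step rather than an enforcement mechanism: a file dropped after the scan stays runnable until the next pass unless an execution policy such as SRP blocks it.]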

Ronski

Re: Microsoft Windows and Security Considerations
« Reply #7 on: March 28, 2020, 02:01:00 PM »

It's not running as a standard user that's the problem, Windows Home can do that, it's all the other stuff you refer to locking down the PC.

I've always managed my works PC (10 Pro) until recently when some wet behind the ears lad from an outside company comes in and starts locking it down, breaking things, changing passwords, I couldn't even create a shortcut key for Excel without creating another shortcut where I had permission to as he changed the admin password for some unknown reason - he actually gave the new password after I asked, and no other machines had it changed. For the standard user who merely opens Excel, Word or any other run of the mill program it's fine, but for power users it's not, it eventually causes issues.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

tubaman

Re: Microsoft Windows and Security Considerations
« Reply #8 on: March 28, 2020, 02:12:57 PM »

All my Win 10 machines are configured with the 'normal use' accounts being Standard user type so that any new installs etc require the Administrator password to be entered. I suppose in that respect I have 'hardened' them a little bit. Even if the standard user was an admin I believe it still asks before any install takes place, but forcing the password allows you to stop and think before hitting 'ok' (also stops the kids installing stuff without asking). I am absolutely content that these machines are secure enough for what I process on them.
 :)
Logged
BT FTTC 80/20 Huawei Cab - Zyxel VMG8924-B10A

Ronski

Re: Microsoft Windows and Security Considerations
« Reply #9 on: March 28, 2020, 03:11:42 PM »

All my PCs have local user accounts with a separate Admin account too.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Weaver

Re: Microsoft Windows and Security Considerations
« Reply #10 on: March 28, 2020, 08:36:23 PM »

You need to do a lot more than that because the standard file system ACLs are too lax. And users can install exes in their own file system tree. With SRP such exes (and wherever I say exe I include dlls) cannot run, not even if they're copied/downloaded into the user's own directories to which she/he must have write perms. It took me some thought to design the necessary 100% bombproof config.
Logged

Alex Atkin UK

Re: Microsoft Windows and Security Considerations
« Reply #11 on: March 29, 2020, 12:29:46 AM »

Quote
One rule that made my systems work. No exes are allowed to run unless they are in one single tree in the file system "\program files". All exes and dlls outside this official tree are disabled by being renamed to a different extension (eg .exe_disabled) by a scanning script I wrote, and all random folders and files in the root \ are deleted. No installer is allowed to create random directories below root. This keeps policies simple.

The hassle with a locked down system comes with badly behaved apps that will not run under a standard user account, and these need tweaking and hacking in order to fix them, which less experienced admins will not be able to do. The solution is to run such apps inside a virtual machine/sandbox using one of the various VM software applications. I used Microsoft's own free VM solution, whatever it was called, escapes me now.

Those things are kinda mutually exclusive on a gaming PC I think because they will be updating exe files inside Program Files all the time and they CAN'T easily be updated from another user account as you need to be signed in on the client for the digital rights management systems to function.  I also have games on my second drive in various paths, again depending on if it's Steam, Epic Games, U-Play, etc.  Locking them down would be a lot of work I suspect.

I can totally understand why your system makes a ton of sense in a business environment, but it sounds a huge PITA for a home user.  Doubly so as I'm primarily a Linux user so not familiar with how Windows handles things these days.

It's bad enough having to update the GPU drivers every time I boot into Windows, after being used to a single command updating everything without any user input whatsoever on Linux.
« Last Edit: March 29, 2020, 12:34:40 AM by Alex Atkin UK »
Logged
INTAKE (ECI) Zen: Home Hub 5A OpenWrt Plusnet: VMG-3925-B10B Three 4G: Hauwei B535-232 Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD
Thinkbroadband Quality Monitors

Weaver

Re: Microsoft Windows and Security Considerations
« Reply #12 on: March 29, 2020, 03:45:49 AM »

Alex I did that with my own main machine at home. I didn't do anything to users that I didn't do to myself. It was no hassle. If you need to run a game and don't know how to hack it to get it to run as a non-admin, or if that's totally impossible just make another admin account and runas it in that. The most important thing is not to be using a web browser or email in an unsecured admin-privileged account. If all you do in that admin account is run your game and your game is not evil then where's the harm.

I guarantee from ten years of personal use at home that if done right by someone with enough security config expertise, fully secured machines are zero hassle. They had to be because my clients' users would be moaning otherwise but they never even knew there was anything unusual about their systems, not until they tried to do something highly suspect or made a bad mistake and got stopped.

It's important to use a good email program and a filtered virus-scanned email service with attachment stripping so eg exes get stripped before they get to you. Although no harm will come to you on a fully secured system, as even if you receive a malicious exe and save it, you can't run it. But a clueless user could email it to someone else which is not good at all. Don't ever use webmail unless you have a scanned attachment-stripped email service. Use a proper email client such as Outlook which blocks attachments and castrates html email.

I don't know what Firefox is like now but it used to be hopeless in security terms. Chrome showed promise but Microsoft browsers have always been light years ahead in security terms because of their sophisticated split-privilege/low privilege special architecture. Chrome may have this too. But unless you know a lot about security architectures stick to a Microsoft browser for safety given web browsing is the highest risk activity there is. With full SRP and file system ACLs hardened you will be ok even if the web browser's security model fails though.

These are the pillars:
1. No users as admins, esp not yourself
2. File system ACLs hardened correctly
3. Draconian SRP done right
4. Delete all random directories below the root unless you absolutely need some for a badly behaved app. This simplifies SRP and filesystem rules and keeps them correct long term. Also have zero random files in root (comes under ACLs anyway). This latter rule is not 100% essential but not having it is the road to hell.
5. Patches patches patches / updates to Windows and all your apps

If you have a badly behaved app or a game say which won't run under a standard user account and you can't work out how to hack it even with expert help and tools, then run it within a VM and then problem over. Don't spend days on it.

I hacked the application "SmartStamp" from the Royal Mail iirc, an app that prints out stamps, as it wouldn't run under a standard user account - unforgivably for a business app. While doing so I found it introduced an enormous security hole into every machine it was running on. Any standard user could use SmartStamp to gain admin privilege and cause limitless havoc. I fixed this evil by modifying the cruddy thing suitably, getting a knife into it. I mention this because this annoying process of dealing with random badly behaved apps can sometimes be very revealing.

It's not all about security. A well secured machine where you're in charge not some horrid random apps' quirks is one that is more reliable because apps can't wreck it.

Aside from VMs, if you can afford it why not have two physical machines if you want one for gaming, and have another for work or a place where you keep your critical data, stuff that you don't want to lose and on which you do ultra hi risk activities such as web browsing.

If you're serious about security and don't know how to do all these things get some help from a real expert professional, unfortunately these are extremely rare, but if you shout, I am here for you.

You also need a fully secured wireless LAN, a proper firewall and a router that is not full of security holes/bugs. Don't allow random or evil users on to your LAN be it wireless or wireful as their machines could attack LAN infrastructure with scary results. If you need to have such users visit you, put them in another LAN or use VLANs - there are a variety of solutions. Help is available with this kind of network security design. It's difficult to give guidance because some things depend on the capabilities of the kit that you've got.

Sorry it's been such a rant, hope some of it might be useful. Did this for a living full-time for a decade until I became too ill. I did security config for many home users not just business customers as home users matter too.
Logged
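
[Added example, not part of the post above and not Weaver's configuration: a check for pillar 2, listing directories inside an approved tree where a broad non-admin group is granted write-type rights, since a path-based allow rule is only as strong as the ACLs on that path. The function name, the SID list and the temporary sample tree are assumptions made for illustration.]

```powershell
# Added example; names are illustrative assumptions.
function Find-UserWritableDirectory {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
        [string[]] $BroadSid = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
    )

    # Rights that allow planting or replacing files, or loosening the ACL itself.
    # 0x40000000 / 0x10000000 are GENERIC_WRITE / GENERIC_ALL, which .NET exposes as raw bits.
    $names     = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int][Security.AccessControl.FileSystemRights]$names -bor 0x40000000 -bor 0x10000000

    $dirs = @(Get-Item -LiteralPath $Root -Force) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($dir.FullName)"; continue }

        foreach ($ace in $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadSid -notcontains $ace.IdentityReference.Value) { continue }
            # Inherit-only entries apply to children, not to this directory.
            if ($ace.PropagationFlags -band [Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

            if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed sample: a stand-in approved tree with one deliberately loosened folder.
$demo    = Join-Path ([IO.Path]::GetTempPath()) ('acl-audit-' + [guid]::NewGuid())
$plugins = Join-Path $demo 'App\plugins'
New-Item -ItemType Directory -Path $plugins -Force | Out-Null

$users = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$rule  = New-Object Security.AccessControl.FileSystemAccessRule($users, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl   = Get-Acl -LiteralPath $plugins
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $plugins -AclObject $acl

Find-UserWritableDirectory -Root $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

[The function reports grants only; deny entries and nested group membership are not evaluated, so a hit is a prompt to inspect that directory rather than proof of effective access.]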

Alex Atkin UK

Re: Microsoft Windows and Security Considerations
« Reply #13 on: March 29, 2020, 04:58:18 AM »

Quote
I guarantee from ten years of personal use at home that if done right by someone with enough security config expertise, fully secured machines are zero hassle. They had to be because my clients' users would be moaning otherwise but they never even knew there was anything unusual about their systems, not until they tried to do something highly suspect or made a bad mistake and got stopped.

The thing is though, Windows 10 is different to how it used to be.  There are plenty of reports of Windows Updates reverting these sorts of changes behind people's backs, because Microsoft want to be the god of exactly how security works (or doesn't.)  By securing Windows, you're fighting the OS itself as it tries to prevent you from doing so.

Quote
Alex I did that with my own main machine at home. I didn't do anything to users that I didn't do to myself. It was no hassle. If you need to run a game and don't know how to hack it to get it to run as a non-admin, or if that's totally impossible just make another admin account and runas it in that. The most important thing is not to be using a web browser or email in an unsecured admin-privileged account. If all you do in that admin account is run your game and your game is not evil then where's the harm.

But that's just it, games aren't self-contained any more, they are installed, updated and executed from homogenised UIs that are effectively web driven front-ends.  Web components are embedded within how the games work these days.

Games do generally run as standard users I believe (clients used to manage those games generally only ask for admin when they update), but I'm not sure they would be friendly to the level of lock down you are proposing.  Game clients refuse to launch without installing the latest update and those clients won't do a thing if you aren't logged into your account.
« Last Edit: March 29, 2020, 05:01:18 AM by Alex Atkin UK »
Logged
INTAKE (ECI) Zen: Home Hub 5A OpenWrt Plusnet: VMG-3925-B10B Three 4G: Hauwei B535-232 Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD
Thinkbroadband Quality Monitors

Weaver

Re: Microsoft Windows and Security Considerations
« Reply #14 on: March 29, 2020, 06:21:01 AM »

I of course defer to Alex since I retired ten years ago, and as he says things have changed since then. I hated Windows 8 so much that I switched to Apple 100%. I was introduced to iPads by Janet in fact as she bought one to find out what it was like and then I immediately bought one too. The iPads took over my world completely pretty soon and then the Apple invasion became complete.
Logged