Windows Vista. Securing & Safe Computing PROTECTING YOUR PERSONAL COMPUTER FROM MALICIOUS THREATS




Pre-Setup Notes

As of August 12, 2009, all of the following procedures to secure the Windows Vista operating system have been tested in a virtual environment using Sun VirtualBox to ensure that there are no critical exploits to the system. After properly securing the Windows Vista environment, the operating system was tested against SiteProtector, an IBM product that tests for vulnerable machines on a network. Windows Vista passed two scans by SiteProtector (1 with the firewall on and 1 with the firewall off) which in theory passed the setup procedures guidelines.

For testing purposes, I recommend using VMware or Sun VirtualBox virtualization software. Feel free to test Windows Vista in these virtual environments to protect your host system from any unwanted damage.

Software tested on Windows Vista:

Internet Browser - Passed
- Firefox is the recommended choice for safe computer browsing

Most Major Firewalls (ZoneAlarm, Comodo) - Passed
- Vista passed vulnerability scan with IBM Internet Scanner with basic Windows firewall.

Antivirus - Passed
- McAfee VirusScan is recommended (free to UC community)
- Most major anti-virus software is compatible with Vista. Visit the Windows website below for a full list of anti-virus software that is supported.
  http://www.microsoft.com/windows/antivirus-partners/windows-vista.aspx

Other Software That Passed:
- MalwareBytes Anti-Malware Software
- Eraser Hard-Drive Erasing Software
- TrueCrypt - Hard-Drive and Volume Encryption Software
- IZARC - Free Unzip/Zip software with over 20 different file extensions

If any vulnerabilities or exploits are found during the testing of Windows Vista please report to:
UCIT Office of Information Security
Email: infosec@uc.edu

HOW TO PROPERLY SET UP AND SECURE YOUR WINDOWS VISTA PC FOR SAFE COMPUTING

This is a work in progress. Version 07/30/09

Billions of people buy Microsoft software. Microsoft has therefore made a quite understandable decision to set up its products so as to operate smoothly right out of the box for the majority of people. Many computer users don't know a great deal about the inner workings of computers and operating systems, nor do they need to for the most part. However, there are a few things that should be done to secure Microsoft Windows prior to putting it into use. This guide is designed to let the average computer user make a home PC or personal laptop much more protected against penetration by a hacker.

A few notes before we begin:
- Where you see (RC) it indicates that you should Right Click the indicated item vs. left clicking as usual.
- [#] The number in square brackets indicates the number of minutes this step took me in my trial. Your experience may differ based on a variety of factors.
- Windows Vista has gotten rid of the ownership factor of your own PC. What used to be My Computer and My Documents is now called Computer and Documents.
- I do not usually give specific instruction steps for clicking Apply, Save or OK. These steps are implied by the instructions.

One last thing: Remember one immutable law of security. Physical access trumps almost any technical protections you may put in place. If you have a laptop, never leave it unattended. If it is stolen, a hacker will have unlimited time to break through your security. Buy a locking cable. Install a strong encryption package. None of the below will protect your system or data if a technically-minded thief has your computer. That being said, let's protect your machine from other types of attacks.

All the steps from here on, including the clean install of Windows Vista, took less than 4 hours. On with the process.

1. Perform a Clean install of Windows Vista. [~40 minutes]
- Go to Device Manager (Start > Computer (RC) > Properties > Click Device Manager link on the left) and make sure all your devices are working properly.
- Anything with a yellow exclamation point should be fixed. Consult your documentation or support if you need help to resolve these.

2. Customize Start Menu to add System Administrative Tools. You will need these to perform some of the following configurations. [1]
- Right click Start > click Properties
- Go to Start Menu tab > Customize
- Configure Start Menu Items to paste and add System Administrative Tools to your menu as shown:

3. Go to Computer Management [3]
(Only Vista Business and Vista Ultimate support the next step)

Two ways to get to it:
1) Click Start > Computer (RC) > Manage
2) Click Start > All Programs > Administrative Tools > Computer Management

Secure the user accounts:
1) Delete all unnecessary accounts (support, HelpAssistant, etc.) by right clicking each in turn and selecting Delete.
2) User account controls are only available in Windows Vista Ultimate and Windows Vista Business. For anyone with other versions please move to the next step.
3) The Guest account cannot be deleted, but it should already be disabled. (This is shown by the circle with a down arrow over the account.) Leave this account disabled.
4) Set a strong password on all active accounts (including Administrator). For tips on how to select a strong password see: http://www.uc.edu/infosec/howtochooseapassword.htm

4. Click Disk Management in the left pane and verify that all disk partitions are formatted with NTFS. [1]

5. Set a Screen Saver and set the system to require a password upon resume. [1]
- Right Click anywhere on the desktop and select Personalize
- Select the Screen Saver tab toward the bottom right of the window.
- Select your preferred Screen Saver.
- Be sure to check "On resume, display logon screen" as shown

6. Open your Documents folder, and then select Organize > Folder and Search Options [1]
- Click View tab.
- Under Hidden files and folders, set "Show hidden files and folders" for the time being (you can set this one back to hide after we are done)
- Scroll down and uncheck "Use Sharing Wizard" (this one you will want to keep this way)

7. Review and modify file permissions on your hard drives. [3]
- Click Start > Computer. Right click on your main hard drive and select Properties
- On the Sharing tab, remove the default share by clicking Advanced Sharing > uncheck "Share this folder". By default, Windows Vista does not share this folder.
- On the Security tab, remove the Everyone group from file permissions by selecting it and pressing the delete key. By default Windows Vista does not have an Everyone group.
- Repeat this for any other hard drives that might be connected to your computer
- More permission setting advice can be found here, but this may be more detail than most users need to worry about: http://www.windowsitlibrary.com/content/121/18/1.html

8. Configure Windows Firewall. [3]
- Click Start > Control Panel > Classic View > Windows Firewall
- On the side panel click "Turn firewall on or off"
- Check On (recommended)
- Click the OK button to return to the Windows Firewall main screen.
- Close this window and open Windows Firewall and Advanced Settings from the Administrative Tools menu (Start > All Programs (RC) > Administrative Tools > Click Windows Firewall and Advanced Settings)
- Click Windows Firewall Properties
- Click Customize (located next to Logging) and allow logging for dropped packets & successful connections

9. Change workgroup name if desired. [2]
- Click Start > Computer (RC) > Properties, click Change Settings (located under Computer name, domain and workgroup settings); under the Computer Name tab, click Change.
- Change the computer and workgroup name to meet your needs.

NOTE: For computers on your local workgroup to properly communicate, they will all need to be set up to:
- Have the same workgroup name
- Have different computer names

10. Create a non-administrator user account for normal use. [3]
- Start > Control Panel > User Accounts and Family Safety > Add or remove user accounts
- Click Create a new account
- Enter the user name you desire and select Standard User
- Click on the new account
- Add a strong password. See http://www.uc.edu/infosec/password/choosepassword.html for tips.

11. Disable Bluetooth if it is not being used. [1]

12. Disable Wireless if it is not being used. [1]
Note: The steps in this document will help protect your PC from attack, but understand that wireless connectivity is currently not a secure technology. It is possible to break WEP encryption (the wireless encryption still used by most wireless access points if any is used at all) in less than 15 minutes using a tool that is freely available online. So, while wireless access is incredibly useful, it is not secure. Just something of which to be aware.

13. Connect your computer to your network via the network cable or wireless adapter. [1]

14. Install a reputable Anti-Virus package like McAfee, Panda or Avira. [5]
Currently, the University of Cincinnati offers free Anti-Virus/Spyware protection using the award winning McAfee antivirus software. The latest version of McAfee hosted on the University of Cincinnati's website is fully compatible with Windows Vista and offers real-time scanning to prevent malicious content from accessing your PC. You can download McAfee by clicking the link below and following the directions for installation.
http://www.uc.edu/ucit/ware/software/mcafee.html
If you don't want to use McAfee, Microsoft provides a list of both free and paid anti-virus software that is fully compatible with Windows Vista. Follow the link below to visit this site.
http://www.microsoft.com/windows/antivirus-partners/windows-vista.aspx
- Update your Anti-Virus package. [7]

15. Install the latest version of Internet Explorer (IE 7 comes standard in Vista). Secure Internet Explorer. [5]
1) Go to Internet Options (located under the Tools dropdown box)
2) Go to the Privacy tab and set cookie security to High. Once you have done this, you will need to explicitly add any site that you want to have cookies. This requires a little extra work on your part, but it will virtually eliminate the incredible proliferation of cookies that infect most computers and dramatically compromise your privacy. There are a relatively low number of sites that absolutely require cookies.
3) Go to the Security tab and set to High for the Internet zone as shown.
4) On the same tab, click Trusted Sites (green checkmark). Click the Sites button. On the resulting screen, uncheck "Require https" (at the bottom) and then enter the following URLs as shown above. These will be required to run Windows Update in the next step.
   update.microsoft.com
   *.update.microsoft.com
   download.windowsupdate.com
   windowsupdate.microsoft.com

(If you are using IE 8 or later, enable SmartScreen Filter. In IE8, SmartScreen Filter allows you to browse the internet safely. SmartScreen Filter blocks malicious websites. To enable SmartScreen Filter, click Start > type Internet Options in the search bar (hit Enter) > click the Advanced tab > under Security make sure the box is checked next to Enable SmartScreen Filter.)

16. Run Windows Update. [45]
- Click Start > All Programs > Windows Update
- Another window will open prompting you to update. Click the install updates button (if applicable).
- Another method of updating your Windows OS is by going to www.windowsupdate.com on IE8 and following instructions from there.

17. Configure Local Security Policies. [15]
- Click Start > All Programs > Administrative Tools > Local Security Policies

In the Account Policies > Password Policy section, set:
1) Do Not Enforce Password History
2) Set Maximum Password Age - 42 days
3) Set Minimum Password Age - 0 days
4) Minimum password length - 10
5) Password must meet complexity requirements - Enabled
6) Store password in reversible encryption - Disable

Set Account Lockout Policy:
1) Threshold - 5 attempts
2) Duration - 60 minutes
3) Reset lockout counter - 60 min

Set Local Policies > Audit Policy as shown.

Under Security Options do the following.
1) Accounts: Guest account - Disable
2) Accounts: Rename administrator account - Rename this to something else. I chose HighLevel
3) Accounts: Rename guest account - Rename this to something else. I chose DoNotUse
4) Domain member: Require strong (Windows 2000 or later) session key - Enabled
5) Interactive logon: Do not display last user name - Enabled
6) Interactive logon: Do not require CTRL+ALT+DEL - Disabled
7) Set a logon message if desired (like "This computer is the property of company X. Authorized use only." etc.)
   a) Interactive logon: Message text for users attempting to log on
   b) Interactive logon: Message title for users attempting to log on
8) Microsoft network client: Send unencrypted password to third-party SMB servers - Disabled
9) Network access: Allow anonymous SID/Name translation - Disabled
10) Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
11) Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
12) Network access: Do not allow storage of credentials or .NET Passports for network authentication - Enabled
13) Network access: Let Everyone permissions apply to anonymous users - Enabled
14) These next three settings should have all their entries removed to prevent Null Session attacks:
   a) Network access: Named Pipes that can be accessed anonymously
   b) Network access: Remotely accessible registry path
   c) Network access: Remotely accessible registry paths and sub-paths
   d) Network access: Shares that can be accessed anonymously
   These are the default values for the above three keys. I am including them here in case you need them for future reference:
   o Named Pipes
     Do Not Enter Anything: by default there are no values in this setting
   o Remotely accessible registry path
     System\CurrentControlSet\Control\ProductOptions
     System\CurrentControlSet\Control\Server Applications
     Software\Microsoft\Windows NT\CurrentVersion
   o Remotely accessible registry paths and sub-paths
     System\CurrentControlSet\Control\Print\Printers
     System\CurrentControlSet\Services\Eventlog
     Software\Microsoft\OLAP Server
     Software\Microsoft\Windows NT\CurrentVersion\Print
     Software\Microsoft\Windows NT\CurrentVersion\Windows
     System\CurrentControlSet\Control\ContentIndex
     System\CurrentControlSet\Control\Terminal Server
     System\CurrentControlSet\Control\Terminal Server\UserConfig
     System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
     Software\Microsoft\Windows NT\CurrentVersion\Perflib
     System\CurrentControlSet\Services\SysmonLog
   o Shares that can be accessed anonymously
     Do Not Enter Anything: by default there are no values in this setting
15) Network access: Sharing and security model for local accounts - Classic
16) Network security: Do not store LAN Manager hash value on next password change - Enabled
17) Network security: LAN Manager authentication level - Send NTLMv2 response only\refuse LM & NTLM
18) Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - Check Require NTLMv2 and Require 128-bit encryption

19) Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - Check Require NTLMv2 and Require 128-bit encryption
20) Recovery console: Allow automatic administrative logon - Disabled

In User Rights Assignment, set the following. You will sometimes be removing groups (like "Everyone") and adding others (like "SYSTEM").
1) Access this computer from the network - Administrators (remove Everyone and other groups)
2) Bypass traverse checking - Administrators, SERVICE, Power Users, Users
3) Deny access to this computer from the network - ANONYMOUS LOGON
4) Deny logon locally - Guest
5) Deny logon through terminal services - Everyone
6) Log on as a batch job - <remove all>
7) Log on as a service - <remove all>

18. Shutdown and disable Services that are not required. [15]

Start Services manager in one of two ways:
1) Click Start > All Programs > Administrative Tools > Services
OR
2) Click Start > Type Services in the search bar at the bottom > click Services

To stop a service:
1) Select the service you want to modify (green arrow)
2) Click the Stop button (red arrow)

To set a service to Manual or Disable it:
1) Double click the service you want to modify
2) Stop the service (there are a few that will not stop until you reboot)
3) Select Disabled or Manual under Startup Type
4) Click Apply and OK

Go through the Services manager and set the following services like this:
1) Application Experience - Set to Manual
2) Application Layer Gateway - Provides support for 3rd party plug-ins for Internet Connection Sharing/Internet Connection Firewall. Required if using Internet Connection Sharing/Internet Connection Firewall to connect to the internet. Automatic if using ICS, Disabled if not.
3) COM+ System - Disable.
4) Computer Browser - The browser service is used to maintain the list of PCs you see in Network Neighborhood. This is normally a server function. A home user can set this to Manual.
5) Desktop Window Management Session Manager - Set to Manual
6) Diagnostic Policy Service - Set to Manual
7) Distributed Link Tracking Client - Sends notifications of files moving between NTFS volumes in a network domain. Disable on a home computer.
8) Distributed Transaction Coordinator - Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction-protected resource managers. Manual.
9) DNS Client - Resolves and caches Domain Name System (DNS) names. This is normally provided by your ISP. Disable and, if you have name resolution problems, return it to Automatic.
10) Fax - Set to Manual if you don't need fax services.
11) Internet Connection Sharing - If you want to share an Internet connection for your home network, then set this to Automatic. If not, leave this set to Manual.
12) IP Helper - Set to Manual
13) Net Logon - Supports pass-through authentication of account logon events for computers in a domain. Logging onto a domain? Leave it. Otherwise set it to Manual.
14) Offline Files - Set to Manual
15) Portable Device Enumerator Service - Set to Manual
16) Print Spooler - Set to Manual
17) Protected Storage - Set to Manual
18) Remote Access Connection Manager - Only needed if you are configuring a new network connection. Keep Disabled normally.
19) Remote Registry - Allows remote registry manipulation. A home user can set this to Manual.
20) Routing and Remote Access - Offers routing services to businesses in local area and wide area network environments. A home user can set this to Manual.
21) Secondary Logon - Set to Manual.
22) Security Accounts Manager - Stores security information for local user accounts. A home user can set this to Manual unless you are using Local Security Policy Editor.
23) Server - Disable this service unless you are sharing files on your hard drive or your printer. Hackers will get nowhere if you do.
24) SSDP Discovery - Part of UPnP. Disable.
25) Tablet PC Input Service - Set to Manual
26) TCP/IP NetBIOS Helper - Provides support for name resolution via a lookup of the LMHosts file. If you are not using LMHOSTS name resolution, you can set it to Manual.
27) Telephony - Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Normally set to Manual on workstations. Leave it on Manual.
28) UPnP Device Host (Universal Plug and Play Device Host) - Provides support to host Universal Plug and Play devices. Disable unless installing new hardware.
29) WebClient - Provides HTTP services for applications on the Windows platform. Required if you are running a web server. Most common entry point for hackers! Disable it.
30) Workstation - Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Set this to Manual. May normally be left stopped.

Reactivating Services

If you want to run certain functions of Windows, you will have to turn some services back on:
1) Enable local workgroup networking
   - Workstation (set to auto)
   - to be visible on local network: Server (set to auto)
   - to see others on local network: Computer Browser (set to auto)
2) If you install software that needs telephony, like Skype, you may need to re-enable Telephony and perhaps Remote Access Connection Manager. Test this by trying the software first and then enabling first one then the other.

19. Disable Dump File Creation
A dump file can be a useful troubleshooting tool when either the system or an application crashes and causes the infamous "Blue Screen of Death". However, dump files can also provide a hacker with potentially sensitive information such as application passwords.
- You can disable the dump file by going to Start > Computer (RC) > Properties, click Advanced System Settings > Startup and Recovery section under the Advanced tab > click Settings
- Change the options for "Write Debugging Information" to None.
- If you need to troubleshoot unexplained crashes at a later date, you can re-enable this option until the issue is resolved, but be sure to disable it again later and delete any stored dump files.

20. Run GRC security tests. [5]
http://www.grc.com/freepopular.htm
- UnPlug n' Pray
- Shoot the Messenger
- Leak Test
- MouseTrap

21. Set up software restriction policies. [5]
- Click Start > in the search bar at the bottom type Local Security Policy
- Click Software Restriction Policies, click Action, click New Software Restriction Policy
- Double click on Enforcement and set it to All (vs. not on libraries)
- Double click on Trusted Publishers and set it to allow only all administrators to manage Trusted Publishers

22. Set up a share folder if desired
If you want to share files with other computers on your home network you will need to set up a shared folder.
- Create a new folder for this purpose, then right click on it and click Properties.
- On the Sharing tab, click Advanced Sharing.
- Provide the name of the share ("Share" below).
- I recommend that you limit the number of computers that can connect to your computer to a realistic number for your network. I put 2 in the example below.
- Once that is set, click the Permissions button.
- On the Permissions for Share screen, remove the Everyone group and replace it with Authenticated Users.
- Finally, add the ANONYMOUS LOGON group and set all permissions for it to Deny as shown.

23. Test your security. [4]
- Run GRC Shields-Up! found at http://www.grc.com/default.htm
- If available, scan your system with a vulnerability scanner such as Nessus, ISS or NexPose

24. Change your boot sequence and set BIOS passwords. [6]
- Refer to your system documentation for instructions on how to do this
- Change the boot sequence to start with your hard drive
- For the slightly more paranoid, you can set the BIOS password so that the computer cannot even be started without entering a password. This will require you to enter two passwords to start up your system (BIOS and Windows) and is normally not required.

25. Post Configuration Clean-up
- If desired, you may hide your hidden files again. Open your Documents folder, and then select Organize > click Folder and Search Options > click the View tab > under Hidden files and folders, set "Do not show hidden files and folders"

26. Remember to always back up your data.
It is important to back up your data in the event of your computer crashing, catching a virus, etc. Always back up your important data on an external drive.

To reset security if something gets fouled up (Reference - http://support.microsoft.com/kb/313222)
Be very cautious when tampering with your OS settings.

To reset Security Policies:
    secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas securitypolicy /db secsetup.sdb /verbose

To reset Services:
    secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas services /db secsetup.sdb /verbose

To reset User Rights:
    secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas user_rights /db secsetup.sdb /verbose

To reset All:
    secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /db secsetup.sdb /verbose
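The values set in step 17 can be checked from a policy export instead of by eye. The following is an added example, not part of the original guide: it parses the file written by `secedit /export /cfg <file>` and lists every value that differs from the Account Policies and a subset of the Security Options in step 17. The mapping from GUI labels to export key names and the sample export are this example's own assumptions; the sample is constructed.

```python
import codecs

# Expected values from step 17; the GUI-label -> export-key mapping is this example's assumption.
SYSTEM_ACCESS = {
    "PasswordHistorySize": 0,      # do not enforce password history
    "MaximumPasswordAge": 42,      # days
    "MinimumPasswordAge": 0,       # days
    "MinimumPasswordLength": 10,
    "PasswordComplexity": 1,       # enabled
    "ClearTextPassword": 0,        # reversible encryption disabled
    "LockoutBadCount": 5,          # attempts
    "LockoutDuration": 60,         # minutes
    "ResetLockoutCount": 60,       # minutes
    "EnableGuestAccount": 0,
}
DEFAULT_NAMES = {"NewAdministratorName": "Administrator", "NewGuestName": "Guest"}  # rename both

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
POLICIES = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
REGISTRY = {
    LSA + r"\LmCompatibilityLevel": 5,          # NTLMv2 only, refuse LM & NTLM
    LSA + r"\NoLMHash": 1,                      # do not store LAN Manager hash
    LSA + r"\RestrictAnonymousSAM": 1,          # no anonymous SAM enumeration
    LSA + r"\RestrictAnonymous": 1,             # ... nor of SAM accounts and shares
    POLICIES + r"\DontDisplayLastUserName": 1,  # do not display last user name
    POLICIES + r"\DisableCAD": 0,               # CTRL+ALT+DEL stays required
}

def decode_export(raw: bytes) -> str:
    """secedit writes UTF-16 with a byte-order mark; accept UTF-8/ANSI copies too."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    return raw.decode("latin-1")

def parse_inf(text: str) -> dict:
    """Return {section_lower: {key_lower: raw_value}} for a security template."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def audit(raw: bytes) -> list:
    """Return (setting, expected, found) for every value that deviates or is missing."""
    inf = parse_inf(decode_export(raw))
    access = inf.get("system access", {})
    registry = inf.get("registry values", {})
    findings = []
    for key, want in SYSTEM_ACCESS.items():
        got = access.get(key.lower())
        if got is None or not got.lstrip("-").isdigit() or int(got) != want:
            findings.append((key, str(want), got))
    for key, default in DEFAULT_NAMES.items():
        got = access.get(key.lower())
        if got is None or got.strip('"').lower() == default.lower():
            findings.append((key, "renamed", got))
    for path, want in REGISTRY.items():
        got = registry.get(path.lower())
        # Registry lines are "<type>,<data>"; type 4 is REG_DWORD.
        data = got.split(",", 1)[1] if got and "," in got else None
        if data is None or not data.isdigit() or int(data) != want:
            findings.append((path.rsplit("\\", 1)[1], str(want), got))
    return findings

# Constructed sample shaped like a near-default export; not taken from a real host.
SAMPLE = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
NewAdministratorName = "Administrator"
NewGuestName = "DoNotUse"
EnableGuestAccount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
""".encode("utf-16")

if __name__ == "__main__":
    for name, want, got in audit(SAMPLE):
        print(f"{name}: expected {want}, found {got}")
```

A setting that is absent from the export is reported with a found value of None; secedit omits the lockout duration and reset counter when the lockout threshold is 0, so those two findings clear once the threshold is set.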

Other Security Applications

There are a wide variety of security products that you can use on your Vista machine. While we do make recommendations as to what security products work best, it is solely your decision as to what products you want to use.

Firewalls

In the case of firewalls, the Windows firewall that comes pre-installed on the OS is much better than past versions. Windows Firewall and a good anti-virus product are effective in keeping your computer running at optimal performance. For those of you that want more protection, we recommend using ZoneAlarm or Comodo.
- ZoneAlarm [4] is a free bi-directional firewall that is consistently one of the best reviewed and most secure personal firewalls on the market.
  http://download.cnet.com/zonealarm/3000-10435_4-10039884.html
- Comodo [4] combines both a firewall and anti-virus software for optimum security on personal computers. CNET editors have given it 5 stars.
  http://download.cnet.com/comodo-internet-Security/3000-10435_4-10460704.html?tag=mncol

Anti-virus, Anti-spyware, and Anti-malware

McAfee Anti-virus & Anti-spyware
As mentioned earlier in this article, UC is proud to offer McAfee Anti-virus and Anti-spyware software FREE to the UC community. McAfee has been ranked #1 in anti-virus software for 7 years straight. We recommend that everyone in the UC community take advantage of this great offer. We do realize that you may prefer a different anti-virus program or may be paying for another anti-virus program, and that is why we do not require you to use McAfee.

Other Anti-virus & Anti-spyware
As mentioned at the beginning of this document, there are other alternatives to using McAfee. Two good free anti-virus suites are AVG and Comodo. If you prefer to use a different one, there is a complete list of supported software at the link below.
http://www.microsoft.com/windows/antivirus-partners/windows-vista.aspx

Malware Remover
Feel as though your computer is infected with spyware/malware? Install Malwarebytes Anti-Malware, FREE spyware/malware removing software, and scan your PC. This program is a top rated contender among anti-spyware/malware programs. Reviews state that Malwarebytes is better than most non-open source anti-spyware/malware programs. Click the link below to be redirected to the download page.
http://download.cnet.com/malwarebytes-anti-malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

Utilities

Disk Erasers
- Eraser - http://www.heidi.ie/eraser/download.php - this utility wipes your hard drive clean, or can be used to wipe unnecessary data off of your drive for better performance and extra storage.

Encryption
- TrueCrypt - http://www.truecrypt.org/ - TrueCrypt is an open source encryption tool that allows for single file and whole disk encryption.
- BitLocker - Vista provides its own whole disk encryption solution that comes free with the installation of Vista. BitLocker is a hard-drive/USB/volume encryption utility that offers you security for your data storage media in the case of theft.

File Management
- WinRAR - http://www.rarlab.com/download.htm - Comprehensive archive utility that can compress and decompress RAR and WIN files along with many others - not free
- IZArc - free open source archive utility (better alternative to WinRAR) that compresses and decompresses files in over 20 different formats. http://www.izarc.org

Network Browsers
- CurrPorts - http://www.nirsoft.net/utils/cports.html - CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.
- Firefox - http://www.mozilla.com/en-us/firefox/personal.html - Firefox is a secure open source browser that is free of charge. This is the preferred browser for security.
