Speaking for security, it is all about resources. If you put more resources
into securing yourself than the attacker puts into attacking you, you are safe.
If the attacker puts in more than you do, you will be hacked. And it is not a
matter of if you will be hacked, but of when. Everyone should understand that
your safety is your responsibility alone, and nobody else's. If you do not
secure your computer, nobody will secure it for you. Either you follow good
security practices and stay safe, or you become low-hanging fruit, easy to
pick. Which one you want to be is your choice, and yours alone, but the credit
for a job well done, or the responsibility for what went wrong, is also yours,
and yours alone.
Part 1
Windows Operating System
Windows security is based on the user account and the user account's settings.
Settings in Internet Explorer, in MS Office and the programs that ship with it
(Word, Excel, PowerPoint, Outlook...), in Windows Media Center and in Windows
Media Player are NOT the settings that define a user's main security rule set.
They are details applied on top, which refine and fine-tune the account in one
direction or another. The main user security comes from somewhere else: from
the user account that is logged on, which serves as the base on top of which
everything else happens. Accounts belong to groups, and groups carry the rights
and restrictions that are assigned to them, configured with the Local Group
Policy Editor (gpedit.msc) and enforced through the system's access control
lists. The single choice with the biggest security benefit is therefore which
kind of account you use day to day. Under a non-administrative (standard user)
account, the rule that applies to the user, and to every program running on the
user's behalf, is:
if it is not specified as allowed, it is restricted by default.
While an application runs under a non-administrator account, the operating
system enforces that user's restrictions and permissions on the application.
The application has the same limitations as the user, because it runs on the
user's behalf, under the user's credentials. An attacker can still gain control
of the computer through a non-administrator account, but to own the machine he
then needs a separate privilege-escalation exploit to elevate himself to
administrator or SYSTEM level. That is one more obstacle to overcome, one more
component in the attack chain, and one more element of complexity. Not every
target is worth the effort of developing that extra exploit and the tooling
around it.
This rule does not apply to an administrative account. For many reasons
(operating system updates, application updates, driver updates, OS settings,
network settings, hardware settings exposed through drivers, power and battery
management where applicable) the administrator account has unrestricted access.
If an administrator account is targeted and successfully compromised, all of
that unrestricted access is there for the attacker to use as he wishes. That
means game over: it is no longer your machine, and nothing it tells you can be
trusted any more.
Another benefit for Windows security is using a 64-bit edition of Windows Vista
or Windows 7. x64 Windows adds Kernel Patch Protection (PatchGuard), which
resists kernel patching, kernel hooking and other forms of kernel manipulation,
and Driver Signature Enforcement, which only allows signed drivers to be
installed and loaded. Driver Signature Enforcement was tightened further by the
July 2012 Microsoft updates. These two x64 features noticeably reduce your
attack surface. The system memory protections DEP, ASLR and SEHOP work at a
different level: they make a memory-corruption bug much harder to exploit, and
such a bug is the usual road to kernel privileges. Together, the kernel
protections and the memory protections make it that much harder for malware to
reach SYSTEM or kernel level, install itself as a kernel driver, and take over
your computer with effectively unlimited access to the whole operating system
and all of its resources.
Regular operating system, application and driver updates help a lot with
securing Windows. Switching Windows Update to Microsoft Update increases the
effect, because more Microsoft software (Office, for example) then receives its
patches through the same channel. Driver updates can help too: an updated
driver for your display adapter, network interface card or sound card may be
built with support for the system memory protections, which generally improves
operating system security. The operating system also becomes more stable, which
gives you and your applications a more solid, more reliable and harder to
sabotage foundation to work on.
Using, and keeping up to date, a good set of defensive software (firewall,
anti-malware) also helps you stay safe while browsing your favourite websites.
Part 2
Microsoft applications and application integration
When you use Microsoft applications on the Windows operating system you will,
at some point, run into Windows application integration and shared DLL files.
Do not have the naive illusion that you can avoid it.
Example 1
Windows, MS Office, Windows Media Player and the Internet features of Microsoft
Update are all linked through Internet Explorer's networking components (for
example wininet.dll and urlmon.dll). Most of them do not use Internet
Explorer's rendering engine (mshtml.dll), but they do use its networking stack.
This means Internet Explorer shares DLL files with other applications: a DLL
that originally belongs to Internet Explorer is loaded by a number of
applications, and whatever is in that DLL, features and bugs alike, is loaded
into each of them.
Example 2
The same principle applies to multimedia. Windows, MS Office and Internet
Explorer use Windows Media Player's DLLs and multimedia features. Sometimes a
Microsoft application uses its own renderer, sometimes it uses Windows Media
Player's renderer, but in either case it still uses Windows Media Player's
media components. This means even more shared DLL files: they originally belong
to Windows Media Player, but they are shared because many applications use
them.
Part 3
How parts 1 and 2 relate to each other in terms of security and functionality
Most people assume that Microsoft software is riddled with bugs, some affecting
functionality, some affecting security. Bugs do affect functionality and
security, but the truth is a bit different: the applications are not really
riddled with bugs. If a shared file that originally belongs to Internet
Explorer has a bug, that is one bug in one application, Internet Explorer. But
because the file is shared and many applications use it, the bug reaches every
application that loads the file, creating the impression that each application
suffers from its own bug. When Internet Explorer is updated and the buggy
shared file is fixed, the fix reaches all of those applications in exactly the
same way. This is also why you should not leave Internet Explorer unpatched
just because you browse with something else.
The same principle holds, with one caveat, for system memory protection and
exploit mitigation. Internet Explorer 9.0.8 is the current version at the time
this article is written. Starting with Internet Explorer 9, and improving
through versions and updates, more and more files belonging to IE, shared files
among them, are built with support for the system memory protections. For ASLR
the benefit does carry over: a DLL linked with /DYNAMICBASE is relocated in
every process that loads it. DEP and SEHOP, however, are properties of the
hosting process rather than of the DLL, so a shared DLL is only covered by them
inside applications that opt in themselves, or that are forced in by system
policy or by EMET (see Part 4). Where that holds, not only Internet Explorer
benefits from the improved protection, but so does every application onto which
the shared file extends it.
Part 4
Additional resources
EMET - the Enhanced Mitigation Experience Toolkit, version 3.0 at the time this
article is written - is a free Microsoft utility that hardens applications and
the operating system by enforcing memory-protection mitigations on them. It
works as a user-mode library loaded into the processes you configure, and it
terminates a process as soon as one of its mitigations detects an exploitation
attempt, for example an attempt to run code from a non-executable page. EMET
itself does not use hardware virtualization and does not run outside the
operating system; what it needs from the hardware is DEP (the NX/XD bit), so
if your BIOS has an option for hardware DEP, make sure it is ENABLED. Hardware
virtualization (VT-x/AMD-V) is not used by EMET 3.0 and does not change its
protection one way or the other. Using EMET 3.0 you can shrink your attack
surface by cranking up Data Execution Prevention - DEP, Address Space Layout
Randomization - ASLR, and Structured Exception Handling Overwrite Protection -
SEHOP, both system-wide and per application.
Hardware DEP in the CPU is what makes operating-system DEP enforceable. With
it, the classic buffer-overrun family of attacks can no longer simply run
injected code from the stack or the heap. That does not eliminate the attack
class entirely (return-oriented programming reuses code that is already
executable, which is exactly why ASLR is needed alongside DEP), but it removes
the easiest path and hardens your system a great deal. It works as follows:
The CPU supports a no-execute (NX) bit on every page in the page tables, so the
processor refuses to fetch instructions from a page marked non-executable. The
operating system's memory manager uses this bit to mark the stack and heap of
the system and of programs as non-executable, while code pages stay executable.
When a program legitimately needs executable memory, a just-in-time compiler
for instance, it asks the operating system to mark selected pages as
executable on the fly, for example with VirtualProtect and
PAGE_EXECUTE_READWRITE.
ASLR randomizes the base addresses of the stack, the heap and the loaded
executable and DLL images of the operating system and of programs. This
presents an additional obstacle to the attacker: without a separate information
leak he has to guess where things are, and a wrong guess usually crashes the
target instead of exploiting it. This further hardens your system.
It might look as though hardware virtualization in the CPU has nothing to do
with security, and as far as EMET 3.0 is concerned it really does not: EMET
runs inside the operating system, as a library inside each protected process,
not from outside it. Enabling virtualization in the BIOS costs nothing and is
needed by virtual machine software, but do not expect it to strengthen EMET.
What EMET does do is apply its mitigations to every program on its protected
application list, so the programs you run, and your anti-malware software if
you add it to the list, also get hardened and become more difficult to
sabotage.
If your system cannot cope with this security level, maybe it is time for a
hardware and software upgrade. In the author's experience, all-Intel systems
(Intel CPU, Intel graphics, Intel motherboard and chipset, Intel NIC) tolerate
the most aggressive settings, with system-wide ASLR forced on for every image,
so this security approach can be cranked up to 100% full force. AMD/ATI-based
systems can suffer instabilities, mainly from the ATI display adapter drivers,
which are incompatible with EMET 3.0's system-wide ASLR "Always On" setting
(EMET hides that setting by default precisely because it can break drivers and
even prevent booting). On such a system you have to leave system-wide ASLR at
"Opt In". Opt In is not useless: every image linked with /DYNAMICBASE is still
randomized, and EMET's per-application Mandatory ASLR can still force
relocation of the remaining modules in the programs you list; what you lose is
randomization of non-opted-in modules in processes you have not configured.
You then have to decide whether you are willing to live with that lesser
security, or whether you want full force. If you are happy with your security
as it is, fine, keep your ATI display adapter. If you want to crank security up
to 100% full force, replace the ATI display adapter with an NVIDIA or Intel
one; both Intel and NVIDIA display drivers work fine at the maximum setting.
AMD CPUs with hardware DEP do not limit the security level at all; they
contribute to it, remain stable and work reliably with NVIDIA display drivers
at full force, so you have no real reason to change your CPU. EMET 3.0 has no
problem working on AMD CPUs and delivering reliable results. All EMET 3.0
needs from your CPU is hardware DEP, ENABLED.
Another good security resource is a combination of firewall and anti-malware
software that coordinate with each other. If one misses something, the other
can catch it; if one catches something and cannot make sense of it, it can ask
the other to help identify the threat. This raises the overall level of
protection and reduces false positives, leading to a higher quality of
protection. Note that if EMET is protecting the system, the system-wide SEHOP
and DEP settings (DEP when set to Always On) cover the firewall and
anti-malware processes too, and you can add their executables to EMET's
application list for the per-application mitigations, because from EMET's
point of view they are simply applications running under the operating system.
Protection software is hardened further by working under a non-administrative
account: malware running as that user cannot stop the firewall or the
anti-malware service, and in the case of Windows Firewall it cannot create its
own rules. This effectively raises the overall protection level.
Another useful measure is disabling UPnP (Universal Plug and Play) in both your
operating system and your router, if you have one. At its root UPnP is a
software and device interconnection technology that lets software and devices
connect freely, by dynamically creating rules in Windows Firewall or port
mappings in a NAT router, which cancels the useful effect of both. On the
usefulness side, very little legitimate software needs UPnP; on the malware
side it is paradise: any malware can issue UPnP commands to open a path to
wherever its command and control is, or to collect data and phone home to
deliver it. The lost connectivity is easy to restore: map the ports the
application or device needs in the router's NAT table, pointing at the IP
address of the computer or device involved. The software in question is
peer-to-peer software such as Skype or BitTorrent clients; the devices are, in
their vast majority, game consoles such as the Xbox or the Sony PlayStation.
They rely on UPnP to work out of the box, but a quick Google search shows which
ports they use, and if you map those ports manually the console and its online
features work just fine, without connectivity issues and without giving up
your security. On Windows, UPnP is provided by the SSDP Discovery (SSDPSRV)
and UPnP Device Host (upnphost) services; stopping and disabling both turns it
off on the computer side, and the router's administration page holds the UPnP
switch for the network side.
Another useful resource is the "hosts" file (on Windows:
%SystemRoot%\System32\drivers\etc\hosts). It can be used to prevent your
computer from going to places you do not want it to go, including malware
trying to reach a domain it knows. The file is consulted before DNS, so a name
listed in it is never asked of a DNS server at all. Your computer sees itself
as localhost, with IP address 127.0.0.1, so if you simply put:
127.0.0.1 unwanted_domain.com
in your hosts file, any software on the computer, malware or otherwise, that
tries to connect to unwanted_domain.com by name is sent to the computer itself
instead of the real server, and the connection fails. A common and slightly
better choice of blackhole address is 0.0.0.0, which fails without knocking on
whatever may be listening on your own loopback interface. Keep three limits in
mind: an entry matches only the exact name (www.unwanted_domain.com needs its
own line); it does nothing against malware that connects to a raw IP address or
performs its own DNS lookups instead of using the system resolver; and malware
running with administrator rights can simply edit the file, which is one more
reason for the non-administrative account from Part 1. After editing the file,
run ipconfig /flushdns so the resolver cache does not keep the old answer.
Enjoy your Windows OS!