SOLVED

Hardening Windows 10

Copper Contributor

I am locking down my new laptop, which is something I haven't had to do in quite a few years (since Vista).  In versions past (e.g., Win2k, XP, Vista), one of the hardening steps I employed (that was nearly always prescribed) was to protect special binaries (e.g., regedt32.exe, ftp.exe, mmc.exe, cscript.exe, and many other system32 command-line utilities) by removing LocalSystem and Administrators from the ACL and adding Read and Execute permissions to a special group (e.g., Sys32Admins).

 

From my install doc (paraphrased from a source no longer known):

"Protecting Special Binaries

 

Many exploits leverage the fact that the LocalSystem account and Local Administrators group have access to basic system utilities. To help reduce the likelihood of a successful exploit, you should create a separate admin group, say Sys32Admins. Then place the users that you want to use the tools in that group. Change the ACLs on the following tools to remove LocalSystem and the Administrators group, and give Sys32Admins ownership and the ability to Read and Execute. Do this for the following command-line utilities: . . ."

 

In searching for hardening docs for Windows 10, all of my past resources no longer existed or did not have a Win 10 doc.  None of the resources I read (> 150, so far) prescribed this locking of special files.

Is this somehow now redundant?  I.e., with UAC (or other), are these files inherently protected?  I log in as a standard user and I still can run regedt32 (w/ changes), ping, tracert, ftp, and a lot of other commands that used to be considered sensitive/hazardous.  I assume that if a rogue process in Win 10 were to run these, there would be no required permission elevation to do so.

 

Granted, I like to lock my systems down to a once-called "paranoid" level (ref:  Linux); so this is mostly for my edification.  However, I still would like to know if there is any longer a need to lock these or, more importantly, would there be adverse affects to the OS by doing so.  In the past, for Win2k, XP, and Vista, I never had any issues with doing so.  Since the advent of Win7/8/10, I haven't tried it.

 

Thank you in advance for your response.

 

I am running Windows 10 Home Version 1903 (OS Build 18362.267)

13 Replies
best response confirmed by Ivan_Ho (Copper Contributor)
Solution

I think at least some of the actions you previously had to do are now redundant.

Microsoft Windows Defender is a powerful all-in-one security solution that can cover most of those things. it provides enterprise class security tools to the normal users.
It can protect sensitive folders from unwanted programs and you can also add your own folders to the list for even more security, I think this makes more sense instead of shifting permission from one user to another.
Windows defender specially in 1903 (I'm using Pro edition so not sure what options are missing in Home, if Any) is pretty much complete solution.
you can try turning on tamper protection, Core Isolation, Memory Integrity (these options are turned off by default).


the only things you should do is to turn off services, optional features, protocols that you do not intend to use and also make Firewall rules for every new app and software you install. for example a photo editing software you install doesn't need internet connection. for its updates you can manually install newer versions. yes that's some additional work but you asked for it cause hardening is not gonna be easy.
To be honest Windows 10 itself can only be compromised by Zero day vulnerabilities, those that are not found yet, because Microsoft keeps Windows 10 updated and in every 6 months they change the core OS to make it better and more secure. so even if you are a black hat hacker and spend hours and hours trying to make an exploit for Windows 10 using a zero-day bug, you won't be able to use that for long.

Microsoft will patch that bug in a day or two and the constant change in the Core OS renders all the old tools useless, all the time.

 

so all you can worry about is the 3rd party apps and programs you install that increase the attack surface as each of those 3rd party programs can have security holes and bugs that can be exploited, but again for those 3rd party programs you can utilize Windows Firewall rules and Windows Defender.

Also don't forget to turn on DEP (Data Execution Prevention) for ALL programs. (by default it is only turned on for essential Windows programs and services.)

Everything I said above was based on the assumption that you have a Windows 10 Home edition (as you mentioned). for real protecting and hardening you need Windows 10 Enterprise E5, one of its most predominant features is the immunity to zero-day attacks. you can read more about it here:

https://faq.rhipe.com/Search/Article/baf6fcbe-f04c-40e5-b88a-2da862a2620d

 

Have a look at this comparison between different Windows 10 edition security features:

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2O8jv

 

 

@HotCakeX 

 

Thanks so much for such a detailed response.  I knew about the memory integrity and DEP; but the tamper protection was new [to me].  After MUCH more reading, it seems that DEP and Defender are a LOT more robust and bug-free than they used to be.  Seriously, both used to be one of the first things I would  uninstall/disable. 

 

After posting, I learned that I could not even change the ACLs of the system files in Win 10 Home.  I had a workaround for this in Vista; but it didn't work in Win 10.

 

Thanks again for your response.

@Ivan_Ho 

You're very welcome, glad it was helpful ^^

@HotCakeX 

Does exist a script or GPO way to enable DEP (Data Execution Prevention) for ALL programs ?

 

Also is this still relevant as EMET is now included in Windows Defender/ Security center ?

@Deleted 

Hi,

it is now included in Windows Defender and enabled by default

 

Annotation 2019-11-01 121449.png

 

https://community.spiceworks.com/topic/357133-disable-dep-with-group-policy

Thanks!

So your post about enable the (old) setting is now obsolete?:
https://techcommunity.microsoft.com/t5/Windows-10-security/Hardening-Windows-10/m-p/788325/highlight...

I wonder then why it's still there
I don't think there is anything obsolete in Windows 10.
in there you can make it enabled for all programs but in Windows defender it doesn't exactly specify that so I assume it's only set to important processes only.

I wonder if a todo list for which security features should be enabled, exist.

 

Beside the ones listed in this thread.

A lot stuff is written on microsoft docs but not very friendly as overview.

 

Also some or most stuff can be enabled with a script but looks like nobody make that with all the known features.

It's a pain on every new installation

@Ivan_Ho 

 

Sorry I somehow overlooked that you run Windows 10 Home and asked for a home-system. The information below is a little overkill then and can't be done on W10Home anyway.

But for reference, if someone else might need it, I will keep my original post here.

 

---------------------------------------------------------------------------------------

 

If you want to secure a modern Windows network you can and should use this guidance: https://github.com/microsoft/SecCon-Framework/blob/master/windows-security-configuration-framework.m...

 

It covers most security tasks, including hardware, settings and behaviors you should implement for different tiers of security (basic, enhanced and high security).

 

Additionally, for securing access management inside your network, you should read and implement this guidance: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privile...

you can  apply  Credential guard, Device guard, Virtualization Based security, hyperevisor code integrity ,

windows defender application control by creating new CI policy with fallback hash and then migrate to EFI partition 

Enable  Early Launch antimalware drivers set to  Good only 

These are all enabled by default in latest Windows 10.

@dretzer 

Does the Github page you mentioned

https://github.com/microsoft/SecCon-Framework

has something to download or any guide to read? there are only few MD files there that have basic explanations.

The Github Page is the guide to read. Open the .md files to read the guidance. It explains what you should have as a minimum for the respective security level you are looking for (in terms of hardware, policies, controls and behavior).

Start with "windows-security-configuration-framework.md" which contains the basic information how to use this framework and what each security level is supposed to provide. Then work your way up level for level. Each successive security level builds on the previous, so to reach a security level of 3 you have to implement level 1 and 2 guidance first. Sadly, the PAW security configurations are still not done in this framework. But the three security levels for productivity devices are complete and can be used as guidance.

If you need configuration and practices for PAWs, look here: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-acces...

 

There is a new guidance for "Secured-core PCs" available now which you should take as guidance for modern and secure devices: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure

If you are concerned with high security setups, make sure all your devices fulfill the Secured-core guidance and you implemented everything from level 1 to 3 in the security configuration framework. Additonally implement privileged access management strategies for your network and servers.

 

@HotCakeX 

1 best response

Accepted Solutions
best response confirmed by Ivan_Ho (Copper Contributor)
Solution

I think at least some of the actions you previously had to do are now redundant.

Microsoft Windows Defender is a powerful all-in-one security solution that can cover most of those things. it provides enterprise class security tools to the normal users.
It can protect sensitive folders from unwanted programs and you can also add your own folders to the list for even more security, I think this makes more sense instead of shifting permission from one user to another.
Windows defender specially in 1903 (I'm using Pro edition so not sure what options are missing in Home, if Any) is pretty much complete solution.
you can try turning on tamper protection, Core Isolation, Memory Integrity (these options are turned off by default).


the only things you should do is to turn off services, optional features, protocols that you do not intend to use and also make Firewall rules for every new app and software you install. for example a photo editing software you install doesn't need internet connection. for its updates you can manually install newer versions. yes that's some additional work but you asked for it cause hardening is not gonna be easy.
To be honest Windows 10 itself can only be compromised by Zero day vulnerabilities, those that are not found yet, because Microsoft keeps Windows 10 updated and in every 6 months they change the core OS to make it better and more secure. so even if you are a black hat hacker and spend hours and hours trying to make an exploit for Windows 10 using a zero-day bug, you won't be able to use that for long.

Microsoft will patch that bug in a day or two and the constant change in the Core OS renders all the old tools useless, all the time.

 

so all you can worry about is the 3rd party apps and programs you install that increase the attack surface as each of those 3rd party programs can have security holes and bugs that can be exploited, but again for those 3rd party programs you can utilize Windows Firewall rules and Windows Defender.

Also don't forget to turn on DEP (Data Execution Prevention) for ALL programs. (by default it is only turned on for essential Windows programs and services.)

Everything I said above was based on the assumption that you have a Windows 10 Home edition (as you mentioned). for real protecting and hardening you need Windows 10 Enterprise E5, one of its most predominant features is the immunity to zero-day attacks. you can read more about it here:

https://faq.rhipe.com/Search/Article/baf6fcbe-f04c-40e5-b88a-2da862a2620d

 

Have a look at this comparison between different Windows 10 edition security features:

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2O8jv

 

 

View solution in original post