Secure your PC
OBSOLETE
This page is somewhat obsolete: was essential up to the times of
WinXP and Vista, somewhat useful for Win7, and is less relevant for
Win10 or 11. Still, you should be familiar with the issues mentioned
below.
With all the hullabaloo about the virus or worm du jour,
you may want to make your Windows PC more secure. See
disclaimer at end.
You should also check out the
Australian Cyber guides,
the
US Cyber Defense
pages including their
Best Practices for Home
suggestions.
Contents
Commonsense, common settings
- Do not execute malicious code: do not click away, surely not at
attachments in email messages: please follow sensible
strategies for dealing with attachments.
- Turn Java (and JavaScript?) off in your browser: in Mozilla
Firefox go to Tools > Options > Content
(and > Advanced) and un-check them.
Anti-Virus issues
- Disable AutoRun (or AutoPlay) on CD and USB devices. This is not as
simple as it should be, see
CERT
and
TechNet
writeups for details; though maybe not protected, see later
blog,
comments about
folder icons
and
U3;
also
USB issues
and
more.
- Get (and use) some anti-virus software. See the
virus page
(musings, F-Prot and Norton).
Virus checking is a reactive defense: viruses are only recognized after
they have spread and are added to the collection. Be proactive instead,
and make your computer immune to (current and future) viruses and other
attacks. Think of the benefits: no more weekly update of anti-virus
packages (just a weekly check here whether a new vulnerability has been
found...).
Firewall issues
- Should say something about firewalls... but have not got around to it
yet... any day now. - My home PCs are behind a router/firewall, my work
machines behind a firewall/proxy server. Both kinds protect against many
worm-type attacks.
- If you use a router/firewall then keep it secure:
E-commerce and webmail
- Do e-commerce business with, and have webmail hosted by, secure
companies only. Are they able to safeguard the privacy of your credit card
number: can someone hijack your login session through a vulnerability of
their website (see examples of
Cross Site Scripting
vulnerabilities)?
- Ensure you transact business with the right company, not an impostor:
see
newspaper
articles about
Opera House
and
followup.
Do not fall for (fake email) scams like those attacking
eBay,
CommBank
and
followup,
or
ANZ Bank.
- Keep your email address "forever", do not allow your webmail address to
expire (and be deleted so someone else can set it) or your company to go
out of business: taking over your email address may allow
access to private info
you had set elsewhere.
Backups
- Regularly back up important files e.g. to the "cloud" (GoogleDrive,
SkyDrive, Dropbox etc), or a second hard disk, writable CDs, USB memory
sticks or even floppies.
The MS Backup utility in Start Menu > Programs >
Accessories > System Tools is fine (or see
\valueadd\msft\ntbackup on your WinXP CD).
Include System State among the backed-up objects.
- Regular backups may help you to
recover from a security compromise.
Disable unused features
- Do not install (or uninstall or rename)
unused software: Internet Explorer, and Outlook,
Excel and Access (even Word, parts of
MS Office) seem targeted often.
- Disable unused Windows features. More details below...
Solution?
Install
Ubuntu
Linux (as I do at home).
Install Microsoft patches
Since April 2017, Microsoft moved to a
Security Update Guide
delivery of patches: not one bulletin per product, but many individual
updates for each issue and each specific product version. Thus it is not
feasible or useful to maintain a
list of patches
required; I will only keep a list of "known issues", or issues that show
that regular updates are important.
Recent issues (or see
full list):
Reference(s):
https://portal.msrc.microsoft.com/en-us/security-guidance
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
https://technet.microsoft.com/en-us/security/advisories
http://blogs.technet.microsoft.com/msrc/
http://blogs.technet.microsoft.com/srd/
http://blogs.technet.microsoft.com/mmpc/
NOTE that on late-model "7th generation" CPUs, Windows10 only
is supported, no WindowsUpdates for Win7 and Win8.1:
http://support.microsoft.com/help/4012982
(but see also attempts at
re-enabling updates).
BEWARE that some patches may make your machine inoperable (e.g.
Jul2020 Outlook issues
here
and
here,
issues,
more
with the
Oct2018 Win10
updates, or my DellLatitude7390 laptop that in Aug2018 crashes to a blue
screen due to some updates, or
KB4088875/4088878,
KB4074588/KB4058258/KB4056892,
KB4049094 or
KB4015549).
BEWARE that M$ patches do not address all known vulnerabilities.
BEWARE that installing patches or upgrading M$ software may
un-install or un-do seemingly unrelated patches (e.g. re-install outdated
Flash
or
libraries).
BEWARE that installing any patches may overwrite any
customizations (may need to undo them to install the patch):
re-check and re-do all your changes as below.
BEWARE that M$ often changes the underlying patches without
updating the bulletins or KB articles, sometimes changing the file
binaries without updating version numbers.
BEWARE that even big companies make
mistakes
and may release broken or unwanted patches.
NOTE that
Windows7 and Office2010 are now out of support,
see the
Support Lifecycle Index.
USyd users please note the site licences for MS
software.
Do not use Internet Explorer or Edge
IE has a
long history
of vulnerabilities, left un-fixed for years: do not use. Note that IE is
used for many registered
File Types and you may want to
remove them, or use regedit to search
for and clobber most occurrences of iexplore. It may be best to
rename the software so it is not
accessible.
Use
Mozilla
instead.
Note that you still need to keep IE up-to-date with patches, and set
secure IE options (even if you do not use IE), for the many Web-enabled
applications. Windows Explorer in particular will internally handle HTTP
and FTP URLs, disregarding the "URL protocol handler" in the registry, and
is certainly unsafe without careful IE option settings. I wonder if Word
can do JavaScript or VBS in a safe way... So occasionally you will need to
rename the sofware back in place, patch
it, start it up and set secure options, then hide it again.
To set secure options, go to Tools >
Internet Options, then select Security and
Advanced tabs (in Security, set things to Custom to
have fun): see
You may also use third-party "IE hardeners":
IE11 (for Win8.1 then Win7) was released Oct-Nov13 with "better
compatibility", "state of the art performance" and "advanced consumer
security":
Support for versions prior to IE11 has ceased on 12 Jan 2016, see:
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
In Windows10, IE is replaced by
Microsoft Edge
that is
claimed to be
more secure
(e.g. note how ActiveX is termed "older, less secure").
Reference(s) (see
IE history
for more):
Do not use Access or Outlook (or Excel or Word)
There are bugs in MSAccess that allow the execution of any VBA macros; bugs
remain in Outlook that allow execution of arbitrary code. Do not use:
rename Access, Outlook and VBA (also
DAO: used in ihackstuff exploit) so they are not accessible.
(Do other MS Office components too: at least Excel, preferably most others
even Word, at the same time.)
Use OpenOffice instead.
Reference(s):
Set Word options
Apply some protection settings in MSWord against harmful macros. (Would be
tempting to disable Word along with the rest of MS Office, but...)
Reference(s):
If you use Office XP or 2003, then beware of it sending debugging
information, containing your sensitive documents, to Microsoft. Use
regedit
to set:
for Office XP, DWNeverUpload, DWNoExternalURL, DWNoFileCollection and
DWNoSecondLevelCollection to 1 in both
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common] and
[HKEY_USERS\.Default\Software\Policies\Microsoft\Office\10.0\Common];
for Office 2003, QMEnable to 0 in
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common].
Reference(s):
Apply privacy settings, or your document will contain unwanted
information.
Reference(s):
Banish LanMan passwords
If you use any Windows passwords, e.g. to connect to a Samba server, then
ensure that only NTLM or NTLMv2 password hashes are used. The older LM hash
is insecure as it can be cracked easily. (Cracking NTLM hashes is
significantly harder, see
L0phtCrack.)
Both LM and NTLM hashes are replayable: there may be no need to crack them.
Windows may be tricked into revealing your credentials, e.g. by using
<img src=file:\\evil\pub.gif> in an HTML email or
web page. Use NTLMv2 hashes if possible.
Need to set my Samba server not to accept an LM hash ("lanman auth = no"
in smb.conf; check also "min protocol"). This does not buy much per
se: if the attacker has the LM hash, then he could crack the password
and win; or he could replay the NTLM hash as he is likely to also have
that. As the user is likely to have the same password elsewhere, we should
protect against crackable LM hashes even if we are vulnerable to NTLM hash
replays. Configure clients so they never send an LM hash; by hacking Samba
to actively reject users who send an LM hash, clients can be forced to
update their settings. - Samba 3.0.5 supports NTLMv2 but not message
encryption (Samba 2.2.8a does not support either).
To use NTLMv2 authentication on Win9x, you need to install the
Directory Services Client (in Clients\Win9x\Dsclient.exe on
the Windows2000 Server CD). You can then un-install this client: the
NTLMv2 support files will stay behind. - Seems that Win9x can only do LM or
NTLMv2, and cannot do NTLM authentication (which makes sense as the only
allowed values of LMCompatibility are 0 or 3). (Samba 2.2.8a and Win9x
cannot communicate securely.)
Use regedit to:
- Set HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibility=3 and/or
LmCompatibilityLevel=3 so only NTLMv2 passwords are sent. May need to set
this to 2 to use NTLM with Samba 2.2.8a (Samba supports NTLMv2 from
version 3.0.5 only).
- Set HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec=0
and NtlmMinServerSec=0x20080030 for the message encryption levels you accept.
Would like NtlmMinClientSec to also be 0x20080030 but Samba 3.0.5
does not yet support encryption.
- Set HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash so no LanMan
hashes are created or stored locally.
- On Windows 2000 machines, also consider setting
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=2 .
Reference(s):
Disable unused services
This is a bit long... see sub-sections on
services,
network and
registry
settings, see what
ports
are open, and some further
checking.
Services setup
Disable the services you do not need in
My Computer (right-click) >
Manage >
Services and Applications >
Services.
My WinXP home computer happily survives with just
Name Status Startup Type
Application Management Disabled
COM+ Event System Started Manual
DHCP Client Started Automatic
DNS Client Started Automatic
Event Log Started Automatic
Human Interface Device Access Disabled
LexBce Server Started Automatic (my Lexmark printer?)
Messenger Disabled
Network Connections Started Manual
Network Location Awareness (NLA) Started Manual
Plug and Play Started Automatic
Print Spooler Started Automatic
Protected Storage Started Automatic
Remote Access Connection Manager Started Manual
Remote Procedure Call (RPC) Started Automatic
Routing and Remote Access Disabled
Security Accounts Manager Started Automatic
Server Started Automatic
SSDP Discovery Service Disabled
System Event Notification Started Manual
Task Scheduler Disabled
Telephony Started Manual
Terminal Services Started Manual
Windows Audio Started Automatic
Windows Management Instrumentation Started Manual
Workstation Started Automatic
(rest are manual startup and not running).
My WinXP work PC (hanging off a Samba PDC) has (excessive, unsafe?)
Name Status Startup Type
Alerter Started Automatic
Application Layer Gateway Service Started Manual
Automatic Updates Disabled
Background Intelligent Transfer Serv Disabled
ClipBook Disabled
COM+ Event System Started Manual
Computer Browser Started Automatic
DCOM Server Process Launcher Started Automatic
DHCP Client Started Automatic
DNS Client Disabled
Error Reporting Service Disabled
Event Log Started Automatic
Help and Support Disabled
HID Input Service Started Automatic
Messenger Started Automatic
MS Software Shadow Copy Provider Disabled
Net Logon Started Automatic
NetMeeting Remote Desktop Sharing Disabled
Network Connections Started Manual
Network DDE Disabled
Network DDE DSDM Disabled
Network Location Awareness (NLA) Started Manual
Performance Logs and Alerts Disabled
Plug and Play Started Automatic
Print Spooler Started Automatic
Protected Storage Started Automatic
Remote Access Auto Connection Manager Disabled
Remote Access Connection Manager Disabled
Remote Procedure Call (RPC) Started Automatic
Routing and Remote Access Disabled
Secondary Logon Started Automatic
Security Accounts Manager Started Automatic
Security Center Automatic
Server Started Automatic
Shell Hardware Detection Started Automatic
Smart Card Disabled
SoundMAX Agent Service Started Automatic
SSDP Discovery Service Disabled
System Event Notification Started Automatic
System Restore Service Disabled
Telnet Disabled
Terminal Services Started Manual
Themes Started Automatic
User Profile Hive Cleanup Started Automatic
Volume Shadow Copy Disabled
WebClient Started Automatic
Windows Audio Started Automatic
Windows Firewall/ICS Started Automatic
Windows Management Instrumentation Started Manual
Windows Time Started Automatic
WinMonitor Started Automatic (home-grown management)
Wireless Zero Configuration Disabled
Workstation Started Automatic
(rest are manual startup and not running).
Network setup
Find your network connections (devices, interfaces) in
Start Menu >
[ Settings or Control Panel ? ] >
Network and Dial-up Connections
and
their properties in
Local Area Connection >
Properties or
Dial-up >
Properties >
Networking.
Completely disable unused network interfaces, particularly wireless
interfaces on itinerant laptops.
Decide if any are "trusted" networks: your dial-up internet connection
is certainly un-trusted. My home PCs trust the LAN interface: my other PC
(only) is on that network, and I want them to share everything.
Ensure all un-trusted connections have
File and printer sharing for Microsoft Networks
disabled. You should only have
Client for Microsoft Networks and
Internet Protocol (TCP/IP)
listed among the protocols/services used. My home PCs show:
Dial-up, Properties, Networking, "... uses the following items":
[x] Internet Protocol (TCP/IP)
[ ] File and Printer Sharing for Microsoft Networks
[x] Client for Microsoft Networks
Local Area Connection, Properties, "... uses the following items":
[x] Client for Microsoft Networks
[x] File and Printer Sharing for Microsoft Networks
[x] Internet Protocol (TCP/IP)
while my work PC has
Local Area Connection, Properties, "... uses the following items":
[x] Client for Microsoft Networks
[x] Internet Protocol (TCP/IP)
You should enable File and printer sharing on trusted networks only,
and only if you really intend to let anyone see (and delete or change) your
files. (It may be possible to have sharing with controls on who can do
what, but is beyond my abilities.) You may un-install File and printer
sharing if no network interfaces need it. Do not delete Client for
Microsoft Networks as some dial-up features rely on it.
Ensure all un-trusted connections have
Disable NetBIOS over TCP/IP
selected in
Internet Protocol (TCP/IP) >
Properties >
Advanced >
WINS.
My home PCs have more-or-less:
Dial-up, Properties, Networking, Internet Protocol (TCP/IP), Properties,
(Automatic IP and DNS), Advanced, WINS: "Disable NetBIOS over TCP/IP".
Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties,
Advanced:
IP 192.168.111.112, netmask 255.255.255.0
Gateway (none)
DNS server 192.168.111.111
WINS server 192.168.111.111
Enable NetBIOS over TCP/IP
while my work PC has
Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties,
(Automatic IP and DNS), Advanced, WINS: "Use NetBIOS setting from DHCP server".
Registry setup
Use regedit to set:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=3
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=0 (could be 1?)
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxWorkItems=256
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled=0
HKLM\SYSTEM\CurrentControlSet\Services\Rpc\Linkage\Bind=(empty, REG_MULTI_SZ or REG_SZ)
HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\ListenOnInternet=N
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM=N
HKLM\SOFTWARE\Microsoft\Rpc\DCOM Protocols=(not including ncacn_ip_tcp)
Reference(s):
Am I now safe even without
MS03-026,
MS03-039,
MS03-049,
MS04-011
or
MS04-012
patches in place? My home PC has survived Blaster, Welchia and Sasser;
my office machine is behind a firewall, so has not been tested.
Ports open
My home PCs have only a few ports open:
C:\> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 4
TCP 192.168.111.112:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:1029 *:* 796
UDP 192.168.111.112:137 *:* 4
UDP 192.168.111.112:138 *:* 4
(On Win2k use just netstat -an , or
TCPView
from
http://www.sysinternals.com/
to show process IDs.)
TaskManager shows (among others):
Image Name PID User Name
SVCHOST.EXE 796 NETWORK SERVICE
System 4 SYSTEM
The line
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 4
is due to the Remote Access Connection Manager service; you
need it for dial-up connections (set it to disabled and reboot to see
the port go away, along with your dial-up settings).
This port seems harmless, not actually open as
telnet localhost 1026
fails, same as any other non-open port.
Surely it is a bug in System:4 that it opens
but forgets to close the port.
The line
UDP 0.0.0.0:1029 *:* 796
seems to appear some minutes after boot only.
The connections shown by netstat do not change when I dial-up connect.
My work PC has open:
C:\>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 129.78.94.2:139 0.0.0.0:0 LISTENING
UDP 129.78.94.2:137 *:*
UDP 129.78.94.2:138 *:*
Maybe all those are needed...
Further checks
Check the registry for processes started at boot or login time, ensure
all are legitimately needed.
Reference(s):
I wonder if it would be possible or useful to set
DisableIPSourceRouting=2
EnableDeadGWDetect=0
EnableICMPRedirect=0
EnablePMTUDiscovery=0
NoNameReleaseOnDemand=1
PerformRouterDiscovery=0
SynAttackProtect=2
in both
HKLM\System\CurrentControlSet\Services\AFD\Parameters
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Reference(s):
Do not rely on WinXP/Vista/7/8/10 security
Do not assume that WinXP, Vista, Win7, 8 or 10 are secure, but expect
local users to easily get "administrator" privileges: Windows has
bad design, foolish defaults, and some bugs for attackers to exploit.
Still, you should not normally log in as Administrator, but as some
low-level user; and should protect the machine from low-level users, e.g.
with sensible file and registry permissions. Then malware will not be able
to install themselves as system services (foiling a number of viruses):
see e.g.
(Power users getting admin is a "known bug"
http://support.microsoft.com/kb/825069
.)
Reference(s):
- Patch Tuesday Revisited - CVE-2020-1048 isn't as "Medium" as MS Would Have You Believe
https://isc.sans.edu/forums/diary/Patch+Tuesday+Revisited+CVE20201048+isnt+as+Medium+as+MS+Would+Have+You+Believe/26124/
PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more)
https://windows-internals.com/printdemon-cve-2020-1048/
- Defeat Windows Defender (Re: Defense in depth -- the Microsoft way (part 64): Windows Defender loads and exeutes arbitrary DLLs)
https://seclists.org/fulldisclosure/2020/Mar/53
https://skanthak.homepage.t-online.de/offender.html
- Windows has a new wormable vulnerability, and there's no patch in sight
https://arstechnica.com/information-technology/2020/03/windows-has-a-new-wormable-vulnerability-and-theres-no-patch-in-sight/
Microsoft Guidance for Disabling SMBv3 Compression
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
Microsoft delivers emergency patch to fix wormable Windows 10 flaw
https://arstechnica.com/information-technology/2020/03/microsoft-delivers-emergency-patch-to-fix-wormable-windows-10-flaw/
CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
- CVE-2019-19363 - Local Privilege Escalation in many Ricoh Printer Drivers for Windows
http://seclists.org/fulldisclosure/2020/Jan/34
Truly universal, or specific to Ricoh?
- Microsoft Patches Windows UAC Flaw
https://www.sans.org/newsletters/newsbites/xxi/92
Thanksgiving Treat: Easy-as-Pie Windows 7 Secure Desktop Escalation of Privilege
https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
CVE-2019-1388 | Windows Certificate Dialog Elevation of Privilege Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
- Microsoft Windows .Reg File / Dialog Box Message Spoofing Vulnerability
http://seclists.org/fulldisclosure/2019/Mar/27
- Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface
http://www.kb.cert.org/vuls/id/906424
- Microsoft Master File Table bug exploited to BSOD Windows 7, 8.1
http://www.theregister.co.uk/2017/05/29/microsoft_master_file_table_bug_exploited_to_bsod_windows_7_81/
- Stealing Windows Credentials Using Google Chrome
http://seclists.org/fulldisclosure/2017/May/61
http://www.defensecode.com/news_article.php?id=21
- Defense in depth -- the Microsoft way (part 46): no checks for common path handling errors in "Application Verifier"
http://seclists.org/fulldisclosure/2017/Mar/68
Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups"
http://seclists.org/fulldisclosure/2017/Mar/69
- CPU Flaw Can Be Exploited to Bypass ASLR
http://www.sans.org/newsletters/newsbites/xix/14#308
- Improved scripts in .lnk files now deliver Kovter in addition to Locky
http://blogs.technet.microsoft.com/mmpc/2017/02/02/improved-scripts-in-lnk-files-now-deliver-kovter-in-addition-to-locky/
- Microsoft Windows SMB Tree Connect Response denial of service vulnerability
http://www.kb.cert.org/vuls/id/867968
Windows SMBv3 Denial of Service Proof of Concept (0 Day Exploit)
http://isc.sans.edu/forums/diary/22029
- Malicious Office files using fileless UAC bypass to drop KEYBASE malware
http://isc.sans.edu/forums/diary/22011
- Making Windows 10 a bit less "Creepy" - Common Privacy Settings
http://isc.sans.edu/forums/diary/21947
- UAC Bypass in JScript Dropper
http://isc.sans.edu/forums/diary/21813
- Windows 10 Cannot Protect Insecure Applications Like EMET Can
http://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html
- MSRT November 2016: Unwanted software has nowhere to hide in this month's release
http://blogs.technet.microsoft.com/mmpc/2016/11/08/msrt-november-2016-unwanted-software-has-nowhere-to-hide-in-this-months-release/
No matter how it attempts to hide, though, most Soctuseer installations and system modifications will be uncovered and removed...
Most but not all?
- Bypass-UAC, a framework to perform UAC bypasses based on auto elevating IFileOperation COM object method calls
https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC
- Force allow access button to Bypass windows firewall
http://seclists.org/fulldisclosure/2016/Jun/8
- Defense in depth -- the Microsoft way (part 37): MMC.exe and DrvInst.exe load and execute ".dll" with elevated resp. SYSTEM privileges
http://seclists.org/fulldisclosure/2015/Dec/30
- yet another (trivial) UAC bypass resp. privilege escalation
http://www.securityfocus.com/archive/1/536396
- Re-Direct to SMB Vulnerability Affects All Versions of Windows
http://www.sans.org/newsletters/newsbites/xvii/29#300
- Windows Local WebDAV NTLM Reflection Elevation of Privilege
http://seclists.org/fulldisclosure/2015/Mar/149
https://code.google.com/p/google-security-research/issues/detail?id=222
- Windows Elevation of Privilege in User Profile Service
https://code.google.com/p/google-security-research/issues/detail?id=123
- Windows 8 Privilege Escalation
http://seclists.org/fulldisclosure/2015/Jan/1
- Microsoft DHCP INFORM Configuration Overwrite
http://seclists.org/fulldisclosure/2014/May/161
- Defense in depth -- the Microsoft way (part 11): privilege escalation for dummies
http://lists.grok.org.uk/pipermail/full-disclosure/2013-October/091643.html
- Windows 7/8 admin account installation password stored in the clear in LSA Secrets
http://www.securityfocus.com/archive/1/527210
- Abusing Windows 7 Recovery Process
http://lists.grok.org.uk/pipermail/full-disclosure/2013-June/090850.html
Owning Windows 7 - From Recovery to "nt authority\system" - Physical Access Required
http://intelcomms.blogspot.com.au/2013/05/owning-windows-7-from-recovery-to-nt.html
- exploitation ideas under memory pressure
... working exploit that grants SYSTEM ...
http://lists.grok.org.uk/pipermail/full-disclosure/2013-May/090476.html
http://lists.grok.org.uk/pipermail/full-disclosure/2013-May/090496.html
http://lists.grok.org.uk/pipermail/full-disclosure/2013-June/090617.html
Introduction to Windows Kernel Security Research
http://blog.cmpxchg8b.com/2013/05/introduction-to-windows-kernel-security.html
- Privilege Escalation Vulnerability in Microsoft Windows (HTB23108)
http://www.securityfocus.com/archive/1/524354
- Defeating PatchGuard - Bypassing Kernel Security Patch Protection in Microsoft Windows
http://www.mcafee.com/us/resources/reports/rp-defeating-patchguard.pdf
- [Positive Research] Intel SMEP overview and partial bypass on Windows 8 (whitepaper)
http://www.securityfocus.com/archive/1/524176
[Positive Research] Intel SMEP Part II: Bypassing Intel SMEP on Windows 8 x64 Using Return-oriented Programming
http://www.securityfocus.com/archive/1/524225
- How well does Microsoft support (and follow) their mantra "keep your PC updated"?
http://lists.grok.org.uk/pipermail/full-disclosure/2012-August/088015.html
Defense in depth -- the Microsoft way (part 5): sticky, persistent vulnerabilities
http://lists.grok.org.uk/pipermail/full-disclosure/2013-July/091132.html
- New Vulnerability in Windows 7 64 bit
http://isc.sans.edu/forums/diary/12238
Secunia Advisory SA47237 - Microsoft Windows win32k.sys Memory Corruption Vulnerability
http://secunia.com/advisories/47237
Microsoft Windows 'win32k.sys' Remote Memory Corruption Vulnerability
http://www.securityfocus.com/bid/51122
- Microsoft Windows Kernel 'Win32k.sys' Keyboard Layout Local Privilege Escalation Vulnerability
http://www.securityfocus.com/bid/50763
- Microsoft Windows Kernel Word File Handling Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/50462
- Bypassing Windows 7 kernel ASLR
http://lists.grok.org.uk/pipermail/full-disclosure/2011-October/083436.html
- Stack overflow in Microsoft HTML Help 6.1 (CHM files)
http://www.securityfocus.com/archive/1/517441
- MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow
http://lists.grok.org.uk/pipermail/full-disclosure/2011-February/079189.html
- Windows Kernel-mode GS Cookies subverted (paper)
http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078453.html
- On the effectiveness of DEP and ASLR
http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx
- Privilege escalation 0-day in almost all Windows versions
http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077572.html
http://isc.sans.edu/forums/diary/9988
Microsoft Windows RtlQueryRegistryValues() does not adequately validate registry data
http://www.kb.cert.org/vuls/id/529673
- MSRC-001: Windows Vista/Server 2008 NtUserCheckAccessForIntegrityLevel Use-after-free Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2010-July/075423.html
- Microsoft Help Files (.CHM): 'Locked File' Feature Bypass
http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075294.html
- Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html
- 0day vulnerability Sogou input method to obtain system privileges
http://www.securityfocus.com/archive/1/508990
- Windows Update (re-)installs outdated Flash ActiveX on Windows XP
http://www.securityfocus.com/archive/1/502819
- Windows 7 - not so secure ?
http://isc.sans.edu/forums/diary/5767
Sacrificing security for usability: UAC security flaw in Windows 7 beta (with proof of concept code)
http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/
Microsoft to Address UAC Security Concerns in Next Release of Windows 7 Beta
http://www.sans.org/newsletters/newsbites/xi/11#310
- Microsoft Windows CHM File Processing Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/33204
- Microsoft VISTA TCP/IP stack buffer overflow
http://www.securityfocus.com/archive/1/498471
- Token Kidnapping Windows 2003 PoC exploit
http://www.securityfocus.com/archive/1/497168
- [Wired Security/EOF] Disable Windows Defender (Vista) PoC code
http://lists.grok.org.uk/pipermail/full-disclosure/2008-May/062313.html
- iDefense Security Advisory 05.12.08: Microsoft Windows I2O Filter Utility Driver (i2omgmt.sys) Local Privilege Escalation Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2008-May/062275.html
- Microsoft Windows XP SP2/2003 - Macrovision SecDrv.sys privilege escalation (0day)
http://www.securityfocus.com/archive/1/482482
- Need to upgrade DirectX:
iDefense Security Advisory 07.18.07: Microsoft DirectX RLE Compressed Targa Image File Heap Overflow
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064727.html
- Windows Vista: Non-privileged code can redirect shortcuts to intercept privilege elevation requests
http://www.securityfocus.com/archive/1/468533
- Heap Overflow Flaw Reported in Windows Help
http://www.sans.org/newsletters/newsbites/ix/30#304
Microsoft Windows Help File Unspecified Heap Overflow Vulnerability
http://www.securityfocus.com/bid/23382
- US Government Secure Configuration Mandate Helps Everyone
http://www.sans.org/newsletters/newsbites/ix/30#200
An Explanation of OMB's Security Mandate
http://blogs.govexec.com/techinsider/archives/2007/04/post_6.html
The Chink in OMB's Windows Mandate
http://blogs.govexec.com/techinsider/archives/2007/03/is_that_windows_system_safe.html
- [VulnWatch] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability
http://www.securityfocus.com/archive/1/464148
- Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053143.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053145.html
- Exploiting Microsoft dynamic Dns updates
http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053134.html
- [Reversemode Advisory] Microsoft Windows Ndistapi.sys IRQL escalation
http://www.securityfocus.com/archive/1/463208
- WGA Always Sends Info to Microsoft
http://www.sans.org/newsletters/newsbites/ix/21#305
- Microsoft Windows Explorer fails to properly handle malformed OLE documents
http://www.kb.cert.org/vuls/id/194944
Microsoft Windows OLE32.DLL Word Document Handling Denial Of Service Vulnerability
http://www.securityfocus.com/bid/22847
- Windows Shell User Logon ActiveX Control Unauthorized User Creation
http://www.securityfocus.com/bid/22710
- Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052613.html
-
Issue regarding Windows Vista Speech Recognition
http://blogs.technet.com/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx
- Defeating Microsoft Office Genuine Advantage (OGA) Check
http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052085.html
- Microsoft Help Workshop .CNT contents files buffer overflow vulnerability
http://www.securityfocus.com/archive/1/457210
Help project files (.HPJ) buffer overflow vulnerability in Microsoft Help Workshop
http://www.securityfocus.com/archive/1/457436
- Windows logoff bug possible security vulnerability and exploit.
http://www.securityfocus.com/archive/1/457167
http://www.securityfocus.com/archive/1/457807
- AusCERT Alert AL-2006.0102 -- Microsoft Windows Kernel GDI Local Privilege Escalation
http://www.auscert.org.au/6942
- Exploit Code Can Disable the Windows Firewall
http://www.sans.org/newsletters/newsbites/viii/87#204
- An analysis of Microsoft Windows Vista's ASLR
http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049722.html
- Microsoft Vista's IPv6: Dangerous Information Leak?
http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/049066.html
SLAAC Attack - 0day Windows Network Interception Configuration Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080096.html
- Microsoft Updates WGA Notifications
http://www.sans.org/newsletters/newsbites/viii/52#311
Defeating Microsoft WGA Validation Check
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/034242.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/034255.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-July/035613.html
- How to break Windows Notepad
http://blogs.msdn.com/michkap/archive/2006/06/14/631016.aspx
Non-security, useless, but cute...
- Windows Software Restriction Policy Protection Bypass
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046719.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046735.html
Circumventing Group Policy as a Limited User
http://www.sysinternals.com/blog/2005/12/circumventing-group-policy-as-limited.html
- [48Bits.com Advisory] Path conversion design flaw in Microsoft NTDLL
http://www.securityfocus.com/archive/1/433583
- [Reversemode] Microsoft Infotech Storage library Heap Corruption
http://www.securityfocus.com/archive/1/433435
- Windows XP Home LSA secrets stores XP login passphrase in plain text
http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/045800.html
- Microsoft DNS resolver: deliberately sabotaged hosts-file lookup
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045079.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045084.html
http://www.securityfocus.com/archive/1/431032
- Windows Help Heap Overflow
http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044748.html
http://www.securityfocus.com/archive/1/430871
Microsoft Help (WINHLP32.EXE) - Multiple Remote Code Execution and Denial Of Service Vulnerabilities
http://www.securityfocus.com/archive/1/443034
http://www.securityfocus.com/archive/1/443039
- Microsoft Investigates HTML Help Flaw Warning
http://www.eweek.com/article2/0,1895,1920601,00.asp
Security Advisory B008 - Microsoft HTML Help Workshop .hhp File Processing Buffer Overflow Lets Remote User Execute Arbitrary Code
http://users.pandora.be/bratax/advisories/b008.html
- Windows Access Control Demystified.
http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041877.html
(Partially?) fixed in
MS06-011.
- [ImpersonateNamedPipeClient] Question for the Windows pros
http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041569.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041587.html
The Weakness of Windows Impersonation Model
http://www.securityfocus.com/archive/1/434151
- Bypass user GPO in Windows Xp / 2003
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040444.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040448.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040461.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040479.html
- -Exploiting Freelist[0] On Windows XP Service Pack 2-
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/039683.html
- Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036448.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036461.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036468.html
- hidden users on windows?
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/035731.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/035748.html
- Microsoft ActiveSync information leak and spoofing
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/035703.html
Microsoft ActiveSync Remote Password Compromise
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/035706.html
- Microsoft Windows NTFS Information Disclosure
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034787.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034812.html
- Useless tidbit [MS AntiSpyware, program.exe trick]
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033909.html
iDEFENSE Security Advisory 11.15.05: Multiple Vendor Insecure Call to CreateProcess() Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
Window's O/S [IE notepad.exe in Desktop]
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039095.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039109.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039116.html
Insecure call to CreateProcess()/CreateProcessAsUser() [IE telnet]
http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046212.html
- HKLM locking
http://www.securityfocus.com/archive/1/388517
- [ Positive Technologies ] Defeating Microsoft Windows XP SP2 Heap protection
http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/031292.html
- Microsoft Windows winhlp32.exe Heap Overflow Vulnerability
http://www.securityfocus.com/archive/1/385332
Microsoft Windows LoadImage API Integer Buffer overflow
http://www.securityfocus.com/archive/1/385342
- Desktop.ini flaw results in executing folders
http://www.securityfocus.com/archive/1/363590
- Microsoft's Explorer and Internet Explorer long share name buffer overflow.
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020526.html
The referenced
http://support.microsoft.com/kb/322857
says this is fixed in W2kSP4 and WXPSP1; but is in fact
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020545.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020631.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020644.html
not fixed in either.
Beware: this bug is remotely (web, email) exploitable to run
arbitrary code (no public references yet).
- Windows XP explorer.exe heap overflow [EMF, WMF image loading]
http://www.securityfocus.com/archive/1/354783
http://www.securityfocus.com/archive/1/354844
http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017756.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017761.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017772.html
http://www.securityfocus.com/archive/1/355082
http://www.securityfocus.com/archive/1/355388
- HTML Help API - Privilege Escalation
http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/012638.html
http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/012667.html
http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/012713.html
- Process Killing - Playing with PostThreadMessage
http://www.securityfocus.com/archive/1/339947
http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/011296.html
- Detailed analysis: Buffer overflow in Explorer.exe on Windows XP SP1
http://www.securityfocus.com/archive/1/321301
http://www.securityfocus.com/archive/1/321557
http://www.securityfocus.com/archive/1/321602
This seems not to affect W2k, but WXP only.
- Win32: Postmessage API security flaw
http://www.securityfocus.com/archive/1/315061
- SECURITY.NNOV: Windows NT 4.0/2000 cmd.exe long path buffer overflow/DoS
http://www.securityfocus.com/archive/1/311359
- Opentype font file causes Windows to restart.
http://www.securityfocus.com/archive/1/305382
http://www.securityfocus.com/archive/1/305407
http://www.securityfocus.com/archive/1/305679
http://www.securityfocus.com/archive/1/305904
http://www.securityfocus.com/archive/1/307051
This is "just" a DoS (against most Windows versions, not only W2k),
until someone makes this into an execute-my-code exploit.
- Windows File Protection Old Security Catalog Vulnerability
http://www.securityfocus.com/archive/1/304481
Windows File Protection Arbitrary Certificate Chain Vulnerability
http://www.securityfocus.com/archive/1/304480
- Execution Rights Not Checked Correctly For 16-bit Applications
http://www.securityfocus.com/archive/1/292260
- White paper: Exploiting the Win32 API.
http://www.securityfocus.com/archive/1/286185
http://www.securityfocus.com/archive/1/286272
http://www.securityfocus.com/archive/1/286308
http://www.securityfocus.com/archive/1/286679
http://www.securityfocus.com/archive/1/286861
http://www.securityfocus.com/archive/1/286868
Other example (exploit) code:
http://www.packetstormsecurity.nl/filedesc/GetAd.c.html
See also:
- SECURITY.NNOV: Windows 2000 system partition weak default permissions
http://www.securityfocus.com/archive/1/286260
Default NTFS Permissions in Windows 2000
http://support.microsoft.com/kb/244600
Windows 2000 Default Permissions Could Allow Trojan Horse Program (Q327522)
http://technet.microsoft.com/security/bulletin/ms02-064
- DebPloit (exploit)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q1/0172.html
http://www.securityfocus.com/archive/1/264441
http://www.securityfocus.com/archive/1/264927
- Elevation of privileges with debug registers on Win2K
http://www.guninski.com/dr07.html
- Double clicking on innocent looking files may be dangerous
http://www.guninski.com/clsidext.html
- Double clicking on MS Office documents from Windows Explorer may execute
arbitrary programs in some cases
http://www.guninski.com/officedll.html
http://www.securityfocus.com/archive/1/276755
- ... Also local Administrator compromise at least on default Windows 2000
http://www.guninski.com/ieshelldefview.html
I fail to see how Windows 2000 got "Common Criteria" certification. Maybe
because they assume a "friendly" network and "cooperating" users ... but
isn't any computer secure under those circumstances?
Reference(s):
Use Firefox, Thunderbird
Use
Firefox (browser) and
Thunderbird (mail client),
and keep them updated to latest version.
Mozilla
is actively maintained, free of old known bugs.
As mentioned above: turn
Java
off in Tools > Options > Content.
Reference(s):
Netscape Navigator
has reached
End of Support
and they recommend to use Firefox.
Or you may want to use
Chrome
or
Opera
or
Safari
(all have security problems, I just do not keep track of those).
Use Acrobat DC
There are vulnerabilities in older
Acrobat reader
versions, use Acrobat Reader DC, updated: see
http://get.adobe.com/reader/otherversions
(and
FTP site).
BEWARE: PDF files may carry active content, so are also dangerous. In
Edit > Preferences set:
- JavaScript: do not Enable Acrobat JavaScript
- Multimedia Trust: do not Allow multimedia operations
- Security (Enhanced)
- Enable Protected Mode at startup
- Protected View: All files
- Enable Enhanced Security
- no Privileged Locations, do not automatically trust documents or sites
- Trust Manager
- do not Allow opening of non-PDF file attachments with external applications
- Internet Access from PDF Files outside the web browser: (Change Settings) Block all web sites
See also the
NSA "Recommendations for Configuring Adobe Acrobat Reader DC in a Windows Environment".
Reference(s):
Third party software
Need to keep various other third party software updated.
See sub-sections on
Java,
messengers
AIM,
MSN,
YIM,
ICQ,
mIRC,
Skype
and media players
RealPlayer,
Winamp,
Windows Media Player,
QuickTime,
Flash.
The list here is not exhaustive but only the common software I knew
about; and is not in order of importance. Some third party software
(IE,
Firefox,
MSWord,
Acrobat,
Eudora)
singled out elsewhere.
Java
or
latest
needs to be kept up-to-date (and/or removed and/or disabled in the
browser).
Reference(s):
There are vulnerabilities in AIM (AOL Instant Messenger).
Reference(s):
Do not use MSN Messenger as it has privacy problems (combine that with
cross-site-scripting problems on MS sites...); servers are misconfigured;
and it can be hijacked.
Reference(s):
Need to update YIM.
Reference(s):
Need to update ICQ.
Reference(s):
Need to update mIRC.
Reference(s):
Vulnerabilities have been found in
Skype,
and you should update the software.
Reference(s):
Vulnerabilities have been found in
RealPlayer,
and you should update the software.
Reference(s):
Vulnerabilities have been found in
Winamp,
and you should update the software.
Reference(s):
Windows Media Player seems to have security problems: it will run a WMA or
WMF file as such, even when renamed; and even though it is not the default
MP3 player. Use e.g. RealPlayer or Winamp instead, and un-install WMP. Note
also that both WMP and RealPlayer may be "tricked" via files named WAV or
MP3 that in fact contain something else.
Reference(s):
Should un-install Apple
QuickTime
Player:
no longer supported or needed
on Windows.
Reference(s):
Upgrade
Flash
and
Shockwave
players; or remove them altogether...
Reference(s):
Beware of long filenames
Long filename extensions: no patch or workaround yet (thankfully no remote
exploit either). Explorer crashes, probably exploitable as a buffer
overflow encoded into the extension.
Reference(s):
Long NTFS filenames: some software packages (Windows Explorer and CMD.EXE
included) may not be able to access long NTFS pathnames.
Reference(s):
Disable WSH, VBS, CHM, Scrap
WSH is Windows Script Host. To disable,
rename the relevant files; or for
Windows 98, un-install it: select Start Menu >
Settings > Control Panel >
Add/Remove Programs > Windows Setup tab >
Accessories and make sure Windows Scripting Host is
deselected (no checkmark).
Reference(s):
Delete VBS VBScript (Visual Basic) Script File from the
registered File Types list or
use regedit to clobber the command to
open them, or rename the software so it
is not accessible. (VBS files may not be listed after you disabled
WSH.) Delete VBE VBScript Encoded Script File also. Other
file types (such as REG files) may also be dangerous, and can be
removed/clobbered for a more secure system.
Reference(s):
Delete CHM Compiled HTML file from the registered
File Types list or clobber the
command with regedit, or
rename the software so it is not
accessible. Note that there are CHM files in C:\windows\help\
and then you may not be able to use them.
Reference(s):
To disable scrap files, alter or remove
File Types SHS and
SHB or clobber the command shscrap.dll with regedit, or rename the software so it is not
accessible.
Reference(s):
Un-hide file types
Make Windows show all file types (extensions): EXE files, scrap files,
VBS scripts, PIF and LNK file attachments ... (sent by email?).
- Set Windows option: in Windows Explorer (e.g. double-click
My Computer), select Tools >
Folder Options > View tab, and disable the
Hide file extensions for known file types option (ensure it is
un-checked); Apply, then set all Like Current Folder.
- Use regedit to search for the
value "NeverShowExt", and consider renaming them to "AlwaysShowExt". (You
may be reluctant to also do lnkfile or piffile, as then your Desktop and
StartMenu will look ugly. But they are also dangerous: a file called
neatinfo.txt.lnk or .pif could point to "C:\dos\format.exe C:", and in
fact some viruses propagate by email as "hidden" .pif and .lnk files.)
Miscellaneous settings
You may want to be careful with what "legit" software you install. In
particular, you may want to turn off autoplay on your CD drive (as
mentioned above).
Reference(s):
Under Win2k/NT, a user can lock files so that no other user can access
them. (This may include logon scripts and files to set security policies...)
This is a Windows design "feature", with no fix planned. (Or, are "group
policies" but not logon scripts et al, fixed in
MS02-016??)
Reference(s):
Though not security issues, Microsoft should not be rude to its
competitors, should not engage in software piracy nor infringe patents.
Reference(s):
Physical security
I seem to have neglected physical security. Generally, once an attacker
has access to the keyboard/screen of your computer, he can do any "bad
things" he likes. Seems that Windows was designed as a single-user
machine, the paradigm of "the user is king", with any "security" an
after-thought slap-on.
- With Win98, used to be able to simply press "cancel" at the login
prompt; Win11 allows "trick" to recover lost password.
- Boot into "safe mode" and bypass some restrictions. Set Windows to
ignore the "boot-interrupt" (F5 or F8?) keys.
- Boot from CD or USB and do anything to the hard disk. Most BIOS (the
boot program on the motherboard, usually accessed by hitting the
DELete key soon after power-on) have password features to prevent
this.
- Remove your hard disk and use another computer to retrieve or alter
data, then put it back in place. Disk encryption may help to protect.
- Install a keystroke logger (inline into the keyboard cable) to retrieve
any passwords.
- Use Firewire (or Thunderbolt/LightPeek) to access system memory
(including run any code).
- Eavesdrop to radiation emitted by your computer or keyboard. Beware
particularly of wireless/bluetooth keyboards and mice, some may be read
or impersonated.
You may need to have your computer room locked with a key.
Reference(s):
Recover from compromise
If your PC has been compromised (e.g. infected with some virus), and you
would like to return it to a safe state, then you really should re-install
it from scratch: re-format the hard disk and re-install Windows and
all software, from safe media (e.g. original CDs).
If it had been infected with a "known virus" then maybe your anti-virus
product can clean it up. However, can you be sure that was the only
compromise: that there were no other as-yet-undetected viruses, or maybe
some specific (personally directed) malware lurking?
You need to secure your newly installed PC before first connecting it to the
internet (e.g. to read these instructions on how to keep it secure, or to
use WindowsUpdate): at the height of the Blaster and Sasser worms,
unprotected PCs were infected within a minute of connection. Print out these
instructions, then re-format and re-install everything, and configure things
to keep safe.
Disclaimer
Only Windows PCs are considered here. I do not keep track of Mac or MacOSX
or of UNIX or Linux issues. - I only care about two or three kinds of
Windows PC:
- My home PCs. First had one with Windows98, upgraded to Windows2000
then WindowsXP; now have Windows7 also; they (and my Ubuntu machine)
are networked to cable broadband via a router/firewall.
- PCs in computer labs and offices at work: with Windows XP, to log into
and be controlled by a Samba server. (We have many Debian Linux servers
and office machines also.)
Only issues of relevance to my setups are listed, some generalities
first, then in apparently random order. Advice here may not be
applicable to some Windows versions or other configurations. In
particular I blissfully ignore IIS and SQL.
There are many security issues not covered here, either because I never
knew about them, or because I did not think they were relevant to my
setups. Do not rely solely on my advice. Conversely, following any advice
here may render your computer inoperable. Use at your own risk. - Please
let me know if I missed something obvious, or if any of the advice above
gave you trouble.
Paul Szabo
[email protected]
28 Oct 24