Windows 10 Home Edition It Begins with Securing the Endpoint Al Green CISSP, Security + CE, MCSA, MCP


Post on 11-Feb-2018


Windows 10 Home Edition
It Begins with Securing the Endpoint

Al Green
CISSP, Security + CE, MCSA, MCP


Agenda

• An introduction, overview, use of a software tool with checklists, ‘pre’ and ‘post’ results, and useful CMD commands while undertaking Department of Defense (DoD) Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) fix actions for a personal computer with Windows 10 Home Edition installed and more.

• Presentation will conclude with a Summary and Questions & Answers

--NOTICE-- The presented material is for informational purposes only. DoD DISA STIGs are freely available and accessible by the general public. Information presented implies no warranties and as such, its use is at one’s own risk.

© 2016 Alfred Green

Why?

• The baseline Out of the Box (OOTB) security posture of Windows 10 Home is significantly lower than DoD baseline security posture

• Third-party applications that provide firewall, malware, and virus protection help, but don’t begin to address underlying Windows 10 Home Edition lower security posture

• Windows 10 OOTB security posture favors ‘Ease-of-use’ and ‘User Experience’ over ‘Security’ and ‘Best Practice’


What this is Not

• It is not a ‘silver bullet’ solution, nor anything of the like
• It is not a guarantee that your computer system can’t be compromised
• Actions and steps taken will not stop a nation state, skilled black hatters, and the like. Basically anyone with resources and determination can get and take what you have and own it with or without your awareness.
• The following tactics are what will make up your defensive strategy:
  • Closing avenues (cutting off vectors) of attack
  • Using ‘least privilege’ principle in your day-to-day computer use
  • ‘Security by obscurity’


Flaws (Vulnerabilities)

• There’s no ‘perfect’ anything…
  • Hardware is flawed
  • Operating systems are flawed
  • Documentation is flawed
  • People are flawed
    • You and I are flawed
• As everything is ‘flawed’ it may seem that nothing can be done so why even try
• For a ‘flaw’ a.k.a. vulnerability to be a concern there must be a corresponding ‘exploit’; otherwise there is no ‘threat’


How Windows 10 is Marketed

• Enterprise (Business) and Education
  • Requires Volume License ‘$’
  • Most capabilities/features
• Pro (Personal and Small Business)
  • Available to retail consumer
  • An upgrade path for Home Edition
  • Supports ‘domain’ joining
  • Fewer capabilities/features
• Home (Personal)
  • Least costly (OEM bundled version)
  • Fewest capabilities/features

https://www.microsoft.com/en-us/WindowsForBusiness/Compare


It’s The Most Secure Windows Ever

• Microsoft touts “Designed to be the most secure Windows yet” (https://www.microsoft.com/en-us/WindowsForBusiness/Windows-security)
  • And it is; however, not necessarily from the perspective of your online presence and protection of your data as that is your responsibility
• Where does this leave users of Windows 10 Home Edition?
  • Mandatory patch updates to address OS vulnerabilities
  • Reliance on 3rd-party apps to make up for lack of features found in other Windows editions, i.e., VeraCrypt for BitLocker and Simple Software-Restriction Policy for Software Restriction Policy/AppLocker


Defense in Depth

• “Defense in depth is the coordinated use of multiple security counter-measures to protect the integrity of the information assets in an enterprise.” (http://searchsecurity.techtarget.com/definition/defense-in-depth)

• An enterprise will have a staff supporting a myriad of customers, services, and systems with a goal of maintaining the ‘CIA’ Triad

• Today there exists a ‘home enterprise’ that contends with the same realities of a business enterprise with a legion of one… YOU!


Securing Windows 10 Home Edition

• Windows 10 Home Edition Operating System is the last line of defense, besides ‘You’, for your data and information

• The DoD DISA produces STIGs for a multitude of operating systems, applications, and networking devices (http://iase.disa.mil/stigs/Pages/index.aspx)

• DISA STIGs are intended for enterprise, not ‘home’ grade products


Out-of-the-Box Security Posture

• It may be the most ‘secure’ version of Windows yet, but it’s configured more for convenience (ease of use) than for ‘Human’ best practices

• An assessment of the Windows 10 Home OOTB security posture using DoD DISA STIGs shows Windows 10 Home has quite a number of what DoD deems as serious vulnerabilities (findings) even if OS is fully patched

• DISA categorizes vulnerabilities into one of three categories (CAT).
  • CAT I. (most serious)
  • CAT II.
  • CAT III. (least serious)


DISA Category (CAT) Levels

• DISA CAT I Vulnerability: “Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.”

• DISA CAT II Vulnerability: “Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.”

• DISA CAT III Vulnerability: “Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.”


The ‘Home Edition’ Enterprise System

• HP Stream Notebook PC 13 (< $200)
  • x64-based PC
  • 2GB RAM
  • 32GB SSD
• Windows 10 Home Edition
  • NT OS Kernel: 10.0.10586.420
  • Windows Defender: 4.9.10586.0
  • Enhanced Mitigation Experience Toolkit (EMET) 5.5: 5.5.5870.0


Some Ideal Preconditions

• Fresh Install of Windows 10 Home Edition
• Creation of 2 local computer accounts (Not Microsoft)
  • First one is a ‘Privileged’ account
  • Second one is a ‘Least Privilege’ account
• Install latest security updates and patches
  • Offline: WSUS Offline (first choice)
  • Online: Microsoft if first option is not possible
• Working knowledge of ‘regedit’ utility and command line environment
• A second computer for Internet searches ‘YouTube’ tutorials
• Patience as DISA STIG guidance can, at times, be difficult to comprehend and/or implement


STIGs Used

• STIGs downloaded from: http://iase.disa.mil/stigs/Pages/index.aspx
• Windows 10 STIG, V1, R3, 22 Apr 2016
  • Total number of checks to evaluate: 273
• Windows Firewall with Advanced Security STIG, V1, R3, 24 Jul 2015
  • Total number of checks to evaluate: 30
• Microsoft Internet Explorer 11 STIG, V1, R8, 22 Apr 2016
  • Total number of checks to evaluate: 136
• Microsoft Dot Net Framework 4.0 STIG, V1, R2, 24 Jan 2014
  • Total number of checks to evaluate: 21
• Estimated time to complete on average each applicable STIG check: ~5, ~10, or ~15 mins (Varies per individual)


STIG Viewer Tool


STIG Viewer Tool (Cont’d)


Creating STIG Viewer Checklist


Using STIG Viewer Checklist


Using STIG Viewer Checklist (Cont’d)


Applying STIG Fix Action(s) CMD Line

C:\>reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated"
ERROR: The system was unable to find the specified registry key or value.

First, for fix actions that involve making changes to the Windows registry, check to see if the required ‘registry key’, ‘value name’, ‘value type’ exist with the required ‘value name value’. In the above example, the ‘reg query’ returns an error message that the system was unable specified registry key or

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f
The operation completed successfully.

Second, to implement the fix action you will use the ‘reg add’ command as shown above for this CAT I open finding. The ‘/f’ switch in the above example applies the fix action without prompting you for confirmation.

C:\>reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0

Finally, re-run the original ‘reg query’ command to verify the registry change took effect.


Applying STIG Fix Action(s) RegEdit

Note: This shows the end state of having added the ‘AlwaysInstallElevated’ value name with a value of ‘0’.

As ‘RegEdit’ is a GUI-based application, navigating its interface can be easily done like any other GUI-based application/utility.

3. Also note that when it comes to entering a ‘value’ for the value name with the type ‘REG_DWORD’, HEX and Decimal values are one-for-one from ‘0’ to ‘9’. After that, not so much.


‘Programmers’ Calculator


OOTB Win 10 Home Pre-STIGs Results (Windows 10 & Windows Firewall)

• Windows 10 Home Results
  • Open CAT I: 012
  • Open CAT II: 127
  • Open CAT III: 008
  • NA: 035

• Windows Firewall with Advanced Security
  • Open CAT I: 002
  • Open CAT II: 004
  • Open CAT III: 009
  • NA: 012

Report Card SCORE GRADE
CAT I (11/23): 48.0%
CAT II (72/199): 36.0%
CAT III (8/16): 50.0%

Report Card SCORE GRADE
CAT I (0/2): 0.0%
CAT II (2/6): 33.3%
CAT III (1/10): 10.0%


OOTB Win 10 Home Pre-STIGs Results (.NET and Internet Explorer 11)

• Microsoft Dot Net Framework
  • Open CAT I: 000
  • Open CAT II: 008
  • Open CAT III: 000
  • NA: 008

• Internet Explorer 11
  • Open CAT I: 000
  • Open CAT II: 1344
  • Open CAT III: 101
  • NA: 000

Report Card SCORE GRADE
CAT I (0/0): NA
CAT II (5/13): 38.5%
CAT III (0/0): NA

Report Card SCORE GRADE
CAT I (0/0): NA
CAT II (0/134): 000.0%
CAT III (1/2): 50.0%


OOTB Win 10 Home Post-STIGs Results (Windows 10 & Windows Firewall)

• Windows 10 Home Results
  • Open CAT I: 000
  • Open CAT II: 009
  • Open CAT III: 000
  • NA: 035

• Windows Firewall with Advanced Security
  • Open CAT I: 000
  • Open CAT II: 000
  • Open CAT III: 000
  • NA: 012

Report Card SCORE GRADE
CAT I (23/23): 100.0%
CAT II (190/199): 95.5%
CAT III (16/16): 100.0%

Report Card SCORE GRADE
CAT I (0/0): NA
CAT II (6/6): 100.0%
CAT III (10/10): 100.0%


OOTB Win 10 Home Post-STIGs Results (.NET & Internet Explorer 11)

• Microsoft Dot Net Framework
  • Open CAT I: 000
  • Open CAT II: 000
  • Open CAT III: 000
  • NA: 008

• Internet Explorer 11
  • Open CAT I: 000
  • Open CAT II: 0004
  • Open CAT III: 100
  • NA: 000

Report Card SCORE GRADE
CAT I (0/0): NA
CAT II (13/13): 100.0%
CAT III (0/0): NA

Report Card SCORE GRADE
CAT I (0/0): NA
CAT II (134/134): 100.0%
CAT III (2/2): 100.0%


Useful CMD Line Commands - 01

• To find the Windows 10 Kernel Version (OS Build) Number
C:\>wmic datafile where name="c:\\Windows\\System32\\ntoskrnl.exe" get version
Version
10.0.10586.420

• To find out if local partitions are formatted using NTFS
C:\>wmic volume get FileSystem, Label, Name
FileSystem Label Name
NTFS Drive C:\
NTFS \\?\Volume{5519d835-07b9-40ba-9ab8-e713004d141b}\


Useful CMD Line Commands - 02

• To find out if ‘Enhanced Mitigation Experience Toolkit’ is installed
C:\>wmic product where "name like 'EMET%'" get name, version, installdate
No Instance(s) Available.

C:\>wmic product where "name like 'EMET%'" get name, version, installdate
InstallDate Name Version
20160629 EMET 5.5 5.5
C:\>

• To find out Windows Firewall ‘StartMode’, ‘State’, and ‘Status’
C:\>wmic service list brief | findstr /i /c:"Status" /c:"MpsSvc"
ExitCode Name ProcessId StartMode State Status
0 MpsSvc 572 Auto Running OK


Useful CMD Line Commands - 03

• To find out if built-in ‘administrator’ account is disabled
C:\>wmic useraccount get Caption, Status, Name, SID | findstr /i /c:"Caption" /c:"-500"
Caption Name SID Status
HPSTREAM\Administrator S-1-5-21-1804363171-3592100806-2665043441-500 Degraded

• To find out if built-in ‘Guest’ account is disabled
C:\>wmic useraccount get Caption, Status, Name, SID | findstr /i /c:"Caption" /c:"-501"
Caption Name SID Status
HPSTREAM\Guest S-1-5-21-1804363171-3592100806-2665043441-501 Degraded


Useful CMD Line Commands - 04

• To find out/list names of accounts with ‘Administrator’ privilege
C:\>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Tony
The command completed successfully.


Useful CMD Line Commands - 05

• To find out/list names of accounts with ‘User’ (Least) privilege
C:\>net localgroup users
Alias name     users
Comment        Users are prevented from making accidental or intentional system-wide changes and can run most applications

Members

-------------------------------------------------------------------------------
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
Tony
The command completed successfully.


Strategy for Applying STIG Fix Actions

• Read the ‘Discussion’ text for each check and try to understand what is being conveyed
  • You may find yourself undertaking web searches as the language being used in the ‘Discussion’ may not be clear or make sense
• Most STIG fix actions involve making registry changes, that is, adding new registry entries
  • Do these first, but go about this with caution so as not to make a mistake
• Be advised that making registry changes requires ‘privileged’ access and at a certain point, requesting ‘elevated privileges’ from a ‘least privilege’ account will no longer work.


STIG ‘Check Content’ Examples

Rule Title: IPv6 source routing must be configured to highest protection.
STIG ID: WN10-CC-000020
Rule ID: SV-78045r1_rule
Vuln ID: V-63555

Check Content: If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
Value Name: DisableIpSourceRouting
Value Type: REG_DWORD
Value: 2

C:\>reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisableIpSourceRouting"
ERROR: The system was unable to find the specified registry key or value.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisableIpSourceRouting" /t REG_DWORD /d 2
The operation completed successfully.


STIG ‘Check Content’ Examples

Rule Title: Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
STIG ID: WN10-CC-000085
Rule ID: SV-78097r1_rule
Vuln ID: V-63607

Check Content: The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy is to enforce "Good, unknown and bad but critical" (preventing "bad").
If the registry value name below does not exist, this is not a finding.
If it exists and is configured with a value of "7", this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\
Value Name: DriverLoadPolicy
Value Type: REG_DWORD
Value: 1, 3, or 8 (or if the Value Name does not exist)

C:\>reg query "HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" /v DriverLoadPolicy
ERROR: The system was unable to find the specified registry key or value.


STIG ‘Check Content’ Examples

Rule Title: Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
STIG ID: WN10-SO-000190
Rule ID: SV-78285r1_rule
Vuln ID: V-63795

Check Content: If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\
Value Name: SupportedEncryptionTypes
Value Type: REG_DWORD
Value: 0x7ffffff8 (2147483640)

C:\>reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v SupportedEncryptionTypes /t REG_DWORD /d 2147483640 /f
The operation completed successfully.

C:\>reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v SupportedEncryptionTypes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
    SupportedEncryptionTypes    REG_DWORD    0x7ffffff8
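Added example (not part of the original slides): the query, fix, re-query sequence from the ‘Applying STIG Fix Action(s) CMD Line’ slide and the three ‘Check Content’ rules above, written as a small Python checker that reads captured ‘reg query’ output. The rule table, the status labels ‘Open’ and ‘Not a Finding’, and the sample outputs are constructed here from values shown on the slides; DriverLoadPolicy has no fix value because the slides show none.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    key: str              # registry key as typed on the reg.exe command line
    name: str             # value name
    allowed: frozenset    # REG_DWORD values that satisfy the check
    absent_ok: bool       # True when a missing value is not a finding
    fix: Optional[int]    # value the slides write with 'reg add' (None: none shown)

# Rule table constructed from the checks quoted on this page.
RULES = [
    Rule(r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer",
         "AlwaysInstallElevated", frozenset({0}), False, 0),
    Rule(r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters",
         "DisableIpSourceRouting", frozenset({2}), False, 2),
    Rule(r"HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch",
         "DriverLoadPolicy", frozenset({1, 3, 8}), True, None),
    Rule(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
         r"\Kerberos\Parameters",
         "SupportedEncryptionTypes", frozenset({0x7FFFFFF8}), False, 0x7FFFFFF8),
]

# reg.exe prints a value as: <name>  REG_DWORD  0x<hex>
VALUE_LINE = re.compile(
    r"^[ \t]*(?P<name>\S+)[ \t]+REG_DWORD[ \t]+(?P<data>0x[0-9a-fA-F]+)[ \t\r]*$",
    re.MULTILINE)

def parse_dword(output: str, name: str) -> Optional[int]:
    """Return the DWORD shown for `name` in 'reg query' output, or None if absent."""
    if output.lstrip().startswith("ERROR:"):
        return None
    for m in VALUE_LINE.finditer(output):
        if m.group("name").lower() == name.lower():   # value names are case-insensitive
            return int(m.group("data"), 16)           # hex text -> integer
    return None

def evaluate(rule: Rule, output: str) -> str:
    """Apply the rule's Check Content logic to captured 'reg query' output."""
    value = parse_dword(output, rule.name)
    if value is None:
        return "Not a Finding" if rule.absent_ok else "Open"
    return "Not a Finding" if value in rule.allowed else "Open"

def fix_command(rule: Rule) -> Optional[str]:
    """Build the 'reg add' line in the form the slides use (decimal /d, /f)."""
    if rule.fix is None:
        return None
    return f'reg add "{rule.key}" /v {rule.name} /t REG_DWORD /d {rule.fix} /f'

def audit(outputs: dict) -> list:
    """Return (value name, status, fix command or None) for every rule."""
    report = []
    for rule in RULES:
        status = evaluate(rule, outputs[rule.name])
        report.append((rule.name, status,
                       fix_command(rule) if status == "Open" else None))
    return report

# Constructed sample output, shaped like the captures on the slides.
MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"

def present(rule: Rule, value: int) -> str:
    full_key = rule.key.replace("HKLM", "HKEY_LOCAL_MACHINE", 1)
    return f"\n{full_key}\n    {rule.name}    REG_DWORD    {hex(value)}\n\n"

if __name__ == "__main__":
    before = {r.name: MISSING for r in RULES}   # state of a fresh install
    for row in audit(before):
        print(row)
```

The same missing-value error is an open finding for three of the rules and compliant for DriverLoadPolicy, which is why each check's ‘Check Content’ text has to be read before acting on the ‘reg query’ result.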


Windows 10 STIG ‘Top 3’ Starters

1. Principle of Least Privilege (LP)
Vuln ID: V-63361
Rule Title: Only accounts responsible for the administration of a system must have Administrator rights on the system.

2. Prevent LP users from using elevated privileges to install software
Vuln ID: V-63325
Rule Title: The Windows Installer Always install with elevated privileges must be disabled.

3. Disable Autorun/Autoplay
Vuln IDs: V-63667, V-63671, V-63673
Rule Title: Autoplay must be turned off for non-volume devices
Rule Title: The default autorun behavior must be configured to prevent autorun commands
Rule Title: Autoplay must be disabled for all drives


3 Security by Obscurity Tactics

1. Internet Control Message Protocol (ICMP): To ‘cloak’ or not to ‘cloak’
https://technet.microsoft.com/en-us/library/cc749323(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc786041(v=ws.10).aspx

2. Hide Account Names from Desktop
https://technet.microsoft.com/en-us/library/cc957392.aspx
(Note: Although TechNet article pertains to Windows 2000, it’s applicable to Windows 10 as well)

3. Hide Wireless Connection Icon from Logon screen
Vuln ID: V-63629
Rule Title: The network selection user interface (UI) must not be displayed on the logon screen


Summary

• It’s too late to go back to paper and pen
• There’s no ‘perfect’ anything…
  • Hardware, operating systems, documentation, and people are flawed
• From a DoD DISA STIG perspective, Win10 Home is not ready for use OOTB
• Security posture of Win 10 Home can be vastly improved if STIGs fix actions are applied
• Best practice of ‘Least Privilege’ may reduce likelihood of a compromise by up to 70%
• Do not attempt if you don’t feel qualified


Thank You!

Al Green
CISSP, Security + CE, MCSA, MCP

Questions & Answers