Hardening Windows 8.1

 

Over the last few months I have set up a few Windows 8.1 machines, both laptops and desktops, and have gradually found more ways to harden Windows 8.1. This is my current list of the ways I use to harden Windows 8.1; at the moment this web page is mostly about the lower layers of the typical Windows stack.

Hardening an operating system is the process of closing down as many unused services and programmes as possible, because most services, processes, protocols, and programmes running on an operating system introduce some additional risk of attack.

Unfortunately, Microsoft still have a bad habit of running many of these things by default on their operating system, in the belief that it makes it easier to use the computer in different ways. It would be much safer if Microsoft ran as little as possible by default, and left it to users to turn on the services, processes, protocols, or programmes they require. But for whatever reason, they don't.

Microsoft also seem to have a mindset that every new version of Windows must be capable of connecting to every older version of Windows, so they build in, and run by default, communication technologies that go all the way back to NT. It is unbelievable that modern versions of Windows still have NetBIOS built into them.

Microsoft talk about the security of modern Windows versions, but they build in vulnerabilities that go back to NT.

So this web page looks at various ways to harden Windows 8.1, but I should add that none of the machines I have set up use any kind of Microsoft networking, nor do they connect to an Active Directory domain, so I am always looking for ways to remove the Microsoft networking capabilities.

Unfortunately, the internet is getting to the state where it is now far more likely that a machine will be attacked by a user opening an email attachment or downloading an app than by a network-based attack on the machine. However, hardening the machine still seems a good approach.

Added to that, computer manufacturers seem determined to make their products more attractive by including all kinds of software, which adds to the risk. So this needs to be looked at as well.

 

Don't connect to a network

I strongly recommend that a computer is not connected to a network until it has been hardened. Until then it is quite a bit more vulnerable to attack, and even respected websites may be delivering malware because the web server itself has been attacked.

There is also a possibility that other computers on the same network are infected and are trying to cross-infect the other computers on the network.

There is a bit of a conundrum here: how do you run Windows Update to make the computer more secure without connecting to a network and to the internet? In the commercial world it could be done using WSUS, but that isn't really feasible for the average home or small business user.

I don't have an answer to this one, except to suggest that you do as much hardening as possible before connecting to Windows Update.

 

User accounts and passwords

The account that is set up when Windows is first installed and configured by the user is the administrator account. Don't use this account for normal day-to-day work. Only use it for administration.

Go to Settings / Accounts / Other accounts / add an account.

Create a new account that is a Standard user, and give it a decent password - use this account for day-to-day stuff.

If you are doing stuff with the administrator account and you get attacked, the attacker can do pretty much anything to your computer.

If you are doing stuff with a Standard account, an attacker would be more limited in what they could do.

You can extend the limitations of a standard user account by going to Control Panel / User accounts / Change user account control settings and pushing the slider up to 4.

It does mean that both standard and admin users get more pop-ups whenever they try to install anything (Vista was famous for this), so you need to weigh up whether the extra security is worth the annoyance.

 

Removing programmes

Every programme installed on a computer increases the vulnerability by a greater or lesser amount, except hopefully programmes designed to find malware, such as anti-virus software. So uninstall as much of it as possible.

Computer manufacturers tend to be guilty of installing all kinds of programmes which they think will make their products more attractive. This is often known as bloatware, and the more of it that can be removed, the better.

There is an additional advantage in doing this: much of this bloatware is run at start-up, consuming memory and CPU time, and so slows the computer down.

If you are in the fortunate position of being provided with a Windows 8.1 installation DVD or USB memory stick along with the computer, the ideal thing to do would be to wipe the computer, and install Windows from scratch, so you get a clean installation of Windows 8.1, without all the bloatware.

Removing programmes rarely removes all traces of the programme; some debris always gets left behind, so a clean install of Windows is preferable.

However, you would have to sort out all the required drivers, so an install from scratch isn't always straightforward. Some OEMs add the drivers, packaged up in a folder somewhere inside Windows, so have a look around before wiping the machine.

If the computer doesn't come with installation media but instead has a recovery partition on the hard drive, then you are stuck with uninstalling each programme one by one.

I strongly recommend that you make a back-up of the recovery partition before you start uninstalling the bloatware, just in case things go seriously wrong during the uninstalls, which can happen. Both installing and uninstalling software can upset the operating system; uninstalling seems to be a bit more risky than installing.

In particular, look for and get rid of any programmes that allow incoming traffic which the programme has not requested. Messenger programmes are famously bad for this: every so often they generate and send out some traffic to no-one in particular, and the sole purpose of this is to keep a hole open through stateful firewalls, so that unsolicited traffic can come in through the firewall at any time.

Another one to look out for is the ActiveX version of the Flash player which is designed for the Internet Explorer / Windows environment.

ActiveX is a technology designed by Microsoft to allow web designers to call up other programmes from within Windows; it was intended to enhance the performance and capability of websites. However, it also allows malicious attackers to do unpleasant things deep inside Windows.

If you want the Flash player on the computer (you will struggle with a lot of websites without Flash), use a different browser such as Firefox or Opera, and download the non-ActiveX version of the Flash player.

Unless you really need it, Java should be uninstalled. Java can be used by attackers to make modifications to the computer, and unless it is upgraded and updated regularly, it will have weaknesses.

 

Stopping programmes running by default

If the computer is an off-the-shelf item from one of the bigger manufacturers, it will probably be set up to run all kinds of things at start-up.

Finding where they are run from can be a bit time-consuming: some are run from start-up menus, some from the registry, and so on. There are various ways to search them out.

Msconfig is a GUI tool which is fairly simple to use, and may provide some information.

The Start-up tab on Task manager is another place to look.

However, the best tool is Autoruns, which can be downloaded from Windows Sysinternals.

It takes a wee while to get the hang of it, but it is a worthwhile investment if you want to see what is getting started on a Windows machine, and how it is getting started.

You need to run Autoruns as administrator if you want to use it to modify any of the start-up settings.
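As an added example (not part of the original page), a PowerShell script that lists the Run/RunOnce registry keys and the Startup folders mentioned above, so you can see what is being started and from where; Autoruns checks many more locations than this.

```powershell
# Added example: enumerate the common start-up locations (Run/RunOnce keys
# for the machine and the current user, plus both Startup folders).
function Get-StartupEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        # Each value under the key is one programme and the command that starts it
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Source  = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # this user's Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
    )
    foreach ($dir in $folders) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
            }
    }
}

# Show every entry with the command it launches, so each one can be judged
Get-StartupEntries | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```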

 

Windows 8.1 firewall

I wrote at length about the Windows Firewall in the page about hardening Windows 7, so I'm not going to repeat it all. To simplify things, here are the three important settings I have done.

Some websites suggest that you change the outbound ruleset to a default block. In theory it is a good idea; in practice it would result in a lot of administration, trying to find out which apps need which holes enabled.

It is your choice.

 

Stopping services

It would be a big improvement in the security of Windows if Microsoft didn't run a lot of services by default, and instead left it to users to switch on services if they need them.

To help harden Windows 8.1, there are many services that can be disabled, but as before, it depends on how you want to use the computer.

Be prepared to spend quite a lot of time working out which services can be safely disabled, and which ones are required for the way you want to use the computer. You need to take account of service dependencies, as well as the primary function of the service.

Msconfig allows you to control services, but it is more suited to stopping services in the course of fault-finding than to permanent configuration.

A better tool is the Services console, available through Start menu / Control panel / Administrative tools / Services.

To change whether a service starts automatically, is started manually, or is disabled, highlight the service, right click on it, and select Properties.

Some of the services in Windows 8.1 are legacy services that are the same as on NT, 2000, or XP. If you don't want interaction with older versions of Windows, they can and should be disabled.

I'm still working my way through them all, but here are some of the services that I reckon, so far, can be disabled. This list is built around the way I use Windows 8.1; your list will probably need to be different. The Startup Type after each service is the original setting.

There are probably more services that can be disabled; it depends on how you are going to use Windows.
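As an added example (not part of the original page, whose service list is not reproduced here), a PowerShell function that checks a service's running dependents before disabling it and records the original startup type, as the page's list does. The names used at the end are NlaSvc (Network Location Awareness, which the page disables) and netprofm, the Network List Service, which depends on it.

```powershell
# Added example: disable a service only after checking what depends on it.
# Run as administrator.
function Disable-ServiceChecked {
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$Force   # disable even if running services depend on it
    )
    $svc = Get-Service -Name $Name -ErrorAction Stop
    # Services that would break if this one stops: the page's "dependencies"
    $runningDependents = $svc.DependentServices | Where-Object Status -eq 'Running'
    if ($runningDependents -and -not $Force) {
        Write-Warning ('{0} ({1}) is needed by running service(s): {2}' -f
            $svc.DisplayName, $Name, ($runningDependents.Name -join ', '))
        return $false
    }
    # Keep a note of the original startup type before changing it
    $original = (Get-CimInstance Win32_Service -Filter "Name='$Name'").StartMode
    Write-Host ('{0}: original startup type {1}' -f $Name, $original)
    if ($svc.Status -eq 'Running') { Stop-Service -Name $Name -Force:$Force }
    Set-Service -Name $Name -StartupType Disabled
    return $true
}

# Network List Service first, because it depends on NlaSvc; then NlaSvc itself.
foreach ($name in 'netprofm', 'NlaSvc') {
    Disable-ServiceChecked -Name $name
}
```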

 

Removing protocols

As described above, Windows 8.1 comes with many communication technologies, some of them introduced with Windows 7, and some that are there for backward compatibility with older versions of Windows. Some of these are famously insecure. NetBIOS is one, and is a common route for malicious attacks on Windows. It is enabled by default in most versions of Windows, including NT, 2000, XP, Windows 7, and even Server 2008.

The infamous Conficker worm variants A, B, C, and E all used NetBIOS to wreak their havoc on so many computers in 2009. NetBIOS provides a well-worn route into a Windows machine for hackers. Don't underestimate the risk of enabling NetBIOS on a computer.

Go to Control panel / Network and sharing centre / Change adapter settings, and right click on Local area connection.

Select Properties

You will probably see a list of 7 items, all with ticked boxes. Many of these are weak spots; get rid of as many of the ones you don't need as you can.

For a basic Ethernet LAN connection, the only two required ones are

Some websites suggest that the QoS Packet Scheduler is not required; however, I am not so sure about that, so I leave it in.

The other ones all depend on how you want to use the computer, but they all lower the security of the computer. You can untick the boxes to turn them off, but a better method is to uninstall them. This has the advantage that it removes them from the wireless connection as well.

Now highlight "Internet Protocol Version 4 (TCP/IPv4)", click on Properties, click on Advanced, and click on the WINS tab. Unless you really need it, select "Disable NetBIOS over TCP/IP".

If you are going to use some of the Microsoft file sharing technologies, you may need NetBIOS.

If Windows 8.1 is on a laptop, repeat all this for the Wireless network connection.

There may be other types of connections listed, e.g. VPNs. You may need to repeat all this for them as well.
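As an added example (not the page's own procedure), the same unticking done from PowerShell on every adapter at once, wired and wireless, together with the WINS tab setting. It assumes Windows 8.1's NetAdapter cmdlets and the standard component IDs, and leaves IPv4 and the QoS Packet Scheduler in place, as the page does.

```powershell
# Added example: untick the optional adapter components on all adapters and
# disable NetBIOS over TCP/IP on every IP-enabled interface. Run as
# administrator. Bindings are only disabled here, not uninstalled.
$Unwanted = @{
    ms_msclient = 'Client for Microsoft Networks'
    ms_server   = 'File and Printer Sharing for Microsoft Networks'
    ms_lltdio   = 'Link-Layer Topology Discovery Mapper I/O Driver'
    ms_rspndr   = 'Link-Layer Topology Discovery Responder'
}

function Disable-UnwantedBindings {
    # Supports -WhatIf so the changes can be previewed first
    [CmdletBinding(SupportsShouldProcess=$true)] param()
    foreach ($id in $Unwanted.Keys) {
        $bound = Get-NetAdapterBinding -Name '*' -ComponentID $id -ErrorAction SilentlyContinue |
                 Where-Object Enabled
        foreach ($b in $bound) {
            if ($PSCmdlet.ShouldProcess($b.Name, "disable $($Unwanted[$id])")) {
                Disable-NetAdapterBinding -Name $b.Name -ComponentID $id
            }
        }
    }
}

function Disable-NetbiosOverTcpip {
    # TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled,
    # 2 = "Disable NetBIOS over TCP/IP", the same choice as on the WINS tab
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                     -Arguments @{ TcpipNetbiosOptions = 2 }
            # ReturnValue 0 = done, 1 = done but a reboot is required
            '{0}: SetTcpipNetbios returned {1}' -f $_.Description, $r.ReturnValue
        }
}

function Get-BindingReport {
    # Audit: adapters that still have any of the unwanted components enabled
    Get-NetAdapterBinding -Name '*' |
        Where-Object { $Unwanted.ContainsKey($_.ComponentID) -and $_.Enabled } |
        Select-Object Name, ComponentID, DisplayName
}

Disable-UnwantedBindings
Disable-NetbiosOverTcpip
Get-BindingReport   # prints nothing once every unwanted binding is off
```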

 

LLMNR

Windows 7 advertises itself using LLMNR, and it can't be stopped using the firewall; I think Windows 8.1 will behave the same way.

LLMNR multicasts UDP messages on port 5355. It may also use TCP on port 5355.

It can be regarded as a security risk, as the host transmits multicast LLMNR packets that identify the host.

In addition, as the Windows firewall is a stateful firewall, the outgoing packets open holes through the firewall for incoming packets on port 5355 for a period of time, which provides a hole for attack. So it is better to disable LLMNR if it is not required.

On the higher versions of Windows, Group Policy can be used to disable LLMNR.

On Windows 8.1 Home, LLMNR can be disabled by a registry entry. The key doesn't exist by default and needs to be created. The key is


       HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\

Create a DWORD called "EnableMulticast" with a value of "0".

There is a bit more about LLMNR in my web page about Windows 7 Name Resolution.

PS: if you have doubts as to whether you should do this, a hacker can use LLMNR traffic to capture user names and password hashes from a computer, then use cracking tools to extract the password from the hash, and he then has a username and password to log onto the computer whenever he wants. Not really what you want!

 

Network Location Awareness

Network Location Awareness is a service for identifying what type of network the computer is connected to. It can be used to decide whether a network connection belongs to the Public profile or the Private profile, once the administrator has made a choice about it.

It can also be used by NLA-aware applications to react to changing network connections, such as a roaming laptop might experience when it is used on a LAN and then on WiFi, for example.

So it may be useful from that point of view. However it has a couple of security downsides - every time the computer is started, or reconnects to a network -

The list above of disabled services therefore includes the Network List Service and the Network Location Awareness service.

However, if you think you need this service but don't want the computer to connect to the web server at "www.msftncsi.com", this can be stopped via a registry entry. Go to the key


       HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\

Change the DWORD called "EnableActiveProbing" to a value of "0".
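As an added example (not the page's own), a PowerShell script that applies the LLMNR and Network Location Awareness registry settings from the two sections above, creating the DNSClient policy key when it is missing, and reads both back to confirm.

```powershell
# Added example: apply and verify the two registry settings. Run as administrator.
function Set-HardeningDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) {
        # -Force creates any missing intermediate keys as well
        New-Item -Path $Path -Force | Out-Null
    }
    # -Force overwrites the value if it already exists
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

# The two settings this page describes, with the value each should have
$Settings = @(
    @{ Setting = 'LLMNR disabled (EnableMulticast=0)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'EnableMulticast'; Want = 0 },
    @{ Setting = 'NCSI active probe off (EnableActiveProbing=0)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
       Name = 'EnableActiveProbing'; Want = 0 }
)

function Get-HardeningState {
    # Reports each setting's current value ('not set' if absent) and whether it matches
    foreach ($s in $Settings) {
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $cur = if ($null -eq $item) { 'not set' } else { $item.($s.Name) }
        [pscustomobject]@{
            Setting = $s.Setting; Current = $cur; Compliant = ($cur -eq $s.Want)
        }
    }
}

foreach ($s in $Settings) { Set-HardeningDword -Path $s.Path -Name $s.Name -Value $s.Want }
Get-HardeningState | Format-Table -AutoSize
```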

 

Disable IGMP

IGMP is part of Windows networking, and if you don't want to use Windows networking, IGMP can be disabled using


       netsh interface ipv4 set global mldlevel=none

This adds a registry entry,


       HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\IGMPLevel

which is a DWORD with the value 0.

It also adds another two entries, but these have no data associated with them.


       HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\IPAutoconfigurationMask

       HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\IPAutoconfigurationSubnet

 

Disable IPv6

IPv6 is very much built into Windows 8.1, and Microsoft quite strongly advocate that it should not be disabled; in fact disabling it can cause some boot-up delays.

However, if it is not required, it increases the attack surface. In particular, the IPv6 tunneling techniques are a significant attack surface, as they can be used to connect to the computer through the firewall without the firewall seeing what is going on.

There is quite a lot of variety in the suggestions on the internet about how to disable IPv6, and it took a bit of digging to understand what is going on.

To disable all or part of IPv6, add an entry to the registry,


       HKLM\System\CurrentControlSet\Services\TCPIP6\Parameters\DisabledComponents

which is a DWORD with a default value of 0x00000000, meaning that IPv6 is fully enabled.

It appears that the last two digits of this value act as a mask, with each bit within the mask acting as a flag for a particular part of the IPv6 suite. Bear in mind that the value above is written in hex, while the mask works at the binary level, so those two hex digits are eight individual flags.

For each flag, the default value is zero, which means on; set it to one to block that mechanism.

So to leave all of IPv6 working as Microsoft wants, leave the above registry entry at 0x00000000.

To disable all IPv6, set the above registry entry to 0x000000ff; don't set it to 0xffffffff as some websites suggest.

To disable all IPv6 tunneling but leave IPv6 working, set the above registry entry to 0x00000001.

You can do your own maths if you want to allow some tunneling mechanisms but block others.

PS: you may need IPv6 without realising it, because your router or wireless connections use IPv6.

PPS: historically, some sources suggested that to disable all IPv6 the registry setting should be set to 0xffffffff. This is now regarded as wrong, as the upper 24 bits need to be zero for the fastest boot-up times. These upper 24 bits don't do anything as far as controlling IPv6 is concerned, so there is no need to set them to one. So use 0x000000ff, not 0xffffffff.
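As an added example (not the page's own), PowerShell that builds and decodes the DisabledComponents value instead of doing the maths by hand, and warns when the upper 24 bits are set. The page gives bit 0 (tunnels) and 0xff (everything); the other bit meanings are taken from Microsoft's KB 929852 and go beyond the page.

```powershell
# Added example: encode/decode the DisabledComponents mask. Run as administrator.
# Bit meanings per Microsoft KB 929852; a set bit disables that part of IPv6.
$Ipv6Bits = @{
    0x01 = 'all tunnel interfaces (6to4, ISATAP, Teredo, IP-HTTPS)'
    0x02 = '6to4'
    0x04 = 'ISATAP'
    0x08 = 'Teredo'
    0x10 = 'native (non-tunnel) IPv6 interfaces'
    0x20 = 'prefer IPv4 over IPv6 in prefix policy'
}
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'

function ConvertTo-DisabledComponents {
    # OR the chosen flags together; the result stays within the low byte
    param([int[]]$Bits)
    $mask = 0
    foreach ($b in $Bits) { $mask = $mask -bor $b }
    return $mask -band 0xFF
}

function ConvertFrom-DisabledComponents {
    param([uint32]$Value)
    if ($Value -gt 0xFF) {
        # Upper 24 bits set (e.g. 0xffffffff): same effect, slower boot
        Write-Warning ('upper 24 bits are set (0x{0:X8}); 0x{1:X8} does the same without the boot delay' -f
            $Value, ($Value -band 0xFF))
    }
    foreach ($bit in ($Ipv6Bits.Keys | Sort-Object)) {
        [pscustomobject]@{
            Flag     = '0x{0:X2}' -f $bit
            Disabled = (($Value -band $bit) -ne 0)
            Meaning  = $Ipv6Bits[$bit]
        }
    }
}

# Decode the current value; an absent value means 0, i.e. IPv6 fully enabled.
# The registry returns a signed Int32, so mask to get the unsigned DWORD view.
$raw = (Get-ItemProperty -Path $RegPath -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
$current = if ($null -eq $raw) { 0 } else { [int64]$raw -band [uint32]::MaxValue }
ConvertFrom-DisabledComponents -Value ([uint32]$current) | Format-Table -AutoSize

# Disable tunneling only, the page's 0x00000001 case (use -Bits 0xFF for all of IPv6)
$new = ConvertTo-DisabledComponents -Bits 0x01
Set-ItemProperty -Path $RegPath -Name DisabledComponents -Value $new -Type DWord
```

A reboot is needed before the new value takes effect.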

 

Disable Autoplay

Go to Control Panel / Autoplay, and untick all the settings that allow autoplay.

 

Not the end

This is not the end of hardening Windows 8.1; there are other techniques that I haven't got into yet.


 

© 2024   Ron Turner
