Getting your favorite Windows laptop ready for a security con - no bullshit guide


Don't you love random security advice?

Eat your own dog food.

Typically I don’t even need my laptop much at security cons, because you can hang out at bars and steakhouses without a PC. Trust me, that works fine… in Vegas and elsewhere.

But in a week or two I’m going to be at a training seminar and we are going to have some hands-on tech sessions. You never know…

Therefore, and because it’s appropriate, I decided that my trusty old Windows laptop was up for a reconfig.
Here’s my no-bullshit guide I created on the fly. I don’t use any snakeoil security tools and neither should anyone who is serious about information security. Less is more. Simple is better.

The good news is: no hacking required. I am busy and therefore I googled for some tools. Combined with the right mindset this worked out like a charm.

Move your personal files, encrypt the disks

This goes without saying. Full Disk Encryption. Seminar rooms are in hotels, and there are going to be thieves. Hot laptops can be sold for a quick buck.

It feels bad if your laptop gets stolen, especially if you know that your disks aren’t encrypted. You will never get it back, and you will never know what has been exposed and what hasn’t.

  • private data stays in the private place, corporate data stays in the corporate place - a con is a public place. That means you are fine without data.
  • no one cares about your data, but laptops are worth money. Real life.

Services.msc - too much stuff

Windows 10 services.msc is a management utility every Admin knows.
Generally, when it comes to hardening guides, we need to be both practical and reliable. Therefore Admin-skills matter. Fewer services mean fewer CPU cycles. That in turn means longer battery life. And possibly a smaller attack surface. And possibly fewer issues. Less complexity. Simple.

In order to reduce the number of services (some may listen on 0.0.0.0 or ::) you can run the %windir%\system32\services.msc console and go through the entries one by one. Their description could be greatly improved though. – And I have no time for that.

In case you also don’t have the time, check out Easy Service Optimizer. The predefined “Tweaked” setting works well for me.

  • reduced number of services (performance, better battery life)
  • simpler way of assessing host security (via activity logs) because there will be less log noise. Less is more. More insights.

Reduce Windows telemetry - in general

In order to reduce telemetry services (for privacy and confidentiality) I use O & O shutup.

I have read a study by the German BSI from Q1 2019 that seems to indicate that Microsoft has hardwired telemetry deeply into Windows, and that further disabling it can break Windows Update services.

Besides that, the biggest chunk of telemetry seems to get created by Office 365, which is not Office 2019.
The subscription-based Office suite seems to verify the account details but also to exchange behavioral information with Microsoft. Personally I do use OneDrive, and therefore my blocklist is limited to current telemetry services:

# Telemetry
telemetry.microsoft.com:65.52.100.9-65.52.100.9
services.wes.df.telemetry.microsoft.com:65.52.100.92-65.52.100.92
sqm.df.telemetry.microsoft.com:65.52.100.94-65.52.100.94
watson.ppe.telemetry.microsoft.com:65.52.100.11-65.52.100.11
wes.df.telemetry.microsoft.com:65.52.100.93-65.52.100.93
reports.wes.df.telemetry.microsoft.com:65.52.100.91-65.52.100.91
df.telemetry.microsoft.com:65.52.100.7-65.52.100.7
survey.watson.microsoft.com:207.68.166.254-207.68.166.254

Keep in mind that these IP ranges can change.

I don’t think that there are real solutions for that at this point in time. I have seen hosts file lists that intend to block more telemetry endpoints.

You can use PeerBlock to simplify the blocklist management at the expense of a certain amount of reliability.

The advantages include that you can easily manage exclusions and temporarily disable the blocking mechanism. As I mentioned: the telemetry appears to be hardwired into some Windows services.

  • reduced telemetry via a simple hosts-block approach based on community maintained lists
  • logs about blocked / permitted network activity
  • just a general approach

DNS control is more important than your random VPN

Rather than just advising people to use random VPNs, which may or may not have a security concept, I advise paying attention to DNS security first. That matters, because DNS is the key to meta-data about your host’s network activity. And not every VPN config will route DNS through the encrypted connection channel.

I use a tool called Simple DNSCrypt and set it to use DNSCrypt and DNSSEC (preferably via TCP) with select resolvers. The tool has got many options and will also provide you with a query log window.
The logs can help to identify unwanted telemetry and services.

Keep in mind that the tool can set your IPv4 DNS resolver to 127.0.0.1.

  • DNSSEC and DNSCrypt for Windows
  • DNS query logs (local resolver)
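
Because the tool switches the IPv4 resolver to 127.0.0.1, it is worth checking that no active adapter still carries another DNS server that would bypass the local proxy. The following PowerShell check is an added example, not part of the original post; it assumes the local proxy answers on 127.0.0.1 and uses example.com as a test name.

```powershell
# Added example: list the DNS servers configured on every active adapter and
# flag the ones that are not the local DNSCrypt proxy.
$loopback = '127.0.0.1', '::1'

$report = foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    foreach ($entry in Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex) {
        foreach ($server in $entry.ServerAddresses) {
            [pscustomobject]@{
                Interface = $nic.Name
                # AddressFamily is numeric: 2 = IPv4, 23 = IPv6
                Family    = if ($entry.AddressFamily -eq 2) { 'IPv4' } else { 'IPv6' }
                Server    = $server
                Local     = $server -in $loopback
            }
        }
    }
}
$report | Format-Table -AutoSize

# Any non-loopback entry (often an IPv6 resolver learned from the network)
# can receive queries that never pass through the encrypted channel.
$leaks = @($report | Where-Object { -not $_.Local })
if ($leaks.Count -gt 0) {
    Write-Warning ("{0} resolver(s) bypass the local proxy" -f $leaks.Count)
}

# Ask the local proxy directly; an error or timeout means it is not answering.
Resolve-DnsName -Name 'example.com' -Type A -Server 127.0.0.1 -DnsOnly |
    Select-Object Name, Type, IPAddress
```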

DHCP and ARP matter - because kids are going to be kids

Why does it matter? – Because some people mistake con networks for pentest labs. Usually kids or idiots.

Personally I don’t care. If needed I will use my company mobile phone as a hotspot. No random idiot intercepts mobile internet connections.

In case you have to use the con WiFi, here’s what matters: it takes time to reset the network settings in case you got unlucky and some network-level MITM affected you.
Usually you’ll just be offline since some random dude tried to ettercap a /24 on a large con network. Turns out these little consumer grade NICs aren’t made for that.

  1. You can use the arp -s command to persist the MAC address of the main gateway until the reboot.
  2. Once you get an IP from a hopefully valid DHCP server you can set up a fixed IP.

  • don’t use the con WiFi for work stuff. Work always hunts us, I know.
  • if you have to use it, and you are offline, check DHCP and ARP. Don’t be that guy who ends up on the Wall of Sheep
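
The ARP part of the steps above (step 1 and the "check ARP" bullet) can be scripted as follows. This is an added example, not from the original post; the helper name Get-Gateway and the file gateway-pin.xml are hypothetical, and it assumes an elevated PowerShell session on a network you have just joined.

```powershell
# Added example. Run elevated, right after joining the network.
function Get-Gateway {
    # Default IPv4 route with the lowest combined metric.
    $route = Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
        Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
        Select-Object -First 1
    $entry = Get-NetNeighbor -InterfaceIndex $route.InterfaceIndex `
        -IPAddress $route.NextHop -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InterfaceIndex = $route.InterfaceIndex
        IPAddress      = $route.NextHop
        # Normalise to 12 upper-case hex digits, whatever separator is used.
        Mac            = ("$($entry.LinkLayerAddress)" -replace '[-:]', '').ToUpper()
    }
}

$gw = Get-Gateway
if ($gw.Mac.Length -ne 12) { throw "Gateway $($gw.IPAddress) has no ARP entry yet" }

# Other IPv4 neighbours that answer with the gateway's MAC can point to
# ARP spoofing: do not pin a value that already looks poisoned.
$dupes = Get-NetNeighbor -InterfaceIndex $gw.InterfaceIndex -AddressFamily IPv4 |
    Where-Object {
        $_.IPAddress -ne $gw.IPAddress -and
        ($_.LinkLayerAddress -replace '[-:]', '').ToUpper() -eq $gw.Mac
    }
if ($dupes) {
    Write-Warning "Gateway MAC is shared with: $($dupes.IPAddress -join ', ')"
    return
}

# Step 1: pin the gateway MAC. arp.exe expects the aa-bb-cc-dd-ee-ff form.
$dashed = $gw.Mac -replace '(..)(?!$)', '$1-'
arp -s $gw.IPAddress $dashed
$gw | Export-Clixml (Join-Path $env:TEMP 'gateway-pin.xml')   # hypothetical file

# After a reboot has cleared the static entry: compare before pinning again.
$pinned = Import-Clixml (Join-Path $env:TEMP 'gateway-pin.xml')
if ((Get-Gateway).Mac -ne $pinned.Mac) {
    Write-Warning "Gateway MAC differs from the pinned value ($($pinned.Mac))"
}
```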

Disable network discovery and broadcasting services

People get bored… now this one here is what I consider a polite network config:

  • Do you intend to share printers with other con attendees?!

Wireguard and IPsec VPN (Algo)

I run a Linux VM with AlgoVPN on a dedicated server (hardware). At the moment I use the TunSafe client with WireGuard and not the Windows IPsec stack. I keep both options at my disposal.

Besides that I may also decide to use my own DNSCrypt resolvers from my personal server.

  • dedicated self-hosted IPsec and WireGuard VPN with decided encryption schemes
  • personal DNSCrypt resolvers

Service and resource enumeration with Windows Resource Monitor

Windows 10 has an integrated netstat-like UI that is versatile and easy to use. And it can do a lot more…

  • Port to process mapper - service and communication enumeration
  • If you are familiar with your system activity you can spot anomalies and decide whether they are security relevant
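
The same port-to-process view, limited to the listeners bound to 0.0.0.0 or :: mentioned in the services section, can be produced from PowerShell and compared against a saved baseline. This is an added example, not from the original post; the baseline file name is hypothetical.

```powershell
# Added example. Run elevated so every owning process can be resolved.
$wildcards = '0.0.0.0', '::'

# PID -> names of the services hosted in that process (svchost hosts several).
$servicesByPid = @{}
foreach ($svc in Get-CimInstance Win32_Service -Filter 'ProcessId <> 0') {
    $id = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
    $servicesByPid[$id] += $svc.Name
}

# TCP listeners and UDP endpoints bound to every interface.
$listeners = @(
    Get-NetTCPConnection -State Listen |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    Get-NetUDPEndpoint |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess
) | Where-Object { $_.LocalAddress -in $wildcards }

$report = foreach ($l in $listeners) {
    $proc     = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $procName = if ($proc) { $proc.ProcessName } else { '?' }
    [pscustomobject]@{
        Key      = '{0}/{1} {2}' -f $l.Proto, $l.LocalPort, $procName
        Address  = $l.LocalAddress
        Services = $servicesByPid[[int]$l.OwningProcess] -join ', '
    }
}
$report | Sort-Object Key | Format-Table -AutoSize

# First run stores a baseline; later runs warn about listeners not seen before.
$baseline = Join-Path $env:LOCALAPPDATA 'listener-baseline.txt'   # hypothetical
$keys = $report.Key | Sort-Object -Unique
if (Test-Path $baseline) {
    $known = Get-Content $baseline
    $keys | Where-Object { $_ -notin $known } |
        ForEach-Object { Write-Warning "New listener: $_" }
} else {
    $keys | Set-Content $baseline
}
```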

Set firewall rules for custom applications - example VMware Workstation

With Resource Monitor I discovered that vmware-hostd and vmware-authd listen on public (unspecified) IPv4 and IPv6 interfaces. Therefore I decide that I want to use the Windows Firewall to block external traffic (from local or remote networks) from reaching these services.

First of all I check that the Sharing feature is disabled in VMware Workstation (version 15+).

Sadly the security concept of VMware Workstation does not entail that the daemons listening on TCP:903 and TCP:913 become restricted. And no… no random dude is able to take advantage of that. Still it bothers /me.

Windows has got a host firewall which can get started via %windir%\system32\wf.msc. I create a rule “My blocklist” with these ports. You may want to switch the protocol to “Any”, but that is not what I did.

Note that the local instances of VMware Workstation will remain fully functional even though you have set this firewall rule.

  • Restrict services that aren’t intended to be shared with the security conference audience
  • Verify this with tools like Nmap (on your internal network)
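
The rule created in wf.msc can also be created and read back from an elevated PowerShell prompt. This is an added example, not from the original post; it reuses the rule name “My blocklist” and the TCP ports 903 and 913 from the text, and the address in the last comment is a placeholder.

```powershell
# Added example. Run elevated.
$ports = 903, 913          # ports named above for vmware-hostd / vmware-authd
$rule  = 'My blocklist'

# 1. Confirm which processes hold the listeners before blocking anything.
Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }

# 2. Create the inbound block rule once (TCP only, as in the text).
if (-not (Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $rule -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort $ports -Profile Any | Out-Null
}

# 3. A rule only filters traffic while the firewall is enabled for the
#    profile the current network is assigned to.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 4. Read the rule back together with its port filter.
Get-NetFirewallRule -DisplayName $rule | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Direction = $_.Direction
        Action    = $_.Action
        Protocol  = $filter.Protocol
        LocalPort = $filter.LocalPort -join ','
    }
}

# 5. From a second machine on your own internal network, the ports should no
#    longer answer, for example:
#    Test-NetConnection -ComputerName <laptop-ip> -Port 903
```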

Mind your WiFi network adapter settings

You can disable LLDP, Link Layer discovery protocols, IPv6, Printer Sharing etc. In the screenshot you can see that I didn’t untick the box “Client for Microsoft Networks”. Even if I untick this and disable the “TCP/IP NETBIOS Helper” in services.msc SMB shares still work via Windows Explorer.

  • disable NetBIOS, LLDP and sharing services via the network adapter settings
  • it goes without saying that I would gladly share my internet connection with other conference attendees… :)
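
The adapter checkboxes described here, and the network discovery setting from the earlier section, map to PowerShell cmdlets. This is an added example, not from the original post; the adapter name 'Wi-Fi' is an assumption, and “Client for Microsoft Networks” (ms_msclient) is left enabled as in the text.

```powershell
# Added example. Run elevated. 'Wi-Fi' is an assumed adapter name;
# list yours with Get-NetAdapter.
$adapter = 'Wi-Fi'

# Component IDs behind the checkboxes of the adapter properties dialog.
$disable = [ordered]@{
    ms_lltdio = 'Link-Layer Topology Discovery Mapper I/O Driver'
    ms_rspndr = 'Link-Layer Topology Discovery Responder'
    ms_lldp   = 'Microsoft LLDP Protocol Driver'
    ms_server = 'File and Printer Sharing for Microsoft Networks'
    ms_tcpip6 = 'Internet Protocol Version 6 (TCP/IPv6)'
}
foreach ($id in $disable.Keys) {
    Disable-NetAdapterBinding -Name $adapter -ComponentID $id -ErrorAction SilentlyContinue
}

# NetBIOS over TCP/IP is a per-adapter TCP/IP setting, not a binding.
# SetTcpipNetbios: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
$idx = (Get-NetAdapter -Name $adapter).ifIndex
$cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $idx"
Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
    -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null

# Classify the con network as Public, the profile in which network
# discovery is off by default.
Set-NetConnectionProfile -InterfaceAlias $adapter -NetworkCategory Public

# Read everything back.
Get-NetAdapterBinding -Name $adapter |
    Sort-Object Enabled | Format-Table ComponentID, DisplayName, Enabled -AutoSize
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $idx" |
    Select-Object Description, TcpipNetbiosOptions
Get-NetConnectionProfile -InterfaceAlias $adapter |
    Select-Object Name, NetworkCategory
```

Enable-NetAdapterBinding with the same component IDs reverts the bindings after the con.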

Paranoia bonus points

Run osquery with a threat-hunting config

  • Similar to a flight-recorder osquery might allow you to determine the root causes for security issues affecting your system(s)

Windows 10 1809 Windows Defender

The current version of Windows Defender (1809) is known as efficient unless you are trying to behave worse than the average end user.
Microsoft is known to cut down investments every now and then. For now the Windows Defender seems to be fine. But even if you disable it, there shouldn’t be an issue, because the most relevant security measure is your “paranoia” ;)

  • No need for supplemental AntiVirus.

Why not use SSH tunnel via Socks5

There is a nice SSH client that will automatically reconnect. It can also open Socks5 proxies (on a local interface). Browsers can use these, and decide whether to use a local or remote DNS resolution. – You know who’s in charge of security? Yes, the browser is… browsers can go wild on occasion.

In case an application does not support Socks5, Proxifier is a nice little utility to inject such functionality and to define custom proxy routes for select applications, protocols or server endpoints.

One advantage is that this way browsers will not automatically connect to websites in background tabs, unless the proxy is established. This adds some control at least.

  • Use SSH, and proxify traffic within the VPN

Summary - ez clap

In case you don’t plan to just chill at your favorite InfoSec con, you may need to configure your favorite laptop.

Any operating system you know well enough will do. Windows, Linux, BSD or macOS. Pick yours and “mind the gap(s) please”. Because every OS has security gaps.

The gaps we just closed are:

  • data stays where it belongs, and we agreed that we like Full Disk Encryption (Bitlocker etc.)
  • fewer services actually mean a simpler and potentially more convenient experience. Simple is better.
  • less telemetry means fewer outgoing connections. In return that means more control and better system awareness. Awareness is key.
  • DNSCrypt and DNSSEC on Windows are a thing, and it’s ez clap
  • fewer boxes ticked on the network sharing and network adapter config equal less attack surface on the local network. And we may not need IPv6 because NAT is the way. And NAT is without alternative.
  • the Windows Firewall works fine, and you can just block incoming connections to your local instance of VMware Workstation (15)
  • VPNs with a security concept are cool.
  • SSH is cool. Especially because it gives us control with Socks5 usage patterns.
  • we can install a flight recorder like osquery with a threat-hunting config. Chances are that we can just delete the log files in case nothing happens…

… and nothing ever does.

No, I don’t take this overly seriously and neither should you. Downloading these small tools and running them may add a certain layer of control. Still it means nothing, but that we are all just human beings. – With computer skills.