Tuesday, January 25, 2022

Securing a Windows System

>Securing a Windows System
>Written by: Paperghost [paperghost@vitalsecurity.net] Vital Security -
>www.vitalsecurity.net
>irc.vitalsecurity.net - #vitalsecurity
>22/4/2001
>If this article scrolls off the edge of the page, go to Edit and select
>Word Wrap.



##  Windows: Ease of use at a price  ##

It is no secret that the Windows range of operating systems offers simplicity
of use at the cost of security....indeed, many of the main tools that come
with Windows are actually the main weapons of choice for hackers! (i.e.
Telnet, for example....a method of opening up a direct connection to a
remote computer on a port that you specify.....go to MS-DOS and type

telnet

to open it up.  You won't be able to do much with it at this stage, though).

Windows is full of holes; someone with only a little knowledge can remove
most admin restrictions on a network within about ten minutes flat, your
passwords are easily accessed, it doesn't have a built-in Firewall (the new
Windows operating system should change all that though) and it is extremely
vulnerable to Denial of Service attacks, which should be of great concern to
all....


##  What is a DoS attack?  ##

DoS stands for Denial Of Service.  Basically, it's all about knocking off
some (or all) of the net services being provided to a user without
permission.  This is usually achieved by flooding the bandwidth connection
to your machine.  The less raw data your computer's modem can handle, the
more you should worry, because someone with a more powerful machine will
blow you out of the water every time (although, as with everything, there
ARE exceptions).  After a DoS attack, your computer might not be able to
connect to the net for a while, and a REALLY bad attack can knock it out for
quite some time.  Apart from the bandwidth attack, some other common points
of entry are the Swap Space on your computer, filling up the empty portion
of your hard drive with data, cache attacks and email bombing.  Repeated
nailing of an address with identical emails equals a high bandwidth attack,
but things can always get worse, because if you try to reply back to a spam
attack, the mail will bounce back at you if the sender's address is false.
This means you'd be getting hit with twice the amount.  Resist the
temptation to reply to such mails.  Apart from anything else, if they ONLY
have your email address but not your IP, when you reply to them it's as easy
as pie to deduce your IP address from your email's header.


##  File and Print Sharing:  The dangers  ##

Windows has an option called file and print sharing. Using this option, you
can share your drive and printers with the whole world if need be, and this
is obviously a huge security risk.  Indeed, there are numerous Trojans that
exploit this, some of which make your printers spew out endless sheets of
paper, plastered with thick ink....and, of course, there are FAR more
dangerous Trojans out there.  With this option on, your Port 139 is open
(your NetBIOS Protocol), which is the port that understands commands used to
remotely access your file/print sharing servers.  If you have this sharing
option enabled on your computer, then ANYBODY could access your files
without your knowledge and you'd be none the wiser.  You really don't need
this option enabled on a home machine, so go to:

START/Settings/Control panel/Network

and then click on the panel that says "File and Print Sharing" and make sure
that both tick boxes are UNCHECKED.  You may get a message saying "insert
windows 95/98 Disk" and some other things happening, but don't worry; simply
close down any boxes that open up.  The option to file share will still be
turned off.  If you don't believe me, go back into the FileShare section and
you'll see that everything is in order.
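A quick way to confirm the sharing ports really are closed is to read the output of netstat. The script below is an added example, not part of the original article or of any product it mentions: it parses a constructed sample of "netstat -an" output and flags the NetBIOS ports (137-139, the article's port 139 among them) plus SMB's port 445, which is added here from general knowledge rather than from the article.

```python
import re

# Constructed sample of "netstat -an" output in the Windows layout.
# Assumption: this is illustrative data, not captured from a real machine;
# on your own PC, feed the function the real output instead.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1027       10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Ports that file and print sharing relies on: NetBIOS over TCP/IP on
# 137-139 (the article's port 139 is the session service) and SMB
# directly over TCP on 445 (used by later Windows versions).
SHARING_PORTS = {
    ("TCP", 139): "NetBIOS session service (file/print sharing)",
    ("TCP", 445): "SMB over TCP (file/print sharing)",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
}

# One netstat row: proto, local addr:port, foreign addr(:port), optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def bound_sockets(netstat_output):
    """Return the set of (proto, port) pairs that accept inbound traffic.

    TCP rows count only in LISTENING state; UDP rows carry no state, so
    every bound UDP socket counts.
    """
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # header lines and blank lines
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, int(port)))
    return found


def sharing_exposure(netstat_output):
    """Human-readable findings for every sharing port that is bound."""
    exposed = bound_sockets(netstat_output) & set(SHARING_PORTS)
    return sorted(f"{proto}/{port}: {SHARING_PORTS[(proto, port)]}"
                  for proto, port in exposed)


if __name__ == "__main__":
    # Real use: subprocess.check_output(["netstat", "-an"], text=True)
    for finding in sharing_exposure(SAMPLE_NETSTAT) or ["no sharing ports bound"]:
        print(finding)
```

If the script reports nothing after you have unticked both boxes, the sharing services really are no longer bound; if 139 still shows up, something re-enabled them.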

Another problem of having this port open is that it makes you highly
vulnerable to a Winnuke attack (a form of DoS attack that makes you
disconnect and sends you to the "Blue Screen: System Unstable Mode").  Now,
with all these Trojans and Nukes easily available, coupled with the dreadful
security that Windows "imposes", you may be thinking that there isn't an
awful lot that you can do.  The sad truth is, that's partially true; there
are new Trojans, Nukes and forms of Virus created daily, and it is almost
impossible to keep up with them all....BUT....there are methods and software
you can employ that, when combined, offer you just about the best protection
that you can get your hands on.  The secret is to use a number of programs
that don't cripple either each other or your system.  With the right level
of balance attained, you can fend off all but the severest of attacks, and
seeing as how most of the very worst DoS attacks have the potential to take
out whole reams of users (not just the target), you can guarantee that
someone, somewhere is going to notice someone tampering with their system
and track the Nuker down....


##  Anonysurfing  ##

Remember your IP address? Well, if someone obtains it, then they can
pinpoint you for numerous DoS attacks, and if that happens, all you can do
is try to weather the storm and patch your computer to withstand the
attacks.  Proxy Surfing is a very useful way of hiding your IP Address from
those that might want it......

# How a Proxy Works

A Proxy works as a barrier, raising itself between you and the rest of the
Web by acting like a go-between, channeling information between users and
the rest of a network. Bear in mind though that the proxy in question MUST
be able to strip your IP address from the requests going out over the net,
or it isn't a very good proxy. Also, it should cover up your operating
system, the user-agent (the program you are using to browse the Web) and
your referrer (the site from which you are linking).
A word of warning though: some Proxy services don't allow lots of fancy web
related effects to function, such as Java, ActiveX and, of course, Cookies,
so some of your favourite sites may either not work very well or, indeed, at
all, but that's the price you have to pay for anonymity. If you want to use
a Proxy, find one from a ProxyList (easily obtainable from any search
engine), and then go to:

TOOLS/internet options/connections/settings

Click on the "use proxy settings" box, then click on

Advanced

Once in, type your Proxy Service's address in the HTTP part (along with the
port it will use) and also in the FTP part.  It should look a little like
this:


TYPE:             Proxy address to use             Port

HTTP:             www.myproxy.cache.net            8080

FTP:              www.myproxy.cache.net            8080


Please note that you are legally obliged to ask the permission of the person
running a Proxy Server before you use it.  Alternatively, you can go to

www.webveil.com

for more information on Proxy Servers, and also a list of companies like
Anonymiser and Freedom that run Public Proxy Servers.


##  Proxy Chains  ##

There are a number of methods to "chain" various Proxy Servers together, but
the most common one is to put a

-_-

in between the various Proxy addresses.

TYPE:  Proxy address to use                              Port

HTTP:  www.myproxy.cache.net-_-www.proxyproxyproxy.net   8080

FTP:   www.myproxy.cache.net-_-www.proxyproxyproxy.net   8080


This results in excellent security, because someone trying to get at you
will have to go through a considerable amount of effort to track you down,
although the more Proxies you use, the slower the loading times, because the
incoming data packets are being bounced around each proxy in the chain.  
Also, if one of the Proxies goes down without warning (as they are liable to
do), you will need to both find another proxy to use, and (worse still) try
and deduce which proxy isn't working anymore (which involves trying each
proxy manually, one at a time).


##  Firewalls ##

A firewall is a very simple (yet effective) tool for protecting yourself
from outside attacks.  It simply runs whilst you go about your business
online, and analyses each and every data packet that attempts to pass in or
out of your PC.  Before the data can reach you, the Firewall uses a set of
rules to determine whether or not the data packet can be forwarded to its
eventual destination.  As this can be quite an intensive process to set up,
the firewall is often set up on a dedicated piece of hardware away from the
Network, so that no incoming traffic can get at private network resources.  
This is what happens in business; for home use, the application is a little
different....

#  Types of data acceptance

Firewalls use many different rules and regulations when examining what data
is being sent to them.  Some use a set of "acceptable" IP addresses to
accept data transmissions from, and bar all other incoming traffic.  Others
take a more drastic approach, checking EVERYTHING that comes their way,
using various types of approaches to ensure that specific application
attacks can be blocked.  Some companies and websites use multi-layered
firewalls, with firewalls between the "public" internet and the web servers,
and another between the web servers and the application servers that run
everything the site/machine(s) need to function.  A home firewall isn't
really a firewall at all, because it runs on the machine that is actually
accessing the internet (i.e. a personal firewall runs on the PC that's
running critical applications).  This is bad, because problems can be caused
if the Firewall leaks (or, indeed, the machine itself), whereas at least if
this happens on a Network Firewall set-up, the critical systems are shielded
from the leak on a separate, protected machine.  Making sure you install a
Firewall that does NOT leak is essential to your security, and to date the
only Personal Firewall which meets this criterion is ZoneAlarm, and you
can get the free version from

www.zonelabs.com

What people sometimes don't know is that Firewalls can halt the flow of
traffic OUT as well as in.  This is excellent, because if you have programs
installed on your system that include SPYWARE then you can stop unwanted
breaches of your security by the program trying to "ring home", to tell its
makers what you get up to....

#  Spyware

There is evidence that Realplayer rings home every so often, letting its
makers know EXACTLY what music you've played on it, where you got it from,
what tracks you played etc, in order for them to use this information as
they see fit (usually, worryingly detailed "trend/browser/user habit"
databases), and you can imagine how invaluable such a bulk of information
would be to marketing companies and the like.  And, truth be known, there
are MANY programs that do this; Realplayer is most definitely not alone in
this disturbing trend.  You may get quite a shock when first using a
Firewall, because very often, a window will pop up asking for permission to
let "such and such a program" to access the internet; sometimes, it might
just be to let the program take you to the product's website for an update,
but at the risk of sounding slightly paranoid, there really isn't any
difficulty in accessing the webpage etc in your own time, instead of letting
a program connect for you, possibly sending back compromising information to
its creators.  When in doubt, it is best to just deny net access to the
program in question.


#  PortScanners

A portscanner is a program which simply scans PCs for open ports, so that
the hacker can begin to manipulate your system as they see fit.  Some are
configurable, allowing the user to scan a specific range; most have to go
from 0 to 65536.

#  Trojan Benefits

What if you DO have a Trojan installed on your PC, just waiting for somebody
with a PortScanner to pick it up, and then connect to you at their end?  
Well, again the Firewall is invaluable here.  Since a firewall checks,
scans, and blocks traffic flowing both ways through it, both into and out of
your computer, it is easy to prevent unauthorized communication by a Trojan
horse program.  If you had a Trojan that didn't attempt any outward bound
connections, but simply sat and waited for incoming traffic, no passing
Trojan scanner could detect or know of the Trojan's existence, because all
attempts to contact the Trojan inside your computer would be blocked by your
firewall.

#  Logging attacks

Since every arriving packet must contain the correct IP address of the
sender's machine (in order for the receiver to send back a receipt
acknowledgement), you will ALWAYS receive an IP address to go along with the
attempted connection, which will usually be stored in the firewall's Log
File for later use.  Of course, they might be using a fake IP address to get
around this, but it still means they have to put in more time and effort to
try and break into your system, and this is time and effort which will STILL
be thwarted, resulting in a futile connection attempt.  Some people become
disheartened at the amount of unknown connections that are attempted on
their machine; they shouldn't be, because if you actually got a warning
about a blocked transmission, then that's exactly what it was: BLOCKED.  It
never actually reached your computer; it simply bounced off into the
wilderness.
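Those logged addresses are only useful if you actually look at them. The script below is an added example (not from the article, and not ZoneAlarm's own log format, which it does not reproduce): it parses a constructed, generic "BLOCKED/ALLOWED" log, groups blocked attempts by source address, and picks out sources that hit several different ports in succession, which is the footprint a PortScanner leaves in the Log File.

```python
import re
from collections import defaultdict

# Constructed sample of a personal-firewall log in a generic layout.
# Assumption: real firewalls (ZoneAlarm included) write their own format,
# so LOG_RE would need adjusting; the addresses are documentation ranges.
SAMPLE_LOG = """\
2001-04-22 21:03:11 BLOCKED TCP 203.0.113.7:4321 -> 192.168.1.5:21
2001-04-22 21:03:11 BLOCKED TCP 203.0.113.7:4322 -> 192.168.1.5:23
2001-04-22 21:03:12 BLOCKED TCP 203.0.113.7:4323 -> 192.168.1.5:80
2001-04-22 21:03:12 BLOCKED TCP 203.0.113.7:4324 -> 192.168.1.5:139
2001-04-22 21:05:40 BLOCKED UDP 198.51.100.20:137 -> 192.168.1.5:137
2001-04-22 21:09:02 ALLOWED TCP 192.168.1.5:1030 -> 198.51.100.9:80
2001-04-22 21:12:55 BLOCKED TCP 198.51.100.20:2100 -> 192.168.1.5:139
this line is garbage and must be skipped
"""

LOG_RE = re.compile(
    r"^(\S+ \S+) (BLOCKED|ALLOWED) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$"
)


def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, action, proto, src, _sport, dst, dport = m.groups()
            yield {"ts": ts, "action": action, "proto": proto,
                   "src": src, "dst": dst, "dport": int(dport)}


def blocked_by_source(text):
    """Map each source IP to the set of destination ports the firewall blocked.

    A TCP connection needs the reply to reach the sender, which is the
    article's point about the logged address; a lone UDP packet's source
    is far easier to forge, so weigh those entries accordingly.
    """
    ports = defaultdict(set)
    for ev in parse_log(text):
        if ev["action"] == "BLOCKED":
            ports[ev["src"]].add(ev["dport"])
    return dict(ports)


def likely_scanners(text, min_ports=3):
    """Sources that probed at least `min_ports` distinct ports: a scan pattern."""
    return sorted(src for src, ports in blocked_by_source(text).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    for src, ports in sorted(blocked_by_source(SAMPLE_LOG).items()):
        print(f"{src}: {len(ports)} blocked port(s): {sorted(ports)}")
    print("scan-like sources:", likely_scanners(SAMPLE_LOG))
```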


##  Freeware  ##

By and large, the ONLY Freeware that actually does what it claims to are
Virus and Trojan removers.  Most Port Monitors don't actually function as
they're supposed to, actually making your security holes WORSE.  A prime
example of this is Nukenabber.  I used to use this program myself, thinking
that the Ports specified would be blocked from all attacks.  The irony is,
they ARE.....use a PortScanner on yourself on some of the "blocked" ports to
prove it.  The problem lies with the fact that these programs actually have
to activate the ports selected so they can sit on them and monitor their
activities, meaning that when a Hacker runs a PortScan on you, instead of
getting NO results back (like they would if you had your PC in "Stealth"
mode with ZoneAlarm, for example) the Scanner picks up the selected ports
that you've blocked off, which makes them think they've found the world's
biggest ever collection of ports ready to tamper with....cue sustained
attack on all quarters.  When THIS happens, you're in trouble because for
all you know, they might pass word around about a machine that's full of
holes (ie - YOURS).  This isn't keeping a low profile, and will result in
more trouble than it is worth.  I've stopped using these programs, and so
should you.  Stick with a Firewall; they do everything you need, monitor all
port connections and disallow anything untoward; what other protection could
you possibly employ on top of something that's doing it all anyway?  A good
example of what I'm talking about is the Program GENIUS, which has a whole
host of useful functions.  It has a PortScan detection feature, which you'd
probably be tempted to use.  If you actually check the settings however, or
even stop to think for a second, you'd realise that, in order for it to
monitor for PortScans, it would actually have to OPEN a port to begin with,
in order to sit on it and wait for a connection!
Why open up extra Ports in order to try and stop people from accessing them?
It doesn't make sense!  A Firewall doesn't open your ports up, and in
Stealth mode makes them seem they don't actually exist at all, which is
INFINITELY better than a Freeware Program like Nukenabber returning a CLOSED
status to a PortScanning Hacker, as we shall see....


## Stealth  ##

Normally, your Ports will appear to be either Open or Closed to a
PortScanner.  When you have a Stealth function activated on a Firewall, it
makes it look like your computer is either off or not online; instead of
open or closed, they simply appear not to exist.  So, even if you had been
attacked and logged by a malicious user for future use, upon their return
they would find that your computer no longer appeared to be there; it would
seem like you had either left the internet forever, or else the machine no
longer existed.  They would soon get bored and move on to other targets.  
The other good thing about this mode is that, because of its nature, the
Scanner is actually damaged a little when attempting to find open holes on
your machine.
Stealthed ports are, strictly speaking, a violation of proper TCP/IP rules
of conduct. Proper conduct requires a closed port to respond with a message
indicating that the open request was received, but has been denied. This
lets the sending system know that its open request was received so that it
doesn't need to keep retrying. But, of course, this "affirmative denial"
also lets the sending system/Hacker know that a system actually exists on
the receiving end....now can you see why a Program like Nukenabber is bad
when it returns a CLOSED status?  Above all else, THIS is what we want to
avoid in the case of hackers attempting to probe our systems, which they
simply cannot do when you are in stealth mode, because to them you're not
even there.
You cannot hurt that which you cannot see.
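The difference between "closed" and "stealthed" comes down to what, if anything, the target sends back to a single TCP SYN probe. The model below is an added example, not code from the article or from any firewall it reviews: it simulates the target's reply under a reject policy (a TCP RST, the "affirmative denial" described above) and under a drop policy (silence), then shows how a scanner classifies each reply and why only the silent case leaves the host unconfirmed. The port numbers and the Policy names are constructed for the example.

```python
from enum import Enum


class Policy(Enum):
    """What the firewall does with a probe to a port it is not passing through."""
    REJECT = "reject"   # answer with a TCP RST: the scanner sees "closed"
    DROP = "drop"       # send nothing at all: the "stealth" behaviour


def host_response(listening, allowed, policy, port):
    """Reply the target sends to one TCP SYN probe.

    listening: ports with a service bound on the PC.
    allowed:   ports the firewall lets through to the PC.
    Returns "SYN-ACK" (service answered), "RST" (refused, per the TCP rules
    the article describes) or None (packet silently dropped).
    """
    if port in allowed:
        # The firewall passes the packet, so the OS itself answers.
        return "SYN-ACK" if port in listening else "RST"
    return "RST" if policy is Policy.REJECT else None


def scanner_verdict(response):
    """How a scanner classifies the reply to its probe."""
    if response == "SYN-ACK":
        return "open"
    if response == "RST":
        return "closed"
    return "filtered"   # timed out: a firewall, or no machine there at all


def scan(listening, allowed, policy, ports):
    """Run one probe per port and collect the scanner's verdicts."""
    return {p: scanner_verdict(host_response(listening, allowed, policy, p))
            for p in ports}


def host_confirmed(results):
    """Any reply at all, open or closed, proves a machine exists at that address."""
    return any(v in ("open", "closed") for v in results.values())


if __name__ == "__main__":
    probes = [21, 80, 139]
    for policy in Policy:
        r = scan(listening=set(), allowed=set(), policy=policy, ports=probes)
        print(policy.value, r, "host confirmed:", host_confirmed(r))
```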


## Reviews ##

As something to get you started, I include here a number of reviews of
various Firewalls, taken from my Toshogu Online Security website.  I haven't
included the URL here, as this is an article for Vitalsecurity and so has
nothing to do with my own website.  If you feel the need to visit it, email
me and ask for the address.

## Freeware Firewalls ##

ZONE ALARM   (www.zonelabs.com)

Is there anyone who DOESN'T have this thing??  Very popular, and easy to see
why; straightforward to use, heaps of features and an excellent Stealth
mode, let down slightly by the fact that it is almost TOO basic a program;
there aren't many configurable options, so if you want more customisation,
go for TINY.  ZA blocks unwanted intrusions with near Martial efficiency,
and also only allows those Programs that YOU choose to access the Net.
Its MAILSAFE feature also allows you to check out any emails that have
Visual Basic Scripts attached to them, monitoring and controlling them
where necessary.  IMPORTANT:  Early versions of ZONE ALARM are **NOT** as
safe as later versions, so go to www.zonelabs.com to upgrade.  It's FREE for
the Standard version, so there's NO excuse!

Marks Out of Ten:     10


TINY PERSONAL FIREWALL   (www.tinysoftware.com)

Oh, this is GOOD....used by the US Air Force, no less, and built upon ICSA
Certified Security Technology, WinRoute Pro.  As well as doing all the
standard stuff, TINY also includes an excellent Application Filter, which
notifies the User when an Application attempts to bind to a Port for
Communication.  In addition to this, it is hugely customisable, so if you
know what you're doing or feel a little restricted by a product like ZA then
this is the Firewall to get.  PLEASE NOTE though that TINY will NOT function
properly on a machine using WinRoute or Microsoft Internet Connection
Sharing.

Marks Out of Ten:     9


GATEWAY GUARDIAN PE   (www.gatewayguardian.com)

Want an entire Linux Operating System Firewall running off a 3-1/2" Floppy
Disk?  You got it.  Download THIS little number, and run it on a machine
that ISN'T the Internet Gateway (that's right, you need two
machines.....doh!)  BUT....do it, and watch with glee as it uses a pure Java
application to sort out your hardware and custom settings, and a rock-solid
Firewall is now in place. AND....after you remove the Disk, the machine
reverts back from Linux to whatever system you were running
previously....there are NO changes to your machine's Internal Hardware
Configurations.  So, if you DO have two computers requiring shared access
to the Net through a single connection, use THIS and be really rather happy
with yourself.  PLEASE NOTE:  You need Java Runtime Environment to use this
Program (as well as more than one PC!)

Marks Out of Ten:     9


## Firewall Shareware ##

BlackICE DEFENDER

A powerful detection and analysis system like no other provides pretty much
all the protection you can shake a digital stick at.  Numerous network ports
and protocols are monitored for suspicious behaviour, and when it FINDS
some....it springs into action, using sophisticated attacker analysis
techniques.  First off, using network algorithms, it ferrets out the
attacker's computer and automatically blocks any and all transfers from that
machine in the future, but at packet level.  This basically means that,
HOWEVER hard they try to get into your machine, any transmission sent to you
by them is stopped before it even gets inside your computer.

Marks Out of Ten:     10


NeoWatch   (www.neoworx.com)

With NeoWatch on your machine, your computer is Stealthed like no other, and
you simply will NOT appear to have any kind of presence on the net whatsoever
to all but the most determined of snoopers.  After installation, you are
totally invisible to all manner of port scans, pinging, unwanted TCP
connections and UDP packets.  Also, you won't be picked up by streaming
media of most types, standard browsing or plain old Email.  ICQ will still
work whilst you have NeoWatch running, however.  This program incorporates
NEOTRACE technology to allow you to pinpoint the intruder on an incredibly
accurate series of maps including (and not limited to) Satellite
Photography, Ordnance Survey maps, Topography charts etc.  On top of all
this, NeoWatch uses HackerWatch.Org to compile hacker attempts from hundreds
of thousands of users, and the data is then monitored and actively pursued
to shut down unwanted intruders forever.
How cool is that?

Marks Out of Ten:     10


ConSeal PC FIREWALL   (www.consealfirewall.com)

Unlike other desktop Firewalls that only protect Winsock applications, this
Program protects all operating system devices (like printer and file shares,
for example).  It also uses encrypted communications tools for added
security.  Pretty easy to use, and you can be as basic or as complex with it
as you like.

Marks Out of Ten:     8


Private Firewall   (www.privacyware.com)

This easy to maintain program utilises techniques such as Secure Socket
Layer Encryption (amongst others) to ensure the protection of all POP3 Mail
such as Outlook Express and so on.  Alongside this, it focuses in on the
more sensitive areas of your computer, constantly monitoring them and
letting the user know when they're under attack.  Also does all the usual
basic packet filtering, port scanning, IP Tracking etc.

Marks Out of Ten:     8


## Links ##

www.grc.com       An excellent site devoted to testing how secure your PC
is.


##  Summary  ##

I hope this Article is useful in showing you both how to secure yourself
against unwanted connections, and also how to shield yourself from unwanted
scans and Spyware.  The Internet is by no means as anonymous as some people
think it is, and although this is to the detriment of people's security
online, this also works both ways....it IS possible to find and stop even
the most determined of attackers, you just have to be patient and keep
hunting for clues and techniques which will help you put an end to their
exploits.  Just remember:
You cannot hurt that which you cannot see.


>Article "Securing a Windows System" Copyright (C) 2001 Paperghost All
>Rights Reserved
>Loyalty and Protection for all our families
>email paperghost@vitalsecurity.net with comments.
>irc.vitalsecurity.net