2012-01-26 newest contents, 2013-01-29 last update, 2011-07-05 first day, Robert Jasiek

Security Concept for Windows

Preface

This is a security concept for a single PC used for both private and internet activities under Vista, Windows 7 and possibly later Windows versions. It relies on separation of private data, Windows user accounts, user access rights, software restriction policies, integrity levels, and checksums. Most of these can be achieved by Windows's inherent features. The methods are both simple and effective. Strangely, they are hardly ever mentioned or described as a combination. This page shall fill the gap. There is only one noteworthy disadvantage: A good visualization of the methods does not exist yet.

Aims

The concept shall achieve the following:

Protect the privacy of the PC user's data: Only the PC user or the operating system may and can see his own data.
Protect the integrity of the PC's crucial files and folders: They may and can be changed only on request of the PC user or the operating system.
Protect against malware: Malware may and cannot be executed.

100% security cannot be achieved though. E.g., a too great complexity of the operating system leads to bugs. Therefore one can only try to achieve the aims as well as anyhow possible. Thus security is always relative.

Separation of Private Data

Partitions

On the harddisk, these three data types shall be separated from each other:

system data
data interacting with the internet
private data

This separation can be prepared starting with the physical location. Each data type gets its own partition. Therefore create the three partitions C:, D:, and E:.

C:	system data	Windows, Program Files
D:	data interacting with the internet	downloads, uploads, email Inbox and Outbox,...
E:	private data	all folders with your private data

This is a model. You can apply it 1:1 or create further partitions for further purposes, if necessary.

Folders for Data Interacting with the Internet

Create these folders on D:.

\Downloads	Save all downloaded files from your browser or newsreader here.
\Uploads	Copy files to be uploaded or attached to emails here.
\Emails	Here your email program stores its Inbox and Outbox.
\News	Here your newsreader stores its Outbox.

This is a model. You can apply it 1:1 or create further folders for further purposes, if necessary.

Folders for Private Data

Create these folders on E:.

\MyDocuments	texts, tables, databases,...
\MyMusic	music
\MyPictures	pictures
\MyVideos	videos
\MyWork	files related to your profession or study

This is a model. You can apply it 1:1 or choose other names for your major folders.

You will notice a similarity to subfolders of C:\Users\MyUserName. There is an important difference though: They are not separated clearly from the system data partition. Therefore do not use them. Storing all private data on a separate partition has a very great advantage: Backups of either the system partition or of the private data become much easier because one can back up exactly what one wants.

Root Directories

Do not write any files in the root directories of D: and E:. Write only folders there. Put all your files into those folders or their subfolders. The reason is that then the other security means explained further below can be applied more easily. Besides you get a better structure of your data.

Copying Files from Private Data

Do not move (cut and paste) data. Copy them. Copy whichever file(s) you need from your private data on E: to D:\Uploads. Only then use those files or their contents by your internet application(s). Afterwards, delete the used copy from D:\Uploads.

This outward direction from your PC to the internet is relatively simple because little attention needs to be paid to security. You deal only with files of that you already know that they are trustworthy.

Moving Files to Private Data

The inward direction from the internet to the PC requires much greater attention because new useful files need to be distinguished from malware.

All your new files should pass the folder D:\Downloads. Files saved in your browser, newsreader, FTP client, etc. are saved directly to that folder. Your email Inbox, Outbox, and newsreader Outbox require greater care. Each message there should be saved as a single text file to D:\Downloads. Then you can delete the original message in your email program or newsreader to either program's Trash. By this process, you create a lot of new textfiles in D:\Downloads. Speaking file names or subfolders may help you.

Now you want to move the files from D:\Downloads to the appropriate folder with private data on E:. This, however, is a crucial step. There are two cases:

a) Obviously a file is without any danger. Cut it from D:\Downloads and paste it to the appropriate folder on E:.
b) It is not obvious whether a file is without danger. Do not open or execute any such original file in D:\Downloads. Not even by accidentally double clicking it. This file must first be converted to a file that is then without danger. Such is possible in particular for file formats with script languages like, e.g., HTML with JavaScript, hidden, input, or form tags. To convert the file, use an application that does so by means of Regular Expressions. Check if the converted(!) file can still be viewed meaningfully. Finally cut the converted file from D:\Downloads and paste it to the appropriate folder on E:. Delete the doubtful original file from D:\Downloads.

Some HTML files come with an associated folder containing images, JavaScript files, etc. After conversion of the HTML, the JavaScript files might still exist. Delete them (but do not accidentally double click on them).

There are special cases. Exceptional handling is required when you have just downloaded a new program. Make backups, set a Windows Restore Point, try the application, and possibly revert to the restore point.

Some multimedia file formats are dangerous (like a video in an EXE, WMF, or flash file), some not (like a video in an MPEG-2 file). For conversion, one needs special converters. Be sure that those just convert and do not also execute the original file. E.g., a preview within the converter might already mean execution of malware contained in the original file. The safest advice is: Do not download any media files in any executable file formats. If you can't resist, ensure that you understand the conversion process very well before starting it.

If your browser or an addon can save a download without Java and JavaScript, you might think that you could avoid the Regular Expressions conversion. However, do not overlook the other dangerous tags like hidden, input, or form.

Windows User Accounts

General

A Windows user account is not just a login name with personal preferences for the desktop's appearance. Rather and the most importantly, each Windows user is associated with rights. In particular, all the rights which partitions, folders, and files the user may access at all and which actions he may perform on them. Furthermore, Windows uses two types of users: administrators and standard users. While administrators may change important system settings and program installations in C:\Program Files, standard users may not. As a consequence, administrators should be used for administrative tasks only while standard users should be used for all ordinary usage of applications and internet access. Malware has a much harder time attempting to do harm when one is working as a standard user because it inherits his restricted rights. To deny malware access also to private data, it is necessary to invent two standard users. Hence we need these three Windows users:

MyAdminUser	administrator	administrative tasks	never online
MyPrivateUser	standard user	offline usage of local applications	never online
MyInternetUser	standard user	online usage of internet applications	may be online

Although this is a model, it will be sufficiently fine for most PC users. If necessary, further Windows user accounts could be created.

After a Windows installation, the active Windows user is an administrator. Give him the name MyAdminUser, a password, and restart Windows.

Next create another user called MyPrivateUser of the type standard user, give him a password, restart Windows, configure the user's preferences and desktop appearance, and restart Windows again.

Finally, log in as MyAdminUser and do the same for the third user MyInternetUser.

Restrictions for the users' access to folders and of programs will be discussed below.

Scheduled Task

When using a DSL cable network connection, switching between offline and online can be tricky. The following procedure is for an English Windows edition; for another language, find out the Windows name of your network connection and substitute it where necessary; e.g. in English it is called "Local Area Connection" but in German instead write "LAN-Verbindung". Procedure for deactivation or activation of a cable network connection:

Create a directory <path> and therein two files having these names and one line contents:

*********************************LANoff.cmd*********************************
netsh interface set interface name="Local Area Connection" admin=disabled
*********************************LANoff.cmd/End*****************************

*********************************LANon.cmd**********************************
netsh interface set interface name="Local Area Connection" admin=enabled
*********************************LANon.cmd/End******************************

Manual Usage

Optional: create a desktop link for each.
Right-click: execute as administrator.
In case of activated UAC, enter the password of MyAdminUser.

Scheduled Task Usage

Assume MyPcName is the computer's name, MyAdminUser is the administrator user's name and MyUserName is a particular user's name.

Login as MyAdminUser, go to the control panel and open the administrative tool "schedule tasks".
For each user, a task is created with a suitable name as follows:

"When running the task, use the following user account": MyPcName\MyAdminUser
Activate "Run whether user is logged on or not".
Activate "Run with highest privileges".
Trigger "At log on": MyPcName\MyUserName
Deactivation Action for program / script: <path>\LANoff.cmd
Activiation Action for program / script: <path>\LANon.cmd
After creation of a task, enter the password of MyAdminUser.

Restart Windows.

Remarks

If <path> contains blanks, use quotation marks, e.g. "C:\Program Files (x86)\My Scripts\LANoff.cmd"
The procedure has been tested under Windows 7 64b Professional German.
During script execution as a scheduled task, no program window is shown. After manual execution, the program window is closed automatically.
After renaming of the network connection, their new names have to be entered also in the two files.
A typical manual usage can be: Use only MyOnlineUser for being online. Just after login of MyOnlineUser, activate the network connection. Bevor logout or Windows shutdown, deactivate the network connection.
A typical scheduled task usage can be to set Local Area Connection for three users as follows: Deactivated for MyAdminUser and MyPrivateUser. Activated for MyOnlineUser.
"Run with highest privileges" sets the Integrity Level "High". Otherwise the changing access to the network connection would be ineffective.
A reliable network cable is recommended.
Deactivation is immediate while activation can take a few seconds. Possibly one has to wait for disappearance of the yellow exclamation mark in the tray's network connection symbol.

User Access Rights

Introduction

A partition's, folder's, or file's user access rights are the rights per Windows user whether and by possibly which actions he may access it. In Windows Explorer, right-click on a partition, folder, or file, choose properties, then choose security. There the users and their rights can be edited. The standard rights (full access, execute, show folder contents, read, write) will do; editing the extended rights cannot be recommended because it creates more confusion and side effects than it would help. As a default, user access rights set for a folder are inherited to all current and future files, subfolders, and files therein. For our partitions D: and E:, this default should always be used. Having the same rights for all folders and files on the same partition is simple and therefore easy to understand and remember.

Windows has also command line tools for seeing user access rights: cacls and icacls.

System Data

Windows has already restricted user access rights of C:\Windows, its subfolders, C:\Program Files, C:\ProgramData, and C:\Users. In particular, standard users may not write or delete anything in C:\Windows and C:\Program Files. Leave these settings untouched. Install all your programs in C:\Program Files. If, for some reason, this should be impossible and a software by all means wants to install itself to another directory, then give it the same user access rights as those of C:\Program Files. Note that 64-bit Windows also has C:\Program Files (x86).

Data Interacting with the Internet

For partition D:, set these user access rights and delete all other generic user handles:

SYSTEM	full access
Administrators (MyComputerName\Administrators)	full access
MyAdminUser (MyComputerName\MyAdminUser)	full access
MyPrivateUser (MyComputerName\MyPrivateUser)	full access
MyInternetUser (MyComputerName\MyInternetUser)	full access

This does not mean though that in practice you should use full access rights with every user. For all the intended ordinary usage, see under Separation of Private Data.

Restricted Execution of Data Interacting with the Internet

Although, according to the access rights, you may execute executable files in D:, the idea is that you do not execute executable files in D:. Also do not open (double-click on) script files like JAR or JS that would then be interpreted by a script processor like your Java Runtime Environment or the Windows Scripting Host. So be aware of your carelessness and do not accidentally double-click on an executable. It is harmless though to open non-executable files like TXT or JPG.

Why do we set the rights to full access while we would want to prohibit execution of executable files? The reason is that Windows's rights system is not so clearcut. There are gaps and side effects. A gap is that, even if execution of executables is denied, one may still execute script files by opening them in the appropriate script prozessor. One side effect is that denying the standard right of execution also denies further rights. Another side effect is that denying only the extended right of execution assigned to a folder and inherited to its contained files also denies access for the command line command cd applied to the folder. Yet another side effect is that denying only the extended right of execution also denies the right of synchronization. Quite likely there are further, still undocumented side effects.

The lesson is that in Windows one should not try to use user access rights for prohibiting execution of files. Instead execution shall be prohibited as follows:

a) For the PC user's manual actions. This requires his discipline. Download only with prior confirmation, do not download and save executables or script files that you do not really want and need, and do not open / double-click on any executable file or script in D:.
b) By means of software restriction policies. See further below. This shall deny unsolicited execution of malware.

Private Data

For partition E:, set these user access rights and delete all other generic user handles:

SYSTEM	full access
Administrators (MyComputerName\Administrators)	full access
MyAdminUser (MyComputerName\MyAdminUser)	full access
MyPrivateUser (MyComputerName\MyPrivateUser)	full access

Have you noticed that MyInternetUser is missing? This is the key to making the partition E: private. When logged in as MyInternetUser, access to E: is prohibited. You can easily test this: Log in as MyInternetUser and click on E:. You will see an Access Denied message. Malware or remote access attempts would be faced with the same prohibition. With the rights of MyInternetUser, they may neither access E: nor change the user access rights of E:.

Software Restriction Policies

Introduction

Software restriction policies (SRP) deny execution of programs for specified Windows users. We shall use mainly whitelisting, i.e., deny all programs except those allowed explicitly. We set SRP for our Windows user MyInternetUser.

SRP require Vista Business, Ultimate or Enterprise, Windows 7 Professional, Ultimate or Enterprise or similar versions of later Windows editions. It is well worth buying an appropriate edition just so that one can set SRP. Before you use them, read introductions to the topic very carefully:

Ruin a malware author's whole day with a Software Restriction Policy: good, easy to understand introduction.
Using Software Restriction Policies to Protect Against Unauthorized Software: SRP under Vista
Using Software Restriction Policies to Protect Against Unauthorized Software: SRP under XP
Software Restriction Policies and PowerShell Code Signing: the most severe mistakes with SRP
Step-by-Step Guide to Managing Multiple Local Group Policy Objects
Software Restriction Policies Tools and Settings
Understanding Group Policy basics for Windows Vista: Also follow the links to tips 1 to 6 and related links about the topic "group policy".
Advanced Group Policy for Windows Vista: Also follow the links to tips 1 to 5.
How to manage Group Policy Objects for Windows Vista
Deploying Group Policy Using Windows Vista: technical introduction to group policies under Vista
What Is Group Policy Management Console?
How Software Restriction Policies Work

Having read that, you are now aware of making a backup of your system partition, how to work with group policy objects, how to create a snapin for a particular user, the standard rules preconfigured by Windows, how a more specific path overrides a more general path, how to make SRP effective at all, how to use gpedit and gpupdate, how not to block administrators, and how to remove the LNK file type. This knowledge of yours is now presumed.

Additional Path Rules

Create an SRP snapin for MyInternetUser, configure its basics, then add these path rules, and make them effective:

C:\Program Files	Disallowed	whitelisting
C:\Program Files\MyBrowserDir	Unrestricted	whitelisting
C:\Program Files\MyEmailClientDir	Unrestricted	whitelisting
C:\Program Files\MyNewsreaderDir	Unrestricted	whitelisting
C:\Program Files\MyFtpClientDir	Unrestricted	whitelisting
C:\Program Files\MyMusicPlayerDir	Unrestricted	whitelisting
C:\Program Files\MySpecialHardwareDriverDir	Unrestricted	whitelisting
C:\Program Files\MyTrustedJavaApplicationDir	Unrestricted	whitelisting
C:\Program Files\MyJavaDir	Unrestricted	whitelisting
C:\Windows\System32\runas.exe	Disallowed	blacklisting
C:\Windows\System32\cmd.exe	Disallowed	blacklisting
C:\Windows\System32\COMMAND.COM	Disallowed	blacklisting
C:\Windows\System32\cscript.exe	Disallowed	blacklisting
C:\Windows\System32\wscript.exe	Disallowed	blacklisting

In 64-bit Windows, another Disallowed rule is needed for C:\Program Files (x86) and some of its subdirectories need Unrestricted. Similar blacklisting rules should be added for C:\Windows\SysWOW64. Furthermore one can consider to blacklist the Powershell executables and change some basic, SRP-independent group policy and administrative template rules concerning command line, execution, registry editing and program search in the start menu's field.

Note that this is a model. Your actual program folder names will differ. When your new rules are made effective, log in as MyInternetUser and notice the effect: Try to execute any application (outside C:\Windows) not on your whitelist. You are going to get a Windows message that execution of that program is prohibited by a group policy or a similar message for a double-clicked JAR file in, e.g., D:\Downloads. The same would be the fate of a Malware.EXE or NewDownloadedProgram.EXE having found its way to, e.g., D:\Downloads.

The Disallowed rule for C:\Program Files sets the basis for a whitelisting of the listed Unrestricted application subfolders. The five executables in C:\Windows\System32\ are a blacklisting overriding the preconfigured Unrestricted rule for %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%. Now malware or remote access cannot abuse the command line and a JS file may not be interpreted by a Windows scripting host as long as MyInternetUser is the current user.

You should appreciate how short the whitelist is. All your other applications (office, graphics, video, etc.) may not be run by MyInternetUser. Nevertheless you should think twice whether you really need MyTrustedJavaApplication or whether you should rather also drop MyJavaDir from the whitelist.

Remarks

Windows 7 (Ultimate) or later offers AppLocker. Using SRP presumes not to use AppLocker because the latter overrides the former. Using AppLocker instead of SRP is an alternative though.

By experience, the safest way to avoid problems after editing SRP is this procedure: 1) execute gpupdate, 2) restart Windows, 3) login as MyAdminUser, 4) logout, 5) login as MyInternetUser and test the changes.

If you have a notebook or a mainboard with special hardware components, then several drivers and tools might be in the program directories and need to be whitelisted, too.

Normally one should not try to use blacklisting because it is a never ending task. However, the few programs in C:\Windows\System32\ are straightforward and useful exceptions. Many further should not be added.

The interaction of SRP and Java Runtime Environment is badly documented. Allowing MyJavaDir because of one Java application allows it for potentially all JAR files. That some testing of JAR files in D:\Downloads has led to a different Windows error message is no guarantee that the behaviour will always be the same. Therefore it is safer not to allow MyJavaDir at all as MyInternetUser.

Browser addons that are defined in script files (like those for Mozilla Firefox) create a similar problem. SRP block EXE files but not proprietary script files. Therefore one should be very careful with trusting browser addons. The easiest solution is not to install any. However, some say that a few specific addons like NoScript were a security gain in themselves. Every PC user needs to make up his own opinion here.

The programs C:\Windows\explorer.exe (Windows Explorer), C:\Windows\notepad.exe (simple text editor), C:\Windows\System32\calc.exe (simple calculator) may be used without putting them on the whitelist explicitly because they, like all system programs within C:\Windows\ are already whitelisted by the preconfigured path rule. This is different for C:\Program Files\Windows NT\Assessories\wordpad.exe (text editor with simple formatting); you would need to whitelist it. When you start either of these programs under MyPrivateUser or MyInternetUser, they run on the integrity level Medium. You might prefer to copy, e.g., notepad.exe to C:\Program Files\MySimpleLowToolsDir, rename it to notepadLOW.exe, whitelist this directory in the SRP, set MySimpleLowToolsDir to CI OI L NW NR NX (see under Integrity Levels further below), and use this Low copy of notepad.exe only for viewing the TXT files on D:. Setting the Windows Explorer to Low is impossible though because it also serves as the shell and manages the other applications started by the user as child processes.

Obviously, if you install some monitoring tools that you want to use also under MyInternetUser, you need to whitelist their directory, too.

Since in principle an application used under both MyPrivateUser and MyInternetUser might collect information when running under MyPrivateUser and send it when running under MyInternetUser, you might further increase security by using all your internet applications only under MyInternetUser. This is relatively easy for email and ftp clients and newsreader but you might want to use further applications like an HTML reader (or a different browser for that purpose) that you use under MyPrivateUser only.

SRPs have their unfortunate restrictions, too. E.g., one cannot associate ressources like folders, files, and registry keys on a per application basis. Some multi-sandboxes like Geswall promise to do such, however, none of them can convince under Windows so far. Anyway it would be great to see a future Windows edition with that feature. Currently there is a risk that application A writes to application B's files, etc. Another solution in future might be the idea of explicit per application access rights quite like user access rights.

If you start a non-administrative Sysinternals ProcessExplorer under 64-bit Windows, then it can create a 64-bit program copy at C:\Users\MyUserName\AppData\Local\Temp\procexp64.exe. Since whitelisting the \Temp directory would be a bad idea (malware can use that directory, too), a whitelisting hash rule should be added for procexp64.exe. Some other programs can also have helper executables at unexpected places; also they need to be located and possibly ruled.

Integrity Levels

Introduction

Vista has introduced the new mandatory security mechanism of integrity levels and also later Windows versions use them. There are these levels and flags:

TrustedInstaller		possibly used by TrustedInstaller.exe, but undocumented
System		system processes
High	H	crucial administrator processes
Medium	M	default; used for ordinary applications, folders, and files
Low	L	internet applications and their accessed folders and files
Untrusted		mostly undocumented

The basic idea is that an application on a level may not access any folder or file on any higher level. There is a finer distinction though: There are these three types of possibly prohibited higher access with their command line flags:

NoWriteUp	NW	writing on a higher level is prohibited
NoReadUp	NR	reading on a higher level is prohibited
NoExecuteUp	NX	executing on a higher level is prohibited

NoWriteUp used alone is the default.

Furthermore, one distinguishes between containers and objects and whether a container also inherits to all containers (CI) or all objects (OI) below it:

container	can contain containers or objects	CI	inherits to all containers below
object	does not contain containers or objects	OI	inherits to all objects below

Beware of the typo IO; it does have a different meaning: inherit only. We do not use it.

Various kinds of containers and objects carrying an explicit or inherited integrity level exist: processes, registry keys, etc. We are interested only in folders (a type of containers) and files (a type of objects). A folder or file without explicitly set integrity level inherits its integrity level and related flags from its (parent) folder.

The Internet Explorer has one advantage after all: Part of it uses the integrity level Low. This ends the list of its advantages; already some other parts of it use the levels Medium or High. The fundamental idea to use Low as a sandbox for all one's internet applications is very good though because malware that should somehow manage to exploit or abuse an internet application inherits its integrity level Low and hence may do damage only to the Low folders or files. However, Windows does not assign Low integrity levels and flags to internet applications automatically yet. The PC user needs to do it manually. Besides one has to accept that not all applications are ready yet to be restricted by integrity levels; some want to access more ressources than one can reasonably include in the Low list. Some experts also point out that integrity levels do not work 100% for all types of Windows desktop messages, etc. yet. Hopefully in future software developers become more reasonable and a later Windows edition will fix the remaining gaps. Until then one has to accept that mandatory integrity control is very promising, but still imperfect. It does add to the PC security though; there are no reports yet how a malware can always work up its way from Low to System.

Going back to a Windows Restore Point can sometimes not revert all user access rights and integrity levels and flags. So if you have made recent changes, you should verify again.

A running application's integrity level can be seen in Sysinternals's ProcessExplorer. Activate the appropriate column.

Root Directory

One might also try to apply integrity level commands to a partition's root directory if all folders there shall carry the same flags. However, experience shows that one can run into difficulties. E.g., the superhidden folder System Volume Information might not accept such a change and $Recycle.bin wants special treatment, too. Therefore the safe approach is to assign integrity levels and flags to every major folder as soon as the PC user creates it on D: or E:. Even better - develop a reliable concept for your top level folders and afterwards neither add nor delete top level folders (or recall that every newly created top level folder on D: or E: should immediately receive the appropriate integrity level and flags).

Copying and Moving Folders and Files

One can easily copy or move subfolders or files without explicitly set integrity level and flags to a new location below another top level folder. The subfolders or files simply inherit their new top level folder's integrity level and flags.

Copying or moving folders or files with explicitly set integrity level and flags to a new location appears to keep the previous explicitly set integrity level and flags. So they might differ from those of the new top level folder. Check this. If necessary, correct level or flags for the copied or moved folders or files.

In practice, one hardly needs to move application folders. The folders and files copied or moved as described under Separation of Private Data above do not create problems as long as a) one does not move top level folders and b) one does not explicitly set integrity levels and flags for some subfolders or files. Hence the concepts Separation of Private Data and Integrity Levels work well together and assist each other. The same can be said for user access rights. When copying or moving folders or files from D: to E: or vice versa, the user access rights are inherited from those of the new location's partition.

Sandbox the Folders for Data Interacting with the Internet

Set these flags for your Low folders on D:.

\Downloads	CI OI L NW NR NX
\Uploads	CI OI L NW NR NX
\Emails	CI OI L NW NR NX
\News	CI OI L NW NR NX

E.g., this can be done for every folder (insert the appropriate name) by the following command:

D:\>chml FolderName -i:l -nw -nr -nxchml applies CI and OI by default. After changing, you should always verify the success using icacls or accesschk. E.g., type

D:\>icacls *.*

Put the Folders for Private Data outside the Sandbox

Set these flags for your Medium folders on E:.

\MyDocuments	CI OI M NW NR NX
\MyMusic	CI OI M NW NR NX
\MyPictures	CI OI M NW NR NX
\MyVideos	CI OI M NW NR NX
\MyWork	CI OI M NW NR NX

E.g., this can be done for every folder (insert the appropriate name) by the following command:

E:\>chml FolderName -i:m -nw -nr -nx

Sandbox Your Internet Applications

Introduction

All your internet applications shall get a Low. For simple applications, the only path to be set is C:\Program Files\MySimpleApplicationDir:

C:\Program Files>chml MySimpleApplicationDir-i:l -nw -nr -nx

Now examples of some more difficult applications shall be shown. For your internet applications, find out the folders they access, set CI OI L NW NR NX to the application's directory in C:\Program Files and only CI OI L NW to its other used folders.

In 64-bit Windows, a 32-bit program's path is under C:\Program Files (x86). This applies also to Mozilla Firefox, Mozilla Thunderbird and Real Alternative below. If you have 64-bit Windows and apply a command to a 32-bit program's program directory, replace C:\Program Files by C:\Program Files (x86).

Mozilla Firefox

C:\Program Files\Mozilla Firefox	CI OI L NW NR NX
C:\Users\MyAdminUser\AppData\Local\Mozilla	CI OI L NW
C:\Users\MyAdminUser\AppData\Local\TEMP	CI OI L NW
C:\Users\MyAdminUser\AppData\Mozilla	CI OI L NW
C:\Users\MyPrivateUser\AppData\Local\Mozilla	CI OI L NW
C:\Users\MyPrivateUser\AppData\Local\TEMP	CI OI L NW
C:\Users\MyPrivateUser\AppData\Mozilla	CI OI L NW
C:\Users\MyPrivateUser\AppData\Roaming\Mozilla	CI OI L NW
C:\Users\MyInternetUser\AppData\Local\Mozilla	CI OI L NW
C:\Users\MyInternetUser\AppData\Local\TEMP	CI OI L NW
C:\Users\MyInternetUser\AppData\Mozilla	CI OI L NW
C:\Users\MyInternetUser\AppData\Roaming\Mozilla	CI OI L NW

To show some usage of icacls, here is an example for setting the flags CI OI L NW:

C:\Users\MyAdminUser\AppData\Local>icacls Mozilla /setintegritylevel (ci)(oi)L

icacls sets NW as a default but neither NR nor NX.

Mozilla Thunderbird

C:\Program Files\Mozilla Thunderbird	CI OI L NW NR NX
C:\Users\MyAdminUser\AppData\Local\Thunderbird	CI OI L NW
C:\Users\MyAdminUser\AppData\Local\TEMP	CI OI L NW
C:\Users\MyAdminUser\AppData\Roaming\Thunderbird	CI OI L NW
C:\Users\MyAdminUser\AppData\Thunderbird	CI OI L NW
C:\Users\MyPrivateUser\AppData\Local\Thunderbird	CI OI L NW
C:\Users\MyPrivateUser\AppData\Local\TEMP	CI OI L NW
C:\Users\MyPrivateUser\AppData\Roaming\Thunderbird	CI OI L NW
C:\Users\MyPrivateUser\AppData\Thunderbird	CI OI L NW
C:\Users\MyInternetUser\AppData\Local\Thunderbird	CI OI L NW
C:\Users\MyInternetUser\AppData\Local\TEMP	CI OI L NW
C:\Users\MyInternetUser\AppData\Roaming\Thunderbird	CI OI L NW
C:\Users\MyInternetUser\AppData\Thunderbird	CI OI L NW

Real Alternative

C:\Program Files\Real Alternative	CI OI L NW NR NX
C:\Users\MyAdminUser\AppData\Local\Real	CI OI L NW
C:\Users\MyAdminUser\AppData\Local\TEMP	CI OI L NW
C:\Users\MyAdminUser\AppData\Roaming\Media Player Classic	CI OI L NW
C:\Users\MyAdminUser\AppData\Roaming\Real	CI OI L NW
C:\Users\MyPrivateUser\AppData\Local\TEMP	CI OI L NW
C:\Users\MyPrivateUser\AppData\Roaming\Media Player Classic	CI OI L NW
C:\Users\MyInternetUser\AppData\Local\TEMP	CI OI L NW
C:\Users\MyInternetUser\AppData\Roaming\Media Player Classic	CI OI L NW

Remarks

Use an administrative command line (C:\Windows\System32\cmd.exe started as administrator) for the command line tools.

In a command line, a path parameter containing empty spaces must be enclosed by "". Example:

C:\Users\MyInternetUser\AppData\Roaming>icacls "Media Player Classic"/setintegritylevel (ci)(oi)L

I am not sure whether Mozilla Thunderbird and Real Alternative do use the \TEMP folders. Since we have set them to Low for Mozilla Firefox already anyway, it does not matter.

Do not change integrity levels for \VirtualStore folders. These are managed by Windows - not by the applications themselves.

If your application does not start, then probably further directories need to be set to Low. Within each application, set the path for saving files to a Low directory. E.g., for your email program that should be D:\Emails. (You could make problems for yourself if you used D:\Folder1\Emails, set \Folder1 to Medium, and \Emails to Low. Mozilla Thunderbird could not open \Emails because it tries to access it via first visiting the parent \Folder1, what is prohibited due to a higher integrity level. Keep things simple and you will meet fewer problems.)

Do not be surprised if Windows sometimes restricts execution of Low programs under MyAdminUser. This makes sense since internet applications are not administrative tools.

Windows annoys the PC user with a confirmation dialog whenever he trys to start a Low program (other than the Internet Explorer) under MyPrivateUser or MyInternetUser. This is illogical. It would make more sense if instead Windows asked "Are you sure?" in case of Medium or High programs because they may access more if started. It is possible though to deactivate the dialogs. Log in to the user for whom you want to deactivate. In the control panel choose: "Internet Options | Security | Internet | Custom Level | Miscellaneous | Lauching applications and unsafe files | Enable (not secure)". Click OK. Log out and log in again as the same Windows user. Are you scared by the red shading (also in the Security Center) and by overriding Windows's recommendation? Since I have never got any such confirmation dialog for a Medium or High program, it is safe to assume that this particular dialog box and all related red shading effects or symbols are meant for PC beginners clicking around all options in the preferences without thinking rather than for power users.

Software

icacls: This command line tool for cmd.exe is part of Windows.
accesschk: This is a Sysinternals command line tool. Copy it to C:\Windows\System32.
chml: This command line tool is from Mark Minasi's webpage. Copy it to C:\Windows\System32.
Integrity: This tool on Andreas Hötker's webpage has a graphical user interface.

Checksums

Introduction

Although Windows is said to protect its system files itself, the scope is mostly undocumented and unclear. It is safer to double check the integrity of the system files. Besides one wants to check it for the program files, what Windows does not do at all. Hash values are used for verification of each file's integrity. A hash is a lengthy, possibly hexadecimal number calculated as a checksum of the file's sequence of bits using some defined algorithm. In practice, changing bits of a file always leads to a new hash. Therefore a changed hash value means that the file has been modified. Modifications occur for different reasons like a) a log or ini file has been updated, b) a file is new (e.g., after the related program has been installed) or has been deleted, c) a file has been replaced due to a Windows or a software update, d) malware has attacked a file. In most cases, it is rather obvious why a hash value has changed. Almost all changes occur due to updates, (de)installations, logs, or prefetch data. When suspiciously more has happened to the files on C:, then this can be an indication of the effect of malware.

One popular algorithm creates MD5 checksums and files. A suitable and mighty command line tool with the ability to analyse subdirectories and their files recursively is fsum from Slavasoft's webpage, which should be copied to C:\Windows. If you prefer a GUI with this feature, you might need to purchase some shareware.

Integrity starts from the moment of installing Windows. If one starts only later and some files are already compromised, then all one would be checking afterwards is that the compromised files are still compromised. To check that all files have integrity, one needs to start afresh. In other words, reinstall Windows and calculate the checksums for the first time immediately afterwards. Later one should perform checksum calculations regularly. Additionally it makes very much sense to check just before and just after a Windows update or a major installation or program update.

For checking the MD5 of a single, downloaded file, there are more convenient freeware programs with GUI. You will find some easily.

Usage of fsum

General

Of course, you can also use a different utility; nevertheless the following will give you the general idea. Create a directory where you store checksum files: E:\MyDocuments\MD5. Whenever you verify for integrity, perform a two-step process. Note that, in case of a Windows update, you should perform the procedure twice: Once just before and once just after the Windows update. Let us devise a suitable naming convention for our stored checksum files:

YYMMDDfoldername.TXT stores the changes in foldername on the date YYMMDD.
YYMMDDfoldername.MD5 stores the list of checksums in foldername on the date YYMMDD.

We should observe these folders and use the denoted abbreviations for foldername:

C:\	c
C:\ProgramData	programdata
C:\Program Files	programfiles
C:\Windows	windows

For 64-bit Windows, see the related remark in the section Integrity Levels.

Step 1: Log the Changes to the Last Previous Checksums

Let us assume that the current date is 2009-02-01 and that our last previous checksum creation was on 2008-12-31.

C:\>fsum -c -jf E:\MyDocuments\MD5\081231c.MD5 >E:\MyDocuments\MD5\090201c.TXTC:\ProgramData>fsum -c -jf E:\MyDocuments\MD5\081231programdata.MD5 >E:\MyDocuments\MD5\090201programdata.TXTC:\Program Files>fsum -c -jf E:\MyDocuments\MD5\081231programfiles.MD5 >E:\MyDocuments\MD5\090201programfiles.TXTC:\Windows>fsum -c -jf E:\MyDocuments\MD5\081231windows.MD5 >E:\MyDocuments\MD5\090201windows.TXT

-c compares and does so also recursively in all subdirectories, -jf outputs the failures only. The sign > before a path to a filename redirects the output to that file. Note that fsum works relative to the current directory. When you create checksums for the first time, omit step 1.

Step 2: Calculate the Current Lists of Checksums

C:\>fsum *.* >E:\MyDocuments\MD5\090201c.MD5C:\ProgramData>fsum -r *.* >E:\MyDocuments\MD5\090201programdata.MD5C:\Program Files>fsum -r *.* >E:\MyDocuments\MD5\090201programfiles.MD5C:\Windows>fsum -r *.* >E:\MyDocuments\MD5\090201windows.MD5

-r executes also recursively in all subdirectories, *.* applies to all files.

Miscellaneous

Manual Protocol

If you do not want to lose track of what you are doing, manually log the crucial facts to text files:

names of the partitions of data interacting with the internet or of private data
list of top level folders on D: and E:
user access rights of D: and E:
export the list of software restriction policy additional path rules to a text file
list of Low NW NR NX folders on D:
list of Medium NW NR NX folders on E:
list of Low programs, their Low NW NR NX folders, and their Low NW folders on C:
naming concept of your MD5 related files

Backups

Make regular backups. Back up your system and programs partition by a Windows or third party software, maybe once every one or two months.

Especially just before any software installation, create a Windows Restore Point. Give it a speaking name like "Before MyNewApplication1". If you find the application to be unsecure or not fitting your taste, you can go back to the restore point and be sure of the system files' integrity again. Additionally, you might have to delete a remainder of the application's subfolder manually.

Frequently back up your personal data, application data, and application settings files.

Compromised PC

"There is malware on my PC or I am not sure whether some symptoms might indicate malware. What should I do?" There is only one correct answer: Reinstall Windows or at least your last known good image of your system and programs partition(s). Everything else would leave behind doubts.

Windows Default

Although, since Vista, Windows has a number of new security features, the operating system's default settings do not guarantee security yet because the aims are not achieved and because emphasis on usability leads to compromises.

User Account Control

Have the UAC activated and set it to the highest level. Bear the confirmation dialogs. The UAC is meant to nerve you - not to let you just click away every box but to let you think carefully whether a) it has been you to start the action and b) you really want to change the relevant system setting. If you are online as a Windows standard user and a malware wants to change the system, it cannot do so because it has to pass your explicit grant. Therefore so far the UAC is in particular still the best known anti rootkit software for Windows. One just has to be aware of the possibility of an UAC dialog being spoofed, i.e., forged to fetch your administrator password. If in doubt, cancel the action instead of entering the password. One must also understand that an installer inherits administrative or even higher rights for its further actions once it is allowed in an UAC dialog at all. Bad software developers abuse this power by, e.g., changing rules in the Windows Firewall.

Windows Settings

This page is not a complete or detailed list for choosing secure Windows settings. However, be aware of the importance. The following measures should be considered seriously. For further reading, also search for hardening.

Deactivate all superfluous Windows services.
Prevent the Windows Defender from phoning home.
Disable all sharing in the network center.
Choose the network profile Public because that is the most secure choice even if the PC is used only at home.
If you use the Windows Firewall, verify in its advanced settings that the desired direction(s) of filtering are activated for in particular the currently used network profile Home / Private, Public, or Domain / Work.
Deactivate every protocol that you do not use. E.g., in the properties of your network connection, you should consider to deactivate Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, IPv6, Other Users in the Network, and WINS / Netbios for IPv4.
In the Control Panel, configure the Internet Settings defensively: E.g., deactivate automatic connection, ActiveX, Java, JavaScript, etc.
Deactivate autoplay for optical drives.
Set harmless standard programs like notepad.exe for all dangerous file associations like DOC or VBS so that accidentally clicking on such a file does not cause its execution.
Disable or delete all unnecessary autostart entries; you might use Sysinternals's program Autoruns, which shows a dozen of more autostart places than you have dreamt of.

PC User

The best security concept is useless if the human being in front to the machine violates it. The PC user must understand the concept and always think about what he intends to do and how. Think of yourself as being the greatest risk for your PC's security. The PC user might, e.g., accidentally format a partition, install malware described as useful application, or open an executable email attachment.

Third Persons

Since you do not watch your PC 24h every day, there is a danger of third persons trying to access it. Whenever you leave your PC temporarily, lock the currently active Windows user, e.g., by the keyboard command [Win] + L. Close the room. Encrypt partitions or folders before someone accesses your PC by a different operating system launched, e.g., from a DVD or before your PC needs to be sent in for repairs.

Personal Firewall

Either use the Windows Firewall or some good personal firewall. Do not use two firewalls simultaneously because this creates conflicts and instability. People recommending the Windows Firewall do so because of the greater complexity, often greater number of security holes of personal firewalls, and doubting the usefulness of outbound or application filtering. Those in favour of some particular personal firewall appreciate its much easier configuration per se and also of outbound or application filtering. This pages does not intend to prove either preference and instead recommends further reading elsewhere. One thing seems to have universal agreement though: inbound packet filtering is essential.

Monitoring Tools

There some good monitoring or logging tools like those from Sysinternals. However, monitoring means to observe what has already happened and - if one wants to be complete - requires permanent watching. So monitoring can at best offer assistance - it is not a security solution in itself. Logging network traffic helps for setting appropriate firewall rules. Logging files and registry activity of an application can assist judgement about the software.

Anti Virus, Anti Spyware, Host Intrusion Protection, Virtual Machine, Anti Rootkit Software

The number of malwares grows exponentially and malware exists already before its signatures are added to databases. Therefore signature based detection does not guarantee security, even if tests report 99.9% filtering for previously known malware. The best anti virus softwares achieve only 60% detection by behaviour blocking and also cause some false alarms. Instead of making compromises by trying to rely on anti virus software, never just open attached or downloaded untrusted executables, scripts, macros, and documents with scripts / macros (e.g., files in the format DOC). Although it does not hurt to run anti spyware or anti rootkit software from time to time, they offer only assistance. A few HIPS or virtual machines may be rather efficient if configured correctly, however, they all fight with the problem of the unsecure design of Windows messages. Hence do not rely on such tools alone. Besides consider the potential problem of greater instability of the operating system due to greater complexity caused by intervention of security software services in system services.

Applications

Reflect which companies, programmers, softwares, download sites, and checksums you can and want to trust. The fewer the better. Verify reputation and trustworthy reviews. Always be aware that it might be malware. All security fences are overcome if the PC user makes one wrong decision. In case of doubt, do not install or execute.

Usually applications should not install anything into the Windows directory or its subdirectories. Applications have the cleanest installation procedure, if it can be done by the PC user manually copying the file(s) to a new subfolder of the Program Files folder. While normally system files and folders are protected, an installer or a setup.exe run with administrative rights are exceptions. This major gap in Windows's security design may permit a greater compatibility of old softwares and installation of a new hardware or device driver but at the same time potentially opens all gates for malware. Therefore let me repeat: Never install any software that you do not fully trust.

After installation and a Windows restart, the first thing to do for every Windows user is to set the application's preferences: Disable all script and macro languages, phoning home, and information sharing features. This applies also to applications preinstalled with Windows: e.g., Windows Media Player, Windows Media Center. Let your email program edit and show only plain text; disable HTML because it can contain scripts, etc.

Do not install skins if they behave like executables. Do not install addons unless you apply the same careful considerations as for the software's major EXE.

Do not use Internet Explorer and Outlook Express. Never. They are programs with a record history of security gaps. Use much more secure programs as browser and email client instead. For a start, here are some names: Opera, Firefox, Thunderbird.

Internet applications require further thinking: Sometimes an essential webpage relies on JavaScript. Unless you use a whitelist for such webpages, activate JavaScript (and possibly Cookies) temporarily and immediately afterwards deactivate it again.

Updates

Keep Windows and your applications up to date. This is important because many updates close known security gaps. There is a question though about which might be the best method. While automatic updates are timely, manual downloads and offline installation of updates ease recognition of the last known good state and calculation of checksums just before / after an update and work better with the idea of separation that MyInternetUser is used for downloading but MyAdminUser is used for installation of a previously downloaded Windows update or application. Therefore, together with the described security concept, I recommend regular manual updates.

Not Covered

This page does not cover hardware security, password security, router settings, various attacks on browsers, and online banking. Please read about these and further security topics elsewhere.