The following defenses will help prevent malicious attacks against Windows computers.
The number one way to prevent malicious attacks on the registry is to not give non-admin users Administrator privileges. By default, as shown in Table 6-3, non-admin users usually have only Read-only access to most registry keys. If you have chosen to allow your regular end users to be logged on as administrators, consider manually hardening the high-risk registry locations listed in Tables 1-1 and 6-4 so that the user has only Read permissions (instead of Full Control).
By default, even non-admin users have Read and Write permissions to the HKCU subtree. Consider giving users Read-only permissions to the high-risk HKCU keys listed in Tables 1-1 and 6-4. Pay special attention to the HKCU\Software\Classes and HKCU\Software\Microsoft\Windows entries.
By default, Windows installs with hundreds of file associations (in HKCR, HKLM\Software\Classes, and HKCU\Software\Classes). Consider making a list of file extensions that should be allowed in your environment. Use Table 5-1 as your guide. Then, using registry permissions, block non-admin users' access to high-risk file associations. For example, if your company does not normally use encoded VBScript files (file extension .VBE), block access to them. Take away the user's capability to read the file association key. Note that I did not say to give the Users group a Read-Deny permission. Doing so, as some readers might have inferred from the previous sentences, would also prevent Administrators (who are members of Users) from accessing the key. Table 6-5 shows the especially high-risk file associations that should be blocked from casual use.
| File Extension | File Type | Malicious Use Details |
|---|---|---|
| .ani | Windows Animated Cursor | Two exploits were announced by Flashsky Fangxing (flashsky@xfocus.org) on Dec. 23, 2004. First, a Windows kernel DoS exploit; Windows XP SP2 is not vulnerable, but most other Windows versions (NT to 2003) are. Second, an integer buffer overflow caused by the LoadImage API in USER32.Lib; most Windows versions (NT to 2003) are vulnerable. |
| .asf, .lsf, .lsx | Streaming audio or video file | Can be exploited through buffer overflows, header malformation, or dangerous scriptable content. |
| .bat | DOS batch file | Can contain malicious DOS command interpreter instructions. |
| .chm | Windows Compiled Help File | Windows Help Files (.hlp) can be compiled for better performance and feature sets. Malformed Compiled Help Files have been involved in many announced exploits over the years, including Microsoft Security Bulletin MS05-031. Can be opened in Internet Explorer automatically, without user intervention, using the ms-its: moniker. |
| .cmd | Command file | Contains batch-file-like DOS interpreter script commands. Can contain malicious instructions. |
| .com | Program executable | Older executable format used by some legacy DOS programs. Still runs under all Windows versions except newer 64-bit Windows. |
| .cur | Windows cursor graphic file | Integer buffer overflow, announced by Flashsky Fangxing (flashsky@xfocus.org) on Dec. 23, 2004, caused by the LoadImage API in USER32.Lib; most Windows versions (NT to 2003) are vulnerable. |
| .dbg | Debug file | Can contain malicious machine-language instructions that can be compiled by debug.exe into malware. |
| .dsm, .far, .it, .stm, .ult, .wma | Nullsoft WinAmp media file | Has been involved in malicious exploits. |
| .dun | DUN export file | Can contain malicious dial-up connection information that initiates outbound calls. |
| .eml, .email | Outlook Express e-mail message | Used by Nimda and many other worms. |
| .hta | HTML application | Frequently used by worms and trojans. |
| .pdc | Microsoft compiled script | Can contain dangerous code. |
| .pif | Program information file | Can run malicious programs. |
| .png | Portable Network Graphics file | PNG is an open-source graphics format with lossless compression (www.libpng.org/pub/png). Has been involved in several exploits, including multi-browser buffer overflows. The last PNG IE buffer overflow was resolved by MS05-025. |
| .pol | Windows Policy File | Could be used to lower security settings on Windows 9x and later machines. |
| .reg, .key | Registry entry file | Can create or modify registry keys. |
| .scf | Windows Explorer command | Could be used maliciously in future attacks. |
| .shs, .shb | Shell scrap object | Can mask rogue programs by containing links to other programs. Shell scrap file objects can have hidden extensions even when Windows is told to display hidden file extensions. This file type can itself run raw code. |
| .slk | Excel SLK data-import file | Can contain hidden malicious macros. |
| .swf, .spl | Shockwave Flash object | Can be exploited. |
| .vb, .vbe, .vbs | VBScript file | Can contain malicious code. VBE files are encoded VBScript files that can easily be decoded and read by Windows and IE. These files are executed by Wscript.exe, Cscript.exe, or VBScript.dll. |
| .vcf | vCard file format | Used in many e-mail clients, including Outlook and Outlook Express, to communicate recipient addressing details. Has been involved in a few exploits. |
| .ws, .cs, .wsf, .wsc, .sct | WSH file | Can execute malicious code. |
These file associations were chosen for the following reasons:
- They are frequently exploited by malware or attackers.
- They are infrequently used legitimately.
- Removing them would cause few problems in most environments.
Modify your list based upon your environment's needs and expectations.
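The permission change described above, as an added PowerShell example that is not the book's own script: it removes the BUILTIN\Users Allow entries from the extension key and its ProgID key rather than writing a Deny ACE, so Administrators (who are also members of Users) keep their own Full Control entry. It assumes an elevated session, and the $Extensions list is a constructed sample drawn from Table 6-5.

```powershell
# Added example (not the book's own code): remove BUILTIN\Users access from the
# registry keys behind a high-risk file association. No Deny ACE is written, so
# Administrators, who are also members of Users, keep their Full Control entry.
# Assumes an elevated session; $Extensions is a constructed sample from Table 6-5.
param([string[]]$Extensions = @('.vbe', '.scf', '.shs'))

function Remove-UsersAccess {
    param([string]$Path)
    # Pass 1: stop inheriting from the parent key but copy the inherited ACEs as
    # explicit ones; an inherited Users Read ACE cannot be removed directly.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    # Pass 2: re-read the now-explicit ACL and drop every Allow ACE for Users.
    $acl = Get-Acl -Path $Path
    $usersRules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and $_.AccessControlType -eq 'Allow'
    }
    foreach ($rule in $usersRules) { [void]$acl.RemoveAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($ext in $Extensions) {
    $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
    if (-not (Test-Path $extKey)) { continue }
    # Harden the extension key and the ProgID key it points to (e.g. .vbe -> VBEFile),
    # since the ProgID holds the shell\open\command that actually runs the file.
    $progId = (Get-ItemProperty -Path $extKey).'(default)'
    $targets = @($extKey)
    if ($progId) { $targets += "Registry::HKEY_CLASSES_ROOT\$progId" }
    foreach ($target in $targets | Where-Object { Test-Path $_ }) {
        Remove-UsersAccess -Path $target
        Write-Host "Removed Users access from $target"
    }
}
```

Writes through HKCR land in HKLM\Software\Classes unless a per-user copy exists under HKCU\Software\Classes, so run the same loop against that hive if users have their own overrides.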
Don't forget to block non-admin access to dangerous URI handlers (e.g., news://, aim://, telnet://, rlogin://). URI handlers are the special keywords that can be added to the beginning of a URL to launch an external program. Not all URI handlers are dangerous. Http:// and Https:// are used legitimately most of the time, but malware has used a few other URI handlers in the past to exploit computers. Table 6-6 lists high-risk and other unused URI handlers that should be reviewed.
| URI Handler | Description |
|---|---|
| aim | The America Online Instant Messenger (AIM) program can be launched from an embedded HTML link. Has been used a few times in the past to conduct buffer overflows and steal files. |
| callto | Will launch NetMeeting to call a dial-up phone number. Has been used by malware to make expensive long-distance calls. |
| news, nntp, snews | Network News Transport Protocol (NNTP). Will launch Outlook Express (OE), even if OE is not used (and not patched). Has been used to spread malware. Involved in a Windows buffer overflow exploit as recently as June 2005. |
| ftp | File Transfer Protocol (FTP). Will launch Internet Explorer (IE) in FTP mode. Can be used to download malicious files. Can be used to exploit other FTP vulnerabilities, such as user name and password disclosures. |
| gopher | Early Internet protocol. Can be used to launch IE, although Gopher has been disabled in IIS and IE for many years now by default. Not really a high risk, but it should be disabled because it is no longer used. |
| ldap | Lightweight Directory Access Protocol (LDAP). Will launch OE by default. Not abused much by malware, but could be used to do e-mail address directory harvesting and to send malicious e-mails. |
| ms-its | Allows compiled help files (.CHM) to be launched. Compiled help files have been used in nearly a half dozen different exploits over the years. |
| rlogin | Remote logon is a Unix-style telnet utility (Rlogin.exe) included in several versions of Windows. Essentially a telnet utility. Not abused by malware yet, but should be disabled because it is rarely used legitimately. |
| telnet, tn3270 | Can be used to launch a remote telnet session. Not popularly exploited, but has been used in the past. |
The URI handlers installed in Windows vary in each environment according to the version of Windows and what software has been installed. Administrators should query workstation registries to determine whether any other high-risk entries should be blocked. You can find URI handlers by searching under HKCR for keys whose default value data begins with URL:.
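The registry query just described, as an added PowerShell example that is not the book's own script: it walks HKCR, keeps every key whose default value begins with URL: (or that carries a URL Protocol value, the other marker Windows uses for a scheme), reports the program each scheme launches, and flags the handlers named in Table 6-6. It assumes an elevated session; the $highRisk list is taken from that table.

```powershell
# Added example (not the book's own code): list registered URI handlers and flag
# those from Table 6-6. Assumes an elevated session; HKCR is reached through the
# Registry:: provider path.
$highRisk = @('aim', 'callto', 'news', 'nntp', 'snews', 'ftp', 'gopher', 'ldap',
              'ms-its', 'rlogin', 'telnet', 'tn3270')
$hive = 'Registry::HKEY_CLASSES_ROOT'

$handlers = foreach ($key in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # A scheme key's default value starts with "URL:" (the search criterion in the
    # text) and the key normally also holds an empty "URL Protocol" string value.
    $default = $props.'(default)'
    $isScheme = ($default -is [string] -and $default -like 'URL:*') -or
                ($props.PSObject.Properties.Name -contains 'URL Protocol')
    if (-not $isScheme) { continue }
    # shell\open\command names the external program the scheme launches.
    $cmdKey = Join-Path $key.PSPath 'shell\open\command'
    $command = if (Test-Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { '' }
    [pscustomobject]@{
        Scheme      = $key.PSChildName
        HighRisk    = ($highRisk -contains $key.PSChildName)   # -contains is case-insensitive
        Description = $default
        Command     = $command
    }
}

# High-risk handlers first, then the rest alphabetically, so unexpected schemes stand out.
$handlers |
    Sort-Object -Property @{ Expression = 'HighRisk'; Descending = $true }, Scheme |
    Format-Table -AutoSize
```

Any scheme that is flagged, or that launches a program nobody in the environment recognizes, is a candidate for the same permission hardening applied to file associations.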
Search for and delete the NeverShowExt values for high-risk file associations in HKCR, HKLM\Software\Classes, and HKCU\Software\Classes. At the very least, remove this registry value for the following file types:
- SHS
- SHB
- SHC
- LNK
- PIF
- XNK
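The search-and-delete step above, as an added PowerShell example that is not the book's own script: it first reports every ProgID under HKCR that still sets NeverShowExt, then removes the value for the six file types listed, in each of the three class hives named in the text. It assumes an elevated session; the value lives on the ProgID key (for example lnkfile), which it resolves from the extension key's default value, and -WhatIf turns the removal into a report only.

```powershell
# Added example (not the book's own code): find and remove NeverShowExt on the
# ProgIDs behind the high-risk extensions. Assumes an elevated session.
[CmdletBinding(SupportsShouldProcess)]
param([string[]]$Extensions = @('.shs', '.shb', '.shc', '.lnk', '.pif', '.xnk'))

# Report every ProgID under HKCR that still hides its extension, so the list can be
# extended with anything unexpected. GetValue returns $null when the value is absent.
Write-Host 'ProgIDs under HKCR with NeverShowExt set:'
Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
    Where-Object { $null -ne $_.GetValue('NeverShowExt', $null) } |
    ForEach-Object { "  $($_.PSChildName)" }

# The three class hives named in the text. HKCR merges the other two, but each is
# checked so a per-user override under HKCU\Software\Classes is not missed.
$hives = @('Registry::HKEY_CLASSES_ROOT',
           'Registry::HKEY_LOCAL_MACHINE\Software\Classes',
           'Registry::HKEY_CURRENT_USER\Software\Classes')

foreach ($hive in $hives) {
    foreach ($ext in $Extensions) {
        $extKey = Join-Path $hive $ext
        if (-not (Test-Path $extKey)) { continue }
        # NeverShowExt sits on the ProgID key (e.g. lnkfile, piffile), which the
        # extension key's default value names.
        $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }
        $progKey = Join-Path $hive $progId
        $props = Get-ItemProperty -Path $progKey -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains 'NeverShowExt')) {
            if ($PSCmdlet.ShouldProcess($progKey, 'Remove NeverShowExt')) {
                Remove-ItemProperty -Path $progKey -Name 'NeverShowExt'
            }
        }
    }
}
```

Removing the value from lnkfile makes Explorer show .lnk on every shortcut, which is the intended trade-off: a file named report.doc.lnk is then visible as what it is.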
By default, only Administrators (and Power Users) can create or change file associations. If end users are logged in as Administrators, you can still deny them the ability to change file associations through the Windows Explorer GUI (although they could still do it programmatically or using Regedit.exe). To enable the admin blocking feature, write a DWORD value of 00000000 to the NoFileAssociate value (you may need to create it) under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
Lastly, use a group policy object, local computer policy, or security template to automate hardening registry permissions. Chapter 14 covers this advice in more detail.