Hardening is the act of protecting a computer from all possible threats. This is not the same as blocking all “known” exploits, as blocking “unknown” exploits is just as important. Blocking unknown exploits may seem to be an impossible task, but there is a solution. The trick is to modify the configuration of the host to prevent entire categories of exploits. For example, fixing the buffer overflow in ASN1BERDecCheck of msasn1.dll will protect you from all possible variations of exploits that use the ASN.1 BER bit stream vulnerability, but an anti-virus solution will only protect you from a few well-known ASN.1 BER bit stream exploits.
This concept can be expanded to prevent the use of vulnerable services, prevent the alteration of critical files, prevent the viewing of sensitive data, prevent the reconfiguration of registry entries, prevent the execution of unsafe components, and so on. Steps can also be taken to secure communication channels, Internet zones, user accounts, and more.
Hardening a system prevents all forms of a known, or expected, exploit type. This form of protection can actually leverage previous exploits to secure all variations, where signature-based anti-virus protection is at the mercy of every new variation to existing exploits. To better introduce the concept of hardening, I recommend Samurai, a free hardening utility available from http://turbotramp.fre3.com, which can be used to fortify any Windows operating system. The Samurai HIPS are shown in Figure 14-1.
This tool currently has over 30 hardening options that can be individually selected to provide customized protection. Feel free to download (from the Wiley website) and test the various hardening techniques employed by Samurai. And don’t worry: Every configuration change can be undone, be it a registry modification, a file permission modification, a service modification, or even the removal of a file. Your machine will be restored to its original configuration whenever a security solution is unselected or whenever Samurai is uninstalled. However, be warned: Samurai has not been updated for over a year, and a lot of new exploits have been introduced since then. As such, Samurai is not currently a viable hardening tool for users who surf the Internet regularly.
At the time of this writing, the hardening techniques employed by Samurai include the following:
Disable known insecure ActiveX controls
Disable the AIM URL protocol handler
Prevent anonymous sessions
Disable automatic file open from Explorer
Stop the Background Intelligent Transfer Service
Disable dangerous URL protocols
Prevent denial-of-service attacks
Disable insecure job icon handlers
Set and secure My Computer zone
Disable dangerous .grp file conversions
Disable the Guest Account
Disable the HTML Application MIME type
Secure HTTP configuration parameters
Stop the Windows Indexing Service
Disable null session License Logging
Prevent LSASS (Sasser-based) exploits
Stop the Windows Messaging Service
Stop the Net DDE Service
Disable the Private Communication Transport
Disable the Remote Data Services DataFactory
Stop the Remote Registry Service
Disable RPC-based DCOM
Delete the backup password file
Disable the Shell URL protocol handler
Disable the Universal Plug and Play Service
Block unsolicited inbound Internet traffic
Disable Distributed Web Authoring
Disable the Windows Internet Naming Service
Check FRAME/IFRAME NAME field
Check image files for correctness
Block Internet Explorer Pop-ups
Prevent the loading of rootkits
Disable all known spyware
If nothing else, this list should serve to indicate the extent of the opportunities available to rootkit installation software. These vulnerabilities are not completely covered by anti-virus software, anti-spyware software, operating system updates, tightened browser security, or personal firewalls, leaving host-based intrusion prevention systems as the last line of defense in today’s security model.