Hardening is the act of protecting a computer from all possible threats. This is not the same as blocking all “known” exploits, as blocking “unknown” exploits is just as important. Blocking unknown exploits may seem to be an impossible task, but there is a solution. The trick is to modify the configuration of the host to prevent entire categories of exploits. For example, fixing the buffer overflow in ASN1BERDecCheck of msasn1.dll will protect you from all possible variations of exploits that use the ASN.1 BER bit stream vulnerability, but an anti-virus solution will only protect you from a few well-known ASN.1 BER bit stream exploits.

This concept can be expanded to prevent the use of vulnerable services, prevent the alteration of critical files, prevent the viewing of sensitive data, prevent the reconfiguration of registry entries, prevent the execution of unsafe components, and so on. Steps can also be taken to secure communication channels, Internet zones, user accounts, and more.

Hardening a system prevents all forms of a known, or expected, exploit type. This form of protection can actually leverage previous exploits to secure against all of their variations, whereas signature-based anti-virus protection is at the mercy of every new variation of an existing exploit. To better introduce the concept of hardening, I recommend Samurai, a free hardening utility available from http://turbotramp.fre3.com, which can be used to fortify any Windows operating system. The Samurai HIPS options are shown in Figure 14-1.

Figure 14-1: The Samurai HIPS options (image not reproduced)

This tool currently has over 30 hardening options that can be individually selected to provide customized protection. Feel free to download (from the Wiley website) and test the various hardening techniques employed by Samurai. And don’t worry: Every configuration change can be undone, be it a registry modification, a file permission modification, a service modification, or even the removal of a file. Your machine will be restored to its original configuration whenever a security solution is unselected or whenever Samurai is uninstalled. However, be warned: Samurai has not been updated for over a year, and a lot of new exploits have been introduced since then. As such, Samurai is not currently a viable hardening tool for users who surf the Internet regularly.

At the time of this writing, the hardening techniques employed by Samurai include the following:

  • Disable known insecure ActiveX controls

  • Disable the AIM URL protocol handler

  • Prevent anonymous sessions

  • Disable automatic file open from Explorer

  • Stop the Background Intelligent Transfer Service

  • Disable dangerous URL protocols

  • Prevent denial-of-service attacks

  • Disable insecure job icon handlers

  • Set and secure My Computer zone

  • Disable dangerous .grp file conversions

  • Disable the Guest Account

  • Disable the HTML Application MIME type

  • Secure HTTP configuration parameters

  • Stop the Windows Indexing Service

  • Disable null session License Logging

  • Prevent LSASS (Sasser-based) exploits

  • Stop the Windows Messaging Service

  • Stop the Net DDE Service

  • Disable the Private Communication Transport

  • Disable the Remote Data Services DataFactory

  • Stop the Remote Registry Service

  • Disable RPC-based DCOM

  • Delete the backup password file

  • Disable the Shell URL protocol handler

  • Disable the Universal Plug and Play Service

  • Block unsolicited inbound Internet traffic

  • Disable Distributed Web Authoring

  • Disable the Windows Internet Naming Service

  • Check FRAME/IFRAME NAME field

  • Check image files for correctness

  • Block Internet Explorer Pop-ups

  • Prevent the loading of rootkits

  • Disable all known spyware

If nothing else, this list should serve to indicate the extent of the opportunities available to rootkit installation software. These vulnerabilities are not completely covered by anti-virus software, anti-spyware software, operating system updates, tightened browser security, or personal firewalls, leaving host-based intrusion prevention systems as the last line of defense in today’s security model.
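The undo behaviour described for Samurai (every service change can be reversed) is easy to reproduce for the service-based items in the list above. The PowerShell below is an added example, not Samurai's code: it records each service's current status and start mode to a JSON file before stopping and disabling it, and can restore that state later. `RemoteRegistry` and `upnphost` are the real service names behind "Stop the Remote Registry Service" and "Disable the Universal Plug and Play Service"; the state-file path is an assumption, and the functions must run from an elevated prompt.

```powershell
# Reversible service hardening: snapshot, apply, undo.
# State file location is an assumption for this example.
$StateFile = Join-Path $env:ProgramData 'hardening-state.json'

function Save-ServiceState {
    param([string[]]$ServiceNames)
    $state = @{}
    foreach ($name in $ServiceNames) {
        # Skip services that do not exist on this Windows edition.
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        $cim = Get-CimInstance Win32_Service -Filter "Name='$name'"
        $state[$name] = @{ Status = "$($svc.Status)"; StartMode = $cim.StartMode }
    }
    $state | ConvertTo-Json | Set-Content -Path $StateFile
    return $state
}

function Invoke-ServiceHardening {
    param([string[]]$ServiceNames)
    # Always snapshot first so the change can be undone, as Samurai does.
    Save-ServiceState -ServiceNames $ServiceNames | Out-Null
    foreach ($name in $ServiceNames) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

function Undo-ServiceHardening {
    if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile" }
    $state = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    # Win32_Service reports 'Auto'; Set-Service expects 'Automatic'.
    $modeMap = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
    foreach ($prop in $state.PSObject.Properties) {
        $name  = $prop.Name
        $saved = $prop.Value
        Set-Service -Name $name -StartupType $modeMap[$saved.StartMode]
        if ($saved.Status -eq 'Running') { Start-Service -Name $name }
    }
}

# Example run (elevated): harden two of the services listed above, then revert.
Invoke-ServiceHardening -ServiceNames @('RemoteRegistry', 'upnphost')
# Undo-ServiceHardening
```

Registry and file-permission items from the list can be handled the same way, by saving the prior value or ACL before changing it.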

Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
Year: 2007
Pages: 229
Author: Ric Vieler

