When Windows 10 was released, I had the following options: either keep Windows 8 on my PC, or upgrade to Win10, with some advantages. The start menu was back (although I didn’t need it, since I’ve been using the great TrueLaunchBar utility for many, many years), it was a free upgrade (I know what you’ll think about this), and it allowed me to be more secure and test new features. On the other hand, it’s obvious Microsoft has shifted into the Cloud business and now heavily relies on data harvesting. That means I need to harden my laptop to prevent any data leaks.
If you want to understand how to set up a similar config, here is my step-by-step checklist of what I’ve done:
Step 1: Harden Windows 10
I won’t go into detail about patching and hardening Windows 10. It should be obvious that you need to install all updates and reduce the attack surface by disabling or uninstalling any unneeded feature.
I also use daily:
- Microsoft EMET 5.2, to apply exploit mitigations to poorly written apps.
- Sandboxie, a cool sandbox framework to test untrusted applications (and to run my 8 different Facebook test account profiles concurrently without Facebook complaining about it).
- OWASP ZAP / Burp Suite Pro, two great web proxies (more on that below).
- Winitor PEStudio and other similar tools to analyze executables.
- Process Hacker.
- and some other cool tools (check my utools.éé.net collection for some)
There is also a great script worth mentioning, which disables nearly all telemetry and data harvesting by Microsoft on Windows 10.
Step 2: Install VMware Workstation
or any alternative that:
- enables you to run VMs, and start them automatically at Windows startup
- enables you to use Layer-2 bridging to your wired network interface.
VMware Workstation adds a « VMware Bridge Protocol » network driver that does Layer 2 bridging, and lets you create VMs in « Shared Mode », which behave much as if they were running on ESX: automatic startup, and more.
That will enable you to install some security-dedicated VMs, such as a firewall and a syslog server:
Step 3: Isolate Windows from the Internet
It’s easy: go to Network and Sharing Center, open Change adapter settings, disable or uninstall any adapters you don’t use, and open the properties of your wired Ethernet adapter. Then untick every item, including IPv4 and IPv6! Yes, you won’t be using this network card from Windows anymore. Keep in mind that any adapter added later (a docking station or USB Ethernet dongle, a Wi-Fi card you re-enable, a VPN client’s virtual adapter) comes with the default bindings and would bypass this isolation, so check again whenever new hardware or drivers show up.
As you can see on the above screenshot, the only option left is the VMware Bridge Protocol, which passes frames straight from the wired interface to the virtual networks managed by VMware. That means Windows itself can’t use the interface at all, as it doesn’t even have an IP address on it. A quick check: once both protocols are unbound, `ipconfig /all` shows no IP configuration for that adapter.
I’ve made several Wireshark captures to check the behavior of this, and it seems reliable.
This makes it easy to either capture Windows only, or Windows plus additional traffic.
Step 4: Install the system firewall
For Windows, I use the paid version of Agnitum Outpost Firewall Suite. The main reasons are:
- There are « lifetime » offers. I only paid once, several years ago, and still get major updates.
- This seems to be the most configurable/tweakable firewall on Windows I have found so far. For example, I was able to write a rule for every single executable that needs to use the network, as on a professional firewall (or PF, or iptables). I admit that took me a lot of time (more than 300 rules), but once it’s done, it’s pretty cool!
- The logs can be set to very verbose, are stored in a text file and can be easily parsed. I currently use Multitail on Cygwin to get a realtime overview:
Here is a close-up:
As you can see, it’s quite verbose, and helps a lot in understanding any network or malware issue…
The firewall itself is configured in « paranoid mode »: it starts at Windows boot, requires a password to alter its configuration, blocks everything by default, and doesn’t have « auto-learn rules » enabled. That may seem harsh (and I had several issues even getting Windows to start properly at the beginning), but it finally works and I feel quite safe.
Step 5: Install an external firewall
Once your system firewall is correctly set, you need to add a secure routing device to allow Internet access. I chose pfSense, as it seems quite robust, reliable and easy to configure. The issue was running it alongside Windows, so it runs as a virtual machine on VMware Workstation on my laptop. So even if I move or travel, everything is embedded in my laptop and kept secure.
Basically, it acts as the only path for traffic between Windows and any outside network. Once booted, it sees the wired Ethernet interface as WAN and gets an IP address via DHCP. The LAN side is a host-only virtual network (vmnet) shared with Windows 10 only. My laptop’s Windows 10 gets its IP address from pfSense, and has no route out except through it.
Step 6: Configure the external firewall
I quickly realized Windows 10 was trying to call home all the time, for no particular reason (except data harvesting). The main issue is that the so-called « Cloud » means you have to block millions of IP addresses if you want to be a bit safe. So I set up my rules by AS number. pfSense doesn’t provide this out of the box, unfortunately, but with some patience I was able to collect the network ranges of the major ASes and enter them into pfSense:
This is also a long configuration to do, but it helped me check whether Windows 10 was calling home to Ireland or to the US, for example, as I had created different rulesets.
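Collecting an AS’s announced ranges by hand gets old quickly, and the ranges change over time, so here is a small script, added for this page and not part of the author’s setup, that turns the route objects an IRR database returns for a given ASN (for example `whois -h whois.radb.net -- '-i origin AS64500'`) into a one-prefix-per-line file that a pfSense « URL Table (IPs) » alias can fetch and refresh on a schedule. The ASNs, prefixes and file name are constructed for the example (private-use ASNs and documentation ranges stand in for real address space); covered and adjacent prefixes are collapsed, and RFC 1918 or other bogon space is dropped, since IRR data is self-registered and does contain junk.

```python
"""
Build a prefix list for a pfSense "URL Table (IPs)" alias from the IRR
route objects of one or more ASNs.

Added example, not the author's tooling. Assumed input: the plain-text
result of an IRR query (one 'route:'/'route6:' line and one 'origin:' line
per object, objects separated by blank lines). ASNs, prefixes and the
output file name are constructed for the example.
"""
import ipaddress
import re

# Constructed IRR output, NOT real routing data: AS64500/AS64501 are
# private-use ASNs and the prefixes are RFC 5737 / RFC 3849 ranges.
SAMPLE_WHOIS = """\
route:          203.0.113.0/24
descr:          CONSTRUCTED block 1
origin:         AS64500
source:         RADB

route:          203.0.113.0/25
descr:          more-specific, already covered by the /24 above
origin:         AS64500
source:         RADB

route:          198.51.100.0/25
origin:         AS64500
source:         RADB

route:          198.51.100.128/25
origin:         AS64500
source:         RADB

route6:         2001:db8:1::/48
origin:         AS64500
source:         RADB

route:          192.0.2.0/24
origin:         AS64501
source:         RADB

route:          10.0.0.0/8
descr:          junk object: RFC 1918 space must never end up in a WAN rule
origin:         AS64500
source:         RADB
"""

ROUTE_RE = re.compile(r"^route6?:\s*(\S+)\s*$", re.MULTILINE)
ORIGIN_RE = re.compile(r"^origin:\s*(AS\d+)\s*$", re.MULTILINE | re.IGNORECASE)

# Address space that must never appear in an Internet-facing rule,
# whatever the IRR says.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def parse_route_objects(text):
    """Yield (origin ASN, network) for each well-formed route/route6 object."""
    for block in re.split(r"\n\s*\n", text.strip()):
        route, origin = ROUTE_RE.search(block), ORIGIN_RE.search(block)
        if not route or not origin:
            continue  # aut-num or other object types: ignore
        try:
            net = ipaddress.ip_network(route.group(1), strict=True)
        except ValueError:
            continue  # garbage prefix: skip rather than poison the alias
        yield origin.group(1).upper(), net


def is_bogon(net):
    """True if the prefix overlaps private, loopback, link-local or multicast space."""
    return any(net.version == b.version and net.overlaps(b) for b in BOGONS)


def prefixes_for_asns(text, asns):
    """Collapsed, sorted, bogon-free prefixes originated by the given ASNs."""
    wanted = {a.upper() for a in asns}
    nets = [n for asn, n in parse_route_objects(text)
            if asn in wanted and not is_bogon(n)]
    # collapse_addresses() merges adjacent and covered prefixes, so pfSense
    # does not end up with a /25 that is already inside a /24.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in sorted(v4)] + [str(n) for n in sorted(v6)]


def write_alias_file(path, prefixes):
    """One CIDR per line, which is what a pfSense URL Table alias expects."""
    with open(path, "w") as fh:
        fh.write("\n".join(prefixes) + "\n")


if __name__ == "__main__":
    out = prefixes_for_asns(SAMPLE_WHOIS, ["AS64500", "AS64501"])
    print("\n".join(out))
    write_alias_file("ms_asn_ranges.txt", out)  # constructed file name
```

Serve the resulting file over HTTP on the LAN side (or drop it on the pfSense box itself), point the URL Table alias at it with a refresh interval, and use the alias in the WAN-side rules. Because pfSense is the only route out, anything Windows sends to those ranges is logged and dropped even when a process ignores the proxy settings.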
Step 7: Configure the external proxy server
All those rules apply to non-HTTP/HTTPS traffic to and from Windows. To get even more control over the traffic, I’ve set up a Squid server on my pfSense virtual machine, with authentication and SSL decryption (Squid’s SSL Bump). The configuration is quite basic so I won’t detail it here, but there are two important details.
First, **I’ve forbidden Windows from using my Squid server** (at least directly)! Squid listens by default, and I wanted full control over application behavior, so my Windows proxy configuration points to a local proxy (127.0.0.1), which is either ZAP or Burp Suite Pro depending on the need. I start it deliberately and only when needed, so Windows (or any malware, rootkit or legitimate app using the default system proxy settings) can’t get out at any other time!
Second, I use dedicated authentication on my Squid server for any application that I allow through, such as Firefox.
Each app uses different credentials, which lets me tell the log files apart and prevents any unauthorized app from getting out. Brilliant.
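To make the per-account log split actually useful, here is an added example (not the author’s own tooling) that parses Squid’s default native `access.log` format, sums traffic per account and flags three things: a request without credentials that was nevertheless served (the auth ACL is not in front of it), credentials that are not in the policy, and an app-bound account reaching a host outside its allow list. The last one matters because credentials saved in an app’s settings are readable by any process running under the same user account, so a Windows Update account fetching from an unrelated CDN means something other than the intended app is using those credentials. The log lines, hosts, account names and account-to-host policy are all constructed.

```python
"""
Per-application accounting over a Squid access.log where each allowed app
authenticates with its own account. Added example, not the author's setup.

Assumed log format (Squid native):
  time elapsed client code/status bytes method URL user hierarchy type
with user == '-' when the request carried no credentials.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(r"""
    ^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+
    (?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+
    (?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+
    (?P<hier>\S+)\s+(?P<ctype>\S+)\s*$""", re.VERBOSE)

# Constructed policy: hosts each Squid account may reach ("*" = anywhere).
POLICY = {
    "firefox": ("*",),
    "wu": ("windowsupdate.com", "microsoft.com"),  # Windows Update via local proxy
}

# Constructed log lines in Squid native format; hosts and IPs are illustrative.
SAMPLE_LOG = """\
1452000000.123    245 192.168.100.10 TCP_MISS/200 11234 GET https://www.mozilla.org/ firefox HIER_DIRECT/203.0.113.10 text/html
1452000001.456      0 192.168.100.10 TCP_DENIED/407 3812 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab - HIER_NONE/- text/html
1452000002.789    120 192.168.100.10 TCP_MISS/200 60104 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab wu HIER_DIRECT/203.0.113.20 application/octet-stream
1452000003.000     90 192.168.100.10 TCP_TUNNEL/200 4510 CONNECT addons.mozilla.org:443 firefox HIER_DIRECT/203.0.113.11 -
1452000004.000     50 192.168.100.10 TCP_MISS/200 250000 GET http://cdn.example-bad.net/payload.bin wu HIER_DIRECT/203.0.113.30 application/octet-stream
1452000005.000     40 192.168.100.10 TCP_MISS/200 1200 GET http://settings-win.data.microsoft.com/settings/v2.0/ - HIER_DIRECT/203.0.113.40 application/json
1452000006.000     30 192.168.100.10 TCP_MISS/200 300 GET https://api.example.org/ svc HIER_DIRECT/203.0.113.50 application/json
"""


def host_of(method, url):
    """Destination host: CONNECT carries host:port, everything else a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_access_log(lines):
    """Yield one dict per parseable line; blank or foreign lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ts": float(m["ts"]),
            "client": m["client"],
            "status": int(m["status"]),
            "bytes": int(m["bytes"]),
            "method": m["method"],
            "host": host_of(m["method"], m["url"]),
            "user": m["user"],
        }


def host_allowed(host, suffixes):
    """Exact match or subdomain of an allowed suffix (no substring tricks)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit(lines, policy=POLICY):
    """Return (per-account summary, findings).

    Findings are (kind, account, host) tuples:
      unauthenticated_served  no credentials, yet a 2xx/3xx was returned
      unknown_account         credentials exist in Squid but not in policy
      host_not_allowed        app-bound account used outside its allow list
    """
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set()})
    findings = []
    for rec in parse_access_log(lines):
        user, host, status = rec["user"], rec["host"], rec["status"]
        s = summary[user]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["hosts"].add(host)
        if user == "-":
            if status < 400:  # a 407 challenge is normal; a 2xx/3xx is not
                findings.append(("unauthenticated_served", user, host))
            continue
        allowed = policy.get(user)
        if allowed is None:
            findings.append(("unknown_account", user, host))
        elif "*" not in allowed and not host_allowed(host, allowed):
            findings.append(("host_not_allowed", user, host))
    return dict(summary), findings


if __name__ == "__main__":
    summary, findings = audit(SAMPLE_LOG.splitlines())
    for user, s in sorted(summary.items()):
        print(f"{user:10} {s['requests']:3} req {s['bytes']:8} B  {', '.join(sorted(s['hosts']))}")
    for kind, user, host in findings:
        print(f"FINDING {kind}: account={user} host={host}")
```

Run it against the real `access.log` (`audit(open(path))`) after filling in the policy with your own account names; the `-` account with a 407 is what every first request from an authenticating app looks like, so only served unauthenticated requests are reported.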
Step 8: Install and configure the local proxy
For Windows and applications that I don’t really trust or want to understand better, I have an additional proxy that I start on demand. This can be either OWASP ZAP or PortSwigger Burp Suite Pro, depending on the needs. That gives me even more details on the transactions, especially those from Windows Update or BITS transfers (by default, I don’t like transfer services that claim to be « Background and Intelligent », nor the fact that they connect to domains such as « skynet » or « wunderground »!)
It is itself chained to the pfSense Squid proxy, so that Java never gets out of control (unfortunately both are Java applications, which I hate).
Step 9: Make offline backups
Two rules of thumb: always do full offline backups, and check them regularly. And keep them forever!
I do monthly full backups. Never online, to avoid any « contamination » issue. So I power off my laptop, and either boot from a dedicated Linux CD that contains my backup software, or pull the hard drive and clone it on another system. This makes sure no malware or system « feature » can alter the backup. I also try to restore some of my backups (at least once a year) onto a new hard drive to see if it still boots.
Another paranoid trait of mine is never to delete any of my backups. That means I tend to buy a lot of 2 TB hard drives (they are relatively cheap in Switzerland), but it also makes sure that if for any reason I get infected, or have a doubt about an APT attempt, I still have all my former backups to compare against.
I also, from time to time, take full live memory snapshots! Just in case some APT might have gotten through all my defenses, and also because it’s fun to play with the Volatility or Rekall memory forensics toolkits. For this, I tend to use the free RamCapture tool from Belkasoft. It works flawlessly even on 64-bit Windows 10.
Step 10: Relax and enjoy
That’s it!
I have to admit I couldn’t help installing a second VM with a syslog server, to remote-log everything from pfSense and Windows, so those precious logs aren’t corrupted or destroyed if someone or an APT manages to infect my system. But that’s more than extra paranoid, I know.
One question I guess you’re about to ask: performance? Well, I’m quite happy with it; all this setup doesn’t slow my PC down much. I’m still able to play CPU/GPU-intensive 3D games on Steam without hassle, run demos and more!
And obviously I’ve done quite a similar setup on my home network, but that’s another story (it was my last InsomniHack featured talk in 2015, but I haven’t disclosed the slides… yet, mostly because I disclosed too many details of my home setup that might have helped attackers).
So, enjoy, make the config work and relax. And if you do so, just tell me, I’m curious.
Update 14 Jan 16: My Windows system is now sending all its logs to the syslog server VM, thanks to this open-source syslog agent for Windows:
Comment by Romain on 2016-01-05 16:01:19 +0200
Nice blog post, but why not using full disk encryption ?
Comment by Bruno Kerouanton on 2016-01-06 10:56:33 +0200
You’re right on this one. Yes, I should use full disk encryption, and have already messed around with TrueCrypt and BitLocker in the past. That led to some major issues that « traumatized » me:
– Having suffered several major disk crashes in the past, not using full disk encryption saved my day, since I was able to use my forensic tools and recover files. I now estimate that the most important risk is not my laptop being stolen or lost, but outside (network) threats. Maybe I’m wrong; anyway, this is my current view.
– Using full disk encryption is cool, but it would prevent me from making full offline disk backups as I currently do, and even more, from doing forensic analysis on my own hard drives to look for suspicious items. Again, I may be wrong, and maybe some cool backup/forensic tools exist that can cope with encrypted disks, but for now I just encrypt my backups, that’s all.
Comment by dummys on 2016-01-07 10:43:46 +0200
In the end, why not simply use Linux with Windows VMs?
Comment by lowlevel on 2016-01-13 10:56:13 +0200
Meh... well, if being an expert means only using third-party software... omg, the level of this post is ridiculous... :-/
Comment by Bruno Kerouanton on 2016-01-14 16:00:37 +0200
I’m not pretending to be an expert and never did. I’m just a CISO 😉
Anyway, if I published this post, it’s simply because I believe some people out there may be interested in setting up a similar config for their own needs. And what about you, did you publish any interesting hardening solution for other people to use?
Comment by nuartvision on 2016-01-27 11:53:49 +0200
Any ideas for an Outpost substitute? As they sold everything to Yandex, they will stop support in Dec. 2016 and are now giving out Kaspersky licenses (with a firewall unable to break connections of the user’s choice).
Comment by Bruno Kerouanton on 2016-01-27 16:02:01 +0200
Hi, thanks for your comment.
You’re totally right on this point. Agnitum being incorporated into Yandex is terrible news, as I don’t have any decent firewall that could replace it. As far as I know, all competitors offer less flexible solutions, which is not acceptable.
We have 11 months left to find a decent solution… any help appreciated !
Comment by Bruno Kerouanton on 2016-01-27 16:06:24 +0200
That may also be good, but not for my specific use. I enjoy using Windows natively because I’m sure it handles all peripherals, devices and other hardware features smoothly and flawlessly. The second reason is that my most CPU/GPU-intensive applications run on Windows, not Linux. So I prefer using Windows natively and Linux in VMs. At home, it’s different, since I do the opposite (I run an ESX server with both Linux and Windows).
Comment by Varun Agrawal on 2016-01-27 23:12:02 +0200
I used to think I was the only one who is unnecessarily paranoid about security, and then I found you. I think you shouldn’t undervalue full disk encryption. I’m not sure what you are trying to achieve by forensic analysis, but both BitLocker and Acronis True Image are good products and offer complete encryption.
I suspect you have a much higher chance of data being stolen from a stolen laptop than by malware.
P.S. You may want to try CryptoTE. It is pretty good 🙂
Comment by Varun Agrawal on 2016-01-27 23:17:36 +0200
Oh btw, regarding firewalls, I don’t know what features Outpost Pro supports, but I use WFC (Windows Firewall Control). It is pretty powerful too. Other than this,
Comment by Varun Agrawal on 2016-01-27 23:17:55 +0200
Oh btw, regarding firewalls, I don’t know what features Outpost Pro supports, but I use WFC (Windows Firewall Control). It is pretty powerful too.
Comment by Bruno Kerouanton on 2016-01-28 00:09:59 +0200
Thanks for the tip, I’ll definitely check it out. Anyway, the reason I dislike full disk encryption is that I really had data loss and disk failure issues before, which I would never have been able to recover from if I had encrypted my disk. You can argue I had backups. I did, but if you don’t do full or near-real-time backups (as is done on OS X with Time Machine), you’re quite sure to lose something valuable…
Anyway, I’ll probably think about another strategy to protect my data, and start disk encryption.
Comment by Bruno Kerouanton on 2016-01-28 00:14:53 +0200
Again, thanks for the tip. That seems neat and I’ll have a look. But my point in using Agnitum Outpost was to make sure I had a second firewall, independent from Microsoft’s, to layer security. As a security best practice it’s often said to mix technologies and vendors, just in case one of them has a backdoor or a flaw.
Since you’re mentioning the native Windows Firewall, I want to mention the free Microsoft Message Analyzer, which is also a great tool to investigate/check all kinds of logs and events, from network and firewall to USB, Event Viewer and more. It’s available here.
Comment by Varun Agrawal on 2016-01-30 21:25:11 +0200
Yes! You are right! And I checked Microsoft Message Analyzer. It is quite powerful, with lots of features!
One more tip (you don’t have to follow it 😉). Consider using services like Disqus on your blog to increase engagement. I was only able to see your last comment because I had the page bookmarked. Not everyone bookmarks pages wherever they comment. An e-mail notification of the reply can be very helpful.
Comment by Jigar Solanki on 2016-06-15 11:06:40 +0200
Hello Bruno 🙂
Cool post actually.
I was wondering if it would be possible to get your pfSense XML config (of course, without all the password hashes! haha), particularly regarding the AS numbers and the Squid config please.