When Windows 10 was released, I had the following options: either keep Windows 8 on my PC, or upgrade to Win10, with some advantages. The start menu was back (although I didn’t need it, since I have been using the great TrueLaunchBar utility for many years), it was a free upgrade (I know what you’ll think about this), and it allowed me to be more secure and test new features. On the other hand, it’s obvious Microsoft has shifted into the Cloud business, and now heavily relies on data harvesting. That means I need to harden my laptop to prevent any data leaks.
If you want to understand how to set up a similar config, here is my step-by-step checklist of what I’ve done:
Step 1: Harden Windows 10
I won’t go into details about patching and hardening Windows 10. It seems obvious that you need to install all updates and reduce the attack surface by disabling or uninstalling any unneeded feature.
I also use daily:
- Microsoft EMET 5.2, to add exploit mitigations for poorly written apps.
- Sandboxie, a cool sandbox framework to test unsure applications (and to be able to run my 8 different Facebook test account profiles concurrently without Facebook complaining about it).
- Owasp Zap Proxy / Burp Suite Pro, two great web proxies (more on that below).
- Winitor PEStudio and other similar tools to analyze executables.
- Process Hacker.
- and some other cool tools (check my utools.éé.net collection for some).
There is also a great script that I’d like to mention, that disables nearly all telemetry and data harvesting from Microsoft on Windows 10.
Step 2: Install VMware Workstation
or any alternative that:
- enables you to run VMs, and start them automatically at Windows startup
- enables you to use Layer-2 bridging to your wired network interface.
VMware Workstation adds a « VMware Bridge Protocol » network driver that does Layer 2 bridging, and enables you to create VMs in « Shared Mode », which behave quite similarly to VMs running on ESX: auto-startup, and more.
That will enable you to install some security-dedicated VMs, such as a firewall and a syslog server:
Step 3: Isolate Windows from the Internet
It’s easy: go to Network and Sharing Center, change your adapter settings, disable or uninstall any adapters you don’t use, and open your wired Ethernet adapter configuration. Then disable all items, including IPv4 and IPv6! Yes, you won’t be using this network card from Windows anymore.
As you can see on the above screenshot, the only option left is the VMware Bridge Protocol, which directly bridges traffic from the wired interface to the virtual networks managed by VMware. That means Windows itself isn’t able to use the interface for routing, as it doesn’t even have an IP address on it.
I’ve made several Wireshark captures to check the behavior of this, and it seems reliable.
This makes it easy to either capture Windows only, or Windows plus additional traffic.
Step 4: Install the system firewall
For Windows, I use the paid version of Agnitum Outpost Firewall Suite. The main reasons are:
- There are « lifetime » offers. I only paid once, several years ago, and still get major updates.
- This seems to be the most configurable/tweakable firewall on Windows I have found up to now. For example, I was able to configure every single executable file that needs to use the network, like on a professional firewall (or PF, or iptables). I admit that took me a lot of time (more than 300 rules), but once it’s done, it’s pretty cool!
- The logs can be set to very verbose, are stored in a text file and can be easily parsed. I currently use Multitail on Cygwin to get a real-time overview:
Here is a close-up:
As you can see, it’s quite verbose, and helps a lot in understanding any network or malware issues…
The firewall itself is configured in « paranoid mode »: it starts at Windows boot, requires a password to alter its configuration, blocks everything by default, and doesn’t have « auto-learn rules » enabled. That may seem harsh (and I had several issues even getting Windows to start properly at the beginning), but it finally works and I feel quite safe.
Step 5: Install an external firewall
Once your system firewall is correctly set, you need to add a secure routing device to allow Internet access. I chose PFsense, as it seems quite robust, reliable and easy to configure. The issue was running it alongside Windows, so it runs as a virtual machine on VMware Workstation, on my laptop. So even if I move or travel, everything is embedded on my laptop and kept secure.
Basically, it acts as the only way to route traffic between Windows and any outside network. Once booted, it sees the wired Ethernet interface as WAN and gets an IP address via DHCP. The LAN side is a host-only virtual network (vmnet) shared with Windows 10 only. My laptop’s Windows 10 gets its IP address from PFsense, and is forced to route traffic through it.
Step 6: Configure the external firewall
I quickly realized Windows 10 was trying to call home all the time, for no particular reason (except data harvesting). The main issue is that the so-called « Cloud » means you’ve got to block millions of IP addresses if you want to be a bit safer. So I set up my rules by AS numbers. PFsense unfortunately doesn’t provide this natively, but with some patience I was able to define the major AS network ranges and enter them into PFsense:
This is also a long configuration to do, but it helped me check whether Windows 10 was calling home in Ireland or in the US, for example, as I had created different rulesets.
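To show the mechanics of the per-AS rulesets described above, here is an added example (not from the original post) that collapses a collected list of prefixes for an AS into the one-CIDR-per-line text a PFsense URL Table alias fetches, and tells which alias a destination IP from the firewall log falls in. The prefixes and alias names are constructed sample data, not real AS ranges.

```python
"""Aggregate collected AS prefixes into pfSense-style alias files, and check
which alias a destination IP seen in the firewall log falls in.

Added example, not from the original post. The prefixes below are
constructed sample data, not real AS ranges: replace them with the
ranges you gathered per AS.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample data: alias name -> prefixes gathered for one AS.
# Overlapping and adjacent blocks are included on purpose to show collapsing.
AS_PREFIXES: Dict[str, List[str]] = {
    "AS_EXAMPLE_EU": ["198.51.100.0/25", "198.51.100.128/25", "198.51.100.64/26"],
    "AS_EXAMPLE_US": ["203.0.113.0/24", "2001:db8:1::/48"],
}


def collapse(prefixes: Iterable[str]) -> List[str]:
    """Merge overlapping/adjacent prefixes into the smallest CIDR set, per family."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    out: List[str] = []
    for version in (4, 6):  # collapse_addresses refuses mixed address families
        fam = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(fam))
    return out


def alias_file(prefixes: Iterable[str]) -> str:
    """One CIDR per line: the format a pfSense URL Table (IPs) alias fetches."""
    return "\n".join(collapse(prefixes)) + "\n"


def match_alias(ip: str, table: Dict[str, List[str]] = AS_PREFIXES) -> Optional[str]:
    """Name of the alias whose ranges contain ip, or None if no alias matches."""
    addr = ipaddress.ip_address(ip)
    for name, prefixes in table.items():
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=False)
            if net.version == addr.version and addr in net:
                return name
    return None


if __name__ == "__main__":
    for name, prefixes in AS_PREFIXES.items():
        print(f"# {name}\n{alias_file(prefixes)}")
    for dst in ("198.51.100.77", "2001:db8:1::5", "192.0.2.1"):
        print(dst, "->", match_alias(dst))
```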
Step 7: Configure the external proxy server
All those rules cover non-standard traffic (other than HTTP or HTTPS) coming from or going to Windows. To get even more control over the traffic, I’ve set up a Squid server on my PFsense virtual machine, with authentication and SSL decryption. The configuration is quite basic so I won’t detail it here, but there are two important details.
First, I’ve *forbidden* Windows to use my Squid server (at least directly)! As Squid starts by default, and I wanted full control over application behavior, my Windows proxy configuration is set to reach a local proxy (127.0.0.1), which can be either Zap Proxy or Burp Suite Pro depending on the need. I only start it on purpose, when needed, so Windows (or any malware/rootkit/legit app using the default system settings) won’t be able to get out at any other time!
Second, I use dedicated authentication on my Squid server for any application that I allow to go through, such as Firefox.
Each app uses different credentials, allowing me to discriminate log files and prevent any unauthorized app from going out. Brilliant.
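The per-application credentials make the Squid log itself a detection source. As an added example (not from the original post), the script below splits a Squid access.log by proxy user and lists the requests Squid refused, either because no credentials were sent (407) or because an authenticated app hit an ACL (403). It assumes Squid’s default access log format, where the 8th field is the user name; the log lines are constructed sample data.

```python
"""Split a Squid access.log by proxy user (one credential per application)
and flag requests Squid refused to let out.

Added example, not from the original post. Assumes Squid's default access
log format, whose 8th field is the authenticated user (%un, '-' when no
credentials were sent). The log lines are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

SAMPLE_LOG = """\
1452700000.123    245 192.168.200.10 TCP_MISS/200 5123 GET https://example.org/ firefox HIER_DIRECT/203.0.113.10 text/html
1452700001.456      0 192.168.200.10 TCP_DENIED/407 3800 GET http://example.net/ - HIER_NONE/- text/html
1452700002.789    130 192.168.200.10 TCP_MISS/200 900 GET http://example.com/x thunderbird HIER_DIRECT/203.0.113.20 text/plain
1452700003.001      0 192.168.200.10 TCP_DENIED/403 3600 CONNECT example.org:443 firefox HIER_NONE/- -
"""


class Entry(NamedTuple):
    ts: float
    client: str
    result: str  # Squid result code, e.g. TCP_MISS or TCP_DENIED
    status: int  # HTTP status returned to the client
    method: str
    url: str
    user: str    # proxy_auth user name, '-' if none was presented


def parse_line(line: str) -> Entry:
    f = line.split()
    result, status = f[3].split("/")
    return Entry(float(f[0]), f[2], result, int(status), f[5], f[6], f[7])


def parse_log(text: str) -> List[Entry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def by_user(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """One bucket per credential, i.e. per application in this setup."""
    buckets: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        buckets[e.user].append(e)
    return dict(buckets)


def refused(entries: List[Entry]) -> List[Entry]:
    """Requests that did not get out: no credentials (407) or denied by ACL (403)."""
    return [e for e in entries if e.result == "TCP_DENIED" or e.user == "-"]
```

An entry with user `-` is an application that reached Squid directly without credentials, which in this setup should never happen.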
Step 8: Install and configure the local proxy
For Windows and applications that I don’t really trust or want to better understand, I have an additional proxy that I start on demand. This can be either Owasp Zap Proxy or Portswigger Burp Suite Pro, depending on the needs. That gives me even more details on the transactions, especially the ones from Windows Update or BITS transfers (by default, I don’t like transfer services that claim to be « Background and Intelligent », nor the fact that they connect to domains such as « skynet » or « wunderground »!)
It is itself chained to the PFsense Squid proxy, so that Java never gets out of control (unfortunately those are Java applications, I hate that).
Step 9: Make offline backups
Two rules of thumb: always do full offline backups, and regularly check them. And keep them forever!
I do monthly full backups. Never online, to avoid any « contamination » issue. So I power off my laptop and either boot a dedicated Linux CD that contains my backup software, or extract the hard drive to clone it on another system. This helps me make sure no malware or system « feature » will alter the backup. And I also try to restore some of my backups (at least once a year) on a new hard drive to see if it still boots.
Another paranoid trait of character I have is to never delete any of my backups. That means I tend to buy a lot of 2 TB hard drives (those are relatively cheap in Switzerland), but it also helps me make sure that, if for any reason I get infected or have a doubt about any APT attempt, I still have all my former backups to compare with.
I also, from time to time, take live full memory snapshots! Just in case some APT might have gotten through all my defenses, and also because it’s fun to play with the Volatility or Rekall memory forensics toolkits. For this, I tend to use the free RamCapture tool from Belkasoft. It works flawlessly even on 64-bit Windows 10.
Step 10: Relax and enjoy
That’s it!
I have to admit I couldn’t help installing a second VM with a syslog server, to remote-log everything from PFsense and Windows, so those precious logs aren’t corrupted or destroyed in case someone or an APT is able to infect my system. But that’s more than extra paranoid, I know.
One question I guess you’re about to ask: performance? Well, I’m quite happy with it; all this setup doesn’t slow my PC down much. I’m still able to play CPU/GPU-intensive 3D games on Steam without hassle, run demos and more!
And obviously I’ve done quite a similar setup on my home network, but that’s another story (it was my last InsomniHack featured talk in 2015, but I haven’t disclosed the slides… yet, mostly because I disclosed too many details on my home setup that may have helped attackers).
So, enjoy, make the config work and relax. And if you do so, just tell me, I’m curious.
Update 14 Jan 16: My Windows system is now sending all its logs to the syslog server VM, thanks to this open-source syslog agent for Windows: