So a few weeks ago I asked the forum what they thought to a Windows security guide, to which people thought it was a good idea.
Now one may think Windows 10 is secure by default, and windows includes these safe guards in Windows 10, but they are disabled by default, this allows maximum application compatibility and ease of use for the average end user who may not even care about security and thinks geek squad can fix any virus with Mcafee/Norton, by the way anti-virus is pointless now and should not be used, just rely on Windows 10 Defender, its free and Microsoft can out class any vendor easily.
This guide will also cover Windows 10 Pro or higher only, Windows 10 Home cannot be considered secure without heavy modification and modifications cannot always be verified, it lacks a majority of excellent security features and should never ever be installed on a laptop, workstation or any security sensitive device in my personal opinion, its designed for home desktops.
Video recommendations for the time being
While the text below is being written (this will take time) I will post some videos from an industry expert called Sami Laiho,He is a Microsoft Most Valued Person multiple years in a row and I know his content well and he has taught me a lot, there are others but I don’t know their content as well.
These are useful if you wish to go faster than I can post, check his Winfu dojo for more expert training which is not covered here or at youtube.
Mastering the Lions PAW - Sami laiho Ignite 2017
This is using Microsoft concept of privileged access workstations but changed slightly for people who are not military or need ultimate security.
Good starting point to get ideas of what to do.
Sami Laiho Recommendations 2018
A quick video on what you should be doing to help improve security.
Sami Laiho, why no admins and we need bitlocker
This covers my two current points in more detail and shows the attack I explained in the bitlocker section and have also personally used, I learned it from Sami and it shows how easy and quick it is once mastered.
STANDARD USER ACCOUNT
Lets begin with this, Windows becomes around 90% with one simple change to the operating system, this is called a standard user.
The first account you create in Windows is classed as Administrator, it has to be to administer the system, while this is not the highest level account in Windows, its still a dangerous account as it can still administer the system.
So the solution is to create a standard user, this user and its group called users is restricted, it cannot change settings and install applications without elevation to administration and even when it does it does not fully elevate, this is another technique called impersonation and is one of the corner stones of how Windows permissions and rights work, but that’s not for now.
So for example you are logged into a fresh Windows install and at the desktop, you would then go to users and groups which is inside Microsoft Management Console or MMC.exe.
Then you create a new user account under the standard user group, create a secure password, log out and into the new user and well done your system is 90% more secure, as long as you never directly log in with the administrator account again.
So why does this work so well? this is simple because the user does not have modify/write/execute to critical files and if it needs to access any critical files the operating system will ask for administrator to say yes, in addition to this is can improve the lifespan of a Windows install as less junk is being written by administrators account.
This is why I do not use less than Windows 10 Pro, Bitlocker is one of the most powerful protection systems in Windows against local attacks, it is almost impossible to bypass by any attack unless using Direct Memory Access (DMA) based attacks as it can reveal the Bitlocker secret which is required for decryption.
So enabling Bitlocker is simple, for none enterprise or business the standard 128bit AES encryption cipher will work fine, a thief is never going to break 128bit encryption unless he works for the government.
So type bitlocker and allow it to enable, this will encrypt your entire drive so when removed and installed in a different system it will ask for a password or recovery key.
But that’s not its most valuable feature, to me personally at least.
The Windows usb installer is one of the most dangerous tools against Windows, it can break any version of Windows with a few commands, and when I mean break I mean allow the user to have full system access without even logging in, this uses the system32 account which is the highest and most dangerous account in Windows and can issue any command without question.
How this works can be explained simply, when Bitlocker, Secure boot and TPMs are enabled (Which is default on modern systems) something called a hash is taken, the system MUST check against this number to allow a successful boot. if anything in the hash is changed Bitlocker will prompt for a recovery key given when you setup Bitlocker.
Now if you where to make a change to a Windows 10 system via USB and then boot, the hash value will change prompting a key, hence the way side load attacks are stopped.
TO BE CONTINUED WHEN I HAVE MORE TIME