By: Divya Bora
January 10, 2022
Windows Security Fundamentals
WHAT IS COMPUTER SECURITY?
Computer security preserves computing systems by preventing and detecting any unauthorized attempt to use the computer. Prevention assists in ceasing unauthorized access, and detection assists in determining if someone who tried to break into the system was successful or not.
Computer security is essential as it helps protect the personal information or organizational data resources stored on the computer, prevents theft of data, viruses, and malware, and prevents unauthorized access.
Now that one is aware of the importance of computer security, we will secure a computer that has windows installed.
HOW CAN WE MAINTAIN WINDOWS SECURITY?
Here we will learn more about the Fundamentals of Windows Security. We will see what each fundamental does and how they ensure our Windows system’s security.
1. Windows Information Protection (WIP) with VPN
WIP separates enterprise data from personal data and protects it from being disclosed, whether on personal devices or within the organization. It doesn’t need any environmental change and applies to Windows 10 or 11. WIP used with Rights Management Services (RMS) can protect enterprise data locally. When integrated with the Windows 10/11 VPN client, WIP is often used for file access blocking, file encryption, restricting sharing operations, protecting intranet resources over an organization’s network, and protecting cloud resources over VPN. WIP doesn’t require any specific AppTriggerList or TrafficFilterList rules because they are automatically defined.
We should know the protection modes that WIP offers:
Silent - In this mode, WIP runs silently, logs inappropriate data sharing, and stops disallowed actions such as applications inappropriately attempting to access WIP-protected data or a network resource.
Allow Overrides - In this mode, WIP searches for inappropriate data sharing and warns the users if they perform an action that may be potentially unsafe.
Block - In this mode, WIP searches for inappropriate data sharing and stops the user from completing such actions. A couple of blocked actions are sharing information across non-protected applications which are not a part of the corporate network and sharing corporate data between devices and people outside the organization.
Off - WIP is turned completely off in this mode and doesn’t audit or protect the user’s data.
Now let’s see how we can create a WIP policy:
- First, sign in to the Microsoft Endpoint Manager admin center.
- Navigate to Apps > App Protection Policies > Create a policy
- Add a Name (a name for the policy), Description (This is optional, describe the policy), Platform (Choose Windows 10 for the supported platform for your WIP policy), and Enrollment state (Choose without enrollment as the state of the policy)
- Click on Create, and the policy will be created. The created policy will be visible in the App protection policies pane.
2. Windows Defender Firewall
A firewall is a system used to maintain network security. It assists in monitoring and controlling all the incoming or outgoing network traffic based on default preset security rules. Windows Firewall, also known as Windows Defender Firewall (in Windows 10), acts as a barrier between a trusted and an untrusted network. Users can add programs to the allowed programs list so that the specific programs can communicate through the firewall. If the computer is on a public network, it’s the Windows Firewall’s responsibility to secure the system by blocking all unsolicited attempts to connect to the system.
We should know that Windows Defender Firewall has the following network profile types:
Public or Guest profile - This profile is generally used in public places as the settings of this profile limit access to the system from the network and prevent its detection to quite an extent.
Private profile - This profile is responsible for getting the system discovered on the network by other devices to share files or printers.
Domain profile - This profile is generally used when the system joins an Active Directory network.
To open the Windows Defender Firewall settings panel, we will first run the classic Control Panel and go to System and Security > Windows Defender Firewall. Let us understand some best practices to keep our system safe:
- Click on the “Turn Windows Defender Firewall on/off” button on the left side if the firewall is not enabled.
- Click on the “Restore defaults” button on the left side to restore the settings to the default configuration.
- Click on the “Advanced Settings” button on the left side to allow or block any inbound or outbound connections for a specific profile.
- Click on “Outbound Connection” > “Block” on all three tabs. This will deny the outbound connections for all programs except those allowed.
- To add an Outbound Rule, click on “Outbound Rules” > “New Rule” > “Program” > “This Program Path” > “Allow the connection” > Add a name, and that rule will appear in the list. Similarly, one can create an Inbound Rule as well.
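The same best-practice steps, as an added example that is not part of the original article, expressed with the NetSecurity cmdlets that ship with Windows 10/11; the program path is an assumed placeholder, and the commands need an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Assumes an elevated prompt;
# the program path is a placeholder.

# 1. Make sure the firewall is enabled on all three profiles and block
#    outbound traffic by default, matching "Outbound Connection > Block".
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Allow only the programs that need to talk out, one rule per program.
$programPath = 'C:\Program Files\ExampleApp\example.exe'   # placeholder path
New-NetFirewallRule -DisplayName 'Allow ExampleApp outbound' `
    -Direction Outbound -Program $programPath -Action Allow `
    -Profile Domain,Private,Public

# 3. Verify: every profile should show Enabled = True with both default
#    actions set to Block, and the new rule should be listed as enabled.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'Allow ExampleApp outbound' |
    Select-Object DisplayName, Direction, Action, Enabled
```

Blocking outbound by default means any program without an explicit allow rule loses network access, so test the allow list before rolling it out widely.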
3. IP Security (IPSec)
IP Security (IPSec) is an Internet Engineering Task Force (IETF) standard suite of protocols that secures communication between two endpoints within an IP network. It provides integrity, confidentiality, and data authentication. The protocols required for secure key exchange and key management are predefined in IPSec, which also determines whether packets are encrypted, decrypted, or authenticated. IPSec is generally used to protect network data, provide authentication without encryption, provide security to routers, and encrypt application layer data.
IPSec runs directly on top of the Internet Protocol (IP). The IPSec suite comprises:
Encapsulating Security Protocol (ESP) is responsible for encrypting the IP header and the payload for each packet. It adds its own header and trailer to every data packet to provide authentication. ESP also provides encryption, anti-replay protection (no unauthorized retransmission of packets), and data integrity.
Authentication Header (AH) ensures that data packets are tamper-proof and sent by a trusted source. It also provides authentication, data integrity, and anti-replay (no unauthorized transmission of packets) but no encryption or confidentiality.
Security Association (SA) refers to the protocols used to negotiate encryption keys and algorithms. An SA establishes shared security attributes between two network entities to ensure secure communication. One of the most widely used SA negotiation protocols is Internet Key Exchange (IKE).
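To make the ESP-versus-AH distinction concrete, here is an added example (not from the original article) that defines one proposal of each kind and attaches them to a Windows IPsec connection security rule using the NetSecurity module; the rule names, the remote subnet and the cipher choices are assumptions.

```powershell
# Added example (not from the original article). Names, subnet and crypto
# choices are assumptions; run from an elevated prompt.

# ESP proposal: the payload is encrypted (AES-256) and integrity-protected
# (SHA-256); ESP also provides anti-replay protection.
$esp = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -ESPHash SHA256 -Encryption AES256

# AH proposal: integrity and origin authentication for the whole packet,
# but no encryption, so the payload remains readable on the wire.
$ah = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH -AHHash SHA256

# List the ESP proposal first so it is preferred; AH is only the fallback.
$cryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'Example QM crypto set' `
    -Proposal $esp, $ah

# Require IPsec for inbound traffic from the (assumed) server subnet and
# request it for outbound traffic; the peers negotiate the SA with IKE.
New-NetIPsecRule -DisplayName 'Example: protect server subnet' `
    -RemoteAddress 10.0.10.0/24 `
    -InboundSecurity Require -OutboundSecurity Request `
    -QuickModeCryptoSet $cryptoSet.Name

# Inspect the rule, and the negotiated security associations once traffic flows.
Get-NetIPsecRule -DisplayName 'Example: protect server subnet'
Get-NetIPsecQuickModeSA
```

Get-NetIPsecQuickModeSA is the quickest way to confirm whether a live connection ended up using ESP or AH and which algorithms were agreed.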
4. Microsoft Enhanced Mitigation Experience Toolkit (EMET)
EMET is a freeware security toolkit for the Windows operating system developed by Microsoft. It is supported by all released versions of Windows but is recommended for apps running on Windows XP, as that version lacks some essential security controls incorporated in newer versions of Windows. EMET adds a layer of security against malware and sits after the firewall and before the antivirus software. EMET assists in defending against potentially vulnerable legacy and third-party applications.
EMET uses the following mitigation techniques:
- Anti-Return Oriented Programming is used to prevent hackers from bypassing Data Execution Prevention (DEP).
- Structured Exception Handler Overwrite Protection (SEHOP) prevents attempts to exploit stack overflows.
- Data Execution Prevention (DEP) prevents malicious code use in the system’s memory.
- SSL/TLS certificate trust pinning helps detect man-in-the-middle (MITM) attacks that leverage the public key infrastructure.
- Export address table access filtering prevents the malicious exploit from locating a function.
- Mandatory address space layout randomization makes it tough for exploits to locate specific addresses in a system’s memory.
Let us understand how to use EMET to keep our system safe:
We can add high-risk programs like Firefox and Chrome to EMET, as they are frequent targets for exploits and store essential data.
Open EMET > Right-click on a running process > click on “Configure process” > click on “Ok,” and the process will be added to EMET’s application list. Restart the program selected.
If the process that was just added stops working, we need to correct the issue: open EMET’s protected applications listing, turn off all protections, and then turn them back on one at a time. After switching each one on, start the program manually to make sure it still runs.
EMET has four system-wide rules: Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP), Address Space Layout Randomization (ASLR), and Certificate Trust (Pinning). Three of them are always on, but ASLR is set to opt-in instead. Set up these rules for each application that the user wants EMET to protect.
EMET rules set on one system can easily be exported to other systems by clicking on the “Export” button; on the other system, select the XML file which contains the rules to import it. The imported rules are added to the rules list.
EMET has some extra rules that can be added to the programs by the user for extra safety, like CertTrust, Popular Software, and Recommended Software. CertTrust contains EMET’s default configuration of Certificate Trust Pinning for Microsoft and other third-party applications or online services. Popular Software enables protection for some day-to-day used software like VLC, Quicktime, WinZip, etc. Recommended Software enables protection for minimal recommended software like Microsoft Office, Java, Internet Explorer, and Adobe Acrobat Reader.
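EMET itself has been retired, so the following added example (not from the original article) shows the same system-wide and per-application mitigations named above (DEP, SEHOP, mandatory ASLR) and the same XML export/import flow using the Exploit Protection cmdlets built into Windows 10 version 1709 and later; the process names and the XML path are assumptions.

```powershell
# Added example (not from the original article). Uses the Exploit Protection
# cmdlets that replaced EMET; process names and the XML path are assumptions.
# Run from an elevated prompt.

# System-wide defaults, mirroring EMET's always-on rules: DEP and SEHOP on.
# Mandatory ASLR (ForceRelocateImages) stays opt-in, matching the article,
# so it is enabled below only for the listed programs.
Set-ProcessMitigation -System -Enable DEP, SEHOP

# Opt high-risk programs in one at a time, as the troubleshooting step above
# recommends, and restart and test each program after changing it.
foreach ($exe in 'firefox.exe', 'chrome.exe') {
    Set-ProcessMitigation -Name $exe -Enable DEP, SEHOP, ForceRelocateImages, BottomUp
    # Show the effective settings for this image so each change can be verified.
    Get-ProcessMitigation -Name $exe
}

# Export the whole mitigation configuration to XML for transfer to other systems.
Get-ProcessMitigation -RegistryConfigFilePath 'C:\Temp\mitigations.xml'   # placeholder path

# On the receiving system, import the same XML to apply identical rules.
Set-ProcessMitigation -PolicyFilePath 'C:\Temp\mitigations.xml'
```

If a program fails after the change, remove mitigations one at a time with the -Disable parameter of Set-ProcessMitigation, exactly as the one-by-one EMET check above suggests.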
Fundamental Windows Security Overview is a course designed to strengthen the basics of Windows Security for a beginner. Configure IPSec will be a great start for beginners to learn how to configure IPSec properly. Combine it with pfsense: Installing and Configuring the Firewall to gain in-depth knowledge about firewalls.