System Hardening
Objective
Explore and configure several security settings, including:
updates
firewalls
antivirus
User Account Control
Windows backups
Configure and test a host-based firewall
Configuring an OS securely, keeping it updated, creating rules and policies that govern the system in a secure manner, and removing unnecessary applications and services are all part of hardening a system.
Removing Unapproved Programs
To check the installed software, open PowerShell as Administrator.
PowerShell also lets you view a list of the programs installed on the machine, to gain an understanding of what is currently running on your system. In the same PowerShell window, first run the following command to query all 64-bit installed programs:
Windows Action Center
Check the status of Windows automatic updates to make sure programs update and install automatically. At the PS prompt, run the following to put the AutoUpdate settings into a variable:
$windows_update = (New-Object -com "Microsoft.Update.AutoUpdate").Settings
Then, run $windows_update to see this object's attributes. The important property here is NotificationLevel. Unfortunately, it is set to 1, which means that Windows is set to never check for updates.
Let's change Automatic Updates so Windows will install updates automatically. At the PS prompt, run $windows_update.NotificationLevel = 4 (the "install updates automatically" level) and then run $windows_update.Save()
Then, verify the change by running $windows_update again to see the new NotificationLevel of 4.
Turn On Firewall
netsh advfirewall set allprofiles state on
Configure Backup
Save it to a box on the same network: click the Save on a network button, then type \\192.168.0.10\Users\Administrator\Documents\Share\ in the Network Location field. Enter the Administrator username and password in the corresponding fields. Then click OK.
Then change the User Account Control settings
Configure Host Based Firewall
Check the status of the three firewall profiles: Domain, Private, and Public. To do so, run netsh advfirewall show allprofiles state. All of them should show State : ON. If so, move on to the next task.
Let's now query the firewall rules to see all the rules that are enabled. At the prompt, run the following command:
netsh advfirewall firewall show rule status=enabled name=all
This will give you an exhaustive list of all enabled firewall rules. Sometimes, it is a bit much to parse. Let's move to the next task to look at how we can narrow down these results.
Instead of viewing all firewall rules, say we wanted to view only the enabled inbound rules. To do this, we can add another parameter to the command. Run the following command to see only enabled inbound rules:
netsh advfirewall firewall show rule status=enabled name=all dir=in
The list is much easier to digest. Scroll through these results to see the allowed inbound rules.
Let's now create a new rule to block inbound ICMPv4 packets, so other machines cannot ping this system. To do this, enter the following command at the cmd prompt:
netsh advfirewall firewall add rule name="Block ping scans" dir=in protocol=icmpv4 action=block
If successful, you will see the command return "Ok.".
Now create a rule that will block all communication to and from the IP address 192.168.0.100, which is a potentially malicious device on this network (the Kali box). To do so, enter the following at the cmd prompt:
netsh advfirewall firewall add rule name="Block suspicious box" dir=in protocol=any remoteip="192.168.0.100" action=block
Then, run the same command, but with dir set to out. Note that netsh does not enforce unique rule names, so this creates a second rule with the same name; running the add command twice by mistake also creates duplicates rather than failing.
Lastly, set up the Firewall so it logs all dropped connections. To do this, enter the following at your cmd prompt:
netsh advfirewall set allprofiles logging droppedconnections enable
If you see "Ok.", then the command worked successfully.
Let's now verify the rules were created. To do so, first check for the first rule we created by running the following command at the cmd prompt:
netsh advfirewall firewall show rule name="Block ping scans"
Next, verify the second rule was created successfully. Run netsh advfirewall firewall show rule name="Block suspicious box" to do so. Because both the inbound and the outbound rule share that name, you will see the info for both of them.
Then test it from a different system (for example, confirm the host no longer answers pings and that the entries appear in the dropped-connection log).
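The firewall steps above (enable profiles, block inbound ICMPv4, block the suspicious host in both directions, log dropped packets, then verify), collected into one re-runnable PowerShell script. This is an added example, not part of the original lab: it uses the NetSecurity cmdlets (New-NetFirewallRule, Set-NetFirewallProfile, Get-NetFirewallProfile) rather than netsh, and assumes the rule names and the 192.168.0.100 address used on this page.

```powershell
# Added example (not from the original lab). Run from an elevated PowerShell prompt.
# Assumes the rule names and suspicious-host address used on the page; adjust as needed.
$SuspiciousHost = '192.168.0.100'

function Add-BlockRuleOnce {
    # netsh and New-NetFirewallRule both create duplicate rules with the same name,
    # so check first; this keeps the script safe to run more than once.
    param(
        [string]$DisplayName,
        [ValidateSet('Inbound', 'Outbound')][string]$Direction,
        [hashtable]$Filter   # extra matching parameters, e.g. @{ Protocol = 'ICMPv4' }
    )
    $existing = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq $Direction }
    if ($existing) {
        Write-Host "Rule '$DisplayName' ($Direction) already present, skipping"
        return
    }
    New-NetFirewallRule -DisplayName $DisplayName -Direction $Direction -Action Block @Filter | Out-Null
    Write-Host "Created rule '$DisplayName' ($Direction)"
}

# 1. Turn the firewall on for every profile (same effect as 'netsh advfirewall set allprofiles state on').
Set-NetFirewallProfile -All -Enabled True

# 2. Block inbound ICMPv4 so the host does not answer pings.
Add-BlockRuleOnce -DisplayName 'Block ping scans' -Direction Inbound -Filter @{ Protocol = 'ICMPv4' }

# 3. Block all traffic to and from the suspicious host, in both directions.
foreach ($dir in 'Inbound', 'Outbound') {
    Add-BlockRuleOnce -DisplayName 'Block suspicious box' -Direction $dir -Filter @{ RemoteAddress = $SuspiciousHost }
}

# 4. Log dropped packets on every profile (same effect as 'logging droppedconnections enable').
Set-NetFirewallProfile -All -LogBlocked True

# 5. Verify: profile state and logging, then each rule with its address and protocol filters.
Get-NetFirewallProfile | Select-Object Name, Enabled, LogBlocked, LogFileName | Format-Table -AutoSize
Get-NetFirewallRule -DisplayName 'Block ping scans', 'Block suspicious box' | ForEach-Object {
    [pscustomobject]@{
        Name          = $_.DisplayName
        Direction     = $_.Direction
        Action        = $_.Action
        Enabled       = $_.Enabled
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Protocol      = ($_ | Get-NetFirewallPortFilter).Protocol
    }
} | Format-Table -AutoSize
```

The final table is the check to keep: the ICMPv4 rule should show Protocol ICMPv4 with RemoteAddress Any, and the two "Block suspicious box" rules should show 192.168.0.100 once Inbound and once Outbound.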