Baselines Part II: Desktop Operating Systems
Updated March 24, 2016.
This site is no longer being maintained so anything below could still be accurate, or very outdated.
Let us first do away with a persistent misnomer. "Desktop" is not necessarily a word reserved for computers in tower cases or even the new breed of mini PCs like Brix, MintBox and NUC. A Desktop Operating System is the OS you'll find on both traditional desktop computers and laptops/netbooks/notebooks/etc.
This page is even more about generalizations than the last because for one, Baselines is intended only to be a starting point and two, the impossibility of a one-size-fits-all answer becomes even more apparent here than anywhere else. How you would thoroughly lock down any system depends on the purpose it serves and what you're trying to protect from. Thus, solutions for this topic are as many in variation as there are opinions on how to actually implement them.
Central to any threat model should be the fact that malicious code primarily arrives from two places: the internet, and external storage like USB devices, DVDs, etc. A web browser is the largest attack surface on any personal computer and this will only magnify as browsers' capabilities increase further beyond the scope of viewing websites in a window. We'll deal with browsers specifically on the next page. Here we're concerned with the desktop OS, an area of endpoint security that Edward Snowden himself has described as "terrifically weak".
- Encrypt user data and/or create an area or container for secure storage.
- Standard accounts for everyone, admin or root requires a password.
- Regulate network traffic (read: proper firewall rules).
- Reduce enabled network-facing services and installed applications to only what's needed.
- Have a data backup strategy.
Network connection during installation
Whether Linux, OS X or Windows, a network connection during installation is not necessary unless you're intending to create an online user account or you're using a network-based or minimal installation image. Installing an operating system while disconnected from the network is the most secure choice, because the system is at its least patched and least configured at that moment; so if possible, do it, and make fetching updates the first thing you do once you connect.
The system must stay updated.
Keeping a computer current with updates is one of the most important things you can do to keep it healthy. This includes web browser extensions, add-ons and plugins. Upon fresh installation, Windows either has automatic updates enabled or will tell you there's no update policy set and coax you into setting one. Windows Update covers Internet Explorer and Edge, and both Flash and Java can now auto-update themselves too. Chrome and Firefox update automatically, as do browser extensions if designed to.
OS X and many Linux distros will notify you of updates available but won't install anything until you tell them to. Either platform can be set to automatically download and install updates though, and you can distinguish between automatic updates for security packages only, or for the entire system. Browsers still auto-update extensions by default and some plugins are handled by system updates.
An encrypted safe place
You should have an encrypted container on your computer for storing sensitive information (and for the love of $deity, do not store payment info in a web browser). The requirement of protecting personal data increases exponentially with laptops, so in scenarios where you can't encrypt the entire device or your user account area, an encrypted container would be the next best thing.
Contact details, payment information, passwords, business documentation—anything important to you should be stashed in this container. It is unlocked when you need to pull something from it, then closed again when you're finished. The volume can also be copied to external media so you have a backup available.
TrueCrypt used to be the ideal multi-platform solution for this. Development of TrueCrypt stopped abruptly in May 2014, but the last full version, 7.1a, is generally accepted as safe to continue using. The independent TrueCrypt audit found no backdoors and only relatively minor concerns, which have since been fixed in some (all?) of the TrueCrypt forks.
VeraCrypt is a fork of TrueCrypt intended to update and strengthen the code base where possible. Since the TrueCrypt exit, CipherShed and TCnext have also appeared as forks. Tomb is yet another alternative for Linux; while not based on TrueCrypt, it functions similarly (it wraps a dm-crypt/LUKS volume and keeps the key in a separate, GnuPG-encrypted file). On Linux you can also reserve an entire disk partition, or a plain file, as your encrypted volume using dm-crypt and LUKS; the BSDs have their own equivalents (GELI on FreeBSD, for example).
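The dm-crypt/LUKS route in script form, as an added example that is not from the original page: a file-backed container you can open, use and lock again, which is the Linux counterpart of a TrueCrypt/VeraCrypt volume. The file paths, size and mapper name are assumptions; real use needs root and cryptsetup, while DRY_RUN=1 only prints the commands so you can preview them as an ordinary user.

```shell
#!/bin/sh
# Added example, not from the original page: a file-backed dm-crypt/LUKS
# container, the Linux counterpart of a TrueCrypt/VeraCrypt volume.
# Real use needs root and cryptsetup; with DRY_RUN=1 the commands are only printed.
set -e

# run CMD ARGS...: execute, or print when DRY_RUN=1 (preview as a normal user)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# container_create FILE SIZE_MB NAME MOUNTPOINT
# Allocates the backing file, formats it as LUKS (cryptsetup prompts for the
# passphrase), opens it as /dev/mapper/NAME, puts ext4 inside, hands the
# mountpoint to the invoking user, then locks it again.
container_create() {
    file=$1; size=$2; name=$3; mnt=$4
    run fallocate -l "${size}M" "$file"
    run chmod 0600 "$file"
    # The passphrase only unlocks a key slot; the real master key lives in the
    # LUKS header, so the passphrase can be changed later without re-encrypting.
    run cryptsetup luksFormat "$file"
    run cryptsetup open "$file" "$name"
    run mkfs.ext4 -q "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
    # under sudo, SUDO_UID/SUDO_GID name the real user; fall back to the current one
    run chown "${SUDO_UID:-$(id -u)}:${SUDO_GID:-$(id -g)}" "$mnt"
    run umount "$mnt"
    run cryptsetup close "$name"
}

# container_open FILE NAME MOUNTPOINT: unlock and mount. nodev,nosuid because
# nothing in the vault should ever be a device node or a setuid binary.
container_open() {
    run cryptsetup open "$1" "$2"
    run mount -o nodev,nosuid "/dev/mapper/$2" "$3"
}

# container_close NAME MOUNTPOINT: unmount and lock. After this the file on
# disk is opaque ciphertext and can be copied to external media as a backup.
container_close() {
    run umount "$2"
    run cryptsetup close "$1"
}

# header_backup FILE OUT: a damaged LUKS header means losing every byte in the
# container, so keep a copy of the header somewhere safe as well.
header_backup() {
    run cryptsetup luksHeaderBackup "$1" --header-backup-file "$2"
}

# Usage (as root; paths are examples):
#   ./vault.sh create /home/alice/vault.img 512 vault /mnt/vault
#   ./vault.sh open   /home/alice/vault.img vault /mnt/vault
#   ./vault.sh close  vault /mnt/vault
#   ./vault.sh header /home/alice/vault.img /media/usb/vault-header.img
case "${1:-}" in
    create) shift; container_create "$@" ;;
    open)   shift; container_open "$@" ;;
    close)  shift; container_close "$@" ;;
    header) shift; header_backup "$@" ;;
esac
```

Two things worth noting about the design: the container is created and then immediately closed, so the normal state of the vault is locked, exactly as the text recommends; and the header backup is separate from the data backup, because copying the .img file to external media already includes the header but a single corrupted sector in it would make both copies useless if they were made after the damage.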
While NOT an alternative to protecting data with encryption, a virtual machine (or several) is an option for segregating activities, personas or types of data you don't want mixed with your primary operating system. Oracle VirtualBox (Linux, OS X, Windows) and VMware Workstation Player (Linux, Windows) are the two most user-friendly VM platforms, and they're free for personal use.
For VMs where you need high security, you'll want as little host/guest integration as possible. This means not using things like Guest Additions or VMware Tools, clipboard sharing, shared folders, 3D acceleration and host I/O caching. Bridged networking makes the guest appear on the network as its own host, independent of the host's network stack, but it also means the guest is directly reachable from the LAN and needs its own firewall rules exactly as any other node would. A VM is a boundary only as strong as the hypervisor; treat it as segregation, not as a substitute for hardening the host.
Use the firewall
Effective endpoint firewall rules are surprisingly simple: block unsolicited incoming connections and allow outgoing connections. That's all. Depending on your uses, you will then need to make rules for incoming services like SSH or network sharing, and of course you can limit outbound traffic however you like, but it all starts with deny incoming, allow outgoing. Without a specific reason, personal computers should not forward internet traffic and should not accept pings originating from outside a 'trusted' local network.
The excuse of not needing a firewall because you're behind a router is a bad one. Remember that every network, including your own, should be treated as hostile territory. Each node on a network should be properly hardened to NOT rely on external equipment for protection. This is a form of damage control too, because if one computer on the LAN gets pwned, it's now got sights set on the other network devices and their open ports for avahi, NetBIOS or whatever. Use a firewall. This is especially important for mobile devices which use public WiFi.
DNSCrypt
DNSCrypt encrypts and authenticates all DNS traffic between you and the DNS provider you choose, a significant increase in security and privacy over plaintext DNS on the local network and the path upstream. Note what it does not do: the resolver you pick still sees every query, so choose a provider you're prepared to trust. DNSCrypt runs as a background service which you don't need to interact with, but there are graphical clients for iOS, OS X and Windows. It's available in a 3rd party repository for Ubuntu-based Linux distros, as an AUR package, as a Windows executable and as source code for everything else. If you choose to compile from source, there's an auto-installation script for the Arch, Debian and Fedora families. You can also find DNSCrypt in alternative router firmwares and some UTM systems as mentioned on the previous page.
Disable Autoplay.
Autoplay (or whichever similar name is used) is when you connect an external storage device and the system automatically acts on it, classically by running whatever the autorun.inf file points at. The storage may be a USB stick, DVD or SD card and the action could be starting a movie or a software installation. On the other hand, it could be something hidden and malicious you didn't know was there. Remember that the second main avenue for malicious infection of computers is local file storage devices. Windows 7 and later no longer honour autorun.inf on USB storage (only on optical media), but AutoPlay will still hand files straight to applications, so turn it off anyway; Linux desktops have an equivalent media-handling preference for automatically running software on inserted media.
While the biggest everyday concern is receiving infected files or using devices with infected firmware, both problems that arrive via other people, the more exotic and targeted cases are the most interesting and formidable. There have been USB sticks and software installation discs which shipped from the factory with malware on them. Planting a tainted USB stick or CD in a parking lot, driveway or waiting room is a well-known method of getting onto the computers of companies and individuals. You also should never accept USB media given out as swag at conferences or other such 'reconnaissance' events; even this stuff has been known to contain autorun software for marketing/tracking/other purposes.
As a finale of sorts, the 2015 discovery of the Equation Group revealed their interdiction of CD-ROMs containing recap material from a scientific conference in the United States. The group produced new discs implanted with 0-days and kernel exploits which would have bypassed even the disabling of Autorun, since the exploits ran when the recipient opened the disc's contents rather than on insertion. The discs were mailed on, unsuspectingly run and infected their targets.
Pick a bland hostname.
A computer's hostname or "Computer name" is visible to every other device on the network: it goes out in DHCP requests and in mDNS/NetBIOS announcements. For laptops and other mobile devices, avoid a hostname that can help identify you in public, such as your full name, employer or an asset tag.
Have a backup strategy.
Eventually something will go #! and turn nasty. When that happens, good backups will save you immense amounts of time and frustration. There are a lot of ways to back up your system and personal files but whatever your preference, it's not as important as having some kind of strategy to begin with.
Cloning or imaging a hard drive or partition is the most thorough backup solution. This gives you a block-level copy of everything on it and no matter what happens to the operating system, you'll always have a clean disk image on external media to restore and fix the problem. Since image creation and restoration happens outside the installed operating system, it's a reliable and complete 'reset' method. Store your images externally and keep that media disconnected between backups: an image the running OS (or malware on it) can reach is one it can tamper with or encrypt, and an image on the internal drive dies with that drive.
Clonezilla is the backup tool I most often recommend. The Live version does backups and restores from what's basically a Linux live session. Clonezilla compresses unencrypted data, can do a restoration test run to confirm the image's integrity and recently the option was added to output the cloned image through eCryptfs so it's entirely encrypted. At first glance, Clonezilla can look scary if you're used to pretty GUIs, but the developers provide a step-by-step guide to creating and restoring images.
That leaves you with personal files which change much more often than anything of value in the system area. Time Machine, rsync, tar, Deja Dup, Backup and Restore; again, use whatever you prefer. One more trick: on new computers, even tablets and phones, you can free up internal storage space by cloning the recovery partition (or even the entire drive if you choose) to external storage, then deleting it from the device. If you need to do a factory reset, just restore the cloned image.
Separate Home from the System partition.
Creating / and /home on separate partitions gives better control over each with backup images and fstab mount options. With /home as its own partition, it can be mounted with nodev and nosuid to limit privilege escalation (a device node or setuid binary an attacker drops there is inert), and even noexec if you want to prevent anything from executing from the partition. Be aware that noexec on /home breaks legitimate things too, such as scripts and programs users build or download into their home directory, and that it is not a strong control on its own: an interpreter can still be fed a script that lives on a noexec filesystem.
You can use filesystem encryption like eCryptfs or encrypt an entire disk partition, and that would be another reason for individual system and home partitions. For a walkthrough of how to do this, see here. If you prefer full disk encryption, see here.
Debian, Ubuntu and many other distros don't install with a firewall enabled, whether there are listening services or not; Fedora and openSUSE are notable exceptions. The justification that a default install has no open ports (Ubuntu's position) is weak, because what do you have the moment you install something that opens a port without you noticing? An open and unfiltered port you're unaware of. Either way, you should always know which ports, on which protocols and addresses, your system has open and/or unfiltered. You can do this with sudo ss -tulpn (or sudo netstat -tulpn on older systems; netstat is deprecated and often no longer installed).
ufw (Debian family) and FirewallD (Fedora family) are the easiest ways to filter all ports, but both are just front-ends for iptables (and nftables is on the way as its replacement). Using iptables without a front-end means fewer moving parts but can be more complicated to configure. Basic firewall rules are all that's needed to begin with though, so see pages 24-25 of my Inventory for Debian Family Hardening for a quick & easy iptables ruleset.
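The deny-in/allow-out policy from the firewall section above, written out as an added example that is not from the page or from the Inventory it refers to: a function that emits the ruleset in iptables-restore format for either address family, plus a loader. The trusted network, the exposed ports and the file names are assumptions; the IPv6 branch shows the one thing people most often get wrong when they copy an IPv4 ruleset, which is dropping the ICMPv6 neighbour discovery traffic the link depends on.

```shell
#!/bin/sh
# Added example, not from the original page: emit a deny-in/allow-out ruleset in
# iptables-restore format for IPv4 or IPv6 and load it atomically.
set -e

# rule WORDS...: print one ruleset line (keeps printf from treating "-A" as an option)
rule() { printf '%s\n' "$*"; }

# gen_ruleset FAMILY TRUSTED_NET [TCP_PORT...]
#   FAMILY       4 or 6
#   TRUSTED_NET  CIDR allowed to ping you, e.g. 192.168.1.0/24 or fd00::/8
#   TCP_PORT     services you deliberately expose, e.g. 22 for SSH
gen_ruleset() {
    fam=$1; net=$2; shift 2
    rule '*filter'
    rule ':INPUT DROP [0:0]'      # unsolicited inbound: drop
    rule ':FORWARD DROP [0:0]'    # a desktop does not route for others
    rule ':OUTPUT ACCEPT [0:0]'   # outbound: allow; tighten later if you want
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    if [ "$fam" = 4 ]; then
        # DHCP replies can arrive as broadcasts that conntrack does not pair
        # with the request, so let the client port through explicitly.
        rule -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
        rule -A INPUT -s "$net" -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    else
        # Router/neighbour solicitation and advertisement are not optional on
        # IPv6; dropping them silently breaks the link, so accept them outright.
        for t in 133 134 135 136; do
            rule -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
        done
        rule -A INPUT -s "$net" -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
    fi
    for port in "$@"; do
        rule -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    rule COMMIT
}

# apply_ruleset FAMILY TRUSTED_NET [TCP_PORT...]: load with iptables-restore,
# which replaces the table all-or-nothing. A typo leaves the old rules in
# place instead of a half-built chain, unlike a sequence of iptables -A calls.
apply_ruleset() {
    if [ "$1" = 4 ]; then tool=iptables-restore; else tool=ip6tables-restore; fi
    gen_ruleset "$@" | "$tool"
}

# Preview:  ./fw.sh show 4 192.168.1.0/24 22
# Apply:    sudo ./fw.sh apply 4 192.168.1.0/24 22 && sudo ./fw.sh apply 6 fd00::/8 22
# Persist:  on Debian/Ubuntu install iptables-persistent and write the output
#           of "show" to /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
case "${1:-}" in
    show)  shift; gen_ruleset "$@" ;;
    apply) shift; apply_ruleset "$@" ;;
esac
```

Run the IPv4 and IPv6 loaders as a pair: ip6tables has its own tables, so an IPv4-only policy leaves every service reachable over IPv6 on a dual-stack network. The echo-request rule is where the "no pings from outside the trusted LAN" advice lands; everything else unsolicited falls through to the INPUT chain's DROP policy.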
Disable or remove unneeded network services.
Telnet, VNC (remote desktop), dnsmasq, avahi, rpcbind, Samba and CUPS are some of the major Linux network services often installed and/or enabled by default. Before removing anything, first make sure you know what it is you're purging from the system. An alternative to total removal is to set a service to a manual mode. How you do this depends on the distro's init system; on systemd it is systemctl disable (the unit stays installed and can still be started by hand with systemctl start, then stopped when you're finished), while systemctl mask prevents anything from starting it at all. Watch for socket-activated services, which have a .socket unit that must be disabled alongside the .service, otherwise the first incoming connection starts the daemon again. The ss command above will show you which services are listening and on what addresses and interfaces.
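An added example, not from the original page, of what to do with that socket listing: a filter that reads ss -tulpn output and reports only the sockets reachable from the network, leaving out those bound to loopback. The sample lines are constructed in the format of ss -tulpnH (no header line); the process names and pid/fd numbers are invented.

```shell
#!/bin/sh
# Added example, not from the original page: triage `ss -tulpn` output into
# services reachable from the network versus loopback-only ones.
set -e

# Constructed sample in `ss -tulpnH` format; pids, fds and the mix of daemons are invented.
SAMPLE_SS='udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*    users:(("avahi-daemon",pid=612,fd=12))
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*    users:(("systemd-resolve",pid=540,fd=13))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      5          127.0.0.1:631        0.0.0.0:*    users:(("cupsd",pid=790,fd=7))
tcp   LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      50             [::]:445           [::]:*    users:(("smbd",pid=905,fd=36))'

# exposed_listeners: read ss -tulpnH lines on stdin and print
# "proto port address process" for every socket NOT bound to a loopback address.
# The local address is field 5; the port is everything after its last colon,
# which also copes with bracketed IPv6 like [::]:22 and scoped 127.0.0.53%lo:53.
exposed_listeners() {
    awk '{
        n = split($5, a, ":"); port = a[n]
        host = substr($5, 1, length($5) - length(port) - 1)
        sub(/%.*/, "", host)                       # drop interface scope such as %lo
        if (host ~ /^127\./ || host == "[::1]") next
        proc = "?"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print $1, port, host, proc
    }'
}

# Live use:   sudo ss -tulpnH | exposed_listeners
# Then, per unwanted daemon, the "manual mode" from the text, e.g. for avahi:
#   sudo systemctl disable --now avahi-daemon.socket avahi-daemon.service
# (the .socket unit as well, or socket activation resurrects the daemon)
# Demo on the constructed sample: prints avahi, both sshd sockets and smbd; cups stays quiet.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

The output is deliberately minimal so it can be diffed from one day to the next: keep a copy from a freshly hardened system and anything new in a later run is a port something opened without telling you, which is exactly the case the firewall section warns about.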
IPv6 privacy extensions
IPv6 privacy extensions (RFC 4941) make the system generate short-lived, randomised global IPv6 addresses for outgoing connections instead of using only the address SLAAC derives from your NIC's MAC address. Without them, the MAC of your ethernet or wireless card, in modified EUI-64 form, is embedded in your public IPv6 address and follows you from network to network; you don't want that. Different Linux distros have different defaults here, so you'll have to check yours. To do so, the interface must be up, so connect the ethernet wire or switch on the WiFi card and run this in a terminal: sysctl -a | grep use_tempaddr.
If IPv6 privacy extensions are enabled to any degree, those sysctl settings (net.ipv6.conf.all.use_tempaddr, net.ipv6.conf.default.use_tempaddr and the per-interface ones) will have a value of 1 or 2; 2 means temporary addresses are both generated and preferred for outgoing connections, which is what you want. If not, set them to 2 in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and apply the change with sudo sysctl -p. Then verify by looking for your MAC address in the results of test-ipv6.com. Two caveats: privacy extensions only cover global addresses, so the link-local fe80:: address still embeds the MAC unless the kernel is told to use stable-privacy addresses (net.ipv6.conf.*.addr_gen_mode = 2 on newer kernels); and NetworkManager has its own ipv6.ip6-privacy connection setting which can override the sysctl. You can read more about IPv6 privacy extensions in kernel.org's sysctl documentation (Documentation/networking/ip-sysctl.txt).
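The "look for your MAC address" check can be done mechanically. Here is an added example, not from the original page, that computes the modified EUI-64 interface identifier a MAC would produce (flip the universal/local bit of the first octet, insert ff:fe in the middle) and tests whether a given IPv6 address ends in it, plus helpers that read and set the use_tempaddr sysctls. The MAC and addresses used are constructed, and the sysctl.d file name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: does an IPv6 address embed the
# NIC's MAC? SLAAC without privacy extensions builds the interface identifier
# as a modified EUI-64: flip bit 0x02 of the first octet, insert ff:fe in the middle.
set -e

# eui64_from_mac MAC -> four hextets, e.g. 00:11:22:33:44:55 -> 0211:22ff:fe33:4455
eui64_from_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in *[!0-9a-f:]*|'') echo "bad MAC: $1" >&2; return 1 ;; esac
    set -- $(printf '%s\n' "$mac" | tr ':' ' ')
    [ $# -eq 6 ] || { echo "bad MAC: $mac" >&2; return 1; }
    first=$(printf '%02x' $(( 0x$1 ^ 0x02 )))   # toggle the universal/local bit
    printf '%s%s:%sff:fe%s:%s%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# norm ADDR -> lowercase with leading zeros stripped from every hextet, so that
# 0211:22ff:fe33:4455 and fe80::211:22FF:FE33:4455 compare on equal terms
norm() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | sed -E 's/(^|:)0+([0-9a-f])/\1\2/g'
}

# addr_embeds_mac ADDR MAC -> exit 0 if the interface identifier of ADDR is the
# EUI-64 of MAC, i.e. the address leaks the hardware identity
addr_embeds_mac() {
    iid=$(norm "$(eui64_from_mac "$2")")
    case "$(norm "$1")" in
        *":$iid") return 0 ;;
        *)        return 1 ;;
    esac
}

# check_tempaddr: report the live sysctls (2 = temporary addresses generated and preferred)
check_tempaddr() {
    for k in all default; do
        v=$(sysctl -n "net.ipv6.conf.$k.use_tempaddr" 2>/dev/null || echo '?')
        printf 'net.ipv6.conf.%s.use_tempaddr = %s\n' "$k" "$v"
    done
}

# enable_tempaddr: persist use_tempaddr=2 in a sysctl.d drop-in and apply it (root).
# File name is an arbitrary choice; "all" covers existing interfaces, "default" new ones.
enable_tempaddr() {
    f=/etc/sysctl.d/40-ipv6-privacy.conf
    printf 'net.ipv6.conf.all.use_tempaddr = 2\nnet.ipv6.conf.default.use_tempaddr = 2\n' > "$f"
    sysctl -p "$f"
}

# Usage:  ./v6priv.sh check
#         ./v6priv.sh leaks 2001:db8::211:22ff:fe33:4455 00:11:22:33:44:55
#         sudo ./v6priv.sh enable
case "${1:-}" in
    check)  check_tempaddr ;;
    enable) enable_tempaddr ;;
    leaks)  if addr_embeds_mac "$2" "$3"; then echo "leaks: $2 embeds $3"
            else echo "ok: $2 does not embed $3"; fi ;;
esac
```

Feed "leaks" the address test-ipv6.com (or ip -6 addr) shows you and the MAC from ip link; a hit on the global address means temporary addresses are off or not preferred, while a hit only on fe80:: is the link-local case the caveat above describes and needs addr_gen_mode rather than use_tempaddr.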
Official software sources
A Linux distribution's repositories contain software that has been through the distro's review and build process, is least likely to cause stability problems and is least likely to introduce malware to the system, because the packages are signed and reach you through a verified channel. Source code, a PPA, a .deb or an .rpm provided by an application's developer or dev team is usually a reasonable source too, provided you verify the download (a signature or, failing that, a published checksum) and accept that a third-party package runs its install scripts as root.
Be cautious about anything from 3rd parties, be it a PPA, installation binary or script. Do some searching around to see if the source is reputable and works as claimed. This goes for any operating system, but unofficial software sources should usually be avoided.
Turn off Amazon searches in Unity.
System Settings > Security & Privacy > Search tab. Switch off the slider for online search results. Or just purge the packages.
Using AppArmor with web browsers, chat clients and other internet-facing applications is a good practice. The community maintained AppArmor profiles (in the package apparmor-profiles) are well polished for easy, painless use. They're not as strong as something custom built for your system but they do add a lot of access restrictions for applications.
The downside is that an AppArmor rule is one more thing with potential to go wrong and if you don't know how to fix it, you may not be able to launch or fully use a program until there's a profile update released. There aren't many occasions of default profiles severely obstructing use of an application in LTS/Stable distro releases but it is something to be aware of. If you prefer building your own profiles, you have your work cut out for you, though you should check if any of my base profiles could start you off.
Firejail was released in 2014. It's another sandboxing method and while much easier to use than creating an AppArmor profile, it's not as thorough, though still very beneficial. Firejail confines restricted programs in Linux namespaces (mount, PID, network) and uses seccomp-BPF to further limit the system calls they can make. Bear in mind that Firejail itself is a setuid-root binary, so it adds privileged attack surface of its own. It's capable of more than just that so you should check out the features page of the developer's website.
Mount browser caches in a tmpfs area.
With a browser's cached files in RAM, accessing those files will be faster than reading from disk. Since RAM contents are volatile, the cache is completely cleared when the computer shuts down. This does the same as would clearing the browser cache manually, including removing ETags. See here for how to do this.
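Both the mount-option advice for /home above and the tmpfs browser cache come down to fstab entries, so here is one added example, not from the original page, that covers both: a check of which hardening options a mountpoint actually has (run against /proc/mounts on a real system) and a generator for the tmpfs cache entry. The /proc/mounts snapshot, paths and user ids are constructed for the demonstration; ~/.cache/mozilla is where Firefox keeps its disk cache on Linux, and the browser must be closed and the directory must already exist before the tmpfs is mounted over it.

```shell
#!/bin/sh
# Added example, not from the original page: check which hardening options a
# mountpoint was actually mounted with, and build the fstab entry for a browser
# cache kept in RAM. The snapshot, paths and ids below are constructed.
set -e

# Constructed snapshot in /proc/mounts format (device mountpoint fstype options dump pass).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /home/alice/.cache/mozilla tmpfs rw,nosuid,nodev,noexec,relatime,size=262144k,uid=1000,gid=1000,mode=700 0 0'

# has_opt OPTS NAME: is NAME one of the comma-separated mount options?
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# missing_opts MOUNTPOINT OPT...: read /proc/mounts format on stdin and print,
# one per line, each requested option that MOUNTPOINT lacks. Prints
# "not-mounted" if the mountpoint does not appear. Empty output means all present.
missing_opts() {
    target=$1; shift
    found=0
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "$target" ] || continue
        found=1
        for want in "$@"; do
            has_opt "$opts" "$want" || printf '%s\n' "$want"
        done
    done
    [ "$found" = 1 ] || printf 'not-mounted\n'
}

# cache_fstab_line UID GID DIR SIZE_MB: an fstab entry that keeps DIR in RAM,
# readable only by that user, with no device nodes, setuid binaries or
# executables honoured from it. Contents vanish at shutdown, cache and ETags included.
cache_fstab_line() {
    printf 'tmpfs %s tmpfs rw,nosuid,nodev,noexec,relatime,uid=%s,gid=%s,mode=0700,size=%sm 0 0\n' \
        "$3" "$1" "$2" "$4"
}

# Live use:
#   missing_opts /home nodev nosuid < /proc/mounts
#   cache_fstab_line "$(id -u)" "$(id -g)" "$HOME/.cache/mozilla" 256 | sudo tee -a /etc/fstab
#   sudo mount "$HOME/.cache/mozilla"
# Demo on the constructed snapshot: /home is missing nodev and nosuid.
printf '%s\n' "$SAMPLE_MOUNTS" | missing_opts /home nodev nosuid
```

Checking /proc/mounts rather than /etc/fstab matters because the two can disagree: a typo in fstab, a later remount, or an initramfs that mounts the filesystem itself all leave the running system with different options from the ones you wrote down.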
Apple actually has a 260+ page document about hardening OS X, though it seems to be a now-abandoned effort. Here are probably the four best and most complete links you'll find for Apple desktop security, so I won't bother repeating their contents. Those which are slightly outdated are still applicable with a few minor changes.
- OS X Yosemite Security and Privacy Guide. Dr Duh, 2015.
- How the NSA Snoop Proofs its Macs. Macworld, 2013.
- Mac OS X Server Hardening Checklist. Jason M Ragland. University of Texas at Austin, 2011.
- Mac OS X Security Configuration Guides for 10.3 to 10.6. Apple, 2010.
Cleaning a new system
A fresh installation of Windows is always snappier than one which has been in use for years and years. If you can start with a new install, do it, and don't forget to clone the drive or partition so you don't have to reinstall again unless you're upgrading Windows versions.
In times past, a new Windows computer came with a Windows OEM installation DVD. A common ritual was to wipe the entire drive and reinstall Windows from the OEM disc for a pristine system free of manufacturer supplied bloatware/malware.
With Windows 8, the majority of (all?) manufacturers stopped including these discs while the need to remove their preinstalled crap has increased. To create installation media for Windows 8.1, see here. If you're on Windows 8, you'll have to upgrade to 8.1 and then use that 8.1 installation media link.
BitLocker may be a viable choice if it's supported by your edition of Windows (Ultimate or Enterprise on 7; Pro or Enterprise on 8 and 10) and you have the partition arrangement it needs (a separate, unencrypted system partition). Be aware that on a Windows 8.1 or 10 device with automatic device encryption, logging in with a Microsoft account instead of a local user account means your recovery key is uploaded to your Microsoft account, and the BitLocker setup wizard offers the same option; save the key to a printout or USB stick instead if you don't want Microsoft holding it. The TrueCrypt forks are other possibilities for full disk encryption, and they also let you create encrypted containers if you don't want to mess with FDE and reinstalling Windows. There are plenty of online guides showing both ways.
Standard user account
By default, Windows gives you an administrative user account which has full privilege to do anything to the system you want. This means that if you pull anything malicious into your user account, it has access to anything in the system that your admin account has access to. The only potential roadblock is the UAC prompt for your consent, which users routinely click through and which has known bypasses; at its default level, Microsoft itself does not treat UAC as a security boundary.
Set up a standard user account and use that for day-to-day activities instead of an administrative account. This isn't bulletproof but disabling the default-on access to admin privileges closes off a significant attack vector. For Windows 8 and up, you'll need to decide whether you want this standard account to be a local (offline) account like you had with previous Windows versions, or a Microsoft account (online).
The network location setting is a very basic firewall controller for choosing different profiles of network services allowed through the firewall. A Public profile will have no open ports unless you specify otherwise, and this is the safest setting if you don't need sharing services.
For finer control of these profiles, you can enable or disable the individual services each location controls for a custom profile. Go to Control Panel > Network & Sharing Center > Homegroup & sharing options > Change advanced sharing settings.
Additionally, there's an exception list of programs and services which are allowed through the firewall for each network location. For a true deny in/allow out policy, you'll need to block all incoming connections including these exceptions (the "Block all incoming connections" box under Customize Settings does exactly that), and enabling the notification for when something does try to go against a rule is helpful. You can see and edit the exceptions list from Control Panel > Windows Firewall > Allow a program or feature through Windows Firewall. For more advanced rules than these, use Windows Firewall with Advanced Security (wf.msc), which exposes the full inbound and outbound rule set per profile.
Disable unneeded services.
Open the Start menu, run services.msc and take a look through there. Click the Startup Type column header to sort, so that Automatic services are grouped together at the top of the list. Remote Desktop and Remote Registry, Network Discovery, UPnP hosting, SMB/NetBIOS, Computer Browser and file, printer or internet connection sharing are all candidates to be disabled.
Be careful with Windows services though. Often they're interdependent (the Dependencies tab of a service's properties shows what relies on it) but their functions are not well explained. You may need to put some time into searching around for a thorough understanding of what a specific service does before disabling anything beyond the obvious. Black Viper is a good place to start for that.
A disabled service sends no network traffic at all, whereas if you merely "disable" file or printer sharing through the firewall settings, NetBIOS will still send packets out onto the network.
For Windows 10, editions above Home can postpone feature upgrades for several months ("Defer upgrades" under Advanced options in Windows Update). Enable this to minimise the risk of non-essential updates breaking the system; security updates are not deferred by it.
AppLocker and Software Restriction Policies
AppLocker arrived with Windows 7 and is the evolution of Software Restriction Policies (SRP), which date back to XP and Vista. Both are forms of application control: you write allow and/or deny rules, by file path, publisher signature or file hash, for which executables, installers, scripts and DLLs may run. The rules apply to users or user groups and to specific filesystem locations of your choosing; the strong configuration is a whitelist that only permits execution from locations a standard user cannot write to (Program Files and Windows), so that anything dropped into a profile folder or onto a removable drive simply won't run.
AppLocker/SRPs are useful for helping prevent external storage from executing unwanted applications (malware avenue #2) but while powerful, there are ways around them. Both are much more complicated than this brief description so you'll need some reading and tinkering to get strong policies set which won't be too intrusive.
AppLocker and Software Restriction Policies are configured through Group Policy and are not available on all Windows editions, so check this list to see if you can use AppLocker (enforcement requires an Enterprise edition, or Ultimate on Windows 7). For SRPs you need XP Professional (or x64), or a Business/Professional, Ultimate or Enterprise edition of later versions; Home editions have neither. If your Windows version doesn't have AppLocker or SRP, an alternative is to configure parental controls for a similar but more limited effect. There are 3rd party anti-executable applications as well; see Section 8.5 of Probably the Best Free Security List in the World.
By default, Windows hides the file extensions of "known" file types. This means that a malicious file like track_01.mp3.exe can be easily disguised as track_01.mp3. Set file extensions to always be shown: Control Panel > Folder Options > View > Hide extensions for known file types.
Install EMET or enable Data Execution Prevention.
Microsoft's Enhanced Mitigation Experience Toolkit lets you enforce exploit mitigations such as ASLR (including mandatory and bottom-up ASLR for modules that didn't opt in), DEP, SEHOP and EAF on a per-application basis, for any application you choose. This is a big boost in fortification against 0-day attacks for commonly targeted software like Adobe Flash and Reader, Internet Explorer, the Java browser plugin and office suites.
EMET has two downsides. First, it requires .NET Framework 4, which is not an insignificant addition of code and some would say is an attack surface all its own; Windows Update keeps .NET updated though, so I personally think the benefits of EMET outweigh the risk of .NET. Second, some applications won't play well with EMET; Chrome, Skype and VLC are popular examples. The Recommended settings and application list isn't problematic, and you can add, remove or adjust programs under EMET's control if you do experience issues. Keep in mind that EMET is a way of switching on mitigations the OS already supports for software that didn't opt in, not a new protection layer in itself.
If you don't want to use EMET, an alternative is to just turn on Data Execution Prevention for all programs inside Windows. Of course this won't give you the SEHOP, EAF and forced-ASLR policies that EMET will, and forcing DEP for everything still comes with the chance of some 3rd party programs being unhappy until you whitelist them. See: Control Panel > System and Security > System > Advanced system settings > Advanced tab > Performance > Settings > Data Execution Prevention.
Windows Media Player
Press Alt to show WMP's menu or Control+m to show the menu bar. Go to Tools > Options and see the Privacy, Security and Network tabs. Deselect Run script commands and rich media streams when the Player is in a Web page and Allow the player to receive multicast streams. Then anything in the Privacy tab you don't want the player to do. Know that the Internet Zones and cookies settings you set for Windows Media Player will apply to Internet Explorer too.
- Leave UAC alone. Disabling it completely will remove Protected Mode from Internet Explorer and Windows Media Player.
- Microsoft Security Essentials was repackaged as Windows Defender, so Windows 8 and up ships with a full antivirus program. In Windows Vista and 7, the old Defender is anti-spyware only; install Microsoft Security Essentials (free) there.
- Here is probably the best single guide for Windows security I've ever come across. It goes way beyond the basics and you should give it a look when you've got more than a few moments.
Homegroups are a (sometimes) easy way to share files and devices between Windows computers, but disabling the file sharing wizard and sharing with Advanced sharing allows greater permissions control.
Secunia's Personal Software Inspector is an application that warns you when software on the computer becomes outdated. While PSI can tell you when Windows updates are available, it's primarily intended to keep 3rd party applications up to date. If you've got a lot of extras installed, you may find PSI useful for keeping all of them updated.
Windows 10 privacy
Depending on your Windows 7 or 8 update settings, you may be shown the popup for the Get Windows 10 app. If you choose to upgrade to Windows 10, there are significant privacy issues to realize. For workarounds, see this Reddit page and the links in it and this Youtube video.
Java Runtime Environment
Oracle's Java SE is colloquially referred to as just "Java" and, as installed on a desktop, has two components that matter here: the runtime environment (JRE) and the accompanying web browser plugin. OpenJDK is the open source project that Oracle's Java is built from; its packages ship the runtime (and the development kit) but no browser plugin, so the IcedTea-Web plugin must be installed separately.
Java is used on a huge variety of devices and while it has its criticism and praise, the web browser plugin is how the almost amusingly large number of Java vulnerabilities is exploited on desktop computers. Firefox and Safari set the Java plugin to 'Ask' or 'Click to Play' by default, and Chrome dropped support for NPAPI plugins altogether in version 45 (September 2015), so Java no longer runs in Chrome at all. Internet Explorer enables the plugin by default but this is addressed on the next page.
Oracle's Java browser plugins can also be disabled from the Java Control Panel so then the browsers won't even show them available. If you instead use OpenJDK with IcedTea-Web, Firefox sets it to 'Ask'. Midori does not and Chromium-based browsers won't work with IcedTea-Web at all.
Java SE 6 and 7 are no longer publicly supported. If you don't need Java on your computer, remove it. If it is required, use SE version 8 unless completely impossible. As a sanity check though: any application or service that requires you to use an outdated version of software which is at the top of the pyramid in terms of security holes, should be dropped like a bad habit.
That takes care of desktop systems. What about servers, smartphones or tablets? Well, there are a bagillion different types of servers and how to harden them depends more on the software stacks they're running.
On the other hand, since a server is so specialized, the four general keys to start with are using a non-root account, good firewall rules, a thoroughly secured lifeline for administrative access (SSH with keys only and password authentication switched off) and an updated system. Beyond there, you'll need to research your specific application. As for Android and iOS, they will be in an upcoming page.
Anyway…Baselines Part III: Web Browsers