Desktop Security

Below are some security recommendations regarding desktops.

Hardening can always be taken further; only the basics are included here.


Recommendations for Linux:

- BIOS password (e.g. to prevent booting from USB)

- Full disk encryption (e.g. to prevent offline tampering with the OS partition, such as installing something into it)

- iptables filtering in both directions, inbound and outbound

- psad or some HIDS/HIPS monitoring

- use KeePassX for generating and storing passwords


Firewall example

The important part of the example below is the outgoing filtering: only http_user is allowed to reach the internet. http_user is a separate account with no access to the main user's home folder (this holds only if that home directory is not world-readable, e.g. mode 750). Malware running as the main user therefore cannot connect back to its C&C directly, which mitigates such back-connects to some degree; DNS to the allowed servers stays open to every user, so DNS tunnelling is not covered. For browsing, the desktop user runs the browser as http_user (su or sudo to http_user).


Create second user

sudo adduser http_user


iptables

# /etc/sysconfig/iptables (RHEL/CentOS/Fedora path; elsewhere load it with iptables-restore)
# check the syntax without applying it: iptables-restore --test < /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i vboxnet0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o virbr0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o vboxnet0 -j ACCEPT
# allow virtual box bridge interface out, for VMs
-A OUTPUT -o virbr0 -j ACCEPT
# direct ssh to trusted servers
-A OUTPUT -m state --state NEW -p tcp --dport 22 -d some_trusted_ssh_server -j ACCEPT
# direct http/https, uncomment here only temporarily if needed
#-A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
#-A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
# http_user, used in sudo: everything this uid sends is allowed out
-A OUTPUT -m owner --uid-owner http_user -j ACCEPT
# DNS only to Google allowed; point /etc/resolv.conf at these two servers,
# otherwise lookups by the main user are silently dropped (TCP/53 is not allowed either)
-A OUTPUT -m state --state NEW -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
-A OUTPUT -m state --state NEW -p udp --dport 53 -d 8.8.4.4 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 60/min -j LOG --log-prefix "iptables INPUT DROP: " --log-level 7
-A INPUT -j DROP
-A FORWARD -m limit --limit 60/min -j LOG --log-prefix "iptables FORWARD DROP: " --log-level 7
-A FORWARD -j DROP
# --log-uid records which uid generated the dropped packet
-A OUTPUT -m limit --limit 60/min -j LOG --log-prefix "iptables OUTPUT DROP: " --log-level 7 --log-uid
-A OUTPUT -j DROP
COMMIT
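To see what the OUTPUT chain above actually lets through before loading it, the following added example (not from the original page) parses the subset of iptables-restore syntax the ruleset uses and walks the chain with first-match semantics. It is a model, not iptables: -m limit is treated as always matching and --uid-owner is compared as a user name instead of a resolved numeric uid. The main user name alice, the address 192.0.2.22 standing in for the trusted ssh server placeholder, and the destination addresses are all constructed for the demonstration.

```python
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Packet:
    """Locally generated packet as the OUTPUT chain sees it (constructed)."""
    uid: str              # user name owning the sending socket
    proto: str            # "tcp" or "udp"
    dport: int
    dst: str
    src: str = "192.168.1.10"
    out_if: str = "wlan0"
    in_if: str = ""       # always empty for locally generated packets
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED


# "-m" only names the match extension and the rest only shape the LOG target;
# none of them changes the verdict in this model (-m limit always matches).
_IGNORED = {"-m", "--limit", "--log-prefix", "--log-level"}
_FLAGS = {"--log-uid"}     # options that take no argument
_MATCHES = {"-i", "-o", "-p", "-s", "-d", "--dport", "--state", "--uid-owner"}


def parse_ruleset(text):
    """Parse iptables-restore text into ({chain: policy}, [(chain, matches, target)]).
    Only the syntax used on this page is understood; anything else raises so an
    unsupported option is never silently ignored."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line[0] == ":":                      # ":OUTPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tok = shlex.split(line)
        chain, matches, target = None, {}, None
        i = 0
        while i < len(tok):
            opt = tok[i]
            if opt in _FLAGS:
                i += 1
                continue
            arg = tok[i + 1]
            if opt == "-A":
                chain = arg
            elif opt == "-j":
                target = arg
            elif opt == "--state":
                matches[opt] = set(arg.split(","))
            elif opt in _MATCHES:
                matches[opt] = arg
            elif opt not in _IGNORED:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        rules.append((chain, matches, target))
    return policies, rules


def _matches(matches, pkt):
    """True if every match of one rule applies to the packet."""
    for opt, want in matches.items():
        if opt == "--state":
            ok = pkt.state in want
        elif opt in ("-s", "-d"):
            addr = pkt.src if opt == "-s" else pkt.dst
            ok = ipaddress.ip_address(addr) in ipaddress.ip_network(want, strict=False)
        elif opt == "--dport":
            ok = pkt.dport == int(want)
        else:
            field = {"-i": pkt.in_if, "-o": pkt.out_if, "-p": pkt.proto,
                     "--uid-owner": pkt.uid}[opt]
            ok = field == want
        if not ok:
            return False
    return True


def verdict(ruleset_text, pkt, chain="OUTPUT"):
    """Walk CHAIN top to bottom: the first ACCEPT/DROP/REJECT match decides,
    LOG is non-terminating, and the chain policy applies if nothing matches."""
    policies, rules = parse_ruleset(ruleset_text)
    for rule_chain, matches, target in rules:
        if rule_chain == chain and _matches(matches, pkt):
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
    return policies.get(chain, "ACCEPT")


# The OUTPUT chain from the ruleset above; the trusted ssh server placeholder
# is replaced by the constructed address 192.0.2.22 so that -d can be matched.
RULESET = """\
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o vboxnet0 -j ACCEPT
-A OUTPUT -o virbr0 -j ACCEPT
-A OUTPUT -m state --state NEW -p tcp --dport 22 -d 192.0.2.22 -j ACCEPT
-A OUTPUT -m owner --uid-owner http_user -j ACCEPT
-A OUTPUT -m state --state NEW -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
-A OUTPUT -m state --state NEW -p udp --dport 53 -d 8.8.4.4 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m limit --limit 60/min -j LOG --log-prefix "iptables OUTPUT DROP: " --log-level 7 --log-uid
-A OUTPUT -j DROP
COMMIT
"""


def demo():
    """Verdicts for constructed packets from the main desktop user (alice)
    and from http_user. Returns {case: verdict}."""
    cases = {
        "alice https":       Packet("alice", "tcp", 443, "203.0.113.10"),
        "http_user https":   Packet("http_user", "tcp", 443, "203.0.113.10"),
        "alice dns google":  Packet("alice", "udp", 53, "8.8.8.8"),
        "alice dns other":   Packet("alice", "udp", 53, "1.1.1.1"),
        "alice dns tcp":     Packet("alice", "tcp", 53, "8.8.8.8"),
        "alice ssh trusted": Packet("alice", "tcp", 22, "192.0.2.22"),
        "alice ssh other":   Packet("alice", "tcp", 22, "198.51.100.7"),
        "alice to vm":       Packet("alice", "tcp", 22, "192.168.56.10", out_if="vboxnet0"),
    }
    return {name: verdict(RULESET, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The cases worth noticing are "alice dns other" and "alice dns tcp": with this policy a resolver that is not 8.8.8.8 or 8.8.4.4, or a large answer that falls back to TCP, is dropped without any error other than a log line.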


# /etc/sysconfig/ip6tables
# IPv6 is not used on this desktop: everything except ICMPv6 (needed for
# neighbour discovery) is dropped, so IPv6 cannot bypass the IPv4 egress policy

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
# note: together with the OUTPUT DROP below this also kills IPv6 loopback (::1);
# anything that must talk over ::1 needs -i lo / -o lo ACCEPT rules instead
-A INPUT -i lo -j DROP
-A INPUT -m limit --limit 100/min -j LOG --log-prefix "ip6tables INPUT DROP: " --log-level 7
-A INPUT -j DROP
-A FORWARD -m limit --limit 100/min -j LOG --log-prefix "ip6tables FORWARD DROP: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -m limit --limit 100/min -j LOG --log-prefix "ip6tables OUTPUT DROP: " --log-level 7
-A OUTPUT -j DROP
COMMIT


ubuntu ufw

sudo ufw default deny outgoing


sudo vi /etc/ufw/after.rules


#
# rules.input-after
#
# Rules that should be run after the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-after-input
#   ufw-after-output
#   ufw-after-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
# End required lines

# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input

# don't log noisy broadcast
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

# custom rules belong in the ufw-after-* chains, not directly in OUTPUT
# http_user, used in sudo
-A ufw-after-output -m owner --uid-owner http_user -j ACCEPT
# DNS only to google allowed
-A ufw-after-output -m state --state NEW -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
-A ufw-after-output -m state --state NEW -p udp --dport 53 -d 8.8.4.4 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Then apply the change with sudo ufw reload.


Run browser under second user

main_user: xhost +SI:localuser:http_user   (no sudo needed, it is the main user's display)
main_user: sudo su - http_user
http_user: export DISPLAY=':0.0'
http_user: google-chrome

Note that X11 does not isolate clients from each other: once http_user may connect to the display, a compromised browser can still read keystrokes and screen contents of the main user's session. The user separation protects the home folder and enforces the egress policy; it does not protect the desktop session itself. Revoke the access with xhost -SI:localuser:http_user when done.
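Once the ruleset is live, every dropped packet ends up in the kernel log (journalctl -k, or /var/log/kern.log or /var/log/messages depending on the distribution). The following added example, which is not from the original page, summarises the "iptables OUTPUT DROP:" lines by uid, destination and port and picks out dropped DNS queries, which mean the resolver is pointed at a server the policy does not allow. The log lines are constructed in the format the LOG target writes; the UID/GID fields are only present when the rule carries --log-uid.

```python
import re
from collections import Counter

# Constructed kernel log lines in the format the iptables LOG target writes
# (UID/GID appear only when the rule has --log-uid). Not real traffic.
SAMPLE_LOG = """\
Mar 10 09:12:01 desktop kernel: [  812.345678] iptables OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.10 DST=203.0.113.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Mar 10 09:12:02 desktop kernel: [  813.001122] iptables OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.10 DST=203.0.113.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Mar 10 09:12:05 desktop kernel: [  816.220000] iptables OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.10 DST=1.1.1.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=UDP SPT=40123 DPT=53 LEN=48 UID=1000 GID=1000
Mar 10 09:12:07 desktop kernel: [  818.900000] iptables OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4714 DF PROTO=TCP SPT=51240 DPT=4444 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Mar 10 09:12:08 desktop kernel: [  819.100000] iptables OUTPUT DROP: IN= OUT=wlan0 SRC=192.168.1.10 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4715 DF PROTO=TCP SPT=51241 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 09:12:09 desktop kernel: [  820.000000] iptables INPUT DROP: IN=wlan0 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=203.0.113.77 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9001 DF PROTO=TCP SPT=55555 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

DROP_RE = re.compile(r"iptables (?P<chain>INPUT|OUTPUT|FORWARD) DROP: (?P<fields>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop(line):
    """Return the KEY=VALUE fields of one 'iptables ... DROP:' log line as a
    dict (plus 'CHAIN'), or None for lines written by anything else.
    Bare flags such as DF and SYN carry no '=' and are not collected."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))
    rec["CHAIN"] = m.group("chain")
    return rec


def summarize_output_drops(log_text):
    """Count dropped outbound packets per (uid, dst, proto, dport).
    Under the policy above only http_user should be reaching out, so every
    entry is either a misconfiguration or a program that should not be
    talking to the network. uid '?' means the LOG rule lacked --log-uid."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_drop(line)
        if rec is None or rec["CHAIN"] != "OUTPUT":
            continue
        key = (rec.get("UID", "?"), rec["DST"], rec["PROTO"], rec.get("DPT", "-"))
        counts[key] += 1
    return counts


def dns_drops(counts):
    """Dropped DNS queries (UDP or TCP fallback to port 53): the resolver is
    pointed at a server the policy does not allow, so name resolution for
    the main user fails silently. Returns sorted [(uid, dst, count)]."""
    return sorted((uid, dst, n) for (uid, dst, proto, dport), n in counts.items()
                  if dport == "53")


def report(counts):
    """Human-readable lines, busiest destination first."""
    return [f"uid={uid:<5} {proto:<4} {dst}:{dport}  x{n}"
            for (uid, dst, proto, dport), n in counts.most_common()]


if __name__ == "__main__":
    drops = summarize_output_drops(SAMPLE_LOG)
    print("\n".join(report(drops)))
    print("dns drops:", dns_drops(drops))
```

In the constructed sample the port 4444 entry is the kind of line this setup exists to surface: a program running as the main user, not as http_user, trying to open a connection the policy never allowed.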



Recommendations for Windows:

In corporate environments the key point is that domain administrators have privileged access to every computer in the Windows domain, and Windows is still the most widely used desktop OS, so it is the most frequently targeted by exploits. Pushing Group Policy and software to the desktops is therefore normally the job of the domain administrators and the helpdesk, not of the user.


If you do have local admin rights, the following is possible:

- Stop the file sharing and SMB server services so that domain administrators cannot log on to the desktop over SMB (limits the damage if an attacker gains domain admin privileges). This closes only the SMB path; RDP, WinRM and WMI remote logons have to be disabled separately.

- Install AV with HIPS and sandboxing features. The HIPS and the personal firewall matter most for blocking outgoing traffic, the same idea as the Linux egress filtering above.

- Harden AD and Group Policy (e.g. do not allow macros and active content to run by default, enforce password complexity, do not store LM hashes, ...)

- Run a Linux VM with full disk encryption from inside Windows