Desktop Security

Below are some security recommendations regarding desktops.

The hardening could be done always to the higher level, so only basic is included here.


Recommendation for Linux:

- BIOS password (e.g. to prevent boot from USB)

- Full disk encryption (e.g. to prevent to install something in OS partition)

- iptables in/out direction

- psad or some HIDS/HIPS monitoring

- use KeePassX for generating and storing passwords


Local Firewall

If the Desktop requires additional hardening, the following approach can be used to limit the outgoing traffic by hardening the local firewall. The approach is quite efficient because by this the user can fully control which application are allowed to access the internet. By default the applications are not allowed and only by running sudo under different user would give such access.


Important in the example below is that the outgoing filtering is enabled and only the http_user (non primary user) is allowed to access internet. Http_user is different user with no access to home folder. By this filtering the malware back-connects to C&C should be up to some level mitigated. For browsing internet the desktop user should run browser under http_user (su or sudo to http_user)


Create second user

sudo adduser http_user


iptables

# /etc/sysconfig/iptables

*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT-A INPUT -i lo -j ACCEPT-A INPUT -i vboxnet0 -j ACCEPT-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT-A FORWARD -o virbr0 -j ACCEPT-A OUTPUT -o lo -j ACCEPT-A OUTPUT -o vboxnet0 -j ACCEPT# allow virtual box bridge interface out, for VMs-A OUTPUT -o virbr0 -j ACCEPT# direct ssh to trusted servers-A OUTPUT -m state --state NEW -p tcp --dport 22 -d some_trusted_ssh_server -j ACCEPT# direct http/https, uncomment here only temporarily if needed#-A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT#-A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT# http_user, used in sudo-A OUTPUT -m owner --uid-owner http_user -j ACCEPT# DNS only to google allowed-A OUTPUT -m state --state NEW -p udp --dport 53 -d 8.8.8.8 -j ACCEPT-A OUTPUT -m state --state NEW -p udp --dport 53 -d 8.8.8.4 -j ACCEPT-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT-A INPUT -m limit --limit 60/min -j LOG --log-prefix "iptables INPUT DROP: " --log-level 7-A INPUT -j DROP-A FORWARD -m limit --limit 60/min -j LOG --log-prefix "iptables FORWARD DROP: " --log-level 7-A FORWARD -j DROP-A OUTPUT -m limit --limit 60/min -j LOG --log-prefix "iptables OUTPUT DROP: " --log-level 7-A OUTPUT -j DROPCOMMIT

# /etc/sysconfig/ip6tables

*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]-A INPUT -m state --state RELATED,ESTABLISHED -j DROP-A INPUT -p ipv6-icmp -j ACCEPT-A OUTPUT -p ipv6-icmp -j ACCEPT-A INPUT -i lo -j DROP-A INPUT -m limit --limit 100/min -j LOG --log-prefix "ip6tables INPUT DROP: " --log-level 7-A INPUT -j DROP-A FORWARD -m limit --limit 100/min -j LOG --log-prefix "ip6tables FORWARD DROP: " --log-level 7-A FORWARD -j DROP-A OUTPUT -m limit --limit 100/min -j LOG --log-prefix "ip6tables OUTPUT DROP: " --log-level 7-A OUTPUT -j DROPCOMMIT

ubuntu ufw

sudo ufw default deny outgoing


sudo vi /etc/ufw/after.rules
## rules.input-after## Rules that should be run after the ufw command line added rules. Custom# rules should be added to one of these chains:# ufw-after-input# ufw-after-output# ufw-after-forward#
# Don't delete these required lines, otherwise there will be errors*filter:ufw-after-input - [0:0]:ufw-after-output - [0:0]:ufw-after-forward - [0:0]# End required lines
# don't log noisy services by default-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
# don't log noisy broadcast-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
# don't delete the 'COMMIT' line or these rules won't be processed# http_user, used in sudo-A OUTPUT -m owner --uid-owner user -j ACCEPT# DNS only to google allowed-A OUTPUT -m state --state NEW -p udp --dport 53 -d 8.8.8.8 -j ACCEPT-A ufw-after-output -m state --state NEW -p udp --dport 53 -d 8.8.8.8 -j ACCEPTCOMMIT

Run browser under second user

main_user: sudo xhost +SI:localuser:http_user
main_user: sudo su - http_user
http_user: export DISPLAY=':0.0'
http_user: google-chrome



Recommendation for Windows:

The main aspect of corporate environments is that domain administrator has privileged access to computers in Windows domain. Additionally the Windows is still the most widely used OS so most often targeted by exploits. Most often the domain administrators and helpdesk should be responsible to push the group policy and software on the desktops.


However if the user can run the local admin it is possible to perform following hardening:

- Stop file sharing services and SMB to prevent domain administrators to log on the desktop (to prevent if the attacker gained the domain admin privilege)

- Install AV with HIPS and sandboxes features. HIPS and personal firewall is important to block the outgoing traffic.

- Run full disk encrypted linux VM from Windows


Additionally by domain administrators the AD and Group policy should be hardened (e.g. to do not allow by default running macros and active content, set password complexity, do not store LM hashes, ...)