It is surprisingly easy to protect against the majority of malware infections on a Windows host, and contrary to popular belief, installing antivirus is not the best solution.
I want to try and keep this blog fairly high-level to allow non-techies to benefit from the protection, so the technical detail is shown with italics. The guide is focused towards Windows XP, though any modern Microsoft operating system will be very similar (though consider using AppLocker rather than SRP on Windows 7).
The idea is simple; do not allow any executable file (such as malware) that has been introduced via a limited user account to be run on the system without explicit approval. Whilst these steps do not prevent exploitation of vulnerable services, they do prevent any payload from being executed on the machine. Any unauthorised application launched after these steps have been followed will result in an ‘Access Denied by Software Restriction Policy’ message. I’ve yet to see persistent malware which functions with these restrictions in place.
1.) Run as a Limited User. Do not run as Administrator unless you really have to – for example when installing applications.
Start -> Run -> lusrmgr.msc
Action -> New User…
Enter the relevant information and your new user is created.
All new users are created with a group membership of ‘users’; a new user account does not have Administrator rights unless explicitly granted.
2.) Turn on Software Restriction Policies (SRP). Quite possibly the most useful feature in terms of Windows security is disabled by default, and rarely talked about. Turn it on and start enjoying the benefits.
Enable it here... Start -> Run -> secpol.msc
a) In the ‘Software Restriction Policies’ folder, double click on ‘Enforcement’, ensure that ‘All Software Files’ is selected, and that the policy is applied to ‘All users except Local Administrators’
b) Now create some rules.
The idea here is to disallow execution of all files from any location that ‘limited’ users have write permissions to. If you wish to check exactly where a given user has write permissions, use cacls.exe. However, as cacls.exe doesn’t look at hidden/system folders, we need to be a bit clever:
> dir /AD /B /S \ > %temp%\dirs.txt
> FOR /F "delims=" %G in (%temp%\dirs.txt) DO cacls "%G" >> %temp%\perms.txt
The output from this is fairly long and not particularly easy to parse, but the upshot is a standard user on an XP SP3 machine should only be able to write to these locations:
C:\RECYCLER
%USERPROFILE%
%ALLUSERSPROFILE%
%WINDIR%\Tasks
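One way to pull the writable locations out of perms.txt, as an added example that is not part of the original post: this Python script uses dirs.txt to separate each path from its first ACE, then reports directories where a limited account holds a write-capable entry. The function names, the LIMITED account set, the treatment of (DENY) and special-access lines, and the sample data are assumptions made for illustration.

```python
import re

# Accounts that cover a limited user (assumed set; extend for your machine).
LIMITED = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
WRITE_CODES = {"W", "C", "F"}   # cacls codes: Write, Change, Full control
WRITE_SPECIAL = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "GENERIC_WRITE", "GENERIC_ALL"}
ACE = re.compile(r"^([^:]+):((?:\([^)]*\))*)([NRWCF]?)$")  # account:(flags)code

def split_entry(line, dirs):
    """Split '<path> <first ACE>'. Both halves may contain spaces, so try each
    space as the boundary, longest path first, against the dirs.txt entries."""
    for pos in range(len(line) - 1, 0, -1):
        if line[pos] == " " and line[:pos] in dirs:
            return line[:pos], line[pos + 1:]
    return None, ""

def writable_dirs(perms_text, dirs, limited=LIMITED):
    """Directories where a limited account holds a write-capable allow ACE.
    Inherit-only (IO) ACEs count too, since a path rule covers subfolders."""
    dirs, found, path, who = set(dirs), [], None, None
    for line in perms_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented: next directory begins
            path, line = split_entry(line, dirs)
            who = None
        if path is None:
            continue                         # not a directory we listed
        text = line.strip()
        m = ACE.match(text)
        if m:
            who = None if "(DENY)" in m[2] else m[1]   # ignore deny entries
            hit = m[3] in WRITE_CODES
        else:                                # a right listed under "special access:"
            hit = text in WRITE_SPECIAL
        if hit and who in limited and path not in found:
            found.append(path)
    return found

# Constructed sample in the layout cacls prints (not captured from a real host).
SAMPLE_DIRS = [r"C:\Program Files", r"C:\RECYCLER", r"C:\WINDOWS\Tasks"]
SAMPLE_PERMS = "\n".join([
    r"C:\Program Files BUILTIN\Users:R",
    r"                 NT AUTHORITY\SYSTEM:(OI)(CI)F",
    r"C:\RECYCLER BUILTIN\Administrators:(OI)(CI)F",
    r"            BUILTIN\Users:(OI)(CI)C",
    r"C:\WINDOWS\Tasks BUILTIN\Users:(special access:)",
    r"                 FILE_WRITE_DATA"])
```

Feed it the contents of perms.txt and the lines of dirs.txt; every directory it returns is a candidate for a ‘Disallow’ path rule.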
NB: Malware authors should look at these locations when attempting to infect non-administrator accounts
Add all of the above paths (the interface accepts environment variables and, usefully, registry entries) as ‘New Path Rules’, ensuring each location is set to ‘Disallow’. It would also be a good idea to add path rules for all drive letters associated with removable media at this stage.
I don't think there is a way (other than denying all exes by default - see end of post) to universally blacklist all removable media - you'll need to do all potential drive letters manually. Someone please comment if you know a way.
c) Double click on ‘Designated File Types’ and remove the LNK entry
This is to allow Shortcuts to legitimate program files to function – remember they are located in your user profile folder…
3.) Start using your limited user account instead of using the default Administrator account. You can elevate privileges if required, without logging off, by right clicking on shortcuts and selecting ‘Run as…’. If you’ve been running your machine for some time before taking these steps, you may have to migrate application settings and documents (email, favorites, etc.) to the new user account.
...and you're done. Hopefully no more virus infections :)
If you are comfortable with Windows ACLs and SRP, I’d strongly recommend white-listing locations rather than the blacklisting approach used in this guide. I’ve detailed the blacklisting guide here as it’s somewhat simpler to implement on the home PC.