
G1234! - Protecting Windows Credentials: An Excessive Guide for Security Professionals - Mark Burnett

BSides Las Vegas · 52:34 · 65 views · Published 2017-08

About this talk

G1234! - Protecting Windows Credentials: An Excessive Guide for Security Professionals - Mark Burnett. Ground1234! track, BSidesLV 2017, Tuscany Hotel, July 26, 2017.

Transcript [en]

Without further ado: Protecting Windows Credentials, an Excessive Guide for Security Professionals, by Mark Burnett.

Okay, this right here is the URL, by the way, if you want to leave comments or whatever on the Peerlyst page, I guess, for this talk. Anything else in here? All right. Is that better? Can you hear me all right? Well, I'm Mark Burnett, and I've been doing this for about 28 years or so: security for about 18 years, and other things for some years before that. I've worked in just about every area of security, but one of the main things I've been doing a lot over the years is Windows, and I also like doing password stuff, so this is Windows and password stuff.

Okay, so hardening Windows is a huge, huge, huge project, and so I'm trying to limit the scope on this as much as I could. Basically I was thinking, those of us who are security professionals get really tired of users sometimes. You're telling them the same things over and over and over again, you're trying to secure them, and they're still getting hacked. So this talk is about: screw them, let's just get ourselves secure for now. Let's talk about how we can do stuff that we normally wouldn't recommend for other users, but that's good stuff for us, and make sure we're doing the right stuff on our own systems, because it's too easy to neglect that.

So the scope of this is kind of a standalone computer, or something that you do connect to a domain sometimes, but that you manage, that you have admin access to and that you're in control of, but that you still use with other resources and still connect to other networks and stuff. This isn't really going into logging into Active Directory; I'm not going into Kerberos, pass-the-hash type stuff, and things that are way beyond the scope of this and would take way too long. I already had to trim this back just to fit in 60 minutes. And it's definitely not for regular users. These aren't typically things that you would have normal people do. But the thought is that security professionals do have a higher threat profile, and some people more

than others, of course, but all of us are targets, and all of us could potentially be a jumping point for other attacks. It's kind of funny, but one of the reasons why you target security people is because their security is so bad on their own systems. But see here, so Windows, I mean, it really has a bad, bad reputation as just being really insecure. It's just been one thing after another, and a lot of it is just the way it was built from the beginning. The architecture has limited what they can do. Over the years they've tried not to make too many extreme changes to how the kernel works, and they're building on broken protocols that they're trying to remain compatible with: storing credentials in memory, storing hashes in memory, not properly securing the hashes, not properly hashing the hashes. So it's just a leaky bucket inside a leaky bucket, as the analogy I like to use. We talk about defense in depth, but defense in depth doesn't really work if you're putting leaky buckets inside leaky buckets.

One of the things, you know, when I bought my house about ten years ago I thought it was really cool. I was having a lot of kidney stones at the time, and I found out that hard exercise helped me; endorphins and stuff help the pain. So I decided I was going to dig a pond by hand, and I spent about a month or two doing that. And then I went to go seal the pond, and I think you see these ponds, they have water in them and they're always full, so I'm thinking, yeah, you've got to seal it, but the water just stays in there. But it turns out the water doesn't just stay in there; just the smallest little hole and it'll be empty before you know it. So what I would do, my wife found a bunch of pond liner at a yard sale, and so I tried to use all these little pieces and fit them into my pond. My thought was, okay, I put this one layer, it's kind of weak and it's got holes in it, but I put a layer on top of it; this was also kind of weak and had holes in it. I figured if I have enough layers, eventually there's not going to be any way to get in, but water finds a way. So that was my leaky bucket inside a leaky bucket. I would fill it up, go back a few days later, and it would be empty again. I finally learned what you do is you get one layer and completely seal it, and then you get the next layer and completely seal that, and when you do have leaks in one layer, the next layer is a complete layer that will contain that leak. However, with Windows you can't do that; you've just got leaky buckets, so you're kind of stuck. I mean, things are changing with Windows.

Windows 10 has made a number of improvements in the architecture, but in the meantime there are a number of things that we're going to have to do ourselves to secure ourselves. Yeah, does anyone want me to cover the stuff here? This is kind of boring. Okay, let me just do a quick overview. I just feel like everyone's already... it's only been like five minutes. Okay, so Windows is based on SIDs, which is a security ID that's assigned to each user. DACLs, which are... well, I've gone on way too little sleep and I've got way too much caffeine going through me right now, so I started shaking and stuff. Just yell out the answer for me. Access control lists contain DACLs and they contain SACLs. DACLs are discretionary access controls that control the permissions of who can access whatever object that is; the SACL controls the auditing and the mandatory integrity control of whatever object it is securing. There are privileges, and that's very similar to Linux or any other operating system: there are privileges for when you need to do something that's normally a protected action, like doing a backup or whatever. Privileges are a way for the system to assign that specific users should take care of those tasks. Mandatory integrity control is kind of similar to mandatory access control, but not quite. That's where you have different levels of elevation, I guess, where you have low, medium, high, protected and system. That's what you get when you do some kind of admin thing and the UAC prompt comes up and asks for your permission; whenever you go up, it has to prompt you for the permission to elevate that process. You can always write down to a lower level, you can read down to a lower level, you can execute down, but you can't read, write or execute up.

And then tokens and objects. A token is a security... I mean, once you've authenticated, the user is assigned a token, and the token contains a number of things. The user is an object and it contains a token, which contains a number of bits of information about the privileges and... you guys get it. Okay, let's talk about the architecture. Most operating systems have different rings of privilege, and that's basically what you can or cannot do on the system. Ring zero is the most privileged process ring; the different protection rings are enforced by the CPU. Ring zero is where the kernel exists. That's where all the protected processes are, the device drivers, the hardware abstraction layer, anything that deals with the system itself; it's a shared memory area, so anything that lives in ring zero basically has full control of everything, and ring zero can communicate outside to other rings. It's just like the mandatory integrity control: you can go one way but you can't go the other way. So ring zero is the core of the system; it's the most privileged and the most protected and, really, the most dangerous part of the system. Oh, wait a second.

Oh, ring three. We go from zero to three; you usually don't use... ring three is where you have the subsystems, the basic core stuff; they call it user mode. That's the core operating system stuff: the services, any user processes, those all exist in ring 3. Again, they can't communicate down to ring 0, but ring 3 needs to do things that only ring 0 is able to do. ntdll provides the APIs for communicating to ring 0 from ring 3. So, without going too much into that, it's kind of a separation of user mode processes and protected kernel processes.
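The pieces walked through in the overview above (the user's SID, the token with its groups, privileges and integrity label, and an object's DACL and SACL) can all be inspected on a live machine. The script below is an added example for this page, not code from the talk or from Mark Burnett; it assumes Windows 10 with PowerShell 5, and reading the SACL with `Get-Acl -Audit` needs an elevated session.

```powershell
# Added example, not from the talk: look at the token and the object security
# just described. Assumes Windows 10 / PowerShell 5; the SACL read needs elevation.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

function Get-TokenSummary {
    # The token: the user's SID, the group SIDs, and the integrity label it carries.
    # whoami /groups lists the label as a pseudo-group under "Mandatory Label\".
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }
    [pscustomobject]@{
        User      = $id.Name
        UserSid   = $id.User.Value
        Groups    = $id.Groups.Count
        Integrity = $label.'Group Name'
        # False under a UAC-filtered admin token; True only once elevated.
        Elevated  = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                        [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Get-PrivilegeSummary {
    # Privileges live in the token too; each one is either Enabled or Disabled.
    whoami /priv /fo csv | ConvertFrom-Csv | Select-Object 'Privilege Name', State
}

function Get-ObjectSecurity {
    param([Parameter(Mandatory)][string]$Path)
    # The DACL (who may do what) and the SACL (which accesses get audited) of one object.
    $acl = Get-Acl -LiteralPath $Path -Audit
    [pscustomobject]@{
        Owner = $acl.Owner
        Dacl  = $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
        Sacl  = $acl.Audit  | Select-Object IdentityReference, FileSystemRights, AuditFlags
    }
}

Get-TokenSummary
Get-PrivilegeSummary
Get-ObjectSecurity -Path "$env:SystemRoot\System32\drivers\etc\hosts"
```

Run it once from a normal prompt and once from an elevated one and compare: the user SID is the same, but the integrity label moves from Medium to High, `Elevated` flips, and privileges such as SeBackupPrivilege appear in the second token. That difference is exactly the "read down, write down, never up" boundary from the overview.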

And then, I think the screen warps here, when you log into a Windows system you establish a session. The initial session is the system; that's session 0, and any session after that would be session 1, 2 or 3. So if you're the first user logging in, you're going to be session 1. And then you have window stations. A window station is an object that is a viewport, basically; it's the desktop. You have one window station, window station 0, that you can see; there are other window stations, but none of them are visible to the user. A window station can have one or more desktops.

Now, a desktop: with Windows we have the secure desktop, we have our desktop that we see, and then we have the desktop which is the login screen; that's its own desktop. And there's the screen saver, which is another desktop. Another desktop is when you do Control-Alt-Delete and it comes up with a prompt and the background dims. What that is, it's actually executing on a separate desktop; it takes a screenshot, dims it and shows that on a separate desktop. Now the different desktops that exist are isolated from each other, so they can't really communicate with each other from a user-mode perspective. Now with kernel mode, the kernel has access to anything, so that's kind of the exception. And then on your desktop you have multiple processes; some of them may have windows that display, some are more background processes. These processes can communicate with each other: they can send Windows messages to each other, they can probably hook each other's events and things like that, as long as they are the same user, as long as they have the same security token access, and as long as they have the same mandatory integrity control access.

So we've got all these different layers and different objects, and each of them provides a little bit of isolation for stuff, but none of them is really completely isolated. So, for example, you have a session; the kernel obviously has access to everything. You have window stations; you may have multiple users logging in, so you have multiple sessions, multiple window stations. You have multiple desktops. Now the desktops are isolated on the user interface level, so they can't hook into each other's functions; it's a container that has its own processes, but it can't communicate with the other containers, and they can't hook each other, they can't have access to each other's user interface. So they can't send Windows messages across different processes in different desktops; within the same one, however, you can do that, and that's how key loggers work: they hook the key press events in one window and then they log all those key press events. However, on a secure desktop they can't hook those; that's why you have to do Control-Alt-Delete to log in, so you're in a secure desktop that's isolated from other desktops, so you're safe; there are no key loggers running in that process. And then, let's bring this up, so some of these are some different ways that Windows can isolate

stuff. You've got the security token, which I already talked about. Now you can have different processes running; you can have a bunch of windows open under your username, under your login, but then you can open up a command prompt as another user. So even though you're on the same desktop, you have different user processes. Now, even though it's a different user, they are actually still in the same session, the same window station, the same desktop, but they have different security tokens associated with that process. And the ACL, of course, is different as well. Every object in Windows has an ACL and you can set permissions on it. A lot of people don't realize how many different permissions you can set; like a running process, there's no really good easy way to set that in Windows, but a running process has an ACL, and so you can say this running process doesn't have permission to shut down, or this process doesn't have permission to launch another process. So the ACL controls how the different processes can interact. Mandatory integrity control, like I said before, prevents escalation from low integrity to high integrity. You've got AppContainers, which is likely the Windows Store apps, where they're in what's really a sandbox that has low integrity and has limited permissions on the system, a limited number of API calls available to it. You've got a thing called UIPI, which is User Interface Privilege Isolation; what it does is it prevents certain windows from interacting with each other. Basically it limits certain messages that you can send to or intercept from other windows, so it prevents things like shatter attacks, which is kind of my old thing; we don't hear about that much anymore. Now you have jobs, which aren't really shown on here, but a job is a container of processes, and the job itself can have its own ACL. You've got containers, which would be like Docker or something like that. Sandbox apps: there are a few of the sandboxes; the main one people use lets you run it and basically virtualizes the file system access, the registry access and things like that, and you can block the network access. You can break out of them, but it is kind of nice for limiting access to different things. Again, it's one layer; it's not comprehensive. Anything that's kernel-mode, for example, can break out, and also all these things: virtual machines, protected processes. Protected processes are a process that belongs to the system that an unprivileged process can't access and can't terminate. If you elevate as administrator and try to terminate it, the system crashes. Silos are a new thing that Microsoft still hasn't really completely deployed yet, but they're kind of enhanced containers. So you have this isolation between processes, window messages, but nothing really is getting you there. Again, we need all this stuff because we're dealing with leaky buckets inside leaky buckets, and so that's the best we can really hope for: hopefully that, well, we're

just making it hard enough until we get to the point where Windows is actually secure. Now, this is some of the things that they're doing, and they started this with Windows 10. I talked about the kernel as the lowest level, but it really isn't the lowest level. What they've done is made a hypervisor, which wants to be ring zero, but they call it ring negative one, and the hypervisor is actually below the OS, so that when you run Windows you're actually loading the hypervisor, and the hypervisor is loading the kernel and the user mode processes. So this is actually below the kernel, and the cool thing about it is the kernel can't access anything in the hypervisor, but the hypervisor can manage everything for the kernel. And there's just no way to get to the... well, I shouldn't say there's no way, that it's unbreakable; I'll say it again: it's really hard to get into the hypervisor. There have been exploits that have accessed that. But the cool thing is the hypervisor is small; it's a tiny amount of code, so it makes it easier to audit and make sure that it's not like the kernel, which is huge and a massive attack surface. The hypervisor is a limited number of functions, a minimal amount of code, and it's basically controlled by the hardware itself: VT-x, and the AMD one, the features in the chipset that manage access to the hypervisor.

So since we have a hypervisor that's below the regular kernel, what they've done is created another kernel. This kernel is not a true kernel, it's not a whole kernel; it's not a duplicate of all the code. What it is, it's kind of like a proxy kernel. They took anything that's really sensitive, like crypto functions, and put it in the secure kernel; everything else is available to that kernel, but it's just proxied over to the main kernel, the insecure kernel, so it sends the calls over there. What this does is it keeps it isolated from the other kernel, and it has a limited amount of code, which makes it a lower attack surface; it's easier to audit. But the nice thing is they can't communicate with each other directly; it's all marshaled through the hypervisor. So you have this separation that you really could never accomplish before in Windows: you can actually have code running in a secure kernel that's not accessible from this kernel. So if someone writes a driver, or maybe they gain system access and are able to install malware and stuff from this kernel, they're still not able to gain access to all the functions in here. And what we've got over here is that Microsoft has implemented a number of things like Device Guard, Credential Guard and a bunch of other guards. You guys, come on, what are the other guards? Anyway, a bunch of other guards exist right here. So one thing they do is they store the hashes, like your Kerberos hash and your NTLM hash for network authentication, in this secure user process area.

When this kernel needs to access it, it sends a message to the secure kernel; the secure kernel does whatever crypto is necessary to deal with the hash, to create the hash or to validate the hash. So we've got this isolation that we've never had before. Now, right now that's only available to Microsoft stuff, so you can't sign anything and run it in there; it has to be signed by Microsoft and it can only be Microsoft. So it's kind of a cool thing and really secure, but we don't have access to it. But for now we have Credential Guard, which protects our credentials in that area. However, it doesn't protect all the credentials: it doesn't protect local logins, it doesn't protect all the Kerberos tickets, it doesn't protect stuff when you first log in and before it sends it over to the secure kernel. There are limitations on how much it's protecting us, but hey, we're getting there. And they've got some really cool stuff coming up that does handle more stuff, and they're expanding this constantly, but this is like the first major advancement in how Windows is handling the credentials in memory, and so it creates a true isolation from the regular kernel. Now, the hypervisor, we talked about negative one here; for the whole thing to work we have to trust that hypervisor, and in order to trust the hypervisor you have to have a TPM

installed, and the TPM validates the hypervisor code when it loads, and then the hypervisor validates the kernel code and then loads it; it works that way. So when you want to prevent someone from stealing your credentials, since we can't really do it right now in Windows, what we do is we just make it hard. So what I did on my pond, I ended up with spray foam. I mean, people talk about WD-40 and duct tape; I think spray foam and heat shrink tubing are what we really need in life. But I got me a whole bunch of cans of spray foam, like way too many cans of spray foam, and I would try to seal these leaks, and I kind of got it to work. It got to the point where it would take a month or so to completely drain now, but I got it long enough that I felt good about it. I actually ended up filling my pond up with gravel and plants, but that's not the point. The point is, if you want to just ditch Windows, deal with gravel and plants; become a landscaper. So we increase the cost; we make it so it's harder to do, it takes longer to do, and in the process they're creating more log entries, creating more noise, more things that we can catch. We can mitigate exploits, so we can prevent certain things from running and we can block certain types of attacks, and Windows is getting a lot of exploit mitigations built in. They have EMET, which is going to be completely integrated in the next version of Windows, the fall update. Then we've got reducing the attack surface.

Now, this is the thing about Windows. I don't know if you guys saw, when I was doing this last night, I hit the Start menu accidentally. I had a really cool setup here, and I entered my password wrong when I set this up, and I verified it wrong, and then when I got here I didn't know my password, and so I had to reinstall, and all I had was Windows 10 Home. So what I do is reduce the attack surface before I even install Windows. There are tools like NTLite, there are a number of them, or you can use the DISM tool; there are a number of GUIs for that, and you can script however you want which components you want to remove. So I pull out things like Cortana, I pull out telemetry, I pull out all these DLLs. It's easier to use the GUI tools like NTLite, where you just have checkboxes of what you want to remove. So you take all the stuff out, and you can get it from a four gig install, Windows is about four gig, and narrow it down to like two gigs to install the whole installation for Windows. And then you take out all the stuff like the pre-installed apps,

all that stuff that popped up, you know, Candy Crush. You take out... what else is there that we don't like? Oh, and you put the old Windows calculator back in, the Windows 7 one, and you put in the old Windows 7 photo viewer, because the new photo viewer, I always hated that one; I always hated the calculator. I mean, who wants it anyway? And so you can do all these cool things: you can add in your registry hacks, whatever you want to do, at that point, and so you have a build that already has the attack surface reduced. Of course, you get in there and then you run an update and Microsoft puts half the stuff back. Oh, can you zoom the camera in on me for a second? Stop doing that, Microsoft! They didn't say what... I was just saying there's not even anyone... anyway, but it looked cool, right? So that's the way you reduce attack surface, and this is really... I talked about extreme. I'm not really able to get into a lot of extreme stuff in the time I'm given here. I was originally going to give you all the stuff that I do, the list of registry settings and everything, but I could have done an hour's worth of registry settings this morning and I still wouldn't have covered it all. So I'm just going on a higher level here. But you reduce that attack surface, and the main way you can do that is to not have it in there in the first place; when it's not in there, it's less likely Windows will... they're getting better, but with the last update they didn't put as much stuff back, except for that 3D Builder whatever thing. You just can't get rid of that. And then you want to contain the attack, so you want to make it so it's harder for them to expand from where they were at. How are we doing on time? It's time? Okay.

The attack process. Okay, so if you're going to attack Windows, you've got to deliver the exploit somehow, either through a download or a zero-day or an open port or something like that. You have to run the exploit; they run the payload, and then you've got to elevate, usually, so you can actually do interesting stuff on the system. Now, the hard thing about it is each one of these steps gets more and more difficult, and then beyond here you've got lateral movement and just pretty much owning you. But each step is harder and harder to contain; once they've gotten to that one point, they can always keep moving forward. That's why when a company says, "Oh yeah, we were hacked," like Yahoo, "and we found the problem and we cleaned it up, so it's all good," the fact is it's not good; they haven't gotten rid of the problem, because the person is probably already here and there, and so it gets way, way, way more difficult to roll that back, much less contain it. So what we want to do is focus on containing at this point; we want to look at the choke points, where we have to do the least amount of work and prevent them from getting farther along.

So what I do is I look at Windows as kind of a zero trust environment. We talk about zero trust networks, but who does trust Windows, really, anymore? Oh, come on, don't all raise your hands; you're really dumb. They hide stuff from us administrators, and they obfuscate what certain processes do, and you see connections going. I remember when I was on a modem, the modem light flashing, it's like, oh crap, someone's connecting to me, something's going on, and you get panicked. Now it's just constant. Does anyone remember when we had a modem? Where are all the old guys around here? Yeah, there's an old guy. Yeah. You're connected there and you saw the light going on; it's like you had to worry about something because the light was on, and now it's just constant, constant. Any other old guys? Anyway, it's just constant communication.

Just think of someone as old as me, that's what I'm saying. If someone's as old as me, I'm talking about modems here, come on. Sorry, fine, if any of you want to come up here, can everyone move around and let them up here? I've got a few other things too. Yeah, that's right. So everything's the perimeter, really, now, because you don't trust anything. Microsoft made it easy for a lot of other apps to have access to things as telemetry features, and on Twitter the other day... installing Windows 98, it's amazing. All right, now,

any other comments? What's that? So we focus on choke points; everything's perimeter. Yeah, that's all. Okay, so internet clients: the biggest way that stuff gets into our systems. You've got to keep it updated. Okay, I kind of had a plan for here, but I have a feeling it's just going to end up being a big ramble and we're just going to go way over, but I shouldn't even be saying half the stuff I'm saying. So you have to keep your systems updated. There are sandboxes and containers. I love the browsers; Chrome is doing it, Firefox is getting there, where they have their own sandboxing mechanisms built in. There are a number of plugins that you can use to disable features and scripting, stronger permissions. Now, one thing I do is... with the default permissions you're still tremendously exposed. So what I think is, we want to control the system; we want to be in charge. We want to make sure, I mean, we're the experts here, right? So we want to make sure it's only doing what we want it to do. So one of the things I do is look at this path of how I'm downloading files. You've got the Downloads directory, so what I do is I go in and I remove permissions from the Downloads directory, so when I download something I can never run it from there. I've either got to move it to a staging area, which has different permissions, or... I don't know, yeah. Oh, another thing is I deny admins, on the bottom there. I deny it so admins can't run the browser; only regular users can, so you're never elevating and running the browser. It kind of forces you into use... some of the browsers don't really like that. There's no portable browser... if you can use them, you can run them low integrity; you can do a number of things that make it way more secure, but with the Chrome and Firefox default installs it's hard to do that. But you look at the permissions and you just tighten those up, because that's your biggest entry point. Anti-exploitation software: there are a number of things that will do anti-exploit stuff, anti-malware software that will detect any kind of invalid memory writing, trying to access other processes, any process which shouldn't be running processes. NTLM you want to disable, so you're not sending hashes out to the internet, so people can't do the relay stuff on you; you want to block that. The firewall: you want to

block on your system, and you want to block on the outer firewall. You should really remove the TLS cipher suites, so you're not using the ciphers that you shouldn't be using. I mean, you shouldn't have RC4 on there. Microsoft's getting better about it; they still leave stuff in there that you really can do without, and it's your own system; if it doesn't work, put it back in. You should be able to go to the TLS page on Wikipedia; it's very much up to date on the latest acceptable,

the minimal acceptable settings. Okay, so open ports and services. Firewall: now, I use Windows Firewall, but I also have a second firewall, a hardware firewall, because you can't trust Windows Firewall. Seriously, I found out that Microsoft will... first of all, you've got like 300 rules in there. Three hundred rules, I mean, come on. It's more fun when you do it on Twitter because you type really hard and do all caps and people... anyway. There are just so many default rules. I kill all the default rules and start from scratch, and I found out that Windows will reinstall some of the rules when you do updates, and it will silently reinstall them, so you've got your firewall where rules are appearing without your permission that you never even knew about. So I have an extra firewall just to prevent that. And then there's this program I use, it's called Binisoft Windows Firewall Control or something, where it allows you to set groups for all your firewall rules and then say only these groups should be there, so if any other firewall rule is created that's not in that group it'll delete them. So that kind of keeps track of that. And I also, on some of my systems, on servers and stuff, I use PowerShell scripts to create the firewall rules: just delete everything that's there and then recreate it from scratch. That way I can carefully plan and reproduce what I'm blocking.

Stop services: obviously remote procedure calls, things like NetBIOS over TCP/IP, WINS, just things you just don't need and that are sending stuff out to the internet, but basically just things that are leaking your credentials. Disable any kind of remote management. If you're managing a server remotely, I mean, that's not going to be possible, but otherwise you should disable the remote management. Disable WinRM. There are a couple of scripts on Microsoft's site, one is called NetCease and one's called SAMRi10 or something, that will disable some of the remote management features. You don't want people running PowerShell remotely under SYSTEM, and you can't completely block those, I mean, obviously you can block all the ports on the firewall so nothing comes in.

Telemetry: I already talked about that a little bit; you can remove the telemetry components. Now, it used to be, with the older versions of Windows, you could delete stuff when you first boot up Windows; you have the NT mode where check disk runs, and it's kind of before Windows loads, it's just a limited number of APIs that are available. But I used to have a tool I'd made

that would delete files there, so when Windows started it wouldn't see the files there and so it would try to replace the files. Now with Windows 10 it's way harder; you have to deal with all kinds of stupid stuff to try to prevent it from just putting the files back. So that's why you don't put them on in the first place: you remove them from the disk.

COM and DCOM: I should not be saying this, I want to show you this little quote I found. Okay, so these are some of the things you should disable: the scripting objects, WScript, WScript.Shell, things like WScript.Shell.Run, Scripting.FileSystemObject, ADO, which most of the time you don't need, [inaudible], which most of the time you don't need, and then you can do things like disable DCOM. Okay, I wrote this, this was in a book I wrote in 2002, so 15 years ago; I'm still giving the same exact advice and it's still completely relevant. One of the other talks I attended yesterday was talking about exploiting every single one of these things.

Okay, physical hardware security: one of the things I do is I block all the ports on my system. There are little locking things you can put in there; I mean it's a lock, you have to have a little key. It's not like it's super secure but it does prevent someone casually going up and sticking stuff in there. I also have locking cables on my little firewall thing so no one can stick anything in there. Protect the BIOS. Don't trust hardware like your phone. You shouldn't stick your phone... I mean, a phone is like the worst thing you could possibly plug into your computer, connect to your computer, because this is something that's been on just about every network out there, and you're connecting untrustworthy hardware that's been on the outside to a sensitive computer, the most sensitive computer. What I do is, if you need to charge your phone on your laptop, what I do is just use a little battery pack. You can buy data-blocker cables, but you just get a little portable battery pack, you plug your phone into there and then you plug the battery pack into the laptop, and it keeps it from transferring any data but it still charges.

BitLocker: I mean, definitely use BitLocker, and if you do use BitLocker, do the pre-boot authentication where you enter in the password before the system boots up, because after it boots up you're leaving too many artifacts, you're leaving the keys where they can be stolen. Sticky Keys: there's no time, I'll go on from that.

Exploit mitigations: some of the things you can do. I mean, if you do anything on your system, protect the LSASS process. It's not set by default, but that one thing prevents Mimikatz from dumping all your SAM passwords. It prevents several things; it prevents Mimikatz from accessing the LSA process and so it can't read the stuff that's stored in there. So that alone, if you do anything, run it as PPL (RunAsPPL), and then there are also new audit settings so you can keep track of that.

File associations: that's a big thing that needs to be changed. First of all, I remove JavaScript and VBScript because I don't ever use them on my system, but if I do, I just enable them in my script itself, so that makes sense: I have a script that runs that enables it. And then, yeah, so like JavaScript, .js files should be associated with Notepad, and .vbs files, and all the different... any kind of scripting file, in fact, should be associated with Notepad.

User Account Control: now, people say that User Account Control really isn't a security boundary. It's meant to be to migrate from single user to having separate users, but what's happened is people think User Account Control makes up for having separate users, but it doesn't. So what you do is you make sure, I still can't believe I'm saying this, but make sure you have an admin account and make sure you have a user account. A lot of people still don't do that. Just that one thing there can make a huge difference because it prevents a lot of exploits from happening. There are so many UAC elevation exploits that you really can't prevent it from happening; there are just way too many, there are constantly new ways to exploit that. So if you have a separate user account where you have to enter in the username and password, you completely eliminate a whole entire class of exploits.

Mandatory integrity: I'll get to that. One of the things you can do here, if you're running as two separate users, you can set this RunAsInvoker flag for specific processes so you can run them non-elevated. So for example you can run regedit without having to elevate to an admin, or whatever user has the permissions. Another thing I do is when I need to run something sensitive, I don't elevate on that desktop; I do the fast user switching, and then log in as the admin user and run the stuff on that desktop, because then you have the complete isolation of the session and the window station and desktop. You get all these different protections that will prevent anyone from exploiting that window that you have open. So if you have, like I showed you before, a command prompt running as administrator and you have another process running as a regular user, if malware is able to send keys to the command prompt, then whatever it sends there is going to run as administrator. So it's not that hard to... I mean, again, this isn't for regular users, but just never run stuff as administrator on your regular desktop. They're still running in the same session, it's still running in the same window station and

on the same desktop, so it's completely vulnerable to a number of attacks. So log out, or, like I would, just do fast user switching.

Monitoring: we're out of time so I'm not going to go into this. You've got to do a lot of this. Sysmon is the main tool to use here. For a SIEM you should have an external one, a remote one, and then you should have a local one. One thing I use is EventSentry, which you can have monitor any kind of significant change in the system; it's a free tool. Snort is what I use for IDS. And then, oh, there are tons of tools. I'm going to have a follow-up on this talk on that Peerlyst page; I'll list all the different tools, because there's just way too much to list here. But there are a number of tools you can use to just check your system, just do a sanity check, make sure everything's still clean. Here are some of the more common ones from my favorite tools. NoVirusThanks has tons of cool tools; they have one where everything that runs you have to manually approve, or you can whitelist some things. I whitelist some things and then that way every time something's running I have to manually approve it running. Going back, I mentioned Binisoft Windows Firewall Control; I set that to notify me whenever something new is connecting out, so I have to manually approve every outgoing connection. [Unclear] has some good memory detection stuff, where when one process tries to exploit another process it can detect that. There are tools to monitor registry changes, [unclear] and similar tools. [Unclear] has this one. There's a new feature coming out in the Fall Creators Update where you can only run certain extensions with certain programs from certain locations; they have a tool that lets you enforce that on the system. So that's it. Anyone have a couple more hours for the

rest of it? [Audience question] Yes, that's a MikroTik. I like this one because it's smaller. The question was what the name of the firewall was; this is a MikroTik. I love it; they even have one smaller than this, but it's got two Ethernet and wireless, and it's $25, and it runs off USB power. So yeah, MikroTik. [Unclear] [Audience] So with this knowledge, and the fact that you're using Microsoft Windows, do you consider yourself a masochist? Yes, yeah. Anyone who knows me on Twitter has probably heard me rant about why I use Windows. [Audience] But on a more serious note, the secure mode you start, the Windows 10 feature, the secure mode? Oh yeah, yeah, that is... I believe it's the Fall Creators Update. One thing I forgot to mention is that Microsoft Edge actually has its own kernel that it runs in as well. So I showed you the different kernels; each has its own kernel it currently runs in, so it's actually pretty secure. I won't use Edge... I'll use Windows, but I won't use Edge. You know, I've been doing Windows since Windows has been Windows, so I've used every version of Windows ever, except for one version; I used 1.1, but I used OS/2 also, but hey, hey, old guy.

[Laughter] Any other questions? [Audience] Bromium? Yeah, there are some of the new features that are coming out in the Fall Creators Update; they actually take a lot of features that Bromium uses, the micro-VM approach, to basically virtualize different processes, so they've used that. And they also, Qubes OS, they take a number of the features of that. So Windows is actually becoming very secure, and within a couple of years it's going to be a really incredible operating system. But there are still going to be bugs, and there's still old stuff that will never change. But yeah, they're going to make incredible strides in this; it's really fascinating seeing where they're taking it. It's like someone finally gave them permission to really change stuff, like let's change the kernel, okay, cool. So it's kind of freed them up to completely change the way the operating system works, and the operating system you couldn't secure before, now you can. [Applause] That's awesome, thank you. [Laughter] Anyone else? Give a big round of applause to Mark Burnett, everyone. Thank you. [Applause]
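Editor's added example, not code from the talk or from the speaker's own tooling: a PowerShell script that turns several of the settings discussed above into one reproducible, re-runnable hardening pass for a standalone Windows 10 machine. It rebuilds Windows Firewall from scratch inside a single named rule group and deletes any rule outside that group (the check the speaker gets from Binisoft's tool), blocks outgoing and incoming NTLM, enables LSA protection (RunAsPPL, or its audit mode), re-associates script file types with Notepad and disables Windows Script Host, denies Execute on files under Downloads, and turns off WinRM and NetBIOS over TCP/IP. The rule group name, the allow-listed programs and the Downloads path are assumptions to adjust for your own system; the registry paths and values are Microsoft's documented ones. Run it elevated, on a test machine first, from a local console (not over RDP, since the outbound default becomes Block), and reboot afterwards.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the talk). Hypothetical choices: $Group, the allow-list, $DownloadsPath.
param(
    [string]$Group         = 'Hardening-Baseline',                      # hypothetical group name
    [string]$DownloadsPath = (Join-Path $env:USERPROFILE 'Downloads'),  # profile of the user to protect
    [switch]$LsaAuditOnly                                                # log blocked LSA plug-ins only
)
$ErrorActionPreference = 'Stop'

# Create-or-set a REG_DWORD, creating the key if it does not exist.
function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Delete every rule that is not in our group, e.g. rules an update silently re-created.
function Remove-ForeignFirewallRule([string]$KeepGroup) {
    Get-NetFirewallRule | Where-Object { $_.Group -ne $KeepGroup } | Remove-NetFirewallRule
}

# --- 1. Firewall: wipe all rules, block both directions by default, re-create only ours.
Remove-NetFirewallRule -All
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block -LogBlocked True
$allow = @(   # hypothetical allow-list: DNS for the resolver service, HTTPS for the browser only
    @{ DisplayName = 'DNS out (Dnscache)'; Protocol = 'UDP'; RemotePort = '53';
       Program = 'C:\Windows\System32\svchost.exe'; Service = 'Dnscache' },
    @{ DisplayName = 'Browser HTTPS out';  Protocol = 'TCP'; RemotePort = '443';
       Program = 'C:\Program Files\Mozilla Firefox\firefox.exe' }
)
foreach ($rule in $allow) {
    New-NetFirewallRule @rule -Group $Group -Direction Outbound -Action Allow | Out-Null
}
Remove-ForeignFirewallRule -KeepGroup $Group

# --- 2. NTLM: never send or accept NTLM (stops hash capture/relay), speak NTLMv2 only.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-RegDword "$lsa\MSV1_0" 'RestrictSendingNTLMTraffic'   2   # 2 = deny all outgoing NTLM
Set-RegDword "$lsa\MSV1_0" 'RestrictReceivingNTLMTraffic' 2   # 2 = deny all incoming NTLM
Set-RegDword  $lsa         'LmCompatibilityLevel'         5   # NTLMv2 only, refuse LM and NTLM

# --- 3. LSA protection: LSASS as a protected process, so user-mode tools cannot open it.
if ($LsaAuditOnly) {
    # Audit mode: log plug-ins/drivers that would be blocked (Event IDs 3065/3066) without enforcing.
    Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe' `
        'AuditLevel' 8
} else {
    Set-RegDword $lsa 'RunAsPPL' 1     # takes effect after reboot
}

# --- 4. Script files open in Notepad instead of running; Windows Script Host off entirely.
#     Set 'Enabled' back to 1 from your own script for the rare case you need WSH.
foreach ($ext in '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh') {
    $key = "HKLM:\SOFTWARE\Classes\$ext"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
}
Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled' 0

# --- 5. Downloads: deny Execute to Everyone (S-1-1-0) on files below it, inherited by files only
#     ((OI)(IO): not the folder itself, propagated into subfolders). Stops PE files running in
#     place; scripts handed to an interpreter only need Read, hence step 4.
icacls $DownloadsPath /deny '*S-1-1-0:(OI)(IO)(X)' | Out-Null

# --- 6. Remote management a standalone box does not need: WinRM and NetBIOS over TCP/IP.
Stop-Service -Name WinRM -Force
Set-Service  -Name WinRM -StartupType Disabled
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { Set-RegDword $_.PSPath 'NetbiosOptions' 2 }   # 2 = disable NetBIOS on the adapter
```

Because every rule carries the same group tag and the script starts by deleting everything, re-running it after a feature update both restores the intended rule set and removes whatever Windows put back, which is the reproducibility the speaker gets from his own scripts. The allow-list is deliberately minimal (Windows Update, for instance, is not in it) so that anything else trying to reach out fails visibly in the firewall log rather than silently succeeding. Run the `-LsaAuditOnly` pass first if the machine has third-party LSA plug-ins or smart-card drivers, review the logged events, then enforce.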