How to Lock down Your Windows 7 Machine Like Fort Knox

Published Sunday, 21 December 2014

I like security. There's a fact for you

Imagine you're going to sleep, and you suddenly realised you've left the front door wide open, with the keys still in the lock. How would you react? Anyone with the right state of mind (and who doesn't have a fully trustworthy 24/7 security team to pry the keys from that lock, close the door and secure the premises for you) would get up, go to the front door, close it and lock it, before proceeding back to bed with the confidence that an unwanted person won't be getting in.

Your computer wide open like that proverbial front door, and even so if you use your administrator account for your day-to-day, and let's face it, who doesn't these days when you can have a computer each?

I decided to write this article after I read about a tool which claims to break bitlocker drive encryption, and one of the described methods was to get a hold of the computer whilst it was unlocked on an administrator account, install the software, then do evil.

This is done by using the default UAC (User Account Control) settings to gain applications privileged access without the need for actual administrator input.

Not on my computer, heres how:

Part One - Telling the computer what to do when evil brews

In this part we will fiddle with some of the darkest depths of security settings available to make administrator privilege requests (UAC elevations) much harder for an evil person to make a computer do evil stuff

Step One

Open up the Local Security Policy by going to Run and typing secpol.msc Hit enter and it should open up the local security policy (if you are requested to allow it privileges, click yes. Notice how you just get a yes or no, and anybody with access to your computer can click 'yes' or 'no' for you (to do very evil things)). Turns out that by default you don't get this prompt. Evil people could be changing them for you!

Step Two

Navigate to Local Policies/Security Options and scroll to the bottom of what should be a long list of stuff

Step Three

Find these three entries entitled User Account Control, and check they are set to the following, if not set it to them by double clicking the option and selecting it from the drop down menu:

User Account Control: Admin Approval Mode for the Built-in Administrator account
    Default: Disabled
    Setting: Enabled
User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode
    Default: Prompt for consent for non-Windows binaries
    Setting: Prompt for credentials on the secure desktop
User Account Control: Behaviour of the elevation prompt for standard users
    Default: Prompt for credentials
    Setting: Prompt for credentials on the secure desktop

Part Two - Telling the computer to be more picky

Now that we have prevented evil people breaking past privilege requests without an administrator present, we need to make it so that the computer calls for an administrator more often. Doing this also prevents an evil person undoing all the good we did in part one.

Step One

Go to Start, open up Control Panel and in the search box, type 'UAC' and click 'Change User Account Control Settings'

Step Two

Click 'yes' to the UAC prompt (the last time you'll ever click yes) and set the slider to 'Always Notify', as seen below UAC Notification Selection Screen

Your computer is now protected from evil people at the cost of you having to enter your password every time you do something administrative, which shouldn't happen with average day-to-day computer usage.

If you do get the UAC prompt, before you enter your password, think: Why am I doing this?The UAC is there to tell you that you are doing something that is potentially dangerous, so take the time to take a step back and ensure that you are making the right decision

Stay Safe and have a Merry Christmas everyone!