Windows 200x/XP virus-proof document released

From: Wellington Terumi Uemura (wellington_at_fakemail.com)
Date: 05/31/04


Date: Mon, 31 May 2004 11:36:33 -0300

Hello!

Some time ago, I was asking people to send me viruses and worms for my
personal research:
http://www.derkeiler.com/Newsgroups/microsoft.public.security.virus/2004-03/1673.html

And I did receive many jokes about it, people telling me that "if it was
that good, other "specialists" would have released the information
before" or that this kind of "stuff" is IMPOSSIBLE. E-mails from
everywhere, including some people from Microsoft Brasil, telling me to show
them what this "magic" was all about.

The good part is that, after sending this document to a person at
Microsoft Brasil, they never replied or made any comments about it, nor
did other "specialists" who somehow got the document, beyond telling me
that "I knew that, nothing new about it"!

It is strange that security magazines and sites, when it comes to the worm
and virus issue, focus on "firewall and antivirus" or on "don't open unknown
files that come into your e-mail box, don't do this, don't do that". I know
that users don't care about it, thinking that an antivirus will prevent
infection; many of us were using antivirus when Mblaster came out, and
many others to date.

It's well known that an antivirus can protect you after infection, not
before; Mblaster, Mydoom, Netsky, Sasser, etc. are very good examples of
that. Who has never downloaded the latest removal tool for the latest worm
or virus before they had time to create a "cure" for it?

I am not against antivirus software, not at all, but it has some
limitations: some are not smart enough to identify whether a change that
you are making in your system is beneficial or not; some will prevent
system modifications, others won't.

As I have said before, I came from a Linux environment, and in most cases
a non-root user can't do any damage to the system; this is also true
with the latest Windows systems that use an NTFS partition.

After nights of research, I've found out that the only way to get
infected on Windows 200x/XP with an NTFS partition is that I must have
administrative permission to make system changes. My tests show that a
worm or virus would not add itself to the system partition without
permission, or make changes in the registry, in particular the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Following the Linux security basics, I've made some changes to the system.

1 - Create a restricted user for daily use (reading e-mail, accessing
pages, work).
2 - Remove the group EVERYONE and set the permission for the group USERS
to READ AND EXECUTE ONLY.
3 - Keep FULL CONTROL only for SYSTEM, ADMINISTRATORS and CREATOR OWNER.

The Windows 2000 Advanced Server that I have here to test (demo) has the
C:\ partition set to EVERYONE FULL CONTROL.

To administrators who would try to implement these modifications, a
warning: you will get some problems if you don't know what you are
doing; that's why this solution is for corporate environments.

Some users may have problems writing to %WINDIR%\temp (C:\Windows\Temp
or C:\WINNT\Temp), so your system administrator must set the appropriate
permissions on this folder or any other that your company uses.

Users will not be able to install applications on this system or make
any changes to the registry; to do so, they need to use "Run as..." to
install applications or whatever else will make changes in the system
(drivers, for example).

Once installed, users will use their applications normally; maybe some
applications need a special permission to run for all users, but it is
up to the administrator to set these permissions, which can be done
easily with programs like regmon and filemon.
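As an added example (not from the original post or the PDF it links), the following PowerShell audits the objects the post singles out, the system partition root, %WINDIR%\Temp and the Run key, for Allow entries that give EVERYONE or Users more than read and execute; it only reports and changes no ACL. It assumes Windows PowerShell 5.1 or later and enough rights to read those ACLs.

```powershell
# Added example, not from the original post. Reports ACEs on the system
# partition, %WINDIR%\Temp and the Run key that give low-privilege groups
# more than read and execute. Read-only: nothing is modified.
# Assumes Windows PowerShell 5.1+ and rights to read the ACLs.

# Groups a restricted daily-use account belongs to.
$LowPrivIdentities = @('Everyone', 'BUILTIN\Users')

# Rights beyond "Read & Execute" on files and folders.
$FsWrite  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
# Rights beyond read on registry keys.
$RegWrite = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions'

function Get-LowPrivWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $isRegistry = $acl -is [System.Security.AccessControl.RegistrySecurity]
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        # Registry ACEs carry RegistryRights, file ACEs carry FileSystemRights.
        if ($isRegistry) { $rights = $ace.RegistryRights;   $mask = $RegWrite }
        else             { $rights = $ace.FileSystemRights; $mask = $FsWrite }
        # -band on the raw bit masks also catches generic rights (e.g. GENERIC_ALL)
        # that do not map to a named enum value.
        if (([int]$rights -band [int]$mask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Objects named in the post. A write grant for Users on %WINDIR%\Temp is
# expected (the post says the administrator must allow it); on the partition
# root or the Run key it is exactly what the lockdown is meant to remove.
$targets = @(
    "$env:SystemDrive\",
    "$env:WINDIR\Temp",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$findings = foreach ($t in $targets) { Get-LowPrivWriteAce -Path $t }
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No Allow entries beyond read & execute for Everyone/Users on the audited objects.' }
```

Run it before and after applying steps 2 and 3 above: the partition-root and Run-key entries should disappear, while the Temp entry stays.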

At the Microsoft Brasil events that I could participate in, they never
talked about this before; maybe after the document spreads for a while
someone will take credit for it (nothing new about that), or you will find
a new security paper telling you why to use a restricted user on a daily
basis.

This is what the document was all about, restrictions and user
permissions; I've done the tests myself, along with some companies that
don't want their names involved, and it proved to be true.

It took some time to make many tests, and since December 2003, neither
my computer nor the companies involved got infected by ANY virus or worm.
This procedure also worked out fine to prevent modifications to your IE
browser by browser hijacking techniques.

The original document (PDF) in Portuguese is here:
http://members.fortunecity.com/wellingtonuemura/protec/

I hope people make good use of it, and let me know if anyone has any
comments about it.

Wellington Terumi Uemura
wellingtonuemura (at) hotmail.com