Closed Solved

Locking Down Windows 7 Home Premium

I am on a large LAN that I absolutely cannot disconnect from. I am using Windows 7 Home Premum with the latest updates. I use Comodo Internet Security (AV and firewall). Here is the problem: I am being hacked from the LAN level. What can I do to lock down my OS and minimize my attack surface?

My Macbook doesn't succumb to this, but my fully updated Windows 7 PC gets hacked relatively easily from other users on the same LAN. I am experiencing remote code execution (IE9), unattended installs and system wide changes.

What can I do to minimize my attack surface?
9 answers Last reply Best Answer
More about locking windows home premium
  1. Do u really have to use IE? Chrome or FF or Opera will do much better job.
  2. Best answer
    junction51 said:
    I am on a large LAN that I absolutely cannot disconnect from. I am using Windows 7 Home Premum with the latest updates. I use Comodo Internet Security (AV and firewall). Here is the problem: I am being hacked from the LAN level. What can I do to lock down my OS and minimize my attack surface?

    My Macbook doesn't succumb to this, but my fully updated Windows 7 PC gets hacked relatively easily from other users on the same LAN. I am experiencing remote code execution (IE9), unattended installs and system wide changes.

    What can I do to minimize my attack surface?


    I have been experiencing something very similar. I haven't solved it yet, but I've narrowed it down with a lot of research. Most likely scenarios are a netbot or something screwy in Microsoft's registration files.

    Most frustrating is that it is recurring and survived two clean installs. I even bought a new computer (another Win7 Home Premium). I plugged it in and connected to the internet and eventually the configuration and behavior started again -- but before I entered any personal info. That was a big clue. It seems somehow tied to my internet access/ISP/IP address? (My other computer was turned off to ensure it wasn't "talking" to the new computer).

    It's helped to get insight to its activity, and separate out what's normal Win7 and what's malicious. Definitely malicious are the code injections. It injected all of my common apps, including Office and my virus protection. On my last computer I had Norton 360, and the next computer had Comodo. Both were taken over, but you wouldn't know unless you knew what to look for. As they were running, they were ultimately acting as agents while pretending to protect my computer.

    Here are some of the best tools I've found, and would love suggestions if you know any:

    The Sysinternals suite of tools are excellent (free on Microsoft's website), and they released a manual/book that I highly recommend (I got the Kindle version at Amazon). The book tells how to use the tools to track down malware, and it's in a quick-reference format.

    So many great tools among them, but the bread and butter for me are Process Explorer and Process Monitor. One brief example: Run Process Monitor, then download an app such as HijackThis (from a reputable site) and install it. Then go back thru the Process Monitors log and and look at what happened to the file. Then launch Process Explorer and the app you just installed. Give it a little time to get active. Then double click the app in Process Explorer and look through all the dialogs to see what attached itself and what the app is really doing. Launch TCPView to monitor the network traffic. I was disturbed to find that my *system* files were all set up to open ports and initiate connections.

    Another excellent free utility (available on cnet.com) is SIW.exe. It showed I was running "Terminal Services with remote admin mode." I later found by launching Computer Management (a Win7 admin tool) and going to Shared Folders > Shares it designates Remote Admin and Remote IPC. It's so frustrating...I'm a basic home user... why is my computer set up with this complicated configuration???

    I found a lot of debris in logs and temp files and such. Set your indexing rules to index everything, including content, in all files including system files, etc. Then search on things like "terminal" (which catches terminal server and terminal services) and "manifest" (which catches many altered files and apps). Put spaces between letters to catch entries embedded in code (e.g. "p r i v a t e" catches some private builds). Search "log" and "active setup" for installation roots. And so on. In the c:\Windows\Installers (or something like that) folder were a bunch of .tmp files that were suspicious. If you have that directory check out the files and see what you think.

    One other item of note is how limited (and vulnerable) Home Premium is. There isn't access to viewing and administering Group Policy and that's how a lot of this is controlled. I upgraded one computer to Win7Pro. It didn't solve the problem, but it gave me a lot more access to see what was happening. It was also curious that I had features activated in Home Premium that aren't even supposed to be available with that edition (enterprise services, "terminal services," etc.).

    The last thing I'll mention is the Active Setup. I think it was in the registry that I found the list of components that were managed like the unattended installs you mentioned. I traced a lot of this back to Windows updates configured with Windows Live. That's what makes me think it's a MS registration thing -- this configuration seems to be originating at MS. It's like their registration db thinks I have a different version so it's installing the wrong files. However, talking with MS tech support, they said that what gets installed is determined from my computer. The jury is still out on that one.

    I could go on and on but not even sure if we are dealing with the same thing. I hope this helped. If you have any feedback or suggestions for me, I'd all ears.
  3. junction51 said:
    I am on a large LAN that I absolutely cannot disconnect from. I am using Windows 7 Home Premum with the latest updates. I use Comodo Internet Security (AV and firewall). Here is the problem: I am being hacked from the LAN level. What can I do to lock down my OS and minimize my attack surface?

    My Macbook doesn't succumb to this, but my fully updated Windows 7 PC gets hacked relatively easily from other users on the same LAN. I am experiencing remote code execution (IE9), unattended installs and system wide changes.

    What can I do to minimize my attack surface?


    Where is the LAN at? At a university?
  4. It was simply a theoretical problem. It never existed.
  5. A Bad Day said:
    Where is the LAN at? At a university?


    The question that I had posed in this thread was a theoretical problem. It was not real.
  6. I wanted to see if Windows 7 could be tuned and configured to have comparable security (from an attack surface perspective) to Mac OS. If that makes it more clear...
  7. Best answer selected by junction51.
  8. This topic has been closed by Nikorr
Ask a new question

Read More

Security Windows 7 LAN