
On "standalone" or individual Windows (Vista and above: Vista, Win7, Win8, Win8.1, etc. OS based) computers and tablets, which are configured to use only the "TCP/IP" network component, each of which has Internet connectivity, and where no Windows network is present, we are trying to do the following:

QUESTIONS:

  • (1) How to safely force all apps (including all Windows components) to (always) use an %APPDATA% whose location value is similar to C:\Users\<username>\AppData\Local\ ?
    Or, how to force all apps to use %LOCALAPPDATA%, which now has the location value C:\Users\<username>\AppData\Local\ ?
    Instead of the current %APPDATA%, which by default now has this folder location value: C:\Users\<username>\AppData\Roaming\

  • (2) Optional question: How to make a non-networked standalone individual Windows computer more secure, how to HARDEN its security? How to completely stop roaming profile support, so that none of these Windows computers' config, settings, etc. data are propagated/copied to any other/external computer?

I only need to know the answer to the first question above, but it would be better if both questions are answered. I have already shown a solution/answer for the second question; see if it suffices and is safe.


DETAILS & OPTIONAL sections:

YOU DO NOT HAVE TO READ ANY MORE (please just answer the first question above), unless you want to know more details:

It seems this "AppData\Roaming\" value for %APPDATA% is used by Vista and above Windows OS by default, and to me it appears like this:
this value is purposefully, in advance, pre-chosen and pre-set by Microsoft for all the world's standalone or individual non-networked Windows computers, even before any computer has joined any Windows "Active Directory", "WorkGroup" or HomeGroup etc. Windows-network based servers/computers, or even before any computer has joined any Cloud servers (or any Remote Hosting Provider, or any remote company based remote servers), or even before any computer has joined with any mobile "Windows Phone" OS!
A standalone individual non-Windows-networked Windows computer MUST have everything always inside "AppData\Local\" BY DEFAULT, and must be completely out of reach of (and protected from) any remote or external computer (user or service, etc.).
ONLY after joining any of the previously mentioned servers (or devices or services) should Microsoft Windows OS first ASK that computer's owner or Administrator user whether the user/OWNER wants to enable and use "AppData\Roaming\" for %APPDATA% or not, and ASK/PROMPT the user/owner whether he/she wants to enable "Roaming Profile" mode or not, and then also ask the user which (exact set of) apps to move or transfer into "AppData\Roaming\" for roaming profile propagation. Only after such steps, answers and CONSENT are OBTAINED from the OWNER does using "AppData\Roaming\" (inside %APPDATA%) make valid and legal sense (to us), not otherwise.
A tool/utility must exist from Microsoft to MIGRATE/move ONLY CHOSEN ROAMING apps from the default location "AppData\Local\" into "AppData\Roaming\" and set "AppData\Roaming\" inside %APPDATA%, at least for Microsoft's own Windows components, ONLY after a user/owner of the computer has joined it with a Windows network (like AD, etc.); and no computer MUST set or use "AppData\Roaming\" inside %APPDATA% before joining any Windows network. Such a tool must also perform the opposite, that is, move/migrate apps out of "AppData\Roaming\" into "AppData\Local\" and change the value of %APPDATA% to "AppData\Local\", especially when ANY computer's owner decides to never use (or stop using) any type of Windows network, or decides to never use (or stop using) any roaming profile.


OBJECTIVES:
We are trying to achieve the following:

These (non-Windows-networked) standalone individual computer(s), tablet(s), etc. will NOT (ever) JOIN any type of Windows network ("Active Directory"/AD or "WorkGroup" etc.) servers/computers. So the "AppData\Roaming\" value for %APPDATA% is not necessary for most apps, especially not for any Microsoft local Windows apps or components.
All apps and components must use the preset value "AppData\Local\" obtained from %APPDATA%.
We do not want any app to get comfortable and prepared for propagating stuff out of this computer (by storing stuff inside AppData\Roaming) and somehow copying/migrating it to any other or external computer(s). We need to stop that.
Each Windows computer is pre-assigned to a certain type of or specific set of users, group or person, and is placed in a specific physical location, or is mobile. Each is connected to a network switch, access point or router, either via a wired or wireless connection. The router is connected to the Internet via an ISP. Some of our mobile devices and tablets have a USB based broadband (3G, 4G, LTE, etc.) wireless modem, a wireless phone connectivity/tethering app, or Android wireless phone hotspot connectivity.

We do not want these computers, even for any accidental reason (or by some mistake, some malware, some backdoor based exploit or hack, or any direct user/person of these computers), to suddenly or temporarily join (any type of) Windows/Microsoft network or join such an (Internet, local or Cloud) service, where network software or a service will (somehow) be able to pull, propagate, transfer, retrieve, copy OR move our data, settings, configs, etc. from these "standalone" (non-Windows-networked) Windows computers' AppData\Roaming\ (or AppData\Local\) to any other (or external) computer. We want to completely stop such exploit/abuse, or make it very, very much harder, for any local/remote user or malware.

We need to eliminate (or reduce) those risks.

And we are trying to increase security, hardening security, for each of these Windows computers, and our other computers.


A few basic philosophies or IDEOLOGY:
I'm human; I do not have (or use) a dog or cat, and I will never have a dog or cat, so then, why would I keep a pet door for a dog or cat in my home or in my office?! If I do, then unwanted dogs or cats or OTHER animals or drones will or may get in, right? I do not want that to happen, and I do not want to take the risk. I only need a "door" for humans, with a safe lock and safe alert system. So I will make sure to completely and effectively block (or remove) the dog/cat/pet door, if I had any.
If I load many heavy things, add or enable many features, etc. in my car/vehicle, then my mileage (number of miles/kms which can be traveled per gallon/liter of gas/fuel) will go down (if those added features are not for increasing the mileage), right? As the car is heavier and pulling more weight, I will end up spending more for extra gas/fuel. So I must get rid of such "things" or "features". If I do need to use such "things" later, then I can stop by a nearby reputable "chain store" and buy/rent it. And when I no longer need it, and if I've traveled to another location, then I can still return it to another shop of that same reputable "chain store", or mail it to my home or destination, to deal with later.
Similarly, we must temporarily and effectively "disable" or "stop" the few unnecessary, unused components, apps, services, etc. inside the OS. IF needed or required, only then will we enable it, or obtain it via a secured + encrypted Internet connection.
If I add very nice looking, costly components and features to the outside of the car's body, then greedy persons (most likely, or) may not always control themselves, or they may not exhibit/practice good morals. They may try to steal it or harm the car, and as a consequence my essential resources, and I, will be harmed.
Similarly, various hidden, sleeping or stopped Windows and other apps can be triggered and turned ON directly, manually, or remotely to do many unwanted, unexpected and unnecessary things. We have to stop that.


SOLUTIONS / ACTIONS / SECURITY PRACTICES:
So far these have been applied to each Windows computer:

  • Fresh Windows 7, 8 or 8.1 was installed on these computers and tablets.
  • Apps were loaded/installed using an "Administrator" type privileged user.

  • A 3rd party local DNS resolver with full DNSSEC support, "Unbound" (https://unbound.net/), was installed and configured on each computer, and 127.0.0.1 and ::1 were set as DNS servers in every wired/wireless network adapter's TCP/IPv4 and TCP/IPv6 network stack. Since there were more than 5 such computers, to reduce DNSSEC based (and DNS) Internet traffic, we specified our own 2 forwarding DNS servers inside each local DNS resolver. And 2 Linux/Unix computers run a DNS server (BIND/named with full DNSSEC support). Skipping DNS and other related network details.

  • Then these services and drivers were "DISABLED", as these computers are "standalone", individual, and will not use any type of Windows network, and do not require such components always running or ready to be triggered or turned ON by such:
    SSDP, UPnP, NDP, NetBIOS, IGMP, Teredo, ICMPv6, DNS Client, Distributed Link Tracking Client, Internet Connection Sharing, IP Helper, Secure Socket Tunneling Protocol (SSTP) Service, TCP/IP NetBIOS Helper, SSDP Discovery, UPnP Device Host, Windows Remote Management (WS-Management), WebClient, Server, Routing and Remote Access, Remote Registry, SNMP Trap, Remote Desktop Services, Remote Desktop Services UserMode Port Redirector, Remote Access Auto Connection Manager, Remote Access Connection Manager, Link-Layer Topology Discovery Mapper, Remote Assistance, Teredo Network Adapter, ISATAP Network Adapter, Remote Access IPv6 ARP Driver, NetBT driver, etc. See the referenced URLs below to find out what these are, and how hackers and other entities still use them to exploit and abuse users, computers, routers, private data, etc.

  • We will never use IGMP, so IGMP was disabled with this command: netsh interface ipv4 set global mldlevel=none

  • These network traffic types are "BLOCKED" (and "LOGGED" on some administrator level computers) using firewall rules (because we do not need or use them, and to increase security and free up network resources):
    In/Out IP type 2 (IGMP). In/Out IP type 47 (GRE). In/Out IP type 139 (HIP). In/Out IP type 241 (PXP). Outbound UDP to port 3544 toward multicast 224.0.0.253 (Teredo). In/Out UDP/TCP ports 137, 138, 139 (NetBIOS). In/Out TCP port 445 (NetBIOS). In/Out UDP/TCP port 3389 (RDP). In/Out IP type 58 (ICMPv6), especially a few NDP toward such as: FF02::2 (Local Network Routers), FF02::16 (MLDv2 Report), etc.

  • If one of these computers does need an inbound connection for a specific ESSENTIAL and REQUIRED piece of software, then, instead of allowing Microsoft UPnP (and related services like SSDP, NDP, etc.) to automatically (create or) PUNCH HOLE(s) in the router (or NAT/PAT) system, we take these secured steps: one network adapter (aka NIC) of each new computer is chosen, that NIC's physical MAC address is added to the router's "Allowed MAC List", and a fixed IP address is pre-defined and pre-declared in the router's "LAN DHCP List" for each computer, so that the DHCP service can allocate a specific pre-chosen IP address to a specific computer. Later, when a computer needs an inbound port connection, (one of the) admins adds a UDP port in the router's "Port Forwarding List" for the IP address of that specific computer. And the password protected security suite software inside that computer is programmed (that is, new firewall rules are added) to allow only a very specific piece of software to use that inbound connection. (If the UDP port does not allow the software to work properly, then the same port for TCP is also added to the port forwarding list.)

  • The following options were unselected (DISABLED) in each Windows network adapter (NIC): Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, Link-Layer Topology Discovery Responder, Link-Layer Topology Discovery Mapper I/O Driver. In the WINS tab/section of each NIC, the "Disable NetBIOS over TCP/IP" option is selected. In the DNS tab/section of each NIC, the "Register this connection's addresses in DNS" option is unselected and disabled. And only one IP address, either 127.0.0.1 or ::1, is added to the "DNS server addresses" list, as we are using a configured local ("Unbound") DNS resolver.

  • Direct RAW printing over TCP/IP is used for printing.
  • SCP+SSH based file sharing, and also SSHFS based shared network folders (with Linux/Unix based NAS servers), etc.

  • All types of AutoRun features or options were disabled on each Windows computer.

  • A few other system tuning, registry cleaning and disk cleaning apps/tools were carefully used, after creating restore points.
  • USB device connections are alerted on, tracked and blocked.
  • The BIOS is locked with a password. The BIOS boot menu is disabled.

  • Then other "standard" user accounts were created (on each computer), checked and fine-tuned.

  • To disable Windows Roaming Profile support, the following was done:

    1. Started "Group Policy Management": WindowsButton+R, gpedit.msc, OK.
    2. Navigated to: Computer Configuration\Administrative Templates\System\User Profiles.
    3. Selected the "Enable" option for these two policies: "Prevent Roaming Profile Changes from propagating to the server", and "Only allow local user profiles".

  • Started "System Properties": WindowsButton+R, sysdm.cpl, OK, Advanced, User Profiles, Settings. And each Windows user's profile type was checked: "Local profile" is selected (not "Roaming profile").


Each of these Windows computers has:

• 3rd party security suite software, which includes a firewall, anti-virus, anti-spyware, etc. Most suites are password protected, except on a few admin level access computers. Only a certain set of outbound network traffic is allowed. Everything else is denied, dropped or blocked by default, with a deny report kept in the log.
• Mozilla Firefox is the default web browser. Thunderbird is the default mail client. (But the computers do have MS Outlook.) Firefox in each user's profile on each computer includes these extensions/add-ons: AdBlock, NoScript suite, Tab Mix Plus, Session Manager, DownThemAll, CipherFox Secure, DNSSEC/TLSA Validator (https://www.dnssec-validator.cz), etc. The DNSSEC add-on is configured to use the local 'Unbound' resolver (127.0.0.1 or ::1), not any remote DNS servers. Firefox plugins like these are disabled: Java, Adobe Acrobat, Silverlight Plug-in, Google Talk Plugin, Google Update, etc., as we do not need to use them all the time on each computer.
• A few other anti-malware and anti-spyware related apps (SpyBot Search and Destroy, SpywareBlaster, etc.) are periodically (weekly) used; these apps can add malware distributing website domains, IP addresses, malware detection code lists, etc. to the "Block" list or related configuration location inside each web browser (default/system Firefox, portable Firefox, IE, etc.), the Windows hosts file, etc.
• SIP/VoIP telephony, Skype, etc., and live instant messaging (IM) apps like Pidgin, PChat IRC client, etc.
• Cygwin based tools, OpenSSH, etc.
• GnuPG/GPG for windows, etc.
• VM (and Hypervisor software), etc.


The local network also has a few Linux/Unix computers, which run our website servers, email servers, DNS servers, file server, etc.


What ELSE can be done to make sure such "standalone" (non-Windows-networked) individual Windows computers remain standalone and secured?
And how to make sure apps are NOT using %APPDATA% (which is mapped to AppData\Roaming\)?
That is, we want all apps to use %APPDATA% (or %LOCALAPPDATA%) mapped to AppData\Local\.
And primarily we want to stop all types of personal/private data propagation out of these computers to any external computer.


And by "standalone" Windows computer, here, I'm not pointing to or meaning a Windows computer with no Internet connectivity. I'm indicating a Windows computer which is: non-Windows-networked, or non-AD (Active Directory) networked, or non-Windows-WorkGroup networked, or has no connection with any type of Cloud network or services, or has disabled "Client for MS Networks" and disabled "File & Printer Sharing For MS Networks", or is a TCP/IP-only networked computer with Internet connectivity.

Details are added so that our objectives and configurations are understood easily.

Thanks in advance.

References:
  • [01] http://msdn.microsoft.com/en-us/library/windows/desktop/dd378457%28v=vs.85%29.aspx
  • [02] https://en.wikipedia.org/wiki/IGMP_snooping
  • [03] https://en.wikipedia.org/wiki/ICMPv6
  • [04] http://support.microsoft.com/kb/312138/en-us
  • [05] http://blog.coultard.com/2012/01/how-to-setup-active-directory-users.html
  • [06] http://technet.microsoft.com/en-us/library/hh826139.aspx
  • [07] http://hardenwindows7forsecurity.com/Harden%20Windows%207%20Home%20Premium%2064bit%20-%20Standalone.html
  • [08] https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol
  • [09] https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
  • [10] https://en.wikipedia.org/wiki/Teredo_tunneling
  • [11] https://en.wikipedia.org/wiki/Conficker
  • [12] https://en.wikipedia.org/wiki/ICMP_hole_punching
  • [13] https://en.wikipedia.org/wiki/Multicast_address
  • [14] https://en.wikipedia.org/wiki/Hole_punching
  • [15] https://en.wikipedia.org/wiki/SSHFS
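An audit script, added here and not part of the original question or any Microsoft tool, that checks whether the hardening steps listed in the question (disabled services, NetBIOS and DNS registration off per adapter, loopback-only DNS, the two User Profiles policies, and no roaming profile on the machine) are actually in effect. It assumes Windows 7/8/8.1 with PowerShell 2.0 or later run from an elevated prompt; the registry value names LocalProfile and ReadOnlyProfile are my understanding of what the two policies write, and CentralProfile under ProfileList is assumed to be set only for roaming profiles.

```powershell
# Added audit script (not from the original post or any Microsoft tool).
# Assumptions: Windows 7/8/8.1, PowerShell 2.0+, elevated prompt.
# LocalProfile / ReadOnlyProfile under HKLM\SOFTWARE\Policies\Microsoft\Windows\System
# are assumed to be the values the two User Profiles policies write; CentralProfile
# under ProfileList is assumed to be present only for roaming profiles.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$area, [bool]$ok, [string]$detail) {
    $status = if ($ok) { 'OK  ' } else { 'WARN' }
    [void]$findings.Add("[$status] $area : $detail")
}

# 1. Services the post lists as disabled (display names as shown in services.msc)
$disabledByPolicy = @(
    'SSDP Discovery', 'UPnP Device Host', 'DNS Client', 'Distributed Link Tracking Client',
    'Internet Connection Sharing (ICS)', 'IP Helper', 'Secure Socket Tunneling Protocol Service',
    'TCP/IP NetBIOS Helper', 'Windows Remote Management (WS-Management)', 'WebClient', 'Server',
    'Routing and Remote Access', 'Remote Registry', 'SNMP Trap', 'Remote Desktop Services',
    'Remote Access Auto Connection Manager', 'Remote Access Connection Manager',
    'Link-Layer Topology Discovery Mapper'
)
foreach ($name in $disabledByPolicy) {
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$name'"
    if ($svc -eq $null) { Add-Finding 'Service' $true "$name not installed"; continue }
    Add-Finding 'Service' ($svc.StartMode -eq 'Disabled') "$name StartMode=$($svc.StartMode) State=$($svc.State)"
}

# 2. Per-adapter TCP/IP settings: NetBIOS off, no DNS registration, loopback-only DNS.
#    Caveat: this WMI class may list only the IPv4 DNS servers on some Windows versions.
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE') {
    $netbiosOff = ($nic.TcpipNetbiosOptions -eq 2)      # 2 = "Disable NetBIOS over TCP/IP"
    Add-Finding 'NetBIOS' $netbiosOff "$($nic.Description) TcpipNetbiosOptions=$($nic.TcpipNetbiosOptions)"
    Add-Finding 'DNS registration' (-not $nic.FullDNSRegistrationEnabled) "$($nic.Description) FullDNSRegistrationEnabled=$($nic.FullDNSRegistrationEnabled)"
    $dns = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    $nonLoopback = @($dns | Where-Object { $_ -ne '127.0.0.1' -and $_ -ne '::1' })
    Add-Finding 'DNS servers' (($dns.Count -gt 0) -and ($nonLoopback.Count -eq 0)) "$($nic.Description) DNS=$($dns -join ',')"
}

# 3. The two User Profiles group policies from gpedit.msc (expected as REG_DWORD 1)
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
Add-Finding 'Policy' ($pol.LocalProfile -eq 1) "Only allow local user profiles: LocalProfile=$($pol.LocalProfile)"
Add-Finding 'Policy' ($pol.ReadOnlyProfile -eq 1) "Prevent roaming changes propagating: ReadOnlyProfile=$($pol.ReadOnlyProfile)"

# 4. Does any user profile on this machine point at a central (roaming) path?
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($p in Get-ChildItem $profileList) {
    $props = Get-ItemProperty $p.PSPath
    if ($props.ProfileImagePath -notlike '*\Users\*') { continue }   # skip system/service profiles
    $roaming = -not [string]::IsNullOrEmpty($props.CentralProfile)
    Add-Finding 'Profile' (-not $roaming) "$($props.ProfileImagePath) CentralProfile='$($props.CentralProfile)'"
}

# 5. Sanity check: with no roaming profile, %APPDATA% and %LOCALAPPDATA% are both
#    plain directories under the local user profile.
Add-Finding 'Env' ($env:APPDATA -like "$env:USERPROFILE\*") "APPDATA=$env:APPDATA LOCALAPPDATA=$env:LOCALAPPDATA"

$findings
```

Every line prefixed WARN is a step from the list above that is not (or no longer) in effect on the machine being checked; the script only reads settings and changes nothing.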

Michael Hampton
atErik
    I'm really not following why you think having files in the roaming portion of the profile is some kind of security risk. I think you need to read up on how roaming profiles work, and then stop worrying about it. – Dan Apr 21 '14 at 09:15
  • If a computer is purposefully not networked with any type of Windows network or any Windows cloud or any other cloud, and never will be, then why does it need to save stuff in %APPDATA% which is mapped to AppData\Roaming\, why is it not by default set to AppData\Local ?! – atErik Apr 21 '14 at 11:04
  • Because that's how the Windows profile architecture works. An application has to make a conscious decision where to store its files, based on whether those files should roam. If there are no roaming profiles configured, it makes no difference anyway. – Dan Apr 21 '14 at 11:12
  • I also do not really get the objective here... Without roaming profiles, the %APPDATA%\Roaming path is *just a directory on the local computer*, nothing else.. – MichelZ Apr 21 '14 at 11:42
  • I'm more curious about the drones getting in through the doggy door. – TheCleaner Apr 21 '14 at 13:23
  • `"Non-AD (Active Directory) networked, or Non-Windows-WorkGroup networked"`- it's either one or the other...but not neither (both in your double negative world). – TheCleaner Apr 21 '14 at 13:28

1 Answer

You can't force this, so don't worry about it.

If you're not using roaming profiles, the two directories are not different. If you were to use roaming profiles at any time, then the Roaming folder would be part of the roaming profile.

[...] by some mistake or by some malware or by some backdoor based exploit or hack, or by any direct user of these computers), suddenly or temporarily join in a (or any type of) windows/Microsoft networks or join into such (Internet or local or Cloud) service, where network software or service (somehow) will be able to pull, propagate, transfer, retrieve OR move our data, settings, configs, etc, from these "standalone" (non-windows-networked) windows computers' AppData\Roaming\ (or AppData\Local), to any other (or external) computer.

If you're worried about malware joining your computer to a malicious AD and then turning roaming profiles on, you're in tinfoil hat territory. The malware would just steal your data without jumping through those hoops.

If you're worried about an end user doing this, take away their local admin rights, then they can't join the PC to any AD.

MDMarra
  • If these are used for forcing, will it work or be safe? `mklink /D "%APPDATA%\" "C:\Users\\AppData\Local"` or `mklink /J "%APPDATA%\" "C:\Users\\AppData\Local"` – atErik Apr 21 '14 at 13:20
  • What are you asking? – MDMarra Apr 21 '14 at 13:21
  • I'm not sure what you think that will solve or harden you against – MDMarra Apr 21 '14 at 13:47
  • Response to the last paragraph in your top post: the concern is not only about AD, there are many others, and derivatives, compatibles, etc. Is it possible for someone to give another any guarantee that a "standard" user, or a malware in a standard user's usage session, can never join a PC with AD or with the others mentioned earlier?! We are just trying to make it harder for user/malware, and to reduce chances, risks, vulnerable points, etc. – atErik Apr 21 '14 at 18:22
  • If you're worried about a piece of malware joining a computer to a domain rather than just stealing the data, you are worried about the wrong things. You should consider hiring a security consultant to educate you and your coworkers. – MDMarra Apr 21 '14 at 23:16
  • A hired consultant will teach them morals?! And no one here wants to discuss how to make it harder!!! Where do you get these ideas!!! – atErik Apr 22 '14 at 00:35
  • Sorry, you are making less and less sense the more you talk. I'm done trying to assist you. Good luck! – MDMarra Apr 22 '14 at 00:36