Enhancing your security posture in the work from home world.

[Image: internet modem/router taken from my office. Photo by Stephen Phillips]

Why?

Home users are often chucked into the deep end after signing up to an internet package and connecting their devices to the ISP-supplied router, with its default passwords still in place and several security settings disabled or misconfigured.

The devices connected to the router come configured out of the box with a trial antivirus carrying a few months of subscription, unnecessary and often vulnerable third-party software, and no instructions on how to maintain any of it.

Education (at least in the UK) has swapped from the technical route of maintaining, operating, and using computer systems to a heavy emphasis on programming, removing several key aspects of owning these devices.

2020 has highlighted the reliance on these home networks to conduct work from home, and small steps like the following enhance your ability to protect yourself, your data, and the services you use and access.


1. Secure the router

Before starting with all of the steps that follow on the router, you're going to need to be connected to your home network, and rather than several strained visits to the router (often in an inaccessible place) it is worth taking a few photos of the details on the sticker/card underneath the router. They may also be located on the box the router was supplied in. Failing that, you may be in luck if the router uses a generic username and password; these can be searched for on the Router Passwords website.

You are looking for the following key aspects:

  • Make/Manufacturer.
  • Model.
  • Password(s).
  • Serial number.

It is preferable to use a wired connection when making the wireless changes and firmware updates, otherwise you risk network interruptions or the device bricking itself during the update.

1.1 Check the router is still supported

The previously mentioned sticker or card will contain the manufacturer's name (e.g. BT, Draytek, Netgear, TP-Link, to name a few), the model number, and sometimes its hardware revision.

Checking the manufacturer's support site for that model (sometimes via a serial number check) will allow you to see if it has reached "end of life", the industry term for the manufacturer no longer providing updates to the software (firmware) running on the device. Sometimes manufacturers also use the term "end of sale" and never officially discontinue the model until it just disappears from their website.

This can also be confirmed on the downloads page for the model: if the latest software/firmware version was released more than 6-12 months ago, it is highly likely the unit has been discontinued or neglected in favour of newer models.

You can check the end of life on any search engine by typing the manufacturer e.g. "draytek", model e.g. "2830n", and combining it with one of these phrases as part of the search:

  • end of life
  • EOL
  • end of sale
  • EOS

Should you find the make and model close to or beyond its end of life date, it is time to start factoring in the cost of replacing it with a newer model. You can go back to the ISP for a newer model, or provide your own as a replacement.

Choosing a replacement goes beyond the scope of this page, and will follow in a future article due to the range of connection types/options offered.

1.2 Gain access to the admin portal

As with most of the tasks that follow from this point, you will need access to the administration portal for the router using the username/password combination from the sticker/card/box; alternatively you may have some luck using the Router Passwords website mentioned above to look up the generic login details for the manufacturer/model.

To get access to the router page you will need to find the gateway address. This is easily achieved by opening a command prompt and typing the following command:

ipconfig

Look through the results for the default gateway address; typically this will be something like:
192.168.0.1 / 192.168.0.254 / 192.168.1.1 / 192.168.1.254

Once you have your gateway address, visit it in your web browser of choice by typing the IP address into the URL/address bar; you may need to prefix it with http:// or https:// to get access, e.g. http://192.168.1.1

Some routers require a port to gain access to the admin page, such as :81, :808, :8080 or :8443, for example http://192.168.1.1:8080

Typically this is listed in the user manual for the router so don't be disheartened if it doesn't work initially.
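The ipconfig step above done from PowerShell instead, as an added example that is not part of the original article: it reads the default gateway from the routing table and then checks which of the admin-portal ports listed above actually answer on your own router, so you know which URL to try before opening a browser. It assumes Windows 10 with the built-in NetTCPIP module (Get-NetRoute, Test-NetConnection) and no elevation.

```powershell
# Added example (not from the original article): find the default gateway and
# test which of the admin-portal ports mentioned in the article answer on it.
# Assumes Windows 10 with the built-in NetTCPIP module; no admin rights needed.

function Get-DefaultGateway {
    # The IPv4 default route (0.0.0.0/0) points at the router's LAN address.
    $route = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Sort-Object -Property RouteMetric, InterfaceMetric |
        Select-Object -First 1
    if (-not $route) { throw 'No IPv4 default route found; are you connected to the network?' }
    return $route.NextHop
}

function Find-RouterAdminUrl {
    param(
        [string]$Gateway = (Get-DefaultGateway),
        # Ports from the article: plain HTTP/HTTPS plus the alternates some routers use.
        [int[]]$Ports = @(80, 443, 81, 808, 8080, 8443)
    )
    foreach ($port in $Ports) {
        # -InformationLevel Quiet returns a plain $true/$false instead of a verbose object;
        # closed ports also emit a warning, which is silenced here.
        $open = Test-NetConnection -ComputerName $Gateway -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        $scheme = if ($port -in 443, 8443) { 'https' } else { 'http' }
        $url = if ($port -in 80, 443) { "${scheme}://$Gateway" } else { "${scheme}://${Gateway}:$port" }
        [pscustomobject]@{ Gateway = $Gateway; Port = $port; Open = $open; Url = $url }
    }
}

# Usage: list the candidate admin URLs and whether each port answered.
Find-RouterAdminUrl | Format-Table -AutoSize
```

Each closed port takes a few seconds to time out, so expect the table to appear slowly; the rows marked Open = True are the URLs worth trying in the browser.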

1.3 Change the default router admin credentials.

One of the biggest steps you can take to secure technology at home is to change the default username and password for the admin account that manages the device(s).

This ensures that guests, users and attackers on the network cannot interfere with the settings and configuration of the device without exploiting a vulnerability in the router firmware.

1.4 Check and update the router firmware.

As with all major changes, make sure to back up your router configuration before anything major is changed. This is often under a section such as backup/restore, or configuration download.

Depending on the router model this is listed as either updates, upgrades, or firmware on the panel. You may need to visit the support page for your router and manually upload the file to the router to perform the update. Some routers will allow you to perform the check, download and install within the admin portal.

If you're performing the update via the manual upload method, please ensure you are connected to the network directly via a network cable to maximise the chances of a successful update.

1.5 Filter your connection - Update the DNS servers.

*Note - Some ISPs will not allow the DNS servers on the ISP-supplied router to be changed. If you are unable to update the DNS servers on your ISP-supplied router you can either set them manually on each device (Section 2.6), or install/subscribe to a filtering solution which has a software agent, such as NextDNS, DNS filter, SafeDNS, and CleanBrowsing.

For those routers which can change DNS, there are a few free filtering options, but they break down into two categories.

  • Filtering of malicious threats.
  • Filtering of malicious threats, and adult content.

Malicious threats

Quad9

IPv4 DNS Server 1: 9.9.9.9
IPv4 DNS Server 2: 149.112.112.112
IPv6 DNS Server 1: 2620:fe::fe
IPv6 DNS Server 2: 2620:fe::9

Cloudflare

IPv4 DNS Server 1: 1.1.1.2
IPv4 DNS Server 2: 1.0.0.2
IPv6 DNS Server 1: 2606:4700:4700::1112
IPv6 DNS Server 2: 2606:4700:4700::1002

Malicious threats, and adult content

Cloudflare

IPv4 DNS Server 1: 1.1.1.3
IPv4 DNS Server 2: 1.0.0.3
IPv6 DNS Server 1: 2606:4700:4700::1113
IPv6 DNS Server 2: 2606:4700:4700::1003

I have excluded OpenDNS/Cisco Umbrella from the above list as they don't support IPv4 at the time of writing, should this change I will update the list with the appropriate addresses.

1.6 Secure the WiFi settings and encryption.

Most of the default wireless settings on routers are set to be compatible with as many devices as possible, without thought as to the security implications. With a few minor tweaks the settings can make a world of difference in protecting your network and its communications.

Disable WPS/WiFi Protected Setup

WPS as a feature was designed to allow the easy joining of devices to a wireless network, usually by a short PIN printed on the device, or a physical WPS button that lets anyone join the network during that period.

Over recent years, however, it has been found to be vulnerable and subject to easy exploitation; disable it in the wireless settings to secure the router.

Encryption Types

The encryption type selected dictates the level of security between the wireless devices and the router. Some types offer no security at all, others are vulnerable and trivial to break.

For home users the use of Pre-Shared Keys (PSK) is the only realistic option without setting up RADIUS authentication services, which is beyond the reach of most users.

The selected options are rated in terms of security here:

  • No Encryption - DO NOT USE
  • WEP - DO NOT USE
  • WPA - DO NOT USE
  • WPA/WPA2 - DO NOT USE
  • WPA2
  • WPA2/WPA3
  • WPA3

It is my suggestion to use at least WPA2, and where possible WPA3. Device compatibility means that WPA2/WPA3 will be needed for at least a couple of years yet, until older devices are replaced or become compatible with the newer standard.

Encryption Ciphers

On the same wireless configuration page it may offer you the option to select the cipher for encryption.

In terms of security:

  • TKIP - DO NOT USE
  • CCMP/AES
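A way to see what your Windows laptop actually negotiated with the router, as an added PowerShell example that is not part of the original article: it parses the output of the built-in `netsh wlan show interfaces` command and rates the authentication and cipher against the two lists above (WEP/WPA/TKIP out, WPA2 as the floor, WPA3/CCMP preferred). It assumes Windows 10 and a WiFi adapter; the sample text embedded in the block is constructed so the parser can be exercised without one.

```powershell
# Added example (not from the original article): report the authentication and
# cipher the machine negotiated with the router and flag the settings the article
# rates "DO NOT USE". Assumes Windows 10's built-in "netsh wlan"; the sample text
# at the bottom is constructed for an offline run.

function Get-WlanSecurity {
    param(
        # Pass text here to parse without a live adapter; the default is the live output.
        [string[]]$NetshOutput = (netsh wlan show interfaces)
    )
    $info = @{}
    foreach ($line in $NetshOutput) {
        # netsh prints "    Key   : Value" lines; keep the first occurrence of each key.
        if ($line -match '^\s*(SSID|Authentication|Cipher)\s*:\s*(.+?)\s*$' -and -not $info.ContainsKey($Matches[1])) {
            $info[$Matches[1]] = $Matches[2]
        }
    }
    # Ratings follow the article's lists: WEP/WPA(1)/TKIP are out, WPA2 is the floor, WPA3 preferred.
    $authRating = switch -Regex ($info['Authentication']) {
        '^Open|^WEP|^Shared' { 'DO NOT USE (no or broken encryption)'; break }
        'WPA3'               { 'Good (WPA3)'; break }
        'WPA2'               { 'Acceptable (WPA2)'; break }
        'WPA'                { 'DO NOT USE (WPA1)'; break }
        default              { 'Unknown' }
    }
    $cipherRating = switch -Regex ($info['Cipher']) {
        'TKIP'  { 'DO NOT USE (TKIP)'; break }
        'CCMP'  { 'Good (CCMP/AES)'; break }
        'GCMP'  { 'Good (GCMP, used by WPA3)'; break }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        SSID           = $info['SSID']
        Authentication = $info['Authentication']
        AuthRating     = $authRating
        Cipher         = $info['Cipher']
        CipherRating   = $cipherRating
    }
}

# Constructed sample of netsh output for a network still using WPA2 with TKIP.
$sample = @'
There is 1 interface on the system:

    Name                   : Wi-Fi
    State                  : connected
    SSID                   : HomeNet-Example
    Authentication         : WPA2-Personal
    Cipher                 : TKIP
'@ -split "`n"

Get-WlanSecurity -NetshOutput $sample   # flags the TKIP cipher
Get-WlanSecurity                         # live check of the current connection
```

If the live check shows TKIP or a WPA2/WPA mixed mode, change the router's cipher to CCMP/AES and the mode to WPA2 or WPA2/WPA3 as described above, then reconnect and run it again.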

1.7 Disable remote administration.

If your router exposes a remote administration page, disable it. Remote administration opens up your router to tens of thousands of automated attacks and password attempts per day, and exposes the administration function and interfaces to the internet, increasing the attack surface.

This should be disabled by default on most setups, however some providers do still enable it, or it may have been enabled by a third party or a helpful family member/friend.

1.8 Advanced security features - Intrusion prevention.

Some makes and models of router such as the Ubiquiti Unifi, Draytek, and Cisco Meraki Go include security features such as gateway web filtering, intrusion prevention, deep packet inspection (DPI), and layer 7 filtering as part of their offerings.

This guide cannot go into depth on how to configure these options but if they are available on your model of router it is well worth enabling them to enhance your security posture.

1.9 Disable the ISP supplied public WiFi/hotspot network.

Some providers offer a service on the router to enable their public hotspot networks. These networks use the broadband capacity and WiFi to transmit a separate network with internet connectivity.

I advise disabling these for a couple of reasons:

  1. Any users of the hotspots use your internet capacity and it can impact your download/upload speeds.
  2. It piggybacks onto your router and uses resources that could otherwise be available to serve your devices.

BT: https://www.bt.com/help/broadband/how-do-i-opt-out-of-bt-wi-fi-
Virgin: Sign in to your Virgin Media account on the website, go to Profile, select WiFi Opt-out and click Save.

1.10 Enable the Guest WiFi for visitors.

If you're lucky enough to have a router with a Guest WiFi network available, it is great to put guests/visitors onto that network and rotate the password whenever you have an issue with slow speeds. These guest networks are separated from the home network and ensure that guests do not interact with internal home devices.


2. Secure the computing devices.

Now that you have hopefully tackled all the issues with your router, it's time to secure, clean up, and harden the devices to make them less susceptible to attack.

2.1 Ensure you're using a modern operating system.

Hold the Windows key, and the letter R together to get the run prompt.

Type: winver

Click OK. A window will pop up with the operating system and its version.
[Screenshot: winver window]

As you can see from the screenshot, the operating system is Windows 10 and the version is 20H2 (2020, second half); 21H1 would be 2021 first half, and 1903 would be 2019 first half.

Microsoft supports the current release and the two releases behind it, which means roughly 18 months of support for each version.

To upgrade to the latest version: click the start menu, Settings (cog icon), Update & Security; it should be offered as a feature update beneath the update button.

Should you fall behind and be unable to use the Windows Update method, run the following tool to force an upgrade to the latest version: https://www.microsoft.com/en-gb/software-download/windows10

2.2 Run operating system updates.

Ensuring you have the latest updates is one of the easiest ways to protect yourself from threats online.

Click the start menu, Settings (cog icon), Update & Security, then click Check for updates; it will eventually refresh the list of updates and attempt an install.

2.3 Uninstall unused software.

There are two places to check, as unfortunately Microsoft still hasn't fully merged the old Control Panel and the new Settings page. Some programs can only be uninstalled via Settings, and others via Control Panel.

You can check on Google what applications are/do if you are unsure about them. Some common and easy hits are old games, search bars, and old mobile phone software.

Every application removed minimises the attack surface, and in the case of software like iTunes, removing it speeds up the machine.

Settings

Start, Settings (Cog icon), Apps

Control Panel

Start, type "Control Panel" without the quotes, uninstall a program.
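Because the Settings and Control Panel views are split, it helps to build one list from the registry keys both of them read. The following is an added PowerShell example, not from the original article: it collects 64-bit, 32-bit and per-user uninstall entries, sorts them oldest-install-first, and prints the uninstall command each entry registered so you can decide what to remove. It assumes Windows 10 and needs no extra modules or elevation.

```powershell
# Added example (not from the original article): list installed programs from the
# registry keys that Settings and Control Panel both read, so nothing hides in the
# half-merged views the article describes. Assumes Windows 10; no module needed.

function Get-InstalledSoftware {
    # 64-bit apps, 32-bit apps on a 64-bit OS, and per-user installs respectively.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        # Entries without a DisplayName or flagged SystemComponent are hidden from the UI too.
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            # InstallDate is stored as yyyyMMdd text when present.
            $date = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $date
                Uninstall   = $_.UninstallString
            }
        } |
        Sort-Object -Property Name -Unique
}

# Oldest installs first: a quick way to spot the forgotten games, toolbars and
# phone-sync utilities the article suggests removing.
Get-InstalledSoftware | Sort-Object InstallDate | Format-Table Name, Version, Publisher, InstallDate -AutoSize
```

Pipe the result to `Export-Csv` if you want a record of what was installed before you start removing things; the Uninstall column is the same command Control Panel runs when you click Uninstall.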

2.4 Enable automated third party software updates.

Third-party software updates are best handled via Patch My PC; they offer a home patching service for free which covers over 300 applications commonly used on Windows PCs.

I cannot recommend them enough for how easy the software is to install and manage on an automated basis. I'm not going to go into details of how to install it as there's a YouTube video and FAQs on the site.

2.5 Antivirus.

Most personal devices these days come preinstalled with some variant of antivirus protection such as McAfee, Symantec or similar.

You can find out which antivirus programs are installed by visiting the security centre (Start, type security, click on Windows Security, Settings, Security providers).

Since the start of Windows 10 the built-in Windows Defender is enough for home protection when combined with other Windows Security features such as ransomware protection/OneDrive, app and browser control, etc., which are covered in 2.11.

Other than that the third party antivirus providers that consistently score high are Avira, Bitdefender, ESET, and Kaspersky. I would personally discount AVG/Avast due to several experiences over the last 15 years of dealing with them.

It is worth noting you should only have one antivirus program installed and remove all others, as running several will impact the performance of the device and they may conflict with each other.

2.6 Filtering (again!).

If you're out and about with the device, or otherwise unable to change the DNS via your router, you can set the local DNS of the machine to one of the following:

Malicious threats

Quad9

IPv4 DNS Server 1: 9.9.9.9
IPv4 DNS Server 2: 149.112.112.112
IPv6 DNS Server 1: 2620:fe::fe
IPv6 DNS Server 2: 2620:fe::9

Cloudflare

IPv4 DNS Server 1: 1.1.1.2
IPv4 DNS Server 2: 1.0.0.2
IPv6 DNS Server 1: 2606:4700:4700::1112
IPv6 DNS Server 2: 2606:4700:4700::1002

Malicious threats, and adult content

Cloudflare

IPv4 DNS Server 1: 1.1.1.3
IPv4 DNS Server 2: 1.0.0.3
IPv6 DNS Server 1: 2606:4700:4700::1113
IPv6 DNS Server 2: 2606:4700:4700::1003

The easiest place to change this is by heading to Start, typing "Network Status", then Change adapter options. Select your network interface, right-click and click on Properties. You can select the IPv4 and IPv6 options and add the DNS servers as above.

Save and close.
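The adapter change in 2.6 (using the same Quad9 and Cloudflare "malicious threats" addresses listed in 1.5) done from PowerShell, as an added example that is not part of the original article: it sets the resolvers on every adapter that carries the default route, flushes the cache, and then confirms a name resolves both directly through the chosen resolver and through the system resolver. It assumes Windows 10's DnsClient module and an elevated PowerShell session; `example.com` is just a reachable test name.

```powershell
# Added example (not from the original article): set the filtering resolvers from
# sections 1.5 / 2.6 on the active adapter(s) and confirm the change took effect.
# Assumes Windows 10 (DnsClient module) and an elevated PowerShell session.
# The addresses are the article's Quad9 and Cloudflare "malicious threats" entries.

$Resolvers = @{
    'Quad9'      = @('9.9.9.9', '149.112.112.112', '2620:fe::fe', '2620:fe::9')
    'Cloudflare' = @('1.1.1.2', '1.0.0.2', '2606:4700:4700::1112', '2606:4700:4700::1002')
}

function Set-FilteringDns {
    param([ValidateSet('Quad9', 'Cloudflare')][string]$Provider = 'Quad9')
    # Only touch adapters that are up and carry the default route, not virtual/VPN stubs.
    $adapters = Get-NetIPConfiguration |
        Where-Object { $_.IPv4DefaultGateway -and $_.NetAdapter.Status -eq 'Up' }
    foreach ($a in $adapters) {
        # IPv4 and IPv6 addresses can be set in one call; each family is applied separately.
        Set-DnsClientServerAddress -InterfaceIndex $a.InterfaceIndex -ServerAddresses $Resolvers[$Provider]
    }
    Clear-DnsClientCache
    $adapters | ForEach-Object { Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex }
}

function Test-FilteringDns {
    param([string]$Server = '9.9.9.9', [string]$Domain = 'example.com')
    # A direct query proves the resolver is reachable and answering; the second query
    # shows what the system resolver (now pointed at it) returns for the same name.
    $direct = Resolve-DnsName -Name $Domain -Type A -Server $Server -DnsOnly -ErrorAction Stop
    $system = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop
    [pscustomobject]@{
        Domain    = $Domain
        ViaServer = ($direct | Where-Object Type -eq 'A').IPAddress -join ','
        ViaSystem = ($system | Where-Object Type -eq 'A').IPAddress -join ','
    }
}

Set-FilteringDns -Provider 'Quad9'
Test-FilteringDns -Server '9.9.9.9'
```

To confirm the filtering itself is working, repeat `Test-FilteringDns` with a domain you know the provider blocks; the exact block response (an NXDOMAIN error versus a dummy address) varies by provider, so check the provider's documentation for what to expect.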

2.7 Back your data up in multiple locations.

Traditionally the 3-2-1 backup rule has been used and preached for years:

  • 3 copies of the data (the original and 2 backups)
  • 2 different storage mediums (not the same hard drive / solid state drive).
  • 1 of them located offsite (away from the home).

I also suggest that in the age of crypto-malware, which attacks all data and holds it to ransom, at least one additional offsite/offline backup is kept at all times.

In practical terms, online storage services have started bringing ransomware recovery into their service offering, and it is tightly integrated into OneDrive to the point of selecting a date and time and clicking the restore button. The per-year cost of the Office licensing, OneDrive and other features is more than worth the investment for home and business users.

2.8 Block firewall requests inbound

Unless you're serving files or services out to the local network you will only need outbound requests. Head over to the start menu and type "firewall & network protection".

For both Public and Private, click onto them and select "Block all incoming connections, including those in the list of allowed apps".

This will secure your device whilst on all networks*

* some games and apps require inbound local network access to perform their functions, so this step may need to be undone if you have an app or two that stops working.
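The same tick box applied and verified from PowerShell, as an added example that is not part of the original article. It assumes Windows 10's NetSecurity module and an elevated session; the `AllowInboundRules` profile setting is the PowerShell counterpart of the "Block all incoming connections, including those in the list of allowed apps" option, and the undo function reverses it for the Private profile only, which is where a game on the home LAN would need it.

```powershell
# Added example (not from the original article): apply and verify the "block all
# incoming connections" setting from the article on the Public and Private profiles.
# Assumes Windows 10 (NetSecurity module) and an elevated PowerShell session.

function Get-InboundFirewallPosture {
    # AllowInboundRules = False is the PowerShell equivalent of the
    # "Block all incoming connections, including those in the list of allowed apps" tick box.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction,
        @{ Name = 'BlockAllInbound'; Expression = { $_.AllowInboundRules -eq 'False' } }
}

function Set-BlockAllInbound {
    param([string[]]$Profiles = @('Public', 'Private'))
    # Keep the firewall on, default-deny inbound, and ignore every inbound allow rule.
    Set-NetFirewallProfile -Profile $Profiles -Enabled True -DefaultInboundAction Block -AllowInboundRules False
    Get-InboundFirewallPosture
}

function Undo-BlockAllInbound {
    # The article notes some games need inbound LAN access; this restores the normal
    # "block by default but honour allow rules" behaviour on the Private profile only,
    # leaving Public (coffee shops, hotels) fully locked down.
    Set-NetFirewallProfile -Profile Private -DefaultInboundAction Block -AllowInboundRules True
    Get-InboundFirewallPosture
}

Set-BlockAllInbound
```

Run `Get-InboundFirewallPosture` on its own at any time to see whether all three profiles still report BlockAllInbound = True; a later installer or "helpful" tool may have flipped it back.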

2.9 Remove unused/unknown browser plugins.

Depending on the browser the method will vary, but double-check all plugins installed to ensure you don't have a malicious plugin, and that each is still supported, updated, and hasn't changed hands to another developer.

When plugins change hands to other developers there is often tracking code added, or changes to the intended function of the plugin, without disclosing this to users of the plugin. The plugin then automatically updates and runs with the updated behaviour.

This is a growing problem and one I hope to see solved sooner, rather than later.

I would disable/deactivate any plugins you aren't sure of and keep only the ones you trust; go back after a couple of weeks and then remove the disabled ones.

A quick web search should explain what they are doing, or reveal any controversy around them.

2.10 Disable script execution.

Disabling script execution can prevent malicious payloads from running if they're opened via an email, or download link.

Open an elevated command prompt (start menu, command prompt, run as admin), then run the following; it will limit or eliminate the Windows Script Host for users. This will prevent scripts from being run without deliberate intervention by a user.

reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "wscript.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "cscript.exe" /f
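A way to read back the five values the reg add commands above set, as an added PowerShell example that is not part of the original article: it reports whether Windows Script Host is disabled for the user and for the machine, lists what is in the DisallowRun list, and includes an undo for the case the article itself anticipates, a script you rely on no longer starting. It assumes Windows 10; reading needs no elevation, but the machine-wide value can only be changed from an elevated prompt. Note that the DisallowRun list only affects programs started through Explorer (double-click, the Run box), so the two WSH "Enabled" values are the ones doing the real work.

```powershell
# Added example (not from the original article): read back the values the article's
# reg add commands set, so you can confirm they applied (the HKLM one needs an elevated
# prompt) and revert them if a script you depend on stops working. Assumes Windows 10.

function Get-ScriptLockdownState {
    $wsh = 'Software\Microsoft\Windows Script Host\Settings'
    $dr  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $getValue = {
        param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    # The DisallowRun list only blocks programs started through Explorer (double-click, Run box);
    # the WSH "Enabled" values are what stop wscript/cscript when launched any other way.
    $disallow = Get-ItemProperty -Path "$dr\DisallowRun" -ErrorAction SilentlyContinue
    $programs = @($disallow.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value)
    [pscustomobject]@{
        WshDisabledForUser    = (& $getValue "HKCU:\$wsh" 'Enabled') -eq 0
        WshDisabledForMachine = (& $getValue "HKLM:\$wsh" 'Enabled') -eq 0
        DisallowRunEnabled    = (& $getValue $dr 'DisallowRun') -eq 1
        DisallowedPrograms    = $programs -join ', '
    }
}

function Undo-ScriptLockdown {
    # Reverses the article's reg add commands; the HKLM value needs an elevated prompt.
    Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Script Host\Settings' -Name Enabled -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows Script Host\Settings' -Name Enabled -ErrorAction SilentlyContinue
    Remove-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -Recurse -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name DisallowRun -ErrorAction SilentlyContinue
    Get-ScriptLockdownState
}

Get-ScriptLockdownState
```

After running the reg add commands the report should show all three booleans as True and "wscript.exe, cscript.exe" in the list; a False for the machine-wide value usually means the prompt was not elevated.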

2.11 Advanced tweaks and changes.

2.11.1 Configure Microsoft Defender

Start => Windows Security => Virus and threat protection => Manage Settings.

Enable:

  • Realtime protection.
  • Cloud-delivered protection
  • Automatic sample submission
  • Tamper protection

Click Controlled folder access and enable the function.
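The provider check from 2.5 and the Defender settings above driven from PowerShell, as an added example that is not part of the original article: it lists the antivirus products registered with Windows Security, reports the state of each setting in the list above, and switches on the ones that have a PowerShell switch. It assumes Windows 10 with the built-in Defender module and an elevated session. Tamper protection has no PowerShell setting and must be turned on in the Windows Security app, so it is only reported, not changed.

```powershell
# Added example (not from the original article): see which antivirus products are
# registered with Windows Security (section 2.5) and turn on the Defender settings
# listed in 2.11.1 from an elevated PowerShell session. Assumes Windows 10 with the
# built-in Defender module. Tamper protection has no PowerShell switch and must be
# enabled in the Windows Security app, so it is only reported here.

function Get-RegisteredAntivirus {
    # The same provider list the Security Center shows; productState is a bit field,
    # so only the raw value is shown alongside the product name.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        Select-Object displayName, productState, timestamp
}

function Get-DefenderPosture {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection     = $s.RealTimeProtectionEnabled
        CloudDelivered         = $p.MAPSReporting -ne 0             # 0 = Disabled, 2 = Advanced
        AutomaticSampleSubmit  = $p.SubmitSamplesConsent -in 1, 3   # 1 = SendSafeSamples, 3 = SendAllSamples
        TamperProtection       = $s.IsTamperProtected
        ControlledFolderAccess = $p.EnableControlledFolderAccess -eq 1
        SignatureAgeDays       = $s.AntivirusSignatureAge
    }
}

function Enable-DefenderBaseline {
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Get-DefenderPosture
}

Get-RegisteredAntivirus
Enable-DefenderBaseline
```

If `Get-RegisteredAntivirus` lists more than one product, remove the extras first as section 2.5 advises; with a third-party product active, Defender's real-time protection stays off and the `Set-MpPreference` calls will not turn it back on.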

2.11.2 App and Browser control

Some of these settings have a hardware requirement and may not be possible to enable on older/unsupported equipment.

Start => Windows Security => App & Browser control

Enable:

  • Reputation-based protection
    • Check Apps / files: on
    • Smartscreen: on
    • Unwanted app blocking: on and block apps / downloads.
    • Smartscreen for Microsoft Store apps: on
  • Isolated browsing (Tick the Microsoft Defender Application Guard, then ok to install).

2.11.3 Device Security

Some of these settings have a hardware requirement and may not be possible to enable on older/unsupported equipment.

Start => Windows Security => Device Security

  • Core Isolation
    • Memory Integrity: on
    • Memory access protection: on
    • Firmware Protection: on
  • Secure boot: on (this requires Secure Boot to be enabled in the device BIOS/UEFI settings).

Restart the device to apply these settings.
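The release check from 2.1 and the Device Security items above gathered in one report, as an added PowerShell example that is not part of the original article: it reads the same release string winver shows, asks the firmware whether Secure Boot is on, and reads whether memory integrity (HVCI) is configured and actually running after the restart. It assumes Windows 10 on UEFI firmware and an elevated session (Confirm-SecureBootUEFI needs admin).

```powershell
# Added example (not from the original article): report the items from 2.1 and 2.11.3
# in one place: Windows release (the value winver shows), Secure Boot state, and whether
# core isolation / memory integrity (HVCI) is actually running.
# Assumes Windows 10 on UEFI firmware and an elevated session.

function Get-WindowsRelease {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # DisplayVersion ("20H2") exists from 20H2 on; older builds only have ReleaseId ("1903").
    $release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
    [pscustomobject]@{
        Product = $cv.ProductName
        Release = $release
        Build   = "$($cv.CurrentBuild).$($cv.UBR)"
    }
}

function Get-SecureBootState {
    # Throws on legacy BIOS machines, where Secure Boot cannot exist.
    try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { 'Not UEFI or not supported' }
}

function Get-CoreIsolationState {
    # Win32_DeviceGuard reports configured vs running services; service id 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' }
        1 { 'Enabled, not running' }
        2 { 'Running' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        VbsStatus             = $vbs
        MemoryIntegrityWanted = 2 -in $dg.SecurityServicesConfigured
        MemoryIntegrityOn     = 2 -in $dg.SecurityServicesRunning
    }
}

Get-WindowsRelease
"Secure Boot: $(Get-SecureBootState)"
Get-CoreIsolationState
```

MemoryIntegrityWanted = True with MemoryIntegrityOn = False is the expected state between ticking the option and the restart; if it stays that way after rebooting, an incompatible driver is usually the cause and the Core Isolation page will name it.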


3. Improve and practice your security hygiene.

3.1 Use a password manager.

There's a whole range of password managers out there such as 1Password, Dashlane, and Microsoft Edge's built-in version.

I still recommend 1Password due to its ease of use and the way they have designed the entire product around security, then openly disclosed it throughout their website and documentation. To top it off - they cannot see your data and it is fully encrypted on their service, and without the account secret key the data cannot be used.

Dashlane is quite polished and includes a couple of nice touches such as the auto-password changer.

Microsoft Edge includes an up-and-coming password manager with a focus on usability and security. One to watch for the future.

3.2 MFA/2FA all the things.

Enabling MFA/2FA on all your accounts is one of the quickest and easiest ways to strengthen your account security; it requires a token you have, generated randomly every 30/60 seconds, to get into the account.

Not every service supports this but it is becoming more and more common.

Worst case, if the service supports nothing but SMS tokens as a secondary factor, USE THEM. It is an absolute worst-case scenario, but it is STILL another barrier to get through.
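The rotating code described above is produced by the TOTP algorithm (RFC 6238), and seeing it computed makes clear why a code is only good for one 30-second window and why the secret itself is never sent. The following is an added PowerShell example, not from the original article: a base32 decoder, the HMAC-SHA1 counter step and the dynamic truncation, checked against the RFC's published test vector. The secret in the block is the RFC test key, not a real one, and no modules are needed.

```powershell
# Added example (not from the original article): the TOTP algorithm (RFC 6238) behind
# the rotating 6-digit codes the article describes. Plain PowerShell, no modules;
# the secret below is the RFC test key, not a real one.

function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Text)
    # Authenticator apps store the shared secret base32-encoded (the text in the QR code).
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Text.ToUpper().TrimEnd('=').ToCharArray()) {
        $v = $alphabet.IndexOf($c)
        if ($v -lt 0) { throw "Invalid base32 character '$c'" }
        $bits += [Convert]::ToString($v, 2).PadLeft(5, '0')
    }
    $out = New-Object 'System.Collections.Generic.List[byte]'
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $out.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return ,$out.ToArray()
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Period = 30,
        [int]$Digits = 6
    )
    # Both sides derive the same counter from the clock, so nothing secret is transmitted.
    $counter = [long][math]::Floor($UnixTime / $Period)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }   # RFC wants big-endian

    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,(ConvertFrom-Base32 $Base32Secret))
    $h = $hmac.ComputeHash($msg)

    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    $o = $h[$h.Length - 1] -band 0x0F
    $code = (([int]$h[$o] -band 0x7F) -shl 24) -bor ([int]$h[$o + 1] -shl 16) -bor ([int]$h[$o + 2] -shl 8) -bor [int]$h[$o + 3]
    return ($code % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

# RFC 6238 test vector: secret "12345678901234567890" (base32 below) at Unix time 59
# gives "94287082" for 8 digits, so the 6-digit code is "287082".
$testSecret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
Get-TotpCode -Base32Secret $testSecret -UnixTime 59            # 287082
Get-TotpCode -Base32Secret $testSecret -UnixTime 59 -Digits 8  # 94287082
Get-TotpCode -Base32Secret $testSecret                          # the code for right now
```

Because the counter is the clock divided by the period, every device with the same secret and a correct clock produces the same code; that is also why a phone with a badly drifted clock is rejected, and why the shared secret (not the six digits) is what must be protected.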

3.3 Don't reuse passwords.

Having a uniquely generated password via a password manager ensures that any breach is limited to that site and can't spread to other services you use. In effect the breach becomes extremely limited in scope and, when combined with 2FA/MFA, minimises the risk to you.

3.4 Check for breached passwords/services regularly.

One of the best services you can use to check for breached passwords and accounts is Have I Been Pwned (haveibeenpwned.com).

You can check passwords, email addresses, or, if you own a domain, all users on that domain.

I can also highly recommend signing up for the breach notification service.

It is also integrated with 1Password's Watchtower service if you use that as a password manager.

Change any passwords, and any locations that password was used, when a breach is detected. Credential stuffing (trying that password everywhere) is a common occurrence after a breach; be proactive with your security and stop them before they get in.
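The password check described above can be scripted without ever sending the password, because Have I Been Pwned's Pwned Passwords API uses k-anonymity: only the first five hex characters of the SHA-1 hash are sent and the matching is done locally. The following is an added PowerShell example, not from the original article or the service's own code; it assumes internet access, PowerShell 5.1 or later, and HIBP's public range endpoint at https://api.pwnedpasswords.com/range/<prefix>.

```powershell
# Added example (not from the original article): check a password against Have I Been
# Pwned's Pwned Passwords API via its k-anonymity range endpoint, so only the first five
# characters of the SHA-1 hash leave the machine. Assumes internet access and PowerShell 5.1+.

function Get-PwnedPasswordCount {
    param([Parameter(Mandatory)][string]$Password)
    # SHA-1 is used only because that is what the HIBP dataset is keyed on.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $hash  = ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
    $prefix, $suffix = $hash.Substring(0, 5), $hash.Substring(5)

    # The response is "SUFFIX:COUNT" lines for every hash sharing the prefix; the
    # Add-Padding header asks for dummy entries so response size reveals nothing either.
    $body = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" -Headers @{ 'Add-Padding' = 'true' }
    foreach ($line in ($body -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) { return [int]$parts[1] }
    }
    return 0
}

# Read the password without echoing it and never write the password itself anywhere.
$secure = Read-Host -Prompt 'Password to check' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
$count  = Get-PwnedPasswordCount -Password $plain
if ($count -gt 0) { "Seen $count times in known breaches: change it everywhere it is used." }
else { 'Not found in the Pwned Passwords dataset (this is not proof it is strong).' }
```

A count of zero only means the password has not appeared in a known breach; the advice in 3.1 and 3.3 (a manager-generated unique password per site) still applies.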

3.5 Use disposable cards for online purchases.

Use a disposable card service such as Revolut or Privacy (US) to ensure your financial details are protected. Revolut is the easiest-to-use UK service via their virtual cards option. Privacy.com (US) integrates with 1Password and makes it a seamless process.

Protecting yourself in this manner ensures your underlying card number is never exposed, and the virtual card can be easily changed should a service you are buying from have a breach.

Failing that, revert to credit cards, where the protection of the credit provider helps should an issue occur.

3.6 Delete unused accounts and services.

Go through online services you have previously signed up for and close them down fully. These historic accounts are still in service, with data about your online account, password hashes, email addresses etc. If one of these services is breached, or attackers gain access to the account, they gain more information about you, which is often used for targeted phishing attacks, to gain access elsewhere, or in some cases to attempt blackmail.

3.7 Organise and manage your data.

Organise and sift through your existing data in your Desktop/Documents and other folders; while sorting through this data you will probably find duplicates, varying versions and data you no longer need.

Clear out data that you no longer need or use. Not only will this save you space, it's less data to back up and protect in services such as OneDrive/Dropbox/Google Drive, meaning a shorter time to restore should you need to recover from a data loss or crypto-malware incident.


I'd like to thank the entire admin and mod team of WinAdmins who have seen several versions of this and offered input, suggestions and corrections.