Windows as a whole was built to be easy to configure "out of the box" for end users and administrators. That makes Windows more functional, but it also leaves a lot of unnecessary holes open that can cause serious security problems for workstations and servers that are supposed to sit on a secured network. The configuration settings suggested below will harden your Windows box and make it considerably harder to break into. Bear in mind also that it is essential to have the latest patches on your system: attackers follow the published security holes closely and write worms and viruses that exploit them soon after the patch appears, so an unpatched machine is the easiest target there is.

1. Swap file: In default operation Windows pages memory out to disk, so the paging file (swap file) can hold unencrypted text, including passwords, in a place nobody would normally look... but an attacker who gets hold of the disk (a stolen laptop, or a boot from another OS) would. The first thing to do is configure the machine to clear the paging file at shutdown/reboot. Go to the "Start" menu, click on "Run", type regedit and click on "OK". Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. Find or create the DWORD value ClearPageFileAtShutdown and set it to 1. Two caveats: the file is zeroed only during a clean shutdown, so a crash or a pulled plug leaves it intact, and the extra writes make shutdown noticeably slower with a large paging file.

2. Dump file: The dump file stores the contents of system memory when the system crashes. It can help diagnose problems, but like the swap file it can also expose sensitive, unencrypted text. To stop Windows from writing it, go to Control Panel > System, click on the "Advanced" tab, then the "Settings" button in the "Startup and Recovery" pane, and set the drop-down under "Write debugging information" to "(none)". Dr. Watson, the default application debugger, likewise saves a log and a memory dump when an application crashes. To disable it, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug and set the "Auto" string to 0. Then use Windows Explorer to go to Dr. Watson's log folder, by default Documents and Settings\All Users\Application Data\Microsoft\Dr Watson (running drwtsn32.exe shows the log and dump paths it is actually configured to use, and that folder is shared by every user of the machine), and delete User.dmp and Drwtsn32.log, the log the program leaves behind.

3. POSIX: Windows NT 4.0 and 2000 ship an optional subsystem named POSIX (psxss.exe), an implementation of the POSIX.1 interface that lets programs written against it run "UNIX style". XP dropped it (the replacement lives in the separate Services for UNIX product), so on XP you will usually find the registry entry but no psxss.exe. Almost nothing uses it, and an unused subsystem that runs as a privileged system process is attack surface for no benefit, so remove it. Note that this does not stop anyone from running UNIX-style tools on the box: ported command-line tools are ordinary Win32 programs and never touch the subsystem. Go to "Run" and type regedt32 (the Windows 2000 regedit cannot edit multi-string values). Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems and click on the multi-string called "Optional" in the right-hand pane. By default its data is "Posix"; delete it and leave the data empty. Next, click on the "Posix" multi-string in the same pane. Note that it points to a file in your Windows System32 directory called Psxss.exe. Delete that file (find it with Windows Explorer; it is not there on a default XP install), use the Registry Editor to delete the "Posix" value, and reboot.

4. Windows Services: Unless you need them, turn off services that open "back doors" into your system: TCP/IP NetBIOS Helper, NetMeeting Remote Desktop Sharing, Fast User Switching Compatibility, Remote Desktop Help Session Manager, Terminal Services, Remote Registry, Routing and Remote Access, Messenger (the "net send" service, not the chat client), SSDP Discovery Service, Telnet, and Universal Plug and Play Device Host. Go to Control Panel > Administrative Tools > Services, click on each service you don't need and select "Stop the service" in the left-hand pane, then open the service's Properties and set its Startup type to Disabled (or Manual) so it does not come back at the next boot. Two checks before you do: TCP/IP NetBIOS Helper is what resolves NetBIOS names, so disabling it breaks browsing to \\servername shares on many home and small-office networks, and on a domain member Remote Registry and Terminal Services may be relied on by your administrators, so clear it with them first.

5. LM hash: The LM hash is the password hash LAN Manager and Windows 9x use to authenticate; Windows NT, 2000 and XP still store it alongside the NT hash for backward compatibility. A network of NT-based machines authenticates with the NT hash (NTLM, NTLMv2 or Kerberos) and does not need it, and it is a fast route to your passwords if left enabled: the password is uppercased, padded to 14 characters and split into two 7-character halves that are hashed independently, so an attacker who gets the SAM cracks two tiny halves rather than one password, and precomputed tables do that in minutes. Disable it: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, DWORD value NoLMHash = 1 (on Windows 2000 this is a subkey named NoLMHash rather than a value). XP and 2000 store LM hashes by default, no patch changes that, and the setting only affects passwords set after it is turned on, so change every account's password afterwards; the old LM hashes stay in the SAM until you do. The matching setting for the wire is Local Security Policy > "Network security: LAN Manager authentication level", set to "Send NTLMv2 response only", so the equally weak LM challenge response is not sent either.
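
As an added example (not code from the original guide), the registry and service changes from steps 1 to 5 as a batch script that applies them with reg.exe and sc.exe and then reads each value back, which is the check the GUI route does not give you. It assumes an Administrator command prompt on XP (on Windows 2000, reg.exe and sc.exe come with the Support Tools and Resource Kit rather than the base install); the short service names are the XP ones, and any name not present on your build just produces an error from sc and is skipped. The LmCompatibilityLevel line goes one step beyond the text by also refusing to send the LM response over the network.

```batch
@echo off
rem Added example, not from the original guide: steps 1-5 via reg.exe and sc.exe,
rem then read back. Run from an Administrator prompt; reboot for the changes to apply.

rem 1. Zero the paging file at shutdown
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 1 /f

rem 2. No crash dump (CrashDumpEnabled 0 is "(none)" in Startup and Recovery), no Dr. Watson
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /t REG_SZ /d 0 /f

rem 3. POSIX: only worth the trouble if the subsystem binary is actually installed.
rem Optional is REG_MULTI_SZ, so clear it by hand in regedt32 as the text describes;
rem this just reports the current state.
if exist "%SystemRoot%\System32\psxss.exe" (
  echo psxss.exe present: clear Session Manager\SubSystems\Optional and delete the Posix value
) else (
  echo psxss.exe not installed, nothing to remove
)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems" /v Optional

rem 4. Services, by XP short name. LmHosts (TCP/IP NetBIOS Helper) is needed for
rem NetBIOS name resolution; take it out of the list if you browse to \\server shares.
for %%s in (LmHosts mnmsrvc FastUserSwitchingCompatibility RDSessMgr TermService RemoteRegistry RemoteAccess Messenger SSDPSRV TlntSvr upnphost) do (
  sc config %%s start= disabled >nul
  sc stop %%s >nul 2>&1
)

rem 5. Stop storing LM hashes (a value on XP; on Windows 2000 it is a subkey of Lsa
rem named NoLMHash). Takes effect per account at the next password change.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 1 /f
rem Beyond the text: send only the NTLMv2 response so the LM response never
rem crosses the wire (level 3 still accepts anything when acting as a server).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 3 /f

rem Read back what actually got set
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown
reg query "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoLMHash
for %%s in (Messenger RemoteRegistry upnphost) do (sc query %%s | find "STATE")
```

Run it once, reboot, run the read-back lines again: a value that did not survive the reboot, or a service that is back in RUNNING state, means something else on the machine is re-enabling it, which is worth knowing in its own right.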

6. XP Firewall: Windows XP has a built-in firewall, and SP2 (Service Pack 2) turns it on by default for every network connection. If you have installed SP2 (via Automatic Updates) you will notice a new "Security Center" applet in the Control Panel; the firewall itself is the "Windows Firewall" applet next to it, and it can also be reached per adapter the long way: click the "My Computer" icon in the Start menu, click "My Network Places" on the left-hand side of the window, then "View network connections", again on the left. Icons for your adapters are shown; right-click the adapter that carries your internet connection, choose "Properties" from the context menu, go to the "Advanced" tab and press the "Settings" button. Either way you get the same three tabs. On the "General" tab, "On" with "Don't allow exceptions" checked blocks all unsolicited incoming traffic regardless of what is on the next tab. On the "Exceptions" tab, each checked program or port lets incoming traffic through to it, and you can add or edit entries there. Keep everything unchecked for incoming traffic unless you cannot connect without it. Some entries will already be checked, such as MSN Messenger. Uncheck it... it works fine without the checkmark, and you don't want uninvited incoming traffic to that port while the application is not running. (An application running with administrator rights can re-add itself to the exception list, and several do, so either keep "Don't allow exceptions" on, run day to day as a limited user, or, as I suggest, use a good third-party software firewall instead.) Take a trial-and-error approach to the rest of the pre-checked entries. With SP2 the firewall also watches programs that try to receive network traffic: when a program starts listening on a port, a Windows Security Alert pops up asking whether to keep blocking it or unblock it. Note that this covers incoming connections only: the XP firewall does not filter, or prompt for, outbound traffic at all.
The rule of thumb is to disallow any traffic that is not absolutely necessary to the functioning of your applications, computer or network. Even if an application is legitimate, the best of applications still have holes... it is better to err on the side of caution than to give your applications free rein on your network. Note also that a firewall that only filters incoming traffic, which is what the XP firewall is, does nothing about applications that start with the computer and generate outbound traffic, or something like AIM/Messenger that you leave open (never leave AIM/Messenger open if you don't need it, and the same goes for any similar communications application; you don't leave your phone off the hook after you're finished talking, do you?). If you have an application open that communicates with the internet, you have opened a hole into your computer. A third-party firewall that prompts on outbound connections closes part of that gap, and a hardware firewall/router in front of the machine is worth buying as well: it drops unsolicited traffic before it reaches the PC, though it too trusts whatever the PC sends out.
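
The same firewall configuration from the command line, as an added example that is not from the original page. XP SP2's netsh has a firewall context that exposes every checkbox in the applet plus dropped-packet logging, which the GUI hides; the msmsgs.exe path is an assumption for the Messenger exception you see in "show config" and should be replaced with whatever actually appears there.

```batch
@echo off
rem Added example, not from the original page: the step 6 settings through the
rem SP2 "netsh firewall" context, so the result can be listed instead of eyeballed.

rem Current state: profiles, exceptions, open ports, allowed programs
netsh firewall show state
netsh firewall show config

rem Firewall on and every inbound exception ignored ("Don't allow exceptions").
rem Programs that re-add themselves to the list (anything running as an
rem administrator can) get nothing through while this is set.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL

rem Keep the exception list itself clean for the day exceptions are allowed again:
rem built-in service groups off, and the pre-checked Messenger entry removed. The
rem path is an assumption; copy the exact one from "show config".
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL
netsh firewall delete allowedprogram program="%ProgramFiles%\Messenger\msmsgs.exe" profile=ALL

rem Keep the Security Alert pop-up for programs that start listening, and log what
rem is dropped: the log is the only place you will see what tried to get in.
netsh firewall set notifications mode=ENABLE profile=ALL
netsh firewall set logging filelocation="%SystemRoot%\pfirewall.log" droppedpackets=ENABLE connections=DISABLE

rem Verify: Operational mode Enable, Exception mode Disable, in both profiles
netsh firewall show opmode
```

Open pfirewall.log after a day online: the DROP lines show which ports the outside world is probing, which is a more honest picture of what the firewall is doing for you than the Security Center's green light.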

7. Anti-virus Scanner: You've got a virus scanner, so now you won't get any viruses, right? Wrong! A virus scanner can only save you from the viruses it knows about. That's why it is extremely important to have the latest virus definitions, and to keep your scanner's update setting on automatic so you are always current on the latest threats. It is equally important to have your virus software configured for real-time file system scanning; otherwise you will have to run your scans by hand. The first thing a new virus typically disables is the real-time scanning function, so keep tabs on it and make sure it is actually running. If you think your scanner or system is infected, get the system scanned by one of the free online virus scanners: a second engine with its own definitions will often catch what the first one missed. Once you've identified the virus your computer has, use one of the freely downloadable removal tools from the virus protection companies (such as Symantec and McAfee), and follow the tool's instructions exactly, step by step; most of them need the machine rebooted or started in Safe Mode so the virus is not running while its files are removed. If you don't have any money to buy a virus scanner, you can download and use AVG's free edition instead. Be warned... after using the free scanner and then upgrading to the latest Symantec scanner my system had been infected by 3 trojans that the free AVG scanner did not find. You get what you pay for, but it's better to have some protection than no protection.

8. Spyware scanner: Any time you use the internet, companies and individuals use datamining techniques to track your activity online... this involves browser cookies, exploits, trojans and applications such as Gator (a well-known spyware application). Download an application such as Spybot or Ad-Aware and scan your computer's entire hard drive with it, at least once a week. These applications also need to be updated with the latest spyware definitions, or you run the same risk you do with an out-of-date virus scanner.

9. Application startup blocker: Every time you install new software, there is a chance it will leave a setting in Windows to start itself automatically when the computer boots. Use an application such as Startup Cop to cut the startup applications down to the bare minimum you need. Not only does this secure your computer, it may make it run faster, since fewer processes are tying up CPU and RAM. The rule of thumb: if you cannot find out what a startup helper does by searching for its name on Google, disable it... who knows what it is. Bear in mind that such tools show the common locations (the Run keys and the Startup folders); something that wants to survive can also register itself as a service or hook the Winlogon keys, so check those as well.
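
Added example, not from the original page: listing the autostart locations yourself, before or instead of reaching for a tool, so every entry can be looked up before it is disabled. It assumes XP Professional for wmic and tasklist (XP Home lacks both; the reg and dir lines work everywhere, including 2000) and a placeholder value name, ExampleUpdater, in the commented-out removal step.

```batch
@echo off
rem Added example, not from the original page: the places Windows starts programs
rem from, so each entry can be looked up before it is disabled. wmic and tasklist
rem need XP Professional; the rest works on XP Home and 2000 too.

rem Run / RunOnce keys for the machine and the current user
for %%k in (
  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
) do reg query %%k

rem Winlogon hooks. Expected on XP: Shell = Explorer.exe and
rem Userinit = C:\WINDOWS\system32\userinit.exe, (the trailing comma is normal).
rem Anything appended after those is started at every logon.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

rem Startup folders and scheduled tasks
dir /b "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
dir /b "%USERPROFILE%\Start Menu\Programs\Startup"
schtasks /query

rem Services that start on their own, with the binary they run, and which running
rem process hosts which service (a service living in an odd path is a lead)
wmic service where startmode='auto' get name,pathname
tasklist /svc

rem Removing an entry once identified: export the key first, then delete the value.
rem ExampleUpdater is a placeholder for the value name you found.
rem   reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run-backup.reg
rem   reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v ExampleUpdater /f
```

Save the output to a file on a freshly built machine and diff it against later runs: a new Run value, a changed Userinit string or an extra auto-start service is a lot easier to spot as a diff than in msconfig.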

10. File shredder: Use a file shredder application such as Red Strike's Ultrawipe to find and securely delete unneeded files in directories such as the Temp directory. Once again, just because your virus scanner can't find something does not mean it isn't there... so be proactive about clearing unknown/unneeded files out of directories where viruses commonly land (such as the Temp directory). Bear in mind that this removes dropped files only; a virus that is already running, or has already installed itself elsewhere, is not touched by cleaning Temp.

11. Anonymous Proxy: Use an anonymous proxy for your browser's internet connection to keep your online activity your own business. An application such as JAP routes your browser through a server that keeps sites from seeing your address and, with it, from tying your visits together for the datamining described above. The proxy may slow down your browser's "snappiness", but it is good practice to be patient. Many companies offer paid services that are much faster than JAP's free service... and advertise themselves as more secure, though bear in mind that whoever runs the proxy sees everything you send through it, and no proxy stops a site from handing your browser malware. Don't forget to point your browser's proxy settings at the address and port the proxy application listens on, or your traffic keeps going out directly.

12. A patched web browser: I personally suggest Mozilla's Firefox browser for surfing the internet. Not only is it just as fast as Internet Explorer, it leaves out unneeded APIs such as ActiveX. ActiveX is the gateway to many spyware apps. I have seen some cases where an ActiveX applet has completely wiped a hard drive just by visiting a site with the ActiveX plugin enabled on IE. If you must use IE, never check the "Always trust" checkbox when an ActiveX installer pops up... and only install and use the ActiveX controls you need. Also make sure you are using the very latest version of whichever browser you prefer. Automatic Updates patches Internet Explorer, since it is part of Windows, but not Firefox or any other non-Microsoft application; those you must update yourself. As a general rule, the more functionality your browser has, the more potential security holes it brings with it. Bearing this in mind, install only the plugins you need (such as Macromedia's Flash or Sun's Java). With SP2, IE blocks ActiveX installs behind the Information Bar and will not install a control without your permission.

13. Third-party network penetration testing: If you have the money, get a company to audit your network for security holes. If you have no money for this, sites like www.auditmypc.com help you assess your own exposure; bear in mind that such an online scan only sees what is reachable from the internet through whatever router or firewall sits in front of you, so a clean result says nothing about the machine itself.

14. Automatic Updates & Windows patches: As stated at the beginning, it is essential to have the latest patches on your Windows box. But bear in mind that even some of these patches get botched from time to time, so I recommend the following setting for Automatic Updates on XP/2000: "Notify me when updates are ready to download and notify me again once they are downloaded and ready to install". With this setting you have greater control over the patching process... and if a patch goes bad, you can pull it before it becomes part of your system. The trade-off is that every day an update sits waiting is a day the hole is public and unpatched on your machine, so read the bulletin, install it, and don't let notified updates pile up.

15. System Restore & GoBack: System Restore is enabled by default on XP. If you have 2000, you can use a program created by Roxio called "GoBack" (recently bought by Symantec). GoBack can also be used on XP for a finer-grained restore feature... but bear in mind that GoBack causes a lot of hard-drive overhead because of its "fine-grained" approach, and it will have to be reconfigured if you use your system for disk-intensive work. If you get a virus and/or find spyware that you want to remove permanently, you need to turn off/disable these applications first in order to remove it completely. Both of them duplicate the system's data in order to restore it later, and that duplicate can bring back not only your system but everything else on it, including the viruses and spyware; scanners also generally cannot clean inside the restore data. (In Ad-Aware's and Spybot's case, delete the quarantine files with System Restore off as well.) After you are done with the removal tool(s), be sure to turn System Restore back on, or re-enable GoBack.

16. File encryption: Windows XP and 2000 come with a file system feature called EFS (Encrypting File System). You can use EFS to secure important data on your system so that it cannot be read without your user account's private key, which Windows protects with your logon password. Two places where it is a good idea to use it are your "Temp" directory and your "My Documents" folder. Two things to know before you start. First, EFS only works on NTFS; if you are using FAT32 you must convert the file system first. Second, the key lives in your profile: if an administrator resets your password (as opposed to you changing it), or you reinstall Windows, or the profile is lost, the files become unreadable unless you exported the EFS certificate and private key beforehand (Internet Options > Content > Certificates, or certmgr.msc, select your EFS certificate and use Export with the private key to a password-protected .pfx file kept off the machine).

To convert your "C" drive to NTFS: go to the "Start" menu, click "Run", type cmd, and at the command prompt type convert C: /FS:NTFS. Because the system drive is in use, the conversion is scheduled and runs at the next reboot; back up first, as it cannot be undone. Once it has run you can use EFS.

Right-click your "My Documents" icon and choose "Properties" from the context menu. On the "General" tab click the "Advanced" button at the bottom of the window. In the "Advanced Attributes" window that appears, select the "Encrypt contents to secure data" check box at the bottom and click "OK", then click "Apply" in the Properties window. A window titled "Confirm Attribute Changes" pops up; choose the "Apply changes to this folder, subfolders and files" radio button and click "OK". A progress window shows the files being encrypted. Once it is finished, any file you save or copy into "My Documents" is encrypted automatically. (Note that a file copied elsewhere may lose its encryption: anything written to a FAT32 volume, a floppy or USB stick, or a network share that does not support EFS is stored in the clear.)

The second folder to encrypt is your "Temp" folder. To find it, go to the Start button, click "Run", type cmd and wait for the command prompt window. Type the command set and press Enter. Several lines of data are output; near the bottom you will see two lines, TEMP and TMP, giving the path to the Temp directory. Now right-click the Start button, choose "Explore" from the context menu, and type one of the two paths into the address bar of the Explorer window. Press Enter and you are in the Temp directory; the folder list on the left-hand side opens to it. Right-click the Temp folder and choose "Properties", then follow the same process as above, but this time I recommend choosing "Apply changes to this folder only", because encryption here can cause trouble when a program installer uses the directory to stage its files. If you get errors installing applications, remove the encryption from the Temp directory, install the program, then re-encrypt. (That goes for automatic updates too, such as virus definition updates and Windows patches... if you're worried you might break something, forgo encrypting the Temp directory.) The same steps encrypt any individual file: right-click the file and follow the process above.
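
The same procedure with convert.exe and cipher.exe, as an added example that is not part of the original guide. cipher's listing shows the E/U flag per file and whether a folder will encrypt new files, which is the verification the Explorer dialog does not offer, and cipher /x (XP SP2 and later; on 2000 use the certificate export wizard) makes the key backup. Paths assume the XP defaults.

```batch
@echo off
rem Added example, not from the original guide: step 16 with convert.exe and
rem cipher.exe. Paths are the XP defaults; cipher /x needs XP SP2 or later.

rem EFS needs NTFS. fsutil is XP only; on 2000, "dir C:\" prints the file system
rem type in its header instead.
fsutil fsinfo volumeinfo C: | find "File System Name"

rem If that says FAT32: convert. The system drive is in use, so the conversion is
rem scheduled for the next boot. Back up first; it cannot be reversed.
rem   convert C: /FS:NTFS

rem My Documents: mark the folder and subfolders (/s) and encrypt the files already
rem in them (/a). New files saved there afterwards are encrypted automatically.
cipher /e /a /s:"%USERPROFILE%\My Documents"

rem Temp: mark only the folder, as the text recommends, so files created from now
rem on are encrypted while nothing existing is touched. "cipher /d" undoes it when
rem an installer or update fails.
echo Temp is %TEMP%
cipher /e "%TEMP%"

rem Verify: each file is listed E (encrypted) or U (unencrypted), and the header
rem line says whether new files in that folder will be encrypted.
cipher "%USERPROFILE%\My Documents"
cipher "%TEMP%"

rem Back up the EFS certificate and private key to a password-protected .pfx file
rem (prompts for the password). Without it, a password reset by an administrator,
rem a reinstall or a lost profile leaves every encrypted file unreadable.
cipher /x "%USERPROFILE%\efs-key-backup"
```

Move the resulting .pfx off the machine (a CD or a USB stick in a drawer): a key backup that sits next to the files it protects is lost in exactly the cases it exists for.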

17. MSN Messenger: For whatever reason, Microsoft's Messenger client adds its own exceptions to the XP firewall and puts them back when you remove them, reconfiguring the firewall however it sees fit. I personally suggest replacing it with a program that does not have such abilities. I have replaced MSN Messenger with the Trillian chat program after completely removing it. The command below removes Windows Messenger, the client built into XP (msmsgs.exe); the separately downloaded MSN Messenger is removed through Add or Remove Programs. Go to the Start menu, click the Run icon, type the following string and hit OK: RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove (Remember to go back into the firewall settings, uncheck the entries left behind by Messenger, and set things up for Trillian instead.)

18. Secure workstation configuration: Nothing is worse than being hacked and not even knowing it. If you work on your computer somewhere that makes it easy for others to get physical access to it, take the following steps to make it harder to get into your account.

First, if you are the only person who should be on the computer, turn off Fast User Switching and the "Welcome screen" logon. Go to the Start button, click "Run" in the Start menu, type services.msc and press Enter. Scroll down the Services window until you see the "Fast User Switching Compatibility" service, set its Startup type to Disabled and click "Apply". (Optionally, disable the "Terminal Services" service at this point as well, if you do not plan to use Remote Desktop, Remote Assistance or Fast User Switching on the machine; all three depend on it.) Next, open the Control Panel from the Start button, double-click the "User Accounts" icon, click the "Change the way users log on or off" link, uncheck "Use the Welcome screen" and verify that "Use Fast User Switching" is unchecked.

Next, require CTRL+ALT+DEL before the logon prompt. The point of this is not to stop processes a trojan or virus started at boot, which are already running; it is that CTRL+ALT+DEL is the secure attention sequence, which only Windows itself can intercept, so pressing it guarantees that the logon dialog you are about to type your password into is the real one and not a look-alike painted on the screen by a program somebody left running. Go to the Control Panel again (make sure you are in the "classic" view by clicking the "Switch to Classic View" link on the left-hand side), and this time click the "Administrative Tools" icon. Look for "Local Security Policy" and double-click it (it is not present on XP Home Edition; the same settings are registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System). A window called Local Security Settings appears; open Local Policies > Security Options and scroll down until you see "Interactive logon: Do not require CTRL+ALT+DEL".

Double-click it, configure a CTRL+ALT+DEL logon by selecting the "Disabled" radio button, and click OK. Next, make sure nobody learns the user name we log on with. Still in the Local Security Settings window, find "Interactive logon: Do not display last user name" (most likely right above the setting we just altered), double-click it, set it to Enabled and click OK. Now scroll to the top of the list and locate "Accounts: Rename administrator account" and "Accounts: Rename guest account". Double-clicking each brings up a field that can be changed to whatever you want to rename the two accounts to; the more obscure and complicated the better, but bear in mind this is obscurity only: the built-in Administrator keeps its well-known identifier (the SID ending in -500), and account-enumeration tools find it by that regardless of its name, so a strong password on the account matters more than the rename. Click OK when you are done. (If you are logged in as Administrator, a reboot is necessary... and write the new account names down in case you forget.) Optionally, change "Accounts: Administrator account status" and "Accounts: Guest account status" to Disabled if you already have another account with Administrator rights that you want to use instead; make sure you have logged on with that account successfully before disabling the built-in one. (These two entries should be right above the rename entries.) The Local Security Settings applet has other settings that help harden the machine the way you want it, so browse through everything that is there.
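
Added example, not from the page: the step 18 settings applied with reg.exe, net.exe, sc.exe and wmic, then read back. The policy values are the same ones the Local Security Policy editor writes, so this also works on XP Home, which has no secpol.msc; wmic needs XP Professional. Opsadmin and Nobody are placeholder names for the renamed accounts.

```batch
@echo off
rem Added example, not from the original page: step 18 from the command line.
rem Opsadmin and Nobody are placeholder names. Run from an Administrator prompt.

rem Single-user logon: classic logon dialog instead of the Welcome screen (XP only),
rem and no Fast User Switching
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LogonType /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllowMultipleTSSessions /t REG_DWORD /d 0 /f
sc config FastUserSwitchingCompatibility start= disabled >nul

rem Interactive logon: require CTRL+ALT+DEL (DisableCAD=0 is the "Disabled" radio
rem button) and do not show the last user name
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableCAD /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f

rem Accounts: rename the built-in Administrator and Guest, then disable Guest.
rem Only disable Administrator itself once another administrator account has
rem logged on successfully, e.g. "net user Opsadmin /active:no" would lock you out.
wmic useraccount where name='Administrator' rename Opsadmin
wmic useraccount where name='Guest' rename Nobody
net user Nobody /active:no

rem Verify. The rename is obscurity only: the built-in Administrator keeps the
rem SID ending in -500, which the listing below shows next to its new name.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
wmic useraccount get name,sid,disabled
```

Log off and back on after running it: the logon should be the classic dialog, demand CTRL+ALT+DEL, and present an empty user name field; if any of the three is missing, a policy from a domain or an earlier tweak is overriding the registry values.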

Suggested reading: http://www.theregister.co.uk/2004/09/02/winxpsp2_security_review/

You might be asking yourself at this point why Windows is so open by default. The answer is that Windows is something of a double-edged sword... it has exceptional configurability for just about every practical use. Most corporations today use Windows exclusively on the desktop... and most employers want an easy way to track the online activity of their employees. That means installing monitoring software or keyloggers to make sure staff are being productive at work... and not surfing porn, gambling online, or whatever else the company chooses to discourage. Even though this makes sense to Microsoft's biggest buyer, the corporation, it does not always make sense for home or private desktop use.

Remember that Windows, at this point, is designed for usability first and security second. There will always be a trade-off between the features of an operating system and its security. It is easy to see in SP2 in the way the XP firewall lets some applications take priority over the security of the network: instead of blocking all traffic by default, firewalled ports are re-opened when certain applications start. Bottom line, Microsoft wants an OS that end users find simple to use and businesses find easy to deploy... and that being the case, ease of use comes first.
