Wolfmight
03-14-2003, 05:06 AM
Making your Windows OS more secure is an awkward enough process given the sheer number of things that can be done to improve it. Here are some good steps to follow:
Renaming disabling & default Accounts:
By default Windows creates an Administrator & Guest account, however being that they are named just that makes it that little bit easier for someone to compromise your system as they’ll already know 2 login names. This is easy enough to fix.
Click on Start, Run type in secpol.msc & click Ok. Expand Local Policies & select Security Options.
The options to change being – Accounts: Rename administrator (guest) account. Double click on these options & type in another name to use for these accounts, click Apply, then Ok.
Once renamed, select Accounts: Guest account status & ensure it is set it to Disabled, which will disable anonymous access to the system using that account.
Security Options Configuration:
Once more click on Start, Run type in secpol.msc & click Ok. Expand Local Policies & select Security Options. There are many options in the security options editor that can be used to further tighten your system. Several options worth setting to Disabled being:
• Interactive logon: Do not require CTRL+ALT+DEL.
• Network access: Allow anonymous SID/name translation.
• Network access: Let Everyone permissions apply to anonymous users.
• Recovery console: Allow automatic administrative logon.
• Recovery console: Allow floppy copy & access to all drives & all folders.
Whereas several options to consider setting to Enabled being;
• Devices: Restrict CD-ROM access to locally logged-on user only.
• Devices: Restrict floppy access to locally logged-on user only.
• Interactive logon: Do not display last user name.
• Network access: Do not allow anonymous enumeration of SAM accounts.
• Network access: Do not allow anonymous enumeration of SAM accounts & shares.
• Network security: Do not store LAN Manager hash value on next password change.
• System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links).
Securing Internet Explorer:
Now load Internet Explorer, click on Tools, then Internet Options. Now select the Security tab.
The main zone to be concerned with here is the Internet zone (As it’s what you’re in for the vast majority of the time you’re connected), so select it. Rather than using a pre-defined setup using the slider instead select the Custom Level button.
Options to consider adjusting here are;
• Download signed ActiveX controls. Being signed by a certifying authority is an indication that an ActiveX control should be safe & as such you should be comfortable setting this to Enable unless you have no desire for any ActiveX controls on your system in which case select Disable or Prompt so you can select to download it for certain websites, e.g. Windows Update, Shockwave Flash.
• Download unsigned ActiveX controls. Unsigned ActiveX controls can be much more of a potential security risk than signed ones & as such should certainly not be set to Enable, rather leave this set to Disable or Prompt for improved security, only allowing controls to be downloaded on site you know can be trusted.
• Initialize & script ActiveX controls not marked as safe. Similar to the previous option, if you’ve set the above to Disable set this to Disable also, otherwise set this to Prompt (recommended) or Enable (Not recommended) instead to allow such unsigned controls to be run.
• Run ActiveX controls & plug-ins. Assuming you don’t accept every ActiveX control/plug-in you come across you should be relatively safe setting this to Prompt or Administrator approved. I wouldn’t recommend selecting Enable though unless you have only Download signed ActiveX controls set to Enable or Download unsigned ActiveX controls to Disable. If you’ve not accepted any ActiveX control downloads you can set this to Disable.
• Script ActiveX controls marked safe for scripting. Similar to the previous option if you have that set to Enable/Administrator approved or Prompt then you should set this option accordingly. These will pose less of a risk than unsafe controls & you shouldn’t need to set this to Disable at all.
• Active scripting. One of the most popular ways of exploiting Internet Explorer is via scripting, though many legitimate websites use scripting also, e.g. Windows Update. While setting this to Disable will significantly aid in securing Internet Explorer it also will have a noticeable effect on website functionality, e.g. Windows Update will not function. One somewhat beneficial affect though is pop-up/under windows will not appear at all. It’s worth noting that this (Disabling Active Scripting) is recommended by many security experts, e.g. Georgi Guninski.
• Allow paste operations via script. This feature allows webpages that script DHTML to paste the contents on your clipboard, which obviously should be a rather serious issue for most of you. As such it is strongly recommended you set this to Disable, as an added bonus this will have zero effect on functionality/compatibility.
• Scripting of Java applets. JavaScript (Not to be confused with Java) is an open, cross-platform object scripting language & much like the Active Scripting option above also represents a big enough potential security risk, as such it is recommended you set this to Disable.
Now select the Content tab of Internet Options. The main thing to be concerned with here is AutoComplete (Click on the same named button).
While AutoComplete can be a great time saver it also represents a fairly big privacy concern, should someone be able to logon as you, what with it capable of storing usernames, passwords & various other details for various websites.
As such I’d strongly recommend Unticking Forms (This stores information such as phrases used in search engines), User names & passwords on forms (This stores information such as your username & password for logging into forums) & Prompt me to save passwords. After this be sure to click the Clear Forms & Clear Passwords buttons, then select Ok. This may make your browsing a bit less convenient, though obviously reduces access to personal information/passwords should your system be accessed/compromised by anyone.
Securing Internet Explorer (cont.)
Now select the Advanced tab of Internet Options. Several options to review here being:
Use Passive FTP (for firewall & DSL modem compatibility). Tick this setting to enable passive FTP mode. This mode is more secure as your IP address is not requested, although should you have problems connecting to some FTP sites than try Unticking this setting. For best security leave this setting Ticked.
Check for publisher’s certificate revocation. When Ticked Internet Explorer will check a Software Publisher's Certificate to see if it has been revoked before accepting it as valid. E.g. in the shot below a program I have downloaded, selecting Open when prompted how to save the file, it will not work if you select Save. In this case no Certificate has been found & it will not install/execute without your authorisation.
Untick this setting to disable this feature. For security reasons I’d strongly recommend leaving this setting Ticked.
Check for server certificate revocation. Ticking this setting will enable Internet Explorer to check if a websites certificate has been revoked before accepting it as valid. As before, this is useful for security reasons, although Untick it should you wish to disable this feature.
Check for signatures on downloaded programs. When Ticked Internet Explorer will verify the identity of any Programs that you have downloaded & you will be prompted with such information. This is useful for security reasons, although Untick it should you wish to disable this feature.
Do not save encrypted page to disk. When Ticked secured webpages are not saved in your Temporary Internet Files folder. Secured websites are those whose URL beings with https rather than http. This is most useful on shared computers where you would want to ensure no one accesses such data (e.g. credit card numbers). Unticking this setting will disable this feature, which isn't recommended, particularly if others have access to your system.
The next 3 settings (Use SSL 2.0, Use SSL 3.0 & Use TLS 1.0) are in relation to security protocols used on secure Websites on the Internet, e.g. most websites use SSL for carrying out secure transactions, such as when you are entering your credit card number into an online order page. Personally I’d recommend Ticking all 3 of these (Use SSL 2.0, Use SSL 3.0 & Use TLS 1.0). If you have problems on some secured websites then trying Unticking all but Use SSL 2.0 (As all secured websites support this).
Warn about invalid site certificates. When Ticked Internet Explorer will display a warning message if the website address in a Website’s security certificate is invalid which is a very useful security feature. Untick this setting to disable this feature.
Warn about changing between secure & not secure mode. When this setting is Ticked a warning message is displayed when changing from a Secure to Unsecure Internet connection. This is probably of most use when shopping/purchasing goods online & you want to ensure that you are on a secure webpage when giving Credit card details & so on. Leave this setting Unticked if this feature is of no use to you (Not recommended).
Warn if forms submittal is being redirected. Tick this setting to enable a warning message to be displayed when webpage forms are submitted to a location other than the website it is located on. I’d recommend leaving this Ticked for best security of your information. You will be prompted as to whether or not you want to continue submittal. Untick this setting to disable this feature, which isn’t recommended.
Tightening Your Connections:
By default Windows will install several Protocols/Services/Clients for any Network/Internet connection created, though for most users these aren’t required & make your system more vulnerable, i.e. NetBIOS & File & Printer Sharing. This can be resolved easily enough, steps being as follows;
Windows 2000/XP
1. Click on Start, Control Panel, then Network Connections. Right click on your Internet connection & select Properties, then the Networking tab.
2. Select & Uninstall (Or at least Untick) File & Printer Sharing for Microsoft Networks & Client for Microsoft Networks if not required for your system.
3. Select Internet Protocol (TCP/IP) then the Properties button, then the Advanced button.
4. Now select the WINS tab & Untick Enable LMHOSTS Lookup & Disable NetBIOS over TCP/IP.
5. Now click on Start, Control Panel, Administrative Tools then Services.
6. TCP/IP NetBIOS Helper. Enables support for NetBIOS over TCP/IP (NetBT) service & NetBIOS name resolution. For best Internet security it would be best not to use NetBIOS & as a result you should set this to Manual or Disabled.
7. Close the Services utility & Network Connections & restart your PC as required.
Outlook Express:
Load Outlook Express, select Tools, then Options. Now select the Security tab. The latest versions of Outlook Express contain extra anti-virus features over older versions which are well worth checking into.
Select the Internet Explorer security zone to use. This option lets you set which Security zone to treat email as (particularly that of HTML based email). The zones available for use are the Internet & Restricted sites zones. Set this to Restricted sites zone to minimize your systems vulnerability to maliciously coded emails. This should have a minimum effect on functionality.
Warn me when other applications try to send mail as me. This setting is fairly self-explanatory. I'd recommend leaving this setting Ticked, should you be prompted that an application is attempting to perform this task, check the contents of your Outbox to see what it is sending.
Do not allow attachments to be saved or opened that could potentially be a virus. When this option is Ticked it will essentially disable the opening of email attachments.
For best virus protection you should leave this setting Ticked & only Untick it if you wish to save/run attachments from people whom you know, or are expecting email from. Remember, in nearly all circumstances it is you who must execute a virus in order to infect your machine. So a certain amount of caution should be exercised whenever you get email with attachments in them.
Firewalls & Anti-Virus:
There’s only so much you can do to secure your system before you’ll also want to look into help from external sources. One important application to have is a Firewall, which basically is there to protect your PC from the outside world. As such you can’t really go wrong with Zone Alarm, which also provides logging & some level of email protection too.
Those of you with Windows XP can take advantage of the built-in firewall should you so wish to not use an external firewall application. Click on Start, Control Panel then Network Connections. Right click on your Internet connection & select Properties, then the Advanced tab. Simply Tick the Internet Connection Firewall option to enable it. Use the Settings button to further tune it.
If you’re an advancer user & have a Firewall/Router in Windows 2000/XP which allows you to block Ports on your system you can find a good listing of ports (& services) you may want to close by opening Windows Explorer, navigate to your Windows directory, then go to system32\drivers\etc, e.g. C:\Windows\system32\drivers\etc, right click on the services file & Open with Wordpad or Notepad (Well, any text editor really). Do what you will with this listing.
There’s also a large variety of Anti-Virus programs out there should your system manage to be infected by one, or you need to minimize the chances of being infected with one.
Updates:
Goto Windows Update and scan your computer for Updates to the system to fix many diffrent things, includeing security risks:
http://v4.windowsupdate.microsoft.com/en/default.asp
Hope these help ya out!
;)
Renaming disabling & default Accounts:
By default Windows creates an Administrator & Guest account, however being that they are named just that makes it that little bit easier for someone to compromise your system as they’ll already know 2 login names. This is easy enough to fix.
Click on Start, Run type in secpol.msc & click Ok. Expand Local Policies & select Security Options.
The options to change being – Accounts: Rename administrator (guest) account. Double click on these options & type in another name to use for these accounts, click Apply, then Ok.
Once renamed, select Accounts: Guest account status & ensure it is set it to Disabled, which will disable anonymous access to the system using that account.
Security Options Configuration:
Once more click on Start, Run type in secpol.msc & click Ok. Expand Local Policies & select Security Options. There are many options in the security options editor that can be used to further tighten your system. Several options worth setting to Disabled being:
• Interactive logon: Do not require CTRL+ALT+DEL.
• Network access: Allow anonymous SID/name translation.
• Network access: Let Everyone permissions apply to anonymous users.
• Recovery console: Allow automatic administrative logon.
• Recovery console: Allow floppy copy & access to all drives & all folders.
Whereas several options to consider setting to Enabled being;
• Devices: Restrict CD-ROM access to locally logged-on user only.
• Devices: Restrict floppy access to locally logged-on user only.
• Interactive logon: Do not display last user name.
• Network access: Do not allow anonymous enumeration of SAM accounts.
• Network access: Do not allow anonymous enumeration of SAM accounts & shares.
• Network security: Do not store LAN Manager hash value on next password change.
• System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links).
Securing Internet Explorer:
Now load Internet Explorer, click on Tools, then Internet Options. Now select the Security tab.
The main zone to be concerned with here is the Internet zone (As it’s what you’re in for the vast majority of the time you’re connected), so select it. Rather than using a pre-defined setup using the slider instead select the Custom Level button.
Options to consider adjusting here are;
• Download signed ActiveX controls. Being signed by a certifying authority is an indication that an ActiveX control should be safe & as such you should be comfortable setting this to Enable unless you have no desire for any ActiveX controls on your system in which case select Disable or Prompt so you can select to download it for certain websites, e.g. Windows Update, Shockwave Flash.
• Download unsigned ActiveX controls. Unsigned ActiveX controls can be much more of a potential security risk than signed ones & as such should certainly not be set to Enable, rather leave this set to Disable or Prompt for improved security, only allowing controls to be downloaded on site you know can be trusted.
• Initialize & script ActiveX controls not marked as safe. Similar to the previous option, if you’ve set the above to Disable set this to Disable also, otherwise set this to Prompt (recommended) or Enable (Not recommended) instead to allow such unsigned controls to be run.
• Run ActiveX controls & plug-ins. Assuming you don’t accept every ActiveX control/plug-in you come across you should be relatively safe setting this to Prompt or Administrator approved. I wouldn’t recommend selecting Enable though unless you have only Download signed ActiveX controls set to Enable or Download unsigned ActiveX controls to Disable. If you’ve not accepted any ActiveX control downloads you can set this to Disable.
• Script ActiveX controls marked safe for scripting. Similar to the previous option if you have that set to Enable/Administrator approved or Prompt then you should set this option accordingly. These will pose less of a risk than unsafe controls & you shouldn’t need to set this to Disable at all.
• Active scripting. One of the most popular ways of exploiting Internet Explorer is via scripting, though many legitimate websites use scripting also, e.g. Windows Update. While setting this to Disable will significantly aid in securing Internet Explorer it also will have a noticeable effect on website functionality, e.g. Windows Update will not function. One somewhat beneficial affect though is pop-up/under windows will not appear at all. It’s worth noting that this (Disabling Active Scripting) is recommended by many security experts, e.g. Georgi Guninski.
• Allow paste operations via script. This feature allows webpages that script DHTML to paste the contents on your clipboard, which obviously should be a rather serious issue for most of you. As such it is strongly recommended you set this to Disable, as an added bonus this will have zero effect on functionality/compatibility.
• Scripting of Java applets. JavaScript (Not to be confused with Java) is an open, cross-platform object scripting language & much like the Active Scripting option above also represents a big enough potential security risk, as such it is recommended you set this to Disable.
Now select the Content tab of Internet Options. The main thing to be concerned with here is AutoComplete (Click on the same named button).
While AutoComplete can be a great time saver it also represents a fairly big privacy concern, should someone be able to logon as you, what with it capable of storing usernames, passwords & various other details for various websites.
As such I’d strongly recommend Unticking Forms (This stores information such as phrases used in search engines), User names & passwords on forms (This stores information such as your username & password for logging into forums) & Prompt me to save passwords. After this be sure to click the Clear Forms & Clear Passwords buttons, then select Ok. This may make your browsing a bit less convenient, though obviously reduces access to personal information/passwords should your system be accessed/compromised by anyone.
Securing Internet Explorer (cont.)
Now select the Advanced tab of Internet Options. Several options to review here being:
Use Passive FTP (for firewall & DSL modem compatibility). Tick this setting to enable passive FTP mode. This mode is more secure as your IP address is not requested, although should you have problems connecting to some FTP sites than try Unticking this setting. For best security leave this setting Ticked.
Check for publisher’s certificate revocation. When Ticked Internet Explorer will check a Software Publisher's Certificate to see if it has been revoked before accepting it as valid. E.g. in the shot below a program I have downloaded, selecting Open when prompted how to save the file, it will not work if you select Save. In this case no Certificate has been found & it will not install/execute without your authorisation.
Untick this setting to disable this feature. For security reasons I’d strongly recommend leaving this setting Ticked.
Check for server certificate revocation. Ticking this setting will enable Internet Explorer to check if a websites certificate has been revoked before accepting it as valid. As before, this is useful for security reasons, although Untick it should you wish to disable this feature.
Check for signatures on downloaded programs. When Ticked Internet Explorer will verify the identity of any Programs that you have downloaded & you will be prompted with such information. This is useful for security reasons, although Untick it should you wish to disable this feature.
Do not save encrypted page to disk. When Ticked secured webpages are not saved in your Temporary Internet Files folder. Secured websites are those whose URL beings with https rather than http. This is most useful on shared computers where you would want to ensure no one accesses such data (e.g. credit card numbers). Unticking this setting will disable this feature, which isn't recommended, particularly if others have access to your system.
The next 3 settings (Use SSL 2.0, Use SSL 3.0 & Use TLS 1.0) are in relation to security protocols used on secure Websites on the Internet, e.g. most websites use SSL for carrying out secure transactions, such as when you are entering your credit card number into an online order page. Personally I’d recommend Ticking all 3 of these (Use SSL 2.0, Use SSL 3.0 & Use TLS 1.0). If you have problems on some secured websites then trying Unticking all but Use SSL 2.0 (As all secured websites support this).
Warn about invalid site certificates. When Ticked Internet Explorer will display a warning message if the website address in a Website’s security certificate is invalid which is a very useful security feature. Untick this setting to disable this feature.
Warn about changing between secure & not secure mode. When this setting is Ticked a warning message is displayed when changing from a Secure to Unsecure Internet connection. This is probably of most use when shopping/purchasing goods online & you want to ensure that you are on a secure webpage when giving Credit card details & so on. Leave this setting Unticked if this feature is of no use to you (Not recommended).
Warn if forms submittal is being redirected. Tick this setting to enable a warning message to be displayed when webpage forms are submitted to a location other than the website it is located on. I’d recommend leaving this Ticked for best security of your information. You will be prompted as to whether or not you want to continue submittal. Untick this setting to disable this feature, which isn’t recommended.
Tightening Your Connections:
By default Windows will install several Protocols/Services/Clients for any Network/Internet connection created, though for most users these aren’t required & make your system more vulnerable, i.e. NetBIOS & File & Printer Sharing. This can be resolved easily enough, steps being as follows;
Windows 2000/XP
1. Click on Start, Control Panel, then Network Connections. Right click on your Internet connection & select Properties, then the Networking tab.
2. Select & Uninstall (Or at least Untick) File & Printer Sharing for Microsoft Networks & Client for Microsoft Networks if not required for your system.
3. Select Internet Protocol (TCP/IP) then the Properties button, then the Advanced button.
4. Now select the WINS tab & Untick Enable LMHOSTS Lookup & Disable NetBIOS over TCP/IP.
5. Now click on Start, Control Panel, Administrative Tools then Services.
6. TCP/IP NetBIOS Helper. Enables support for NetBIOS over TCP/IP (NetBT) service & NetBIOS name resolution. For best Internet security it would be best not to use NetBIOS & as a result you should set this to Manual or Disabled.
7. Close the Services utility & Network Connections & restart your PC as required.
Outlook Express:
Load Outlook Express, select Tools, then Options. Now select the Security tab. The latest versions of Outlook Express contain extra anti-virus features over older versions which are well worth checking into.
Select the Internet Explorer security zone to use. This option lets you set which Security zone to treat email as (particularly that of HTML based email). The zones available for use are the Internet & Restricted sites zones. Set this to Restricted sites zone to minimize your systems vulnerability to maliciously coded emails. This should have a minimum effect on functionality.
Warn me when other applications try to send mail as me. This setting is fairly self-explanatory. I'd recommend leaving this setting Ticked, should you be prompted that an application is attempting to perform this task, check the contents of your Outbox to see what it is sending.
Do not allow attachments to be saved or opened that could potentially be a virus. When this option is Ticked it will essentially disable the opening of email attachments.
For best virus protection you should leave this setting Ticked & only Untick it if you wish to save/run attachments from people whom you know, or are expecting email from. Remember, in nearly all circumstances it is you who must execute a virus in order to infect your machine. So a certain amount of caution should be exercised whenever you get email with attachments in them.
Firewalls & Anti-Virus:
There’s only so much you can do to secure your system before you’ll also want to look into help from external sources. One important application to have is a Firewall, which basically is there to protect your PC from the outside world. As such you can’t really go wrong with Zone Alarm, which also provides logging & some level of email protection too.
Those of you with Windows XP can take advantage of the built-in firewall should you so wish to not use an external firewall application. Click on Start, Control Panel then Network Connections. Right click on your Internet connection & select Properties, then the Advanced tab. Simply Tick the Internet Connection Firewall option to enable it. Use the Settings button to further tune it.
If you’re an advancer user & have a Firewall/Router in Windows 2000/XP which allows you to block Ports on your system you can find a good listing of ports (& services) you may want to close by opening Windows Explorer, navigate to your Windows directory, then go to system32\drivers\etc, e.g. C:\Windows\system32\drivers\etc, right click on the services file & Open with Wordpad or Notepad (Well, any text editor really). Do what you will with this listing.
There’s also a large variety of Anti-Virus programs out there should your system manage to be infected by one, or you need to minimize the chances of being infected with one.
Updates:
Goto Windows Update and scan your computer for Updates to the system to fix many diffrent things, includeing security risks:
http://v4.windowsupdate.microsoft.com/en/default.asp
Hope these help ya out!
;)