Windows XP Security - testmy.net resource / tool
Topic: Windows XP Security  (Read 13969 times)
unstable
« on: October 20, 2004, 12:42:52 AM »

Windows XP Security - Submitted by UNSTABLE
--------------------------------------------------------------------------------
There is so much ground to cover here that I’ve decided to break this up into several parts. I will continue to add information and walk-throughs as I write it. If you have some notable information, please PM me and I will work toward including it in this document.


Intro
Let’s talk security. When I think security I think of a set of antique balance scales. Why balance scales? Simple: security is offset by functionality. The more secure a computer is, the less functional it will be. I can tell you how to configure your computer quickly and easily for the most security and least amount of functionality…unplug it and lock it inside a closet. You won’t be able to use it and neither will the hackers. In this scenario the scales are tipped heavily by security with no functionality to counterbalance it. On the other end of the spectrum would be no security (default installation of XP) with plenty of functionality. It’s ultimately up to YOU how secure you want your computer, keeping in mind that the more you secure it, the less functional it will be.

Various considerations

Operating System / Windows Updates
Application patches and updates (office updates)
Antivirus Software and signatures
File Level (ntfs) security
Share Level security
User accounts / Passwords
Hacker-Friendly Files
Services
Local security policy / Account restrictions
Network Security (desktop firewalls, routers, hardware firewalls)
…and more!



Patches
Let’s first begin with the “no brainers”, Windows Updates. Perfect software and perfect operating systems do not exist. There are flaws in the code that sometimes allow the bad guys to do bad things to your computer. The easiest way to combat this threat is to install your patches, for both your operating system and all of the applications you run…even your games.

The only downside to applying patches is that sometimes the patches break programs or cause further issues. I think that most of us can live with this, being that this document is mostly geared toward home-users who need not worry about a patch breaking a mission critical application.

To stay abreast of the latest security vulnerabilities, sign up for a free newsletter from http://portal.sans.org or a similar organization. When you receive these emails, make it a priority to ensure your applications are not on the “naughty” list.

Antivirus Software
If you didn’t already know, antivirus software is a must-have these days. I personally prefer Norton Antivirus Corporate Edition. Whatever you decide to run is fine as long as you download the virus signatures when they are released. Antivirus software relies on a “compare” method to detect and remove viruses. The virus signature updates that you download from your vendor contain little pieces of virus code. When you run a scan of your system, each file is compared against the signature file to check for a match. Without the signature (virus code), your antivirus software is worthless.

NTFS Security
If you are running Windows 2000 or later, all of your hard disks should be formatted as NTFS…not FAT. NTFS allows for permissions to be set on files and directories based on user accounts and groups. So, for example, assume that you have a particular directory that contains files that you do not want your (wife, girlfriend, mom, dad etc) to see; you can lock them out using NTFS permissions.

When Windows is booted the first time, the NTFS permissions are set very loosely on the computer. The “Everyone” group has full control on every file on the computer; this is a bad thing.

Administrators, Creator/Owner and System are must haves! If you modify the permissions, ensure these three are ALWAYS included; otherwise there is a good chance you are going to lock yourself out of your computer and unless you are extremely savvy you’re going to be doing a complete reinstall of the system. Also, stay away from “DENY” and groups. Deny takes precedence over allow permissions. If you “Allow Administrators” then “Deny Everyone” you just effectively locked everyone (including the Administrators) out of the computer.

I recommend granting explicit access to whoever needs access to the computer. Keep Administrators, Creator Owner, System, then add each additional user that uses the computer. Alternatively, you could make a group in “user manager”, add everyone to that group and allow permission to that group using NTFS permissions. Groups aren’t necessary if you’ve only got a couple people using the computer; in fact, groups make reading permissions more difficult in this situation. Ensure that you grant access to the system folders and files (Windows, Documents and Settings, Pagefile etc). Modifying permissions on these can result in user profiles not loading.

Share Level Security
File and Print Sharing. If you have more than one computer on your home network, you may share files between both computers using File and Print Sharing for Microsoft Networks. If you have ever played with this, it can be pretty tricky. Not only are NTFS permissions enforced but Share Level permissions are also enforced.

So if you created a share c:\music, and granted permission to everyone and then examined the NTFS permissions on the c:\music directory and it said “Administrators – Full Access”, who would be able to access the c:\music directory? Only the administrators would.

In the past, this used to really kick my butt, until I found a way of standardizing all of my shares. I like to set the shares to allow authenticated users, I grant them full access on the share. I use NTFS permissions to regulate the authenticated users. This should prevent unauthenticated users from accessing the share.
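The two rules above (deny beats allow, and share plus NTFS permissions are both enforced) are easy to get wrong, so here is a small model of them. This is an added example written for this guide, not Windows' own access-check code; the principals, groups and ACLs are constructed placeholders.

```python
from dataclasses import dataclass

# Added illustration, not Windows' real access-check code: a simplified model
# of how NTFS and share permissions combine. Rights are named strings and the
# caller's group membership is passed in as a set of identities (user + groups).
READ, CHANGE, FULL = "Read", "Change", "Full Control"
RIGHTS = {
    READ: {"read"},
    CHANGE: {"read", "write"},
    FULL: {"read", "write", "change_permissions"},
}

@dataclass(frozen=True)
class Ace:
    principal: str      # user or group the entry applies to
    level: str          # READ, CHANGE or FULL
    allow: bool = True  # False makes this a DENY entry

def acl_grants(acl, identities, right):
    """Deny takes precedence over allow: one matching DENY entry on any of the
    caller's identities blocks the right even if another entry allows it."""
    for ace in acl:
        if not ace.allow and ace.principal in identities and right in RIGHTS[ace.level]:
            return False
    return any(
        ace.allow and ace.principal in identities and right in RIGHTS[ace.level]
        for ace in acl
    )

def effective_access(share_acl, ntfs_acl, identities, right):
    """Over the network both layers are enforced, so the caller needs the
    right on the share AND on the NTFS folder behind it."""
    return acl_grants(share_acl, identities, right) and acl_grants(ntfs_acl, identities, right)

# Constructed sample principals (placeholder names, not from the post).
ADMIN = {"bob", "Administrators", "Authenticated Users", "Everyone"}
USER = {"alice", "Authenticated Users", "Everyone"}
ANONYMOUS = {"Everyone"}  # no account of its own in this model

# "Allow Administrators, then Deny Everyone": even an administrator is locked out.
LOCKOUT_ACL = [Ace("Administrators", FULL), Ace("Everyone", FULL, allow=False)]

# The c:\music example: share open to Everyone, NTFS restricted to Administrators.
MUSIC_SHARE = [Ace("Everyone", FULL)]
MUSIC_NTFS = [Ace("Administrators", FULL)]

# The author's standard: Authenticated Users get Full on the share, NTFS regulates.
STD_SHARE = [Ace("Authenticated Users", FULL)]
STD_NTFS = [Ace("Administrators", FULL), Ace("SYSTEM", FULL), Ace("alice", READ)]
```

With the standard layout, alice can read but not write, bob (an administrator) can do both, and an anonymous caller is stopped at the share.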

User Accounts
Ah yes, user accounts. How many of us create a login with Administrative privileges? I’ll admit it, I do! It’s quite funny because only a fraction of my time during a day do I require administrative power on my computer. LOGGING ON AS AN ADMINISTRATOR IS BAD NEWS. I should practice what I preach, but old habits are hard to break.

I recommend creating a regular user account for yourself, with a different password than your administrative account. If you ever need to perform an administrative task, you can hold down the shift key while right clicking an icon; this will launch the “Run As” dialog and allow you to function as an administrator for a brief period of time. Using this method is much more secure than running as an administrator 100% of the time. Any processes spawned while you are an administrator have the same capabilities as you.

Additionally, passwords for the system should be as long as possible and not found in the dictionary. I personally prefer to use web URL’s as passwords, maybe something like:
http://unstable.machine1**
The reason passwords should be hard to guess is because there are automated tools that use dictionaries to make password attempts.

Lastly, the master administrator account can never be locked out. Assuming someone was trying to crack this account, unless you had auditing enabled and reviewed your logs daily, you would never know that someone was attacking you. If you log on as a regular user and set up account lockouts to occur, you will know immediately when your account is locked out.

Hacker Friendly Files
Assuming a hacker compromised your computer, there are many files that are installed with Windows that would prove to be most useful to him. Most of these files and programs are based in the command-line world. By the book, on any sensitive system, you are supposed to remove these files and put them on CD-ROM for when you need them. I have tried this a few times and it turns out to be a real pain in the butt.




Arp.exe
Ping.exe
AT.exe
Poledit.exe
ATsvc.exe
Posix.exe
Attrib.exe
Qbasic.exe
Cacls.exe
QFEcheck.exe
Clipsrv.exe
RCP.exe
rcp.exe
cmd.exe
rdisk.exe
command.com
regedit.exe
cscript.exe
regedt32.exe
debug.exe
regini.exe
dialer.exe
regsvr32.exe
edit.exe
rexec.exe
edlin.exe
route.exe
finger.exe
rsh.exe
ftp.exe
runas.exe
hypertrm.exe
runonce.exe
htimage.exe
secfixup.exe
imagemap.exe
sysedit.exe
ipconfig.exe
syskey.exe
issync.exe
telnet.exe
msiexec.exe
tftp.exe
nbtstat.exe
tracert.exe
net.exe
tskill.exe
net1.exe
uninst.exe
netsh.exe
wscript.exe
netstat.exe
xcopy.exe
nslookup.exe



How you choose to handle these files is up to you. At the very least, it may be worthwhile to apply explicit access to only select users and deny others. If you’re shooting for high security, copy all of these to a CD-ROM and delete them off of the hard disk. Be warned that things may not function as they once did if you do this.

Services
Windows XP has a ton of services. Some you need, some you don’t. Some are installed with the operating system, others are installed with third-party applications. The short of this is that the more “crap” you have running that you don’t need, the more susceptible you are to attacks…back to the functionality thing. If you only have one computer on your home network, why leave file and printer sharing enabled? Why run the Server and Workstation services?

Rather than go into the details of each and every service, I’m going to defer this one to Black Viper, who has a very good list of the services and what they do. Disabling services is going to take a fair amount of research and experimentation on your part. It will be well worth it in the end. Not only will your computer be more secure, but it will also run faster, being that fewer services are loaded in the background.

http://www.blackviper.com/WinXP/servicecfg.htm

Local Security Policy
There is such an abundance of information on the internet for securing a Windows XP desktop that I find it almost pointless to bother putting this document together.

The local security policy is basically a registry hacking mechanism. Back in the days of Windows NT 4.0, people found that they could do certain things to their workstations and servers by changing flags in the registry, requiring complex passwords, displaying logon banners, etc. Apparently Microsoft decided it was time to give the people what they wanted to some degree and offered the Local Security Policy tool…which you probably noticed in your Administrative tools, but never played around with too much.

Most of the items in the Local Security Policy are pretty self explanatory. “Access this computer from the network.” Well, if you only have one computer on your network, and don’t intend to share files out to the internet, you might as well take everyone out of this policy.

Here’s a brief walkthrough on LSP: http://www.windowsecurity.com/tutor...icies.html

More information on configuring LSP is available on the internet. You may also consider using templates to save you time.

Stay tuned...more to come...
If you have something in particular that you would like more information on, please feel free to PM me and I will do my best to answer your question and possibly include specific information in this document.

Contact the author of this guide >> UNSTABLE >> http://testmy.net/forum/index.php?action=pm;sa=send;u=598
« Last Edit: February 28, 2006, 07:52:26 PM by CA3LE »