Win2000 security -- very long post

waytoomuchcoffee

Senior member
Sep 30, 2000
More of my friends are starting to set up Win2000 systems, and out of curiosity (and boredom) I wanted to come up with a security guide. Most of this stuff has already been published, so this is more of a compilation.

I would be interested in mistakes, comments, and suggestions for new material.

It's so big now that it's in the realm of "extremely paranoid" if you follow everything, but it's been fun to put together anyway.

------------------------------------------
HARDENING WIN2000 -- WORKING COPY

This is mainly for individual workstations that are not running a server, and not in a network.

If you can, do a clean install of Win2000. An upgrade will leave all sorts of files behind that could possibly be exploited.

For purposes of this document, it is assumed you will be performing these steps in an Administrator account.

CREATE A RECOVERY DISK

You should always create a recovery disk before messing with system settings. Get a blank diskette. Start -> Programs -> Accessories -> System Tools -> Backup. Select the Backup tab, go to Tools, and select "Create an Emergency Repair Disk".

If for some reason you don't have the Backup program in your system tools (it happens sometimes), you can access it by creating a shortcut. Right-click on the desktop -> New -> Shortcut. In the box type in:

%SystemRoot%\system32\NTBACKUP.EXE

Under the name type in "Backup", or whatever.

ACCOUNTS

The default Win2000 installation will come with two accounts: "Administrator", and "Guest". You should disable "Guest", rename "Administrator", and create at least one account which you will use as your main account.

The Guest account should be disabled by default, but it's good to check. Start -> Settings -> Control Panel -> Users and Passwords -> Advanced Tab -> Advanced Button -> click on "Users" group. The Guest Account should have a little red circle with a white "x" over it. If it doesn't, right-click on "Guest", go to Properties, go to General Tab, and click on the box "Account is disabled".

While you are in "Users and Passwords" we can change a few other things. Rename the Administrator account by right-clicking on it and going to "Rename". Make it something you can remember, but avoid having "Administrator" or "Admin" as part of the name. Right-click on the new name, go to Properties, and clear out the "Full Name" and "Description" boxes. (A lot of people argue this step is like putting tape on a safe, in that it does not increase security all that much. In a regular network system this is probably true. In fact NSA guidelines for hardening an NT workstation even leave this step out. There are so many ways to get a list of user names that it isn't worth it, and could be counter-productive in that it gives you a false sense of security. However, on a non-networked workstation, there are just a few ways you can get user names off the net, and we will be patching the known ones up for the most part, so this step is still useful for this type of setup).

Make a dummy Administrator account by going to "Action" and selecting "New User". Name it Administrator. Right-click on it, go to Properties, and go to the "Member Of" tab. Make sure it is not a member of anything. If it is, highlight the groups and hit "Remove". Right-click on the dummy Administrator account, select "Set Password", and give it a (very) strong password (see below).

Create an account you will use every day. Click on "Add" in the "Users" tab. Put in the name and password when prompted (ALWAYS use a password, see below). At this point, you need to select what type of account this is. The standard advice is for your main account to be a "Standard User (Power Users Group)". This setting will allow you to add/remove programs, but restricts a lot of system settings. This setting is necessary for many programs written for Windows NT. Note that Power Users cannot install many programs written for NT, as they change system registry settings which Power Users do not have access to.

For more security (but bigger headaches) you can also try the "Restricted User (User Group)" setting. This type of user can't even install or remove programs, and so is very safe from trojans. They should be able to run any program that was written to be compatible with Win2000.

If you need administrative rights to access a program (such as Regedit), you can use the "Run As" feature in Win2000. Just right click the program you want to run, and select "Run As". You can then type in the name and password of your renamed Administrator account.

Log in with Administrator access as rarely as possible. A trojan that is run by mistake, or a malicious ActiveX or Java component run by a web page, will have access to anything the account has access to. Many bugs that let hostile web pages damage your system have already been found, and more are most likely out there. If a dangerous program runs as an Administrator, it will have access to your system files, such as the registry. Running as a Restricted User can mean the difference between having your individual User profile wiped out, versus having your entire system wiped out as an Administrator. Note that running a trojan as a Standard User can affect some system-wide settings, but not all.

PASSWORDS

Always put in passwords, strong passwords. Meaning at least 8 characters, with a combination of at least three of the following: lower case, upper case, numbers, and symbols.

There are some utilities that can crack your passwords, like L0phtCrack. To defeat these programs, there are certain ASCII characters accessed with the numeric keypad ALT key that you can include in your passwords, as shown at: http://sysopt.earthweb.com/articles/win2kpass/index.html

Next, go to Local Security Policy. Start -> Settings -> Control Panel -> Administrative Tools -> Local Security Policy -> Account Policy -> Account Lockout Policy

Some recommended settings are listed below.

Account lockout duration: (45 minutes)
Account lockout threshold: (5 invalid login attempts)
Reset account lockout counter after: (45 minutes)

The Account Lockout Policies should not affect you as long as you don't forget your password, and can restrict the number of tries some network user has to guess your Administrator password.

Look in Password Policies too. Settings may be needed if you have other users on your system. Generally, these settings can be a real pain to use.

UPDATE WINDOWS

Go to Start -> Windows Update. If you don't have a Windows Update icon in your start menu (some installs don't do this, I don't know why), you can make one. Do it as shown in the section above for creating a shortcut to the Backup program, but the path this time is:

%SystemRoot%\system32\wupdmgr.exe

Under the name type in "Windows Update", or whatever. Drag it to the Start button, when it shows the menu release. It will be put into the upper menu.

Make sure you get the latest Service Packs (SP2 is almost out at time of writing), as well as the critical updates, and the High Encryption pack.

AUDITING

If someone does break in, you may not know it unless you have auditing enabled and actually check your logs.

Start -> Programs -> Administrative Tools -> Local Security Policies -> Local Policies -> Audit Policy

Audit account logon events records logons. Audit success (to see if someone stole a password) and failure (for random password hacks).
Audit policy changes tracks security policy changes. Audit success and failure.
Audit privilege use can identify when a user tries to use a right not assigned to them. Audit failure.
Audit system events can monitor if someone clears the event log. Audit success and failure.

Event viewer lets you see the logs.

FIREWALLS

Download and install a Firewall. ZoneAlarm is good and free, and it is at www.zonelabs.com. Go into Security, and set security at "High" for both Local and Internet. Under the "MailSafe e-mail protection" section, click on the box labeled "Enable MailSafe protection to quarantine e-mail script attachments". Under "Lock", Enable "Automatic Lock", and "Engage Internet Lock when screen saver activates." To set up a screen saver, right-click on the desktop, select "Properties", go into Screen Saver and set one up. If you need to have some programs access the internet while the Automatic Lock is enabled (like email programs that check for new messages), you need to select the "Pass Lock" box next to the program in the "Programs" directory of ZoneAlarm.

If you have Zonealarm, download ZoneLog Analyser (shareware, nag screens). This will read in your Zonealarm log file and sort your alerts by type (such as trojan and DOS attacks) and date.

http://www.zonelog.co.uk

It is a good idea to probe your ports when you are done setting up your firewall, to make sure you didn't miss anything. You can do this at www.grc.com (follow links to ShieldsUp!).

VIRUS SCANNERS / BEHAVIOR BLOCKERS/ SANDBOXES

If you don't already have a virus scanner, you need one. While many are out there, one good free one is Inoculate IT Personal Edition, at http://antivirus.cai.com provided you are using it on your personal computer (similar to ZoneAlarm, business copies are not free). It is ICSA Certified and consistently rates extremely high in detection rates. It has good user support too, with timely update notifications emailed frequently.

Note that virus scanners only detect certain patterns. If the virus/trojan/worm is zipped up, it probably won't detect it. If it is a new virus/trojan/worm which isn't in the database yet, it won't detect it. Some viruses change their code to fool virus scanners (polymorphic viruses). One way to detect these types of malicious programs is to install a behavior blocker / sandbox. Behavior blockers restrict the rights of code accessing parts of your computer. For example, if a Java applet on a web page attempts to access your registry, a warning box can pop up asking if you really want to do this. Sandboxes can allow you to run code in a safe environment that will not affect system resources, to see what it actually does.

One good, free combination behavior blocker / sandbox is SurfinGuard Pro at http://www.finjan.com/surfinguard. This program can be configured to simply block certain types of access, or to prompt you to run the code / stop the code / run the code in a sandbox.

DISABLE NetBIOS

Start -> Settings -> Control Panel -> Network and Dial-up Connections -> Local Area Connection -> Properties -> Internet Protocol (TCP/IP) -> Advanced -> WINS tab -> Disable NetBIOS over TCP/IP. If you have a dial-up connection, you will need to go into that as well after "Network and Dial-up Connections" and follow the same procedure.

DISABLE NETWORK BINDINGS

Start -> Settings -> Control Panel -> Network and Dial-Up Connections. In here you will have your network information -- you need to go into everything except for "Make New Connection". If you have DSL or Cable, you will probably have one that says "Local Area Connection". Hit "Properties". If there are tabs, select the one that says "Networking". Uncheck every box that does not say "TCP/IP" somewhere in it. The most important category that should be UNchecked is "File and Print Sharing for Microsoft Networks", which can allow other computers to access your files.

CONVERT YOUR DRIVES TO NTFS

If you didn't set up your disks as "NTFS", you need to do that now. Go into Windows Explorer, expand "My Computer", right-click on your hard drive(s), and select "Properties". It should say somewhere in there "File System: NTFS". If it says "File System: FAT" or "File System: FAT32", you need to change it. IMPORTANT NOTE: you NEED to have your disks in FAT if you have Win95, Win98 or WinME installed, as they can only read FAT disks. If you convert your disks to NTFS, they will not be able to read the data. You can convert only the hard drive/partition you have Win2000 on, but your older Windows will not be able to read any files on it. If you convert the disk/partition that your older Windows is on, the older Windows won't even start.

If you need to change to NTFS, go to Start -> Run (or just type the Windows key + "r"). At the command line, type in:

convert c: /fs:ntfs

Replace "c:" with every drive you wish to convert. Follow the instructions, which will probably include restarting your computer. Make sure you do this at a time the power will not go out. It will take a few seconds to a few minutes, depending on how much stuff is on the drive. After converting, you should run Disk Defragmenter (Start -> Programs -> Accessories -> System Tools).

DRIVE PERMISSIONS

You can set up NTFS drives to allow read/write/edit permissions for different users/files. This is another way to ensure protection of your system in case an anonymous user gets access.

First, we need to replace the default permission that lets "Everyone" (which includes anonymous users and guests) access your drives, and set it up so only real users that have logged in have access. Go into Windows Explorer, expand "My Computer", right-click on your hard drive(s), and select "Properties". Go into the "Security" tab. Click Advanced. Under the Permissions tab, select "Everyone". Hit View/Edit. Hit Change. Select "Authenticated Users". Hit OK, and OK again.

Next, we need to deny access to our dummy Administrator account, in case someone actually manages to log on with it. If you have not created a dummy Administrator account, don't follow the rest of these instructions or you may lock yourself out of your computer. Hit the "Add" button, and select "Administrator". IMPORTANT: Do NOT hit "Administrators", as this is the entire GROUP of (real) Administrators. You want the USER "Administrator". It will have an entry in the "In Folder" section next to the name; the "Administrators" GROUP will NOT. Hit "OK". Back in the main Security tab, hit Advanced. Select Administrator. Hit View/Edit. For "Apply Onto:", make sure "This folder, subfolders and files" is selected. Then click all boxes under "Deny". Hit OK three times.

(If you have any other Names in the top box besides "Administrator" and "Authenticated Users", remove them unless you know they belong for some reason. There should not be anything else in a clean install.)

You have to repeat this for every drive / partition.

SERVICES

Services are background programs your computer uses to run correctly. Many services are unnecessary, and some are actually dangerous. A secure system needs to disable certain services. Many services are included by default as Microsoft expects your system to be operated in a network. This includes allowing remote users to access your registry, view your clipbook, browse your directory, or connect to it via Telnet. These can open large holes in your system, and should be removed. This also has the advantage of improving system performance, as each service can take up megabytes of RAM. I cleared up over 20 MB of memory simply by disabling services I never used.

Rather than repeating basic info on services, as well as lengthy descriptions of what each service does, this guide recommends you read the following. The "Windows 2000 Services tweak guide" is a good introduction to services, and also describes what to do if you accidentally disable a service that you actually need to run your computer.

http://www.3dspotlight.com/tweaks/win2k_services/index.shtml

The following article (broken into parts) is more focused on the security aspect of services:

http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=16301
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=16363

Services that I have disabled include:

Clipbook
Computer Browser
DHCP Client (Warning: some internet connections need this service)
Fax Service
Indexing Service
Internet Connection Sharing
IPSEC Policy Agent
Net Logon
Netmeeting Remote Desktop Sharing
Remote Registry Service
Routing and Remote Access
Server
SNMP Service
SNMP Trap Service
Task Scheduler
TCP/IP NETBIOS Helper Service
Telnet
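The list above uses the display names shown in the Services console. As an added example (not from the original post), the batch file below sets those services to "Disabled" and stops them from the command line using sc.exe, which on Windows 2000 comes from the Resource Kit (it is built into XP and later). The short service names are my assumed mapping of the display names; "DHCP Client" (Dhcp) is deliberately left out because of the warning above, so add it yourself only if your connection does not need it.

```batch
@echo off
rem Added example, not part of the original post: disable the services
rem listed in the SERVICES section without clicking through the console.
rem Assumptions: sc.exe is on the path (Windows 2000 Resource Kit); the
rem short names below are the service key names for the display names in
rem the list (ClipSrv = ClipBook, Browser = Computer Browser, Fax = Fax
rem Service, cisvc = Indexing Service, SharedAccess = Internet Connection
rem Sharing, PolicyAgent = IPSEC Policy Agent, Netlogon = Net Logon,
rem mnmsrvc = NetMeeting Remote Desktop Sharing, RemoteRegistry = Remote
rem Registry Service, RemoteAccess = Routing and Remote Access,
rem lanmanserver = Server, SNMP, SNMPTRAP, Schedule = Task Scheduler,
rem LmHosts = TCP/IP NetBIOS Helper Service, TlntSvr = Telnet).
rem Dhcp (DHCP Client) is intentionally not in the list; see the warning.

for %%S in (ClipSrv Browser Fax cisvc SharedAccess PolicyAgent Netlogon mnmsrvc RemoteRegistry RemoteAccess lanmanserver SNMP SNMPTRAP Schedule LmHosts TlntSvr) do (
    rem Only touch services that are actually installed on this machine.
    sc query %%S >nul 2>&1 && (
        rem Stop it now, then keep it from starting at the next boot.
        net stop %%S /y >nul 2>&1
        sc config %%S start= disabled
    ) || echo Service %%S is not installed, skipping.
)

rem Review the result: every service above should now show START_TYPE DISABLED.
for %%S in (RemoteRegistry lanmanserver TlntSvr) do sc qc %%S
```

The space after `start=` is required by sc.exe. Running this a second time is harmless, which makes it a convenient check after a Service Pack install has turned something back on.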

SHARING

Run or create a shortcut to Regedit (the path is X:\WINNT\regedit.exe, where X is your Win2000 drive). In Regedit, go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters. Select Edit -> New -> DWORD Value. As the name, put in "AutoShareServer". The value should come out to "REG_DWORD : 0" by default. If not, hit Modify and change it to 0. Exit Regedit.

Note: disabling shares with Windows Explorer (as written in some other guides) will only work until the next reboot.

OTHER SECURITY SETTINGS

Start -> Settings -> Control Panel -> Users and Passwords -> Advanced Tab -> under "Secure Boot Settings" enable the box marked "Require users to press Ctrl-Alt-Delete before logging in". This defeats trojans that attempt to intercept your password.

Start -> Programs -> Administrative Tools -> Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Netmeeting:

Enable "Disable remote desktop sharing." Of course, if you use Netmeeting you need this disabled.

Start -> Programs -> Administrative Tools -> Local Security Policy -> Security Setting -> Local Policies -> Security Options:

Set "Additional restrictions for anonymous connections" to "No access without explicit anonymous permissions." (By default, an anonymous user is considered part of the "Everyone" group. Even though we restricted access to the "Everyone" group earlier, this provides another layer of protection. Note that in NT, the highest setting was "Do not allow enumeration of SAM accounts and shares", which replaces "Everyone" with "Authenticated Users" in the security permissions for resources. Win2000 has added the "no access" setting to provide even more security - this will take out both Everyone and any network connections which don't have explicit permission. Both these settings will defeat programs (e.g. "Redbutton") that log on anonymously and are designed to find the names of user accounts and/or the name of the renamed Administrator account.)

Enable "Do not display last user name in logon screen."

Enable "Restrict CD-ROM access to locally logged-on user only". This will prevent users logged in over the internet from reading your CD-ROM.

Enable "Restrict floppy access to locally logged-on user only". This will prevent users logged in over the internet from deleting/stealing info on your floppy (or writing a boot virus to your floppy that will run the next time you start up your computer).

Enable "Restrict users from installing printer drivers". This prevents others from installing bogus printer drivers. You will have to disable this if you replace or add a printer driver.

Disable "Disable CTRL+ALT+DEL requirement for logon". This will grey out the box marked "Require users to press Ctrl-Alt-Delete before logging in" in the Users and Passwords utility, adding another layer of protection as a trojan will have to disable both before trying to steal your passwords.

Think about enabling "Clear virtual memory pagefile when system shuts down". This is for the truly paranoid -- it wipes out the pagefile (the part of the hard drive that acts as RAM when you don't have enough RAM) on shutdown. This is mainly for those computers that have to be secure in case someone steals the hard drive, or for laptops. Of course, there is the chance on a home system that a network user could gain control of your computer and mine this memory looking for stuff like admin passwords and credit cards. This option can add a long time to your shutdown time.

Start -> Programs -> Administrative Tools -> Local Security Settings -> Security Setting -> Local Policies -> User Rights Assignment:

Go into "Deny access to this computer from the network"; add "Everyone", "Guests", the "Administrators" group, and each separate individual account. Note this setting takes precedence over the "Access this computer from the network" right, so you don't have to modify both. This theoretically makes it so you can only log in from your local computer.
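Everything set through Local Security Policy in the PASSWORDS (Account Lockout Policy), AUDITING (Audit Policy) and OTHER SECURITY SETTINGS sections above can also be applied in one go with the built-in secedit.exe tool, which reads a security template (.inf). The batch file below is an added example, not part of the original post: it writes such a template and applies it. It assumes you are logged on as an Administrator, that secedit accepts a plain ANSI template without a [Unicode] section, and that the registry paths and type codes in the [Registry Values] section follow the standard template format (4 = REG_DWORD, 1 = REG_SZ); it also turns on the password length/complexity rule from the PASSWORDS section, which the post only describes in words.

```batch
@echo off
rem Added example, not part of the original post: apply the lockout, audit,
rem security-option and user-right settings from the sections above with
rem secedit.exe instead of the MMC consoles.
rem Assumptions: run from an Administrator account; ANSI template accepted;
rem registry paths/encodings follow the standard security template format.
set INF=%TEMP%\harden.inf
set SDB=%TEMP%\harden.sdb
if exist "%SDB%" del "%SDB%"

> "%INF%" echo [Version]
>> "%INF%" echo signature="$CHICAGO$"
>> "%INF%" echo Revision=1

rem Account Lockout Policy (attempts / minutes) and the password rule from
rem the PASSWORDS section (at least 8 characters, three of four classes).
>> "%INF%" echo [System Access]
>> "%INF%" echo LockoutBadCount = 5
>> "%INF%" echo LockoutDuration = 45
>> "%INF%" echo ResetLockoutCount = 45
>> "%INF%" echo MinimumPasswordLength = 8
>> "%INF%" echo PasswordComplexity = 1

rem Audit Policy: 1 = success, 2 = failure, 3 = success and failure.
rem On a stand-alone workstation local logons are recorded under "logon
rem events", so both logon categories are enabled here.
>> "%INF%" echo [Event Audit]
>> "%INF%" echo AuditAccountLogon = 3
>> "%INF%" echo AuditLogonEvents = 3
>> "%INF%" echo AuditPolicyChange = 3
>> "%INF%" echo AuditPrivilegeUse = 2
>> "%INF%" echo AuditSystemEvents = 3

rem Security Options. RestrictAnonymous=2 is "No access without explicit
rem anonymous permissions"; DisableCAD=0 keeps the Ctrl-Alt-Del requirement.
>> "%INF%" echo [Registry Values]
>> "%INF%" echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
>> "%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=4,1
>> "%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD=4,0
>> "%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
>> "%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
>> "%INF%" echo MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
rem Optional (slow shutdown): add the line
rem   MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
rem under [Registry Values] to clear the pagefile at shutdown.

rem User Rights: deny network logon to Everyone (S-1-1-0), Guests
rem (S-1-5-32-546) and the Administrators group (S-1-5-32-544).
rem Append ",<account name>" for each individual account you created.
>> "%INF%" echo [Privilege Rights]
>> "%INF%" echo SeDenyNetworkLogonRight = *S-1-1-0,*S-1-5-32-546,*S-1-5-32-544

secedit /configure /db "%SDB%" /cfg "%INF%" /areas SECURITYPOLICY USER_RIGHTS /log "%TEMP%\harden.log"

rem Verify: "net accounts" prints the lockout threshold, duration and
rem observation window that were just applied.
net accounts
```

The redirection is written before each `echo` on purpose: a line such as `echo ...=4,2>>file` would make cmd treat `2>>` as a redirection of the error stream and silently drop the trailing digit. Keep the generated harden.inf; running `secedit /analyze` against it later tells you whether anything has drifted from these settings.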

ENCRYPTING FILE SYSTEM (EFS)

You can set up your NTFS drives for automatic encryption of files. I don't go into this here as this is really only useful if you think someone is going to physically access your computer, such as booting up from a floppy and reading your files. If someone gets access to your Administrator account, it doesn't matter if the files are encrypted or not.

CONFIGURE WINDOWS EXPLORER TO SHOW EXTENSIONS

This helps prevent you from running dangerous programs that you might have downloaded by mistake, such as Registry files or .VBS files.

Windows Explorer -> Tools -> Folder Options -> View -> UNclick "Hide file extensions for known file types".

EMAIL

You should turn off your email's ability to automatically run programs. Some can run just by viewing the mail, without opening any attachments (although the latest patches to Express are designed to avoid this from happening by giving you a warning box). To do this in Outlook or Outlook Express, refer to:

http://www.microsoft.com/technet/security/crsstQS.asp

It's a little easier in Eudora and Netscape. In Eudora, go to Tools -> options -> Viewing Mail. Uncheck "Allow executables in html content".

In Netscape Navigator, go to Edit -> Preferences -> Advanced. Deselect the option "Enable Javascript for mail and news".

DISABLE AUTOMATIC RUNNING OF .REG FILES

If a file with the extension .reg is run, the registry is changed (provided the user has access to the registry). This is a good way for trojans to do nasty things to your computer. A nifty trick is to change the file association for the .REG extension. This prevents (for example) a malicious Web site from inserting new keys into your registry while you are browsing the Web.

To do this, you need to have a reg file you can play with. If you don't, go into Wordpad and save a sample file as sample.reg, or rename a file you don't need to *.reg. In Windows Explorer, right-click on the file, and select Properties. In the section of the box that says "Type of file:", hit Change, select Wordpad, and hit OK twice. Wordpad is good because when *.reg files are run, it will open Wordpad and actually show you the code that would have run, instead of running Regedit and executing it. The fastest way to actually run reg files is to right-click on the file, go to "Open With", choose "Other", go into the /WinNT folder, and choose Regedit.

REMOVE THE OS/2 and POSIX SUBSYSTEMS

These systems are only installed so Microsoft can sell the OS to the government. No one else really needs them (if you do, you should know). There are no known security problems with having these installed, but as with any operation running on your computer, if you don't need it, it might be better not to have it run in case a future exploit is found. This will clear up a little bit of system resources too.

Using Regedit, perform the following changes to the listed keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT -- Delete all sub keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment -- Delete the value for Os2LibPath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems -- Delete the value for Optional
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems -- Delete entries for Posix and OS/2

Delete the \winnt\system32\os2 directory and all its subdirectories.
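The registry edits from the SHARING section and from this OS/2 and POSIX section are the kind of thing a .reg file does well, and once the .reg association has been changed to Wordpad (as described above) you can still import one silently with `regedit /s`. The batch file below is an added example, not part of the original post: it writes the .reg file, imports it, and removes the os2 directory. It assumes you are logged on as an Administrator; it goes slightly beyond the post in two places, both labelled in the comments: it also sets AutoShareWks, which is the value the Server service reads on Windows 2000 Professional (AutoShareServer is the one read on Server), and it deletes the whole "OS/2 Subsystem for NT" key rather than its subkeys one by one.

```batch
@echo off
rem Added example, not part of the original post: apply the SHARING and
rem OS/2-POSIX registry changes from a generated .reg file.
rem Assumptions: run as an Administrator; regedit /s is used directly so
rem the Wordpad association for .reg files does not get in the way.
set REG=%TEMP%\harden.reg

> "%REG%" echo REGEDIT4
>> "%REG%" echo.
rem SHARING: keep the Server service from re-creating the administrative
rem shares (C$, ADMIN$, ...) at boot. AutoShareWks is the value read on
rem Windows 2000 Professional; AutoShareServer is the one from the post.
>> "%REG%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
>> "%REG%" echo "AutoShareServer"=dword:00000000
>> "%REG%" echo "AutoShareWks"=dword:00000000
>> "%REG%" echo.
rem OS/2 and POSIX. In .reg syntax a leading "-" on a key name deletes the
rem key with everything under it (here: the whole subsystem key, which
rem covers "delete all sub keys"), and "name"=- deletes a single value.
>> "%REG%" echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT]
>> "%REG%" echo.
>> "%REG%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
>> "%REG%" echo "Os2LibPath"=-
>> "%REG%" echo.
>> "%REG%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
>> "%REG%" echo "Optional"=-
>> "%REG%" echo "Os2"=-
>> "%REG%" echo "Posix"=-

rem Import silently (no confirmation dialog), then remove the OS/2 files.
regedit /s "%REG%"
if exist "%SystemRoot%\system32\os2" rmdir /s /q "%SystemRoot%\system32\os2"

rem Check: this should now show no C$ / ADMIN$ shares after a restart,
rem since the Server service only re-reads its parameters when it starts.
net share
```

Open the generated harden.reg in Wordpad before importing it if you want to see exactly what will change; that is the same inspection step the .REG association trick above gives you for files from elsewhere.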