Windows XP Screenshots, walkthru's & Tutorials.


Securing tips: Windows 2000 / XP

These settings can be used with both Windows 2000 and Windows XP to *really* secure the system and also boost its performance. Depending on your version and whether it is Win2k or XP, you might notice that some of the features/options aren't there. Just skip them and move on until you hit something that IS on YOUR Windows 2k/XP. The "best" option of all is to have Windows XP Professional, since the screenshots are from Windows XP Professional.

Windows XP offers pretty good security features, but only if you know how to use them. By default, Windows XP is clumsy and has many possible security holes due to its poor default settings. If you use Windows XP Pro, you can really make your computer a fortress against almost any invader. The built-in EFS (Encrypting File System on NTFS), strong authentication methods, etc. give you good tools for it. Home Edition does not have all these features, but you can always implement your own according to these guidelines. These principles are designed ONLY for single-user "home" computers (standalone), NOT for computers in, let's say, corporate networks! On standalone computers you can and should fill every hole possible, but in a corporate environment the whole point is to allow computers to be used via the corporate network or intranet. You can still take suggestions and clues from here and implement them properly if you are installing or using Windows 2k/XP in a corporate environment or are using multiple user accounts.


Getting started

During the installation, you are prompted whether you want to use NTFS or FAT. Now this is a tough decision... If you are using Home Edition, there is really no reason to use NTFS: it is a slightly better file system than FAT32, but it has "alternate data streams" and other privacy considerations... and since you can't use EFS in Home Edition, I would suggest using FAT32 and PGPdisk. If you are using the Windows XP Pro version, then you should move to NTFS.

There is very little reason to use NTFS/EFS on a Win2k standalone installation, since it does not offer real protection in Windows 2000. It is possible to reset the administrator's passphrase (even with Syskey enabled and stored on a floppy) and log in as admin. This can be done by simply booting the computer into another operating system, deleting the SAM file and manipulating the registry so that Windows does not ask for the Syskey during startup. If Syskey is not present, resetting the administrator's passphrase is much easier. The Administrator can do many things and is the default recovery agent of EFS.

In theory, it *is* possible in standalone Windows 2000 to have secure EFS, but it is very, very, very complicated to achieve. In theory, by exporting the administrator's recovery certificate or designating some other recovery agent AND setting Syskey to a passphrase or floppy, it *might* be possible to prevent anyone from reading EFS-encrypted files. It is always possible to log in as administrator, but if the administrator does not have the recovery keys, he can't decrypt EFS files... And since Syskey *prevents* tampering with the other accounts, it is in *theory* safe (if the hacker deletes the SAM file, then the other accounts lose their vital piece of information and can't be used, and therefore he can't get access to the private key). But in practice... well... who really knows? I STRONGLY recommend not using EFS in Windows 2000 unless the computer is part of a domain, the settings/security policies are good, the actual computer where the certificates are stored is in a safe place so nobody can get physical access to it, and the Syskey for each computer is stored as a passphrase or on a floppy. Use PGPdisk instead and you don't have to worry about these kinds of issues with Windows 2000!

Additional points:

Before you do anything else... UPDATE!!! There are plenty of dangerous holes in Windows 2k/XP, so open Windows Update with your Internet Explorer and update your version of Windows NOW!

There are plenty of automated and potentially privacy-problematic features in Windows XP. There is only one good program for controlling and disabling most of them with the click of a button: it is called XP-Antispy. I strongly recommend you run it.

You should use strong passphrases, over 14 characters long. Remember to log in as Administrator (not just userX who is a member of the group called "Administrators") and set the Administrator's passphrase too! Even if you have disabled the Guest account, I still suggest you put a good passphrase on it... just to be sure!

Create a password reset disk for your account(s) and store it in a SAFE place, because if you forget that passphrase, you are in trouble... You can't log in, and there is no way you can decrypt your EFS-encrypted files (unless you use Windows 2000, where it is always possible to decrypt EFS-encrypted files, although very difficult). You can create this disk from Control Panel / User Accounts / [select the user] / Prevent forgotten password. You need one formatted floppy.

Don't use Windows XP's "firewall" (Internet Connection Firewall). It is not a real firewall, it is just an inbound port blocker.

NTFS has alternate data streams, which means that information can be hidden on your HDD without your knowledge or permission. One way to use alternate data streams is to put a trojan horse on your computer and hide it in an alternate data stream. This is a serious security issue.

If you are serious about security, don't use NTFS and EFS. PGP is better researched and does not have any backdoors planted, in one form or another. We can't know for sure about EFS: although EFS itself is well documented, the Windows that "runs it" isn't. In Windows 2000 Microsoft totally blew the idea of EFS by implementing it so poorly that (in the default configuration) all the hacker had to do was change the user's passphrase (easily done with a third-party boot diskette and program) and then use that altered passphrase and username to log in and... bingo: EFS was wide open, because access to the private key was allowed! This has been fixed in Windows XP: while it is still possible to manipulate (not read in plaintext form!) the passphrases and that way get access to the system (unless Syskey is used and is passphrase protected or stored on a floppy), the hacker cannot access EFS-encrypted files, since the private key is encrypted using the "real", salted passphrase of the user. Resetting the original user passphrase one way or the other results in the private key still being encrypted. Also, it is unclear whether the hacker can even log in as Administrator by deleting the SAM file in Windows XP as he can in Windows 2000. Anyway, the point is that Microsoft is not very famous for its security implementations, and the faults they made with Win2k EFS make me seriously doubt their ability to do anything right.

Before you start implementing what I have down here, put your other settings in order, like network settings, themes, etc. This is because some of these settings prevent you from altering those other settings. If you want to alter them later, get back to these settings and enable/disable/alter the proper setting.

Warnings!
Before you do ANY alterations to your system... As said earlier, these settings work like a dream for me and for most 2k/XP users too, but not for all of them. The best option would be to either make an "image" of your C: drive or write down your original settings before you start implementing these settings. The problems that might occur are mostly related to network connections / internet access. You can also troubleshoot the problems using Windows Help and Support while going through the settings to see what perhaps needs to be enabled.

And if the worst happens... and you just can't revert the changes you made, run a "repair install" using your Win2k/XP CD-ROM. It will keep all the programs etc. but restore the regular settings. Remember to update and patch your software after this "repair install".


Network - let's secure it first

This example is about when you are using a LAN-based connection, but it pretty much applies to other connections as well. As you can see from the first picture, I have disabled Client for Microsoft Networks and other stuff as well... because I don't need them! Try out whether you need them or not, and if you don't... rip them off! The second picture is about disabling NetBIOS, which is something you should REALLY consider doing too, due to the security vulnerabilities that may arise from it. Again, if your connection doesn't work, restore it the way it was. There is no reason to keep anything in here you don't need. You may need to reboot to apply the changes.

Also, we can tweak your connection a bit to give it some protection against DoS attacks in Windows 2000. Open up your registry editor (regedit) and set the following values:
HKLM/SYSTEM/CurrentControlSet/Services...
- Tcpip/Parameters/SynAttackProtect (value 2 gives the best protection but might cause some problems with connections)
- Tcpip/Parameters/EnableDeadGWDetect (value 0 makes sure an attacker cannot force you to move onto his chosen gateway)
- Tcpip/Parameters/EnablePMTUDiscovery (value 0 makes sure that 576-byte Maximum Transmission Units are always used, which makes it harder for an attacker to DoS the system)
- Tcpip/Parameters/KeepAliveTime (value 300000 is recommended)
- Tcpip/Parameters/Interfaces//NoNameReleaseOnDemand (value 0 protects against name release attacks)
- Tcpip/Parameters/Interfaces//PerformRouterDiscovery (value 0 prevents spoofing)
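As an added example (not from the original page and not a Microsoft script), here are the same values applied from a batch file with reg.exe, which Windows XP ships with (on Windows 2000 it comes with the Support Tools). The key paths are the full forms of the abbreviations above; the location and value of NoNameReleaseOnDemand follow Microsoft's TCP/IP hardening documentation (NetBT\Parameters, value 1) rather than the list above.

```batch
@echo off
rem Added example, not from the original page: applies the DoS-hardening values
rem listed above with reg.exe. Run from an Administrator command prompt, then reboot.
set TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
set NETBT=HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

rem SYN flood protection: 2 is the strongest setting, but as noted above it can
rem interfere with some connections (fall back to 1 if that happens)
reg add %TCPIP% /v SynAttackProtect /t REG_DWORD /d 2 /f
rem Do not let an attacker force the host onto a gateway of his choosing
reg add %TCPIP% /v EnableDeadGWDetect /t REG_DWORD /d 0 /f
rem Always use the 576-byte MTU instead of discovering the path MTU
reg add %TCPIP% /v EnablePMTUDiscovery /t REG_DWORD /d 0 /f
rem Keep-alive interval in milliseconds (300000 = 5 minutes)
reg add %TCPIP% /v KeepAliveTime /t REG_DWORD /d 300000 /f
rem Name-release attacks: Microsoft's TCP/IP hardening documentation keeps this
rem value under NetBT\Parameters, with 1 meaning "ignore name-release requests"
reg add %NETBT% /v NoNameReleaseOnDemand /t REG_DWORD /d 1 /f

rem PerformRouterDiscovery is stored per interface, so walk every {GUID} subkey
rem (findstr keeps only the subkey lines of the reg query listing)
for /f "delims=" %%K in ('reg query %TCPIP%\Interfaces ^| findstr /l "{"') do (
    reg add "%%K" /v PerformRouterDiscovery /t REG_DWORD /d 0 /f
)

rem Audit: read the values back so you can confirm what was actually written
reg query %TCPIP% /v SynAttackProtect
reg query %TCPIP% /v EnableDeadGWDetect
reg query %TCPIP% /v EnablePMTUDiscovery
reg query %TCPIP% /v KeepAliveTime
reg query %NETBT% /v NoNameReleaseOnDemand
```

Keep the audit output from before and after the change with your written-down original settings, so the values can be restored if a connection stops working.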

Security settings
Now, go to "Administrative Tools" and "Local Security Policy". These are the very heart of Windows 2k/XP security settings! Here you should enforce password security, enable strong crypto and so on. You can also disable the Guest account, which is recommended. Again, these security guidelines are based on the NSA security guidelines for Windows 2000, but I have added a few tweaks and made them a bit more compatible with Windows XP. If you are not running a server or anything, then these are just fine for you.

Please note that if you have multiple user accounts, you might need to add those accounts to the security settings too in order to be able to use them. Be very careful, however, about what you allow others than administrators to do on your system.

Services - what about them?
Then it's time to rip off some services: go to "Administrative Tools" / "Services". Please note that if you are using some "weird" network systems like ICS or similar, you should check the "dependencies" of each of the items you disable, or your internet connection might freeze. If it happens, you can also try to enable services one by one to see what caused it. By default, Windows 2k/XP has DOZENS of services set to start. 80% of them are useless for normal users and usage and not only can but also should be disabled for security and performance reasons. There is no reason to have "Remote Registry" or "Telnet" running! They are like invitations for hackers to test and perhaps breach your system. Then there are annoying services like "Indexing Service", which creates a log file of the files on your computer and stores it in the "\System Volume Information" directory.

Please note that if you are using a DSL connection or similar, you might need to set services like "Remote Access Auto Connection Manager" and "Remote Access Connection Manager" to "Automatic". Again, I recommend consulting Viper's pages about these services if you want more information about them and how to solve problems related to them.
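As an added example, not from the original page, the three services named above disabled from a batch file with sc.exe (included in Windows XP; on Windows 2000 it ships in the Resource Kit). It lists each service's dependents before touching it, as the text recommends. The short service names RemoteRegistry, TlntSvr and CISVC are the ones those three services register under.

```batch
@echo off
rem Added example, not from the original page: stops and disables the services
rem named above. Run from an Administrator command prompt.
rem Short names assumed here: RemoteRegistry (Remote Registry), TlntSvr (Telnet),
rem CISVC (Indexing Service).
for %%S in (RemoteRegistry TlntSvr CISVC) do call :disable %%S
goto :eof

:disable
echo === %1 ===
rem Anything listed here will break once %1 is gone; if your connection depends
rem on it, leave the service alone
sc enumdepend %1
rem Stop it now (harmless if already stopped) and keep it from starting again.
rem Note the space after "start=": sc.exe requires it.
sc stop %1
sc config %1 start= disabled
rem Confirm the new start type (expect "4  DISABLED")
sc qc %1 | findstr /i "START_TYPE"
goto :eof
```

To put a service back, the same script with `start= auto` (or `start= demand` for Manual) followed by `sc start` reverses the change.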

EFS certificate
If something bad happens, like you have to reformat your partition / reinstall Windows or similar, you can still decrypt your files (unless you formatted the partition where the files were, of course) if you have exported your EFS certificate to a safe place. The exported certificate can and should be passphrase protected, but honestly, I don't believe the passphrase protection on it is any good... I recommend that you instead use PGP to create a self-decrypting archive from it and use a good passphrase to protect it. Then all you need to do is import that certificate and you can decrypt the files again.

Run "mmc.exe" and add a snap-in called "Certificates". Then select your certificate and export it. Remember to include the private key in the export and DO NOT delete the private key if the export was successful!

Syskey etc.
Let's set up Syskey to make it a bit more difficult for anyone else to start your computer [run "syskey.exe" and press "Update"]. Syskey encrypts the SAM database. Nobody can try to break your Windows passphrases if you have Syskey set to diskette or password protected... but again, remember that it is not needed to boot the computer as administrator in Win2k. You might consider not using the floppy disk, but I recommend you do. On the floppy disk there is then a file called "StartKey.key"... you can copy it to any floppy you want. I suggest you make at least one backup copy of it. Then we should also disable remote connections / assistance [Control Panel / System]. If you need them, you can always turn them on later.

Message from the Salty one:
If you have any questions/comments/suggestions or you would like to contribute to NeoTech, email me at SaltyNetGuru@NeoTechCC.org or AIM me at SaltyNetGuru.
