Windows Security



Easy step-by-step guide on how to secure Windows:
www.microsoft.com/security/protect


Common Sense

1. Create a Stronger Password Policy
When was the last time the administrator password was changed?
2. Lock Down Remote Administration
If you need to administer a server remotely, that doesn't mean allowing that access to others. Where possible, use IPSec or other protected communications. You can also block access to the ports your remote administration programs require, and then allow access to those ports only from designated administrative workstations. Not every server must be managed this way: require that computers with sensitive roles or data be administered from the console only, and enforce that by preventing administrative accounts from accessing the computer across the network (the "Deny access to this computer from the network" user right).
3. Lock Down Administrative Workstations
Designate certain workstations as administrative workstations and harden them as much as you can. Start by putting them in a secured area, reinstalling the operating system and adding the latest service pack and security patches (do this off the network). Use IPSec or a personal firewall to control what goes in and out, and use software restriction policies to prevent the use of non-approved software. Use the workstations for administration only: no playing Solitaire, no e-mail.
4. Physically Secure All Systems
-Do you use a cable lock for your laptop when moving around with it, even in your own building?
-When you travel, do you leave it unlocked in the hotel room?
-What data is on the hard drive?
-Remember that with most laptops, the hard drive can be removed even if the computer is cable locked. The data is what the attacker wants anyway.
-What about your PDA? What's on it that would be damaging if lost?
-If your computer is a desktop, who can physically access it?
-Can it be stolen? The hard drive removed?
-Don't make it easy for thieves: all they need to do is insert a CD-ROM with malicious code on it, or plug in a USB storage device (even one disguised as a wristwatch) to copy data off.
-Keep ALL servers locked up, with controlled access.
-Remove CD-ROM and floppy drives and disable or restrict USB on computers in public areas.
-Don't allow tailgating, where someone follows an authorized person into the data center.
-Teach security guards to look for contraband (even camera phones).
5. Learn To Shut Your Mouth
It's not rude to refuse to talk about issues that might compromise security; it's good practice. It's one thing to share a security-hardening tip or to alert someone to a bad practice that can be corrected. It's another to publish sensitive information on your Web servers where anyone can find it. Be aware of what you're telling people. What would your staff reveal on the phone if tricked by someone impersonating you? E-mail addresses and logon names should be different, so that one doesn't give away the other.

Patching a poor configuration is useless until you add the first layer of security to your operating system: Locking down the operating system is the start of any deployment. After your operating system is secure, verify that your server isn't listening on any ports that aren't integral to its day-to-day operation and block all nonessential traffic from the Internet to your system. Security is a layered approach, and this list is by no means complete. But it's a start to hardening Internet-exposed servers.

The above was paraphrased from a Roberta Bragg (Roberta.Bragg@mcpmag.com) weekly security email
1) View shares on a computer
At a command prompt type:
net view \\computername
or
net view \\IP-address
2) Connect to a share with a user name and password
At a command prompt type:
net use \\servername\share password /user:domain\username
(add a drive letter, e.g. net use X: \\servername\share ..., if you want a mapped drive)
3) Null sessions
A null session lets you see network resources without a logon, using the IPC$ system share:
net use \\computername\IPC$ "" /user:""
After that, net view \\computername and the usual enumeration tools list shares, users and groups.
To stop this, use the following registry change:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Add a REG_DWORD named RestrictAnonymous with a value of 1. This stops enumeration of accounts and shares; a value of 2 (Windows 2000 and later) refuses the null session altogether but can break trusts and downlevel clients, see item 28.
4) NT 4 path spoofing example
1) Copy c:\winnt\system32\cmd.exe to the root directory (C:\)
2) Rename the copy in the root to explorer (so it becomes C:\explorer.exe)
3) Don't type the extension (.exe) if extensions are hidden, or you'll end up with explorer.exe.exe
4) Log off and log back on; you should get only a command-prompt window instead of the desktop, because the Shell value names Explorer.exe without a full path and C:\explorer.exe is found before C:\winnt\explorer.exe
5) To exit this, type c:\winnt\explorer.exe
6) Delete explorer.exe from the root of C:
The lesson: fully qualify the Shell value, and don't give ordinary users write access to the root of the system drive.
5) To disable the LANMAN protocol
See MS Knowledge Base Q147706. LM authentication is the weakest of the three: the LM hash is built from the password uppercased and split into two 7-character halves, each used as a 56-bit DES key, so it cracks quickly. NTLM hashes the case-sensitive Unicode password with MD4 (128-bit), and NTLMv2 adds an HMAC-MD5 challenge-response. If you disable LM, only NT 4.0 and later clients can connect (Windows 9x needs the Directory Services Client to speak NTLMv2).
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Add a REG_DWORD named LMCompatibilityLevel and give it a value of 0-5 (3-5 need NT 4.0 SP4 or later):
  0 - send LM and NTLM responses
  1 - send LM and NTLM; use NTLMv2 session security if the server supports it
  2 - send NTLM only, never LM
  3 - send NTLMv2 only
  4 - as 3, and domain controllers refuse LM authentication
  5 - as 3, and domain controllers refuse LM and NTLM, accepting only NTLMv2
- On Windows 2000 and higher this can also be set in Group Policy (Security Options, "LAN Manager authentication level")
6) Where is the SAM stored - four locations
1) C:\Winnt\System32\Config
2) Emergency Repair Disk (do not leave it on your desk)
3) C:\Winnt\Repair (the copy written by rdisk /s)
4) Backup tapes (make sure they are offsite and in a secure location, such as a data fireproof safe)
7) NTFS file & share permissions
Share-level permissions are cumulative (the union of everything granted to the user and the user's groups), except that an explicit Deny wins.
File-level (NTFS) permissions are cumulative in the same way, again except for Deny.
When a share is accessed over the network, the effective access is the more restrictive of the two cumulative results; at the console only the NTFS permissions apply.
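The combination rule above, as an added example in Python (not code from the original page): each layer is the union of its Allow entries minus its Deny entries, and a network access is the intersection of the two layers. The users, groups and ACLs in demo() are constructed for illustration.

```python
"""Model of how Windows combines share and NTFS permissions (added example)."""
from dataclasses import dataclass

# Simplified rights vocabulary; "full control" is all four.
READ = frozenset({"read"})
CHANGE = frozenset({"read", "write", "delete"})          # share "Change" / NTFS "Modify"
FULL = frozenset({"read", "write", "delete", "change_permissions"})


@dataclass(frozen=True)
class Ace:
    """One access control entry: a trustee (user or group), rights, allow or deny."""
    trustee: str
    rights: frozenset
    allow: bool = True


def cumulative(aces, principals):
    """Union of all Allow rights for any of the user's identities, minus any Deny.

    This is the per-layer rule: permissions are cumulative except that Deny wins.
    """
    allowed, denied = set(), set()
    for ace in aces:
        if ace.trustee in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def effective_access(ntfs_aces, share_aces, principals, over_network=True):
    """Effective rights for a user whose token contains `principals`.

    Over the network the result is the intersection of the two cumulative
    results (the more restrictive of the two). At the console only NTFS applies.
    """
    ntfs = cumulative(ntfs_aces, principals)
    if not over_network:
        return ntfs
    return ntfs & cumulative(share_aces, principals)


def demo():
    """Constructed scenario; the names are illustrative, not from the page."""
    ntfs = [
        Ace("Everyone", READ),
        Ace("Sales", CHANGE),
        Ace("Temps", frozenset({"write", "delete"}), allow=False),  # explicit Deny
    ]
    share = [Ace("Everyone", READ)]                 # share permissions: Everyone = Read
    alice = {"alice", "Sales", "Everyone", "Authenticated Users"}
    bob = {"bob", "Sales", "Temps", "Everyone", "Authenticated Users"}
    return {
        "alice_console": effective_access(ntfs, share, alice, over_network=False),
        "alice_network": effective_access(ntfs, share, alice),
        "bob_console": effective_access(ntfs, share, bob, over_network=False),
        "bob_network": effective_access(ntfs, share, bob),
    }


if __name__ == "__main__":
    for who, rights in demo().items():
        print(f"{who:14s} -> {sorted(rights) or ['no access']}")
```

Alice gets Modify at the console but only Read over the network, because the share grants Everyone nothing more than Read; Bob's Deny on Temps strips write and delete even though Sales grants them.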
8) Disable unnecessary file sharing
Unless absolutely necessary, remove the hidden drive-letter and remote admin shares (ADMIN$, C$, D$, etc.). To remove these admin shares permanently:
1) Start the registry editor
2) Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
3) Set the REG_DWORD AutoShareServer (AutoShareWks on a workstation) to 0.
This permanently disables all automatic hidden shares (IPC$ is not affected). Some network software and management tools may not work!!
9) Win2K server security by changing user or group rights
1. Access this computer from the network - remove the Everyone group and replace it with a more restrictive group, such as Authenticated Users (some software may not work anymore!! and see item 29 before doing this on a domain controller).
2. Bypass traverse checking - remove the Everyone group and replace it with Authenticated Users.
3. Create permanent shared objects - replace with the Administrators group only.
4. Log on locally - replace with Administrators, listed by user name, plus the service accounts that need it. I recommend listing by user name because this creates an additional check in case a rogue user tries to gain console access with a tool that escalates the user's privileges to Administrator.
5. Shut down the system - replace with the Administrators group only.

10) Auditing servers: issues to look at
Synchronize your clocks and enable auditing. If you're going to compare logs from different systems after a security incident, all of your systems must have the same time (use the domain's time service or an NTP source). Audit all event categories except process tracking, for both success and failure, with one exception:
* Object access: failure only. You also need to specify which folders and registry keys to audit by setting auditing entries on them; without those, object access auditing records nothing.

11) Set and enforce strict file-level and registry permissions
Go through your directories and verify that only specific groups have access to the information contained within them. Restrict anonymous users from enumerating accounts and reading the registry. This can be done with a registry value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous (REG_DWORD)
or via Group Policy:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Additional restrictions for anonymous connections
The values for the registry value or the Group Policy setting are:
0 = None. Rely on default permissions.
1 = Do not allow enumeration of SAM accounts and shares.
2 = No access without explicit anonymous permissions.

12) Minimize your servers' exposure to denial of service attacks
Windows 2000 lets you adjust the TCP/IP parameters to gain greater control over connection state. Take advantage of this by adding these REG_DWORD values under the following key:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
1. SynAttackProtect = 2. Once the half-open thresholds below are exceeded, the stack retransmits SYN-ACKs fewer times and delays allocating the full connection object until the three-way handshake completes, so a flood of SYNs can't exhaust the connection table.
2. TcpMaxHalfOpen = 500. The number of half-open TCP connections allowed before SYN attack protection kicks in (TcpMaxHalfOpenRetried, typically 400, is the companion threshold for half-open connections that have already had a SYN-ACK retransmitted).
3. EnablePMTUDiscovery = 0. Uses a fixed 576-byte MTU for connections to non-local hosts instead of discovering the path MTU, so an attacker can't force the server into sending tiny packets.
4. NoNameReleaseOnDemand = 1, under HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters. Makes the server ignore NetBIOS name-release requests from other hosts, so an attacker can't make it give up its name.
5. EnableDeadGWDetect = 0. Prevents the server from switching to a backup gateway under pressure, which an attacker could use to route its traffic through a gateway they control.
6. EnableICMPRedirect = 0. Prevents an external host from modifying the server's routing table with ICMP redirects.
7. DisableIPSourceRouting = 2. Drops all incoming source-routed packets (a value of 1 only stops the server forwarding them).
13) Lock down IE from typing a drive path
If you don't want users typing \\computername or c:\directory into Internet Explorer's address bar, go to this registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Then set the NoRun DWORD value to 1 (this also removes the Run command from the Start menu).
MS Knowledge Base Q179221
14) Stop automatic Plug and Play device installation
Windows 2000/XP Plug and Play device installation allows any user to plug in a USB storage device and use it without your approval or knowledge. People can take data out of the company on USB storage devices. This is a big threat to your workstation security plan.
You can't control or regulate USB installation by using Group Policy on these versions.
One solution is to move the Driver.cab file found in the Winnt\Driver Cache\i386 directory to a location that users can't access (restrict it with NTFS permissions to administrators). Using the administrator profile's logon and logoff scripts, you could create a script that copies these files back into place when an administrator logs on and deletes them again at logoff. Note that this only blocks the first installation of a device class: once usbstor.sys has been installed, later USB storage devices no longer need Driver.cab, so combine it with item 26 (read-only USB storage).
Note on IPSec default exemptions: by default the Windows 2000 IPSec driver exempts Kerberos (TCP/UDP 88) and IKE (UDP 500) traffic from its filters, so a block-all IPSec policy still leaves port 88 open, and TCP/IP filtering on the Advanced tab of the TCP/IP properties doesn't change this. To remove the Kerberos exemption, set:
HKLM\SYSTEM\CurrentControlSet\Services\IPSEC
NoDefaultExempt = 1 (REG_DWORD; IKE stays exempt because IPSec itself needs it)
15) False security assumptions about work-from-home personal computers
· Do not allow unmanaged and unsecured systems to connect to the enterprise's VPN.
· Warn employees about leaving unprotected personal and business data on PCs turned in for service. Encourage users to use system passwords and file encryption.
· Warn users of the danger of downloading file-sharing and remote-control programs onto personal systems. For company-owned workstations, block the installation of such programs.
· Prohibit the use of home wireless LANs for work-connected systems. Where they can't be avoided, home wireless LANs should be configured with WPA2 and a strong passphrase (WEP, even 128-bit, is broken and can be cracked in minutes), and users should be required to log in with unique IDs from each of their systems. MAC address filtering and static addresses instead of DHCP add only a little, since both are easy for an attacker to observe and copy.
· Do not allow LAN-to-LAN VPN tunnels to be created between enterprise and home networks.
· Consider thin-client computing solutions, which minimize the risk of data exposure on non-enterprise-owned systems.

16) What software restriction policies in Group Policy don't do
1) Drivers and other kernel-mode software still run
2) Programs run by the SYSTEM account still run
3) Macros in Microsoft Office 2000 or Office XP documents are not restricted (manage macros with the Office macro security settings)
4) Programs written for the common language runtime aren't restricted (they use Code Access Security policy instead)
5) Members of the local Administrators group aren't affected if the enforcement option is set to "All users except local administrators" (the default applies to all users, so check it)
6) DLLs aren't treated as executables unless the enforcement option is changed to include them, so a DLL must be explicitly restricted
18) Hide your internet surfing tracks
Launch Internet Explorer and choose Tools | Internet Options. Then, select the General tab. Change the value in the Days To Keep Pages In History text box to 0, so that IE doesn't keep track of the Web sites you're visiting. Next, select the Advanced tab, scroll down and select the Empty Temporary Internet Files When Browser Is Closed check box. Click OK and restart IE for the changes to take place.
19) Finding wireless connections on the road or in the office
NetStumbler lets users investigate a wireless LAN's security; security administrators can use it to test their own sites.
www.netstumbler.com War driving!!! Note that in many places it is against the law to have a computer screen on in the front seat while you are driving.
20) Event Log Query Tool
Event Log Query Tool (elogdmp) is an automated tool for examining event logs, available in the Microsoft Windows Server Resource Kit. The tool dumps an event-log summary to the screen. You can then search the output for particular keywords or pipe it into a batch file for processing.
Elogdmp's syntax is: elogdmp
21) Disable LM hashes
To disable the storage of LM hashes of users' passwords (as mentioned on the NT / 2000 / 2003 pages): on Windows 2000 SP2 and later, create a subkey named NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; on Windows XP and Windows Server 2003, create a REG_DWORD value NoLMHash = 1 under that same Lsa key, or enable the Group Policy setting "Network security: Do not store LAN Manager hash value on next password change". Keep in mind that these changes won't take effect until each user changes his or her password and Windows creates a new hash, so force a password change to flush the old LM hashes.
22) SECURE A MYSQL DATABASE
The first step to building a secure MySQL database is applying a basic security principle that's applicable to every process a remote user invokes.
This principle is "define and confine."
DEFINE YOUR USERS
First, define a new user group and a user dedicated solely to running the database processes.
For Windows 2000 Server or Windows Server 2003 systems, follow these steps:
1. Go to Start > Settings > Control Panel.
2. Double-click Administrative Tools, and double-click Computer Management.
3. Expand Local Users And Groups.
4. Right-click Groups, and select New Group.
5. Create the MySQL group.
6. Right-click Users, and select New User.
7. Create the MySQL user, and give it a complex password that won't expire and that the user can't change.
8. After creating the MySQL user, open the account's properties, add it as a member of the MySQL group, and remove its membership from the Users group.
9. Close Computer Management, and double-click Local Security Policy.
10. Expand Local Policies, and select User Rights Assignment.
11. Double-click Access This Computer From The Network, and add the MySQL group (only if the database account must reach resources on other machines; clients connecting to port 3306 don't need the service account to hold this right, so otherwise leave it out).
12. Double-click Log On As A Batch Job, and add the MySQL group. If you install MySQL as a Windows service running under this account, the account needs Log On As A Service instead (the Services console grants it when you set the account on the service).
Running these processes under a dedicated user is essential so you can confine your database processes. If the service is compromised through an unpatched vulnerability, this minimizes the exposure of the rest of your system.
CONFINE YOUR USERS
Follow the installation instructions, and install the database on a separate drive from your system drive (typically C:). On the installation directory, remove the Everyone group, add the MySQL group, and give it full control of the directory structure.
If your database is colocated with your Web server and only local applications talk to it, block TCP port 3306 at the firewall and also tell MySQL not to listen on the network (skip-networking, or bind-address=127.0.0.1, in my.ini). This eliminates direct attacks from remote connections.

23) Disable Internet Explorer
Remove users' ability to browse with IE by adding a fake proxy server to the Internet settings.
1. In IE, go to Tools, then Internet Options.
2. On the Connections tab, click the LAN Settings button.
3. In the resulting dialog box, select the following check box in the Proxy Server section: Use a Proxy Server For Your LAN
(These Settings Will Not Apply To Dial-up Or VPN Connections).
4. Enter 0.0.0.0 in the Address text box.
5. Enter 80 in the Port text box, and click OK.
You should also restrict the Internet settings and lock the user out of them with Group Policy; otherwise the user can simply clear the proxy setting again.
24) Wireless access point detector
Kingston wireless access point detector: retailing for less than $35, it's a small, thin plastic box with a red light, a green light and an "On" button. War driving, here we go.
25) Automating the RunAs command
MakeMeAdmin is a command-line script for Windows that can help you run applications in a more privileged security context. It automates the process of using the RunAs command to elevate your privileges. The script performs three actions: it adds your current user account to the local Administrators group, launches a command shell and any other application you want to run, and removes your account from the local Administrators group.
www.speakeasy.org/MakeMeAdmin
Running day to day with an administrative account is dangerous to the health of your computer and your data. Do you really need to browse the Web, read e-mail, or use instant messaging in an administrative context? Use MakeMeAdmin (or RunAs) only for the tasks that need it.
msdn.microsoft.com/secure11152004.asp
26) Stop USB storage key data theft (make them read-only)
Windows XP Service Pack 2 (SP2) lets you make USB storage devices read-only, stopping data from leaving your company via a USB key.
To configure USB storage for read-only, perform the following steps:
1. Launch the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
3. There should be a subkey called StorageDevicePolicies. If not, create it.
4. In the StorageDevicePolicies key, create a REG_DWORD value called WriteProtect.
5. Set the data value of WriteProtect to 1.
6. To re-enable read/write over USB, set the value to 0.
7. Exit the editor. Note that a user who is a local administrator can simply set it back to 0, so this only helps where users run without administrative rights.
27) The best way of assigning permissions to users and groups
In general, the best way to assign permissions is by performing the following steps:
1. Assign user accounts to global groups within the user's domain.
2. Place global groups from any domain into universal groups.
3. Place universal groups into domain local groups on the domain controllers (DCs), and place local groups on member servers and workstations.
4. Assign permissions to the domain local groups or local groups as necessary to access the network resources.
One advantage of establishing this hierarchy is that universal group memberships are unlikely to change because they contain only global groups. A good way to remember this hierarchy is to use the following mnemonic device:
All Good Users Do Love Permissions
All-- Accounts are placed in global groups.
Good -- Global groups are placed in universal groups.
Users -- Universal groups are placed in domain local groups.
Do Love Permissions -- Domain Local groups are assigned Permissions.
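The AGULP chain above, as an added example in Python (not code from the original page): a small in-memory stand-in for the directory that enforces which scopes may contain which objects, resolves nested membership transitively, and computes the rights a user ends up with from an ACL that names only domain local groups. The domains, groups and users in demo() are constructed for illustration.

```python
"""Model of AGULP group nesting and transitive membership (added example)."""

# Which object kinds may be members of each group scope (Windows 2000 native mode).
ALLOWED_MEMBERS = {
    "global": {"user", "global"},                                     # same domain only
    "universal": {"user", "global", "universal"},                     # from any domain
    "domain_local": {"user", "global", "universal", "domain_local"},  # DL only from own domain
}


class Directory:
    """Tiny stand-in for Active Directory: objects, group scopes and memberships."""

    def __init__(self):
        self.objects = {}   # name -> (kind, domain)
        self.members = {}   # group name -> set of member names

    def add(self, name, kind, domain):
        self.objects[name] = (kind, domain)
        if kind != "user":
            self.members[name] = set()

    def add_member(self, group, member):
        """Enforce the scope rules before recording the membership."""
        gkind, gdomain = self.objects[group]
        mkind, mdomain = self.objects[member]
        if mkind not in ALLOWED_MEMBERS[gkind]:
            raise ValueError(f"{mkind} {member!r} may not be a member of {gkind} {group!r}")
        if gkind == "global" and mdomain != gdomain:
            raise ValueError(f"global group {group!r} may only contain objects from {gdomain}")
        if gkind == "domain_local" and mkind == "domain_local" and mdomain != gdomain:
            raise ValueError(f"{group!r} may not contain domain local {member!r} from {mdomain}")
        self.members[group].add(member)

    def expand(self, group):
        """All users reachable through nested membership (transitive closure)."""
        users, seen, stack = set(), set(), [group]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            for member in self.members.get(name, ()):
                if self.objects[member][0] == "user":
                    users.add(member)
                else:
                    stack.append(member)
        return frozenset(users)


def effective_rights(directory, acl, user):
    """Rights a user gets from an ACL whose entries name domain local groups."""
    rights = set()
    for group, granted in acl.items():
        if user in directory.expand(group):
            rights.update(granted)
    return frozenset(rights)


def demo():
    """Constructed two-domain forest; every name here is illustrative."""
    d = Directory()
    d.add("alice", "user", "corp.example")
    d.add("bob", "user", "sales.example")
    d.add("Sales-G", "global", "sales.example")              # A -> G
    d.add("HQ-Staff-G", "global", "corp.example")
    d.add("AllSales-U", "universal", "corp.example")         # G -> U
    d.add("SalesShare-DL", "domain_local", "corp.example")   # U -> DL
    d.add_member("Sales-G", "bob")
    d.add_member("HQ-Staff-G", "alice")
    d.add_member("AllSales-U", "Sales-G")
    d.add_member("AllSales-U", "HQ-Staff-G")
    d.add_member("SalesShare-DL", "AllSales-U")
    acl = {"SalesShare-DL": {"read", "write"}}               # DL -> P
    try:
        d.add_member("Sales-G", "SalesShare-DL")             # a DL inside a G: not allowed
        violation = None
    except ValueError as exc:
        violation = str(exc)
    return {
        "alice": effective_rights(d, acl, "alice"),
        "bob": effective_rights(d, acl, "bob"),
        "members": d.expand("SalesShare-DL"),
        "violation": violation,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Adding or removing a user touches only the global group in that user's domain; the universal group's membership (and hence the global catalog) is untouched, which is the replication advantage the text describes.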
28) The RestrictAnonymous setting
If you set RestrictAnonymous to its most restrictive value (the setting differs across Microsoft OSs; check the documentation for the OS-specific setting; on Windows 2000 it is the value 2, "No access without explicit anonymous permissions"), the Outlook client will show an empty Global Address List; multiple Microsoft server applications running where downlevel domain controllers are present may be unreachable; and many network functions such as trust setup, resource assignment across trusts, printer selection via Active Directory and so on will fail.
29) The right to Access this Computer from the Network
Removing the Everyone group and Authenticated Users from the right Access this Computer from the Network, and adding only the specific groups that are allowed to access the computer from the network, can cause problems. They include preventing AD replication, user authentication to AD and so on, if the list of allowed users and computers isn't carefully constructed. For example, the group Enterprise Domain Controllers must be added to the list or AD replication will fail.
30) Kerberos, certificates and preshared keys
IPSec on Windows 2000 can authenticate peers with Kerberos (the default inside an Active Directory domain), with certificates, or with a preshared key. The preshared key is the weakest of the three: it is stored in plaintext in the IPSec policy and is shared by every peer, so Microsoft recommends it only for testing. Use Kerberos between domain members and certificates for peers outside the domain.
Understanding Kerberos: RFC 1510 (Kerberos version 5; since updated by RFC 4120)
31) Limit user access to the local computer or hard disks with Internet Explorer
If you don't want users on a locked-down desktop typing a file path into IE, such as
\\computername or c:\directory
go to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (or the same path under HKEY_CURRENT_USER for a single user)
and set the NoRun DWORD value to 1
support.microsoft.com/kb/179221
If your workstations are running Windows XP Professional or Windows 2000 Professional and are members of an Active Directory (AD) domain, you can use Group Policy to achieve the same thing. Open a Group Policy Object (GPO), go to User Configuration\Administrative Templates\Start Menu & Taskbar, and enable Remove Run menu from Start Menu.
32) Forcing users to use strong passwords (NT 4.0)
-Use Regedt32 (you will need to restart)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Edit the REG_MULTI_SZ value Notification Packages and add PASSFILT (without the .dll extension)
-This enforces: at least 6 characters; characters from at least three of the four classes (upper case, lower case, digits, non-alphanumeric); and the password must not contain the user name or any part of the full name.
-Only enforced when the user changes the password (for example via Ctrl+Alt+Del); passwords set by an administrator in User Manager are not filtered.
-Remove FPNWCLNT from the list unless you run File and Print Services for NetWare: a Trojan horse DLL by that name has been used to capture passwords, and every DLL listed here sees each new password in cleartext.
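The filter rules above, reimplemented in Python as an added example (not the original page's content and not Microsoft's passfilt.dll), so you can test candidate passwords against them before rolling the filter out. How the full name is broken into parts is an assumption here: split on separators and ignore parts shorter than three characters, which is the rule the later built-in complexity policy uses. The sample passwords and the user "jsmith" are constructed.

```python
"""Reimplementation of the PASSFILT.DLL password rules (added example)."""
import re

# The four character classes; a password must draw from at least three.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "other": re.compile(r"[^A-Za-z0-9]"),
}
MIN_LENGTH = 6
MIN_CLASSES = 3


def name_parts(full_name):
    """Parts of the full name a password may not contain.

    Assumption: split on spaces, commas, periods, hyphens and underscores and
    ignore parts shorter than three characters.
    """
    return [p for p in re.split(r"[ ,.\-_]+", full_name) if len(p) >= 3]


def check_password(password, username, full_name=""):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < MIN_CLASSES:
        problems.append(f"only {len(present)} of 4 character classes ({', '.join(present) or 'none'})")
    lowered = password.lower()                       # comparisons are case-insensitive
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    for part in name_parts(full_name):
        if part.lower() in lowered:
            problems.append(f"contains part of the full name ({part})")
    return problems


def password_ok(password, username, full_name=""):
    return not check_password(password, username, full_name)


if __name__ == "__main__":
    # Constructed samples for user "jsmith", full name "John Smith".
    for candidate in ["Tr0ub4dor&3", "password", "Smith2007!", "Ab1!", "jSmith99x"]:
        result = check_password(candidate, "jsmith", "John Smith")
        print(f"{candidate!r:16} -> {result or 'OK'}")
```

Run it against your own password history export to see how many existing passwords would have been rejected; that is a good measure of how much the filter changes once users are forced to reset.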
33) Hide the security log on NT
Move the current log away from its default location, because an attacker who knows the default path can alter or delete it:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
Change the File entry to a new path, and set NTFS permissions on the new location so that only SYSTEM and Administrators can reach it; moving the file is obscurity, the permissions are the protection.
34) Add an Encrypt command to a folder's right-click context menu
Perform the following registry change:
1. Open the registry editor.
2. Navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced registry subkey.
3. In the right pane, right-click and add a new REG_DWORD called EncryptionContextMenu.
4. Set the decimal value of the new entry to 1.
5. Exit the editor.

35) Turn off the ability to view the SIDs of user accounts
1. Open the Default Domain Security Policy.
2. Drill down to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
3. Double-click Additional Restrictions For Anonymous Connections, and select the Define This Policy option.
4. Select Do Not Allow Enumeration Of SAM Accounts And Shares from the drop-down list.
5. Select Allow Anonymous SID/Name Translation and disable it.
6. Click OK, and close the window.
7. Click Start | Run.
8. Type gpupdate, and press [Enter].
*** There are some instances where you might have to allow anonymous users to connect (such as to a SQL Server) and you can't disable Allow Anonymous SID/Name Translation.



Updated October 10, 2007
Copyright© 2007 by Dana Shea
