Security Tips

Building and maintaining the server

  • Build your systems off the public network: a freshly installed system is insecure and could be attacked before you have hardened it.
  • Always use NTFS filesystems, not FAT/FAT32, as FAT has no file-level security. To convert a FAT32 filesystem to NTFS, open a CMD window (Start>Run, "cmd") and enter "convert C: /FS:NTFS".
  • Remove the "guest" user, and replace the "everyone" group with "authenticated users" throughout the filesystem(s).
  • Use strong passwords: at least eight characters long, containing at least one capital letter and some numbers. (See: Choosing a good password.)
  • When you add a user to XP Home they are given full administrative powers. Where possible convert these to basic/limited users, and use the Run-As function rather than logging in as Administrator. In Windows 2000 and XP Pro convert such users to "Power Users" if they still require some administrative powers.
  • Set account lockout policies: "passprop /adminlockout" locks remote access to "Administrator"; the console login cannot be locked out (Windows NT/2000).
  • Remove the "Everyone" group's access from as many files and directories as possible, especially under IIS.
  • Rename the "Administrator" account; this adds another layer of security.
  • Remember to create a password-reset disk for any sensitive users, and store the disks in a safe place.
  • Force all "administrator" users to log on using their own accounts, and never allow users to share accounts.
  • Create a new dummy "Administrator" account that has no privileges, and use it to track any attempts to log on as "Administrator". Experienced hackers can still find the real account via its SID, but this makes it harder for them and will likely fool most script-kiddies.
  • In XP Home, manage users from the command line (Start>Run): control userpasswords2
  • Sensitive folders should be made private by right-clicking on them, and selecting "Make this folder private".
  • To set all advanced security properties in NT/2000/XP Professional use the Group Policy Editor (gpedit.msc).
  • Limit the times that users can log on:

Type "net user <username> /time:M-F,8am-5pm" (without the quotes) to restrict logon to 8 a.m. to 5 p.m. Monday to Friday, or "net user <username> /time:M,3pm-5pm;W,4pm-7pm" for separate periods on different days.

  • For any "Support" or "Guest" accounts:
    From the "Advanced" tab click the "Advanced" button. Select the "Users" folder and right-click the "Help Assistant" account. Select "Properties" and ensure the following settings are ticked:

"User cannot change password"
"Password never expires"
"Account is disabled"

  • Manage XP and W2K extended security settings using Group Policy: Start>Run>gpedit.msc

  • Do not allow users to install public-key certificates, as this would let them use an encryption system that you could not monitor.
  • To temporarily run a program with Administrator privileges, right-click on it, choose "Run As" and pick the "The following user" radio button (you have to enter the password every time). Or right-click on the shortcut and choose Properties->Shortcut->Advanced->"Run with different credentials". Alternatively change the permission the user account has on the program's folder from "Read" to "Change". XP Home cannot change permissions through the GUI as Pro can (unless you restart the system in Safe Mode), but you can use the cacls command.
  • On an XP Pro installation that belongs to a domain, the clock syncs to a domain controller instead of the Internet. To set up your Windows 2000 server to use an Internet time source:
    net time /setsntp:time.windows.com
    NB. A computer that is not a member of a domain does not auto-sync anywhere.
  • On Unix systems, "ntpdate -u ntp.server.tld" syncs the time with ntp.server.tld.

  • Install a virus scanner and subscribe to the vendor's update service.
  • Choose different passwords for Internet access from those you use internally. Do NOT allow your browser to remember passwords and other sensitive information, or to store encrypted pages on disk.
  • Obtain the latest OS patches from the Microsoft website, and application patches from the relevant vendor sites.
  • Make use of the tools included with the operating system (e.g. Microsoft Windows 2000/XP includes a basic firewall known as the ICF (Internet Connection Firewall)). NB. ICF does not protect IPv6 traffic, nor does it monitor outbound programs.
  • Always use the Internet Connection Firewall (or IPSEC, or a third-party firewall e.g. ZoneAlarm) for all Internet connections.
  • Get some or all of the free Microsoft security tools, and ensure you use them.
  • Disable Windows "File and Printer Sharing" unless you really need it. Alternatively don't bind "File and Printer Sharing" to TCP/IP.
  • If using Windows 2000/2003 or XP, encrypt any files that are stored in a shared directory using a separate product, or use the Windows EFS (Encrypting File System: http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q222054&)
  • Disable the "Hide file extensions for known file types" option (folder view options). Even after disabling this option some file extensions remain hidden by default:
    the "NeverShowExt" registry value causes Windows to hide the extensions of certain basic Windows file types regardless of the user's folder settings, e.g. ".LNK" (Windows shortcuts) stays hidden even after a user has deselected the "hide extensions" option. Specific instructions for disabling "hidden" file name extensions are given here.
  • Windows 2000 and XP Pro include the Encrypting File System (EFS), which can encrypt files and folders stored on local or network disks.
  • Disable and/or remove any Internet Relay Chat (IRC) clients. These are a very popular place for hackers to hide viruses and "Trojans".
  • Register your software products, to receive product alerts, and to cover you legally.
  • Sign up to receive automatic update notifications, but ensure that any updates at least prompt you before attempting to install.
  • Schedule tasks to run automatically (such as virus scans, update notifications, system maintenance).
  • Remove any unwanted network shares: "net share share_name /delete" (net share without arguments shows current shares).
  • Check the "System properties" and ensure that all devices are working properly (i.e. no yellow exclamation marks).
  • Use "Regcleaner" to remove any unused Registry entries (This can increase speed and stability)
  • Delete any temporary files, and empty the "Recycle Bin".
  • Set the paging file to be cleared at shutdown: http://support.microsoft.com/default.aspx?scid=KB;en-us;q182086 (prior to XP),
    http://support.microsoft.com/default.aspx?scid=KB;en-us;q314834 (XP).
  • Use "msconfig", and "Services" to disable any programs that you don't want.
  • Go to the "C:\Windows\Prefetch" folder, and delete the entire contents.
  • Run "Defrag" and "disk checker" on all your drives (requires a reboot to get exclusive access).
  • Deselect "Enable Offline Files". You'll still be able to view saved/cached web pages off-line.
  • Select only "TCP/IP" (By default, Windows binds both IPX and TCP/IP). Many firewalls do not filter IPX. If your system is routing IPX, all IPX traffic will go right through the firewall.
  • Make maximum use of "user" and "group" permissions, and ensure that users only have exactly what they need!
  • Regularly empty, or even disable the "Recycle Bin".
  • Change the logon message to include a legal warning (in XP this message appears at the top of the logon window):

Start the Windows XP Registry Editor: Start->Run, type "regedit".

Find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
Create a new String Value called "LogonPrompt" and set its value to your logon message.

There are many more security-related registry tweaks available, e.g.:

Change Default Administrator Ownership
Disable Command Prompt and Batch Files
Disable Recent Shares in Network Places
Disable the Recycle Bin
Disable Web Printing
Enable Shutdown Event Tracker
Hide Computer Management Option
Hide or Display Administrative Tools Menu
Hide the Logon Scripts
Hide the Shutdown Scripts
Hide Usernames from the Logon Screen
Network Connection Restrictions
Remove the Hardware Tab
Remove the Map and Disconnect Network Drive Options
Remove the Security Tab
Restrict Access to the Event Logs
Restrict Anonymous User Access
Run Startup Programs in a Command Prompt
Show Encryption Commands on the Shortcut Menu
User Environment Event Logging
Change the Maximum Transmission Unit (MTU) Size (Windows NT-2000-XP)
Change the Message Shown on the Logon Box (Windows NT-2000-XP)
Clear the Page File at System Shutdown (Windows NT-2000-XP)
Customize the Windows Logon and Security Dialog Title (Windows NT-2000-XP)
Hide Control Panel Applets (Windows NT-2000-XP)
Network Connection Restrictions (Windows 2000-XP)
Restrict Showing the Last Username (Windows 2000-XP)
Restrict Users from Running Specific Applications (Windows 2000-Me-XP)
Show User and Computer Name on Desktop (Windows NT-2000-XP)
Use Personalized Menus (Windows 2000-Me-XP)

For full instructions see: Windows Registry Guide

  • Change your folder "view" options to increase the available security information:
"Tools"->"Folder Options"->"View" and select:

"Display file size information in folder tips"
"Display simple folder view in Explorer's folder list"
"Display the contents of system folders"
"Show hidden files and folders"
"Remember each folder's view settings"
"Show encrypted or compressed NTFS files in color"
"Use Simplified File Sharing"
"Do not cache thumbnails" (for quicker thumbnail display)
"Launch folder windows in a separate process" (for improved performance)
"Show popup description for folder and desktop items"

Deselect:

"Automatically search for network folders and printers"

To prevent the logon name of the last user from being displayed on the screen, set
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
"DontDisplayLastUsername": DWORD=1

  • Create a logon banner containing a legal warning regarding usage and access. Under
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
(or HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon) set "LegalNoticeCaption" to a short caption and "LegalNoticeText" to the entire message:
LegalNoticeCaption = "The caption text."
LegalNoticeText = "The entire login banner."

  • To restrict anonymous connections from listing account names, set "RestrictAnonymous" to 1 under
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
  • To restrict network access to the registry, create the following key:
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg"
  • Windows XP system errors are sent to http://oca.microsoft.com (Windows Online Crash Analysis). You can analyse any data that you have submitted by visiting this site.
  • Remove Recycle Bin Icon from Desktop

Group Policy: User Configuration\Administrative Templates\Desktop\"Remove Recycle Bin icon from Desktop" (leave at default).

  • Stop programs from automatically starting when booting up

"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]" and
"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"

(None of the entries under these keys are really necessary for Windows XP to operate properly.)

  • Turn off MSN Messenger

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client]

PreventRun=1 prevents MSN Messenger from running.

PreventAutoRun=1 prevents MSN Messenger from popping up automatically.

Setting (creating) both these DWORD entries to 1 disables MSN Messenger.

  • Fix Outlook Express slowdown when MSN Messenger is disabled

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID]

Locate the key "{FB7199AB-79BF-11d2-8D94-0000F875C541}" and select its "InProcServer32" subkey. In the right panel of regedit double-click the (Default) entry at the top and completely delete the value data it contains. Repeat for the LocalServer32 subkey.

  • To clear the page file at shutdown: go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, locate ClearPageFileAtShutdown and give it a value of 1.

  • If you export your registry to a text (.reg) file you can edit it.
    Merging a .reg file will overwrite altered values, but it won't remove values that have been added.
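The registry values covered above (the logon banner, DontDisplayLastUserName, RestrictAnonymous, ClearPageFileAtShutdown, the Messenger policy values and NeverShowExt) can be checked in bulk against such an export, because the .reg text that regedit writes is easy to parse. The following Python script is an added example, not part of the original page or of any Microsoft tool: it parses a .reg export and reports each value as OK, WEAK or MISSING. The embedded sample export is constructed, not captured from a real machine; the file and function names (reg_audit.py, parse_reg_export, audit, never_show_ext_types) are the author's own choices, and the DontDisplayLastUserName path is given with its Policies\System subkey, which the tip above abbreviates.

```python
import re
import sys

# Constructed sample export (NOT from a real machine): mixes weak, strong and
# absent settings so the audit has every outcome to report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DontDisplayLastUserName"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client]
"PreventRun"=dword:00000001

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"NeverShowExt"=""
"""
# Key paths from the tips above (DontDisplayLastUserName lives in the
# Policies\System subkey on Windows 2000/XP).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
MEMMGMT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
MESSENGER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client"
# (key, value name, predicate on the decoded value, description)
CHECKS = [
    (WINLOGON, "LegalNoticeCaption", lambda v: bool(v), "logon banner caption set"),
    (WINLOGON, "LegalNoticeText", lambda v: bool(v), "logon banner text set"),
    (POLICIES, "DontDisplayLastUserName", lambda v: v == 1, "last logon name hidden"),
    (LSA, "RestrictAnonymous", lambda v: v >= 1, "anonymous enumeration restricted"),
    (MEMMGMT, "ClearPageFileAtShutdown", lambda v: v == 1, "page file cleared at shutdown"),
    (MESSENGER, "PreventRun", lambda v: v == 1, "Messenger prevented from running"),
    (MESSENGER, "PreventAutoRun", lambda v: v == 1, "Messenger auto-start prevented"),
]

def parse_reg_export(text):
    """Return {key_path: {value_name: (reg_type, value)}} for a .reg export.
    REG_SZ and REG_DWORD are decoded, "name"=- marks a deletion and other
    types (hex:, hex(7):, ...) stay raw; header/comment lines have no "="."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if value == "-":
                keys[current][name] = ("DELETE", None)
            elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                keys[current][name] = ("REG_SZ", re.sub(r"\\(.)", r"\1", value[1:-1]))
            elif value.lower().startswith("dword:"):
                keys[current][name] = ("REG_DWORD", int(value[6:], 16))
            else:
                keys[current][name] = ("RAW", value)
    return keys

def audit(keys):
    """Return [(description, 'OK' | 'WEAK' | 'MISSING')], one entry per check."""
    # the registry ignores case, so compare key and value names case-insensitively
    folded = {k.lower(): {n.lower(): e for n, e in v.items()} for k, v in keys.items()}
    results = []
    for key, name, ok, desc in CHECKS:
        entry = folded.get(key.lower(), {}).get(name.lower())
        if entry is None or entry[0] == "DELETE":
            results.append((desc, "MISSING"))
            continue
        try:
            results.append((desc, "OK" if ok(entry[1]) else "WEAK"))
        except TypeError:  # wrong type, e.g. a REG_SZ where a DWORD is expected
            results.append((desc, "WEAK"))
    return results

def never_show_ext_types(keys):
    """File types whose extension stays hidden even with 'hide extensions' off."""
    return sorted(k.split("\\")[-1] for k, values in keys.items()
                  if k.upper().startswith("HKEY_CLASSES_ROOT\\")
                  and any(n.lower() == "nevershowext" for n in values))

def read_reg_file(path):
    """Version 5.00 exports are UTF-16 with a BOM; older REGEDIT4 files are ANSI."""
    data = open(path, "rb").read()
    return data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode("latin-1")

if __name__ == "__main__":
    # Usage: python reg_audit.py exported.reg   (no argument: audit the sample)
    parsed = parse_reg_export(read_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG)
    for desc, status in audit(parsed):
        print(f"{status:8}{desc}")
    print("extension always hidden for:", ", ".join(never_show_ext_types(parsed)))
```

Run it with no argument to audit the embedded sample, or pass the path of an export made with File->Export in regedit. Because merging a .reg file never removes values that have been added, auditing a fresh export is the reliable way to see what is actually set, including stray NeverShowExt values under HKEY_CLASSES_ROOT that keep extensions hidden.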

  • For each disk drive deselect:

"Compress drive to save disk space" (to speed up reading from the drive) and

"Allow Indexing Service to index this disk for fast file searching"

and then select "Apply changes to [Drive letter]:\, subfolders and files" to improve performance and increase free disk space.

  • If this is a desktop system: right-click on the desktop and select "Properties". On the "Screen Saver" tab click the "Power" button. Under "Power Schemes", set all three options to "Never". Under the "Advanced" tab, deselect both boxes. Set "When I press the power button on my computer" to "Shut Down". Under the "Hibernate" tab, select "Enable Hibernation" to improve stability and free up disk space.
  • If you don't have a UPS (Uninterruptible Power Supply) disable the UPS service completely.
  • Use "create system restore points" in Windows 2000/XP to save vital configuration files, and press F8 during boot to restore from them in the event of a problem.
  • Lock the user's Start menu by preventing right-click changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Right-click on Explorer, add a new DWORD named NoChangeStartMenu and set its value to 1.
  • To clear the Start menu's recent documents list after every reboot: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Create DWORD ClearRecentDocsOnExit. 1=enable, 0=disable.
  • To disable CD burning: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Create DWORD NoCDBurning. 1=disable, 0=enable.
  • To clear the Internet Explorer typed-URL history, delete the values under the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs key.
  • Check that a site that claims to be secure really is who it claims to be. Right-click on the page and examine its Properties (Navigator users should click the "Security" button in the main toolbar). If the site is encrypted, check that the certificate belongs to this site, and if it is a financial site ensure that it is using 128-bit (not 40-bit) certificates.
  • On Windows XP NTFS volumes, right-click a folder, choose "Sharing and Security" and select "Make this folder private".
  • To compress data Right-Click and send-to compressed folder.
  • Use Internet time by double-clicking on the clock in the task-bar, and select Internet-time.
  • Download Bootvis from www.microsoft.com/hwdev/platform/performance/fastboot/BootVis.asp to make changes to your startup.
  • Edit "c:\windows\Inf\sysoc.inf" using Notepad and delete the word "hide" to display hidden items in Add/Remove Programs.
  • To automatically end tasks that aren't responding, go to HKEY_CURRENT_USER\Control Panel\Desktop, set AutoEndTasks to 1, then set WaitToKillAppTimeout to the number of milliseconds to wait.
  • Install "Windows Support Tools" from "\support\tools" on the Windows CD.
  • To move your spool folder: Control Panel->Printers and faxes . Click on File->Server Properties and select Advanced. Enter the new path in the Spool folder box.
  • Normally hidden from sight is the fifth security zone in Internet Explorer, AKA "My Computer". You can use it to tighten security. To make it visible: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags is currently set to 0x00000021 (33). Choose Modify and change it to 0x00000001 (1). The zone should be visible after a reboot.
  • Internet Explorer: Tools->Internet Options->Advanced->Security->"Empty Temporary Internet Files folder when browser is closed". Remember to clear the AutoComplete history as well.
  • Add spammers to the Outlook blocked senders list: Tools->Blocked Senders List.
  • Remember that messages marked as "Deleted" in Outlook (Express) are not truly deleted until you compact the folders: File->Folder->Compact All Folders.
  • Internet Explorer security zones: Tools->Internet Options->Security. Put sites you don't trust into the "Restricted sites" zone and those you do into "Trusted sites". The status bar shows which zone the current page is in; the zone icon on the status bar opens the Security Properties dialog. Add a site by copying its URL. You can fine-tune a zone by choosing "Custom Level".
  • For certificates choose: Tools->Internet Options->Content->Certificates.
  • Set up Internet Explorer to check for certificates that have been revoked: Tools->Internet Options->Advanced->Security: "Check for publisher's certificate revocation" and "Check for server certificate revocation".
  • Terminal Services can be made more secure by tunnelling the traffic through another tool called Zebedee. Zebedee is an open source program that lets you redirect TCP or UDP traffic over encrypted, compressed tunnels.
  • Many versions of Windows use the SYSTEM user to obtain user privileges on remote systems. You cannot log in as this user, but it can be used to mount null-session attacks on network systems. If this command succeeds against one of your systems it is vulnerable: net use \\a.b.c.d\ipc$ "" /user:"" (where a.b.c.d is the IP address of the remote system).
  • To protect MS Office, turn on macro security (Tools->Macro->Security) to avoid macro viruses.

Windows-XP Automatic Updates
Select "Turn off automatic updating. I want to update my computer manually" and run Windows Update manually (Internet Explorer>Tools menu>Windows Update) to view a list of updates and download them individually.

SQL Server
Consult Microsoft's Technet to ensure that you have all the latest security patches.

Emergency Repair Disk
Windows NT stores an unprotected copy of the hashed passwords on this floppy disk. If an attacker gets access to your repair diskette they can recover your Administrator password and gain access to your server.
You should also protect your Windows XP password-reset disks for the same reason.

Shortcut Keys and enhancements
Holding Shift whilst clicking on the [X] closes all parent windows.
<Win+E> opens "My Computer".
<Win+U> launches the "Utility Manager".
<Alt+D> selects the Address bar in Internet Explorer.

To display your XP version number on the desktop: HKEY_CURRENT_USER\Control Panel\Desktop, set PaintDesktopVersion = 1.

To add items to the "Send To" menu: Start->Run: sendto. Right-Click to create a new shortcut or drag to the folder.

When dragging and dropping files hold-down shift to ensure the move is permanent.

Start->Run: "." (a single dot) opens this user's home directory / the current working folder.

Remove the arrow from shortcut icons: HKEY_CLASSES_ROOT\lnkfile and delete the IsShortcut value.

To reverse your selection in a folder click Edit->Invert Selection.

Right-click on the CMD window's menu (its title bar) to make permanent or temporary changes to the way the window looks.

To change the name of the "Recycle Bin": HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}. Right-click on (Default) and enter a new name. Other desktop items use the following CLSIDs:
"My Network Places" = {208D2C60-3AEA-1069-A2D7-08002B30309D}
"My Computer" = {20D04FE0-3AEA-1069-A2D8-08002B30309D}
"My Documents" = {450D8FBA-AD25-11D0-98A8-0800361B1103}
"Internet Explorer" = {871C5380-42A0-1069-A2EA-08002B30309D}

Folder->Customize This Folder can change the icon.

To add "Defrag" to a drive's right-click menu: HKEY_CLASSES_ROOT\Drive\shell. Right-click on shell, click New->Key and name it Defrag. Right-click on Defrag, New->Key and call it command. Right-click on (Default), choose Modify and enter: DEFRAG.EXE %