Windows 2000 extras
Windows-2000 can be pre-configured and installed over the network using Remote Installation Services (RIS). RIS creates a client boot floppy, which is used on a client, to start the installation.
Most Win-2k security is now done from within the Microsoft Management Console (MMC).
Group policies are pushed from the domain controller every 90 minutes and during login, and override local settings.


Browsing the Internet

Internet Explorer Tips
Explorer is an integral part of the Windows operating system, and has hooks that go deep inside. This makes it a big security risk, since all you need to do is compromise Explorer and you have access to almost the entire system. To make things worse, the default installation is configured for "ease of use" rather than safety.
One of the most essential tasks is to keep "rogue" programs from taking control of your system. Some programs can only be installed after you have given your permission, or have consciously downloaded and saved the installer program onto your hard disk and then run it to activate the code. However, there are others that are installed automatically when you access specific parts of a web page.
NB. Windows-XP Service-Pack 1 contains a new utility to disable and replace Internet Explorer or Outlook Express as your default web clients. This is in accordance with the findings of the US Government's antitrust case. NB. Microsoft applications are not un-installed, but simply hidden!

Another trick is to get you to agree to download one program, and then to hide something in the small print of the EULA (End User Licence Agreement), that gives permission to install further programs.

Typical examples of this are "Adware" and "Spyware". The authors of these kinds of code are very clever and can configure your system to "trickle" downloads of data and code, in the background as you surf, so they go totally unnoticed. Remember that whilst many people hate Internet advertising, it does pay for a good deal of "free" Internet content.

  • Watch out for browser extensions (helpers) that may have been installed by the user
  • Active-X is all or nothing. The signature may be bogus
  • JVM (Java Virtual Machine) cannot protect itself against bogus bytecode

Carefully examine your browser history if you suspect another user has accessed your system.
Do not allow Explorer to save passwords, as this may allow another user access to your confidential data, or to impersonate you.

Right-Click on the connection icon in the Control-Panel, and select "Properties->Advanced" and check the "Protect my computer and network by limiting or preventing access to this computer from the Internet".

Browser Helper Objects (BHO) attach extensions and executables to Internet Explorer. Many BHOs are legitimate; however, they are also used to attach "Spyware" to your browser, to secretly transmit information to a marketing site, or to run malicious code. BHOs are .DLL libraries that are installed by registering their location in the registry. The currently installed BHOs are registered as subkeys of the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
The subkeys are named with the CLSID of the BHO. A CLSID is a number that uniquely identifies a particular executable. For example, the CLSID for Adobe Acrobat Reader 5 is:
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

An easier way is to download and install the freeware program BHO Cop, available from CNET Downloads. When you run PC Mag's BHO Cop, it lists all the BHOs registered on your system.
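
An offline audit of the BHO key described above, as an added example (not part of the original page and not BHO Cop's code). It parses text in `reg export` format, lists every registered BHO CLSID, and resolves each to the DLL named in its InprocServer32 key; the sample export, the second CLSID, the DLL paths and the function names are constructed for illustration.

```python
import re

# Constructed sample in `reg export` format. The first CLSID is the one quoted
# above; the second CLSID and both DLL paths are invented for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32]
@="C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\Temp\\toolbar32.dll"
'''

BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects").lower() + "\\"
# Machine-wide COM classes; an HKCR export shows them under HKEY_CLASSES_ROOT\CLSID.
CLSID_ROOT = "hkey_local_machine\\software\\classes\\clsid\\"
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")

def parse_reg(text):
    """Map each key path (lower-cased) to its {value name: REG_SZ data}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):   # string values only
                name = "" if name == "@" else name.strip('"')  # "@" is the default value
                current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
    return keys

def audit_bhos(text, known_good=()):
    """Return sorted (clsid, dll_path, status) for every registered BHO."""
    keys = parse_reg(text)
    known = {c.upper() for c in known_good}
    report = set()
    for path in keys:
        clsid = path[len(BHO_ROOT):].split("\\")[0].upper()
        if not path.startswith(BHO_ROOT) or not CLSID_RE.fullmatch(clsid):
            continue
        server = keys.get(CLSID_ROOT + clsid.lower() + "\\inprocserver32", {})
        dll = server.get("", "<no InprocServer32 registered>")
        report.add((clsid, dll, "known" if clsid in known else "REVIEW"))
    return sorted(report)
```

Any entry marked REVIEW is a BHO whose CLSID is not on your own allow-list; check the DLL path and publisher before deciding whether to remove the subkey.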

To tighten the security settings in Internet Explorer (5.5 or 6.0):
Open Internet Explorer and choose Tools->Internet Options->Security.
Select the Internet zone and click the Custom button.
Set the options "Download signed ActiveX control" and "Download unsigned ActiveX control" to Prompt or Disable and click OK twice.
In future you will be prompted before any tools are installed. Before allowing an installation, be sure you read and understand any EULA or documentation supplied with the product, and where possible, open another window and visit the software publisher's site, to see what the software actually does!
Click on the Internet zone->Custom Level button. The Security Settings panel appears.
Select High from the pull-down list, then click the Reset button. A dialog box appears, asking "Are you sure you want to change the security settings for this zone".
Click Yes and make the following changes:
Change "Scripting ActiveX controls marked safe for Scripting" to Disable or Prompt.
To disable Java (optional), select the radio button "Disable Java". NB: If you have Microsoft Virtual Machine installed, this setting will be under the Microsoft VM section.
Set "Active scripting" to Disable.
Click "OK" to accept the changes, and "Yes" to confirm.
Select the "Advanced" tab in the "Internet Options" dialog box. Check the "Warn if changing between secure and insecure" setting. Click Apply to save your changes, then "OK" to close the "Internet Options" menu.

Other settings to check (from the Tools->Internet Options menu) are:

Privacy

Set to Medium

Advanced

Check for publisher's certification revocation
Check for server certificate revocation
Check signatures on downloaded programs
Empty Temporary Internet Files folder when browser is closed
Warn if changing between secure and non-secure mode
Warn if forms submittal is being redirected

Remember that most browser-based attacks rely on tricking the user into clicking a button or link, therefore you should be very careful when visiting new sites. It is a good idea to make use of Internet Explorer's "Security Zones". Set your security at Medium (or higher), and place any "suspect" sites into the "Restricted Sites" zone. See "Tools->Internet Options->Security".

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Show_StatusBar"="yes"
"Show_URLinStatusBar"="yes"

To 'lock' the status bar so that even scripts on web sites cannot switch it off, try running regedit, going to the key mentioned above, and changing the permissions of the keys to read-only. To do this:

Go to HKCU\Software\Microsoft\Internet Explorer\Main
Select "Show_StatusBar"
Go to 'Permissions...' from the Edit menu
Click 'Advanced'
Find your user name in the list and click the 'Edit' button
Put a check next to 'Set value' under 'Deny'
Click OK, OK, OK, OK.

Normally hidden from sight is the 5th security zone in Internet Explorer, AKA My Computer. You can use this to tighten security. To make it visible, find HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\flags, which is currently set to 0x00000021 (33). Choose Modify and change it to 0x00000001 (1). This zone should be visible after a reboot.

Internet Explorer Tools->Internet Options->Advanced->Security->Empty Temporary Internet Files when browser is closed.

Remove unwanted items from the File->New menu in Internet Explorer: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and create a new DWORD value: "NoExpandedNewMenu" and set it to 1

Clear auto-complete history. Tools->Internet Options->Content->Auto Complete. Tick web addresses and clear other boxes.
Profile Assistant can store even more information than what you type into fields monitored by Autocomplete. After you've picked a profile on the Content tab, you can turnoff Profile Assistant from Advanced Options.

To add a site to Network Places: choose "Add a network place", enter the ftp:// address, then uncheck "Log on anonymously". You can save the password and then access the link from within an app such as Word.

Internet Explorer->Security Zones: Tools->Internet Options->Security. Put sites you don't trust into the "Restricted Zone", and those you do into the "Trusted Zone". The status-bar shows which zone -> Internet Icon->Status Bar->Security Properties dialog.

Add a site by copying the URL. You can manage zones by choosing the custom-level.

For certificates choose: Tools->Internet Options->Content->Certificates

Tools->Internet Options->Advanced->Security: check "Check for publisher's certificate revocation" and "Check for server certificate revocation".

If you're using AutoComplete, your details are stored, so anyone can log in.

The no-entry icon shows that this site does not match the Privacy Settings.

Beware of URLs with @ in the middle, e.g. www.microsoft.com%26item%3Dq209354@www.hardware.no. The second address is the real one.
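
A check for the "@" trick described above, as an added example (not from the original page). It reports the host a link really points to and flags links whose text before the "@" imitates a different host name; the function names and the two benign sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def inspect_url(url):
    """Return (real_host, userinfo, deceptive) for a link."""
    if not SCHEME.match(url):
        url = "http://" + url              # links are often written without a scheme
    parts = urlsplit(url)
    # Everything before the LAST "@" in the authority is userinfo, not the host.
    userinfo = unquote(parts.netloc.rpartition("@")[0])
    host = (parts.hostname or "").lower()
    decoy = HOSTLIKE.match(userinfo)       # userinfo that starts like a domain name
    deceptive = bool(decoy) and decoy.group(0).lower() != host
    return host, userinfo, deceptive

def flag_links(links):
    """Return [(link, real_host)] for links whose userinfo imitates another host."""
    flagged = []
    for link in links:
        host, _, deceptive = inspect_url(link)
        if deceptive:
            flagged.append((link, host))
    return flagged

# Constructed input: the page's example plus two benign links.
LINKS = [
    "www.microsoft.com%26item%3Dq209354@www.hardware.no",
    "ftp://alice:secret@ftp.example.org/pub",
    "https://www.example.com/help?contact=a@b",
]
```

Ordinary user:password@host links and "@" characters in a query string are not flagged, so the check can be run over mail bodies or proxy logs without drowning in false positives.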

Remember to clear the Autocomplete History.

Internet Explorer->Tools->Internet Options->Security and click on the Internet (world) symbol. Ensure that the setting is at least set to Medium.

To customise the Internet-Explorer menu buttons, right click on the toolbar. Remember to unlock the bar before making changes, then lock it again afterward. To remove the "GO" button, right-click on the word "Address" and un-tick the "Go button".

Internet->Tools->Internet Options->Enable Page Transitions. Allows pages to fade into one another.

To make the Explorer status-bar permanent: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Show_StatusBar = yes.

You can move the Internet Temporary Files: Tools->Internet Options->General->Temporary Internet files->Settings->Move Folder.

To discover which Active-X controls have already been downloaded:
dir "c:\Windows\Downloaded Program Files\"
Tools->Internet Options->General->Temporary Internet Files->Settings->View Objects. Right-click on a control to delete or un-install.

Passport
Ensure that you are online then go to Start>Control Panel>User Accounts and click on your account at the foot of the page. On the next page choose: "Change Passport Attributes" to see how much is being viewed on the Passport Site.

To delete .NET passwords run: control userpasswords2 and hit OK. Choose the Advanced tab and click on Manage Passwords.
The basic Passport.NET entry is attached to your windows login, with all others listed below.

In Messenger select Tools>Options>Privacy and ensure that "Always ask for my password when checking Hotmail or reopening other .NET Passport Enabled websites" is selected.

Whenever you download a Windows Update the .exe file goes into the "Temporary Internet Files" folder. You can check for the files by choosing "Tools>Internet Options>General>Settings>View Files". Choose the details view and then sort the output.

Outlook Express
Select "Tools->Options->Security", and ensure that "Warn me when other applications try to send mail as me" is checked. If you don't trust the users to take care when downloading, you can also check "Do not allow attachments to be saved that potentially could be a virus".
Under "Advanced", enable "Check for Revoked Digital ID's", though this is only of use if you receive signed mail.
Set "Empty deleted items on exit".

If this is a shared machine, remove your e-mail password from "Accounts->Options", or create multiple identities.

The simplest security measure you can take is to surf and collect mail as a non-administrative or unprivileged user.

Add spammers to the Outlook blocked senders list: Tools->Blocked senders list.
File->Folder->Compact all folders.

Outlook blocks 39 types of file (.bat, .msi, .exe...) from being opened within an e-mail. To increase security you can also click on the Tools->Security Tab and check:

Virus Protection:
"Restricted Sites (more secure)"
"Warn me when other applications try to send e-mail as me"
"Do not allow attachments to be saved that could potentially be a virus"

Security: Outlook has a security function for dealing with macros. Tools>Macro>Security and choose between high, medium and low.
Outlook-2000 has a security update available from: http://office.microsoft.com/Downloads/2000/Out2ksec.aspx

Netscape 3.0 or higher
From the Edit menu, select Preferences->Category list, click on Advanced. (Do NOT click on the plus (+) sign.) The "Advanced Preferences" panel appears.
Uncheck "Enable JavaScript". (optional).
Click "OK" to save the changes.
Click the "Padlock" icon in the lower left-hand corner and the Security Info dialog box will appear.
Click the "Navigator" link to open the "Navigator Security Settings" panel.
Set the options "Viewing a page with encrypted/unencrypted mix" and "Leaving an encrypted site" in the "Show a warning before" section.

Click the Security button in the Navigator's toolbar.
Check whether the certificate is 128 or 40 bit.

Internet Information Server (IIS)
See: http://www.port80software.com/support/art_maskyourwebserver.asp

  • Remove IIS "IWAM_ " and "IUSR_" accounts, unless you are using IIS to host a website on this system.
  • Ensure that web users only have access to web pages
  • Remember all IIS users start as: "IUSR... ", and only have to authenticate, when they try to download something!
  • "IUSR_machine_name" should only have access to files that should be seen from the web, and the user account should be removed if you are not running IIS.
  • "IWAM" is used for the initial connection, and should be removed if IIS is not required.
  • Where possible, obtain an SSL certificate (even self-generated). Use the: "IIS Control Centre->Directory Security Tab->Secure Communications->Edit" to configure this feature.
  • Delete "c:\inetpub\iissamples", "c:\AdminScripts", and any other sample scripts and files.
  • Disable any extension functions in IIS that you are not actually using. E.g. RDS Active-X support.
  • Delete "\Program Files\Common Files\system\msadc", and the MSADC Virtual Directory.
  • Check for links that go outside of webroot
  • Ensure that you obtain the latest patches and use the IIS_Lockdown tool.
  • If your site uses ASP or has database links, ensure that your applications do NOT have administrative access to your database, and correctly validate all user input (for more information refer to the SANS Top 10 vulnerabilities).