There are many howtos and books dealing with security and hardening operating systems in general. However, there aren't a lot of sites that cover a broader range of hardening / security settings. Personally I like Windows XP for its drivers and compatibility, configurability and looks. What I certainly don't like is the huge amount of built-in features (flaws) like Remote Desktop Connection, etc., making XP vulnerable in its default state. My goal is to show the fast security options, emphasizing what the side effects / advantages are, and then show you some additional security settings using the built-in MMC (Microsoft Management Console) and the default security templates which are already present on every XP box.
In my opinion, you don't have to read a whole security book with an average length of 500 pages for some security settings which would fit on 1 page.
1) Disable NetBIOS over TCP/IP {no side effect unless you are using NetBIOS names}
Go to Start ---> Control Panel ---> Network and Internet Connections ---> Network Connections
Right-click on your (local, whatever you use) connection and go to Properties
Right-click TCP/IP, go to Options, click on Advanced and select the WINS tab, then clear the Disable NetBIOS over TCP/IP checkbox.
2) While you are there you might as well disable (better: uninstall)
Client for Microsoft Networks and File and Printer Sharing.
Really the only thing you need is TCP/IP (the standard internet protocol).
This might affect sharing files with ICQ or MSN, AIM etc., which is bad anyway. Kazaa and Overnet file sharing programs remain unaffected by this procedure.
3) Change your computer name to something less usual, like an underscore
4) Go to Start ---> Run and press Browse
Browse to C:\WINDOWS\system32\ddeshare.exe
and press Enter. Disable all the shares listed there, like the Hearts (port 135), blackjack etc. Ever wondered where this port 135 comes from?
6) Regedit part
Go to Start ---> Run and enter "regedit"
Before going any further, make a backup of the registry by exporting the current registry settings under File ---> Export etc.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control\Lsa\restrictanonymous
Double-click on this reg key and enter the value 2
This totally disables null session enumeration (nobody can enumerate accounts etc.)
restrictanonymoussam should be at value 1; it can't go to a higher value
7) Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control\Services\LanManServer
Click on the + in front of LanManServer and click on Parameters
In the right half of the registry editor, double-click on NullSessionPipes
Delete everything that is there as value
Same goes for lanmanworkstation
8) Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control\Services\Tcpip\Parameters
Double-click on EnableIcmpRedirect and enter the value 0 (disabled)
Same goes for DeadGwDetect
Double-click on EnableSecurityFilters and enter the value 1 (enabled)
Export (save) your new registry settings to a floppy, for later use.
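A way to check the result of steps 6 to 8 offline, as an added example that is not part of the original howto: this Python code parses an exported .reg file and reports which of the values above differ from the recommended ones. The sample export is constructed, the names EXPECTED, parse_reg and audit belong to this example only, keys are matched by their trailing path, and DeadGwDetect and lanmanworkstation are left out.

```python
import re

# Settings from steps 6-8: (trailing key path, value name) -> expected value.
EXPECTED = {
    (r"control\lsa", "restrictanonymous"): 2,
    (r"control\lsa", "restrictanonymoussam"): 1,
    (r"lanmanserver\parameters", "nullsessionpipes"): [],
    (r"tcpip\parameters", "enableicmpredirect"): 0,
    (r"tcpip\parameters", "enablesecurityfilters"): 1,
}

# Constructed REGEDIT4 export for illustration, not taken from a real machine.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000002
"restrictanonymoussam"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,53,50,4f,4f,4c,53,53,00,\
  00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000001
'''

def parse_reg(text):
    """Map (key, value name), both lowercased, to the decoded value."""
    # REGEDIT4 exports store strings as single bytes, 5.00 exports as UTF-16LE.
    enc = "latin-1" if text.lstrip().startswith("REGEDIT4") else "utf-16-le"
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        m = re.match(r'"([^"]+)"=(dword|hex\(7\)):(.*)$', line)
        if not m or key is None:
            continue
        name, kind, raw = m.group(1).lower(), m.group(2), m.group(3)
        if kind == "dword":
            values[key, name] = int(raw, 16)
        else:  # REG_MULTI_SZ: NUL-separated strings
            data = bytes(int(b, 16) for b in raw.split(",") if b).decode(enc)
            values[key, name] = [s for s in data.split("\0") if s]
    return values

def audit(text):
    """Return (value name, found, expected) for each setting that deviates."""
    found = {n: v for (k, n), v in parse_reg(text).items()
             if any(k.endswith(s) and n == e for s, e in EXPECTED)}
    return [(n, found.get(n), want) for (_, n), want in EXPECTED.items()
            if found.get(n) != want]
```

A value reported as found None is absent from the export. Exports in the "Windows Registry Editor Version 5.00" format are UTF-16 files, so read them with encoding="utf-16" before passing the text to audit.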
------------------------------------------------------------------------
Windows XP Professional
9) Go to Start ---> Run and enter mmc
This will open the Microsoft Management Console
Go to File ---> Add/Remove Snap-in..
Go to Add and select the snap-ins 1) Security Templates
2) Security Configuration and Analysis
Once done correctly you should see 2 windows:
one named Console 1 and one named Console Root\Security Templates
Right-click on Security Configuration and Analysis and go to Open Database
In the new window just enter a nonexistent name and you will see a new screen coming up with the standard security templates, like securews
(secureworkstation), hisecws, etc. Click on securews and open it
Right-click on Security Configuration and Analysis and go to
Analyze Computer Now
After the PC has finished analysing the local security policy
you will see a tree structure similar to the one in regedit.
Click on the + in front of Sec... Confi... And Analy...
and go to Local Policies\User Rights Assignment
Double-click on the right side on: Deny access to this computer from ...
Check: Define this policy
Click on "Add user group"
Click Advanced ---> Find Now
and select Everyone
After this, right-click on Security Configuration and Analysis
and go to Configure Computer Now
Exit the program and save the newly made console under whatever name you
like best.
(This is the whole procedure, as far as security templates are concerned)
There are a lot more settings, user right assignments etc etc
That all will be in part 2 ( I hope to finish an automated script that
does all the above and above automatically with less user interaction)