From: "Mike McKee"
Subject: W2K/XP Security Steps
Date: Wed, 20 Feb 2002 11:51:10 -0500

Here are some security steps you can take for your W2K/XP systems. It's too bad that MS has so many holes in their systems that you have to take such enormous steps.

1. Service Pack and all security updates: in IE, use Tools, Windows Update, Product Updates, and apply the critical updates.

2. Turn off all non-essential services. This takes a little skill and experience and is too lengthy a discussion to cover here. For instance, disabling your DHCP Client service might end up knocking you off the network, so you don't want to do that.

3. Rename FTP.EXE to XFTP.EXE. Because Windows now has system file protection for files which are deleted, you cannot delete this thing. Gosh, thank you Microsoft for screwing us over! You need to create a backdoor so that only an account called "lockout" (or other suitable name) can access the real FTP.EXE, just in case.

   HOW TO LOCK OUT ALL ACCOUNTS TO A FILE EXCEPT ONE

   a. Create a phony account called "lockout" and make it a user which can log in to your system.
   b. Copy the file as x.exe or some other suitable prefix.
   c. Grab the file and open the Security tab.
   d. Uncheck "inherit security" and, when prompted, choose Copy.
   e. Remove all accounts and, without clicking OK on the Security tab, add all local accounts on your system in there, as well as ANONYMOUS LOGON and anything starting with "Web". Give only the "lockout" account full privileges. For every other account, choose Deny Access. Do not use any groups, such as the Everyone or Users groups, because you may mistakenly disable the lockout account. Click OK to save the settings.
   f. Test this and see if only the "lockout" account can execute this file, not the other accounts.

   Oh, and you might be asking why? Well, there's a known virus which comes in a Word macro. It reads your registry for personal information, creates a hidden text file in the root with a name that looks like a DLL, then executes an FTP script, passing information from this "DLL". By disabling FTP except for those who know how to run the command, you thwart this effort.

4. Apply the same changes to CMD.EXE and COMMAND.COM, no matter where they are on your system. Use Search to ensure that they aren't in other places.

5. Apply the same changes to WSCRIPT.EXE and CSCRIPT.EXE.

6. Apply the same changes to TFTP.EXE.

7. Apply the same changes to XCOPY.EXE, renaming it XXCOPY.EXE.

8. There's a Java directory under WINNT or Windows. It's old and came with the original MS operating system. This is from when MS was in the business of making a Java virtual machine (runtime engine), which has major security loopholes, and so no real Java developer uses this anymore. Sun sued MS and won, remember? The new Sun Java or IBM Java runtime engine is more suitable, is more secure, and works better. You don't need this directory, and it may leave your system open to attack -- delete the Java directory and install the Sun or IBM version of the Java runtime, which also goes by the name of JRE, for Java Runtime Environment.

9. Disable all non-essential accounts, including the Guest account.

10. Rename the Administrator account to something else entirely.

11. Install a virus scanner.

12. Install Zone Alarm or Zone Alarm Pro, and get used to using it. It takes some getting used to. It's noisy at first but then quiets down after you train it.

13. Open the Local Security Policy control panel and adjust:
    - Store password using reversible encryption.
    - Audit logon events, account logon events, and privilege use -- success and failure.
    - Additional restrictions for anonymous connections: do not allow enumeration of SAM accounts and shares.

14. Give your Administrator account, plus the account you most often use, a tough password that includes at least a number and perhaps uses the first letter of every word in a phrase from some book you know well, such as the Bible. However, don't use common passages like the Lord's Prayer or "Yea though I walk in the valley of the shadow...."

15. If you run a website, you need to lock it down instead of using Microsoft's default settings. Microsoft has a tool called IIS Lockdown which you can get from their website. This wizard will ask you a series of questions on how you use your web server, and you can run it and test to see if you can still do things adequately. You can go back as many times as you want to reset to previous changes or redo with different settings.

16. Turn on full web logging, including the URL and query parameters used, for every virtual directory. This is a great technique to see who's trying to hack you with their browser and how. Also, find out where that log is located and read it from time to time.

17. Put all your data files on another system on your network, and lock it down so that about the only thing one can do on this system is access files, and only with one specific account -- the one you use to log in to your network.

18. [deleted]

19. Change your password to something illogical on a schedule. For instance, if my password is "ytiwivs1", don't make the follow-on one "ytiwivs2". If a hacker were ever to intercept your first password, they can almost guess the second one, so don't use that technique. Instead, outfox the hacker with an illogical password on a schedule.

20. If you're using Internet Connection Sharing as a kind of "router", switch it to NAT routing or a true router. A NAT router is not as secure, but it is more securable (you still have to configure that) than MS ICS. See the KB article from MS: Q299801.

21. If Zone Alarm indicates someone is trying to ping you, open up your command line (now probably XCMD.EXE) and ping them back in a loop with large packet sizes, as in:

    ping -n 2000 -l 65500 (that's a little L, by the way)

    If they're any kind of hacker, they'll notice that you're doing this back to them, letting them know that you're "on" to them.

22. Turn on MS Office macro virus protection.

23. Make it a rule to check out your email attachments carefully. I most often only open attachments with the following extensions: ZIP, DOC, PPT, XLW, XLS, VSD, XML, TXT, HTML, HTM, GIF, PNG, JPEG, JPG, WAV, or MID. Most everything else is so insignificant it's not even worth it. I also don't like to receive EXEs by email. You can also email the user back and ask if they sent it, verifying that they did indeed intend to send it to you.
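The file-lockout procedure in step 3 (sub-steps a through f), which steps 4 through 7 repeat for CMD.EXE, COMMAND.COM, WSCRIPT.EXE, CSCRIPT.EXE, TFTP.EXE and XCOPY.EXE, can be scripted instead of clicked through. The script below is an added example and is not part of the original post; it assumes a current Windows build with PowerShell 5.1 or later (for Get-LocalUser), that the renamed copies live at the paths given in $Paths, and that the keeper account is named "lockout" as in the post. It follows the post's rule of denying individual accounts rather than groups.

```powershell
# Added example, not from the original post: apply the post's "lockout" ACL
# pattern (steps 3d-3f) to renamed copies of the listed tools.
# Assumes PowerShell 5.1+ and an elevated shell; paths below are assumed.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32\xftp.exe",   # assumed locations
                         "$env:SystemRoot\System32\xcmd.exe"),
    [string]$Keeper = 'lockout'      # the one local account allowed to run the copies
)

function Set-LockoutAcl {
    param([string]$Path, [string]$Keeper)

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Step d: stop inheriting from the parent folder; ($true, $true) copies the
    # inherited entries onto the file as explicit ones so they can be removed.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step e, part 1: remove every existing entry, groups included, so that no
    # group grant (Everyone, Users, Administrators) can re-open the file.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in @($acl.Access)) {
        $acl.PurgeAccessRules($rule.IdentityReference)
    }

    # Step e, part 2: the keeper gets Full Control; every other local account,
    # plus the ANONYMOUS LOGON identity, gets an explicit Deny of Full Control.
    $acl.AddAccessRule(
        [System.Security.AccessControl.FileSystemAccessRule]::new($Keeper, $fullControl, 'Allow'))
    $denied  = @(Get-LocalUser | Where-Object { $_.Name -ne $Keeper } | ForEach-Object { $_.Name })
    $denied += 'NT AUTHORITY\ANONYMOUS LOGON'
    foreach ($name in $denied) {
        $acl.AddAccessRule(
            [System.Security.AccessControl.FileSystemAccessRule]::new($name, $fullControl, 'Deny'))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($p in $Paths) {
    Set-LockoutAcl -Path $p -Keeper $Keeper
    # Step f: print the resulting entries so the change can be checked by eye.
    "`n== $p"
    (Get-Acl -LiteralPath $p).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
}
```

Run it once per machine after creating the "lockout" account. Because the account you are logged on with will be among the denied ones, the verification in step f is the `Format-Table` output plus an attempt to run the copy from a normal prompt, which should fail with "Access is denied"; the file's owner can still edit the ACL to undo the change.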
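The three Local Security Policy items in step 13 map onto keys in a standard security template, so they can be applied with secedit.exe rather than through the GUI. The following is an added example, not from the post; the template key names are the standard ones secedit understands, the RestrictAnonymous value 1 is the one behind "do not allow enumeration of SAM accounts and shares", and ClearTextPassword is set to 0 so that passwords are not stored with reversible encryption. The scratch file paths are assumed.

```powershell
# Added example, not from the original post: apply the step-13 Local Security
# Policy settings with secedit.exe. Paths under $env:TEMP are assumed scratch files.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; "Store password using reversible encryption" - keep it off (0 = disabled)
ClearTextPassword = 0
[Event Audit]
; 3 = audit both success and failure
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPrivilegeUse = 3
[Registry Values]
; "Additional restrictions for anonymous connections":
; 1 = do not allow enumeration of SAM accounts and shares (REG_DWORD = type 4)
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
'@

$infPath = Join-Path $env:TEMP 'hardening.inf'
$dbPath  = Join-Path $env:TEMP 'hardening.sdb'
$logPath = Join-Path $env:TEMP 'hardening.log'

# The [Unicode] header says the file is Unicode, so write it that way.
Set-Content -LiteralPath $infPath -Value $template -Encoding Unicode

# Apply only the policy area; SECURITYPOLICY covers System Access, Event Audit
# and Registry Values but leaves user rights, groups and file ACLs untouched.
secedit.exe /configure /db $dbPath /cfg $infPath /areas SECURITYPOLICY /log $logPath

# Read the effective policy back and show just the keys we changed.
$exportPath = Join-Path $env:TEMP 'current.inf'
secedit.exe /export /cfg $exportPath /areas SECURITYPOLICY
Select-String -LiteralPath $exportPath -Pattern 'ClearTextPassword|AuditLogonEvents|AuditAccountLogon|AuditPrivilegeUse|RestrictAnonymous' |
    ForEach-Object { $_.Line }
```

The export at the end is the check: if a value did not take, the line from current.inf will show the old setting, and hardening.log records why secedit rejected it.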
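Step 16 turns on full IIS logging and tells you to read the log from time to time. The script below, an added example that is not part of the original post, shows one way to do that reading: it parses the W3C extended log format that IIS writes (a `#Fields:` header names the columns) and prints the requests that carry the patterns a defender most wants to spot, such as directory traversal, command tools referenced in the URL, script tags or SQL-style quoting in the query string. The log lines in $sample are constructed for the example; on a default IIS 5 install the real files live under %SystemRoot%\System32\LogFiles\W3SVC1 (assumed; point $LogPath at your own file). The detection patterns are the example's own, not anything from the post.

```powershell
# Added example, not from the original post: flag suspicious requests in IIS
# W3C extended logs (step 16). $sample is constructed data; $LogPath is assumed.
$sample = @'
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-02-20 16:51:10 192.0.2.10 GET /index.htm - 200
2002-02-20 16:51:12 192.0.2.10 GET /images/logo.gif - 200
2002-02-20 16:52:03 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-02-20 16:52:05 198.51.100.7 GET /search.asp q=<script>alert(1)</script> 200
2002-02-20 16:52:09 198.51.100.7 GET /login.asp user=admin'+OR+'1'='1 500
'@ -split "`r?`n"

function Get-SuspiciousRequest {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: directive defines the column order for the lines that follow.
        if ($line -like '#Fields:*') {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        # IIS writes "-" for an empty query string.
        $target = $rec['cs-uri-stem']
        if ($rec['cs-uri-query'] -and $rec['cs-uri-query'] -ne '-') {
            $target += '?' + $rec['cs-uri-query']
        }

        $reasons = @()
        if ($target -match '\.\.(/|\\|%2f|%5c|%25)')                 { $reasons += 'path traversal' }
        if ($target -match '(?i)(x?cmd|command|x?ftp|tftp)\.(exe|com)') { $reasons += 'command tool in URL' }
        if ($target -match '(?i)<script|%3cscript')                  { $reasons += 'script tag in query' }
        if ($target -match "(?i)('|%27)[+\s]*or[+\s]")               { $reasons += 'SQL-style quote/OR' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                When   = "$($rec['date']) $($rec['time'])"
                Client = $rec['c-ip']
                Status = $rec['sc-status']
                Target = $target
                Why    = $reasons -join ', '
            }
        }
    }
}

# Run over the constructed sample; swap in a real log with:
#   $LogPath = "$env:SystemRoot\System32\LogFiles\W3SVC1\ex020220.log"   # assumed name
#   Get-SuspiciousRequest -Lines (Get-Content -LiteralPath $LogPath)
Get-SuspiciousRequest -Lines $sample | Format-Table -AutoSize
```

Only the three requests from 198.51.100.7 are reported; the two ordinary page hits from 192.0.2.10 pass through silently. Grouping the output by Client (`Group-Object Client`) is the quickest way to see which source is responsible for most of the noise.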