Hardening Windows

Written by Dave
5 Star Support Security Specialist

01.30.06
This tutorial is written for the Intermediate level computer user.

First, it concerns me how many computers used in both home and business environments are running with default settings for everything, just as the computer was when it came out of the box. Worse yet, most of these machines are connected to an 'always-on' high speed Internet connection, or LAN, or both. Running with all the default settings may be the easy way to go, but it is not secure at all! Crackers and malware writers are counting on these types of settings.

Next, the sheer volume of ever-increasing Viruses, Worms, Trojans, Adware, Spyware and other malware assures that more and more users will encounter problems as time goes on. It is a simple mathematical certainty. Now that many crime organizations are thrown into the mix with great funding capabilities for their plans, the problem is constantly growing.

The problem for the average user is in not knowing where to begin or what to do. This article will guide you through the steps necessary to help you make a secure environment by “hardening” your Windows Operating System. I know the average computer user trusts that the default settings the computer ships with are safe, but the truth is, they are not! The use of third party software is a must. You will need a good firewall, anti-virus software and a few anti-spyware programs, all of which can be found for free here:

http://www.5starsupport.com/info/virusinfo.htm

Hardening your system will not cost you anything. However, you will need to spend some time changing your system's default values and adding adequate software. The process recommended here applies primarily to users of Windows XP Home and Windows XP Professional, including some small networks. Many of the tips also apply to Windows 2000. I am not trying to shun users of earlier Windows Operating Systems; it’s just that the system settings we will discuss here are simply not available on Windows ME and earlier versions of Windows. Windows XP has also become the largest target during the past two years.

Before beginning, I strongly recommend backing up your system state and data before making any changes to your computer. If you do not have the means of backing up everything, you should at least back up the system state. After your backup, we are ready to begin.

Use a Non-Administrator Account

Windows ships with the Administrator account and Guest account by default, and no password is required to log on. At least 60% of the machines I encounter in both home and business environments are running this way. Many current exploits are written to find and attack machines set up this way. Connected to the Internet and running as Administrator, an exploit is capable of:

  • Installing any startup services

  • Installing ActiveX controls, including IE and shell add-ins (common to both adware and spyware)

  • Installing kernel-mode rootkits and keyloggers (hard to impossible to detect)

  • Accessing data belonging to all users on the machine

  • Causing code to run whenever anyone logs on to the computer (including capturing user names and passwords entered in the Ctrl-Alt-Delete logon dialog)

  • Replacing normal OS and program files with Trojan horses

  • Disabling or even uninstalling anti-virus programs

  • Covering its tracks in the event log to avoid detection

  • Accessing any other computer you are also Administrator on and gaining control of those computers as well

  • The list goes on and on

Rename the Administrator account, and then password-protect it. Then, set up a limited account for yourself and all other users of the computer as well. Remember to use a password for the new accounts. Use the limited accounts for all general computing needs, especially Internet and email. Never use the Administrator account unless it is necessary (installing or uninstalling programs, Windows updates etc.).

In some business environments, this can cause a problem because some everyday applications require Admin account privileges to run properly. Why, you ask? Because in many cases it is easier to write a program this way. If you have a program that needs Admin privileges to run properly, you will have no choice, but I recommend pressuring the software vendor for a newer version that will run as a limited user. If enough users do this, the vendors will begin to respond rather than lose business.

If it helps you make the decision whether or not to take this step, remember that an exploit written to use Admin privilege is stopped
from installing, running or executing if you are a limited user.

The built-in Administrator account and the Administrators group have the greatest number of default permissions and privileges, as well as the ability to change those permissions and privileges. The object is to prevent an intruder from gaining control over the computer and administrator rights through the built-in Administrator account. To accomplish this, we will rename the Administrator account, change its description, and password-protect it.

Renaming and password protecting the Administrator account

Windows 2000 computers:

  1. Right click on ‘My Computer’ then click on ‘Manage’, which opens the Microsoft Management console.

  2. Expand the “Local Users and Groups”, and open the ‘Users’ folder

  3. Right click on ‘Administrator’, then click ‘Properties’ and type in the new name for the account. Then, change the description so
    it no longer indicates it is the built-in account for administering the computer/domain.

  4. Left click on ‘OK’.

  5. Right click the newly named account, click ‘Set Password’ and type in and confirm the new password for the account.

Windows XP Pro computers:

  1. Right click on ‘My Computer’ then click on ‘Manage’, which opens the Microsoft Management console.

  2. Open the Users folder under Local users and groups, right click on ‘Administrator’ and click ‘Rename’ and type in the new name
    for the account.

  3. Right click the newly named account, click ‘Properties’ and change the description for the account so as not to reveal its true
    nature.

  4. Click on ‘OK’

  5. Right click on the new ‘Administrator’ account, and click ‘Set Password’.

  6. Click ‘Proceed’ in the message box

  7. Type in and confirm the new password for the account in the boxes and then click ‘OK’
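The dialogs above do the job one machine at a time. As an added example (not part of this article), the PowerShell audit below reports whether the rename and password steps actually stuck. It assumes Windows PowerShell (available for XP SP2 and later) and WMI access to the Win32_UserAccount and Win32_Group classes. It finds the built-in accounts by the well-known relative IDs at the end of their SIDs (500 for Administrator, 501 for Guest), which renaming does not change, so it still works after the rename.

```powershell
# Added example, not the article's own code. Read-only: lists local accounts and
# flags the conditions this section tells you to fix.
function Get-LocalAccountAudit {
    # LocalAccount=True keeps domain accounts out of the listing
    $accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
    foreach ($a in $accounts) {
        # The last component of the SID is the relative ID; 500 and 501 are fixed
        $rid = ($a.SID -split '-')[-1]
        $role = switch ($rid) {
            '500'   { 'built-in Administrator' }
            '501'   { 'built-in Guest' }
            default { 'other' }
        }
        $findings = @()
        if ($rid -eq '500' -and $a.Name -eq 'Administrator') {
            $findings += 'built-in Administrator still has its default name'
        }
        if ($rid -eq '500' -and $a.Description -match 'administering') {
            $findings += 'description still reveals the built-in account'
        }
        if ($rid -eq '501' -and -not $a.Disabled) {
            $findings += 'Guest account is enabled'
        }
        # PasswordRequired is the account flag only; it cannot tell whether the
        # password that is set happens to be blank, so still check that by hand
        if (-not $a.Disabled -and -not $a.PasswordRequired) {
            $findings += 'enabled account that does not require a password'
        }
        New-Object PSObject -Property @{
            Name     = $a.Name
            Role     = $role
            Disabled = $a.Disabled
            Findings = ($findings -join '; ')
        }
    }
}

# Members of the local Administrators group (well-known SID S-1-5-32-544).
# The article recommends exactly one administrator account per machine.
function Get-LocalAdminMembers {
    $group = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
    # Follow the group/user association to the member accounts
    $group.GetRelated('Win32_UserAccount') | Select-Object -ExpandProperty Name
}

Get-LocalAccountAudit | Format-Table Name, Role, Disabled, Findings -AutoSize
'Administrators group members: ' + ((Get-LocalAdminMembers) -join ', ')
```

Run it before and after the rename so the "default name" finding disappears and the Administrators list shrinks to the one account you intend to keep.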

Use Strong Passwords

I really can’t stress this enough, especially for business use. Please, do not pick a pet name, spouse name or anything else easily
guessed by people who know you.

Pick a password at least 8 characters long; I prefer 15 or more. Windows will accept a maximum of 127 characters. Use upper and lower case letters, numbers, and symbols as well. If you have multiple computers, do not repeat the same password on each one. Never write down passwords and leave them in plain sight, and never send them in email.

It is very scary to me to sit at a workstation that has all the account names, login names and passwords written on post-its and stuck on
the monitor. In a business environment, this is just inviting misuse.

The easiest way to pick a long, effective password is to think of an easy-to-remember phrase, then change every letter o to the digit 0 and every letter l to the digit 1. For example:

I like Tootsie-Roll becomes: I1iket00tsie-R011. That is much harder to crack. Also, remember that Windows will accept spaces as password characters.

Use a BIOS and Boot-level Password

Once you set a Boot level BIOS password, it will be required every time the system is started. The system is completely disabled until
the password is entered. This is normally accomplished by selecting the password option in the BIOS setup. You may also want to
consider an additional password for accessing the BIOS settings in order to prevent unauthorized changes in the BIOS settings.

Use the Screensaver

Proper use of the screensaver will help protect your computer while you are away from it for short periods of time. This is especially important in business environments. Just bring up the screensaver settings and enable password protection. Here's how:

  1. Right click an open area of the desktop

  2. Left click properties from the choices

  3. Left click the screensaver tab

  4. Check the box to “On resume, password protect”

On Windows 2000 machines, left click the Power button, then left click the advanced tab, then check the box to “Prompt for password
when computer goes off standby”.

Remember to pick a time period for the screensaver to start, perhaps 10 minutes. If you are going to be away for an unknown time
period, you can always start the screensaver manually when you are called away. Another quick way to secure things is to simply hit
Ctrl-Alt-Delete which brings up the task manager. You then select ‘Lock Computer’ by left clicking the button, or hitting ‘Alt-k’ on the keyboard.

Guest Account

The Guest account exists on all Windows 2000 Server, Windows 2000 Professional, and Windows XP computers. Microsoft recommends against disabling the Guest account in Windows XP or removing it in either Win2k or XP. To make this account more secure, I recommend the following.

Windows 2000 computers:

Rename Guest account, password protect it, then disable it. Here's how:

  1. On the desktop, right click on ‘My Computer’ then click on ‘Manage’, which opens the Microsoft Management console.

  2. Expand the “Local Users and Groups”, and open the ‘Users’ folder

  3. Right click on ‘Guest’ then click ‘Rename’ and type in the new preferred name

  4. Right click on ‘Guest’, then click ‘Properties’ and check the box ‘Account is disabled’. Also check the box for ‘User cannot change password’. Then type in the new full name, and change the description of the account as well.

Windows XP Pro computers:

  1. Right click on ‘My Computer’, then click ‘Manage’ which opens the Microsoft Management Console.

  2. Open the Users folder under Local users and groups, right click on ‘Guest’ and click ‘Rename’ and type in the new name for the account.

  3. Right click on ‘Guest’, click properties and edit the description for the account so its true nature will not be revealed.

Use the NTFS File System

When Windows XP or Windows 2000 is installed, it should be installed on a separate partition formatted with the NTFS File system
rather than the older FAT File system. The NTFS system allows you to configure which users have access to which data, who can
perform what kinds of operations, and allows you to encrypt files and data.

Disable auto-logins

Do not use any automated logins and be sure all users are password protected. Go to the control panel, click on administrative tools,
click local security policy. Make sure all users have a password set for the account. I also recommend having only one administrator
account on each machine.

Limit unnecessary accounts

Limit any unnecessary or unused accounts and remember, I recommend only one administrator account per machine. If you see
accounts that are not needed, or not used, delete them.

Disable Enumeration of SIDs

Even after renaming Guest and Administrator accounts, an intruder armed with the right software can still find the real account by enumerating the account SIDs (Security Identifiers) because renaming an account does not change its SID. Once an account name has been identified (an attacker is looking for an Administrator account here) a brute force attack on the password is usually the next step.
This can be avoided by not allowing the enumeration of Account SIDs.

On a Windows XP machine, follow these steps:

  1. Click Start, go to Control Panel, click administrative tools, and click local security policy.

  2. Click the ‘Security Options’ folder in the left pane

  3. Double click ‘Network access: Do not allow anonymous enumeration of SAM accounts and shares’ on the right pane.

  4. Choose ‘Enabled’ and then click ‘Apply’ and ‘OK’ to save your settings.

On a Windows 2000 machine, follow these steps:

  1. Click Start, go to control panel, click administrative tools, and open ‘Local Security Policy’

  2. Click on + on the ‘Local Policies’ folder in the left pane

  3. Left click ‘Security Options’ folder under local policies

  4. Right click on ‘Additional restrictions for anonymous connections’ in the right pane

  5. Left click ‘Security…’ from the box that opens

  6. Under local policy setting, click the down arrow at the right end of the window and choose (left click) ‘Do not allow enumeration
    of SAM accounts and shares’

  7. Left click ‘OK’ to save your settings, and exit all windows

Disable File and Print Sharing

If you are not connected to a domain, simplified file sharing is automatically enabled in Windows XP. It should be noted here that simple
file sharing cannot be turned off in Windows XP Home Edition. Why disable print and file sharing? Well, if you use an always-on
high-speed Internet connection, leaving these services turned on is like leaving your doors open when you are not at home. Unless it is absolutely necessary, I recommend you turn these services off.

In Windows XP, follow these steps:

  1. Click Start, then go to settings, then click Control Panel

  2. Double click Internet Options.

  3. Click on the ‘Connections’ tab, select your connection, and then click ‘Settings’

  4. Click ‘Properties’, click the ‘Networking’ tab, and then uncheck the box for ‘File and Printer Sharing for Microsoft Networks’.

  5. Click ‘OK’ to save the settings

While you are here, let’s do one more thing, and choose not to save temporary Internet files:

  1. Left click on the Advanced tab of Internet Properties

  2. Scroll down to ‘Security’ at the bottom of the window, and check the box to ‘Empty Temporary Internet Files when browser is
    closed’

  3. Click ‘OK’ to save the settings, and exit the control panel

On Windows 2000 machines, use the following steps:

  1. Click Start, then go to settings, then click Control Panel

  2. Double click ‘Network and Dial-up Connections’

  3. Right click ‘Local Area Connection’ and choose ‘Properties’

  4. From the box that opens, uncheck ‘File and Print Sharing for Microsoft Networks’

  5. Click ‘OK’ to save the settings

To choose not to save Temporary Internet Files:

  1. In the Control Panel, open Internet Options

  2. Left click on the Advanced tab of Internet Properties

  3. Scroll down to ‘Security’ at the bottom of the window, and check the box to ‘Empty Temporary Internet Files when browser is
    closed’

  4. Click ‘OK’ to save the settings, and exit the control panel

Unhide File Extensions

By default, Windows XP and Windows 2000 hide known file extensions to simplify the display. The problem with this is that a malware writer can give a file a second, misleading extension, and because Windows hides the real one you cannot tell what kind of file you are about to open. This is especially true for files hiding Trojans. Let’s not let this happen for most file types.

On both Windows XP and Windows 2000, follow these steps:

  1. Click Start, go to settings, open the Control Panel, and double click ‘Folder Options’

  2. Left click the ‘View’ tab

  3. Uncheck the box for ‘Hide extensions for known file types’

There are still three known file extensions that will remain hidden even after the above procedure. They are .shs, .pif, and .lnk so if in doubt, the rule should be not to open or run the file. The file extensions on my personal banned list are: .exe .dll .ocx .wav .jpeg .gif
.bat .com .cmd .pif .scr .zip .mime .mim .uue .uu .b64 .bhx .hgx .xxe .doc .vbs .ico .bmp .ani .cur .hlp .upm .shs .lnk. I never open any
of these unless I am specifically expecting them.
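Which extensions stay hidden is decided per file type by a NeverShowExt value on the type's class key under HKEY_CLASSES_ROOT, so the list can be checked rather than memorised. The script below is an added example, not part of the article; it assumes Windows PowerShell and only reads the registry. On a default XP machine it should list at least the three types named above (lnkfile for .lnk, piffile for .pif and ShellScrap for .shs) together with the command each one is opened with.

```powershell
# Added example, not the article's own code. Lists every registered file type
# whose extension Explorer keeps hiding even with 'Hide extensions for known
# file types' unchecked. Read-only.
function Get-HiddenExtensionTypes {
    # HKCR is not mounted as a drive by default; mount it for this session
    if (-not (Get-PSDrive HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    $keys = Get-ChildItem HKCR:\ -ErrorAction SilentlyContinue

    # Pass 1: extension keys (".shs") point at a class name (ProgID) in their
    # default value; build a map from ProgID back to its extensions
    $extByProgId = @{}
    foreach ($k in $keys | Where-Object { $_.PSChildName -like '.*' }) {
        $progId = (Get-ItemProperty -LiteralPath $k.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($progId) {
            if (-not $extByProgId.ContainsKey($progId)) { $extByProgId[$progId] = @() }
            $extByProgId[$progId] += $k.PSChildName
        }
    }

    # Pass 2: a class key carrying a NeverShowExt value keeps its extension hidden
    foreach ($k in $keys | Where-Object { $_.PSChildName -notlike '.*' }) {
        $hidden = Get-ItemProperty -LiteralPath $k.PSPath -Name NeverShowExt -ErrorAction SilentlyContinue
        if ($hidden) {
            $cmd = (Get-ItemProperty -LiteralPath "$($k.PSPath)\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
            New-Object PSObject -Property @{
                ProgId     = $k.PSChildName
                Extensions = ($extByProgId[$k.PSChildName] -join ' ')
                OpensWith  = $cmd
            }
        }
    }
}

Get-HiddenExtensionTypes | Sort-Object ProgId | Format-Table ProgId, Extensions, OpensWith -AutoSize
```

Anything the script lists with a command that runs an executable (the ShellScrap entry is the one discussed later in this article) deserves the same "do not open unless expected" rule as the banned list above.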

Disable Remote Assistance and Remote Desktop

This applies to Windows XP machines only. Remote assistance allows you to invite another person to logon to your machine for remote troubleshooting. I recommend you leave it disabled. You can always re-enable it later if the service is ever needed. Remote desktop is available on XP Professional and allows you access to a Windows session on one computer while you are at another computer in
another location, not only over a LAN, but over the Internet as well.

To disable these functions, follow this procedure:

  1. Click Start, go to settings, then Control Panel

  2. Double click on the System icon

  3. Click on the ‘Remote’ tab, and uncheck the boxes to ‘Allow Remote Assistance invitations to be sent from this computer’, and
    ‘Allow users to connect remotely to this computer’

  4. Click ‘Apply’ to save the settings, and close the windows.

Disable any unnecessary and potentially dangerous services

The three most common services to turn off are Windows Plug and Play, DCOM, and Windows Messenger. I have been using PCs for over twenty years now and cannot imagine a situation where any of these services are needed. I have never used any of them, but many a malware writer has. The easiest way to disable these services is to use very small programs from Steve Gibson of Gibson Research Corporation.

To disable Windows Plug and Play, go here:

http://www.grc.com/unpnp/unpnp.htm

To disable Windows DCOM, go here:

http://www.grc.com/dcom/

To disable Windows Messenger, go here:

http://www.grc.com/stm/shootthemessenger.htm

All three of these programs are freeware and are a very small file size.

Encrypt the My Documents and Temp folders

Both Windows XP and Windows 2000 allow you to encrypt selected data files and folders in your computer. By doing this, even if your computer is compromised by an attacker, you have an extra layer of security for your most used files by denying access to anyone
except the user that encrypted the files to begin with.

In Windows XP computers, follow this procedure:

  1. Open Windows Explorer

  2. Right click the folder you want to encrypt, and then click ‘Properties’

  3. On the ‘General’ tab, click ‘Advanced’

  4. Check the box to ‘Encrypt contents to secure data’

  5. Click ‘OK’ to save your settings

In Windows 2000 computers, follow this procedure:

  1. Right click ‘Start’ and then choose ‘Explore’

  2. In the left pane, right click the folder you want to encrypt, then left click ‘Properties’

  3. Left click ‘Advanced’

  4. Left click the box to ‘Encrypt contents to secure data’

  5. Click ‘OK’ to save your settings, and close open windows.

I recommend that you encrypt at least the following two folders:

  1. ‘My Documents’, which contains the personal files in which most Microsoft Office documents are stored.

  2. ‘Temp’, which contains the files created by most application programs.
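The same two folders can be encrypted from the command line and the result verified, which is handy when you maintain more than one machine. This is an added example, not part of the article; it assumes cipher.exe (shipped with Windows 2000 and XP), Windows PowerShell, and that both folders sit on an NTFS volume, since EFS does not exist on FAT.

```powershell
# Added example, not the article's own code. Encrypts a folder with EFS via
# cipher.exe and checks the Encrypted attribute that the 'Encrypt contents to
# secure data' checkbox sets.
function Protect-FolderWithEfs {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Folder not found: $Path" }
    # /E encrypts, /S: walks the folder and its subfolders, /A applies it to the
    # files already inside as well (new files inherit encryption automatically)
    & cipher.exe /E /S:"$Path" /A | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed for $Path (exit code $LASTEXITCODE)" }
}

function Test-FolderEncrypted {
    param([string]$Path)
    # FileAttributes.Encrypted (0x4000) is what the Properties dialog toggles
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attr -band [IO.FileAttributes]::Encrypted)
}

# The article's two folders, resolved for the user running the script
$myDocs = [Environment]::GetFolderPath('MyDocuments')
$temp   = $env:TEMP
foreach ($folder in $myDocs, $temp) {
    Protect-FolderWithEfs $folder
    '{0}: encrypted={1}' -f $folder, (Test-FolderEncrypted $folder)
}
```

Two points a practitioner will want to keep in mind: EFS keys belong to the account that did the encrypting, so the folders become unreadable if that account's profile is lost, and on Windows XP SP2 and later cipher.exe offers a /X switch that backs up the EFS certificate and private key to a file you should store off the machine.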

Registry changes

The last few suggestions I have involve changes to the system registry. If you are at all squeamish about this, I suggest you stop your Windows hardening efforts at this point, or get help from someone who is familiar with registry edits and changes. If you elect to proceed, I strongly suggest you do a system state backup before making any changes to the registry.

Clear Page File at System Shutdown

By default, the page file, which holds process memory paged out to the hard disk in clear text, is left in place when the system shuts down. Although this allows more rapid recovery of this information the next time the system is started, it’s a great place for an intruder to look for any sensitive information, and it is stored in plain text form.

To clear the Page File at shutdown, follow this procedure:

  1. Click Start and go to settings and open the Control Panel

  2. Open ‘Administrative Tools’, and choose ‘Local Security Policy’ followed by ‘Local Policies’ in the left pane, and then ‘Security Options’

  3. In the right pane, right click on ‘Clear virtual memory pagefile when system shuts down’ , left click ‘Security’, and choose
    ‘Enabled’

  4. Left click ‘OK’ to save your settings, and close all open windows.

Disable dump file creation

When Windows stops unexpectedly as the result of a Stop Error (“blue screen of death” or system crash), a Memory.dmp file is
created and it can be helpful when using debugging tools and software. Like the page file above, it can contain sensitive information and
passwords displayed in plain text form. I have never found this information of much use, but an intruder can definitely make use of it. To disable the dump file creation, follow this procedure:

  1. Click on Start, go the settings, and open the Control Panel

  2. Double click the ‘System’ icon and then click the ‘Advanced’ tab

  3. Click the ‘Startup and Recovery’ button, and look for ‘Write Debugging Information’ toward the bottom of the window (XP users will have to first click on ‘Settings’)

  4. Click on the down arrow at the right of the top window. Default setting is Small Memory Dump (64 KB). Choose ‘(none)’

  5. Click ‘OK’ to save your settings and close all open windows.

Disable Dr. Watson dump file creation

Another memory dump file similar to the ones above is created by Dr Watson. This is a program error debugger that gathers all kinds
of information about your computer when a user error or user-mode fault occurs within a program. I have never found these files to be useful either. To stop creation of these files, follow this procedure:

  1. Go to Start, then Run, type in ‘regedit.exe’ and hit ‘Return’

  2. Browse to the following location in the left pane:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug

  3. Left click on the value ‘Auto’ in the right pane, and change the value from ‘1’ to ‘0’

  4. Close the registry editor.

To delete the dump files created by Dr Watson on earlier occasions, you will have to delete them manually with this procedure:

  1. Open Windows explorer

  2. Browse to C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson and delete the files named user.dmp and drwtsn32.log.

The Scrap File danger

A scrap file is used by Windows to transfer data between programs, and it can contain just about anything from data to an executable program. Remember that in our discussion of file types we unchecked the box ‘Hide extensions for known file types’ to show all file extensions, and that I told you three file types would still remain hidden, one of them being .shs?

Herein lies the danger. A scrap file can be renamed with a different file extension to make it look benign. Windows assigns
‘RUNDLL32.EXE SHSCRAP.DLL, OPENSCRAP_RUNDLL %1’ to the .SHS extension by default. When the file is opened, Windows will unpack the scrap file and open or execute whatever is in the file. Once the scrap file is opened, you have absolutely no control over it. The trick here is to get the file to show its true .shs extension. To do this, we need yet another registry edit by following this procedure:

  1. Go to ‘Start’, ‘Run’ and then type in ‘regedit.exe’

  2. Left click ‘Edit’, then ‘Find’, and type in: HKEY_CLASSES_ROOT\ShellScrap and click ‘Find’

  3. Once found, in the right pane, right click on ‘NeverShowExt’ and choose ‘Modify’

  4. Type in ‘AlwaysShowExt’ and hit ‘Return’

  5. Close the Registry Editor

  6. Complete shut-down and re-boot

.SHS files should now show the true file extension even when saved to disk.
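Each of the registry-based settings in this last part of the article, and several of the earlier dialog-based ones, comes down to a single registry value, so the whole checklist can be audited in one pass. The script below is an added example, not the article's own code. It assumes Windows PowerShell (available for XP SP2 and later) and reads the documented Windows 2000/XP locations for: anonymous SAM enumeration, automatic logon, the password-protected screensaver, hidden file extensions, Remote Desktop and Remote Assistance, the page file clear, crash dumps, Dr. Watson, and the ShellScrap NeverShowExt value just discussed. One value the article does not mention is DefaultPassword under Winlogon, where a previously configured automatic logon keeps its password in clear text; the audit checks that it is absent.

```powershell
# Added example, not the article's own code. Read-only audit of the registry
# values behind this article's settings; run it to see what still needs fixing.
$checks = @(
    @{ Setting='Anonymous SAM enumeration blocked'; Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value='RestrictAnonymous'; Min=1 },
    @{ Setting='Automatic logon disabled'; Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value='AutoAdminLogon'; Want='0'; AbsentOk=$true },
    @{ Setting='No stored logon password'; Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value='DefaultPassword'; Absent=$true },
    @{ Setting='Screensaver requires password'; Key='HKCU:\Control Panel\Desktop'; Value='ScreenSaverIsSecure'; Want='1' },
    @{ Setting='Known file extensions shown'; Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Value='HideFileExt'; Want=0 },
    @{ Setting='Remote Desktop connections denied'; Key='HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Value='fDenyTSConnections'; Want=1 },
    @{ Setting='Remote Assistance disabled'; Key='HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Value='fAllowToGetHelp'; Want=0 },
    @{ Setting='Page file cleared at shutdown'; Key='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Value='ClearPageFileAtShutdown'; Want=1 },
    @{ Setting='Crash dump disabled'; Key='HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'; Value='CrashDumpEnabled'; Want=0 },
    @{ Setting='Dr. Watson auto-debug off'; Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'; Value='Auto'; Want='0' },
    @{ Setting='.shs extension shown'; Key='Registry::HKEY_CLASSES_ROOT\ShellScrap'; Value='NeverShowExt'; Absent=$true }
)

function Test-HardeningSetting {
    param([hashtable]$Check)
    # A missing key or value produces a non-terminating error; treat it as $null
    $item   = Get-ItemProperty -Path $Check.Key -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Value) } else { $null }
    if ($Check.ContainsKey('Absent')) {
        # The safe state is "value not present at all"
        $ok = ($actual -eq $null); $expected = '(absent)'
    } elseif ($Check.ContainsKey('Min')) {
        # RestrictAnonymous: 1 blocks enumeration, 2 (Windows 2000) is stricter still
        $ok = ($actual -ne $null) -and ([int]$actual -ge $Check.Min); $expected = ">= $($Check.Min)"
    } else {
        # Compare as strings so a REG_SZ "0" and a REG_DWORD 0 are judged alike;
        # AbsentOk covers values Windows leaves unset when the feature is off
        $ok = (($actual -eq $null) -and [bool]$Check.AbsentOk) -or ([string]$actual -eq [string]$Check.Want)
        $expected = $Check.Want
    }
    New-Object PSObject -Property @{ Setting=$Check.Setting; Expected=$expected; Actual=$actual; OK=$ok }
}

$checks | ForEach-Object { Test-HardeningSetting $_ } | Format-Table Setting, Expected, Actual, OK -AutoSize
```

The two HKCU entries (screensaver and file extensions) are per-user, so run the script once in each account you set up; the rest are machine-wide and need only one pass as an administrator.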

As I said at the beginning, there is no such thing as a bulletproof computer, but the procedures outlined in this paper should go a
long way toward making your operating system much more secure than the default settings ever could. You didn’t have to spend any
money and you are only out an hour or so of your time. A small price to pay for a lot of security not offered by any program currently available. I hope this paper helps you enjoy a safe and happy computing experience under all conditions.

Best regards,

Dave

Sources:

Microsoft Windows 2000 Professional, Que Publishing
Microsoft Windows Security Resource Kit, Microsoft Press
Windows 2000 Secrets, Hungry Minds Inc
Anti-Hacker Toolkit, Osborne
Windows 2000 Server, Que Publishing
Windows 2000 Professional Bible, Hungry Minds Inc
Windows XP Professional, Microsoft Press
