Any OS Security Tips Contest For The Month Of January - 2008

#1 SVhost, 01-01-2008, 10:21 AM

Assalam-o-Alaikum


Dear members, we are starting a new contest named "Any OS Security Tips".
Here you are to share security-related tips for any operating system.
I hope you will take full part in this contest.


Rules Of Participation

01. Each member may share only one entry.

02. In case of duplicate posts, only the first post will be included.

03. The last date for posting is 21st January.

04. No discussion of any kind is to take place.

05. If any member engages in discussion, that post will be deleted.


Regards
SVHost

Hg Administration
#2 sahir_143, 01-02-2008, 08:28 AM

How to secure Windows2000 / XP
IMPORTANT INFORMATION REGARDING WINDOWSXP SP2
Some security software has had problems with Service Pack 2, for example ZoneAlarm and some antivirus software. Also, there have been other issues regarding SP2: I have personally found out that after installing it my computer stops working properly, and I have not yet managed to solve the situation. Also, SP2 has some changes regarding the settings of Internet Explorer, Windows ICF and other issues, so this page is not updated to meet SP2 details for now. My suggestion regarding SP2 is that you should back up and try it out. If it works, fine; Microsoft has fixed some major security issues with it, so you are likely safe enough for now on a default install of SP2 if you follow its Security Center guides. If you cannot install SP2 or get it working, then restore the old WindowsXP and use the settings and tips on this page as they are. Try later to install SP2 when Microsoft either fixes its bugs or we can discover some way to counter them.
These settings can be used with both Windows 2000 and WindowsXP to *really* secure the system and also boost its performance. Depending upon your version and whether it is Win2k or XP, you might notice that some of the features/options aren't there. Just skip and move on until you hit something that IS on YOUR Windows2k/XP. The "best" option of all is to have WindowsXP Professional, since the screenshots are from WindowsXP Professional. However, please notice that you can access some of the features in WindowsXP Professional even if you are installing Home Edition, by booting into "Safe Mode" some time.

WindowsXP offers pretty good security features, but only if you know how to use them. By default, WindowsXP is clumsy and has many possible security holes due to its poor default settings. If you use WindowsXP Pro, you can really make your computer your fortress against almost any invader. The built-in EFS (Encrypting File System with NTFS), strong authentication methods, firewall, etc. give you good tools for it. Home Edition does not have all these features but you can always implement your own according to these guidelines. These principles are designed for ONLY single-user "home" computers (standalone), NOT computers in, let's say, corporate networks! On standalone computers you can and should fill all holes possible, but in a corporate environment the whole point is to allow computers to be used via corporate networks or intranet. You can still take suggestions and clues here and implement them properly if you are installing or using Windows2k/XP in a corporate environment or are using multiple user accounts.
PLEASE READ THIS CAREFULLY! Even if you are not planning on securing your WindowsXP, please read this and implement it. Even if you don't care about computer security or think this is not important to do, read and implement it anyway. Trust me on this one. If you think you don't know how to do it or are not sure whether or not to do it, do it anyway. It's very easy, and implementing just these 7 simple things will GREATLY improve your security. It's just 7 easy steps to make! You can of course also print this page to help you look at it better and implement it.
If you want to download and print this page, you can do it easily by downloading/printing this .rtf document. It has everything that is said on this page. I recommend that if you are about to install Windows 2000 / XP, download and print it so you can easily use it to secure your computer offline.


Important information about Windows 2000 and Encrypting File System insecurity
There is very little reason to use EFS on a Win2k standalone installation since it does not offer real protection in Windows2k. It is possible to reset the administrator's passphrase (even with Syskey enabled and stored on floppy) and login as admin. This can be done by simply booting the computer in another operating system and deleting the SAM file and manipulating the registry so that Windows does not want to have Syskey during startup. If Syskey is not present, resetting the administrator's passphrase is much easier. Administrator can do many things and is the default recovery agent of EFS. In any case, once you have logged in as admin, you can decrypt all data encrypted with EFS on that computer.

In theory, it *is* possible in standalone Windows 2000 to have secure EFS, but it is very, very, very complicated to achieve. In theory, by exporting the administrator's recovery certificate or designating some other recovery agent AND implementing Syskey to passphrase or floppy, it *might* be possible to prevent anyone from reading EFS encrypted files. It is always possible to login as administrator, but if the administrator does not have the recovery keys, he can't decrypt EFS files... And since Syskey *prevents* tampering with the other accounts, it is in *theory* safe (if a hacker deletes the SAM file, then other accounts lose their vital piece of information and can't be used, and therefore they can't get access to the private key). But in practice...well...who really knows? I STRONGLY recommend not to use EFS in Windows 2000 unless the computer is a part of a domain and the settings/security policies are good and the actual computer where the certificates are stored is in a safe place so nobody can get physical access to it and Syskey for each computer is stored in passphrase or in floppy format. Use PGPdisk instead and you don't have to worry about these kinds of issues with Windows 2000!


Two good links related to securing and tweaking Windows 2000 and Windows XP
Black Viper's guide on Windows 2000 and XP services
NSA security guides on securing WindowsNT, 2000 and XP (in corporate/network environment)


Please remember! As said earlier, these settings work like a dream for me and most 2k / XP users too, but not with all of them. The best option would be to either make an "image" of your C-drive or write down your original settings before you start implementing these settings. The problems that might occur are mostly related to network connections / internet access. You can also troubleshoot the problems using the Windows Help and Support while going through the settings to see what perhaps needs to be enabled. And if the worst happens...And you just can't revert the changes you made, run "repair install" using your Win2k/XP cdrom. It will keep all the programs etc. but restore regular settings. Remember to update and patch your software after this "repair install".
When you make some alterations to settings, make sure you exit that window by pressing the OK or YES keys. If you simply close the window by clicking the X in the corner of it or press CANCEL, the alterations you just made will NOT become effective!

Before installing Windows 2000 / XP
-> Physically disconnect from the net!
--> Do NOT plug the network cable/internet connection!

-> Backup all your personal files and documents to different HDD or partition
--> Optionally back up to CDRW or external HDD


During installation of Windows 2000 / XP
-> Delete old system partition(s), install from "fresh"!
--> It's a good idea to create at least two partitions, one for the system (you need at least 5 Gb for this one, but 10-20 Gb is better) and a second for your own files and images from the first partition (rest of the HDD space, but at least double the size of the first partition, so at least 10, but 20-40 Gb is better). Of course, if you have backed up your data to some other partition than C:, then do NOT remove or format that partition or your backups will be lost!
---> Format partitions to NTFS.

-> Create one account for yourself (besides the default "administrator account" there already is). This account does not have password by default.
-> Use good passphrases, at least 14 marks long, containing letters, numbers and special marks (like !"#¤%&/().). To be ultra-secure, use Administrator passphrases over 28 marks long.
--> Never use the same passphrase in two places/systems



After installation is done
-> When logging in first time when "Welcome" screen appears
--> Press ctrl+alt+del (couple times in row perhaps)
---> Login as Administrator and with administrator passphrase


Try to close all ports and shares
-> Control Panel
--> Network and Internet connections
---> Network connections
----> Select connections and right click on them
-----> Properties
------> Select all other items (one by one) than: TCP/IP
-------> Uninstall
------> Select: TCP/IP
-------> Properties
--------> Advanced
---------> WINS
----------> Remove: Enable LMhosts lookup
----------> Select: Disable Netbios over TCP/IP
---> Repeat the procedure on all other connections too

-> Control panel
--> Performance and maintenance
---> Administrative tools
----> Computer management
-----> Shared folders
------> Shares
-------> (delete everything inside)

-> (WindowsXP ONLY) Run: regedit.exe
--> Go to (if key/value does not exist, create one by right clicking in the right window)
---> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
----> EnableDCOM (REG_SZ)
-----> Set to: N
---> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
----> Value: DCOM Protocols
-----> Remove ncacn_ip_tcp
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
----> Value: MaxCachedSockets (REG_DWORD)
-----> Set to: 0
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
----> SmbDeviceEnabled (REG_DWORD)
-----> Set to: 0
---> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
----> REG_DWORD
-----> AutoShareServer
------> Set to: 0
-----> AutoShareWks
------> Set to: 0
---> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSession Pipes\
----> NullSessionPipes
-----> (Delete all value data INSIDE this key)
----> NullSessionShares
-----> (Delete all value data INSIDE this key)
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\
----> Machine
-----> (Delete all value data INSIDE this key)

-> (For Windows 2000) You can check this www-page for more details.

Enable Windows XP internet connection firewall (ICF)
-> Control Panel
--> Network and internet connections
---> Network connections
----> Select connection and right click on them
-----> Properties
------> Advanced
-------> Internet Connection Firewall (enable it)
--------> Settings
---------> Make sure NOTHING is selected/enabled
----> Repeat the procedure on all other connections too


Secure your Internet Explorer settings
-> Control Panel
--> Network and Internet connections
---> Internet Options
----> General
-----> Temporary internet files
------> Settings
-------> Set to: Every visit to page
-----> Days to keep pages in history
------> Set to: 0
----> Security
-----> Internet
------> Custom level
-------> Reset to: High
--------> Reset (yes)
------> Scroll down to "File download"
-------> Set to: Enable (yes) (THAT IS, IF YOU WANT USERS TO BE ABLE TO DOWNLOAD FILES FROM THE INTERNET!)
-----> Local intranet
------> Sites
-------> Make sure nothing is selected!
-----> Trusted sites
------> Sites
-------> Add this web site to the zone:
--------> Add all the domains here you can absolutely trust here (and press add after each domain)
---------> For example, add: *.microsoft.com
---------> For example, add: *.passport.com
---------> For example, add: *.msn.com
---------> For example, add: *.markusjansson.net
--------> Make sure "require server verification..." is not selected!
------> Move the tab to "Medium"
-----> Restricted Sites
------> Custom level
-------> Reset to: High
--------> Reset (yes)
------> Scroll down to "File download"
-------> Set to: Enable (yes)
----> Privacy
-----> Advanced
------> Override automatic cookie handling
-------> First party cookies: Block
-------> Third-party cookies: Block
-------> Enable: Always allow session cookies
----> Content
-----> Autocomplete
------> Disable all
------> Clear forms (yes)
------> Clear passwords (yes)
------> Programs
------> Disable: Internet Explorer should check whether it is the default web browser
----> Advanced
-----> Disable everything else, but enable the following
+ Always send URL as UTF-8
+ Disable script debugging
+ Enable folder view on FTP sites
+ Enable page transitions
+ Show friendly http error messages
+ Show go button in address bar
+ Use passive ftp
+ Use smooth scrolling
+ Use http 1.1
+ Use http 1.1 through proxy connections
+ Dont display online media content in the media bar
+ Play animations in webpages
+ Play sounds in webpages
+ Play videos in webpages
+ Show pictures
+ Smart image dithering
+ Check for publishers certificate revocation
+ Check for server certificate revocation
+ Check signatures on downloaded programs
+ Do not save encrypted pages to disk
+ Use SSL 3.0
+ Use TLS 1.0
+ Warn about invalid site certificates
+ Warn if form submittal is being redirected

Secure Outlook Express
-> Start Outlook Express
--> Tools
---> Options
----> Read
-----> Enable: Read all messages in plain text
----> Send
-----> Mail sending format
------> Select: Plain text
----> Security
-----> Disable: Do not allow attachments to be saved or opened that could potentially be a virus (if you don't disable this one, your ability to receive attachments is almost zero. Your email virus protection should rely on the fact that you do NOT open files that you receive as email attachments if you are not ABSOLUTELY sure they are safe to be run.)
----> Maintenance
-----> Enable: Purge deleted messages when leaving IMAP folders

Turn Telnet NTLM logins off
-> Run: telnet.exe
--> Type (and press enter): unset ntlm



Turn SYSKEY on
-> Run: syskey.exe
--> Encryption enabled
---> Update
----> Store key locally



Turn extra accounts off
-> Control Panel
--> Performance and maintenance
---> Administrator tools
----> Computer management
-----> Local Users and groups
------> Local Users
-------> Delete all users other than "Administrator" and "Guest" and the user accounts you specially have created.



Create/edit user level accounts
-> Run: control userpasswords2
--> Here you can easily add, remove and edit existing accounts. Ideal composition is that you have administrator account and one user account per every user who uses your computer (and they all are protected by good passwords). If you didn't create a user level account during setup, you can easily change one of the accounts here from "administrators group" to "user".
--> Enable: Users must enter a user name and password to use this computer
--> After installing, you usually have TWO accounts that are in administrator group. One that is "administrator" and other that is account in administrators group (named as you named it during Windows XP installation).
---> Select the latter account
----> Properties
-----> Group membership
------> Set to "Restricted User"
----> Reset password
-----> Set the password what you desire, but do not use the same password as you used with your administrator account



Turn safer login on
-> Control Panel
--> User Accounts
---> Change the way users login
----> Disable: Use welcome screen

-> Run: regedit.exe
--> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
---> DefaultPassword
----> (Delete this KEY if present)



(Optionally) Create password reset diskettes
-> Control Panel
--> User Accounts
---> Click onto account you want to create password reset diskette to
----> Related tasks
-----> Prevent a forgotten password, etc.
------> Keep that diskette in SAFE place!



Close all not-needed services
-> Control Panel
--> Performance and maintenance
---> Administrative tools
----> Services
-----> Go to every service EXCEPT
+ Application Layer Gateway Service
+ Application Management
+ Automatic Updates
+ Background Intelligent Transfer Service
+ Cryptographic Services
+ DHCP Client
+ Event Log
+ Help and support
+ Human Interface Device Access
+ Internet Connection Firewall
+ Network Connections
+ Network Location Awareness (NLA)
+ Plug and Play
+ Print Spooler (if you have printers)
+ Remote Access Connection Manager
+ Remote Procedure Call (RPC)
+ System Event Notification
+ Task Scheduler
+ Telephony
+ Themes (hey, you don't want to shut down cute themes, right?)
+ Windows Audio
+ Windows Image Acquisition (if you have scanners or digital cameras attached)
+ Windows Installer
+ Windows Management Instrumentation
+ Windows Management Instrumentation Driver Extensions
------> Doubleclick with left mouse button or click right mouse button and select "Properties"
-------> Startup type
--------> Set to: Disabled
-----> Go to
+ Automatic Updates
------> Startup type
-------> Set to: Automatic




Prevent not-needed programs from starting up
-> Run: msconfig.exe
--> Startup
---> Unselect all (unless you KNOW that there is some specific program launching up that you need, for example third party application for your printer, xDSL connection or similar).
----> If you are unsure, still unselect all. You can later come back and re-select some if it was important



Secure settings
-> Control panel
--> Performance and maintenance
---> Administrative tools
----> Local security policy
-----> Account policies
------> Password policy
------> Enforce password history - 0 passwords remembered
------> Maximum password age - 360 days
------> Minimum password age - 0 days
------> Minimum password length - 14 characters
------> Password must meet complexity requirements - Enabled
------> Store passwords using reversible encryption for all users in the domain - Disable
-----> Account lockout policy
------> Account lockout threshold - 3 invalid logon attempts.
------> Account lockout duration - 15 minutes
------> Reset account lockout counter after - 15 minutes
-----> Local policies
------> Audit policy
-------> Audit account logon events - Success, failure
-------> Audit account management - Success, failure
-------> Audit logon events - Success, failure
-------> Audit Object access - Success, failure
-------> Audit policy change - Success, failure
-------> Audit system events - Success, failure
------> User rights assignment
-------> Access this computer from the network -
-------> Act as part of the operating system -
-------> Add workstations to domain -
-------> Adjust memory quotas for a process - LOCAL SERVICE,NETWORK SERVICE,Administrators
-------> Allow logon through Terminal Services -
-------> Back up files and directories - Administrators
-------> Bypass traverse checking - Authenticated Users,Administrators
-------> Change the system time - Administrators
-------> Create a pagefile - Administrators
-------> Create a token object -
-------> Create permanent shared objects -
-------> Debug programs - Administrators
-------> Deny access to this computer from the network - Everyone
-------> Deny logon as a batch job -
-------> Deny logon as a service -
-------> Deny logon locally -
-------> Deny logon through Terminal Services - Everyone
-------> Enable computer and user accounts to be trusted for delegation -
-------> Force shutdown from a remote system -
-------> Generate security audits - LOCAL SERVICE,NETWORK SERVICE
-------> Increase scheduling priority - Administrators
-------> Load and unload device drivers - Administrators
-------> Lock pages in memory - LOCAL SERVICE, Authenticated Users,Administrators
-------> Log on as a batch job -
-------> Log on as a service -
-------> Log on locally - Authenticated Users, Administrators
-------> Manage auditing and security log - Administrators
-------> Modify firmware environment values - Administrators
-------> Perform volume maintenance tasks - Administrators
-------> Profile single process -
-------> Profile system performance -
-------> Remove computer from docking station - Authenticated Users,Administrators
-------> Replace a process level token - LOCAL SERVICE
-------> Restore files and directories - Administrators
-------> Shut down the system - Authenticated Users, Administrators
-------> Synchronize directory service data -
-------> Take ownership of files or other objects - Administrators
------> Security options
-------> Accounts: Administrator account status - Enabled
-------> Accounts: Guest account status - Disabled
-------> Accounts: Limit local account use of blank passwords to console logon only - Enabled
-------> Accounts: Rename administrator account - (TYPE SOME NAME HERE AND USE IT WHEN YOU LOGIN AS ADMINISTRATOR IN THE FUTURE)
-------> Accounts: Rename guest account - Guest
-------> Audit: Audit the access of global system objects - Disabled
-------> Audit: Audit the use of Backup and Restore privilege - Disabled
-------> Audit: Shut down system immediately if unable to log security audits - Disabled
-------> Devices: Allow undock without having to log on - Disabled
-------> Devices: Allowed to format and eject removable media - Administrators
-------> Devices: Prevent users from installing printer drivers - Enabled
-------> Devices: Restrict CD-ROM access to locally logged-on user only - Enabled
-------> Devices: Restrict floppy access to locally logged-on user only - Enabled
-------> Devices: Unsigned driver installation behavior - Do not allow installation
-------> Domain controller: Allow server operators to schedule tasks - Disabled
-------> Domain controller: LDAP server signing requirements - Not defined
-------> Domain controller: Refuse machine account password changes - Enabled
-------> Domain member: Digitally encrypt or sign secure channel data (always) - Enabled
-------> Domain member: Digitally encrypt secure channel data (when possible) - Enabled
-------> Domain member: Digitally sign secure channel data (when possible) - Enabled
-------> Domain member: Disable machine account password changes - Enabled
-------> Domain member: Maximum machine account password age - 1
-------> Domain member: Require strong (Windows 2000 or later) session key - Enabled
-------> Interactive logon: Do not display last user name - Enabled
-------> Interactive logon: Do not require CTRL+ALT+DEL - Disabled
-------> Interactive logon: Message text for users attempting to log on -
-------> Interactive logon: Message title for users attempting to log on -
-------> Interactive logon: Number of previous logons to cache (in case domain controller is not available) - 0 logons
-------> Interactive logon: Prompt user to change password before expiration - 14 days
-------> Interactive logon: Require Domain Controller authentication to unlock workstation - Enabled
-------> Interactive logon: Smart card removal behavior - Lock Workstation
-------> Microsoft network client: Digitally sign communications (always) - Enabled
-------> Microsoft network client: Digitally sign communications (if server agrees) - Enabled
-------> Microsoft network client: Send unencrypted password to third-party SMB servers - Disabled
-------> Microsoft network server: Amount of idle time required before suspending session - 1
-------> Microsoft network server: Digitally sign communications (always) - Enabled
-------> Microsoft network server: Digitally sign communications (if client agrees) - Enabled
-------> Microsoft network server: Disconnect clients when logon hours expire - Enabled
-------> Network access: Allow anonymous SID/Name translation - Disabled
-------> Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
-------> Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
-------> Network access: Do not allow storage of credentials or .NET Passports for network authentication - Enabled
-------> Network access: Let Everyone permissions apply to anonymous users - Disabled
-------> Network access: Named Pipes that can be accessed anonymously -
-------> Network access: Remotely accessible registry paths -
-------> Network access: Shares that can be accessed anonymously -
-------> Network access: Sharing and security model for local accounts - Classic local users authenticate as themselves
-------> Network security: Do not store LAN Manager hash value on next password change - Enabled
-------> Network security: Force logoff when logon hours expire - Disabled
-------> Network security: LAN Manager authentication level - Send NTLMv2 response only\refuse LM & NTLM
-------> Network security: LDAP client signing requirements - Require signing
-------> Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
-------> Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
-------> Recovery console: Allow automatic administrative logon - Disabled
-------> Recovery console: Allow floppy copy and access to all drives and all folders - Disabled
-------> Shutdown: Allow system to be shut down without having to log on - Disabled
-------> Shutdown: Clear virtual memory pagefile - Enabled
-------> System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing - Enabled
-------> System objects: Default owner for objects created by members of the Administrators group - Object creator
-------> System objects: Require case insensitivity for non-Windows subsystems - Enabled
-------> System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) - Enabled


Secure various other settings
-> Control Panel
--> Appearance and Themes
---> Display
----> Screen Saver
-----> Set to: Blank
-----> Set to: Wait 15 minutes
-----> Enable: On resume, password protect
---> Folder options
----> View
-----> Make sure the following are enabled:
+ Display the content of system folders
+ Display full address in address bar
+ Show hidden files and folders
+ Show encrypted and compressed NTFS files in color
-----> Make sure the following are NOT enabled:
+ Automatically search for network folders and printers
+ Hide extension of known file types
+ Hide protected operating system files
+ Restore previous folder windows at logon
+ Use simple sharing
--> Performance and maintenance
---> System properties
----> Advanced
-----> Performance - Settings
------> Advanced
-------> Virtual memory
--------> If you have plenty of RAM (let's say 512MB or more), you can disable the Windows swapfile. This will increase performance and security, since no sensitive data can be written to the HDD (swapfile) in any situation. If you don't have that much RAM, in theory it is a good idea to have a fixed size swap file, let's say 256 or 512MB.
---------> Select each partition and "No paging file" (or set it as fixed on one partition if you don't have 512MB or more RAM)
-----> Startup and recovery - Settings
------> System failure
-------> Unselect all
-------> Write debugging information
--------> None
-----> Error reporting
------> Select: Disable error reporting, but notify me when critical errors occur
----> Automatic Updates
-----> Enable: Keep my computer up to date
-----> Select: Download the updates automatically and notify me when they are ready to be installed
----> Remote
-----> Unselect: Remote Assistance
-----> Unselect: Remote Desktop
---> Power Options
----> Hibernate
-----> Disable: Enable Hibernation

-> Run: mmc.exe
--> File
---> Add/Remove snap-in
----> Add
-----> Select: Group policy
------> Finish/Close/OK
--> Local Computer Policy
---> Computer configuration
----> Administrative Templates
-----> Windows Components
------> Netmeeting
-------> Disable remote desktop sharing - Enabled
-----> System
------> User profiles
-------> Only allow local user profiles - Enabled
------> Remote assistance
-------> Solicited remote assistance - Disabled
-------> Offer remote assistance - Disabled
------> Turn off autoplay - Enabled (all drives)
------> Network
-------> Offline Files
--------> Allow or disallow use of the Offline Files feature - Disabled
-> Notice that you can use this group policy tool to restrict users from altering all kinds of settings in your computer. For example, you could set up Internet Explorer settings very secure (and prevent downloading of files), and then prevent users from altering those settings. This is an excellent tool when you learn to use it properly.



Adjust event viewer settings
-> Control Panel
--> Performance and maintenance
---> Administrative tools
----> Event viewer
-----> Right click: Application
------> Properties
-------> Maximum log size: 10048
-------> Select: Overwrite events as needed
-----> Right click: Security
------> Properties
-------> Maximum log size: 10048
--------> Select: Overwrite events as needed
-----> Right click: System
------> Properties
-------> Maximum log size: 10048
--------> Select: Overwrite events as needed



Secure file and folder permissions
-> My Computer
--> Right click on your mouse to C:\
---> Properties
----> General
-----> Disable: Allow indexing service to index this disk for fast file searching
----> Security
-----> Add
------> Type: Authenticated Users
-------> Press enter
-----> Select: Authenticated Users
------> Allow: Read & Execute, List folder content, Read
-----> Advanced
------> Unselect: Inherit from parent permission entries...
-------> Copy
------> Remove all other users except: Administrator, System and Authenticated Users
-------> Select: Replace permissions entries...
--------> OK
---------> Yes

--> Go to C:\documents and settings\
---> Right click on your mouse to Administrator folder
----> Properties
-----> Security
------> Advanced
-------> Unselect: Inherit from parent permission entries...
--------> Copy
---------> Remove: Authenticated Users
----------> Select: Replace permission entries...
-----------> OK
------------> Yes
---> Right click on your mouse to, one at a time, all other user folders (like "mom", "userX", etc.)
----> Properties
-----> Security
------> Advanced
-------> Unselect: Inherit from parent permission entries...
--------> Copy
--------> Remove: Authenticated users
---------> Add the name of the user (like "mom", "userX", etc.) whose folders these are. This will prevent all other users except admins from getting into their folders.
----------> Allow: Full Control
---------> Select: Replace permission entries...
----------> OK
-----------> Yes
--> Go to C:\windows (or if your Windows is installed onto some other directory, then go there)
---> Select "temp" folder
----> Properties
-----> Security
------> Select: Authenticated Users
-------> Allow: Full Control
--> You can also set permissions like this on other partitions and folders. Please be advised that if you store something like games somewhere, users who need to play those games usually need to have full control on those folders so that they can save games etc. The same goes if you store other files on those partitions, like music, documents etc., that other people want to not only access, but also save and edit. Then you should give "Authenticated Users" full permissions on those folders. The main thing is that your personal folders (C:\documents and settings\userX\) are safe from other people's tampering, and so are important system folders (C:\windows\).

-> To encrypt (EFS) the content of directories and prevent all other users (including administrators) from reading the content of files inside (only in XP pro version) the directory (notice: they can still see the file names and alter folder settings)
-> Only use this for YOUR personal directories (like to folders where you keep personal documents etc.), do not use on system, program, etc. directories!
--> Right click on your mouse to the directory you wish to encrypt
---> Properties
----> General
-----> Advanced
------> Enable: Encrypt the contents to secure data (notice: If you are logged in as administrator, this will encrypt the data for the administrator account only. To encrypt data for your USER account, please secure your Windows XP installation, log in as user and then start encrypting your folders)





(Optionally) Export your EFS certificate
-> Make sure you have encrypted some directory with the user that you wish to export the EFS certificate from (otherwise you don't have an EFS certificate to export)
-> Run: MMC
--> File
---> Add/Remove Snap-in
----> Add
-----> Select: Certificates
------> Add
-------> Select: My user account
--------> Finish/close/OK
--> Certificates - Current User
---> Personal
----> Certificates
-----> Select your certificate from the right window
------> Right click with your mouse
-------> All tasks - Export
--------> Next
---------> Select: Yes, export the private
----------> Next
-----------> Write a passphrase to protect the certificate and remember it!
------------> Choose where and under what name to export it
-------------> Next, etc. etc.



Reboot your computer
-> If/When "Welcome" screen appears
--> Press Ctrl+Alt+Del (a couple of times in a row perhaps)
---> Login as (WHATEVER NAME YOU RENAMED THE ADMINISTRATOR ACCOUNT AS) and with administrator passphrase




Now you can physically connect to internet!
-> Plug in the network cable etc.
--> Set whatever settings needed to make it possible for you to connect to internet.



Update Windows
-> Go to Microsoft Windows Update
--> Download ALL updates available
---> Reboot when asked to administrator account again
----> Return to this site to download more and more and more patches
-----> Continue to download/install patches, rebooting and returning to this page until you have downloaded ALL patches and cannot download any more patches.
-> Remember to come back to see new patches, hopefully every week but at least once a month! We have set automatic Windows Update, but I STILL insist that you recheck for ANY new updates every once in a while. Just to be sure. Updating your Windows, Windows Media Player, Internet Explorer, Outlook Express etc. is REALLY THAT IMPORTANT!




Download, install and use free software to secure your computer
-> Remember to login as administrator before installing anything to your computer!
-> For more info, go to Some Free Resources, Programs, etc.



And finally...
-> Go through this list AGAIN, since you might have missed something, or some updates/patches might have changed some settings; for example, downloading the Windows Messenger update automatically changes your ICF setting (!!!), opening a few ports on your system!
-> When you are done installing, updating and securing your Windows XP, log in as USER with the passphrase you reset it to previously. Only use the ADMINISTRATOR account/permissions when you REALLY need to install/update/modify some settings. Logging in with administrator permissions is a severe security risk and it should be avoided at all costs.
--> Remember to change the password on all new accounts when you log in for the first time. By default, new accounts have NO password set. Press Ctrl+Alt+Del and Change Password to change your password.

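An added example, not part of the original post: a Python check that reads a registry export and reports which of the settings changed in the steps above (crash dump options, Remote Desktop, Remote Assistance, autoplay) differ from the post's choices. The mapping of each dialog option to a registry value and the sample export are this example's assumptions.

```python
import re

# Expected registry values for settings the post changes through the GUI.
# Mapping each dialog option to a registry value is this example's assumption.
BASELINE = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl": {
        "CrashDumpEnabled": 0,  # Write debugging information: None
        "AutoReboot": 0,        # System failure: "Automatically restart" unselected
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server": {
        "fDenyTSConnections": 1,  # Remote Desktop unselected
        "fAllowToGetHelp": 0,     # Remote Assistance unselected
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer": {
        "NoDriveTypeAutoRun": 0xFF,  # Turn off autoplay: all drives
    },
}
DWORD = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})')

# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled"=dword:00000000
"AutoReboot"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"fAllowToGetHelp"=dword:00000000
'''

def parse_reg(text):
    """Return {KEY_PATH_UPPERCASED: {value_name: int}} for dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := DWORD.fullmatch(line)):
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return (key, value, expected, found) for each baseline value absent or different."""
    found = parse_reg(text)
    return [(key, name, want, found.get(key.upper(), {}).get(name))
            for key, values in BASELINE.items() for name, want in values.items()
            if found.get(key.upper(), {}).get(name) != want]
```

A real export is typically UTF-16 encoded, so decode it before passing the text to `audit`; a value reported as found `None` is simply absent from the export.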
  #3  
Old 01-10-2008, 09:41 PM
hotkhan's Avatar
shakeel khan
 
Re: Any OS Security Tips Contest For The Month Of January - 2008

I want to give a simple and easy to understand guide for part of the OS Security

Preventing Viruses, Worms, and Trojans
What is Malware?


The term malware encompasses 3 main types of unsolicited, unwanted computer intrusions:
  • Viruses - self-replicate to spread, use a host program
  • Worms - self-replicate to spread, do not need a host, and spread via networks
  • Trojans – do not replicate, often contain hidden intent

Viruses

A virus is a computer program or code that attaches itself to a "host" program on another computer. It then makes copies of itself and tries to spread to other computers. To qualify as a true virus, a program must be able to self-replicate. When the host program is shared with another computer and the host program code is run, the virus is executed. Not all viruses are destructive to computer programs or data.

Common modes of transmission include:
  • Email attachments – most popular
  • Social engineering (tricks that rely on human nature)
  • Shared disks (floppy, flash drives, external hard drives, CD's)
  • Macros and Visual Basic scripts
  • File sharing applications
  • P2P (peer-to-peer) such as BearShare, Gnutella, KaZaA, Limewire, Morpheus, etc.

Other modes of transmission that are less common, but on the rise include:
  • IM (Instant Messaging)
  • Cell phone viruses

Worms

A worm is a stand-alone program that does not need a host program to replicate and spread. It typically modifies the operating system to become part of the boot process and it can also write changes to the registry. Unlike most viruses, worms can travel and spread via networks.

Common modes of transmission
  • Social engineering (tricks that rely on human nature)
  • Email attachments
  • Over networks/Internet
  • Exploits of security vulnerabilities and bugs found in applications

Trojan (trojan horse)

A trojan, in the world of computers, describes a harmful program disguised as a helpful one. A trojan is sometimes defined as any program with hidden intent. They may be attached to and hiding behind a legitimate program or be a program whose intent is misrepresented. Trojans do not self-replicate, but can be used to spread, activate, or hide other viruses.

Common modes of transmission include:
  • Social engineering
  • E-mail attachments
  • Seemingly harmless links on web sites or pop-up windows

A RAT is a type of trojan that gives a hacker full access to your computer whenever you are online. Once installed, RATs:
  • Can delete, add, or transfer files and programs
  • Can control mouse and keyboard
  • Often include key-loggers
Keyloggers track, record, and reply back to the hacker with the text of everything you type, including passwords and bank account numbers and credit card information.

One of the most dangerous and difficult types of trojans to detect and remove is the Backdoor Root Kit. These contain hacker tools that create a backdoor into your system, giving the hacker “root” (administrative) access to your computer. The tools then cover their tracks, making the hack very difficult to detect and remove.


Protecting Your Computer and Identity

Fortunately, protecting your computer from unwanted intrusions is simpler than you may think. With a few simple steps and adjustments to how you think about surfing and downloading from the Internet, you can increase your computing safety dramatically. Listed below are some common-sense steps and tips you can take to increase your computing safety.

Antivirus Software - Install it and keep it up-to-date!
Most antivirus software can be set to automatically update the virus definition files and you should use this feature. If you're using Trend Micro OfficeScan, definition files are automatically updated from the UITSC server.

Keep software, such as Microsoft XP, Microsoft Office, Internet Explorer, Mac OSX.x, and Firefox, patched and up-to-date.



Use complex passwords:
Minimum password length is 8 characters (can contain more).

Passwords must not match any portion of your user name

Passwords must not match any portion of your full name.
Cannot use 4 or more repeating characters


Install and use a firewall.

This is more critical for laptops that travel on and off. You can use the Microsoft firewall, located under Start, Settings, Control Panel.

Be a suspicious user.

  • Email attachments - Don’t open attachments directly from your e-mail. Instead, save them to a location on the hard drive where your virus scanner will have the opportunity to examine it before you open it.

  • Be cautious when clicking on links in emails. To preview the true link path, hover your mouse cursor above the link and look at the bottom of your email window. If the URL appears to be garbage text or includes a long string of numbers before the actual link, it's probably not legitimate.

  • Never “unsubscribe” to junk by clicking a "remove me" link in an email.
    “A 2002 study performed by the FTC demonstrated that in 63% of the cases where a spam offered a "remove me" option, responding either did nothing or resulted in more email”.
  • Consider a “trash” email account to use for web registrations.

Be a cautious Internet surfer.
  • Do not click “Yes” or “No” or “Cancel” on pop-up windows. Clicking can cause a drive-by download, where software is dropped onto your computer, without your knowledge, no matter which of the three responses you choose. Instead, find the page on the Taskbar, right-click on it and select Close.
  • Use the built-in popup blockers that come with most current Internet browsers.

Be a conservative and informed downloader.
  • If it’s free (and the site doesn’t end in .org), be suspicious.
  • Do your homework
  • Do a search on the product/service name.
  • Look to user forums for the true story.
  • Take the time to read the license agreement – be suspicious of extremely long ones.
  • Take your time installing applications and look for tricks that ask you to sign up for email notifications or install other applications (browser toolbars, desktop weather info, etc.).

Recognizing the Signs


How can you tell if your PC has been compromised by an intrusion, virus, worm, or excessive amount of adware and spyware? The most common signs are:
  • Your browser home page has changed and reverts to the new one after reboot, even if you manually change it.

  • Mistyping a URL redirects you to an odd (sometimes pornographic) web site.

  • You have new toolbars, favorites and/or icons on your desktop without any action by you.

  • Some sites, such as Microsoft Updates or reputable antivirus and spyware removal sites no longer connect/function. Clicking their links leads you to what appear to be junk sites.

  • Tons of pop-up ads – may even pop up when you aren’t actively on the web.

  • Your PC slows to a crawl and takes forever to boot.

  • If your intrusion includes viruses, your antivirus software may also be disabled or unable to update.
If you suspect the worst has happened, contact your departmental IT support organization or your Frontline Support Provider.