Hardening Windows Servers

These spyware prevention and other malware prevention tips are written for a home PC running Windows XP Professional; certain tips may also apply to a small home network running Windows XP Professional. Some of the recommendations may therefore not work for other versions of Windows. As always, back up your data before making any changes to your computer.

Out of the box, Windows installs with certain dangerous defaults which, if left alone, will prove to be the biggest bottleneck when you set out to secure your system against malware and hackers.

Use a Non-Admin Account

If there is one magic silver bullet to prevent the installation of malware, it is using a non-admin account, AKA a LUA (Least-privileged User Account), AKA a limited user account, when performing normal day-to-day tasks such as writing documents, browsing the Internet, reading e-mail, instant messaging etc., and using an account with administrator privileges only for the specific tasks that require them. This will drastically limit your exposure to malware.

…If the exploit happens to be written so that it requires admin privileges (as many do), just running as User stops it dead. But if you are running as admin, an exploit can:

* install kernel-mode rootkits and/or keyloggers (which can be close to impossible to detect)

* install and start services

* install ActiveX controls, including IE and shell add-ins (common with spyware and adware)

* access data belonging to other users

* cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)

* replace OS and other program files with trojan horses

* access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts

* disable/uninstall anti-virus

* cover its tracks in the event log

* render your machine unbootable

* if your account is an administrator on other computers on the network, the malware gains admin control over those computers as well

* and lots more.

Aaron Margosis’ WebLog : Why you shouldn’t run as admin…

So why doesn’t everybody run as a limited user?

The downside to running as a non-admin user is that not everything works like it should. Check out this MSKB article: Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account.

Why does least-privilege computing break applications?

Because of programmers who write everyday applications that require them. Why do they do this? Because using admin rights made it easier to write certain programs. It also didn’t used to be a big deal. This type of development, however, encouraged all user accounts to be set up with admin privileges by default, opening the door for some of the malicious code we’re fighting today.

‘Least Privilege’ Can Be the Best

Finally, a must-read if you decide to go the “limited user” way: Aaron Margosis’ WebLog : Non-admin for home users.

Use effective passwords

A weak password will not offer protection against a determined hacker. So when you choose a password, don’t pick one that is obvious, like your name, your spouse’s name or your pet’s name.

  • Select a password that is at least 8 characters long. Windows accepts passwords up to 127 characters in length!
  • Use a mixture of uppercase and lowercase letters, numbers, and other characters such as *, ? or $.
  • If you have multiple systems, do not use the same password on all of them.
  • Never, ever write your passwords down or send them in unencrypted e-mail messages.

More tips on selecting strong and easy-to-remember passwords: Ten Windows Password Myths

Use a BIOS/Boot-level Password

Once set, the boot-level BIOS password is required every time your system is started. It protects your system by completely disabling it until a password is entered. Normally you can set a boot-level password by selecting the option in your BIOS setup. While you are at it, also consider setting a password for accessing the BIOS setup itself, to prevent an unauthorized user from changing the BIOS settings.

Use the screensaver to secure your PC

This step will secure your computer when you are away for a short period. Turn on the screensaver manually or set it to activate after a fixed time interval, such as 10 minutes. Normally, in all versions of Windows, the screensaver password can be set from the Screen Saver tab in the Display Properties window.

Turn off/Rename/Password-protect the Guest account

A guest account provides access to the computer for any user who does not have a user account on the computer. Although Microsoft recommends against disabling the Guest account in XP (see Description of the Guest account in Windows XP), it can be turned off, renamed and password-protected to provide comparatively more security.

To turn off Guest account access, follow these steps:

  • Click Start, click Control Panel, and then double-click User Accounts.
  • Click the Guest account.
  • Click Turn off Guest access.

Rename and password-protect the Guest account: because the Guest account is known to exist on all Windows 2000 Server, Windows 2000 Professional and Windows XP computers, renaming the account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.

To rename the Guest account in XP Pro, follow these steps:

  • Right-click on ‘My Computer’ and click ‘Manage’, which opens the Microsoft Management Console.
  • Open the Users folder under Local Users and Groups, right-click on ‘Guest’, click Rename and type in your preferred unique name.
  • Right-click on ‘Guest’, click Properties and edit the description for the account, so as not to reveal its true nature.

To password-protect the Guest account, follow these steps:

Right-click on ‘My Computer’ and click ‘Manage’, which opens the Microsoft Management Console. Open the Users folder under Local Users and Groups, right-click on ‘Guest’, click Set Password, proceed past the security warning and set the password for the Guest account.

As the Local Users and Groups option is not available in XP Home edition, follow these steps instead:

Click Start, click Run and type in the command “net user guest *” (without the quotes), press Enter and you will be prompted for a password to use.

Rename/Password-protect the Administrator account

An administrator account has the largest set of default permissions and the ability to change its own permissions. To stop intruders from accessing your computers and gaining administrative rights through the built-in Administrator account, it is highly recommended to rename the Administrator account.

To rename the Administrator account in Windows XP Pro, follow these steps:

  • Right-click on ‘My Computer’ and click ‘Manage’, which opens the Microsoft Management Console.
  • Open the Users folder under Local Users and Groups, right-click on ‘Administrator’, click Rename and type in your preferred unique name.
  • Right-click on ‘Administrator’, click Properties and edit the description for the account, so as not to reveal its true nature.

To password-protect the Administrator account, if you have not done it already, or to change the password, follow these steps:

  • Right-click on ‘My Computer’ and click ‘Manage’, which opens the Microsoft Management Console.
  • Open the Users folder under Local Users and Groups, right-click on ‘Administrator’ and click Set Password.
  • Click Proceed in the message box that appears.
  • Type and confirm the new password in the appropriate boxes, and then click OK.

Disable Enumeration of Account SIDs

Even if you rename the Guest and Administrator accounts, you need to be aware that there are software programs which let an intruder find the real account by enumerating account SIDs (Security Identifiers), as renaming an account does not change its SID. Once the Administrator account name has been identified (by its SID), brute-force password guessing begins and exploitation of accounts with weak passwords follows immediately.

To disable enumeration of Account SIDs follow these steps:

  • Click Start, go to Control Panel, click Administrative Tools and click Local Security Policy.
  • Click on the “Security Options” folder in the left pane.
  • Scroll down and double-click Network access: Do not allow anonymous enumeration of SAM accounts and shares in the right pane.
  • Choose Enabled and click Apply & OK to save the settings.

Use the NTFS file system

Install Windows XP in a partition formatted with the NTFS file system. NTFS has built-in security features which older file systems like FAT lack. NTFS allows you to configure which user can perform what sort of operations on the available data, and it allows you to encrypt files and folders to protect your sensitive data.

More on the NTFS file system: NTFS.com NTFS File System.

Disable automated logins – make sure all user accounts are password-protected

Click Start, go to Control Panel, click Administrative Tools and click Local Security Policy. Select all user names one by one and make sure there is a password set for each account that is enabled.

Limit the number of unnecessary login accounts

Remove all unnecessary user accounts and also prune the Administrators group. By limiting user accounts and the members of the Administrators group, you limit the number of users who might choose passwords that could expose your system.

Disable Simple File Sharing

If you are not connected to a domain, simple file sharing is enabled in Windows XP by default. This allows remote users to access the system’s shares freely without being prompted for a password. When simple file sharing is enabled, you can share folders with everyone on your network or workgroup; the downside is that you cannot prevent specific users from accessing those folders. It is recommended that you turn off simple file sharing, which will allow you to permit only specific users, logged on with the user rights you have granted, to access the designated folders. Note that simple file sharing cannot be turned off in Windows XP Home edition.

More on file sharing and how to disable simple file sharing in Windows XP: Windows XP Professional File Sharing

How to configure file sharing in Windows XP

Disable File and print sharing

With an always-on connection, enabling file and print sharing is the equivalent of leaving your front door open when you are not at home. Unless absolutely necessary, disable file and print sharing.

To disable file and print sharing, follow these steps:

  • Click Start, point to Settings, and then click Control Panel.
  • Double-click Internet Options. On the Connections tab, select your connection, and then click Settings.

Unhide the file extensions

By default, Windows hides the extensions of known file types when viewed in Windows Explorer and on the Windows desktop. Malware exploits this to hide itself by adding a second, hidden extension in order to penetrate the victim’s system. AnnaKournikova.jpg.vbs is an example: Windows shows only .jpg as the extension, and the user is fooled into thinking that he is downloading a juicy image instead of a worm with the extension .vbs.

To unhide the file extensions, follow these steps:

  • Click Start, open Control Panel and click Folder Options.
  • Click on the View tab.
  • Uncheck Hide extensions for known file types.

There are certain file extensions which will remain hidden even after the above procedure is followed: .shs, .pif and .lnk. These extensions are now being used by malware writers to let loose dangerous Trojans on unsuspecting victims. So, when in doubt, don’t download or run the file.

Disable Remote assistance and Remote Desktop

Remote Assistance lets you invite another person to log on to your machine for remote troubleshooting. It can be disabled and re-enabled whenever you require such assistance.

With Remote Desktop on Windows XP Professional, “you can have access to a Windows session that is running on your computer when you are at another computer. This means, for example, that you can connect to your work computer from home and have access to all of your applications, files, and network resources as though you were in front of your computer at work. You can leave programs running at work and when you get home, you can see your desktop at work displayed on your home computer, with the same programs running”.

To disable both, open the System folder in Control Panel, click on the Remote tab, uncheck both “Allow Remote Assistance invitations to be sent from this computer” and “Allow users to connect remotely to this computer”, and click Apply to save the settings.

Disable unnecessary and potentially dangerous services

Default installations of Windows XP come with a number of services that are not necessary, and some of those unwanted services can be outright dangerous. Unless explicitly disabled, these services start during the boot process and reside in memory, wasting precious RAM.

To change the service settings, open the services configuration screen in XP by following these steps:

Click Start, click Run, type in ‘services.msc’ and click OK.

In the services configuration screen, double click on the name of the service to change the startup type options for that particular service.

There are three possible settings:

Automatic: the service is started while Windows loads.

Manual: the service is not loaded during the boot process, but if needed it can be started automatically in the background without the user going into the services configuration to start it manually.

Disabled: the service is not started during the boot process and cannot be started at all, even by clicking the ‘Start’ button manually, without first changing the startup type in the services configuration (and rebooting).

I am not going to get into the nuances of each and every service that is enabled by default; there are whole sites devoted to that. Check out the following links for tips on tweaking the services to your needs.

Elder Geek – Services Guide for Windows XP

Snakefoot’s Windows NT4/2000/XP Services

The indicated settings are general in nature and may not suit everyone, as many services are required by individual preferences and operational environments. It is imperative that you back up your data and set a restore point before tweaking the services.

A note on the ‘Messenger’ service – why disable the Messenger service?

If advertisements are opening on your computer in a window titled Messenger Service, it may mean that the Messenger service is enabled and running on your system. Although the name is similar, the Messenger service in Windows XP is not related to instant messaging programs such as Windows Messenger and MSN Messenger; disabling it will not affect the functioning of the IM programs.

Messenger Service window that contains an Internet advertisement appears

Shoot The Messenger

Use EFS (Encrypting File System) to encrypt My Documents folder and Temp folder

The Encrypting File System, available in Windows 2000 and Windows XP, lets you encrypt selected NTFS files and folders using public key cryptography. Encrypting sensitive folders by means of EFS adds another layer of security: when folders are encrypted, their data is protected even if an attacker has full access to the computer’s data storage. Read more on EFS here, Encrypting File System, before attempting the following.

Encrypt the My Documents folder (%UserProfile%\My Documents) to ensure that the personal folder, in which most Microsoft Office documents are saved, is encrypted by default.

Encrypt the Temp folder (%TEMP%) to ensure that the temporary files created by various applications are encrypted.

To encrypt a selected folder:

Open Windows Explorer.

Right-click the folder that you want to encrypt, and then click Properties. On the General tab, click Advanced. Select the Encrypt contents to secure data check box.

Related link: Error Message “Access Denied” When Starting a Recently Installed Program

Clear Page File at System Shutdown

Ensure that the system page file is cleared at shutdown. This ensures that any sensitive information from process memory that was paged to disk is not left behind in clear text after shutdown.

Start the Registry Editor (regedit.exe) and browse to the following key in the left pane:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Find the value ClearPageFileAtShutdown in the right pane, double-click it and:

  • set it to 0 to turn the behaviour off
  • set it to 1 to turn the behaviour on

Alternatively, use the Local Security Policy: Start > Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options. Double-click the entry Shutdown: Clear virtual memory pagefile in the right pane and select Enabled.

Disable Dump file creation

When your computer stops unexpectedly as a result of a Stop error (also known as a “blue screen of death”, system crash or bug check), a Memory.dmp file is automatically created; it is helpful when diagnosing problems with debugging tools. Like the page file, this stored data can contain sensitive information and passwords.

To disable dump file creation: open the System folder in Control Panel, click on the Advanced tab and then click the Settings button under Startup and Recovery. Under Write debugging information, open the drop-down menu, select (none) and click OK your way out.

Note: disabling dump file creation does not delete dump files created on earlier occasions. To delete them, use Windows Explorer, browse to the default location, C:\Windows, and delete the Memory.dmp file.

Disable Dr.Watson dump file creation

A memory dump file similar to the above is created by Dr. Watson, a program error debugger that gathers information about your computer when an error (a user-mode fault) occurs in a program.

To disable the Dr. Watson dump file: start the Registry Editor (regedit.exe) and browse to the following key in the left pane:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug

Click on it, double-click the value Auto in the right pane and change the value to “0”.

Note: disabling Dr. Watson does not delete dump files created on earlier occasions. To delete them, use Windows Explorer, browse to C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson and delete the files named User.dmp and Drwtsn32.log.
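As an added example (not part of the original post), the following read-only PowerShell script audits the settings covered in the sections above: whether the session runs as admin, Guest disabled, anonymous SAM enumeration, hidden extensions, Remote Desktop and Remote Assistance, the Messenger service, page-file clearing and both dump files. It assumes Windows PowerShell 2.0 on an English-language XP system, and the registry locations for the settings the post only names through the GUI (RestrictAnonymous, HideFileExt, fDenyTSConnections, fAllowToGetHelp, CrashDumpEnabled) are standard Windows values the post itself does not list.

```powershell
# Added audit script: reports the hardening state described in the post, changes nothing.
# Assumes Windows PowerShell 2.0 and an English "net user" output. Registry values not
# named in the post (RestrictAnonymous, HideFileExt, fDenyTSConnections, fAllowToGetHelp,
# CrashDumpEnabled) are the standard locations behind the GUI settings it describes.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns the value, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-RegValue {
    param([string]$Check, [string]$Path, [string]$Name, $Expected)
    $actual = Get-RegValue $Path $Name
    New-Object PSObject -Property @{
        Check = $Check; Expected = $Expected; Actual = $actual; Pass = ($actual -eq $Expected)
    }
}

$results = @()

# "Use a non-admin account": is this session running with administrator rights?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$results += New-Object PSObject -Property @{
    Check = 'Session is NOT an administrator'; Expected = $false; Actual = $isAdmin; Pass = (-not $isAdmin) }

# "Turn off the Guest account": "net user Guest" prints "Account active   No" when disabled.
$line = net user Guest 2>$null | Select-String 'Account active' | ForEach-Object { $_.Line }
$guestOff = ($line -match 'No\s*$')
$results += New-Object PSObject -Property @{
    Check = 'Guest account disabled'; Expected = $true; Actual = $guestOff; Pass = $guestOff }

# Registry-backed settings: GUI option in the post -> value and expected state.
$results += Test-RegValue 'Anonymous SAM/share enumeration denied' `
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RestrictAnonymous' 1
$results += Test-RegValue 'Explorer shows known file extensions' `
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt' 0
$results += Test-RegValue 'Remote Desktop disabled' `
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' 1
$results += Test-RegValue 'Remote Assistance disabled' `
    'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp' 0
$results += Test-RegValue 'Page file cleared at shutdown' `
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' 'ClearPageFileAtShutdown' 1
$results += Test-RegValue 'Kernel memory dump disabled' `
    'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' 'CrashDumpEnabled' 0
$results += Test-RegValue 'Dr. Watson auto-dump disabled (AeDebug\Auto)' `
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug' 'Auto' '0'

# "Messenger" service: must be Disabled (or absent on systems where it was removed).
$svc  = Get-WmiObject Win32_Service -Filter "Name='Messenger'"
$mode = if ($svc) { $svc.StartMode } else { 'not installed' }
$results += New-Object PSObject -Property @{
    Check = 'Messenger service disabled'; Expected = 'Disabled'; Actual = $mode
    Pass  = ($mode -eq 'Disabled' -or $mode -eq 'not installed') }

# Failed rows are the items still to be fixed by following the steps in the post.
$results | Select-Object Check, Expected, Actual, Pass | Format-Table -AutoSize
```

Run it first from the limited user account you use day to day and then from the admin account, since the HKCU and "session is not an administrator" rows are per-user.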

Neutralize the scrap file

A scrap file is a type of file used to transfer objects between programs on Windows computers. A scrap file can contain just about anything from simple data, to a document or spreadsheet, to an executable program.

The scrap file can be named with almost any extension to make it look like a benign file (e.g. .GIF, .JPG, .TXT, etc.), and then Windows adds the .SHS extension to that. In most cases, even if you have Windows set to show all file extensions, the .SHS extension will not show up after you’ve saved the file to disk (it should be visible as an attachment to an e-mail message). This makes scrap files more dangerous, as they can easily appear to be something they are not just by giving the file a benign name.

Windows assigns “RUNDLL32.EXE SHSCRAP.DLL, OPENSCRAP_RUNDLL %1” to the .SHS extension by default and, when opened, Windows will unpack the scrap file and open or execute whatever is in the file. You will have no control over this once you attempt to open the scrap file.

The display of the .SHS extension is controlled by the following registry entry…


and “NeverShowExt” on the right pane.

To neutralize the scrap file, you can either change “NeverShowExt” to “AlwaysShowExt” or simply delete the entry. Then reboot, and .SHS files should show their extension even when saved to disk.

Scrap Files Can Tear You Up

Keep Yourself Informed

Newer and more sinister malware is detected nearly every other day, making it imperative that anyone interested in better online security keeps informed about the goings-on in the anti-malware field.

by Shanmuga on October 25, 2008
