# Securing Windows 2000/XP/Server 2003 services HOW TO



## Alec§taar (Aug 22, 2006)

This is all I could save. I don't know if people can see what I can in the Wiki, but I got this article; the others he deleted before he posted them in the wiki, and I don't have the powers even in my sections to bring them back... perhaps a backup, but I'm not sure we have one, I'll go see. He did a damn good job at making sure nothing of his existed after he left... I'm at school, but when I get home I'll email him and see if I can get him back. I'm not done fighting yet. -Solaris17




Securing Windows 2000/XP/Server 2003 services HOW TO 
I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privilege user too for this on 2000 if needed)... 

I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits). 


LOCAL SERVICE startable list (vs. LocalSystem Logon Default): 


--------------------------------------------------------------------------------

Acronis Scheduler 2 Service 
Alerter (needs Workstation Service Running) 
COM+ System Application 
GHOST 
Indexing Service 
NVIDIA Display Driver Service 
Office Source Engine 
O&O Clever Cache 
Remote Registry 
Sandra Service 
Sandra Data Service 
SmartCard 
Tcp/IP NetBIOS Helper 
Telnet 
UserProfile Hive Cleanup Service 
Volume Shadowing Service 
Windows UserMode Drivers 
Windows Image Acquisition 
WinHTTP Proxy AutoDiscovery Service 

NETWORK SERVICE startable list (vs. LocalSystem Logon Default): 


--------------------------------------------------------------------------------

ASP.NET State Service 
Application Layer Gateway 
Clipbook (needs Network DDE & Network DDE DSDM) 
Microsoft Shadow Copy Provider 
Executive Software Undelete 
DNS Client 
DHCP Client 
Error Reporting 
FileZilla Server 
Machine Debug Manager 
Merger 
NetMeeting Remote Desktop Sharing Service 
Network DDE 
Network DDE DSDM 
PDEngine (Raxco PerfectDisk) 
Performance Logs & Alerts 
RPC 
Remote Desktop Help Session Manager Service 
Remote Packet Capture Protocol v.0 (experimental MS service) 
Resultant Set of Policies Provider 
SAV Roam 
Symantec LiveUpdate 
Visual Studio 2005 Remote Debug 

PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SIDs as far as I know, not standard passwords. 


--------------------------------------------------------------------------------

WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM! 

If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)? 

Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen! 

If that fails? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of: 

ListSvc (shows services & drivers states of stopped or started) 

Enable (starts up a service &/or driver) 

Disable (stops a server &/or driver) 

Which can turn them back on if/when needed 

Last edited by APK on 03/04/2007 
I.E. -> I removed Telephony, Symantec AntiVirus, & Virtual Disk Service! 

(ON Virtual Disk Service being removed, specifically: This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk) 

*SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:* 

*STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this! * 

Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient): 

===============================================================
The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended): 
==============================================
http://forums.techpowerup.com/showthread.php?p=282551#post282551 

==============================================
"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use its File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work" 

(It's easy, & it works, & is necessary for the actual steps to do this, below) 


--------------------------------------------------------------------------------

(Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs) 


--------------------------------------------------------------------------------

*STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003* 

http://support.microsoft.com/kb/816297 

*Create and Define a New Security Template* 

(To define a new security template, follow these steps) 

*1.* In the console tree, expand Security Templates.
*2.* Right-click %SystemRoot%\Security\Templates, and then click New Template.
*3.* In the Template name box, type a name for the new template. 

(If you want, you can type a description in the Description box, and then click OK) 

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column. 

*1.* To define a System Services policy, follow these steps:
*a.* Expand System Services.
*b.* In the right pane, double-click the service that you want to configure.
*c.* Specify the options that you want, and then click OK. 

==============================================
APK (added 03/08/2007)
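An added example (not from the thread or its author) that scripts the re-logon technique the guide above describes: it lists which services still run as LocalSystem, plans the move to LocalService / NetworkService for the ones the guide tested, flags shared-process services (the error 1079 case reported later in this thread), and makes the "run it a while and see what refuses to start" check explicit. It assumes PowerShell 2.0+ run elevated with WMI access and sc.exe on the PATH; the display-name arrays are editor-adjusted spellings of the guide's lists.

```powershell
# Added example, not from the thread: audit which services still log on as
# LocalSystem, plan the re-logon to LocalService / NetworkService for the ones
# the guide tested, and spot services that broke afterwards.
# Assumes PowerShell 2.0+ with WMI access and sc.exe on the PATH (run elevated).

# Display names from the guide's two lists, as they appear on a Server 2003
# build (editor-adjusted spellings; add your own third-party services here).
$LocalServiceOk = @(
    'Alerter', 'COM+ System Application', 'Indexing Service', 'Remote Registry',
    'Smart Card', 'TCP/IP NetBIOS Helper', 'Telnet', 'Volume Shadow Copy',
    'Windows Image Acquisition (WIA)', 'WinHTTP Web Proxy Auto-Discovery Service'
)
$NetworkServiceOk = @(
    'Application Layer Gateway Service', 'ClipBook', 'DNS Client', 'DHCP Client',
    'Error Reporting Service', 'Network DDE', 'Network DDE DSDM',
    'Performance Logs and Alerts', 'Remote Desktop Help Session Manager',
    'Resultant Set of Policy Provider'
)

function Get-LocalSystemServices {
    # Every service whose logon account is still LocalSystem, plus whether it
    # shares an svchost.exe process group (-k <group>) with other services.
    Get-WmiObject Win32_Service | Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $group = ''
            if ($_.PathName -match '-k\s+(\S+)') { $group = $Matches[1] }
            New-Object PSObject -Property @{
                Name         = $_.Name
                DisplayName  = $_.DisplayName
                StartMode    = $_.StartMode
                State        = $_.State
                ServiceType  = $_.ServiceType      # 'Share Process' or 'Own Process'
                SvchostGroup = $group
            }
        }
}

function Get-ServiceRelogonPlan {
    # One row per service the guide says can be lowered, with the sc.exe command
    # that does it. Nothing changes unless -Apply is given, and even then a
    # shared-process service is only reported: giving one member of an svchost
    # group a different account from its siblings fails with error 1079, so the
    # whole group has to move together or be left alone.
    param([switch]$Apply)
    foreach ($svc in Get-LocalSystemServices) {
        $account = $null
        if ($LocalServiceOk -contains $svc.DisplayName) {
            $account = 'NT AUTHORITY\LocalService'
        } elseif ($NetworkServiceOk -contains $svc.DisplayName) {
            $account = 'NT AUTHORITY\NetworkService'
        }
        if (-not $account) { continue }

        $warning = ''
        if ($svc.ServiceType -eq 'Share Process' -and $svc.SvchostGroup) {
            $warning = "shares svchost group '$($svc.SvchostGroup)'; change all members together or expect error 1079"
        }
        # No password= argument: as the guide notes, the built-in service
        # accounts are identified by SID, so the password stays blank.
        $command = 'sc.exe config {0} obj= "{1}"' -f $svc.Name, $account
        if ($Apply -and -not $warning) {
            & sc.exe config $svc.Name obj= $account | Out-Null
        }
        New-Object PSObject -Property @{
            Service = $svc.Name; Account = $account; Command = $command; Warning = $warning
        }
    }
}

function Find-BrokenAutoServices {
    # The guide's test is "run the system a while and see what refuses to start".
    # An Automatic service that is not running under a non-LocalSystem account is
    # the one to revert (from Safe Mode or the Recovery Console if it must be).
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' -and $_.StartName -ne 'LocalSystem' } |
        Select-Object Name, DisplayName, StartName, State
}

# Review first, apply second, re-check after a reboot.
Get-ServiceRelogonPlan | Format-Table Service, Account, Warning -AutoSize
# Get-ServiceRelogonPlan -Apply | Out-Null
Find-BrokenAutoServices | Format-Table -AutoSize
```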


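An added example (editor's code, not the thread's) for the ACL-level part of the guide above: instead of clicking through the Security Templates snap-in, it writes the same kind of template file, disabling a few services from the guide's lists that a stand-alone box usually does not need and giving each a service ACL that only SYSTEM and Administrators can change, then runs secedit in analysis mode so nothing is applied until the log has been read. Paths, the chosen services and the SDDL are assumptions; it relies on secedit.exe (2000/XP/2003) and PowerShell 2.0+.

```powershell
# Added example, not from the thread: build a security template that disables a
# few services from the guide's lists and locks their ACL, then analyse only.
# Assumes PowerShell 2.0+ and secedit.exe; paths, services and SDDL are the
# editor's choices, not the guide's.

$template = 'C:\Temp\apk-services.inf'   # assumed working paths
$database = 'C:\Temp\apk-services.sdb'
$log      = 'C:\Temp\apk-services.log'

# Service short names (what sc.exe uses), not display names. Start type codes
# in a template: 2 = Automatic, 3 = Manual, 4 = Disabled.
$services = @{
    'TlntSvr'        = 4   # Telnet
    'RemoteRegistry' = 4   # Remote Registry
    'Alerter'        = 4   # Alerter
}

# Service ACL in SDDL: full control (including WD/WO, write DACL/owner) for
# SYSTEM and Administrators; interactive and service logons can only query.
# A compromised low-privilege process therefore cannot re-enable the service.
$sddl = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
        '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
        '(A;;CCLCSWLOCRRC;;;IU)' +
        '(A;;CCLCSWLOCRRC;;;SU)'

function New-ServiceTemplate {
    # Writes a minimal .inf in the layout the Security Templates snap-in saves:
    # the [Service General Setting] section holds "name",starttype,"sddl" rows.
    param([string]$Path, [hashtable]$Services, [string]$Sddl)
    $lines = @('[Unicode]', 'Unicode=yes',
               '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
               '[Service General Setting]')
    foreach ($name in ($Services.Keys | Sort-Object)) {
        $lines += ('"{0}",{1},"{2}"' -f $name, $Services[$name], $Sddl)
    }
    Set-Content -Path $Path -Value $lines -Encoding Unicode   # secedit wants UTF-16
    return $Path
}

function Test-ServiceTemplate {
    # Imports the template into a fresh database and compares it with the live
    # machine. Differences go to the log; nothing on the box is changed.
    param([string]$Template, [string]$Database, [string]$Log)
    if (Test-Path $Database) { Remove-Item $Database }
    & secedit.exe /analyze /db $Database /cfg $Template /log $Log | Out-Null
    Get-Content $Log
}

New-ServiceTemplate -Path $template -Services $services -Sddl $sddl | Out-Null
Test-ServiceTemplate -Template $template -Database $database -Log $log
# To enforce it after reviewing the log (services area only):
#   secedit.exe /configure /db $database /cfg $template /areas SERVICES /log $log
```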
----------



## Alec§taar (Aug 23, 2006)

*The method above is good vs. the faults in Windows vs. MacOS X noted in the URL*

Suggestions + critique are welcome, & add on ideas too... especially THIS part, to improve it!

 

* DONE!

(When I first got here, somebody asked me to "write the damn book of knowledge" lol, well... there tis', consolidated from ALL of my posts on the subject of internet security & speeding it up as well @ the SAME TIME!)

APK

P.S.=> Moderators: AGAIN - if you feel this 'makes the grade' as to consolidating a secure your system & speedup online STICKY THREAD? Go for it... 

LOL, personally speaking? I do think so, but... it's NOT up to me to judge! apk


----------



## PVTCaboose1337 (Aug 24, 2006)

OMG sticky, good job Alec§taar!


----------



## Alec§taar (Aug 24, 2006)

Suggestions + critique are welcome, & add on ideas too... especially THIS part, to improve it!



* DONE!

(LOL - Hey: I remember when I first got here a year ago? Well, somebody asked me to "write the damn book of knowledge" lol, well... there tis', consolidated from ALL of my posts on the subject of internet security & speeding it up as well @ the SAME TIME!)

APK

P.S.=> Moderators: AGAIN - if you feel this 'makes the grade' as to consolidating a secure your system & speedup online STICKY THREAD? Go for it... 

LOL, personally speaking? I do think so, but... it's NOT up to me to judge! apk


----------



## PVTCaboose1337 (Aug 24, 2006)

You have the longest and most informative posts!  Of course I expect this quality of article.


----------



## Jimmy 2004 (Sep 24, 2006)

Well, I only just got round to sorting this out for my services. Thanks for the guide, Alec. So far no problems, but I have found that the Diskeeper service will not start if it has Local or Network Service, so I left it as Local System. Going to move to PerfectDisk soon anyway because I read much better reviews about it.


----------



## Slater (Sep 24, 2006)

Should I check "Allow service to interact with desktop"?


----------



## Jimmy 2004 (Sep 24, 2006)

Alec§taar said:


> *QUESTION:*
> 
> Did you have ANY others than I did not list above, besides Diskeeper (I use this too, it will NOT work that way, you are right)?
> 
> (If so, please provide them, if you have services diff. from the list above & also IF they work doing this technique).



I will try changing their settings sometime, the one thing I've noticed about this guide is that it doesn't list the Windows services that NEED to be left as local system, so some people might not be too sure what they're doing and worry about any that aren't listed. Just a suggestion that you might want to include in any future revisions. 

The non-default ones I have that you have not listed are:

.Net Runtime Optimization Service v2.0.50727_X86
Ati HotKey Poller
ATI Smart
AVG E-mail Scanner
AVG7 Alert Manager Server
AVG7 Update Service
BlueSoleil Hid Service
Bluetooth Support Service
ewido anti-spyware 4.0 guard
iPod Service
Messenger Sharing USN Journal Reader Service
Service Layer
Windows Defender Service

The problem is that the only ones of these I actually use are the AVG and Windows Defender services and occasionally the "Service Layer" service (related to Nokia PC Suite) and the "Messenger Sharing USN Journal Reader Service" (related to Windows Live Messenger). Anyway, I'll see how much I can secure those and post back how I get on. I'll try to test it sometime this week; I'm just a bit wary of changing the AVG settings because the only way to test if it was still working would be for a virus to be detected... and I'd rather I didn't get viruses!


----------



## Slater (Sep 24, 2006)

Uhm, I don't have any options other than LocalSystem I believe 

Running x64


----------



## pt (Sep 24, 2006)

cool guide
too bad my school starts tomorrow  , my time on the pc will be far less


----------



## Jimmy 2004 (Sep 24, 2006)

I don't normally have time during the day to play with settings, but if I find time in the evenings I will have a go. Concentrating on Vista atm though.


----------



## Jimmy 2004 (Sep 25, 2006)

I'm considering setting up my PC to work as a limited account except for installing stuff, but I just wondered if you know whether all programs work then Alec (or anyone else). Thanks.


----------



## Jimmy 2004 (Sep 26, 2006)

Alec§taar said:


> this is what RUNAS is for! apk



Well the whole vista setup is what inspired me to want to use a limited account. Although those messages get annoying they are good for security and like you say "RunAs" could be used. I've decided to stick as an administrator account for now, but I might give it a go in the future.

One service that I have found out needs Local System rights is the AVG7 Update Service; if it is set to Network Service it brings up a message about not being able to change files next startup or something along those lines. I'll try to get round to testing the rest later in the week / at the weekend.


----------



## Slater (Sep 27, 2006)

They got the idea from you alec xD


----------



## Jimmy 2004 (Sep 27, 2006)

Alec, I've found two settings in your guide that don't work well with my computer:

UserProfile Hive Cleanup Service
DHCP Client

Both of the above need to be set to local system in order for them to work correctly (seems unusual considering that M$ puts DHCP client in that list...) 

For DHCP I get the message "Error 1079. The account specified is different from the account specified for other services running in the same process." Not too sure how I can conquer that, guessing that it's linked to the whole svchost.exe generic process.


----------



## Slater (Sep 27, 2006)

> P.S.=> I am personally surprised they have not issued a security update altering this in the registry really, on ALL of their Win32 OS of NT-based nature/ancestry.
> 
> That is, if they have NOT done so already in hotfixes (they have with ACL's & I mention it in other threads here in fact)... because of this year's past exploits of services! apk



Wait a couple days, you just gave them the idea


----------



## AshenSugar (Oct 23, 2006)

OK, question: I forgot to disable the printer port before I installed Windows 2003 this last time. How do I remove the service so it doesn't bitch about the service failing to load each time Windows starts, now that I disabled it? (My board doesn't actually have a printer port, just a header for one.)


----------



## Jimmy 2004 (Oct 23, 2006)

I really should get round to testing those services soon.


----------



## Completely Bonkers (Feb 9, 2007)

Alec... Great post.

Could you please load www.belarc.com and run an audit. It will give you a security rating. See what you get.  If you don't get a score of 10... figure out what's wrong. My score is about 4 and to be honest, I'm stuck! LOL


----------



## Completely Bonkers (Feb 9, 2007)

Belarc Advisor is free.  And it is pretty good.  Shows you the status of security upgrades and other "hardening" issues. I can recommend it. Just don't know how to implement all of its recommendations.


----------



## Completely Bonkers (Feb 9, 2007)

Here is some of the output from Belarc. As you can see I'm up to date on hotfixes, but my CIS score has gone down to 3.13 with the new version of Belarc. Ooohps.  It seems that I need to manage permissions better. But not sure how to do this.


----------



## Completely Bonkers (Feb 9, 2007)

Thanks Alec. I think the greatest help would be to understand the _technique _for handling each section, rather than each specific item itself. Thanks in advance.

P.S. Use the left-right scroll bar in your browser windows to see the screen. The gifs might appear wide if you are not using a 1600+ pixel screen


----------



## Alec§taar (Feb 13, 2007)

Ok, some of it, I agreed with... other parts, not.

Examples: (coming, will edit it in & explain why I did not agree w/ some of its assessments).

Scored just a WEE BIT better than what you did, initially (you should do better once you use secpol.msc, regedit.exe, & explorer.exe for NTFS, etc. & follow some of its recommendations there) -> 

*APK SCORE -> 4.17 of 10 (I don't agree w/ all of its recommendations, see next post)*






(Some of it though, I definitely DO NOT AGREE WITH - 1 example being that IF I cutoff using a service completely? It's downgrading me for it... that's not right, lol!)

Check it -> A service IS NOT vulnerable, if I do not allow it to run, period, SET TO DISABLED: And, I lower their logon entity to less than SYSTEM (NETWORK SERVICE or LOCAL SERVICE) for the DISABLED ONES on top of cutting them off!

(You ALL KNOW that saves I/O, CPU, RAM, you-name-it, another reason I do it (why run something I don't need or use))

I also do that for the few I run.

Lessening their logon priority makes them a LOT less powerful IF overtaken, what little services I run (they are secure afaik)! 

Plus, I am on a non-HOME-LAN type networked rig presently, & some of its complaints are bugging me, saying I am limiting functionality - FUNNY, BUT THAT IS WHAT I AM OUT TO DO, especially to 'remote users'/potential interlopers: Run less background apps that MIGHT have exploitable holes in them, & save CPU cycles &/or RAM, & secure the ones that you DO run.

APK

P.S.=> I'll point out next, where I personally feel it is 'cutting users down too much', especially for things like turning off services you do NOT use, hey - how can they be 'vulnerable' if not active, or disabled, period, for instance (answer - they're NOT)... apk


----------



## Alec§taar (Feb 17, 2007)

*CompletelyBonkers, got my score on BELARC ADVISOR higher finally*








* Up, from 4.17 before, to a 5.0... "she's getting there!"

APK


----------



## pt (Feb 18, 2007)

i have 4.338 on that thing


----------



## Namslas90 (Mar 13, 2007)

Thanx, I needed that!!
Nice to hear from you;
Don't work too hard!!

L8r


----------



## CheckingUpOnInfraRed (Mar 13, 2007)

Namslas90 said:


> Thanx, I needed that!!



Good, I hope so... I saw your profile, & security IS part of the name of YOUR game I see!





Namslas90 said:


> Nice to hear from you;



It is ONLY to "keep square w/ the house" here, karma etc. because folks here did teach me about AMD overclocking (since I let my hardware know-how go WAY slack in the time that I have been concentrating on software/OS/programming instead for the last decade++ or so now)...

My explicitly giving Solaris17 & InfraRed the material for reconstructing this post the RIGHT way, with all of its data intact & what-not, via email, is for getting square w/ the house, debt erased type of thing:

All so they each have data to reconstruct this post the way I would have per Solaris17's request to make the sticky threads I had here (4 of them) into less (I eliminated 1, startup/run areas & consolidated 3 more into what this one WILL be eventually once Solaris does the directions above).

It is probably the BEST post I ever put out here, so... I think it "evens up the score" with TPU members who taught me the tricks of o/c'ing a modern AMD rig.



Namslas90 said:


> Don't work too hard!!
> 
> L8r



Have no choice, have to... largest reason I have to 'lay off' doing forums really... well, that & some of the replies I saw in various threads after I left... because, as you can see? THERE IS NO BANNING ME.

(Man - 1 good thing comes of things like this situation turned out to be: I can tell who was against me, or was my pal... always a good thing, that!)

APK


----------



## Jimmy 2004 (Mar 13, 2007)

Hi Alec - not sure how long you'll last back here, but I thought I'd let you know the guys over at AshenTech would like you to join them I think - not that I want to push people away from TPU, but doubt you're planning to post on here anymore.

Thanks for trying to get the thread back up, although I can't say I approved of removing it in the first place. 
BTW, the DDOS comment was from this thread. Anyway, enough of that subject, techPowerUp! has had more than enough drama and doesn't need anything else.


----------



## AshenSugar (Mar 14, 2007)

Yes, we would like to see Alec come by, even if only from time to time.

And of course they banned him again, and would ban a hundred more accounts if they knew it was him, or others who have come back under ghost names.

As you should know, Alec and others, I consider Alec a friend, we had great talks, it's over and done, I'm sure he's not going to be welcomed back here, and I'm sure that's mostly because a few people still really have a problem with him and how he reacted to the situation that happened that night... everybody needs to just let it go...

This was a great place, and may be one again, but many were driven away by what's happened over the last few months; this Alec thing was just the straw that broke the camel's back: punish one and not the other when both should be held accountable... to me that was a big thing... I have been a forums admin 5+ times in the past, also been a gmod/supermod more times than that, and I would have temp-banned them both as soon as I saw it happening, give them a couple/few days to cool off... if that didn't work, well, weeks or more may have been needed, but I never would have taken sides as it seems some mods did... I can't blame Alec for being upset and deciding not to come back here; it sickens me how mods can jump to take sides, then crap like the thread wazzle posted... a mod shouldn't be doing that shit..

It's become clear that wazzle really does just like to stir shit up... as others have told me in the past... not a good thing for a mod to do...


----------



## Jimmy 2004 (Mar 14, 2007)

Admittedly you could also follow the first link in ashen's sig to get you to ashentech, but unfortunately that will link you to ashentech.coom .


----------



## newtekie1 (Mar 14, 2007)

Ashen, why is it that you are the only one that can't seem to "just let it go"?



AshenSugar said:


> punish one and not the other when both should be held accountable... to me that was a big thing... I have been a forums admin 5+ times in the past, also been a gmod/supermod more times than that, and I would have temp-banned them both as soon as I saw it happening, give them a couple/few days to cool off... if that didn't work, well, weeks or more may have been needed, but I never would have taken sides as it seems some mods did... I can't blame Alec for being upset and deciding not to come back here; it sickens me how mods can jump to take sides



See Here to discover why he was banned and I wasn't:
http://forums.techpowerup.com/showthread.php?p=284508

It has something to do with the fact that I didn't do anything and he did(and then some).  The mods didn't take sides, they banned the one that deserved it and not the innocent one.  I got my infraction for my one and single insult given out, which again was only after he insulted me.

Now, follow your own advice and just let it go already.


----------



## Polaris573 (Mar 14, 2007)

How about all of you stop it?


----------



## newtekie1 (Mar 15, 2007)

Polaris573 said:


> How about all of you stop it?



I've let it go, obviously I'm back, just needed a day or two to cool off.  But I'll defend myself as long as Ashen keeps going on about it. That is just the kind of person I am and the personality I have.


----------



## TheMasterOfSinanju (Jun 18, 2007)

*NEWLY AMENDED, FULL BORE HOW TO SECURE YOUR RIG by "The Master of Sinanju" (apk)*

Original version @ slashdot -> http://it.slashdot.org/comments.pl?sid=237507&cid=19410153

*INTRODUCTION:*

Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - new holes/vulnerabilities appear in the OS & its libs + apps, but this gets you closer, if not as close as a body needs to be!).

*THIS IS GEARED TO "stand-alone" systems online on the internet* (However - it can be adapted for LAN/WAN office or home networked environs, BUT, pay attention to step #2's 'warnings' about pulling Client For Microsoft Networks, &/or File & printer sharing - most networks require/need this)

*BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:*

Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):

http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

It is a personally 'security-hardened' model I have been working on for many years, using principles I learned & used since the NT 3.5x days onward to this version of the OS: As is now?

I score an 84.735 on the CIS Tool 1.x currently as of 06/01/2007! This is up from my past score here of 76.xxx on it, & here is how to do it!

(For CIS Tool - Linux, MacOS X, Solaris, & other OS ports of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)

*DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:*

http://www.cisecurity.org/bench.html

(*IMPORTANT:* This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!)

*APK 14 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):*

*1.) Windows Server 2003's SCW* was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP (you have to install this, it does NOT install by default)) first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as a starting point))...

Directions for its installation are as follows:

Start the Add or Remove Programs Control Panel applet.

Click Add/Remove Windows Components.

On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

DONE! Now, run it... it is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

Then, @ that point? I pull ANY Networking clients &/or Protocols in the Local Area Connection, other than Tcp/IP typically (& disable NetBIOS as well, because I don't need it here), on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN. I also disable that too!

*2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks"* in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)!

*3.) Use IP security policies* (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:

http://www.analogx.com/contents/articles/ipsec.htm

(Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)

*NOTE:* This can be 'troublesome' though, for folks that run filesharing clients though. An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.

(*HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc* & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it & when done? TURN THEM ON, AGAIN!).

*4.) USE General security policies in gpedit.msc/secpol.msc*, these are VALUABLE tools (and will be needed & suggestions for it will be told to you by the CIS Tool noted above - great stuff!)

*5.) HARDENING & SECURING SERVICES HOW-TO:*

Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE), see this URL where I did a lot of research for a prebuilt list for another forums, to see how/why this works:

http://forums.techpowerup.com/showthread.php?t=16097

I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privilege user too for this on 2000 if needed)...

I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

*LOCAL SERVICE startable list* (vs. LocalSystem Logon Default):

Acronis Scheduler 2 Service
Alerter (needs Workstation Service Running)
COM+ System Application
GHOST
Indexing Service
NVIDIA Display Driver Service
Office Source Engine
O&O Clever Cache
Remote Registry
Sandra Service
Sandra Data Service
SmartCard
Tcp/IP NetBIOS Helper
Telnet
UserProfile Hive Cleanup Service
Volume Shadowing Service
Windows UserMode Drivers
Windows Image Acquisition
WinHTTP Proxy AutoDiscovery Service

*NETWORK SERVICE startable list* (vs. LocalSystem Logon Default):

ASP.NET State Service
Application Layer Gateway
Clipbook (needs Network DDE & Network DDE DSDM)
Microsoft Shadow Copy Provider
Executive Software Undelete
DNS Client
DHCP Client
Error Reporting
FileZilla Server
Machine Debug Manager
Merger
NetMeeting Remote Desktop Sharing Service
Network DDE
Network DDE DSDM
PDEngine (Raxco PerfectDisk)
Performance Logs & Alerts
RPC
Remote Desktop Help Session Manager Service
Remote Packet Capture Protocol v.0 (experimental MS service)
Resultant Set of Policies Provider
SAV Roam
Symantec LiveUpdate
Visual Studio 2005 Remote Debug

*PLEASE NOTE:* Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SIDs as far as I know, not standard passwords.

*WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES:* Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

If that fails? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

ListSvc (shows services & drivers states of stopped or started)

Enable (starts up a service &/or driver)

Disable (stops a server &/or driver)

Which can turn them back on if/when needed

(ON Virtual Disk Service being removed, specifically (because it used to be in this list): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

*CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this - do consider it, when possible!*

*SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:*

*STEP #1:* CONFIGURE A CUSTOM Microsoft Management Console for this!

Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

http://forums.techpowerup.com/showthread.php?t=16097

"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use its File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

(It's easy, & it works, & is necessary for the actual steps to do this, below)

Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

*STEP #2:* HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

(To define a new security template, follow these steps)

1. In the console tree, expand Security Templates
2. Right-click %SystemRoot%\Security\Templates, and then click New Template
3. In the Template name box, type a name for the new template.

(If you want, you can type a description in the Description box, and then click OK)

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

1. To define a System Services policy, follow these steps:
a. Expand System Services
b. In the right pane, double-click the service that you want to configure
c. Specify the options that you want, and then click OK.

(And, of course, the user feedback on its effectiveness (makes your Win32 NT-based OS very much like how MacOS X treats its daemon processes via privilege levels), which uses the same general principles)

It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

DONE!

*6.) Another thing I do for securing a Windows NT-based OS: IP Port Filtrations* (like ip security policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IPSecurity policies, hardware AND software firewalls, all in combination/simultaneously running)!

*DIRECTIONS:*

1. Start Menu -> Connect To item (on the right-hand side) -> Local Area Connection (whatever you called it, this is the default, iirc); open it via double click OR the right-click popup menu PROPERTIES item.
2. Press/click the Properties button at the bottom left -> NEXT SCREEN (Local Area Connection PROPERTIES).
3. Under "This connection uses the following items", go down the list to TCP/IP, select it & click the PROPERTIES button there.
4. Press/click the Advanced button at the bottom right-hand side (shows the Advanced TCP/IP Settings screen).
5. OPTIONS tab: TCP/IP Filtering is in the list; highlight/select it, & beneath the Optional Settings press/click the PROPERTIES button on the lower right-hand side.
6. Check the "Enable TCP/IP Filtering (on all adapters)" selection.
7. In the far right IP PROTOCOLS section, add 6 (TCP) & 17 (UDP).
8. In the far left "TCP ports" list, check the radio button above the list titled "PERMIT ONLY", & then add the ports you want to have open (all others will be filtered out; for example, I leave ports 80, 8080 & 443 open here, only - you may need more if you run mail servers & what-have-you (this varies by application)).
9. I leave the UDP section "PERMIT ALL" because of the ephemeral/short-lived port usage that Windows does (I have never successfully filtered this properly, but it doesn't matter as much imo, because UDP does not do 'callback' as TCP does, & that is why TCP can be DDoS'd/DoS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)).
10. DONE!

You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA? This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

http://www.microsoft.com/technet/community/columns/cableguy/cg0605.mspx

(Enjoy the read, it is VERY informative - That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

*7.) PLUS, this version of the OS in Server 2003 has a hardened IE6/7 by default* (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)

*8.) Running the "std. stuff", like AntiVirus* (NOD32 latest 2.7x - best one there is, & that is not only MY opinion after testing it vs. my former fav. NAV Corporate 10.2 (it is lighter in RAM & resource use than NAV Corporate even, finds more viruses than others, & uses fewer "moving parts" (in the way of services componentry) than most do, & certainly fewer than NAV)) *+ SpyBot (Ad-Aware is another option)* as my resident antispyware tool running in the background! *AntiRootkit tools are another one to be conscious of nowadays*, now that such machinations are available for Windows (they originated, afaik, in the UNIX world though). The "best ones" are:

AVG AntiRootkit
BitDefender AntiRootkit
GMER
Rootkit Revealer
PrevX AntiRootkit
Rootkit Hook Analyzer
Sophos AntiRootkit
F-Secure Blacklight
Gromozon Rootkit Removal Tool
KLister
McAfee Rootkit Detective
PatchFinder
RogueRemover
VICE
System Virginity Verifier for Windows 2000/XP/2003

That is a list for you all to choose from, they all do a decent enough job though, & are 100% FREE - SO, DO use them!

*9.) Plus good email client practices* like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person (still gets email scanned though by your resident antivirus email scan component (use AntiVirus programs with these, OR, manually scan ANY attachments before opening them (if you get Microsoft Office .doc, .xls, .ppt etc. files uncompressed? HOLD DOWN THE SHIFT KEY AS YOU OPEN THEM - this stops macros from running & macros are the avenue utilized using VBA script to infect you))

*10.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router* (with cookie & scripting filtering built-in @ the hardware level), these are excellent investments for security.

*11.) USE Tons of security & speed oriented registry hacks* (reconfiging the OS basically - stuff like you might do in etc in UNIX/LINUX I suppose)

Many can be found here, in an article I authored (and it tells what they do, & how they work, w/ descriptions from Microsoft themselves):

http://www.avatar.demon.nl/APK.html

OR, if that site is down? Download them from here @ SOFTPEDIA (where they are rated 4/5):

http://www.softpedia.com/get/Tweak/System-Tweak/APK-Internet-and-NTkXP-Speedup-Guides.shtml

OR, just email me here for them -> apk4776239@hotmail.com

(I also have these PREBUILT, in .reg files, mind you!)

They are FULLY documented internally, with link url's to the Microsoft pages they came from, inside the .reg files, so YOU can look at what the hack does inside them, verify this @ MS, & know what the valid parameters are as well!

(This? It took me FOREVER a year or so ago to do this, but worth it!)

The urls, or downloadable .mht files, outline it all (as do my prebuilt .reg files, probably the BEST choice of the lot imo), as to what you can ".reg file hack" for better SPEED, and SECURITY online, in a modern Windows 2000/XP/Server 2003 OS & has references from Microsoft in it for each setting plus their definitions & parameters possible!

*12.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE* (my personal one houses, as of this date, 90,000 known adbanner servers, OR sites known to bear malicious code & exploits (per GOOGLE mostly, from stopbadware.org))

Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filtering files + cascading style sheets for this purpose.

(As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))

For a copy of mine, write me, here -> apk4776239@hotmail.com

And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)

*13.) KEEP UP ON PATCHES FROM MICROSOFT*, HERE (ordered by release date) and your antivirus/antispyware/antirootkit AND Java runtime vendors:

http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

(Download them manually & install them yourself, OR just let "Windows Automatic Updates" run)

& please - DO keep up on your AntiVirus updates (either automatically via their services, or manually) & the same with your AntiSpyware products &/or things like JAVA runtimes (which was updated yesterday (06/05/2007) to JRE6.1 by SUN Microsystems mind you)!

*14.) It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE" UAC-like type scenario, isolating them into their own spaces*, here are 2 methods, how (not needed on VISTA though, afaik):

IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":

http://it.slashdot.org/comments.pl?sid=236547&cid=19310513

*MY METHOD:*

RUNNING IE in a "runas limited user class" sandbox effect:

"It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

Unfortunately, MS has made running IE as a different user a little harder than necessary. Right-clicking and using "Run as" doesn't seem to work. What did work for me was the following.

Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd" on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batch file c:\windows\ie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from your normal desktop and only run it from the restricted account. This way you can use IE without worrying about any IE exploits"

*OTHER, VERY QUITE POSSIBLY SUPERIOR METHOD:* ...this is exactly the way I do it (but with Opera and other internet-related apps such as acroread, mail, ...). But simply "runas /user:xxx cmd" is not the best way to achieve process separation. If you have a look at the process tree you will see: system->smss.exe->winlogon.exe->services.exe->cmd.exe->iexplore.exe. A better way is to use the method described in Joanna's blog

http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html

*See section:* Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root, avoiding being a child process.

This is my runopera.bat which runs opera as user internet:
psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"

*(YOU ARE NOW @ THE END OF THIS DOCUMENT & ALL of that is done for ONLINE security... &, it works!)*

(Yes, it's a PAIN to do it the first time - maybe 1 hr. work for an experienced user, more for less experienced ones, but WORTH EVERY SECOND! Why? Well, I have not had this system "go down" due to hacks/cracks/malware/virus/trojans/spyware, etc. et al (you name it) in years now! It just works... & everyone ought to know this stuff, so here 'tis!)

Enjoy & IF you know of more to do? Please, have @ it, & let us all know what it is you do on your Win32 rigs of NT-based OS nature!

APK

P.S.=> Enjoy it, & SOLARIS? Do put this in place of the original post, & THE WIKI too... it is truly, as good as I can get it to be... thanks! Nice to see you all again also! apk
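
An added example, not code from the original post: the "reassign the logon account, run it a while, revert if it breaks" test from step 5 and the service lists earlier in the post, done in one pass from PowerShell. It audits which services still log on as LocalSystem, re-targets a chosen set to LOCAL SERVICE or NETWORK SERVICE with the blank password the post describes, restarts each one, and checks both the service state and the System event log before deciding whether to keep the change or roll it back. It uses WMI (Win32_Service) so it works on Windows PowerShell 2.0 on XP/Server 2003 as well as on current versions; run it elevated. The short names in $Targets are my own mapping of some of the post's display names and are an assumption: confirm them with `sc query` on your machine. A service that fails under the lower account usually lacks an ACL on its own files or registry keys; you can grant that instead of reverting, but the script takes the post's conservative route.

```powershell
# Added example (not from the original post). Dry run by default; -Apply makes changes.
# Assumption: the short names below match the post's display names on your build.
param([switch]$Apply)

$LocalService   = 'NT AUTHORITY\LocalService'
$NetworkService = 'NT AUTHORITY\NetworkService'

$Targets = @{
    'RemoteRegistry' = $LocalService     # Remote Registry
    'lmhosts'        = $LocalService     # TCP/IP NetBIOS Helper
    'TlntSvr'        = $LocalService     # Telnet
    'stisvc'         = $LocalService     # Windows Image Acquisition
    'Dhcp'           = $NetworkService   # DHCP Client
    'Dnscache'       = $NetworkService   # DNS Client
    'SysmonLog'      = $NetworkService   # Performance Logs and Alerts
}

function Get-LocalSystemServices {
    # Everything still logging on as the all-powerful SYSTEM account.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Set-ServiceLogonAccount {
    param([string]$Name, [string]$Account, [switch]$Apply)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { Write-Warning "$Name is not installed here"; return }
    if ($svc.StartName -eq $Account) { return }          # already hardened
    $previous = $svc.StartName
    Write-Output ("{0,-16} {1,-30} -> {2}" -f $Name, $previous, $Account)
    if (-not $Apply) { return }

    # Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
    #        DesktopInteract, StartName, StartPassword, ...); $null leaves a field alone.
    # Built-in service accounts take an empty password, as the post notes.
    $r = $svc.Change($null, $null, $null, $null, $null, $null, $Account, '')
    if ($r.ReturnValue -ne 0) {
        Write-Warning "SCM refused the change for $Name (code $($r.ReturnValue))"; return
    }
    if ($svc.State -ne 'Running') { return }             # stopped: nothing to verify yet

    $since = Get-Date
    Restart-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 3
    $after = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    # SCM logs start failures and crashes as errors in the System log; look for this service.
    $scmErrors = Get-EventLog -LogName System -Source 'Service Control Manager' `
                     -EntryType Error -After $since -ErrorAction SilentlyContinue |
                 Where-Object { $_.Message -like "*$($svc.DisplayName)*" }
    if ($after.State -eq 'Running' -and -not $scmErrors) {
        Write-Output "  ok: $Name now runs as $Account"
    } else {
        # Put it back rather than leave a broken service behind: the post's Safe Mode step, automated.
        Write-Warning "  $Name failed under $Account; reverting to $previous"
        [void]$svc.Change($null, $null, $null, $null, $null, $null, $previous, '')
        Start-Service -Name $Name -ErrorAction SilentlyContinue
    }
}

"Services currently logging on as LocalSystem:"
Get-LocalSystemServices | Format-Table -AutoSize

if ($Apply) { "Applying:" } else { "Dry run (re-run with -Apply to change these):" }
foreach ($name in $Targets.Keys) {
    Set-ServiceLogonAccount -Name $name -Account $Targets[$name] -Apply:$Apply
}
```

Note what each mechanism in the post actually touches: the Security Templates snap-in's System Services node writes a service's startup type and its security descriptor (the SDDL that `sc.exe sdshow <name>` prints, i.e. who may start, stop and reconfigure it), while the logon account is the Log On tab in services.msc, or the Win32_Service.Change call above. The two are complementary, and neither one grants the new account any rights over the service's own files or registry keys.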

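
An added example, not code from the original post: the TCP/IP Filtering that step 6 sets through the Advanced TCP/IP Settings dialog, read and written at its registry home so the setting can be audited and reproduced. EnableSecurityFilters under Tcpip\Parameters is the "Enable TCP/IP Filtering (All adapters)" box; TCPAllowedPorts, UDPAllowedPorts and RawIPAllowedProtocols under each Interfaces\{GUID} key are the three Permit Only lists, where a list containing only "0" means Permit All. The defaults mirror the post (TCP 80/443/8080 only, UDP permit all, IP protocols 6 and 17) and the change needs a reboot, as the post says. Two practitioner caveats: this filter is inbound only and stateless, and for TCP it is the connection attempts that get filtered, so a client with Permit Only 80/443/8080 still browses fine; UDP has no connection to track, so a Permit Only UDP list also drops the replies to your own DNS lookups (they arrive at ephemeral ports), which is the breakage the post ran into and why it leaves UDP at Permit All. Run elevated; Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Dry run by default; -Apply writes the values.
param(
    [string[]]$TcpPorts    = @('80', '443', '8080'),
    [string[]]$UdpPorts    = @('0'),          # '0' alone = Permit All, as the post leaves it
    [string[]]$IpProtocols = @('6', '17'),    # TCP and UDP
    [switch]$Apply
)

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-TcpipFilterState {
    # One row per interface key: the global on/off switch plus the three per-adapter lists.
    $top = Get-ItemProperty -Path $Tcpip -ErrorAction Stop
    foreach ($key in Get-ChildItem -Path "$Tcpip\Interfaces") {
        $p = Get-ItemProperty -Path $key.PSPath
        $o = New-Object PSObject
        $o | Add-Member NoteProperty Interface $key.PSChildName
        $o | Add-Member NoteProperty Enabled   ($top.EnableSecurityFilters -eq 1)
        $o | Add-Member NoteProperty Tcp       ($p.TCPAllowedPorts -join ',')
        $o | Add-Member NoteProperty Udp       ($p.UDPAllowedPorts -join ',')
        $o | Add-Member NoteProperty Raw       ($p.RawIPAllowedProtocols -join ',')
        $o
    }
}

function Set-TcpipFilter {
    param([string[]]$Tcp, [string[]]$Udp, [string[]]$Raw)
    Set-ItemProperty -Path $Tcpip -Name EnableSecurityFilters -Value 1 -Type DWord
    foreach ($key in Get-ChildItem -Path "$Tcpip\Interfaces") {
        # The dialog applies one set of lists to every adapter; do the same here.
        Set-ItemProperty -Path $key.PSPath -Name TCPAllowedPorts       -Value $Tcp -Type MultiString
        Set-ItemProperty -Path $key.PSPath -Name UDPAllowedPorts       -Value $Udp -Type MultiString
        Set-ItemProperty -Path $key.PSPath -Name RawIPAllowedProtocols -Value $Raw -Type MultiString
    }
}

"Current filter state:"
Get-TcpipFilterState | Format-Table -AutoSize

if ($Apply) {
    Set-TcpipFilter -Tcp $TcpPorts -Udp $UdpPorts -Raw $IpProtocols
    "Written. tcpip.sys reads these at start, so reboot for the filter to take effect."
    Get-TcpipFilterState | Format-Table -AutoSize
} else {
    "Dry run; re-run with -Apply to write TCP=$($TcpPorts -join ',') UDP=$($UdpPorts -join ',') IP=$($IpProtocols -join ',')."
}
```

After the reboot, `netstat -an` still lists every listener, because filtering happens in tcpip.sys below the socket; test from another host with a connection attempt to a listening but non-permitted port to confirm it is dropped.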

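
An added example, not code from the original post or from the slashdot replies it quotes: the runas / psexec privilege separation of step 14 done from PowerShell, plus the check the post only describes by eye. It starts a browser under a separate limited account and then reads back, via WMI, which account the new process runs as and which process is its parent. "internet" is an assumed account name; create it yourself as a member of Users only. One caveat that ties this step to step 5: runas.exe and Start-Process -Credential both depend on the Secondary Logon service (seclogon), so a service-trimming pass can silently break this method, and the script checks for that first. Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Assumptions: a limited local account named
# "internet" exists, and Internet Explorer lives at its default path.
param(
    [string]$User = 'internet',
    [string]$Exe  = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
)

function Assert-SecondaryLogon {
    # runas.exe and Start-Process -Credential both go through the Secondary Logon service.
    # If it was disabled while trimming services, the only symptom is a launch failure that
    # mentions a service that cannot be started, so say so explicitly.
    $s = Get-Service -Name seclogon -ErrorAction Stop
    if ($s.Status -ne 'Running') {
        throw "Secondary Logon (seclogon) is $($s.Status); runas-style launches need it running."
    }
}

function Get-ProcessIdentity {
    # Who owns a process and what spawned it: the two things to verify after a
    # privilege-separated launch.
    param([int]$ProcessId)
    $wp = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$ProcessId"
    if (-not $wp) { throw "process $ProcessId is gone (did it fail to start?)" }
    $owner  = $wp.GetOwner()
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($wp.ParentProcessId)"
    $parentText = 'none'
    if ($parent) { $parentText = "$($parent.Name) ($($parent.ProcessId))" }
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Pid    $wp.ProcessId
    $o | Add-Member NoteProperty Name   $wp.Name
    $o | Add-Member NoteProperty Owner  "$($owner.Domain)\$($owner.User)"
    $o | Add-Member NoteProperty Parent $parentText
    $o
}

function Start-AsLimitedUser {
    param([string]$User, [string]$Exe)
    Assert-SecondaryLogon
    $cred = Get-Credential $User          # prompts for the limited account's password
    # -WorkingDirectory matters: with -Credential the default is the caller's profile,
    # which the limited account cannot read, and the launch fails with an access error.
    $p = Start-Process -FilePath $Exe -Credential $cred -WorkingDirectory $env:SystemRoot -PassThru
    Start-Sleep -Seconds 2
    Get-ProcessIdentity -ProcessId $p.Id
}

$info = Start-AsLimitedUser -User $User -Exe $Exe
$info | Format-List
$me = "$env:USERDOMAIN\$env:USERNAME"
if ($info.Owner -eq $me) {
    Write-Warning "Browser is running as $me, not as $User; separation did not happen."
}
```

The Owner column is the real test; the Parent column shows the tree shape the second method in the post cares about. psexec also accepts -l, which strips the Administrators group from the token and limits it to Users' privileges, giving a limited browser without a second account at all.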
----------



## Dippyskoodlez (Jun 18, 2007)

Belarc advisor security status...

Isn't that the program that posts your windows key online?

Lolz.


----------



## TheMasterOfSinanju (Jun 18, 2007)

Dippyskoodlez said:


> Belarc advisor security status...
> 
> Isn't that the program that posts your windows key online?
> 
> Lolz.



Well, it's SORT OF like the "CIS Tool 1.x" I note above, & their developer came in here to these forums, to speak with myself & others in regards to differences I saw in it, vs. CIS Tool 1.x (which is multiplatform, & java driven, whereas Belarc Advisor is pure Windows/Win32 code, afaik @ least & could tell & only runs on Windows - CIS Tool runs on TONS of platforms, java etc. et al is why).

It's a decent program (BELARC ADVISOR), but I have to admit:

*I actually LIKE CIS Tool 1.x better,  & hence, why I suggest it above, vs. BELARC ADVISOR!*

(Plus, if you are conscious of things like you note & suspect badware etc.? Suggest that to Majorgeeks.com or other sites that feature it, OR write him - he came here @ my behest once, is a nice guy, and knows his stuff! He is willing to talk to folks & yes, even help them out as he did myself & others here!)

I like CIS Tool 1.x though, because imo?

It is more accurate, & doesn't assume things (it asks you questions first, & ones I suggested to BelarcGuy to put into HIS app, rather than assume things OR worse, get them wrong).

The "CENTER FOR INTERNET SECURITY" also authored CIS Tool, & if you can't trust them? WHO CAN YOU TRUST?? lol... you know???

He (belarcguy) may have amended it since, especially vs. your objections!

(Yes, I have heard tell of this too as you did, but it may just be an "urban myth" online (heck, my initials 'apk' are in viruses for God's sake - I did not write those, but I have heard folks say (even here after I left) "APK IS IN VIRUS PROGRAMS", sheesh, lol!))

"APK DON'T BUILD NO JUNK" as the saying goes.

http://www.techpowerup.com/downloads/389/foowhatevermakesgooglehappy.html

LOL!

Anyhow/anyways, on BELARC ADVISOR - I do know he has issued several updates since the time of our test here, write him in regard to your thoughts.

APK

P.S.=> He was EXTREMELY helpful to me though, as he is noted above as helping me out in this capacity - using SECURITY policies! apk


----------



## Dippyskoodlez (Jun 18, 2007)

TheMasterOfSinanju said:


> *I actually LIKE CIS Tool 1.x better,  & hence, why I suggest it above, vs. BELARC ADVISOR!*



I'm impressed. all this work.

I fixed all those problems the easy way.


----------



## Wile E (Jun 18, 2007)

Dippyskoodlez said:


> I'm impressed. all this work.
> 
> I fixed all those problems the easy way.


OS X, ftw! lol


----------



## TheMasterOfSinanju (Jun 18, 2007)

Wile E said:


> OS X, ftw! lol



LOL, I took ideas from that OS, before they HAD it even (because I've been messing around with this since 1992-1998 really, before there WAS a MacOS X)... secured services!

Still, MacOS X,  I have to admit, has GREAT BSD foundations!

BSD's have the best IP stack in the business imo, & Windows XP/2003 Server/VISTA bit off of it, in the 'dynamically loading' ip stack (MacOS X stuff here, not sure on early BSD), that previous windows did NOT have!

(AND YES, when MS first put Tcp/IP into their OS, they took older BSD code for their IP stack (there are still ways to show & prove this in fact, if you look online, in the tcpip.sys drivers & other libs MS uses for this, but I don't recall the specifics of it... it's older IP stack BSD code largely, but it was improved upon in some ways, by MS))

I.E. (very real in effect)? 

You get a FASTER BOOT from it, for one thing, & you can load/unload stuff like IP Security policies dynamically (I do note this above, see "Analog X" section) & also alter your HOSTS file w/ out a reboot in XP/Server2003/VISTA, where you could NOT in Windows 2000 & below for example WITHOUT reboots of the OS!

Also, & if you have ever noted?

If you do not start up a browser right away with the OS boot, or other apps that call the IP stack (OR perform an esoteric hack to the OS using iirc, gpedit.msc, that makes it like Windows 2000 & below were (making the IP stack load FULLY prior to entering the windows explorer desktop shell, slowing its bootup))? 

Your first web based app takes a BIT of time to load, & subsequent loads of it are faster, as are any other IP utilizing app, once only 1 has made calls to it once you are in Windows... 

This is why: ONLY Part of the OS' IP stack is loaded @ boot & when an application in "usermode" (explorershell) calls on it? It then only, loads up FULLY!

This technique/trick was 'stolen' from MacOS X tech by MS from what I understand (perhaps an urban myth online, but imo, not in THIS case).

*Anyhow - run CIS tool on your MacOS X rigs... see if you can beat a score of 84.735!*

(Consider it a 'challenge' to you MacOS X users!)

Hey - None of the Linux folks I challenged to it here:

http://linux.sys-con.com/read/382946_f.htm

(A debate/discussion over Windows vs. Linux security superiority partially)

Tried, or rather perhaps just could NOT exceed my score (which if you guys go about the above? You can have it too, & perhaps, exceed it), & they could NOT beat my score! 

Whatever the case may have been? Doesn't matter really... I do suspect they did try it though, & could NOT exceed my score.

See -  what I really WANTED was someone with the SELinux builds (addon hooks into the Linux kernel to create ACL like security control, except they call it MAC (mandatory access control)), especially to try it!

CIS Tool 1.x runs on Windows, MacOS X, Linux, BSD, & Solaris (some FYI guys, it is great stuff, & helps you secure yourself, unlike other security testers (not counting Belarc Advisor, it does so, but is NOT quite up to the level of CIS Tool 1.x imo, @ least in the version we tried here)).

Anyhow/anyways - Good luck, hope you can beat my score Wile E!

APK

P.S.=> 





Dippyskoodlez said:


> I'm impressed. all this work.
> 
> I fixed all those problems the easy way.



Yes, Dippy, it is some work (1 hour's worth for experienced folks imo)... but, worth every second, for YEARS of stability from a single setup (I am on 2 now with this one, maybe more)... 

I never get "hacked/cracked/virus-malware-spyware ridden" etc. et al, because of that stuff above! I did it once, & have not had to look back, she stays UP & RUNNING, solid!

Does it bug me, that MS does NOT ship it setup like the above? 

Yes, and NO... 

IMO, it's done for app & network compatibility, mainly for MASS deployments!

Imo, VISTA as it ships "oem/outta-the-box" is probably the BEST that can be done w/ Windows NT-based OS for security, & still have the OS easily "mass deployable" by networkers, & assuring compatibility w/ networks & shared apps that run across networks... I could be wrong, but this is what I suspect. Otherwise, IF I am wrong (& I can be, rare, lol, but I can be)? Ms needs to do this stuff above imo, as std. practice/oem shipped this way (barring the NetBIOS/Client For Microsoft networks cutoffs I note above). 

The above 14 steps I use? Generally, its for 'stand-alone/single-rigs online' like mine, but it can be adapted for home LAN setups too (note the LanManager/NetBIOS/Client for Microsoft Networks steps above & their warning!)... apk


----------



## TheMasterOfSinanju (Jun 18, 2007)

*One last thing before hitting work today: Photo proof of my CIS Tool 1.x score*

(screenshot not preserved)

"Pictures DO say a 1,000 words"...



* Which, lol, equates to my post above I would say (easily 1,000 words I would guess/wager)...

APK


----------



## xvi (Jun 19, 2007)

Not bad. I think you should add the Microsoft Baseline Security Analyzer to the mix.

I'm not a fan of adding extra software on my servers, though. Most of the ones that I'm lucky enough to manage don't touch the internet. Just keep current on your updates and don't install software that you don't trust with your life.


----------



## TheMasterOfSinanju (Jun 19, 2007)

xvi said:


> Not bad.



Thanks! It just works...



xvi said:


> I think you should add the Microsoft Baseline Security Analyzer to the mix.



That's an idea, but I have had trouble running it before here, & iirc, it was calling for me to run SOME services I do not keep running usually!

(IIRC, it depends on services I turn off, & iirc, it MAY have been Terminal Services (I don't use them here like I used to, so, I cranked it off)... I used to use it to work from home 2-3 days a week, but not anymore, have to be "on site" from now on (in mgt. now)).



xvi said:


> I'm not a fan of adding extra software on my servers, though. Most of the ones that I'm lucky enough to manage don't touch the internet. Just keep current on your updates and don't install software that you don't trust with your life.



Thing is? This is oriented to WORKSTATIONS/PRO type Windows NT-based OS setups... e.g.-> The Windows Server 2003 setup I have here, is nearly PURELY a "Workstation/Pro" setup, its default in this OS version (you add server components like IIS, or others, ONLY AS YOU NEED THEM (sorry if you are aware of this already, I hate to sound OR BE, condescending, because it's NOT cool, & you never know if you may be talking to someone who is your equal OR superior in a particular area)).

If ANYTHING above? I am cutting back on wares (stopping Client for Microsoft Network or NetBIOS + File & Printer sharing for example)... 

Still  - I ought to add the basic concept of cutting off services really, ones you do NOT need, but that IS covered in my downloads documents internally, above (softseek ones, etc.).

APK

P.S.=> I will add this to that above, it cannot hurt, IF I missed it (this latter point, cutting off services you do NOT need to be running, & here, NOT just in my downloadable speedup stuff)... EDIT PART - it is there already, but I 'reinforced it more' in a bolded statement! apk


----------



## Dippyskoodlez (Jun 19, 2007)

TheMasterOfSinanju said:


> Anyhow - run CIS tool on your MacOS X rigs... see if you can beat a score of 84.735!
> 
> (Consider it a 'challenge' to you MacOS X users!)
> 
> ...



Hey, link me a working os x bench and I'll gladly beat it. 

But all I could find was a crappy pdf


----------



## Remo_Williams (Jun 27, 2007)

Dippyskoodlez said:


> Hey, link me a working os x bench and I'll gladly beat it.
> 
> But all I could find was a crappy pdf



Sorry my man, you are right... I checked before I got the ban (as "TheMasterOfSinanju"), & you are right (I don't use MacOS X, & I figured since it is basically a BSD variant, it would have one, as BSD's do there)...

Of course, this also is an evidence of there being LESS SOFTWARE FOR MacOS X, than there is for Windows... keep that in mind!

Anyhow/anyways - "Oh well!"

If anyone can 'take out my score'? I figured it MIGHT just be a MacOS X rig... SELinux folks can't, & I posted @ slashdot MANY times to the BSD folks even (and Linux Penguins too, even SELinux ones)... nobody could/no takers!

APK

P.S.=> Anyhow, final mod for the TPU Wiki for this post is upcoming... the techniques & article material are down to a "12 step program" in my next post (final one I will ever EVER do here)... enjoy the read, & I hope you guys find it useful in securing your Windows rigs (especially so no one can EVER feed you a line that "Windows is less secure than (insert other OS here)" type stuff... cuz it just AIN'T true!)... apk


----------



## Remo_Williams (Jun 27, 2007)

*APK "12 step program" 4 a secure Windows NT-based OS (2000/XP/Server 2003/VISTA))*

*INTRODUCTION:*

Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - new holes/vulnerabilities appear in the OS & its libs + apps, but this gets you closer, if not as close as a body needs to be!).

*THIS IS GEARED TO "stand-alone" systems online on the internet (However - it can be adapted for LAN/WAN office or home networked environs, BUT, pay attention to step #2's 'warnings' about pulling Client For Microsoft Networks, &/or File & printer sharing - most networks require/need this)*

*BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:*

Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):

http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

It is a personally 'security-hardened' model I have been working on for many years, using principles I learned & used since the NT 3.5x days onward to this version of the OS: As is now?

*I score an 84.735 on the CIS Tool 1.x currently as of 06/01/2007! This is up from my past score here of 76.xxx on it, & here is how to do it!*

Currently, I can go NO higher than this score of 84.735 (of 100 total) on CIS Tool 1.x for Windows, pictured here (photo proof/pictures DO say, a 1,000 words (like this post, lol)):

http://forums.techpowerup.com/showthread.php?p=366342#post366342

BUT, that is a GOOD score (especially considering the default score of VISTA even, is FAR BELOW THAT! Nice part is? The techniques noted here can LARGELY APPLY TO VISTA AS WELL! Read on...)

(For CIS Tool - There are Linux, Solaris, BSD variants, & other OS models ports (some only in .pdf security guide form though, not programmatically automated yet, like MacOS X) of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)

*DOWNLOAD URL FOR CIS TOOL* (for multiple platforms), from "The Center for Internet Security" here:

http://www.cisecurity.org/bench.html

(*IMPORTANT:* This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!)

*APK 12 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):*

*1.) Windows Server 2003's SCW was run over it FIRST* (this only exists on Windows Server 2003, not on 2000/XP (you have to install this, it does NOT install by default) first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as a starting point))...

Directions for its installation are as follows:

Start the Add or Remove Programs Control Panel applet.

Click Add/Remove Windows Components.

On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

*DONE! Now, run it...* it is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

*ALSO, per TPU forums user (username "xvi") @ techpowerup.com forums (software section): Use Microsoft Baseline Security Analyzer, a free download from Microsoft* as well to check your system for security holes, patch updates, etc. (be wary of the fact it does require various services running though, iirc, Terminal Server Services Client - I do NOT keep that running here anymore, & this program failed on me because of that (would not initialize @ all))

*2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION* (if you do not need them that is for say, running your home LAN)!

E.G.-> Here? I pull ANY Networking clients &/or Protocols in the Local Area Connection, other than Tcp/IP typically (& disable NetBIOS as well, because I don't need it here), on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN. I also disable that too!

*3.) Use IP security policies (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:*

http://www.analogx.com/contents/articles/ipsec.htm

(Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)

*NOTE:* This can be 'troublesome' though, for folks that run filesharing clients though. An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.

(*HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc* & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it & when done? TURN THEM ON, AGAIN! These work WITH software & hardware router firewalls, IP port filtering, and security IP policies, simultaneously/concurrently, for "layered security", no hassles!).

*4.) USE General security policies (in gpedit.msc/secpol.msc), these are VALUABLE tools* (and will be needed & suggestions for it will be told to you by the CIS Tool noted above - great stuff!) and regedit.exe!

*(Newly added - regedit.exe use is for registry ACL permissions*, via its EDIT menu, PERMISSIONS submenu item (to add/remove users that have rights to registry hives/values, & to establish their rights levels therein))

*ALSO NEWLY ADDED - Explorer.exe "right-click" on drive letters/folders/files (for file access ACL permissions hardening)* using its popup menu selection of "PROPERTIES", & in the next screen, the SECURITY tab (to add/remove users that have rights to said items, & to establish their rights levels therein), also - this is another requirement of CIS Tool 1.x & its suggestions for better security.

*5.) HARDENING & SECURING SERVICES HOW-TO:*

Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE), see this URL where I did a lot of research for a prebuilt list for another forums, to see how/why this works:

http://forums.techpowerup.com/showthread.php?t=16097

I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privilege user too for this on 2000 if needed)...

I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

*LOCAL SERVICE startable list (vs. LocalSystem Logon Default)*:

Acronis Scheduler 2 Service
Alerter (needs Workstation Service Running)
COM+ System Application
GHOST
Indexing Service
NVIDIA Display Driver Service
Office Source Engine
O&O Clever Cache
Remote Registry
Sandra Service
Sandra Data Service
SmartCard
Tcp/IP NetBIOS Helper
Telnet
UserProfile Hive Cleanup Service
Volume Shadowing Service
Windows UserMode Drivers
Windows Image Acquisition
WinHTTP Proxy AutoDiscovery Service

*NETWORK SERVICE startable list (vs. LocalSystem Logon Default):*

ASP.NET State Service
Application Layer Gateway
Clipbook (needs Network DDE & Network DDE DSDM)
Microsoft Shadow Copy Provider
Executive Software Undelete
DNS Client
DHCP Client
Error Reporting
FileZilla Server
Machine Debug Manager
Merger
NetMeeting Remote Desktop Sharing Service
Network DDE
Network DDE DSDM
PDEngine (Raxco PerfectDisk)
Performance Logs & Alerts
RPC
Remote Desktop Help Session Manager Service
Remote Packet Capture Protocol v.0 (experimental MS service)
Resultant Set of Policies Provider
SAV Roam
Symantec LiveUpdate
Visual Studio 2005 Remote Debug

*PLEASE NOTE:* Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.

*WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES:* Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

*If that fails (shouldn't, but IF it does)?* There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

ListSvc (shows services & drivers states of stopped or started)

Enable (starts up a service &/or driver)

Disable (stops a service &/or driver)

Which can turn them back on if/when needed

(*ON Virtual Disk Service being removed, specifically (because it used to be in this list)):* This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

*CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this - do consider it, when possible! Many guides online exist for this, & I authored one of the first "back in the day" for NTCompatible.com as "Article #1" back in 1997-1998 - the latest ones are even BETTER!*

*SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:*

*STEP #1:* CONFIGURE A CUSTOM Microsoft Management Console for this!

Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

http://forums.techpowerup.com/showthread.php?t=16097

"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use its File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

(It's easy, & it works, & is necessary for the actual steps to do this, below)

Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

*STEP #2:* HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

(To define a new security template, follow these steps)

1. In the console tree, expand Security Templates
2. Right-click %SystemRoot%\Security\Templates, and then click New Template
3. In the Template name box, type a name for the new template.

(If you want, you can type a description in the Description box, and then click OK)

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

1. To define a System Services policy, follow these steps:
a. Expand System Services
b. In the right pane, double-click the service that you want to configure
c. Specify the options that you want, and then click OK.

(And, of course, the user feedback on its effectiveness (Makes your Win32 NT-based OS very much like how MacOS X treats its daemon processes via privilege levels), which uses the same general principles)

It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

*DONE!*

*6.) Another thing I do for securing a Windows NT-based OS: IP Port Filtrations* (like ip security policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IPSecurity policies, hardware AND software firewalls, all in combination/simultaneously running)!

*DIRECTIONS ON HOW TO IMPLEMENT THEM (very easy):*

1. Start Menu -> Connect To item (on the right hand side) -> Local Area Connection (whatever you called it, this is the default, iirc); open it via double click OR the right-click popup menu PROPERTIES item.
2. Press/click the Properties button on the left-hand side bottom -> NEXT SCREEN (Local Area Connection PROPERTIES).
3. "This connection uses the following items": go down the list to Tcp/IP, select it, & click the PROPERTIES button there.
4. Press/click the Advanced button @ the bottom right-hand side (shows the Advanced Tcp/IP Settings screen).
5. OPTIONS tab: Tcp IP Filtering is in the list, highlight/select it. Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side.
6. Check the "Enable Tcp/IP Filtering (on all adapters)" selection.
7. In the far right IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp).
8. In the far left "tcp ports" list, check off the radio button above the list titled "PERMIT ONLY", & then add the ports you want to have open (all others will be filtered out; for example, I leave ports 80, 8080, & 443 open here, only - you may need more if you run mail servers & what-have-you (this varies by application)).
9. I leave the UDP section "PERMIT ALL" because of the ephemeral/short-lived ports usage that Windows does (I have never successfully filtered this properly, but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)).
10. DONE!

You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA? This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

http://www.microsoft.com/technet/community/columns/cableguy/cg0605.mspx

(*In THAT url above? Trust me - Enjoy the read, it is VERY informative:* That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

*7.) Plus good email client practices* like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person (still gets email scanned though by your resident antivirus email scan component (use AntiVirus programs with these, OR, manually scan ANY attachments before opening them (if you get Microsoft Office .doc, .xls, .ppt etc. files uncompressed? HOLD DOWN THE SHIFT KEY AS YOU OPEN THEM - this stops macros from running & macros are the avenue utilized using VBA script to infect you))

*8.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router (with cookie & scripting filtering built-in @ the hardware level),* these are excellent investments for security.

*9.) USE Tons of security & speed oriented registry hacks* (reconfiging the OS basically - stuff like you might do in etc / conf in UNIX/LINUX I suppose)

Many can be found here, in an article I authored (and it tells what they do, & how they work, w/ descriptions from Microsoft themselves):

http://www.avatar.demon.nl/APK.html

OR, if that site is down? Download them from here @ SOFTPEDIA (where they are rated 4/5):

http://www.softpedia.com/get/Tweak/System-Tweak/APK-Internet-and-NTkXP-Speedup-Guides.shtml

OR, just email me here for them -> apk4776239@hotmail.com

*(I also have these PREBUILT, in .reg files, mind you, available by email, fully internally documented!)*

They are FULLY documented internally, with link url's to the Microsoft pages they came from, inside the .reg files, so YOU can look at what the hack does inside them, verify this @ MS, & know what the valid parameters are as well!

(This? It took me FOREVER a year or so ago to do this, but worth it!)

The urls, or downloadable .mht files, outline it all (as do my prebuilt .reg files, probably the BEST choice of the lot imo), as to what you can ".reg file hack" for better SPEED, and SECURITY online, in a modern Windows 2000/XP/Server 2003 OS & has references from Microsoft in it for each setting plus their definitions & parameters possible!

*10.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE* (my personal one houses, as of this date, 90,000 known adbanner servers, OR sites known to bear malicious code & exploits (per GOOGLE mostly, from stopbadware.org))

Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filtering files + cascading style sheets for this purpose.

(As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))

*For a copy of mine, write me, here* -> apk4776239@hotmail.com

And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)

*11.) KEEP UP ON PATCHES FROM MICROSOFT, for your OS & Microsoft Office Apps, & IE, etc., HERE (ordered by release date) and run AntiVirus/AntiSpyware/AntiRootkit tools (& yes, keep them updated/current)!*

http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

*Again, keep up on antivirus/antispyware/antirootkit AND Java runtimes updates!*

(Done either automatically via their services, or manually)

Download them manually & install them yourself (OR just let "Windows Automatic Updates" run)

*Running the "std. stuff", like AntiVirus (NOD32 latest 2.7x* - best one there is, & that is not only MY opinion after testing it vs. my former fav. NAV Corporate 10.2 (it is lighter in RAM & resource uses than NAV Corporate even, finds more viruses than others, & uses less "moving parts" (in the way of services componentry, than most do, & certainly less than NAV)) *+ SpyBot (Ad-Aware is another option)* as my resident antispyware tool running in the background! *AntiRootkit tools are another one to be conscious of nowadays, now that such machinations are available for Windows* (they originated, afaik, in the UNIX world though).

The "best ones" are:

AVG AntiRootkit
BitDefender AntiRootkit
GMER
Rootkit Revealer
PrevX AntiRootkit
Rootkit Hook Analyzer
Sophos AntiRootkit
F-Secure Blacklight
Gromozon Rootkit Removal Tool
KLister
McAfee Rootkit Detective
PatchFinder
RogueRemover
VICE
System Virginity Verifier for Windows 2000/XP/2003

That is a list for you all to choose from, they all do a decent enough job though, & are 100% FREE - SO, DO use them!

*12.) It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE IE 7 Protected Mode"-like type scenario, isolating them into their own spaces in memory*, here are 2 methods, how (not needed on VISTA though, afaik):

IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":

http://it.slashdot.org/comments.pl?sid=236547&cid=19310513

*MY METHOD:*

RUNNING IE in a "runas limited user class" sandbox effect:

"It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.

Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd" on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batchfile c:\windows\ie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from your normal desktop and only run it from the restricted account. This way you can use IE without worrying about any IE exploits"

*OTHER, VERY QUITE POSSIBLY SUPERIOR METHOD:* ...this is exactly the way I do it (but with opera and other internet related apps such as acroread, mail, ...). But simply "runas /user:xxx cmd" is not the best way to achieve process separation. If you have a look at the process tree you will see: system->smss.exe->winlogon.exe->services.exe->cmd.exe->iexplore.exe. A better way is to use the method described in Joanna's blog

http://theinvisiblethings.blogspot.c...every-day.html

*See section: Do-It-Yourself: Implementing Privilege Separation.* Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root, avoiding being a child process.

Note - The "invisible thing"? She's "Yuriko DeathStrike" as far as I am concerned... Joanna Rutkowska, my fellow "Polish Person" & she's a regular "wonder" in the security/hacking/cracking world!

This is my runopera.bat which runs opera as user internet:
psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"

PLUS, Windows Server 2003 has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)

(YOU ARE NOW @ THE END OF THIS DOCUMENT & ALL of that is done for ONLINE security... &, it works!)

APK

P.S.=> Yes, it's a PAIN to do it the first time - maybe 1 hr. work for an experienced user, more for less experienced ones, but WORTH EVERY SECOND! 

Why? 

Well, I have not had this system "go down" due to hacks/cracks/malware/virus/trojans/spyware, etc. et al (you name it) in years now! It just works... 

(... & everyone ought to know this stuff, so here 'tis!)

Enjoy & IF you know of more to do? Please, have @ it, & let us all know what it is you do on your Win32 rigs of NT-based OS nature... apk

Original version @ slashdot -> http://it.slashdot.org/comments.pl?sid=237507&cid=19410153

Updated version #2 @ techpowerup.com -> http://forums.techpowerup.com/showthread.php?p=365996#post365996*
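Step 5 above (and its repeat further down the thread) is done by hand in services.msc; here is an added PowerShell script, not part of the original post or APK's own tooling, that audits which services still log on as LocalSystem, flags the ones in the post's two tested lists, and only with -Apply reassigns them through WMI while writing a rollback record for the "put it back to LOCAL SYSTEM" step. It assumes an elevated PowerShell session on XP/Server 2003-era Windows with WMI available; the rollback file path is an assumption.

```powershell
# Added example, not code from the original post. Audits services still logging on as
# LocalSystem, flags those in the post's tested lists, and (only with -Apply) reassigns
# them through Win32_Service.Change while recording the previous account to a CSV, so
# the "boot to Safe Mode and set it back to LOCAL SYSTEM" step has an exact record.
# -Revert reads that CSV and puts every listed service back. Run elevated.
param(
    [switch]$Apply,
    [switch]$Revert,
    [string]$RollbackFile = (Join-Path $env:TEMP 'service-logon-rollback.csv')  # assumed path
)

# Display names as written in the post's two lists ("RPC" is omitted: too short to
# match safely). Third-party entries simply will not match on a box without them.
$LocalServiceList = @(
    'Acronis Scheduler 2 Service', 'Alerter', 'COM+ System Application', 'GHOST',
    'Indexing Service', 'NVIDIA Display Driver Service', 'Office Source Engine',
    'O&O Clever Cache', 'Remote Registry', 'Sandra Service', 'Sandra Data Service',
    'SmartCard', 'Tcp/IP NetBIOS Helper', 'Telnet', 'UserProfile Hive Cleanup Service',
    'Volume Shadowing Service', 'Windows UserMode Drivers', 'Windows Image Acquisition',
    'WinHTTP Proxy AutoDiscovery Service'
)
$NetworkServiceList = @(
    'ASP.NET State Service', 'Application Layer Gateway', 'Clipbook',
    'Microsoft Shadow Copy Provider', 'Executive Software Undelete', 'DNS Client',
    'DHCP Client', 'Error Reporting', 'FileZilla Server', 'Machine Debug Manager', 'Merger',
    'NetMeeting Remote Desktop Sharing Service', 'Network DDE', 'Network DDE DSDM',
    'PDEngine', 'Performance Logs & Alerts', 'Remote Desktop Help Session Manager Service',
    'Remote Packet Capture Protocol v.0', 'Resultant Set of Policies Provider', 'SAV Roam',
    'Symantec LiveUpdate', 'Visual Studio 2005 Remote Debug'
)

# The post's names are approximate ("SmartCard" vs the real "Smart Card"), so compare
# with spacing and punctuation removed and accept a prefix match in either direction.
function Get-NormalizedName([string]$s) { ($s -replace '[^A-Za-z0-9]', '').ToLower() }
function Test-ListMatch([string]$displayName, [string[]]$list) {
    $n = Get-NormalizedName $displayName
    foreach ($entry in $list) {
        $e = Get-NormalizedName $entry
        if ($n.StartsWith($e) -or $e.StartsWith($n)) { return $true }
    }
    return $false
}

if ($Revert) {
    # sc.exe (not the 'sc' alias for Set-Content) needs the space after "obj=".
    foreach ($row in Import-Csv $RollbackFile) {
        & sc.exe config $row.Name obj= $row.OldStartName | Out-Null
        Write-Host "$($row.Name): logon account set back to $($row.OldStartName)"
    }
    return
}

# Only services still on LocalSystem are candidates; anything already on a lower
# account (some service packs moved DNS/DHCP Client to NetworkService) is left alone.
$candidates = @()
foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
    if ($svc.StartName -ne 'LocalSystem') { continue }
    $target = $null
    if     (Test-ListMatch $svc.DisplayName $LocalServiceList)   { $target = 'NT AUTHORITY\LocalService' }
    elseif (Test-ListMatch $svc.DisplayName $NetworkServiceList) { $target = 'NT AUTHORITY\NetworkService' }
    if ($target -eq $null) { continue }
    $candidates += New-Object PSObject -Property @{
        Name = $svc.Name; DisplayName = $svc.DisplayName; StartMode = $svc.StartMode; Target = $target
    }
}

if ($candidates.Count -eq 0) { Write-Host 'No LocalSystem services matched the tested lists.'; return }
$candidates | Format-Table Name, DisplayName, StartMode, Target -AutoSize
if (-not $Apply) { Write-Host 'Audit only. Re-run with -Apply to reassign the accounts listed above.'; return }

# Blank password, as the post notes: the built-in service accounts are identified by
# SID, so nothing is stored (which is why the services.msc dialog accepts an empty one).
if (-not (Test-Path $RollbackFile)) { Set-Content -Path $RollbackFile -Value 'Name,OldStartName' }
foreach ($c in $candidates) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($c.Name)'"
    # Win32_Service.Change: $null leaves a parameter untouched; positions 7 and 8 are
    # StartName and StartPassword. ReturnValue 0 means the SCM accepted the change.
    $r = $svc.Change($null, $null, $null, $null, $null, $null, $c.Target, '')
    if ($r.ReturnValue -eq 0) {
        Add-Content -Path $RollbackFile -Value "$($c.Name),LocalSystem"
        Write-Host "$($c.Name): now logs on as $($c.Target) (takes effect on next start)"
    } else {
        Write-Warning "$($c.Name): Change returned $($r.ReturnValue); account unchanged"
    }
}
Write-Host "Rollback record written to $RollbackFile; run with -Revert to undo every change."
```

As the post says, run the system a while afterwards; a service that no longer starts or updates is the signal to revert that one entry and accept LocalSystem for it.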

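For step 6 (TCP/IP Filtering), an added PowerShell check, not from the original post, that reads the filter state the dialog stores in the registry and reports any adapter whose TCP list is still "Permit All" or allows ports beyond the post's 80/8080/443 example. It assumes the value names documented for Windows 2000/XP/Server 2003 (EnableSecurityFilters, TCPAllowedPorts, UDPAllowedPorts, RawIPAllowedProtocols); $ExpectedTcp is the only thing to edit for your own servers.

```powershell
# Added check, not code from the original post. Reads what the step-6 TCP/IP Filtering
# dialog stores in the registry and grades each adapter against the post's example
# allow-list, so the setting can be verified (or compared across machines) without
# clicking through Local Area Connection > Properties. Assumed value names are the
# ones documented for Windows 2000/XP/Server 2003; a list whose only entry is "0" is
# the dialog's "Permit All".
$Base        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ExpectedTcp = @('80', '8080', '443')   # ports the post leaves open; edit for your servers

function ConvertTo-ListText($value) {
    if ($value -eq $null)        { return '(not set)' }
    if (@($value) -contains '0') { return 'Permit All' }
    return (@($value) -join ', ')
}

function Get-TcpIpFilterState {
    # Global switch: 1 = "Enable TCP/IP Filtering (All adapters)" is checked.
    $enabled = (Get-ItemProperty -Path $Base -ErrorAction SilentlyContinue).EnableSecurityFilters
    $rows = @()
    foreach ($iface in (Get-ChildItem -Path "$Base\Interfaces")) {
        $p   = Get-ItemProperty -Path $iface.PSPath
        $tcp = $p.TCPAllowedPorts
        if ($enabled -ne 1) {
            $verdict = 'filtering disabled'
        } elseif ($tcp -eq $null) {
            $verdict = 'TCP list not set for this adapter'
        } elseif (@($tcp) -contains '0') {
            $verdict = 'TCP Permit All (the setting the post tells you to replace)'
        } else {
            $extra = @($tcp | Where-Object { $ExpectedTcp -notcontains $_ })
            if ($extra.Count -gt 0) { $verdict = "TCP ports beyond allow-list: $($extra -join ', ')" }
            else                    { $verdict = 'TCP matches allow-list' }
        }
        $rows += New-Object PSObject -Property @{
            Interface   = $iface.PSChildName
            TcpPorts    = ConvertTo-ListText $tcp
            UdpPorts    = ConvertTo-ListText $p.UDPAllowedPorts
            IpProtocols = ConvertTo-ListText $p.RawIPAllowedProtocols
            Verdict     = $verdict
        }
    }
    return $rows
}

Get-TcpIpFilterState | Format-Table Interface, TcpPorts, UdpPorts, IpProtocols, Verdict -AutoSize
```

Changes made through the dialog need the reboot the post mentions before tcpip.sys enforces them, but the registry reflects the new values immediately, so this check can confirm what was saved before rebooting.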

----------



## oily_17 (Jun 27, 2007)

Cheers Alec, I am shortly going to do a clean install and this will come in very helpful before I make a ghost backup for later use when looking to revert back to a secure OS.


----------



## Wile E (Aug 28, 2007)

*A Tout Le Monde*

Posted by me, as requested by APK, thru email.



APK said:

> It's the latest breaking my old record of 84.735, now @ 85.185 of 100%
> perfect. Everyone reading that thread should see the "mark to beat", & what
> is possible...
> 
> ...


----------



## mullered07 (Aug 28, 2007)

lol apk ftw   

even now i enjoy reading his posts, i also like when he creates a new user account he blatantly signs it apk (although just by reading the first line of any of his posts you know who it is) also his location, did you see it ? "a discreet point in the space-time continuum" lol


----------



## theonetruewill (Oct 12, 2007)

*Russian boy would like this*

Message from APK:

_"It's getting BETTER ALL THE TIME!" - The Beatles
(see attached picture)
(For RussianBoy of course, as he's a Beatles fan, & I think that tune fits this increased score, as a theme)...

Thanks!

APK

P.S.=> A SIDE NOTE -> A guy over @ /. (slashdot.org) has supposedly "beaten" 
my score!

(However, his LINUX is running under a VMWare emulation)

So I would like others' feedback as to that if you would like to post this as well:

http://enigma.ev6.net/result2.html   <---------His result's there.
_


----------



## DoctorWhoIsWho (Oct 20, 2007)

*LINUX RESULTS (both default AND security hardened on SuSE Linux Enterprise)*

See the attached jpg photos for the scores for LINUX folks (default is 46.xxx & security hardened is 90.xxx).

*LINUX SuSE Enterprise SECURITY HARDENED SCORE:*


*LINUX SuSE Enterprise DEFAULT NON-SECURITY HARDENED SCORE:*


This all just goes to show you that even LINUX (which is WORSE by default per this security settings test than Windows XP SP 2 is, despite the constant diatribes spouted by the *NIX community of "how superior the security is on *NIX's" vs. Windows) can stand quite the bit of security hardening...

APK

P.S.=> My next post will have my current highscore on Windows Server 2003 SP #2 fully security hotfix patched (as of the date of the last "Patch Tuesday") & also my workstation on the job (now security hardened) scoring 85.356 (and, I cannot FULLY security harden it, because we have some legacy NT 4.x servers & they cannot handle NTLMv2 communications, a requirement for a higher score + our pwd policies are limited as well)... apk


----------



## DoctorWhoIsWho (Oct 20, 2007)

*Windows XP SP #2 & Windows Server 2003 SP #2 fully security hardened CIS TOOL scores*

*WINDOWS XP SP #2 WORKSTATION SECURITY HARDENED SCORE* (not fully, due to my last post above's P.S. as reasons why I am restricted on the job for various settings):



*WINDOWS SERVER 2003 SP #2 SECURITY HARDENED SCORE* (FULL as possible, but, note that even IF I could get the last couple of points, which I can because I know the test errs on them, I cannot EVER REACH 90++% scores, do the math & see):


That's all she wrote... & what is possible (probably moreso for you guys @ home, since you don't have NT 4.x servers stopping NTLMv2 communications & password policies beyond your control too) on Windows XP SP #2 (which, most of you use most likely).

APK


----------



## pt (Oct 20, 2007)

you had to type apk


----------



## DoctorWhoIsWho (Oct 20, 2007)

*LINUX SCORES (SuSE Enterprise current model under VMWare)*

*LINUX SuSE Enterprise SECURITY HARDENED SCORE:*


*LINUX SuSE Enterprise DEFAULT NON-SECURITY HARDENED SCORE:*


* DO NOTE - the Linux tested areas seem FAR SMALLER for one thing (less complex of an OS, perhaps?), & they CAN get to 90 ranges on their CIS TOOL server class OS test... whereas I cannot, though I miss less areas of the test than they do & have FAR MORE TESTED (per my Windows Server 2003 results above)...

APK

P.S.=> This all just goes to show you that even LINUX (which is WORSE by default per this security settings test than Windows XP SP 2 is, despite the constant diatribes spouted by the *NIX community of "how superior the security is on *NIX's" vs. Windows) can stand quite the bit of security hardening... apk


----------



## DoctorWhoIsWho (Oct 20, 2007)

*HOW TO ACHIEVE 85.xxx (or, better) CIS TOOL scores*

*APK "12 step program" 4 a secure Windows NT-based OS (2000/XP/Server 2003/VISTA)) 
INTRODUCTION:*

Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - new holes/vulnerabilities appear in the OS & its libs + apps, but this gets you closer, if not as close as a body needs to be!).

*THIS IS GEARED TO "stand-alone" systems online on the internet (However - it can be adapted for LAN/WAN office or home networked environs, BUT, pay attention to step #2's 'warnings' about pulling Client For Microsoft Networks, &/or File & printer sharing - most networks require/need this)*

*BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:*

Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):

http://www.microsoft.com/downloads/...ryid=7&sortCriteria=date&sortOrder=descending

It is a personally 'security-hardened' model I have been working on for many years, using principles I learned & used since the NT 3.5x days onward to this version of the OS: As is now?

*I score an 85.760 on the CIS Tool 1.x currently as of 10/10/2007! This is up from my past score here of 76.xxx on it (default score I had prior to this security hardening via CIS TOOL & its advisements & past the 84.735 I initially hardened it up to, & later 85.185 as well), & here is how to do it!*

Currently, I can go NO higher than this score of 85.760 (of 100 total) on CIS Tool 1.x for Windows, pictured here (photo proof/pictures DO say, a 1,000 words (like this post, lol)) & even IF I could get past the few areas I know are wrong (the test errs, as it does on some areas in LINUX as well), I cannot get past 88% or so, period!

BUT, that is a GOOD score (especially considering the default score of VISTA even, is FAR BELOW THAT! Nice part is? The techniques noted here can LARGELY APPLY TO VISTA AS WELL! Read on...)

(For CIS Tool - There are Linux, Solaris, BSD variants, & other OS models ports (some only in .pdf security guide form though, not programmatically automated yet, like MacOS X) of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)

*DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:*

http://www.cisecurity.org/bench.html

*(IMPORTANT: This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!)*

================================================================================

*APK 12 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):*

*1.) Windows Server 2003's SCW was run over it FIRST* (this only exists on Windows Server 2003, not on 2000/XP (you have to install this, it does NOT install by default) first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as a starting point))...

*Directions for its installation are as follows:*

Start the Add or Remove Programs Control Panel applet.

Click Add/Remove Windows Components.

On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

*DONE! Now, run it...*

It is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

ALSO, per TPU forums user (username "xvi") @ techpowerup.com forums (software section): Use Microsoft Baseline Security Advisor, a free download from Microsoft as well to check your system for security holes, patch updates, etc. (be wary of the fact it does require various services running though, iirc, Terminal Server Services Client - I do NOT keep that running here anymore, & this program failed on me because of that (would not initialize @ all))

-------------------------------------------------------------------------------------------------------

*2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION* (if you do not need them that is for say, running your home LAN)!

E.G.-> Here? I pull ANY Networking clients &/or Protocols in the Local Area Connection, other than Tcp/IP typically (& disable NetBIOS as well, because I don't need it here), on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN. I also disable that too!

-------------------------------------------------------------------------------------------------------

*3.) Use IP security policies* (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - *Download url link is here for that:*

http://www.analogx.com/contents/articles/ipsec.htm

(Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)

*NOTE: This can be 'troublesome' though, for folks that run filesharing clients though.*

An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.

(HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it & when done? TURN THEM ON, AGAIN! These work WITH software & hardware router firewalls, IP port filtering, and security IP policies, simultaneously/concurrently, for "layered security", no hassles!).

-------------------------------------------------------------------------------------------------------

*4.) USE General security policies* (in gpedit.msc/secpol.msc), these are VALUABLE tools (and will be needed & suggestions for it will be told to you by the CIS Tool noted above - great stuff!) and regedit.exe!

(*Newly added - regedit.exe use is for registry ACL permissions, via its EDIT menu, PERMISSIONS submenu item* (to add/remove users that have rights to registry hives/values, & to establish their rights levels therein))

*ALSO NEWLY ADDED - Explorer.exe "right-click" on drive letters/folders/files (for file access ACL permissions hardening) using its popup menu selection of "PROPERTIES", & in the next screen, the SECURITY tab* (to add/remove users that have rights to said items, & to establish their rights levels therein), also - this is another requirement of CIS Tool 1.x & its suggestions for better security.

-------------------------------------------------------------------------------------------------------

*5.) HARDENING & SECURING SERVICES HOW-TO:*

Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE). I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privilege user too for this on 2000 if needed)...

I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

*LOCAL SERVICE startable list (vs. LocalSystem Logon Default):*

Acronis Scheduler 2 Service
Alerter (needs Workstation Service Running)
COM+ System Application
GHOST
Indexing Service
NVIDIA Display Driver Service
Office Source Engine
O&O Clever Cache
Remote Registry
Sandra Service
Sandra Data Service
SmartCard
Tcp/IP NetBIOS Helper
Telnet
UserProfile Hive Cleanup Service
Volume Shadowing Service
Windows UserMode Drivers
Windows Image Acquisition
WinHTTP Proxy AutoDiscovery Service

*NETWORK SERVICE startable list (vs. LocalSystem Logon Default):*

ASP.NET State Service
Application Layer Gateway
Clipbook (needs Network DDE & Network DDE DSDM)
Microsoft Shadow Copy Provider
Executive Software Undelete
DNS Client
DHCP Client
Error Reporting
FileZilla Server
Machine Debug Manager
Merger
NetMeeting Remote Desktop Sharing Service
Network DDE
Network DDE DSDM
PDEngine (Raxco PerfectDisk)
Performance Logs & Alerts
RPC
Remote Desktop Help Session Manager Service
Remote Packet Capture Protocol v.0 (experimental MS service)
Resultant Set of Policies Provider
SAV Roam
Symantec LiveUpdate
Visual Studio 2005 Remote Debug

*PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.*

*WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES:* Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

*If you cannot operate properly while changing the security logon entity context of a service* (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

If that fails (shouldn't, but IF it does)? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

ListSvc (shows services & drivers states of stopped or started)

Enable (starts up a service &/or driver)

Disable (stops a service &/or driver)

Which can turn them back on if/when needed

(ON Virtual Disk Service being removed, specifically (because it used to be in this list)): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

*CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this* - do consider it, when possible! Many guides online exist for this, & I authored one of the first "back in the day" for NTCompatible.com as "Article #1" back in 1997-1998 - the latest ones are even BETTER!

*SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:*

*STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!*

Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

http://forums.techpowerup.com/showthread.php?t=16097

"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use its File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work."

(It's easy, & it works, & is necessary for the actual steps to do this, below)

Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

*STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003*

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

(To define a new security template, follow these steps)

1. In the console tree, expand Security Templates
2. Right-click %SystemRoot%\Security\Templates, and then click New Template
3. In the Template name box, type a name for the new template.

(If you want, you can type a description in the Description box, and then click OK)

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

1. To define a System Services policy, follow these steps:
a. Expand System Services
b. In the right pane, double-click the service that you want to configure
c. Specify the options that you want, and then click OK.

(And, of course, the user feedback on its effectiveness (Makes your Win32 NT-based OS very much like how MacOS X treats its daemon processes via privilege levels), which uses the same general principles)

It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

DONE!

-------------------------------------------------------------------------------------------------------

*6.) Another thing I do for securing a Windows NT-based OS: IP Port Filtrations* (like ip security policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IPSecurity policies, hardware AND software firewalls, all in combination/simultaneously running)!

*DIRECTIONS ON HOW TO IMPLEMENT THEM (very easy):*

1. Start Menu -> Connect To item (on the right hand side) -> Local Area Connection (whatever you called it, this is the default, iirc): open it via double click OR the right-click popup menu PROPERTIES item -> Properties button on the left-hand side bottom, press/click it.
2. NEXT SCREEN (Local Area Connection PROPERTIES) -> "This connection uses the following items": go down the list to Tcp/IP, select it & click the PROPERTIES button there.
3. Press/Click the Advanced button @ the bottom right-hand side (shows the Advanced Tcp/IP Settings screen).
4. OPTIONS tab: use it & Tcp IP Filtering is in the list, highlight/select it. Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side.
5. Check the "Enable Tcp/IP Filtering (on all adapters)" selection.
6. In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp).
7. In the far left "tcp ports" list, check off the radio button above the list titled "PERMIT ONLY", & then add the ports you want to have open (all others will be filtered out, & for example, I leave ports 80, 8080, & 443 here open, only - you may need more if you run mail servers, & what-have-you (this varies by application)).
8. I leave the UDP section "PERMIT ALL" because of the ephemeral/short-lived ports usage that Windows does (I have never successfully filtered this properly but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)).
9. DONE!

You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA? This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

http://www.microsoft.com/technet/community/columns/cableguy/cg0605.mspx

(In THAT url above? Trust me - Enjoy the read, it is VERY informative: That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

-------------------------------------------------------------------------------------------------------

*7.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person & even THEN, scan it with an antivirus* (still gets email scanned though by your resident antivirus email scan component (use AntiVirus programs with these, OR, manually scan ANY attachments before opening them (if you get Microsoft Office .doc, .xls, .ppt etc. files uncompressed? HOLD DOWN THE SHIFT KEY AS YOU OPEN THEM - this stops macros from running & macros are the avenue utilized using VBA script to infect you))

-------------------------------------------------------------------------------------------------------

*8.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router* (with cookie & scripting filtering built-in @ the hardware level), these are excellent investments for security.

-------------------------------------------------------------------------------------------------------

*9.) USE Tons of security & speed oriented registry hacks* (reconfiging the OS basically - stuff like you might do in etc / conf in UNIX/LINUX I suppose)

Download them from here @ SOFTPEDIA (where they are rated 4/5):

http://www.softpedia.com/get/Tweak/System-Tweak/APK-Internet-and-NTkXP-Speedup-Guides.shtml

OR, just email me here for them -> apk4776239@hotmail.com

(I also have these PREBUILT, in .reg files, mind you, available by email, fully internally documented!)

They are FULLY documented internally, with link url's to the Microsoft pages they came from, inside the .reg files, so YOU can look at what the hack does inside them, verify this @ MS, & know what the valid parameters are as well!

(This? It took me FOREVER a year or so ago to do this, but worth it!)

The urls, or downloadable .mht files, outline it all (as do my prebuilt .reg files, probably the BEST choice of the lot imo), as to what you can ".reg file hack" for better SPEED, and SECURITY online, in a modern Windows 2000/XP/Server 2003 OS & has references from Microsoft in it for each setting plus their definitions & parameters possible!

-------------------------------------------------------------------------------------------------------

*10.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE* (my personal one houses, as of this date, 90,000 known adbanner servers, OR sites known to bear malicious code & exploits (per GOOGLE mostly, from stopbadware.org))

Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filtering files + cascading style sheets for this purpose.

(As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))

For a copy of mine, write me, here -> apk4776239@hotmail.com

And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)

OR, JUST DOWNLOAD IT HERE:

http://forums1.techpowerup.com/attachment.php?attachmentid=6540&d=1172567412

-------------------------------------------------------------------------------------------------------

*11.) KEEP UP ON PATCHES FROM MICROSOFT, for your OS & Microsoft Office Apps, & IE, etc., HERE* (ordered by release date) and run AntiVirus/AntiSpyware/AntiRootkit tools (& yes, keep them updated/current)!

http://www.microsoft.com/downloads/...ryid=7&sortCriteria=date&sortOrder=descending

Again, keep up on antivirus/antispyware/antirootkit AND Java runtimes updates!

(Done either automatically via their services, or manually)

Download them manually & install them yourself (OR just let "Windows Automatic Updates" run)

Running the "std. stuff", like AntiVirus (NOD32 latest 2.7x - best one there is, & that is not only MY opinion after testing it vs. my former fav. NAV Corporate 10.2 (it is lighter in RAM & resource uses than NAV Corporate even, finds more virus' than others, & uses less "moving parts" (in the way of services componentry, than most do, & certainly less than NAV)) + SpyBot (Ad-Aware is another option) as my resident antispyware tool running in the background! AntiRootkit tools are another one to be conscious of nowadays, now that such machinations are available for Windows (they originated, afaik, in the UNIX world though). 

*The "best ones" (AntiRootkit scanners) are:*

AVG AntiRootkit
BitDefender AntiRootkit
GMER
Rootkit Revealer
PrevX AntiRootkit
Rootkit Hook Analyzer
Sophos AntiRootkit
F-Secure Blacklight
Gromozon Rootkit Removal Tool
KLister
McAfee Rootkit Detective
PatchFinder
RogueRemover
VICE
System Virginity Verifier for Windows 2000/XP/2003

That is a list for you all to choose from, they all do a decent enough job though, & are 100% FREE - SO, DO use them!

-------------------------------------------------------------------------------------------------------

*12.) It is also possible, for web browsers &/or email clients, to create a "VISTA LIKE IE 7 Protected Mode"-like type scenario, isolating them into their own spaces in memory, here are 2 methods, how* (not needed on VISTA though, afaik):

IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":

http://it.slashdot.org/comments.pl?sid=236547&cid=19310513

*MY METHOD for RUNNING IE in a "runas limited user class" sandbox effect:*

"It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.

Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd" on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batchfile c:\windows\ie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from your normal desktop and only run it from the restricted account. This way you can use IE without worrying about any IE exploits"

*OTHER, VERY QUITE POSSIBLY SUPERIOR METHOD:* ...this is exactly the way I do (but with opera and other internet related apps as acroread, mail, ...). But simply "runas /user:xxx cmd" is not the best way to achieve process separation. If you have a look at the process tree you will see: system->smss.exe->winlogon.exe->services.exe->cmd.exe->iexplore.exe. A better way is to use the method described in Joanna's blog

http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html

*See section: Do-It-Yourself: Implementing Privilege Separation.* Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root, avoiding being a child process.

Note - The "invisible thing"? She's "Yuriko DeathStrike" as far as I am concerned... Joanna Rutkowska, my fellow "Polish Person" & she's a regular "wonder" in the security/hacking/cracking world!

This is my runopera.bat which runs opera as user internet:
psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"

PLUS, Windows Server 2003 has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)

================================================================================

(YOU ARE NOW @ THE END OF THIS DOCUMENT & ALL of that is done for ONLINE security... &, it works!)

APK

P.S.=> Yes, it's a PAIN to do it the first time - maybe 1 hr. work for an experienced user, more for less experienced ones, but WORTH EVERY SECOND! 

Why? 

Well, I have not had this system "go down" due to hacks/cracks/malware/virus/trojans/spyware, etc. et al (you name it) in years now! It just works... 

(... & everyone ought to know this stuff, so here 'tis!)

Enjoy & IF you know of more to do? Please, have @ it, & let us all know what it is you do on your Win32 rigs of NT-based OS nature... apk
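The service-logon procedure above (reassign to LOCAL SERVICE / NETWORK SERVICE, run it, and fall back to LOCAL SYSTEM if it will not start) as a scripted helper; this is an added example and not part of APK's post or guides. It assumes PowerShell 1.0 or later on XP SP2 / Server 2003, an administrator session, and service short names (e.g. RemoteRegistry) rather than display names.

```powershell
# Added example (not from the original post): audit which services still log on
# as LocalSystem, then move one service to LOCAL SERVICE or NETWORK SERVICE with
# sc.exe and revert automatically if it refuses to start under that identity.
# Assumed: PowerShell 1.0+ on XP SP2 / Server 2003, run as an administrator.

$accountMap = @{
    'LocalService'   = 'NT AUTHORITY\LocalService'
    'NetworkService' = 'NT AUTHORITY\NetworkService'
    'LocalSystem'    = 'LocalSystem'
}

# Audit: every service whose logon identity is still the LocalSystem account.
function Get-LocalSystemServices {
    Get-WmiObject Win32_Service -Filter "StartName='LocalSystem'" |
        Select-Object Name, DisplayName, State, StartMode
}

# Change the logon account with sc.exe ("sc" alone is PowerShell's Set-Content
# alias, so the .exe suffix matters). The built-in LocalService/NetworkService
# identities take no password, which matches the post's "blank password" note.
function Set-ServiceLogon {
    param([string]$Name, [string]$Account)
    if (-not $accountMap.ContainsKey($Account)) {
        throw "Account must be LocalService, NetworkService or LocalSystem"
    }
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if ($svc -eq $null) { throw "No service named $Name" }
    $previous = $svc.StartName

    Stop-Service $Name -Force -ErrorAction SilentlyContinue
    & sc.exe config $Name obj= $accountMap[$Account] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $Name" }

    # Disabled services cannot be started, so only test the start-able ones.
    if ($svc.StartMode -ne 'Disabled') {
        Start-Service $Name -ErrorAction SilentlyContinue
        if ((Get-Service $Name).Status -ne 'Running') {
            # The post's fallback: if it will not run under the reduced
            # identity, put it back on the account it had before.
            & sc.exe config $Name obj= $previous | Out-Null
            Start-Service $Name -ErrorAction SilentlyContinue
            Write-Warning "$Name would not start as $Account; reverted to $previous"
            return $false
        }
    }
    Write-Host "$Name now logs on as $Account"
    return $true
}

# Usage: list the candidates, then try one service from the post's
# LOCAL SERVICE list (Remote Registry's short name is RemoteRegistry).
Get-LocalSystemServices | Format-Table -AutoSize
Set-ServiceLogon -Name 'RemoteRegistry' -Account 'LocalService'
```

Run the audit first and work through the post's lists one service at a time; a service that is reverted by the script is one the post would leave on LOCAL SYSTEM.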


----------



## DoctorWhoIsWho (Oct 20, 2007)

pt said:


> you had to type apk



Of course... & now? 

We have photo proofs/evidences of "what is what", as far as security ratings defaults from OEM's of the OS' we typically use in Windows XP, myself in Windows Server 2003, & even LINUX results.

This goes to show you that no matter WHAT the *NIX crowd states, it seems their OS are less secure, BY DEFAULT, than Windows ones are, out of the box/oem stock for one thing, & that their tests are FAR LESS in what is tested as well. Note how much less is tested.

*Another thing to note:*

I cannot EVER reach a 90++% score on Windows Server, because if you do the math for the spots I missed? They only add another 2 points or so... putting me roughly @ 88% top possible score (& this IS an error in the test itself, unfortunately).

I know also the spots I miss on Windows Server 2003 are NOT wrong on my end, I have written the CIS TOOL authors with the proofs thereof... no response to date though, unfortunately again.

APK

P.S.=> Anyhow, there goes, I hope you guys like & use this stuff, especially for creating a SAFE & SECURITY HARDENED initial system image (say, via a NORTON GHOST backup for example)... it just works! apk


----------



## oily_17 (Oct 20, 2007)

DoctorWhoIsWho said:


> *MY METHOD for RUNNING IE in a "runas limited user class" sandbox effect:*
> 
> "It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.
> 
> ...



For running IE, Firefox etc. as a throwaway account, has anyone tried this app out yet? Recently came across it, but have not tried it out yet.
Anyone any views?

http://www.sandboxie.com/

As the name suggests runs IE etc in a sand box effect.


----------



## DaMulta (Oct 25, 2007)

So Alec§taar you're still on the ban list I see.


----------

