# Anyone want to try a test CompletelyBonkers (new user here) turned me onto?



## Alec§taar (Feb 13, 2007)

*BELARC ADVISOR ->* Download URL:

www.belarc.com



*I got a 4.17 out of 10 & CompletelyBonkers got a 3.13 out of 10!*

His lesser score IS w/ GOOD reason: He needed help implementing some of its suggestions... secpol.msc/gpedit.msc stuff, MOSTLY...

(Still, I don't FULLY TRUST that score of mine... I list some reservations I noted @ in the URL below, as to why (the URL next below was my post of objections from the bottom of the thread where I did this test per his request))

Still, CompletelyBonkers expected me to get a "10/10", but that's flat out impossible imo, for the most part!

(&, imo @ least, on ANY security test 'right-off-the-bat', & especially THIS one)

You'll see WHY I say that, once you read on below!

*Securing Windows 2000/XP/Server 2003 services HOW TO - list of APK findings/thoughts/objections to BELARC ADVISOR RESULTS:*

http://forums.techpowerup.com/showthread.php?p=261581#post261581

(That's what it listed I failed, but I had reservations about its messages too, & they are RIGHT in that post (edited that URL to put in my EXACT reasons of objections post linkage, to see if others agree w/ them, once they run this, etc. OR otherwise)).

* Personally, I think that BELARC ADVISOR, while a GOOD & DECENT PROGRAM, does make SOME mistakes in some cases!

APK

P.S.=> Anyhow, you guys oughtta give this SECURITY TEST a shot, & see HOW YOU DO... apk


----------



## Alec§taar (Feb 13, 2007)

My score result, beat it IF you can!



& again, IF you do? I'd like to know HOW you overcame some of the ones the program faulted my setup on, per this URL from above:

http://forums.techpowerup.com/showthread.php?p=261581#post261581

Some of it I do not agree with @ all, & not for how I setup a system, but I will listen to objections, if you state them logically, as to where you feel I went wrong in my setup, vs. BELARC's suggestions... it is possible I am OUTRIGHT WRONG, but unlikely for how & why I setup things it yelled about (lol, imo @ least so far).

* & Above all else... thanks for participating, because this ought to be interesting.

APK


----------



## Alec§taar (Feb 14, 2007)

I'm going to beat that score...



* I am nearly certain of it: I definitely object to the things I do above, vs. its opinions, but should be able to beat my former score above!

APK

P.S.=> Nobody else? Come on... We're starting to get that snowstorm here, expecting 2 ft., so my neighbor & I played Chess for hours in this snowstorm - so, I didn't get around to it, yet, but... soon I will! apk


----------



## Alec§taar (Feb 14, 2007)

Well, I tried & tried, for most ALL of last night (into early a.m., I knew we'd all be snowed in today, so the most I had to look forward to was using my snowblower this a.m., lol, & freezing my tail off!)...

I still can't beat the score I got above - & almost locked myself outta my system going 'ape' on registry hive/key rights to try get higher than 4.17.

(Got it back though - it was to the point, kid you not, where I was running Windows Server 2003, WITHOUT ANY SERVICES RUNNING @ ALL - yes, it is possible, & not going thru the gymnastics this URL below puts you thru either):

*Running Windows with No Services*

http://blogs.technet.com/markrussinovich/archive/2005/07/24/running-windows-with-no-services.aspx

* I managed to 'accomplish' that, just by knocking out rights to various registry hives/keys for the SERVICE entity itself... & it was pretty cool, because I had more free RAM & CPU cycles, this is certain, & I ran Quake 4 SMP on it (no sound though)... F A S T, faster than usual imo!

APK

P.S.=> Still, it was NO fun not being able to get online, so, I had to reverse some of the changes... interesting experiment so far, & a challenge! apk


----------



## Alec§taar (Feb 17, 2007)

*Did it! Got my score up higher, FINALLY, on this security test!*








* Up, from 4.17 before, to a 5.0... "she's getting there!"

APK


----------



## ace80 (Feb 17, 2007)

doesn't give me a score, says it's only compatible with win 2000/2003/xp pro. I run xp home.


----------



## Alec§taar (Feb 17, 2007)

ace80 said:


> doesn't give me a score, says it's only compatible with win 2000/2003/xp pro. I run xp home.



Man... that sux!



* You'd have been the 1st taker too, other than the person who tuned me into its abilities for this in CompletelyBonkers, for taking this security examination...

("DAMN!")

APK

P.S.=> Hey, @ least YOU "took a shot @ it"... it's the thought that counts! apk


----------



## ex_reven (Feb 17, 2007)

I scored a 1.8 LOL


You can probably see why:


----------



## Alec§taar (Feb 18, 2007)

*"Hector.... Hector... HECTOR!!!"*

Per the film TROY when Achilles stands outside the gates of troy issuing a challenge to Hector to do battle?



* Anyone who's a Greek here, (& I KNOW THAT YOU ARE HERE) I would like to ask a question:

How many hours/days, & HOW MANY TIMES, did Achilles SCREAM that, while outside the gates of Troy??

APK

P.S.=> LOL! apk


----------



## ex_reven (Feb 18, 2007)

Alec§taar said:


> *"Hector.... Hector... HECTOR!!!"*
> 
> Per the screenshot above & the same film?
> 
> ...



Sadly, historical evidence can't point out how many times Achilles screamed, nor even if he fought Hector. Most evidence points that the war was over trade and not that of a female love interest. However, I'd say that from this report, my computer is far from the Greek Phalanx


----------



## Scavar (Feb 18, 2007)

I got a 1.8 as well......though the reasoning behind it all seems a little iffy. Still I'm fixing some of the things I can now see as obvious holes.


----------



## Alec§taar (Feb 18, 2007)

ex_reven said:


> I scored a 1.8 LOL



Well, you can work on it, per the suggestions I gave CompletelyBonkers in the "Securing Windows Services" thread, if you like... 

I.E.-> You use tools like Windows Explorer.exe, Regedit.exe, secpol.msc, gpedit.msc, & lusrmgr.msc to do it. See this thread, slightly above THIS post there (3-4 posts above it, both of those):

http://forums.techpowerup.com/showthread.php?p=261581#post261581

(Doesn't take ALL that long, but you really have to PAY ATTENTION to the section where I put in BOLDED "IMPORTANT" type warnings regarding ACL rights in the registry especially, & using Explorer.exe NTFS rights - you CAN lock yourself out, if you do it wrong, & no way back in using std. tools @ that point)...

As far as NTFS rights, & Registry Hives/keys rights, NEVER REMOVE System, or Administrators group (or, your local machine level Administrator) from FULL CONTROL rights to them... you can always get back in, that way, no matter what.



ex_reven said:


> You can probably see why:



Yea, it's taking you down on points because it says you are WAY outta date on security updates/patches/hotfixes.

Some of the stuff astounds ME in it as well: For example, it says I have this key in my registry that is secured, that DOESN'T EVEN EXIST (SNMP related path)... & others that I KNOW are secured properly, say they aren't...

I outline SOME of them in the "Securing Windows Thread" & point to it above iirc in my first post, to the exact posting I did complaining about it... it is a 'valid bitch' on my part, because I know the program IS making errors on those accounts.

BUT, all-in-all, it's a decent program.

APK


----------
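The lockout warning in the post above can be checked before and after any registry permission change. This is an added example, not from the thread; the function name `Test-RecoveryAccess` is made up here, and the services key is only a sample target.

```powershell
# Added example: confirm SYSTEM and Administrators still hold an explicit or
# inherited Allow/FullControl entry on each registry key you plan to tighten.
# Well-known SIDs are used so the check works on non-English Windows too.
$RequiredSids = @{
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
}

function Test-RecoveryAccess {
    param([Parameter(Mandatory)][string[]]$KeyPath)

    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    foreach ($path in $KeyPath) {
        $acl   = Get-Acl -Path $path
        # Ask for the ACEs with identities expressed as SIDs, not names.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])

        foreach ($sid in $RequiredSids.Keys) {
            $hasFull = $false
            foreach ($r in $rules) {
                if ($r.IdentityReference.Value -eq $sid -and
                    $r.AccessControlType -eq 'Allow' -and
                    ($r.RegistryRights -band $full) -eq $full) {
                    $hasFull = $true
                }
            }
            [pscustomobject]@{
                Key         = $path
                Principal   = $RequiredSids[$sid]
                FullControl = $hasFull
            }
        }
    }
}

# Sample target: the key that holds per-service configuration.
Test-RecoveryAccess -KeyPath 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Format-Table -AutoSize
```

Any row showing `FullControl = False` is a key where the recovery path described above is already gone. The check looks only at Allow entries, so a Deny entry for the same principal still needs a manual look.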



## Alec§taar (Feb 18, 2007)

ex_reven said:


> Sadly, historical evidence can't point out how many times Achilles screamed, nor even if he fought Hector.



I read D'Aulaire's Greek Myths & others like it about the Trojan War when I was a boy, & it was something like a WHOLE day & night from their accounts of it!

However, the point above in my stating that per the film's portrayal of that, was just for humor really!

I.E. ->  Calling out to more of you to try this test is all.

(Sometimes, I have a "StRaNgE" sense of humor I guess... Plus, lol, I posted that after my neighbor & I drank a bottle of Tequila last night (real 100% Agave based stuff) too, & after I watched the film again w/ him, because he never saw it, I posted that, lol!)



ex_reven said:


> Most evidence points that the war was over trade and not that of a female love interest.



Probably true, most wars are given a 'false front' to enflame the masses (e.g.-> Catholic vs. Protestant in Ireland, OR, lol, how about "staying the course, for Iraqi Freedom & WMD's"?)

Agamemnon wanted the Aegean Sea & control of it, FULL NTFS/ACL rights control, lol!



ex_reven said:


> However, I'd say that from this report, my computer is far from the Greek Phalanx



That's ok - you can make it so, if you wish... takes time though, on some of the settings involved this program points out, & imo, it STILL makes some errors in regard to some of what it suggests.

I guess still, it is a GOOD program, because it makes you take a look @ things & 'shore them up'...

APK

P.S.=> HOWEVER, OVERALL? I do feel that it's a good program!

A regular "Chiron to Achilles" (keeping the theme alive, lol - Chiron MASSIVELY educated & raised Achilles).

It teaches you, to be far more invulnerable!

Thus - giving you guys, w/ all your Super-Powerful hardware the GREEK IDEAL of "Sound Body (good hardware) & Sound Mind (secure solid OS)" in a way, lol... apk


----------



## Jimmy 2004 (Feb 18, 2007)

I'm on XP home too, so doesn't work for me (don't know why they can't make it work). I'd probably get an ok score, but nothing incredible.


----------



## Alec§taar (Feb 18, 2007)

Jimmy 2004 said:


> I'm on XP home too, so doesn't work for me (don't know why they can't make it work).



Basically, I'd wager it'd work FINE, but the author of the program's going thru a CASE statement testing values returned from Win32 API calls @ its startup, testing what version of MS OS is running, due to the TINY diff.'s in its registries on them, & testing later as well for this while it performs its security analysis... he is simply, on a guess, missing detecting XPHome...



Jimmy 2004 said:


> I'd probably get an ok score, but nothing incredible.



Some guy out online CLAIMS to have an 8.34 score on it... but, he never posts any proofs that I saw, & I am VERY 'big' on putting out proofs to backup statements.

I am TRYING to work my way higher still, but the suggestions where it says I am missing security on registry permissions/ACL's, make NO sense, because they ARE SECURED PROPERLY... it's weird!

*EDITING THIS IN A FEW DAYS LATER (02/19/2007), so folks know what I mean, on "weird":* For example? It detracts from my score, badly & imo, wrongfully, in its services section!

Funniest part is, it does this for SERVICES I AM NO LONGER EVEN RUNNING, first of all... & secondly, even though I disabled them? I also lessened their logon entity to LESS THAN SYSTEM (down to NETWORK SERVICE or LOCAL SERVICE, just in case they somehow got remotely started (doubtful, but you NEVER know)).

That said - I can't see how this person could claim that score, unless he runs ALL of his services (which I doubt he needs to period & is wasting memory & cpu cycles + other forms of I/O in doing so): 

After all - He has the same registry paths for the most part, that I do, regardless of the OS version he runs, & couldn't have secured himself any differently than I did w/ out locking himself outta his rig, OR possibly severely crippling some of its abilities. I give a specific example of this below in fact...

APK

P.S.=> Another one it SPECIFICALLY & EXPLICITLY says to turn down, is the rights of the Windows Installer (runs as SYSTEM by default), which is EXACTLY what Joanna Rutkowska took Mark Russinovich 'down a peg' on recently here:

http://blogs.zdnet.com/security/?p=29

Problem is, when you DO secure it, by removing SYSTEM as the program suggests? Well, trying to use "Add-Remove Programs" in Control Panel, to uninstall something will NOT work anymore! apk


----------



## PVTCaboose1337 (Feb 18, 2007)

.63 on my laptop I'm on now...  Wow.


----------



## Alec§taar (Feb 18, 2007)

PVTCaboose1337 said:


> .63 on my laptop I'm on now...  Wow.



I understand your reaction:

Almost spooky, isn't it? Microsoft really sort of HAS to ship their systems in a 'less secured' & 'generic state', imo, so the OS' install & run, no problems on ANY machine...

BUT, you are 'open' in some ways, because of this.

(Yes, there ARE 'hardened' installations of the OS that some oem's make, not for the masses, but I know this has been done over time... or, there are folks out there making monies doing it, independently, for others).

* This is how you can LEARN to do that imo.

APK


----------



## PVTCaboose1337 (Feb 18, 2007)

I could make it better, but I am too lazy to update to SP2...


----------



## Alec§taar (Feb 18, 2007)

PVTCaboose1337 said:


> I could make it better, but I am too lazy to update to SP2...



LOL, awww... come on man!



* That only takes a few minutes to apply!

APK

P.S.=> That will help, SOME, but there is a LOT MORE this thing looks @ besides patches levels (that is very important though)... security's NOT a big priority for most folks imo... after all - PC's are just another "home appliance" to them, but, I guess my point is, for folks like us who are "into it" &/or make our living from it? This can be a job-skill learning session in many ways, in Computer Security related areas... GOOD for network techs & such especially, imo! apk


----------



## Alec§taar (Feb 19, 2007)

Nobody else, eh?



* Oh well... what can you do! You can lead a horse to water, can you make him drink??

(Too bad, because I was truly hoping someone would beat my score up there, & show us ALL how he did it, sharing "the good word" & all that!)

APK

P.S.=> Thing is guys, this is NOT a competition to me, or me vs. YOU: It's about learning more, each of us participating.

Heck, anything I found? I'd share it + did (in the URL's noted above) for everyone's good... but, again, imo? 

Security isn't a priority for most folks on a PC, not by a longshot (well, @ least not until they get 'hit' by it being weak - I was the SAME, until I did get 'taken advantage of' years ago on IRC... some guys told me HOW they did what they did, others not - that's what got me into securing a system really)... 

Then again, maybe folks are right & I am wrong - you probably can NEVER be totally secure nowadays online... apk


----------



## wazzledoozle (Feb 22, 2007)

I got a 1.88/10. I'm missing 16 "critical/important" updates and it says I should reinstall a lot of those already installed. Meh. I also don't run any local antivirus, so that probably cost me a lot of points. I think I'm just gonna nuke my XP installation today.


----------



## Alec§taar (Feb 23, 2007)

This is a testimonial to how Windows Machines are setup TOO generically outta the factory imo @ least...

* APPEARS TO BE A PROBLEM TO ME AT LEAST... That is, IF you value security @ all.

(Above all - No offense intended regarding anyone's scores, but if the scores we're seeing are stock setups purely? Well, seeing's believing!)

APK

P.S.=> You CAN shore it up though, I did, it seems to work fine & my system's the same as before function-wise, + faster... There is now enough literature on these forums to let you do so!

I'm going to write the folks @ BELARC though about some of the readings I got - scoring me downwards for services I don't even keep running & also disable + knock down their logon entity rights to ZIP (LOCAL SERVICE) as well, plus, how they scored me down on other things that I feel are "off", because I think my score's actually QUITE A BIT HIGHER than 5.0 in reality... apk


----------



## PVTCaboose1337 (Feb 23, 2007)

Now my laptop is a 3.13 of 10


----------



## Alec§taar (Feb 23, 2007)

You're doing better... Service Pack #2 alone get you up from your last score?



* If you work @ it, you can ALL get to "5.0"... I am going to try to get higher, & am going to inquire on some of the results as well w/ BELARC as I noted above.

APK

P.S.=> Screenshots? apk


----------



## PVTCaboose1337 (Feb 23, 2007)

Yep .


----------



## anticlutch (Feb 23, 2007)

Geez this made my day... 1.88/10
lol!


----------



## PVTCaboose1337 (Feb 23, 2007)

Your computer is protected well...  from you...  not viruses.


----------



## anticlutch (Feb 23, 2007)

I uninstalled my antivirus because it screwed with my logoff thing... with McAfee Enterprise installed my computer would not display the "Saving preferences" and those kinds of messages when I would shut the computer off (it would just show a Windows logo without any text and just hang there). I'm okay though... as long as I don't visit shady websites and don't open up weird emails, I should be reasonably safe 

Edit: After updating Windows my score went up to 3.13... nice


----------



## PVTCaboose1337 (Feb 23, 2007)

anticlutch said:


> I uninstalled my antivirus because it screwed with my logoff thing... with McAfee Enterprise installed my computer would not display the "Saving preferences" and those kinds of messages when I would shut the computer off (it would just show a Windows logo without any text and just hang there). I'm okay though... as long as I don't visit shady websites and don't open up weird emails, I should be reasonably safe
> 
> Edit: After updating Windows my score went up to 3.13... nice



Congrats, and goodnight.


----------



## Completely Bonkers (Feb 23, 2007)

APK

5.00 = good job man!

When I've got more time... I'll try and beat that score!

P.S. Old member... new name ;-)

Bonkers


----------



## Completely Bonkers (Feb 23, 2007)

I actually think the scoring should be different, ie. get "some" points for EACH item you lock down... not grouped in the way that calculate the score today... where if you CHOOSE not to implement just one thing... for real reasons... you lose a bunch of points even though you did lock down everything else.

But anyway... it's food for discussion.


----------



## Alec§taar (Feb 23, 2007)

PVTCaboose1337 said:


> Yep .



Excellent... Service Packs ARE worth applying by all means.



* You did yourself "right" popping that in there... quite the 'boost' in your score (like nearly 3 points worth).

APK


----------



## Alec§taar (Feb 23, 2007)

Completely Bonkers said:


> I actually think the scoring should be different, ie. get "some" points for EACH item you lock down... not grouped in the way that calculate the score today... where if you CHOOSE not to implement just one thing... for real reasons... you lose a bunch of points even though you did lock down everything else.
> 
> But anyway... it's food for discussion.



I agree, & it's part of what I am going to write BELARC's folks about, as well as being VERY WRONG (imo) on various points, I mention a few last page near the bottom that it 'hit me' on, such as services that I don't even HAVE RUNNING (non-security oriented ones mind you & I disable them + even altered their logon entity to LESS than SYSTEM as well, on top of disabling them (services I do run though, that will function correctly, also get this type of security hardening as well)).

APK


----------



## Alec§taar (Feb 23, 2007)

anticlutch said:


> Geez this made my day... 1.88/10
> lol!



See what I meant last page man? Microsoft I am pretty sure, can do a better job of this, especially out of the box/straight from them.

I realize they ship with MANY services active, so that systems can be put into say, a corporate network right away & work (stuff like Workstation &/or Server services)... but, you do NOT need them running period/all the time much less, if you don't use them & are NOT on a LAN/WAN!

They also leave services set as SYSTEM logon entity, & many will work just FINE set as a lesser ability logon entity & be more secure this way... BELARC doesn't pick up on this, anymore than it does say, a hardware firewall/NAT router!

APK


----------



## Alec§taar (Feb 23, 2007)

Completely Bonkers said:


> APK
> 
> 5.00 = good job man!



Thanks! Up from an initial score of 4.17, to 5.0, thanks to your pointing this program out to me, & my using it... 

Still, I have reservations about some of its scoring as do you, & also some of its analysis, which I am CERTAIN are in error in conditions I note above... but, overall?

It's a GOOD solid analysis & does work overall for helping to shore up PC security.



Completely Bonkers said:


> When I've got more time... I'll try and beat that score!



You go for it... it's "doable", & any one of you CAN reach my current score, because the tools to use are outlined in this thread, & also the "SECURING SERVICES" sticky thread, per your asking me how to implement some things to get them right for better security!

... me? I am 'going for more', myself.

Still, I am a LONG ways off of the 10/10 you figured I'd nab!

The program misses things though as well as making what I am SURE are mistakes... it doesn't pick up on hardware firewalls (not sure how it could), or even things like CUSTOM HOSTS FILES: Which add not only to your SPEED, but also better security per this thread:

http://forums.techpowerup.com/showthread.php?t=25937



Completely Bonkers said:


> P.S. Old member... new name ;-)
> 
> Bonkers



Really? PM me, tell me who you "REALLY ARE" (lol)...



APK


----------



## pt (Feb 23, 2007)




----------



## Alec§taar (Feb 23, 2007)

PT is in 2nd place, right behind myself:






& the evidence is shown above in a screenshot no less, from both of us!



* PT has the BEST initial score I have ever seen!

PLUS, & he didn't really "go after it" as I have been in registry hacks, NTFS & Registry rights alterations, & more, as I have trying to beat my score & find things in BELARC that need adjustment, which I will write them on for purposes of discussion... 

(BELARC ADVISOR, overall, is a good program, I am going to TRY to help make it better via this type of contribution)...

* BY THE WAY? GREAT job PT!

APK


----------



## Steevo (Feb 23, 2007)

1.25 on this PC here at work.


It doesn't take into account a good firewall and other security measures.


----------



## Alec§taar (Feb 23, 2007)

Steevo said:


> 1.25 on this PC here at work.



Spooky, isn't it?

I comment on some assumptions & what I feel are OUTRIGHT errors in its analysis thru the thread, & also that MS ships these machines or rather the OS itself, in TOO 'generic' & weak security-wise configuration imo @ least!

Take a look, if you would like to take a peek & have the time to do so.

Up to you - you have a great deal of savvy in this area, & are a network admin iirc? It may interest you greatly...



Steevo said:


> It doesn't take into account a good firewall and other security measures.



Nope, & again, SOME of what it states, makes NO sense to me (see what I wrote about it knocking me on scores on services I have set disabled, period, & even though disabled, I secured them down to LOCAL SERVICE as well... still I get demerited!)

I think my score's ACTUALLY around a 6-7, but I will write BELARC once we are 'done' testing this here, on some points I noted.

OVERALL, it's a decent program, & one I'd like to contribute to, in terms of feedback & thus, making it better.

APK


----------



## Steevo (Feb 23, 2007)

I don't know that I really feel threatened.


Some of the things here have to be in place for certain software to work, and others make my life and job easier. I renamed myself above Administrator and took control of most everything on our server. It considers that a security threat. I consider a new person with a laptop being given rights that haven't been locked down a threat.


To each their own however.


----------



## Alec§taar (Feb 23, 2007)

Steevo said:


> I don't know that I really feel threatened.



Again, I hear you, & understand... some of what it 'knocked me for' I KNOW in my case is WAY wrong!

(E.G. -> The services I keep turned off is FAR MORE SECURE than leaving them running, potentially, if they turn up with holes, & they have before).

I'll address that much w/ BELARC, because I do feel it is a decent program, but needs work/improvement.

It can be a real favor to users in this capacity, but it has to account for some exceptions.



Steevo said:


> Some of the things here have to be in place for certain software to work, and others make my life and job easier.



That I can understand completely.



Steevo said:


> I renamed myself above Administrator and took control of most everything on our server. It considers that a security threat. I consider a new person with a laptop being given rights that haven't been locked down a threat.



Agreed on BOTH accounts.



Steevo said:


> To each their own however.



Right, but I am actually going to collect a few issues I saw, & comment on them to BELARC's development team & hopefully, it all comes outta the wash & straightens them out on those counts which I mention above (only 1 of them, there are around 4-5 I question, STRONGLY).

APK


----------



## Guttboy (Feb 23, 2007)

Alec,

Initial run on laptop is 3.13....I am not sure I agree with being penalized for things not running at all....not sure why that is.


----------



## Alec§taar (Feb 24, 2007)

Guttboy said:


> Alec,
> 
> Initial run on laptop is 3.13....



Not bad - you're probably "up-to-date" on your Windows hotfixes & AntiVirus Definitions then would be my guess, judging on others' results that have scored around where you are (PVTCaboose being one iirc)...

YOU CAN GO HIGHER IF YOU TRY THOUGH! It's pretty much outlined how in this thread & also in the "Securing Windows' Services" sticky thread.



Guttboy said:


> I am not sure I agree with being penalized for things not running at all....not sure why that is.



I am going to find out when I write the people from BELARC ADVISOR... it appears that if you have even 1 thing that doesn't agree w/ their program in certain sections, you get 'taken down' for the whole section - trouble is, determining which one that is in some of the sections (the single element that is 'off' according to their program).

Makes no sense sometimes... e.g./again: I have a set of services I don't even RUN, being marked here as 'wrong', well... how can they be insecure if I don't run them @ all & have them set as DISABLED? On top of that - I even secure them more here, by lessening their logon entity to LESS THAN THE SYSTEM ENTITY (usually LOCAL SERVICE, if I disabled them).

I also secured services here that can take it & run full function from SYSTEM, to NETWORK SERVICE or LOCAL SERVICE, which does secure them further.

I'll find out soon enough as to WHY some of their scoring is the way it is.

APK


----------
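The two settings the post above keeps returning to, start mode and logon account, can be read for every service in one pass. This is an added example, not from the thread or from BELARC; it assumes PowerShell 3.0 or later (for `Get-CimInstance`), and the function names and note wording are made up here.

```powershell
# Added example: inventory each service's start mode and logon account so the
# "disabled" and "runs as less than SYSTEM" claims can be checked side by side.

function Get-AccountTier {
    param([string]$StartName)
    # Map the Win32_Service.StartName value to a rough privilege tier.
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { 'SYSTEM'; break }
        '^NT AUTHORITY\\Network ?Service$'     { 'NETWORK SERVICE'; break }
        '^NT AUTHORITY\\Local ?Service$'       { 'LOCAL SERVICE'; break }
        '^$'                                   { 'unset'; break }
        default                                { 'named account' }
    }
}

function Get-ServiceLogonAudit {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $tier = Get-AccountTier -StartName $_.StartName

        # Flag the combinations worth a second look.
        $note = if ($_.StartMode -eq 'Disabled' -and $_.State -eq 'Running') {
            'set to Disabled but still running in this session'
        } elseif ($_.StartMode -ne 'Disabled' -and $tier -eq 'SYSTEM') {
            'can start as SYSTEM: check whether a lesser account works'
        } elseif ($_.StartMode -eq 'Disabled') {
            'disabled: cannot start until re-enabled'
        } else {
            ''
        }

        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            State     = $_.State
            LogonAs   = $_.StartName
            Tier      = $tier
            Note      = $note
        }
    }
}

# Full listing, then a count per start mode and account tier.
$audit = Get-ServiceLogonAudit
$audit | Sort-Object StartMode, Tier, Name | Format-Table -AutoSize
$audit | Group-Object StartMode, Tier | Select-Object Count, Name |
    Sort-Object Name | Format-Table -AutoSize
```

Saving the output before and after a hardening pass gives a concrete record to set against what a scoring tool reports for the same services.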



## Alec§taar (Feb 24, 2007)

*"Hector... HeCtOr... HECTOR!!!", lol...*

^
|

"up, Up, UP!!!"






*"Is there NO ONE else?"* - Achilles' challenge to the Thessalonian Army after defeating their champion Agreus... lol!



* Have @ it guys... & good luck!

APK


----------



## Completely Bonkers (Feb 25, 2007)

APK... good job at getting this topic discussed. Thanks for keeping it live. I WILL ADD when I've got more time available.

However, I've just found another interesting tool, Sunbelt Software / Sunbelt Network Security Inspector.  It's not free like Belarc... it's $2000!!!!... but I think there is a demo.  The output is nicely structured with explanations of the problems and what to do about it. Take a quick look.


----------



## Alec§taar (Feb 25, 2007)

Completely Bonkers said:


> APK... good job at getting this topic discussed. Thanks for keeping it live. I WILL ADD when I've got more time available.



Oh, no problem, & you're welcome for 'turning me onto it' (this program)... it's decent, but does make some errors imo @ least, & I note a few above. 

I intend to write them about it, & hopefully improve their program, OR misconceptions I MIGHT HAVE (either is possible).

It's so we can ALL learn about PC security, moreso, & this program helps in that capacity. In today's world of virus/spyware/malware/rootkits/nuisanceware, etc. et al? 

Its analysis & your personal 'shoring up security' work using it as a baseline analysis can save you from a system rebuild @ the OS + software level (a PAIN).



Completely Bonkers said:


> However, I've just found another interesting tool, Sunbelt Software / Sunbelt Network Security Inspector.  It's not free like Belarc... it's $2000!!!!... but I think there is a demo.  The output is nicely structured with explanations of the problems and what to do about it. Take a quick look.



Whoooosh, that's some HEAVY coins... However, I will keep it in mind as well. 

By the way?

Microsoft has tools of that nature like SCW ('security configuration wizard') on Windows Server 2003 ONLY (& then, you have to install it, it does not by itself @ OS install), 

& 

Also their Microsoft Baseline Security Analyzer (BOTH FREE) as well... & the latter is for 2000/XP/Server 2003 (not just 2003 like the former)!

(Some you might want to check out too!)

"Tit-for-tat & ALL THAT"



* The ONLY part about MS' security analysis tools that is SOMEWHAT of a pain, is that they demand you run certain services (in the case of Server 2003 & SCW, the workstation service, which ordinarily I do NOT use - this is much like Windows Defender demanding Automatic Updates & more are running as services that are active for its update)... I am fairly certain IIRC? That Microsoft Baseline Security Analyzer will demand similar services running for IT to work as well.

APK


----------



## Alec§taar (Feb 27, 2007)

*I think I MAY have an answer, to get a higher score on this beast & it's simple:*

And, per my subject-line/title above? Anyone want to test out a theory I have??

If you have a limited user logon, & have already taken this test...? That answers it for me: My idea would be wrong.

I logon as an ADMINISTRATIVE GROUP USER, & one w/ considerably more 'power'/abilities than normal admins, up near SYSTEM level privileges on many things!

(AND, imo? This alone, probably hurts my score on this, badly)

HOWEVER, like Steevo said here earlier? 

Doing so, just makes working on this thing, that much easier, as it would for he being a AD Administrator level user top-level, as well as having full rights to all systems under said network). I am as secure as I can make myself @ this point, I can't move any farther... & am going to discuss this w/ the folks @ BELARC once this final 'test' is done!

*'THE TEST':*

I'd bet that IF I (or, you others who didn't run this test as an Administrator group user member) were to logon as say, a limited use user? 

That your, OR I'd 'bat off' close to the 10/10 CompletelyBonkers thought I'd snag... but, this IS only theory...

I don't have ANY limited use users here, & the ones I do have are basically 'cut off' & @ many places thru the system (tools noted to use to do this test & do better on it, & more in other tools)... I don't honestly know if I'd catch them ALL @ this point, all the places I shredded them out of my system as best I could.

** SO/BOTTOM-LINE* - anyone who has run this test, as an administrator? Would you be willing to logon on some other LIMITED account, say GUEST, & then try it again, to see if it raises your score??

APK

P.S.=> I have a feeling it very well may... apk


----------



## Alec§taar (Mar 2, 2007)

*Well, I wrote BELARC.COM today: & this was the content... apk*

Per my subject line above:

I have a number of questions regarding the "BELARC ADVISOR" browser security check up product, & some of its objections it has noted in my security setup.

(I.E.-> Some do not make sense to me, as to WHY I was 'downgraded' on some of them, & this is why I have written you folks).

I can send specifics, or any files you wish to use from my system which BELARC ADVISOR generated, upon request.

It is overall a good program imo, but because I question some of its findings? I think it may be better... conversely?

(NOW: IF I am incorrect on my assumptions on the ones I feel are "off", then I just get THAT MUCH STRONGER for it, & my system will as well, security-wise.)

* Thanks!

Sincerely,

Alexander Peter Kowalski
apk4776239@hotmail.com
apk

P.S.=> My current score is 5.00/10 possible, & I would, of course, like to be a perfect 10/10... so, your advice is appreciated... thanks! apk


----------



## Completely Bonkers (Mar 2, 2007)

Alec, 

I think your email to them was a little general. You also said you had some questions... but you didn't pose them! LOL. I doubt they are mind readers... (although I can read your mind. LOL)

I'm going to do 2 things now:

1./ Find the CIS recommendations... since BELARC scores against the CIS rules

2./ I'll run in guest mode just to check results

****

P.S. I turned off Terminal Services some months ago on my laptop. And today I discovered why my infrared wasn't working... needs TS for the infrared service to work.

I do wish Windows would somehow make this information - and dependencies - more accessible to NON-PROFESSIONALS.


----------



## Alec§taar (Mar 3, 2007)

Completely Bonkers said:


> I doubt they are mind readers... (although I can read your mind. LOL)



Careful: You can't always believe what you read... & bear in mind: You may not like what you find... lol!






Do read on!



Completely Bonkers said:


> Alec,
> 
> I think your email to them was a little general. You also said you had some questions... but you didn't pose them!



Note, that in the content of my letter, I wrote them I would/could submit any files they may require from it, which WOULD contain the information needed. I don't supply information until it is asked for in situations like these...

E.G.-> One will be, that it knocked me around on the services section!

(Which I can't understand, because I secure their logon entity & disabled ALL the ones they cut me down for, and set them disabled PLUS cutting their logon entity to LOCAL SERVICE (vs. SYSTEM or NETWORK SERVICE even, since local service is the weakest of the 3, in case somehow, an interloper/virus/malware/spyware turned them on, like in the event of a weakness/hole found in them - this? HAPPENS!))

There are others, plenty of them, in the post we initially discussed this in, but that would only be a TINY fraction of what I wish to discuss w/ they @ BELARC.

Many others as well. In fact, TOO many to put into that letter... I supply when asked for, & not before typically.

I also suspect that one's score COULD be raised by logging in as a LIMITED user (such as something like GUEST account, which I disable, but not sure... I note this above as an experiment to perform).



Completely Bonkers said:


> I'm going to do 2 things now:
> 
> 1./ Find the CIS recommendations... since BELARC scores against the CIS rules



There is that, an ENTIRE LISTING of the sources used to develop the product by... pretty respected ones too. Still, per the SINGLE example above I posted & I have plenty of others it cut me down for? I question it, severely.



Completely Bonkers said:


> 2./ I'll run in guest mode just to check results
> 
> ****



Right... I wonder if it covers that part (it does not account for firewalls or NAT routers (true firewalling ones like mine even, not just NAT IP address assignments, which is NOT as strong))

Not that their sources are "Bad", they're not... I typically do NOT operate on "proofs" others provide, not @ first... I operate on MY understanding of this stuff, & then later, do what I am doing now - inquiring...

However, how BELARC's applying them, per their analysis, may be incorrect in some cases... again, or I am!

... & I am out to help improve that, in either event, in case the folks @ belarc are in error... or, conversely, I am.

Either way? Everybody wins...

ALSO - Some things, BELARC ADVISOR doubtless can't account for... too new of attack vectors, or less obvious ones (such as what custom adbanner HOSTS files can secure you against, or turning off javascript/java & ActiveX/ActiveScripting in your webbrowsers on the public internet as well, using them ONLY if a site loses functionality doing so, & it is one that you need to access for whatever reasons).



Completely Bonkers said:


> P.S. I turned off Terminal Services some months ago on my laptop. And today I discovered why my infrared wasn't working... needs TS for the infrared service to work.



Odd it would require that... but, if it does, it does. Turn it back on... other things need it as well, like RDP (remote desktop) stuff iirc...

Only turn off services for security, if you ABSOLUTELY do not need them... sometimes, you turn this up later on (I did for PerfectDisk in fact... it needs DCOM Process Launcher started for example).



Completely Bonkers said:


> I do wish Windows would somehow make this information - and dependencies - more accessible to NON-PROFESSIONALS.



If infrared tools need it? It SHOULD be listed in each service's DEPENDENCIES tab... there is that you know!

(I take it, it wasn't for this infrared service?)

APK
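
Added example (not part of the posts above, and not Belarc's or CIS's own logic): a Python audit over constructed `sc qc` output that reports each service's start type and logon account, and flags an enabled service whose dependency has been disabled, the situation described with infrared and Terminal Services. The sample text, the Irmon/TermService pairing and the flagging rules are assumptions made for illustration.

```python
import re

# Constructed sample: `sc qc <name>` output for three services, concatenated.
# The Irmon -> TermService dependency mirrors what the thread reports.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TermService
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k DComLaunch
        DISPLAY_NAME       : Terminal Services
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : NT AUTHORITY\LocalService

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Irmon
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        DISPLAY_NAME       : Infrared Monitor
        DEPENDENCIES       : RPCSS
                           : TermService
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RpcSs
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k rpcss
        DISPLAY_NAME       : Remote Procedure Call (RPC)
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
"""

FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")


def parse_sc_qc(text):
    """Return {service: {start_type, account, depends_on}} from `sc qc` text."""
    services, current, last_key = {}, None, None
    for line in text.splitlines():
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
            current = {"start_type": None, "account": None, "depends_on": []}
            services[name] = current
            last_key = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith(":"):
            # Continuation line: sc prints extra dependencies one per line.
            if last_key == "DEPENDENCIES" and stripped[1:].strip():
                current["depends_on"].append(stripped[1:].strip())
            continue
        match = FIELD.match(line)
        if not match:
            continue
        last_key, value = match.group(1), match.group(2).strip()
        if last_key == "START_TYPE" and value:
            current["start_type"] = value.split()[1]  # "4   DISABLED" -> "DISABLED"
        elif last_key == "SERVICE_START_NAME":
            current["account"] = value
        elif last_key == "DEPENDENCIES" and value:
            current["depends_on"].append(value)
    return services


def audit(services):
    """Flag enabled LocalSystem services and enabled services with a disabled dependency."""
    findings = []
    by_lower = {name.lower(): name for name in services}  # service names are case-insensitive
    for name, svc in services.items():
        if svc["start_type"] == "DISABLED":
            continue  # a disabled service cannot be started, whatever its account
        if (svc["account"] or "").lower() == "localsystem":
            findings.append((name, "enabled and runs as LocalSystem"))
        for dep in svc["depends_on"]:
            target = by_lower.get(dep.lower())
            if target and services[target]["start_type"] == "DISABLED":
                findings.append((name, f"enabled but depends on disabled service {target}"))
    return findings


if __name__ == "__main__":
    parsed = parse_sc_qc(SAMPLE_SC_QC)
    for name, svc in parsed.items():
        print(f"{name:12} {svc['start_type']:11} {svc['account']}")
    for name, message in audit(parsed):
        print(f"REVIEW {name}: {message}")
```
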


----------



## Namslas90 (Mar 3, 2007)

Stupid Belarc Advisor, after running test, said I got a 2.4 (sorry no pic, read on); The stupid program got into a fight with my system, had to reboot and Un-install Belarc and do a few other things just to get back online (took almost 3 hours). The thing I noticed is that to increase my score I would have to;

SET Min and MAX password lengths;

Have a different password for Administrator, and User (Even though they are the same person).

Set passwords Schedule to require Passwords be changed every day.

That's already too much trouble, I want to turn the computer on and have it work; I don't need any passwords or any of that crap!!

This Belarc thing is for big corporate applications, not home computers.


----------



## Alec§taar (Mar 3, 2007)

Namslas90 said:


> Stupid Belarc Advisor, after running test, said I got a 2.4 (sorry no pic, read on);



That's actually NOT "all that bad" man, look @ some other folks' scores, & see what I mean by that... & it's NOT their faults, @ least not entirely... MS ships their OS "pretty wide open" so it deploys easily, & runs w/ EVERYTHING pretty much!

This has downsides, but makes life 'easier' @ the outset @ least, until someone finds holes in said default setup, creating the need for change.

Don't dismiss it entirely though - it does make a LOAD of good suggestions, & per your objections list below? I'll help you thru some, hopefully.



Namslas90 said:


> The stupid program got into a fight with my system, had to reboot and Un-install Belarc and do a few other things just to get back online (took almost 3 hours).



That is ODD that it would... what webbrowser is your default one? I ask, because you may have found a bug in the browser YOU use, and you ought to report it to its maker(s), IF you can consistently duplicate it, that is.



Namslas90 said:


> The thing I noticed is that to increase my score I would have to;
> 
> SET Min and MAX password lengths;
> 
> Have a different password for Administrator, and User (Even though they are the same person).



secpol.msc is where you change this... 

Go up to, iirc, 12-14 (iirc, 14 is the max, but I could be off here) characters as MIN @ least, max? 

Heck... whatever it will take. 

See, the longer THIS is?? The longer it takes 'brute force dictionary crackers' to work... & the time involved for that, even on a FAST computer, is huge & especially @ those lengths & up...

Also, you can supplement THAT, by allowing only say, 3 tries on an incorrect password entry (all done in secpol.msc iirc), & that also helps 'stall' those types of attacks.



Namslas90 said:


> Set passwords Schedule to require Passwords be changed every day.



Logging on as Administrator, even though largely 'frowned upon' nowadays? Offsets this usually, iirc.

See, I do... but, I am out to secure the HECK out of logging ON as Administrator... they say that though, WITH good reason, because anything YOU run on your machine (while you are logged on) runs in that user's security privilege context (most of it that is, some stuff runs as SYSTEM, like installers, imo a NO NO, but how they are currently)... so, that said?

IF you 'suck in' a malware? It has ALL of your powers... & if you logon as Admin? Well... it can do, pretty much what YOU can!



Namslas90 said:


> That's already too much trouble, I want to turn the computer on and have it work; I don't need any passwords or any of that crap!!



Well, I see YOUR point: A matter of convenience. That is, until you get "hit" by something that uses the 'security-holes' this & other programs like it, can find, & help you patch up!



Namslas90 said:


> This Belarc thing is for big corporate applications, not home computers.



Well, I tend to differ, but... to each his own!



* If you have nothing to worry about on your local system? Then, agreed, you can do without it... me? The ONLY reason I go thru this, @ least @ home?? Is so I do NOT have to redo my system setups (ghosting helps though) due to being busted up by some kind of attack via malware/spyware/virus, OR remote intruders... it's a PAIN for me, trust me, because my systems are SO 'customized', & not only @ the OS level, but in my games, compilers, & more... 

Well, thank goodness for GHOST & progs like it!

They help, some, & a LOT, if I keep their images up to date... but, problem is, what if I ghost some setup that has an exploit that nothing I have in the way of security stopped, & I didn't keep multiple images ready (& I do, 4 deep, & though it takes up a LOT of my space, it's worth it to me)? I am screwed, blued, & TATTOOED, even IF I ghosted.

Anyhow... to each his own, I respect that, above all else.

APK
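
Added example (not part of the posts above, and not Belarc's or CIS's scoring): a Python check of constructed `net accounts` output against the two settings suggested in the post, a long minimum password length and a lockout after a few bad tries, plus an estimate of how many online guesses per day the lockout policy still allows. The thresholds (12 characters, 3 tries) come from the post's suggestion; the sample text and function names are assumptions made for illustration.

```python
import re

# Constructed template of `net accounts` output; two fields are filled in below.
TEMPLATE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              {min_len}
Length of password history maintained:                None
Lockout threshold:                                    {threshold}
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""
WEAK_POLICY = TEMPLATE.format(min_len=0, threshold="Never")   # constructed
HARDENED_POLICY = TEMPLATE.format(min_len=14, threshold=3)    # constructed

# "Key:   value" where the value column is padded with at least two spaces.
LINE = re.compile(r"^(.+?):\s{2,}(\S.*)$")


def parse_net_accounts(text):
    """Return {setting name: raw value string} from `net accounts` output."""
    policy = {}
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            policy[match.group(1).strip()] = match.group(2).strip()
    return policy


def as_number(value):
    """Numeric settings as int; 'Never', 'None' or a missing setting as None."""
    return int(value) if value is not None and value.isdigit() else None


def online_guesses_per_day(policy):
    """Upper bound on logon guesses per day against one account.

    None means the policy sets no bound (no lockout threshold configured).
    """
    threshold = as_number(policy.get("Lockout threshold"))
    duration = as_number(policy.get("Lockout duration (minutes)"))
    if not threshold:
        return None
    if not duration:
        # No numeric duration: assume the account stays locked until an admin unlocks it.
        return threshold
    return threshold * (24 * 60 // duration)


def days_to_exhaust(length, guesses_per_day, alphabet=95):
    """Days to try every password of `length` over `alphabet` symbols at that rate."""
    if guesses_per_day is None:
        return None  # policy gives no rate limit, so it gives no time bound either
    return alphabet ** length / guesses_per_day


def audit(policy, min_length=12, max_threshold=3):
    """Compare parsed settings with the post's suggested values."""
    findings = []
    length = as_number(policy.get("Minimum password length")) or 0
    if length < min_length:
        findings.append(f"minimum password length is {length}, want >= {min_length}")
    threshold = as_number(policy.get("Lockout threshold"))
    if not threshold:
        findings.append("no lockout threshold: online guessing is not rate-limited")
    elif threshold > max_threshold:
        findings.append(f"lockout threshold is {threshold}, want <= {max_threshold}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        policy = parse_net_accounts(text)
        print(label, audit(policy) or "OK", online_guesses_per_day(policy))
```
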


----------



## BXtreme (Mar 3, 2007)

i got a 0.63 w/ default setting in 2k3, but i'll turn it up for sure


----------



## Alec§taar (Mar 3, 2007)

BXtreme said:


> i got a 0.63 w/ default setting in 2k3, but i'll turn it up for sure



Turn it up MY way, for example? Here is where you can be:







By the time I am done with this? It should be higher than that... especially once I get feedback from BELARC themselves, & I wrote them about this all, per what I found, thus far.



* I'm going to beat 5.00... just like I beat my init. score of 4.17, just takes time & perseverance is all. I take my time about it, but @ this point?

I need consulting w/ BELARC, & last page? I wrote them, & you can see what I did @ this point @ least. I don't expect an answer until Monday or so, it is, after all, the weekend!

APK

P.S.=> And, on that note? Folks need their rest & play too... best security? A SHARP MIND! And, weekends help that imo... so does rest! apk


----------



## BXtreme (Mar 3, 2007)

hmm, considerable..Vista gave me 4.32 as 'default', but xp gave me 2.x something, it means Vista is really secure, but i just uninstalled it for some time....


----------



## Namslas90 (Mar 3, 2007)

Well I ran it again, and noticed i got a 2.5. Also noticed that I got no scores because it could not detect a lot of the things I have installed, IE Virus Protection, Spyware Protection, Im protection, Password protection ETC- Basically all of my security was undetected by the Belarc Advisor, and yet I see the name of My Protection Software on their list of supported applications. It also lists all the User accounts on my system as DISABLED and NEVER logged in. Now the way I see it is; if they say they can't detect it and therefore give me a lower score, they are just fishing for my business by offering to sell me their service to admit I have the protection I already have!! I think something is fishy about this program, and still think it is only for Business applications and networks. (I have neither)!

I do like the way it can scan your computer and give you more Information than Windows!!


----------



## Alec§taar (Mar 3, 2007)

*Learn to know the DarkSide of the Force, & YOU ACHIEVE A POWER, GREATER THAN ANY JEDI*



BXtreme said:


> hmm, considerable..Vista gave me 4.32 as 'default', but xp gave me 2.x something, it means Vista is really secure, but i just uninstalled it for some time....



Excellent point on VISTA security... I am GLAD somebody decided to test IT, this way, as well!



* Proof's in the security pudding, per Bxtreme!

APK

P.S.=> I helped Scavar in 'pm' achieve up to nearly 2x his score initially already (1.88 -> 3) & he was already 'into' this area... & this area? It's one of the 'more arcane' & useful (especially out there online today, w/ all the risks inherent) ones, & I think of it THIS way (along w/ coding):

*"Learn to know the DarkSide of the Force, & YOU ACHIEVE A POWER, GREATER THAN ANY JEDI" - Darth Sidious*

Per my subject-line/title-line for this reply here in this thread, above... lol!

... going for MORE now with him... it's DOABLE! apk


----------



## Alec§taar (Mar 3, 2007)

Namslas90 said:


> Well I ran it again, and noticed i got a 2.5. Also noticed that I got no scores because it could not detect a lot of the things I have installed, IE Virus Protection, Spyware Protection, Im protection, Password protection ETC- Basically all of my security was undetected by the Belarc Advisor, and yet I see the name of My Protection Software on their list of supported applications. It also lists all the User accounts on my system as DISABLED and NEVER logged in. Now the way I see it is; if they say they can't detect it and therefore give me a lower score, they are just fishing for my business by offering to sell me their service to admit I have the protection I already have!! I think something is fishy about this program, and still think it is only for Business applications and networks. (I have neither)!
> 
> I do like the way it can scan your computer and give you more Information than Windows!!



It does have some 'drawbacks & shortcomings' & I also have objections, but this IS part of why I wrote them (list of mine are in this thread, some in particular REALLY bother me & I repeatedly note 1 or 2, because I am fairly CERTAIN they are 'off' on them).

Also, per your reply?

BELARC ought to let users do a 'customized exceptions list' for yours in particular (in that they do not account for different programs used for security, such as less known or used AntiVirus programs, & even AntiSpyware resident ones etc. or diff. firewalls, et al)...

(In fact, in my discussion w/ them, per the letter I wrote them on last page (upcoming talking to they, it's the weekend, so I don't expect reply until Monday or so), I will direct them @ this thread, so they can see your objections (all of you), & yes, mine as well!)

* All to make this program, ALL THAT MUCH BETTER!

APK

P.S.=> Again: *"Learn to know the DarkSide of the Force, AND YOU ACHIEVE A POWER, GREATER THAN ANY JEDI!" - Darth Sidious*... apk


----------



## BXtreme (Mar 3, 2007)

just wanted to know, what do all these security tweaks matter ? i reinstall my os (any1 of them, i have lots but not all) every 40 days so i can't tweak every time. so i let tuneup utilities do it for me. any other reason to security tweak for a gamer/hardcore user ?


----------



## Alec§taar (Mar 3, 2007)

BXtreme said:


> just wanted to know, what do all these security tweaks matter ? i reinstall my os (any1 of them, i have lots but not all) every 40 days so i can't tweak every time. so i let tuneup utilities do it for me. any other reason to security tweak for a gamer/hardcore user ?



Well, if you like having a long-term setup preserved, so you do NOT have to do reinstalls? GHOSTING helps, but keeping that current is a bit of work & yes, even GHOST has downsides, see my ps below for that... do read on please, thanks!

AND, imo? On the account above?? It matters... for me to redo my system, reinstall ALL programs, customize the OS & my compilers & much more (games even, & many system files, movements of them to diff. disks like logs & more)??? Takes DAYS, literally, if not a week in total hours!

I save a great deal of time using prebuilt generic .reg files for instant merges, but even w/ that? Takes a while... GHOST saves some time, but it is tough to keep 100% current on it.

*It also matters, regarding others... try to think of this, this way:

Ever heard of "typhoid mary"?*

Well, if not? She had a plague (typhus/typhoid fever) & was a carrier, but operated JUST FINE... 

* If you get infected or exploited, you may not just "go down" but could be serving as a carrier/spreader, & also functioning as part of a "bot net" etc., so it is really also, considering others...

APK

P.S.=> This is ALL personal preference though... up to the individual! I do it, mainly, to NOT have to go & rebuild it all again (even if I have timesaving tricks)... 

*AGAIN, on GHOST:* Though a great program & concept (outta the shareware/freeware leagues no less is where it came from so you guys know), is subject to backing up infectors too, & I will NOT stand for that!

(I keep 4 backups deep here, each one building a BIT MORE on top of the next, but they are out of date on patches from MS & other apps too... a 'downside' of GHOST, imo @ least - *you can never be totally current, AND you can never be sure you didn't back up the plague, like a melting glacier might have 'trapped under ice' (per Metallica tune of the same name, lol)*)... apk


----------



## BXtreme (Mar 3, 2007)

for long term use then, ok.
vista gets that score with default state, after applying current 18-20 released patches, it should get more score, right ? i'll try this later for verifications.


----------



## Alec§taar (Mar 3, 2007)

BXtreme said:


> for long term use then, ok.



That, & not doing what this tune by Queensryche said:

"Spreading the disease"

(Awesome tune, check it sometime)

Per my "p.s." in my last post above, & especially regarding GHOST on a couple accounts (this one, & the fact it's going to be out of date on patches most likely & MAY CONTAIN BUGS, especially unknown ones @ the time of the backup)...



BXtreme said:


> vista gets that score with default state, after applying current 18-20 released patches, it should get more score, right ? i'll try this later for verifications.



Yes, you ought to... applying the latest service packs & also patches raised guys from scores like .63 to 3's ranges alone on XP here earlier (see back in this thread for that statement's evidence)... doing what I do? Takes you farther... 

EVEN PAST SECURITY you saw on VISTA, by default!



* Looking forward to your patched level score on VISTA though, eagerly!

APK


----------



## BXtreme (Mar 3, 2007)

it's 8:30p.m here, so i'll try it later  any free partition resizers with gui ?


----------



## BXtreme (Mar 3, 2007)

never mind, i'll try it tomorrow on Vista...


----------



## Alec§taar (Mar 3, 2007)

BXtreme said:


> never mind, i'll try it tomorrow on Vista...



Cool, because I, for one, am seriously looking forward to it...



* I have a feeling, that my 'challenge' (per the Achilles photo I always put up & HIS challenge lol) will be met by you!

(Simply by your using a more modern & secured OS, especially after you update it, that it will be even more secure, per this test, than the model I use is by default (it is already, this much I can guarantee @ this point) but, even past what I am achieving thus far after my personal methods for this topic: securing an OS + its apps)... 

Finally, I think, if anyone does pass my score?

It will be you, on VISTA!

APK


----------



## BXtreme (Mar 3, 2007)

maybe, 5 years by the hardworking Vista programmers didn't go in Vain, they've made it the best os ever. Though i still love mac os x tiger, i just couldn't get it to work on my 'test setup', i'll try that after a month cuz i also haven't got time hehe, well...hope to see this forum after 6-7 hours as it's night time here, loggin out


----------



## Completely Bonkers (Mar 3, 2007)

From CIS themselves, a more detailed test with remedies...

Belarc is still nicer for a one page diagnostic of the whole computer, but the CIS tool looks promising for pure security issues:

http://www.cisecurity.org/tools2/windows/ng_scoring_tool-gui-1.0-win32-nojvmbundle.exe


----------



## BXtreme (Mar 5, 2007)

OMGWTF!!! Now that I start belarc in Vista it says only compatible with 2000, XP, 2003 ???? last time it didn't say anything,  what's happened ???


----------



## Alec§taar (Mar 5, 2007)

*Hey man... patch that beastie, & have @ it: Show us VISTA @ "max-security"*



BXtreme said:


> never mind, i'll try it tomorrow on Vista...



Did you get to fully patch VISTA on its critical security updates & what-not? If so, run her again as you stated you'd "get around to" & let 'er rip!



* Anticipating surprising results here... & good luck!

APK

P.S.=> If anyone's going to pass my score of 5.00/10 on this test, imo, it is going to be fully patched VISTA users, & if not? Then fully patched VISTA users, using the suggestions that BELARC yields... apk


----------



## Alec§taar (Mar 5, 2007)

BXtreme said:


> OMGWTF!!! Now that I start belarc in Vista it says only compatible with 2000, XP, 2003 ???? last time it didn't say anything,  what's happened ???



Ok, per my last post above, I did not see you did try it again... &, I am assuming this is on VISTA, & this round, FULLY security critical updates patched.

I have seen folks w/ XP Home state this earlier on in this thread, & unlike many software installers that say for "XP only"? There are doubtless actual VALID & LEGITIMATE reasons for OS version checks @ installation (because they are slightly different, & @ the registry &/or features levels for instance)... not just to get more money out of you asking for "server versions only" for instance of particular softwares.

My guess would be, first: TRY IT AGAIN... & if no go still, & you patched? MS has done SOMETHING subtle in one of the updates that is hosing it now, on the aforementioned OS version checking programs of THIS nature, doubtless RIGHTFULLY & CORRECTLY perform... & as I noted to XP Home users here earlier? They are probably not aware of the version check string to account for in this version of VISTA (patched ones) most likely.

* Ugh... & I was SO looking forward to your results on this, on a FULLY SECURITY PATCHED VERSION OF VISTA!!!

APK

P.S.=> Another issue I'll discuss today hopefully, w/ BELARC's folks, once they respond to my letter I wrote them (content thereof on the last page of this thread before this one), & I will probably direct them to THIS VERY THREAD... to help them make their program all that much better on ALL levels noted for objections to Security, & OS version checkings... apk


----------



## BXtreme (Mar 5, 2007)

i've installed all updates up-to-date, and tried again, tried w/ out updates but still no luck.
something's quite wrong here, has belarc's prior version thought that my vista was xp and rated it ? Or has any of vista's updates done something. The last time i did it, it gave me 4.32, all hotfixes installed and antivirus up-to-date was the status.
and now it gains the understanding of that it ain't compatible ???
pls see this page from download.com, it says its requirements state that it can run on vista, but practically not!
http://www.download.com/Belarc-Advisor/3000-2094_4-10636466.html?tag=lst-0-1


----------



## Completely Bonkers (Mar 6, 2007)

I have the 7.2h and 7.2k installers if you need an "old" version.


----------



## Alec§taar (Mar 6, 2007)

Completely Bonkers said:


> I have the 7.2h and 7.2k installers if you need an "old" version.



BxTreme: DO TRY AN OLDER VERSION OF THE PROGRAM AS BONKERS SUGGESTS!



* Odds are, something has changed in the new models, & it is messing w/ you now, per the explanation of "OS VERSION STRING CHECKING" many programs perform (usually to get you to buy a more expensive 'server model' of a program, same thing, w/ MAYBE client-server tools (easy to make no less) for network wide central admin'ing mostly in programs of that class, vs. their 'end user' models... like you see in NAV for consumers, vs. NAV Corporate Edition AntiVirus for example)...

This program HAS good reason to do checking of this nature, because @ this level, some folder structures, features & registry entries ARE diff. between PRO/WORKSTATION models of Windows, & Server Class ones... & thus, the program has to check what model of Windows it is running on, & then, treat it accordingly for security analysis to account for the differences.

I hope I explained that ok so you understand it... I have had trouble expressing myself well the past week or so... I think I need more sleep, lol!

Anyhow... there you go!

APK

P.S.=> BELARC wrote me back, w/ what looks like a std. form letter, & too bad, I would help them out, gratis, on suggestions & EVEN CODE if needed, to make it better to account for my objections noted above & thru this thread (small sampling only too, I would have given them more, reasons why they are 'off' & I am CERTAIN they are in places)... oh well! Letter is below... apk


----------



## Alec§taar (Mar 6, 2007)

*LETTER I GOT IN REPLY TO BELARC, per the first one I sent a page or two back...*

Hi,

Thank you for your question or comment regarding our Free Belarc 
Advisor. Since this is a free product, we may not always be able to 
provide individual responses or assistance for this program. We do 
read every email we receive and respond when possible.

It's best to get the latest version of the Advisor from
http://www.belarc.com/free_download.html

and check to see if your issue has already been resolved.

If you are finding that your browser is not showing your PC's Belarc 
Advisor profile please try the following steps:

1. Open Internet Explorer
2. Select File>Open
3. Select Browse, then navigate to the following directory:

c:\program files\belarc\advisor\system\tmp

4. In this directory you will find a file named like 
(computer_name).html. Please highlight this file and select Open.

When you don't see your PC's profile, that's caused by Windows being 
mis-configured so that it doesn't use your web browser to open files 
with the .html file extension. This usually happens when you switch 
the web browser you use, or install an application that helps view or 
edit web content. You can fix this in the Folder Options Control 
Panel. On the File Types tab, select the HTML extension and click the 
Change... button to set your browser to be used for HTML files.

Please let us know how the above help out with your question.

Best regards,
Angela

**************************
Angela F. Mosscrop
Sales/Marketing Assistant
Belarc Inc.
Email: amosscrop@belarc.com
Web: http://www.belarc.com
**************************
====================

*MAN - a std. 'form letter'...*

... too bad, like I said above... 

* IMO - The BELARC ADVISOR FOLKS do NOT seem receptive to critique, OR seem willing to discuss POSSIBLE errors on their end.

(Could be mine, but on the few I note here & in another thread? I actually STRONGLY doubt it!)

It's that (std. reply form letter from BELARC), or this is std. practice w/ them, initially!

APK

P.S.=> I'll pursue it more, because this IS a decent program, & w/ a BIT of advice? IMO, I can help them make it a LOT better... & so can you guys here, in your objections noted above... some very recent (like Bonkers & BXTreme's version check issue above)... apk


----------



## BXtreme (Mar 6, 2007)

*Alex, you MUST LOOK AT this !*

I've downloaded 7.2M, and started it, and now it thinks my vista ultimate is 2000, how-e-ever, I got a 3.75 this time.....gotta try some other versions too, do report this glitch


----------



## Alec§taar (Mar 6, 2007)

BXtreme said:


> how-e-ever, I got a 3.75 this time.....gotta try some other versions too, do report this glitch



Eventually, when I reply to that "std. form letter" above (me writing BELARC back), I will supply them my file from the browser it generates, & then each point will be addressed by myself, & WHY I KNOW SOME ARE WRONG!

(... & why I think others are as well, in the points it scored me bad on for my 5.00/10 score).

In fact, I am going to probably point their people @ this thread as well, so they can see your problems with it as well, & objections.

This is so we can get to the bottom of this, & improve this program (if possible) and also our own security (plus our scores).



BXtreme said:


> I've downloaded 7.2M, and started it, and now it thinks my vista ultimate is 2000



Is that the NEWEST/LATEST GREATEST, or OLDER MODEL? I am just curious in that regard, thanks...



* Thanks for reply, no hurry... & GOOD SCORE NEVERTHELESS on your end, @ 3.75 this round on VISTA (fully patched on your end in OS updates/servicepacks/hotfixes + AntiVirus' being updated too)...

APK


----------



## BXtreme (Mar 6, 2007)

i think it's a little old, cuz it says p3, but i have c2d at 1.93 LOL.
oh, and it's 7.2'M' confuses me a bit, latest version on download.com says 7.2k ???
i picked up the 'm' one from pcworld, while searching for old versions of belarc.
and i also don't think, belarc advisor knows what's my hardware and what sp i have installed.
BUT, it's a bit confusing that different old versions gave me different but above 3.5 results, so when it officially supports Vista, i may get a higher score 
Looking forward for belarc reply with you


----------



## Alec§taar (Mar 6, 2007)

BXtreme said:


> Looking forward for belarc reply with you



As am I... I am going to finish this up, hopefully, today!








* In any event, it's been an interesting experiment... & I intend to raise that 5.00/10 score I got shown above!

APK

P.S.=> HOPEFULLY, writing them will get some amendments done to this program, OR upset some assumptions I make possibly, regarding securing a PC... apk


----------



## Alec§taar (Mar 6, 2007)

*Well, off this letter went to BELARC today... awaiting answer, & I pointed them here*

Here is what I wrote the folks @ BELARC today:

==============================

The problem is NOT in the program's operation, OR, version I use, per your std. form letter reply:

It is more on issues I saw on its analysis. I like the program, & would like to better it, OR be proven wrong in my assumptions so I can secure myself further.

Also some folks on forums.techpowerup.com have noted difficulties in the program. 

E.G.-> I have scored 5.00/10 possible, but feel that in some cases, the program is NOT analyzing security absolutely properly. I am using the latest build by the way.

Here was the testing & what we found for your reference (below that are my personal objections to its findings):

http://forums.techpowerup.com/showthread.php?t=25428

To wit/some examples:

------------------------------------------------------------------
Available Services and Other Requirements section BELARC ADVISOR:
------------------------------------------------------------------
* I am being scored downwards on services I do NOT have enabled here (set disabled), period, first of all. I also secondarily secured said services by lessening their logon entity from SYSTEM to LOCAL SERVICE as well. Why then, am I being 'down-scored' on services which are NOT active AND have had their logon entity 'powered down' on top of that as a security measure?

------------------------------------------------------------------
Security Settings section of BELARC ADVISOR:
------------------------------------------------------------------
17.  Interactive Logon: Smart Card Removal Behavior

* I use no smartcard here period. This was amended in secpol.msc as well.

25.  Network Access: Remotely Accessible Registry Paths
26.  Network Access: Remotely Accessible Registry Paths and sub-Paths

*  Within the registry I completely BLANKED THOSE OUT & have for years... & my system runs just fine. If I have none there that are remotely accessible, why then am I being downgraded?

* Again, if your technical staff would like my output files? They're included in this mail as the attached file (.rar file)...

Sincerely,

Alexander Peter Kowalski
apk4776239@hotmail.com

P.S.=> She's a GOOD program, but I feel it makes some incorrect assumptions & yes mistakes. Perhaps I am wrong, but I think not on the counts noted above regarding security, & others if you need them the program noted as WRONG are in the attached .rar file... this will help to make the program BETTER! apk

==============================



* Well, one way or another? We SHOULD get some answers... not only to my examples above, but possibly your objections & findings too gents!

APK


----------



## ktr (Mar 6, 2007)

If you have belarc's products/services installed, for sure you will score a 10/10...


----------



## Alec§taar (Mar 6, 2007)

ktr said:


> If you have belarc's products/services installed, for sure you will score a 10/10...



LOL! Good point... per the tune by Queensryche, *REVOLUTION CALLING*: "And, now the Holy Dollar rules everybody's lives: GOTTA MAKE A MILLION, doesn't matter who DIES"



* Well, in any event, I have to 'blow past' the person who sent me the letter, & get to the folks that do the actual coding... they're WHO I want to converse with on this matter!

APK


----------



## ktr (Mar 6, 2007)

Well, I am looking at their services: http://www.belarc.com/belsecure.html

for $5000+ they will come and audit your computers and ...



> BelSecure features include the following:
> 
> * Automated, daily vulnerability assessment, including all Microsoft OS and Office vulnerabilities, anti-virus status, user account status, and more.
> * Web portal architecture. WAN based operation. Single Intranet server and database.
> ...



 5/10 = 10/10


----------



## Alec§taar (Mar 6, 2007)

ktr said:


> Well, I am looking at their services: http://www.belarc.com/belsecure.html
> 
> for $5000+ they will come and audit your computers and ...
> 
> ...



Remember what I said in this thread, early on? YOU CAN LEARN THIS YOURSELF... just by doing this & other stuff I have listed on the forums...

Learn, to EARN...

APK


----------



## ktr (Mar 6, 2007)

Alec§taar said:


> Remember what I said in this thread, early on? YOU CAN LEARN THIS YOURSELF... just by doing this & other stuff I have listed on the forums...
> 
> Learn, to EARN...
> 
> APK



amen!

Funny thing is that belarc told us the steps on what it takes to achieve 10/10...if you refer to my previous post, that is what they are auditing, therefore that is what they are rating us on. But this is mostly for corp. computers rather than the home user.


----------



## Alec§taar (Mar 6, 2007)

ktr said:


> amen!
> 
> Funny thing is that belarc told us the steps on what it takes to achieve 10/10...if you refer to my previous post, that is what they are auditing, therefore that is what they are rating us on.



Hence your earlier statement, that IF one puts their services offered into motion, for "5 gravities" worth of ca$h? You score 10/10...

Ah man... 

"BUT NOW I SEE PAYOFFS EVERYWHERE I LOOK - who do you trust, when everyone's a crook?" 

& 

"Everybody's using everyone, MAKING THE SALE" 

Per the band & tune I quoted above earlier...

Your viewpoint's a LOT like that tune is, & that IS MY VIEWPOINT...

APK

P.S.=> Still, my personal animosities for today's society aside? I am going to give them the 'benefit of the doubt' to discuss the issues I noted above, holding me down apparently, from a higher score & according to their program also, IMPERFECT SECURITY HERE... possible, but I DO FEEL their program errs, & too much! I would like to see it improved on several accounts is why (OR, conversely, POSSIBLY some bad assumptions on MY end, this is possible too)... it is a GOOD thing, for the most part! apk


----------



## ktr (Mar 6, 2007)

Here is another auditor I have found, really complex, certified CIS scoring:

http://www.cisecurity.org/tools2/windows/ng_scoring_tool-gui-1.0-win32.exe

and the manual: http://www.cisecurity.org/tools2/usersmanual/CIS_NGTool_Users_Manual-public.pdf


----------



## Alec§taar (Mar 6, 2007)

I hauled those down, days ago... not the pdf though, thanks for THAT!



What bothered me about it though, was iirc, when I tried to install it? IT DEMANDS I HAVE JAVA IN PLACE... a security violation period, imo @ least!

APK

P.S.=> Ok, I 'gave in' & installed it for now, for THIS test... I seem to do better on it, only a few objections thus far, but I only ran 1 of its tests (it too, makes mistakes, but the program was written prior to Windows Server 2003 having patches - I am UP TO DATE on those, running it here in a "workstation" capacity ONLY, & the tests are geared MORE to domain controllers etc.)... 

*#1.)* IT also makes a mistake on POSIX & subsystems, like BELARC did:

-------------------------
3.2.1.63 System settings: Optional subsystems
Check Type: Questionnaire
Status: Failed
Description

Here you can define subsystems which support running applications. The default entry of “POSIX” allows the POSIX subsystem to run. Defining this option but leaving the list blank will effectively disable the POSIX subsystem, which is only useful for Unix emulation services running on Windows.

Subsystems can spawn processes which access multiple user sessions. The poorly written subsystem may allow a process to escalate privileges by accessing another account's process
-------------------------

I burnt those out using secpol.msc, when I installed the OS, & BOTH programs mess up here too! BUT, iirc, they keep libs on the System (dlls iirc) & perhaps I have to find those & chop them out? I don't know... 

*#2.)* I set this as "for systems under attack" & yet I get this?

-------------------------
3.2.1.67 MSS: (AFD MaximumDynamicBacklog) Maximum number of 'quasi-free' connections for Winsock applications
Check Type: OVAL
Status: Failed
Description

A “quasi-free” connection is one in which the SYN packet is sent, but the full TCP 3-way connection handshake is not yet complete. This setting defines the number of uninitiated and the number of quasi-free connections per listening endpoint.
-------------------------

?

*3.) BELARC ADVISOR FAILS ME ON THIS ONE, YET KTR'S CIS TOOL TEST PASSES ME!*

-------------------------
4.1.37 Trivial FTP Daemon
Check Type: OVAL
Status: Passed
Description

Trivial FTP (tftp) offers a lightweight, unauthenticated version of the FTP protocol. The service is typically used for bootstrapping devices during automated startup, and is part of the requirements for a Remote Installation service (see 4.1.24). However, tftp is also a favorite protocol for propogation of worms and Trojan horse applications, and should be disabled wherever possible
-------------------------

NOTE your test, ktr, the one which BELARC is based on? Passes me here, but BELARC fails me, & on ALL OF THE PROGRAMS IN ITS LIST (21 of them no less, but I KNOW THIS IS OFF)!

I secured them via NTFS rights long ago, yet still BELARC ADVISOR fails me?

*4.) BELARC FAILS ME HERE, KTR's CIS TOOL TEST DOES NOT (again):*

-------------------------
4.2.39 Take ownership of file or other objects
Check Type: OVAL
Status: Passed
Description

A user who “owns” a file has greater authority over that file than even the permissions would suggest. The right to take ownership of a file is equivalent to the ability to compromise an entire file system.
-------------------------

(Editing more examples coming)... apk


----------



## Alec§taar (Mar 6, 2007)

Aha, I see somebody named "BelArcGuy" browsing now... here we go maybe?

http://forums.techpowerup.com/member.php?u=36847



* BelArcGuy - if you are browsing the results here, thanks for showing up, & setting myself & others here straight IF need be!

APK

P.S.=> Per my letter, the program's decent, but I have objections... thanks! apk


----------



## ktr (Mar 6, 2007)

Alec§taar said:


> I hauled those down, days ago... not the pdf though, thanks for THAT!
> 
> 
> 
> ...



It requires Java Virtual Machine to work


----------



## Alec§taar (Mar 6, 2007)

ktr said:


> It requires Java Virtual Machine to work



See my above post... the VERY one you quoted from in fact!



I edited in the fact I let Java install, which I USUALLY WON'T (it has holes & I try to minimize that, & though it was touted as having an 'impenetrable sandbox'? Today we KNOW this is NOT true!)... & noting outright errors in BOTH this program AND BELARC, @ least as far as I understand this stuff!

See above, the post you quoted of mine, I am editing it as I go w/ examples.

APK

P.S.=> I am going to stop posting now, & let BelArcGuy do HIS thing... apk


----------



## BelarcGuy (Mar 6, 2007)

Hi Alec§taar,

Thanks for your kind words about the Belarc Advisor, and for leading this "challenge" to get the best CIS benchmark score.  Other forums have had a similar challenge, with some of the users easily getting 10 scores (using a security configuration template file to make the settings).  Let me warn all readers that incorrectly changing the security configuration of your Windows computer can make it completely unusable, requiring an OS reinstall or restore from backup.  It's best to test these security settings on a test computer (Virtual PC is free) before applying them to any production computer.

First let me point out that the Center for Internet Security benchmarks are authored by a consortium of security experts from the US Government and industry.  Belarc is providing easy access to them in the Advisor, but is not the "authority" behind these benchmarks.  The CIS benchmark documents (also accessible by clicking links within the Advisor's CIS benchmark report) provide reasonably complete justification for many of the security settings, so you should read those.  However, do note that those documents can't completely reproduce the back-and-forth discussion between the consortium members on each of these settings.

That said, I'll try to address your concerns below, interspersed with your posting:



Alec§taar said:


> ------------------------------------------------------------------
> Available Services and Other Requirements section BELARC ADVISOR:
> ------------------------------------------------------------------
> * I am being scored downwards on services I do NOT have enabled here (set disabled), period, first of all. I also secondarily secured said services by lessening their logon entity from SYSTEM to LOCAL SERVICE as well. Why then, am I being 'down-scored' on services which are NOT active AND have had their logon entity 'powered down' on top of that as a security measure?


The benchmark calls for the services to both be set to a specific run state (e.g. disabled) and have their ACLs set to prevent malicious applications from simply changing that run state and starting them up.  See the security template editor for how to put ACLs on services.


Alec§taar said:


> ------------------------------------------------------------------
> Security Settings section of BELARC ADVISOR:
> ------------------------------------------------------------------
> 17.  Interactive Logon: Smart Card Removal Behavior
> ...


There are many OS options that best practices recommend to be secured whether or not installed.  Although a bit academic, this certainly helps keep a system from immediately becoming vulnerable upon enabling the option.  In your case this setting could be made and when/if you ever plug in a smart card you'll be "ready".


Alec§taar said:


> 25.  Network Access: Remotely Accessible Registry Paths
> 26.  Network Access: Remotely Accessible Registry Paths and sub-Paths
> 
> *  Within the registry I completely BLANKED THOSE OUT & have for years... & my system runs just fine. If I have none there that are remotely accessible, why then am I being downgraded?


Our licensed professional tools can also consider these blanked out registry values as more secure than the CIS recommended settings, however the free Advisor doesn't have that capability.  As you can imagine, it's not possible to compare an arbitrary set of registry paths to the CIS recommendations and determine if they are more or less secure.  For that reason the Advisor requires an exact match to the CIS recommendations for these settings.

Best of luck to you all getting your CIS score higher!


----------



## Alec§taar (Mar 6, 2007)

BelarcGuy said:


> Hi Alec§taar,
> 
> Thanks for your kind words about the Belarc Advisor, and for leading this "challenge" to get the best CIS benchmark score



No problem about the thanks from you - YOUR program is a good idea, & FREE! 



BelarcGuy said:


> Other forums have had a similar challenge, with some of the users easily getting 10 scores (using a security configuration template file to make the settings).



Well, I have questions on some of the scores it gave me (edit, more on next page with photos of each section & how I set them up, with what tools, & more - please answer the questions there as well, thanks)...

Now, you mention ACL's here: Does this mean going to the particular services' DLL or EXE & setting NTFS rights on them? Because afaik, doing the logon entity IS securing their ACL!

Some ideas of those templates don't 'fit' here though, I note 1 below (regarding NTFS on all diskdrives, & I have to make an exception on that note, see below, later in my P.S. why).



BelarcGuy said:


> Let me warn all readers that incorrectly changing the security configuration of your Windows computer can make it completely unusable, requiring an OS reinstall or restore from backup.  It's best to test these security settings on a test computer (Virtual PC is free) before applying them to any production computer.



Understood & I WARN FOLKS ABOUT THAT IN A SECURING SERVICES STICKY THREAD I AUTHORED IN THE GENERAL SOFTWARE SECTION HERE IN FACT... good move on your end too!

*Securing Windows 2000/XP/Server 2003 services HOW TO:*

http://forums.techpowerup.com/showthread.php?t=16097



BelarcGuy said:


> First let me point out that the Center for Internet Security benchmarks are authored by a consortium of security experts from the US Government and industry.



I understand... it's impossible in ALL cases/circumstances, to fit every security scenario perfectly.

However - I hate to put it THIS way, but some PhD's & experts have taken a beating from me before & to the point they either RAN online, or did not reply vs. proofs I had made... Dr. Mark Russinovich being one example thereof.



BelarcGuy said:


> Belarc is providing easy access to them in the Advisor, but is not the "authority" behind these benchmarks.



Again, understood - there is no "uber" advisor in any field most likely... especially complex fields, like computers. 

Agreed, 110%... 

Here? I am just trying to point out things I noted in your program is all that I feel ARE off, & not just by my own view - vs. CIS tools as well!

See 4 posts above, or the URL I post in this page below...



BelarcGuy said:


> The CIS benchmark documents (also accessible by clicking links within the Advisor's CIS benchmark report) provide reasonably complete justification for many of the security settings, so you should read those.  However, do note that those documents can't completely reproduce the back-and-forth discussion between the consortium members on each of these settings.



http://forums.techpowerup.com/showthread.php?p=281278#post281278

I cite examples a few posts (the URL directly above posted for YOUR reference) up though, using THEIR CIS tool, that contradict what BELARC ADVISOR SHOWS... please, see above 2-3 posts, to see what I mean.



BelarcGuy said:


> That said, I'll try to address your concerns below, interspersed with your posting:



All I ever wanted... let's go!



BelarcGuy said:


> and have their ACLs set to prevent malicious applications from simply changing that run state and starting them up.  See the security template editor for how to put ACLs on services.



Again:

*Securing Windows 2000/XP/Server 2003 services HOW TO:*

http://forums.techpowerup.com/showthread.php?t=16097

I have put that up here to do the ACL change on services. How to secure them. If you have time, take a peek there, it is, afaik, CORRECT!



BelarcGuy said:


> The benchmark calls for the services to both be set to a specific run state (e.g. disabled)



Most of those noted here ARE... disabled (or manual) & additionally, set with LOWER than SYSTEM logon entities, THIS is done in case they are SOMEHOW turned on, even if set disabled, they cannot run out of the privilege token assigned of LOCAL SYSTEM (far weaker than system).

I set some manual, because at times? I use them... saves time. This is why I set some of them as LOCAL SERVICE too, some run ok that way.

I guess I had BEST CHECK if all of them are disabled... for sure.



BelarcGuy said:


> There are many OS options that best practices recommend to be secured whether or not installed.  Although a bit academic, this certainly helps keep a system from immediately becoming vulnerable upon enabling the option.  In your case this setting could be made and when/if you ever plug in a smart card you'll be "ready".



Fair enough on that one, it is academic in my case, no smartcard... 



BelarcGuy said:


> Our licensed professional tools can also consider these blanked out registry values as more secure than the CIS recommended settings, however the free Advisor doesn't have that capability.



Got ya... so, I should be scored higher is what you are saying... a bug?



BelarcGuy said:


> As you can imagine, it's not possible to compare an arbitrary set of registry paths to the CIS recommendations and determine if they are more or less secure.  For that reason the Advisor requires an exact match to the CIS recommendations for these settings.



Understood, & I know that it is nearly impossible to be able to get ALL of the permutations in code & OS' down 100%, @ least not right away & especially IF they change (a program I have hosted here for others, good for security in many ways no less, had to take SOME changes to work on VISTA, & I spent part of my nite redoing its config, not its exe, unneeded, for it to work on VISTA), too much change in other words... 

I know, because I've been coding for almost 20 years now, 15 as a pro.



BelarcGuy said:


> Best of luck to you all getting your CIS score higher!



Trying my man... trying!



http://forums.techpowerup.com/showthread.php?p=281278#post281278

* See the list above, again for your reference the URL directly above, which is 4 posts up from this reply of mine in fact though!

It's where I noted exceptions in BELARC ADVISOR vs. CIS SCORING TOOL, the source whose tool you use, yes?

THANKS!

APK

P.S.=> I don't like acting the way I did above (about Dr. Mark R., he & I used to work for the same shop & he's GOOD @ this stuff) & other "experts" out there, because I know 1 thing about them: They're human, they DO ERR! 

Heck, I do too, sometimes intentionally (like the NTFS rights on ALL disks, but I do that WITH GOOD REASON (to not waste diskspace on a very small SSD I run here for added speed)).

However, in my statement about "running a few into the ground"? It's fact... Above all though - I am NOT out to 'show you up' or otherwise be an ass... I just want to make sure I am solid!

Basically, I am just trying to make this program of YOURS better, because it's a great idea, free, & works... but, by the same token?

I want to know I am doing the RIGHT thing for security here... so far, so good, but per the URL here (again):

http://forums.techpowerup.com/showthread.php?p=281278#post281278

I see contradictions... between BELARC & THE CIS SCORING TOOL... outright ones. Perhaps it is something to look at on your end, thanks, & good luck! apk


----------



## BelarcGuy (Mar 6, 2007)

Hi Alec§taar,

The CIS' scoring tool is not in any way related to the Belarc benchmark scoring engine, so you should talk to the CIS folks about issues you find with their tool.  We're happy to talk about the Advisor, and welcome your comments.

It seems that perhaps one recurring theme in your tests is that you make some security settings that are logically "better" than those called out by the CIS that aren't reasonable to expect a benchmark scoring program to interpret as such.  One example is that you've set the services with ACLs "LOWER than SYSTEM logon entities", yet that's a very hard thing for a program to interpret.  All current benchmark scoring programs have limitations in the interpretation of "better" settings than recommended.  However, it's rarely an issue in practice.

What most security folks do is use a security template (with the CIS benchmark settings already in it) that lets you just set all the benchmark settings in one shot.  Then they modify that template to suit their needs (e.g. allow IIS to run on WinXP Pro).


----------



## Alec§taar (Mar 6, 2007)

BelarcGuy said:


> Hi Alec§taar,
> 
> The CIS' scoring tool is not in any way related to the Belarc benchmark scoring engine, so you should talk to the CIS folks about issues you find with their tool.  We're happy to talk about the Advisor, and welcome your comments.



Hi, Ok... I thought it was? It bears the SAME descriptions in its explanations the CIS tool does in fact!

Oh well... 

Still, it disagrees w/ your tool, if you checked above... 

E.G.-> About securing things like the tftp.exe (trivial ftp) for instance... I did the NTFS ACL on that & 20 others it states I am 'off/wrong' on!

Still BELARC ADVISOR states it is WRONG/OFF above... but the CIS tool says I am ok?



BelarcGuy said:


> It seems that perhaps one recurring theme in your tests is that you make some security settings that are logically "better" than those called out by the CIS that aren't reasonable to expect a benchmark scoring program to interpret as such.



Agreed... especially for scenarios I uniquely have to deal with... 

E.G.-> The NTFS on all disks is one above, on my pagefile.sys partition on a Solid State Ramdisk here... 

Reason for it here? I do NOT want to lose 20% of its space using NTFS & offset risk (pagefile.sys is the ONLY file on that part of my SSD) by clearing the pagefile.sys @ shutdown.



BelarcGuy said:


> One example is that you've set the services with ACLs "LOWER than SYSTEM logon entities", yet that's a very hard thing for a program to interpret.



I know, & accept that fact... so, it is just a warning then! Still here is an area your program should ASK THE USER what is up then... your tools should ASK FIRST, as the CIS tool noted above does for various things!

*Just a suggestion, & one to make the program MORE ACCURATE.*

I.E.-> I know one thing: I would not lie to a program, or person, that was asking me questions on how to secure my home... OR, my computer, for example.



BelarcGuy said:


> All current benchmark scoring programs have limitations in the interpretation of "better" settings than recommended.  However, it's rarely an issue in practice.



I know that for sure, per my statements above on coding... lol, BOY do I know that.



BelarcGuy said:


> What most security folks do is use a security template (with the CIS benchmark settings already in it) that lets you just set all the benchmark settings in one shot.  Then they modify that template to suit their needs (e.g. allow IIS to run on WinXP Pro).



I thought CIS stuff was not related to BELARC stuff? I don't understand... oh well, I see your views now, & know what I have to do... going for more than 5.00/10 here.

Still, I feel your program is making some errors, & should ask a few questions first, as the CIS tool does... when you are NOT sure of the status of say, a services' logon entity (for securing it) or other areas in question I noted above.

APK


----------



## BelarcGuy (Mar 6, 2007)

Hi BXtreme,

Sorry for the surprise.  The Belarc Advisor version that's fully qualified for Vista (released last month) respects the CIS benchmarks by applying them only (and automatically) to the OS they're designed for.  That's because there's little point in using a benchmark that tests security settings that are non-existent or obsoleted or superseded in the OS being used.  With hundreds of security settings to pay attention to, we don't need any more distractions than we already have.

The CIS has begun discussions of their Vista security benchmarks but hasn't agreed upon anything yet.  You might want to join the CIS and participate in those discussions, if you enjoy that kind of thing.



BXtreme said:


> OMGWTF!!! Now that I start belarc in Vista it says only compatible with 2000, XP, 2003 ???? last time it didn't say anything,  what's happened ???


----------



## Alec§taar (Mar 6, 2007)

BelarcGuy said:


> The CIS has begun discussions of their Vista security benchmarks but hasn't agreed upon anything yet.  You might want to join the CIS and participate in those discussions, if you enjoy that kind of thing.



Well, one thing your program DID show that was good: VISTA is more secure out of the box, BY FAR, than is XP... by a HUGE amount, & unpatched no less!



* See my edits above, they are for your reference... thanks for speaking to us also!

APK


----------



## BelarcGuy (Mar 6, 2007)

Hi Alec§taar,

Belarc is a CIS "Vendor Member" and all of the benchmarks in our products are CIS certified to work correctly.  The only CIS "stuff" Belarc uses is the benchmark specifications and documents (see below).

Perhaps a bit of terminology definition might help.  A CIS benchmark is a collection of recommended security settings for a particular OS in a particular environment.  That benchmark takes the form of a document describing those settings (you've apparently downloaded one of those in PDF form).  The security "posture" of a computer is measured against that benchmark separately for each of the hundreds of security settings in the OS, passing for those that "measure up" to the benchmark and failing for those that are "below".

The method of coming up with a numerical score, for a benchmark result, isn't specified by the CIS.  However, the CIS benchmarks do specify a rough percentage of total score that each section of the benchmark should contribute.  Up until last year the CIS' own scoring tool used the same scoring method the Belarc Advisor uses.  Last year the CIS changed their tool's scoring method, for better or worse.  There are different viewpoints as to how scoring should be done and only recently has the CIS begun a discussion among their consortium on that topic.



Alec§taar said:


> I thought CIS stuff was not related to BELARC stuff? I don't understand... oh well, I see your views now, & know what I have to do... going for more than 5.00/10 here.


----------



## BelarcGuy (Mar 6, 2007)

*My desktop score*

FWIW, my Windows XP desktop computer gets a CIS benchmark score of 7.29 (the reduction from 10 is mostly because I have some settings made to allow running the IIS web server).


----------



## Alec§taar (Mar 6, 2007)

BelarcGuy said:


> FWIW, my Windows XP desktop computer gets a CIS benchmark score of 7.29 (the reduction from 10 is mostly because I have some settings made to allow running the IIS web server).



I am doing 1 thing that may need doing here, per your advice... setting the services I got scored down on, to DISABLED.

I had many set as MANUAL (because some I actually DO USE, on occasion).

Hopefully, this will get my score up some... I am looking @ both the BELARC ADVISOR & the CIS TOOL for this.

APK


----------



## Alec§taar (Mar 6, 2007)

BelarcGuy:

I am going to post screenshots of my failed areas, per your program's suggestions: 

Can you tell me why they are failing on the "X" noted ones?

Thanks!

APK

P.S.=> In turn? I will post why I have certain things set a certain way, & why, & if you have questions why I do so, ask... thanks! apk


----------



## BelarcGuy (Mar 6, 2007)

Hi Alec§taar,

Here's a security template file that sets the Alerter service security controls and permissions according to the CIS benchmark you're using.  You can also use this (with the Windows secedit tool) to verify whether the settings are correct.

```ini
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
```



Alec§taar said:


> I am doing 1 thing that may need doing here, per your advice... setting the services I got scored down on, to DISABLED.
> 
> I had many set as MANUAL (because some I actually DO USE, on occasion).
> 
> ...
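
An added example (not from the thread, and not Belarc's or the CIS's code): a small Python decoder for the `[Service General Setting]` line in the template posted above. It shows that the service ACL is a security descriptor on the service object itself, separate from both the startup mode and the logon account. The audit rule (flag any non-admin trustee that could change the run state), the choice of admin trustees, and the second, weaker template are assumptions constructed for illustration.

```python
import re

# Startup codes used in a template's [Service General Setting] lines.
STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}

# SDDL right codes as they apply to a Windows service object: code -> (bit, name).
SERVICE_RIGHTS = {
    "CC": (0x0001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x0002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x0004, "SERVICE_QUERY_STATUS"),
    "SW": (0x0008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x0010, "SERVICE_START"),
    "WP": (0x0020, "SERVICE_STOP"),
    "DT": (0x0040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x0080, "SERVICE_INTERROGATE"),
    "CR": (0x0100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}

# Common SDDL trustee aliases; anything else is reported as the raw alias or SID.
TRUSTEES = {
    "BA": "BUILTIN\\Administrators", "SY": "LOCAL SYSTEM", "IU": "INTERACTIVE",
    "AU": "Authenticated Users", "WD": "Everyone", "BU": "BUILTIN\\Users",
    "PU": "Power Users", "LS": "LOCAL SERVICE", "NS": "NETWORK SERVICE",
}

# Rights that let a holder turn a disabled service back on, directly or by
# first rewriting the ACL or owner. GA/GW (generic all/write) include
# SERVICE_CHANGE_CONFIG and are kept as raw codes by decode_rights().
RUN_STATE_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GA", "GW"}


def parse_service_settings(template_text):
    """Return {service_name: (startup_code, sddl)} from a security template."""
    services, section = {}, None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "service general setting":
            name, startup, sddl = line.split(",", 2)
            services[name.strip()] = (int(startup), sddl.strip().strip('"'))
    return services


def decode_rights(rights):
    """Decode an ACE rights field given as two-letter codes or a hex mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for bit, name in SERVICE_RIGHTS.values() if mask & bit}
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return {SERVICE_RIGHTS[c][1] if c in SERVICE_RIGHTS else c for c in codes}


def decode_dacl(sddl):
    """Return [(ace_type, trustee, rights)] for the DACL part of an SDDL string."""
    match = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not match:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        aces.append((ace_type, TRUSTEES.get(sid, sid), decode_rights(rights)))
    return aces


def audit(template_text, admins=("BUILTIN\\Administrators", "LOCAL SYSTEM")):
    """Flag services that are not Disabled or whose ACL lets non-admins re-enable them."""
    findings = []
    for name, (startup, sddl) in parse_service_settings(template_text).items():
        if startup != 4:
            findings.append((name, "startup is " + STARTUP.get(startup, str(startup))))
        for ace_type, trustee, rights in decode_dacl(sddl):
            risky = sorted(rights & RUN_STATE_RIGHTS)
            if ace_type == "A" and trustee not in admins and risky:
                findings.append((name, trustee + " holds " + ", ".join(risky)))
    return findings


# The template exactly as posted in the thread.
POSTED_TEMPLATE = '''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
'''

# Constructed for contrast: Manual startup, Authenticated Users may reconfigure.
CONSTRUCTED_WEAK = '''[Service General Setting]
Alerter,3,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
'''

if __name__ == "__main__":
    for ace in decode_dacl(parse_service_settings(POSTED_TEMPLATE)["Alerter"][1]):
        print(ace[1], sorted(ace[2]))
    print(audit(POSTED_TEMPLATE), audit(CONSTRUCTED_WEAK))
```

In the posted template only Administrators and SYSTEM hold `SERVICE_CHANGE_CONFIG`, `WRITE_DAC` or `WRITE_OWNER`; interactive users can query and interrogate the service but cannot flip it from Disabled back to a startable state.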


----------



## Alec§taar (Mar 6, 2007)

Need to know your views on WHY I have been scored down on those!

Here are the settings I use below next, on each one, & HOW I APPLIED THEM (tools used):

Each of those is set DISABLED (except Telephony) in services.msc!

(& also has their logon entity set to LOCAL SERVICE in services.msc as well!)

* The latter as a security precaution (ACL)... severely limiting them (even IF someone could remotely turn them on).

*I note also, I got FULLY MARKED DOWN, NO POINTS GIVEN, ON THIS SECTION OF THE TEST (even if some of them are set with checkmarks, indicating they are OK? Why is this??)*

APK

P.S.=> Some do NOT exist here, & those I get checkmarks/OK ratings on, BUT some are disabled (& more, see below):


Alerter Service - DISABLED (don't need it, not on LAN w/ central domain server etc.)

ClipBook Service - DISABLED

File Replication Service -  DISABLED

HELP & SUPPORT - DISABLED

Indexing Service - DISABLED

License Logging Service - DISABLED

Messenger Service - DISABLED

NetMeeting Remote Desktop Sharing - DISABLED

Remote Access Auto Connection Manager - DISABLED

Remote Desktop Help Session Manager - DISABLED

Remote Procedure Call (RPC) Locator - DISABLED

Telnet Service - DISABLED

Wireless Configuration Service - DISABLED

SOME do (like Network Connections, can't do w/ out it & get online)!

*QUESTION:*

Why then, if I do not even RUN those services, OR they are DISABLED, & additionally have their logon entity set as low as it can go to LOCAL SERVICE (just in case), then, am I getting downgraded on them @ ALL?? apk


----------



## Alec§taar (Mar 6, 2007)

The bottom-most list of .exe files are SET to SYSTEM & ADMINISTRATOR GROUP MEMBERS ACCESS ONLY (full control). 

NOW, the ODD part is, that the CIS tool marks them as OK, per last page, here:

http://forums.techpowerup.com/showthread.php?p=281278#post281278

On the last page... odd!

AGAIN: *I note also, I got FULLY MARKED DOWN, NO POINTS GIVEN, ON THIS SECTION OF THE TEST (even if some of them are set with checkmarks, indicating they are OK? Why is this??)*

APK


----------



## Alec§taar (Mar 6, 2007)

*I note also, I got FULLY MARKED DOWN, NO POINTS GIVEN, ON THIS SECTION OF THE TEST (even if some of them are set with checkmarks, indicating they are OK? Why is this??)*






Some of those I wonder about, & here are the ones in question from myself:

*Allow Logon Locally:* I can't cut out my Administrator users there, can I? (That is ALL that is in that one... why is it scored down then??)

*Terminal services is SHUT OFF here as a service, & in secpol.msc, I allow NOBODY to use that as well.* All of them are DENIED via secpol.msc

*Backup Files & Directories:* is also shut off, nobody in that group period, via secpol.msc... instead, I do that via tools like GHOST - All of them are DENIED via secpol.msc & nobody is in that group in secpol.msc...

*Deny Access to this Computer from the Network AND Deny Logon as a Batch Job:* Help & Support entity, Terminal Services users, DIALUP, REMOTE INTERACTIVE LOGON, & ANONYMOUS LOGON - All of them are DENIED via secpol.msc

*Impersonate a Client After Authentication:* ONLY SERVICE is in that one per secpol.msc, is this bad & why I am being scored poorly on it?

*Load & Unload Device Drivers:* ONLY SYSTEM IN HERE, per secpol.msc

*Logon as a Batch Job:* ONLY LOCAL SERVICE is here per secpol.msc

APK


----------



## Alec§taar (Mar 6, 2007)

Thanks for the tips on those, IF you have any BelarcGuy, because those are what are KILLING ME on your test...



* Awaiting answers... thanks!

APK


----------



## Alec§taar (Mar 7, 2007)

BelarcGuy said:


> Hi Alec§taar,
> 
> Here's a security template file that sets the Alerter service security controls and permissions according to the CIS benchmark you're using.  You can also use this (with the Windows secedit tool) to verify whether the settings are correct.
> 
> ...



I don't use secedit.exe (never have), I use secpol.msc &/or services.msc... iirc, they WILL accomplish the SAME THINGS, yes?

APK

P.S.=> Can you explain HOW TO USE SECEDIT.EXE, period, per your example on it above in the ALERTER SERVICE? Thanks... apk


----------



## BelarcGuy (Mar 7, 2007)

Hi Alec§taar,

Well... no.  The local policy editor and services control panel are only a tiny part of the security settings for Windows.  Here's a link to documentation for the "Pro" security tools for Windows Server 2003

http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us/ALL_tools.asp
For Windows XP

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/all_tools.mspx
and Windows 2000

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx
Testing a security template on a local computer is most easily done with the Security and Analysis tool.  It allows you to "Analyze" what would change without making those changes.  It also lets you apply a template for application testing.

Once you look at some of that for your OS you'll see how it's actually pretty easy to make these settings locally or with a group policy object.  They're much better at explaining how to use those tools than I could ever be.

Enjoy!



Alec§taar said:


> I don't use secedit.exe (never have), I use secpol.msc &/or services.msc... iirc, they WILL accomplish the SAME THINGS, yes?
> 
> APK
> 
> P.S.=> Can you explain HOW TO USE SECEDIT.EXE, period, per your example on it above in the ALERTER SERVICE? Thanks... apk


----------



## Alec§taar (Mar 7, 2007)

BelArcGuy: *again, please:* 

NOTE THE POSTS ABOVE WHERE I PUT DOWN THE SECTIONS WHERE YOUR PROGRAM IS 'downgrading' MY SCORE please...

& NOTE THE SETTINGS I USED, & TOOLS USED TO APPLY THEM, & THEN?

*ANSWER MY QUESTIONS THERE IN EACH OF THOSE, AND WHAT IS THE COMMANDLINE TO IMPORT THAT SECEDIT.EXE POLICY FOR THE ALERTER SERVICE YOU PUT UP ABOVE!*

* Again, thanks...

APK


----------



## BelarcGuy (Mar 7, 2007)

Hi Alec§taar,

As I mentioned in my previous post, you can find that info in the Microsoft documentation I pointed you to.  For your specific question about how to import the policy for the alerter service:

http://technet2.microsoft.com/WindowsServer/en/library/70b73361-dd07-49ee-b183-f727569c66a11033.mspx?mfr=true
As to the other questions, I'll have to research a bit to get back to you.



Alec§taar said:


> BelArcGuy: *again, please:*
> 
> NOTE THE POSTS ABOVE WHERE I PUT DOWN THE SECTIONS WHERE YOUR PROGRAM IS 'downgrading' MY SCORE please...
> 
> ...


----------



## Alec§taar (Mar 7, 2007)

BelarcGuy said:


> For your specific question about how to import the policy for the alerter service:



Man, I don't get this:

http://technet2.microsoft.com/Windo...dd07-49ee-b183-f727569c66a11033.mspx?mfr=true

1. Open Security Configuration and Analysis.

Great, just great... 

(What command is what, what executable? Sometimes?? I hate MS documentations)... 

See... I used a lot of info. from MS in the past to get to the score I have now, & also things I learned on my own in this area... I need help apparently to go higher @ this point.

5.00/10 is NOT 'cutting it for me', lol...

That page is not helping me, if I do NOT know what tool to use for it.



BelarcGuy said:


> As to the other questions, I'll have to research a bit to get back to you.



Thanks, because they really do NOT make sense to me as to why parts of them are good, parts not (per the photos above), & above all?

Why the program gives you NOTHING if you missed some (the X'd scores) & yet you did get some of them correct, per them having a checkmark instead!

It is odd... no PARTIAL CREDIT even!

APK

P.S.=> I NEED HELP on this secedit.exe tool... it is a REAL "S.O.B." imo to be blunt about it!

Usually? I am as @ home with the commandline tools as I am w/ GUI stuff (DOS background, UNIX before it, & even some VMS way, WAY back too)... but, not this time... apk


----------



## BXtreme (Mar 7, 2007)

nice, i got my feed. But just to show what the latest version shows on vista ultimate here's a screenie
http://img.techpowerup.org/070306/Capture006.jpg

Hmm, but since Vista isn't supported, i'm getting some doubts.
Belarc advisor's old versions said that my os was 2000, another said 2003 (forgot which one) ??
Does Vista contain security codes from its prior versions ?
like from 2000 it has got some part of it, and just an upgraded part of it ?
Could this mean ms built vista with most of its prior versions' parts ?
...so many questions arise about ms' gr8 os


----------



## BelarcGuy (Mar 7, 2007)

Hi Alec§taar,

"Security Configuration and Analysis" is an MMC snap-in.  To access the MMC, type in mmc to the Windows Run... command to pop up the console.  Then use its File|Add/Remove Snap-in... command and click the Add button on the resulting dialog.  Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK.  You'll end up with a management console that has both of those snap-ins enabled.  The whole MMC mechanism is a bit weird, but does work

From there you can follow the MS doc.



Alec§taar said:


> Man, I don't get this:
> 
> http://technet2.microsoft.com/Windo...dd07-49ee-b183-f727569c66a11033.mspx?mfr=true
> 
> ...


----------



## Alec§taar (Mar 7, 2007)

BelarcGuy said:


> Hi Alec§taar,
> 
> "Security Configuration and Analysis" is an MMC snap-in.  To access the MMC, type in mmc to the Windows Run... command to pop up the console.  Then use its File|Add/Remove Snap-in... command and click the Add button on the resulting dialog.  Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK.  You'll end up with a management console that has both of those snap-ins enabled.  The whole MMC mechanism is a bit weird, but does work
> 
> From there you can follow the MS doc.



I've added stuff to MMC.exe before, & built my own 'custom ones' here, but this is new stuff to me, & I welcome the knowledge, by ALL means...

Cool, I will give it a go, & see what goes... but, I would like an example of using secedit.exe to import a policy file for a service too, but gui is nice as well!

The ONLY part I do NOT like about using 'templates' is, not understanding what EXACTLY I am inserting... that is pretty 'arcane' stuff up there,  for the ALERTER example policy you put up!

Hence, why I pursue this as I do. SO I UNDERSTAND IT ALL!



* Thanks for showing back up, but please, if you can? 

DO answer those questions above, from each picture accompanied post, & the diff. sections I was scored down in by your program with data on how I set each up... 

(They are in final edit form, for your analysis... thanks!)

APK

P.S.=> Most of all, whatever results? Credits to you for showing up to speak to us all... apk


----------



## Completely Bonkers (Mar 7, 2007)

First of all, TY BelarcGuy for the info and help so far.

Personally, I think it's dreadful that Security Management is buried within an mmc snapin that you have to know about... 

... MS is getting more and more SOHO unfriendly as they introduce "enterprise" management tools only for "MS Qualified Server Engineers". As a 2003 SBS owner, this is just dreadful.  I need an outrageously expensive IT technician just to manage one server and 3 desktops!  Awful MS. Awful.

What's needed is a tool like Belarc and a security management toolkit that I, amateur expert but no MS qualified security engineer, can install, access, and use with confidence.


----------



## Alec§taar (Mar 7, 2007)

He's got a GOOD program, it's up there w/ CIS tool & if he uses the analysis above, in my exceptions lists, AND YOURS TOO mind you?

It can get BETTER than CIS tool, quite possibly!



* The end goal here, is a 'win-win' situation for ALL participating here, including BelArcGuy on his end coding the BELARC ADVISOR!

(This IS how programs get better... I develop stuff that's freeware too, & it would NOT be as good as it is (purely relative term) w/ OUT user feedback-critique... no questions asked!)

APK


----------



## Alec§taar (Mar 7, 2007)

Completely Bonkers said:


> First of all, TY BelarcGuy for the info and help so far.



Agreed!



Completely Bonkers said:


> Personally, I think it's dreadful that Security Management is buried within an mmc snapin that you have to know about...



It is...



Completely Bonkers said:


> ... MS is getting more and more SOHO unfriendly as they introduce "enterprise" management tools only for "MS Qualified Server Engineers". As a 2003 SBS owner, this is just dreadful.  I need an outrageously expensive IT technician just to manage one server and 3 desktops!  Awful MS. Awful.



This IS silly to an extent... it keeps knowledge in the dark, & for folks that CAN 'grok' it & assimilate it & GAIN by it... kind of like dictators do!

BUT - it keeps network engineers/admins working & ahead of their constituents/clients/users!

(Imo, to a good extent @ least, just 'users w/ a better password', lol, it makes them upset when you call them that... not entirely true, they know their stuff, but imo? Not a LOT more than most "power users" do... after all, we can ALL follow directions from MS & read too!)

Not knocking network guys, having been one in my day (not primarily, not since the NT 3.51 days really, certainly NOT lately, but now more often coding! Doing development, you get assigned @ least junior network admin domain rights & certainly local machine admin most times)!

AND - you DO have to come in w/ a lot of understanding, & anybody that's been MCSE has to pass some VERY hard tests (took the trainer transcenders in my time, & they are HARD - adaptive stuff, you get an answer wrong in a particular area? It pounds you MORE on that area, lol!).



Completely Bonkers said:


> What's needed is a tool like Belarc and a security management toolkit that I, amateur expert but no MS qualified security engineer, can install, access, and use with confidence.



Exactamundo... & perhaps, per my last post above? This will help BelArcGuy better his FREEBIE product AND also his commercial stuff, to an extent it exceeds the CIS Tool even.



* Anyhow/anyways - One never knows...

APK

P.S.=> Finally, I am off to apply that security policy for Alerter above, & gain further understanding of its arcane strings & what they mean... see ya!


----------



## Alec§taar (Mar 8, 2007)

*Ok, I found an EXCELLENT Step-by-Step for Securing Services @ the ACL level!*

*SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:*

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

To define a new security template, follow these steps: 

*1.* In the console tree, expand Security Templates.
*2.* Right-click %SystemRoot%\Security\Templates, and then click New Template.
*3.* In the Template name box, type a name for the new template. 

If you want, you can type a description in the Description box, and then click OK.

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

*6.* To define a System Services policy, follow these steps:
*a.* Expand System Services.
*b.* In the right pane, double-click the service that you want to configure.
*c.* Specify the options that you want, and then click OK.



* Now, THIS? I can work with... but, I still want to get SECEDIT.EXE down, & that arcane madness up there @ the top from BelArcGuy about securing the ALERTER service down pat... & I will eventually.

(Have to understand all of this, & then? This goes into the "Securing Services Thread" sticky in the GENERAL SOFTWARE SECTION too!)

APK

P.S.=> CompletelyBonkers &/or BxTreme: You two seem the MOST interested in this so far, & this? This is NOT SO BAD @ ALL! Give it a look-see, & you'll see what I mean... apk


----------



## Namslas90 (Mar 8, 2007)

Good find/link, how about for win XP,(is it the same?)?


----------



## Alec§taar (Mar 8, 2007)

Namslas90 said:


> Good find/link, how about for win XP,(is it the same?)?



Most likely, I concentrated on Win2k3... Look @ the Microsoft URL, & pay attention to the stuff BELARCGuy wrote, because you NEED to set that up, first...

OR

Just go to the "Securing Services How To" sticky thread, where I 'stitched this all together'...

http://forums.techpowerup.com/showthread.php?t=16097&page=3



* I am busy right now 'ripping thru all of my services' & applying the users I want to have rights to them @ THIS level (ACL)!

*... & I have a theory, but not sure on it yet... *

See, many services are just .DLL's, OR .EXE's, run by svchost.exe (or commandline switches for it too - you can SEE this in services.msc, & look @ services' properties)...

(& I am betting this works @ an NTFS level on their Access Control List rights... I mentioned it earlier how, & it IS how I would have approached it via my 'manual methods' & SPECIFICALLY @ the NTFS level, but not sure IF this is actually what is taking place... however, I will find out soon enough though!)

Once I apply these?

I am going to examine the lib that svchost.exe runs, & I wager it will mirror, probably EXACTLY what this is doing, albeit @ a filesystem level!

APK


----------



## BelarcGuy (Mar 9, 2007)

Hi Completely Bonkers,

Thanks for your kind words.

These security tools have been in professional & server versions of Windows since NT 4.  They're *way* over the heads of non-professional users (clearly with the exception of this forum) and I'd bet that Microsoft couldn't support end-users if these controls were made more accessible.  There're just too many ways to mess up an OS with these settings.



Completely Bonkers said:


> First of all, TY BelarcGuy for the info and help so far.
> 
> Personally, I think it's dreadful that Security Management is buried within an mmc snapin that you have to know about...
> 
> ...


----------



## BelarcGuy (Mar 9, 2007)

Hi Alec§taar,

What I included in the prior posting was the contents of a security template file to secure the alerter service according to the CIS recommendations.  Just create a file named SecureAlerter.inf (in the My Documents\My Templates folder) and paste this into it with Notepad

```ini
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
```

and save the file.  Now you can view and edit that template with the Security Template Editor (in the MMC as described before) by selecting "Security Templates" in the MMC left pane and running the Action|New Template Search Path... command to add My Documents\My Templates.  Then you can view the template and examine it with the GUI.

To use that template, select "Security Configuration and Analysis" in the MMC left pane and run the Action|Import Template... command to load that template into a "test" configuration database.  Then you can analyze your system or apply the database contents (all the templates you've loaded) to your computer.

To read/understand the template .inf file content format look at the MS docs for the Security Descriptor Definition Language (SDDL)

http://msdn2.microsoft.com/en-us/library/aa379567.aspx


Alec§taar said:


> ...
> * Now, THIS? I can work with... but, I still want to get SECEDIT.EXE down, & that arcane madness up there @ the top from BelArcGuy about securing the ALERTER service down pat... & I will eventually.
> 
> (Have to understand all of this, & then? This goes into the "Securing Services Thread" sticky in the GENERAL SOFTWARE SECTION too!)
> ...
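
An added example (not part of BelarcGuy's post and not Belarc's code): a small Python decoder for the Alerter line of the template above, showing what each SDDL access-control entry grants on a service object. The function names, the trustee table and the "non-admin control" check are assumptions introduced for this illustration.

```python
import re

# The Alerter line from the template above (forum line-wrap spaces removed).
TEMPLATE_LINE = ('Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
                 '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"')

STARTUP = {"2": "Automatic", "3": "Manual", "4": "Disabled"}
# SDDL right codes as they apply to a service object.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Common SID aliases only; any other alias or raw SID is passed through unchanged.
TRUSTEES = {"BA": "Administrators", "SY": "Local System", "IU": "Interactive users",
            "AU": "Authenticated Users", "PU": "Power Users", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny"}
# This example's own policy choice (not a CIS or Belarc rule): rights that let the
# holder reconfigure, re-ACL, take ownership of or delete the service.
CONTROL_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE"}
ADMIN_TRUSTEES = {"BA", "SY"}


def parse_service_line(line):
    """Parse one [Service General Setting] entry: name,startup,"SDDL"."""
    name, startup, sddl = (part.strip() for part in line.split(",", 2))
    sddl = sddl.strip('"').replace(" ", "")  # tolerate wrap spaces in pasted text
    dacl = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL (D:) section in %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 ';'-separated fields: %r" % body)
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        unknown = [c for c in codes if c not in RIGHTS]
        if unknown:
            raise ValueError("unknown right codes %s in %r" % (unknown, body))
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "sid": sid,
                     "trustee": TRUSTEES.get(sid, sid),
                     "rights": [RIGHTS[c] for c in codes]})
    return {"service": name, "startup": STARTUP.get(startup, startup),
            "dacl_flags": dacl.group(1), "aces": aces}


def non_admin_control(parsed):
    """Allow-ACEs that give a non-admin trustee control over the service."""
    return [(a["trustee"], sorted(CONTROL_RIGHTS & set(a["rights"])))
            for a in parsed["aces"]
            if a["type"] == "allow" and a["sid"] not in ADMIN_TRUSTEES
            and CONTROL_RIGHTS & set(a["rights"])]


if __name__ == "__main__":
    info = parse_service_line(TEMPLATE_LINE)
    print(info["service"], info["startup"], "DACL flags:", info["dacl_flags"])
    for ace in info["aces"]:
        print(" ", ace["type"], ace["trustee"] + ":", ", ".join(ace["rights"]))
    print("non-admin control:", non_admin_control(info))
```

Run on the template line, it shows the service set to Disabled, Administrators and Local System holding every service right, and interactive users limited to query-style rights with no ability to start, stop or reconfigure the service.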


----------



## BelarcGuy (Mar 9, 2007)

Hi Namslas90,

Yes, Windows XP Professional (and Tablet or MCE which both have Professional as their base) has the same security tools as Windows Server 2003.



Namslas90 said:


> Good find/link, how about for win XP,(is it the same?)?


----------



## BelarcGuy (Mar 9, 2007)

Hi Alec§taar,

Sorry, but these Security Configuration ACLs are applied through the Services Control Manager API and not at the filesystem level.  Other than writing your own program to make these changes there's no other OS user interface to make these changes.



Alec§taar said:


> (& I am betting this works @ an NTFS level on their Access Control List rights... I mentioned it earlier how, & it IS how I would have approached it via my 'manual methods' & SPECIFICALLY @ the NTFS level, but not sure IF this is actually what is taking place... however, I will find out soon enough though!)


----------



## L|NK|N (Mar 9, 2007)

Unfortunately, Alec won't be replying back to you any time soon..........


----------



## BelarcGuy (Mar 9, 2007)

Hi LiNKiN,

Oh, sorry to hear that.  It does seem like the other folks here are smart and energetic too, so perhaps someone else will try these things out.


----------

