1. Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Securing Windows 2000/XP/Server 2003 services HOW TO

Discussion in 'General Software' started by Alec§taar, Aug 22, 2006.

Thread Status:
Not open for further replies.
  1. Namslas90 New Member

    Joined:
    Aug 27, 2006
    Messages:
    4,851 (1.63/day)
    Thanks Received:
    555
    Location:
    Earth
    Thanx, I needed that!!
    Nice to hear from you;
    Don't work too hard!!

    L8r
     
    Last edited: Mar 13, 2007
  2. CheckingUpOnInfraRed New Member

    Joined:
    Mar 13, 2007
    Messages:
    1 (0.00/day)
    Thanks Received:
    0
    Good, I hope so... I saw your profile, & security IS part of the name of YOUR game I see!

    :)

    It is ONLY to "keep square w/ the house" here, karma etc. because folks here did teach me about AMD overclocking (since I let my hardware know-how go WAY slack in the time that I have been concentrating on software/OS/programming instead for the last decade++ or so now)...

    My explicitly giving Solaris17 & InfraRed the material for reconstructing this post the RIGHT way, with all of its data intact & what-not, via email, is for getting square w/ the house, debt erased type of thing:

    All so they each have data to reconstruct this post the way I would have per Solaris17's request to make the sticky threads I had here (4 of them) into less (I eliminated 1, startup/run areas & consolidated 3 more into what this one WILL be eventually once Solaris does the directions above).

    It is probably the BEST post I ever put out here, so... I think it "evens up the score" with TPU members who taught me the tricks of o/c'ing a modern AMD rig.

    Have no choice, have to... largest reason I have to 'lay off' doing forums really... well, that & some of the replies I saw in various threads after I left... because, as you can see? THERE IS NO BANNING ME.

    (Man - 1 good thing comes of things like this situation turned out to be: I can tell who was against me, or was my pal... always a good thing, that!)

    APK
     
  3. Jimmy 2004

    Jimmy 2004 New Member

    Joined:
    Jan 15, 2005
    Messages:
    5,491 (1.54/day)
    Thanks Received:
    267
    Location:
    England
    Hi Alec - not sure how long you'll last back here, but I thought I'd let you know the guys over at AshenTech would like you to join them I think - not that I want to push people away from TPU, but doubt you're planning to post on here anymore.

    Thanks for trying to get the thread back up, although I can't say I approved of removing it in the first place.
    BTW, the DDOS comment was from this thread. Anyway, enough of that subject, techPowerUp! has had more than enough drama and doesn't need anything else.
     
  4. AshenSugar

    AshenSugar New Member

    Joined:
    Sep 20, 2006
    Messages:
    1,998 (0.68/day)
    Thanks Received:
    0
    Location:
    ashentech.com
    yes we would like to see alek come by, even if only from time to time.

    and ofcorse they banned him again, and would ban a hundred more accounts if they knew it was him, or others who have came back under ghost names.

    As you should know alec and others, i consider alec a friend, we had great talks, its over and done, im sure hes not going to be welcomed back here, and im sure thats mostly because a few people still really have a problem with him and how he reacted to the situation that happened that night.......everybody needs to just let it go.......

    this was a great place, and may be one again, but many where driven away by whats happened over the last few months, this alec thing was just the straw that broke the camels back, punish 1 and not the other when both should be held accountable...to me that was a big thing.......i have been a forums admin 5+ times in the past, also been a gmod/supermod more times then that, and i would have temp banned them both as soon as i saw it happening, give them a couple/few days to cool off......if that didnt work, well weeks or more may have been needed, but i never would have taken sides as it seems some mods did....i cant blame alec for being upset and desiding not to come back here, it sickens me how mods can jump to take sides, then crap like the thred wazzle posted.......a mod shouldnt be doing that shit..

    its become clear that wazzle really does just like to stir shit up.....as others have told me in the past.....not a good thing for a mod to do........
     
  5. Jimmy 2004

    Jimmy 2004 New Member

    Joined:
    Jan 15, 2005
    Messages:
    5,491 (1.54/day)
    Thanks Received:
    267
    Location:
    England
    Admittedly you could also follow the first link in ashen's sig to get you to ashentech, but unfortunately that will link you to ashentech.coom .
     
  6. newtekie1

    newtekie1 Semi-Retired Folder

    Joined:
    Nov 22, 2005
    Messages:
    20,029 (6.15/day)
    Thanks Received:
    6,094
    Ashen, why is it that you are the only one that can't seem to "just let it go"?

    See Here to discover why he was banned and I wasn't:
    http://forums.techpowerup.com/showthread.php?p=284508

    It has something to do with the fact that I didn't do anything and he did(and then some). The mods didn't take sides, they banned the one that deserved it and not the innocent one. I got my infraction for my one and single insult given out, which again was only after he insulted me.

    Now, follow your own advise and just let it go already.
     
    Crunching for Team TPU 50 Million points folded for TPU
  7. Polaris573

    Polaris573 Senior Moderator

    Joined:
    Feb 26, 2005
    Messages:
    4,281 (1.21/day)
    Thanks Received:
    718
    Location:
    Little Rock, USA
    How about all of you stop it?
     
  8. newtekie1

    newtekie1 Semi-Retired Folder

    Joined:
    Nov 22, 2005
    Messages:
    20,029 (6.15/day)
    Thanks Received:
    6,094
    I've let it go, obviously I'm back, just needed a day or two to cool off. But I'll defend myself as long as Ashen keeps going on about it. That is just the kind of person I am and the personality I have.
     
    Crunching for Team TPU 50 Million points folded for TPU
  9. TheMasterOfSinanju

    TheMasterOfSinanju New Member

    Joined:
    Jun 18, 2007
    Messages:
    28 (0.01/day)
    Thanks Received:
    11
    Location:
    A discrete point in the space-time continuum!
    NEWLY AMENDED, FULL BORE HOW TO SECURE YOUR RIG by "The Master of Sinanju" (apk)

    Original version @ slashdot -> http://it.slashdot.org/comments.pl?sid=237507&cid=19410153

    INTRODUCTION:

    Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - new holes/vulnerabilities appear in the OS & its libs + apps, but this gets you closer, if not as close as a body needs to be!).

    THIS IS GEARED TO "stand-alone" systems online on the internet (However - it can be adapted for LAN/WAN office or home networked environs, BUT, pay attention to step #2's 'warnings' about pulling Client For Microsoft Networks, &/or File & printer sharing - most networks require/need this)

    BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:

    Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):

    http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

    It is a personally 'security-hardened' model I have been working on for many years, using principals I learned & used since the NT 3.5x days onward to this version of the OS: As is now?

    I score an 84.735 on the CIS Tool 1.x currently as of 06/01/2007! This is up from my past score here of 76.xxx on it, & here is how to do it!

    (For CIS Tool - There are Linux, MacOS X, Solaris, & other OS models ports of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)

    DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:

    http://www.cisecurity.org/bench.html

    (IMPORTANT: This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!)

    APK 14 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):

    1.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP (you have to install this, it does NOT install by default) first to help security it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as as starting point))...

    Directions for its installation are as follows:

    Start the Add or Remove Programs Control Panel applet.

    Click Add/Remove Windows Components.

    On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

    The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

    DONE! Now, run it... it is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

    Then, @ that point? I pull ANY Networking clients &/or Protocols in the Local Area Connection, other than Tcp/IP typically (& disable NetBIOS as well, because I don't need it here), on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN. I also disable that too!

    2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)!

    3.) Use IP security policies (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:

    http://www.analogx.com/contents/articles/ipsec.htm

    (Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)

    NOTE: This can be 'troublesome' though, for folks that run filesharing clients though. An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.

    (HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it & when done? TURN THEM ON, AGAIN!).

    4.) USE General security policies in gpedit.msc/secpol.msc, these are VALUABLE tools (and will be needed & suggestions for it will be told to you by the CIS Tool noted above - great stuff!)

    5.) HARDENING & SECURING SERVICES HOW-TO:

    Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE), see this URL where I did a lot of research for a prebuilt list for another forums, to see how/why this works:

    http://forums.techpowerup.com/showthread.php?t=16097

    I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privelege user too for this on 2000 if needed)...

    I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

    LOCAL SERVICE startable list (vs. LocalSystem Logon Default):

    Acronis Scheduler 2 Service
    Alerter (needs Workstation Service Running)
    COM+ System Application
    GHOST
    Indexing Service
    NVIDIA Display Driver Service
    Office Source Engine
    O&O Clever Cache
    Remote Registry
    Sandra Service
    Sandra Data Service
    SmartCard
    Tcp/IP NetBIOS Helper
    Telnet
    UserProfile Hive Cleanup Service
    Volume Shadowing Service
    Windows UserMode Drivers
    Windows Image Acquisition
    WinHTTP Proxy AutoDiscovery Service

    NETWORK SERVICE startable list (vs. LocalSystem Logon Default):

    ASP.NET State Service
    Application Layer Gateway
    Clipbook (needs Network DDE & Network DDE DSDM)
    Microsoft Shadow Copy Provider
    Executive Software Undelete
    DNS Client
    DHCP Client
    Error Reporting
    FileZilla Server
    Machine Debug Manager
    Merger
    NetMeeting Remote Desktop Sharing Service
    Network DDE
    Network DDE DSDM
    PDEngine (Raxco PerfectDisk)
    Performance Logs & Alerts
    RPC
    Remote Desktop Help Session Manager Service
    Remote Packet Capture Protocol v.0 (experimental MS service)
    Resultant Set of Policies Provider
    SAV Roam
    Symantec LiveUpdate
    Visual Studio 2005 Remote Debug

    PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.

    WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

    If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

    Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

    If that fails? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

    ListSvc (shows services & drivers states of stopped or started)

    Enable (starts up a service &/or driver)

    Disable (stops a server &/or driver)

    Which can turn them back on if/when needed

    (ON Virtual Disk Service being removed, specifically (because it used to be in this list): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

    CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this - do consider it, when possible!

    SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

    STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

    Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

    The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

    http://forums.techpowerup.com/showthread.php?t=16097

    "Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use it's File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

    (It's easy, & it works, & is necessary for the actual steps to do this, below)

    Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

    STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

    http://support.microsoft.com/kb/816297

    Create and Define a New Security Template

    (To define a new security template, follow these steps)

    1. In the console tree, expand Security Templates
    2. Right-click %SystemRoot%\Security\Templates, and then click New Template
    3. In the Template name box, type a name for the new template.

    (If you want, you can type a description in the Description box, and then click OK)

    The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

    1. To define a System Services policy, follow these steps:
    a. Expand System Services
    b. In the right pane, double-click the service that you want to configure
    c. Specify the options that you want, and then click OK.

    (And, of course, the user feedback on its effectiveness (Makes your Win32 NT-based OS very much like how MacOS X treats its daemon processes via privelege levels), which uses the same general principals)

    It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

    DONE!

    6.) Another thing I do for securing a Windows NT-based OS: IP Port Filtrations (like ip security policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IPSecurity policies, hardware AND software firewalls, all in combination/simultaneously running)!

    DIRECTIONS:

    Start Menu -> Connect To Item (on the right hand side) -> Local Area Connection (whatever you called it, this is the default, iirc) open it via double click OR, right-click popup menu PROPERTIES item -> Properties button on left-hand side bottom, press/click it -> NEXT SCREEN (Local Area Connection PROPERTIES) -> "This connection uses the followng items" (go down the list, to Tcp/IP & select it & /click the PROPERTIES button there) -> Press/Click the Advanced Button @ the bottom Right-Hand Side (shows Advanced Tcp/IP Settings screen) -> OPTIONS tab, use it & Tcp IP Filtering is in the list, highlite/select it -> Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side -> Check the "Enable Tcp/IP Filtering (on all adapters)" selection -> In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp) -> In the far left "tcp ports" list - check off the radio button above the list titled "PERMIT ONLY", & then add ports you want to have open (all others will be filtered out, & for example, I leave port 80,8080, & 443 here open, only - you may need more if you run mail servers, & what-have-you (this varies by application)) -> I leave the UDP section "PERMIT ALL" because of ephemeral/short-lived ports usage that Windows does (I have never successfully filtered this properly but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)) -> DONE!

    You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

    I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA? This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

    http://www.microsoft.com/technet/community/columns/cableguy/cg0605.mspx

    (Enjoy the read, it is VERY informative - That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

    7.) PLUS, this version of the OS in Server 2003 has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)

    8.) Running the "std. stuff", like AntiVirus (NOD32 latest 2.7x - best one there is, & that is not only MY opinion after testing it vs. my former fav. NAV Corporate 10.2 (it is lighter in RAM & resource uses than NAV Corporate even, finds more virus' than others, & uses less "moving parts" (in the way of services componentry, than most do, & certainly less than NAV)) + SpyBot (Ad-Aware is another option) as my resident antispyware tool running in the background! AntiRootkit tools are another one to be conscious of nowadays, now that such machinations are available for Windows (they originated, afaik, in the UNIX world though). The "best ones" are:

    AVG AntiRootkit
    BitDefender AntiRootkit
    GMER
    Rootkit Revealer
    PrevX AntiRootkit
    Rootkit Hook Analyzer
    Sophos AntiRootkit
    F-Secure Blacklight
    Gromozon Rootkit Removal Tool
    KLister
    McAfee Rootkit Detective
    PatchFinder
    RogueRemover
    VICE
    System Virginity Verifier for Windows 2000/XP/2003

    That is a list for you all to choose from, they all do a decent enough job though, & are 100% FREE - SO, DO use them!

    9.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person (still gets email scanned though by your resident antivirus email scan component (use AntiVirus programs with these, OR, manually scan ANY attachments before opening them (if you get Microsoft Office .doc, .xls, .ppt etc. files uncompressed? HOLD DOWN THE SHIFT KEY AS YOU OPEN THEM - this stops macros from running & macros are the avenue utilized using VBA script to infect you))

    10.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router (with cookie & scripting filtering built-in @ the hardware level), these are excellent investments for security.

    11.) USE Tons of security & speed oriented registry hacks (reconfiging the OS basically - stuff like you might do in etc in UNIX/LINUX I suppose)

    Many can be found here, in an article I authored (and it tells what they do, & how they work, w/ descriptions from Microsoft themselves):

    http://www.avatar.demon.nl/APK.html

    OR, if that site is down? Download them from here @ SOFTPEDIA (where they are rated 4/5):

    http://www.softpedia.com/get/Tweak/System-Tweak/APK-Internet-and-NTkXP-Speedup-Guides.shtml

    OR, just email me here for them -> apk4776239@hotmail.com

    (I also have these PREBUILT, in .reg files, mind you!)

    They are FULLY documented internally, with link url's to the Microsoft pages they came from, inside the .reg files, so YOU can look at what the hack does inside them, verify this @ MS, & know what the valid parameters are as well!

    (This? It took me FOREVER a year or so ago to do this, but worth it!)

    The urls, or downloadable .mht files, outline it all (as do my prebuilt .reg files, probably the BEST choice of the lot imo), as to what you can ".reg file hack" for better SPEED, and SECURITY online, in a modern Windows 2000/XP/Server 2003 OS & has references from Microsoft in it for each setting plus their definitions & parameters possible!

    12.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE (my personal one houses, as of this date, 90,000 known adbanner servers, OR sites known to bear malicious code & exploits (per GOOGLE mostly, from stopbadware.org))

    Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filering files + cascading style sheets for this purpose.

    (As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))

    For a copy of mine, write me, here -> apk4776239@hotmail.com

    And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)

    13.) KEEP UP ON PATCHES FROM MICROSOFT, HERE (ordered by release date) and your antivirus/antispyware/antirootkit AND Java runtime vendors:

    http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

    (Download them manually & install them yourself, OR just let "Windows Automatic Updates" run)

    & please - DO keep up on your AntiVirus updates (either automatically via their services, or manually) & the same with your AntiSpyware products &/or things like JAVA runtimes (which was updated yesterday (06/05/2007) to JRE6.1 by SUN Microsystems mind you)!

    14.) It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE" UAC-like type scenario, isolating them into their own spaces, here are 2 methods, how (not needed on VISTA though, afaik):

    IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":

    http://it.slashdot.org/comments.pl?sid=236547&cid=19310513

    MY METHOD:

    RUNNING IE in a "runas limited user class" sandbox effect:

    "It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

    Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

    Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.

    Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd". on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batchfile c:windowsie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from you normal desktop and only run it from the restricted account. This way you can use IE without worry about any IE exploits"

    OTHER, VERY QUITE POSSIBLY SUPERIOR METHOD: ...this is exacly the way I do (but with opera and other internet related apps as acroread, mail, ...). But simply "runas /user:xxx cmd" is not the best way to achieve process separation. If you have a look at the process tree you will see: system->smss.exe->winlogon.exe->services.exe->cmd. exe->iexplore.exe. A better way is to use the method described in Joannas blog

    http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html

    See section: Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root avoiding beeing a child process.

    This is my runopera.bat which runs opera as user internet:
    psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"

    (YOU ARE NOW @ THE END OF THIS DOCUMENT & ALL of that is done for ONLINE security... &, it works!)

    (Yes, it's a PAIN to do it the first time - maybe 1 hr. work for an experienced user, more for less experienced ones, but WORTH EVERY SECOND! Why? Well, I have not had this system "go down" due to hacks/cracks/malware/virus/trojans/spyware, etc. et al (you name it) in years now! It just works... & everyone ought to know this stuff, so here 'tis!)

    Enjoy & IF you know of more to do? Please, have @ it, & let us all know what it is you do on your Win32 rigs of NT-based OS nature!

    APK

    P.S.=> Enjoy it, & SOLARIS? Do put this in place of the original post, & THE WIKI too... it is truly, as good as I can get it to be... thanks! Nice to see you all again also! apk
     
    Last edited: Jun 19, 2007
    lemonadesoda, Grings and Namslas90 say thanks.
  10. Dippyskoodlez

    Joined:
    Jul 1, 2005
    Messages:
    5,097 (1.50/day)
    Thanks Received:
    238
    Location:
    Kansas City, KS
    Belarc advisor security status...

    Isn't that the program that posts your windows key online?

    Lolz.
     
  11. TheMasterOfSinanju

    TheMasterOfSinanju New Member

    Joined:
    Jun 18, 2007
    Messages:
    28 (0.01/day)
    Thanks Received:
    11
    Location:
    A discrete point in the space-time continuum!
    Well, it's SORT OF like the "CIS Tool 1.x" I note above, & their developer came in here to these forums, to speak with myself & others in regards to differences I saw in it, vs. CIS Tool 1.x (which is multiplatform, & java driven, whereas Belarc Advisor is pure Windows/Win32 code, afaik @ least & could tell & only runs on Windows - CIS Tool runs on TONS of platforms, java etc. et al is why).

    It's a decent program (BELARC ADVISOR), but I have to admit:

    I actually LIKE CIS Tool 1.x better, & hence, why I suggest it above, vs. BELARC ADVISOR!

    (Plus, if you are conscious of things like you note & suspect badware etc.? Suggest that to Majorgeeks.com or other sites that feature it, OR write him - he came here @ my behest once, is a nice guy, and knows his stuff! He is willing to talk to folks & yes, even help them out as he did myself & others here!)

    I like CIS Tool 1.x though, because imo?

    It is more accurate, & doesn't assume things (it asks you questions first, & ones I suggested to BelarcGuy to put into HIS app, rather than assume things OR worse, get them wrong).

    The "CENTER FOR INTERNET SECURITY" also authored CIS Tool, & if you can't trust them? WHO CAN YOU TRUST?? lol... you know???

    He (belarcguy) may have amended it since, especially vs. your objections!

    (Yes, I have heard this tell of this too as you did, but it may just be an "urban myth" online (heck, my initials 'apk' are in virus' for God's sake - I did not write those, but I have heard folks say (even here after I left) "APK IS IN VIRUS PROGRAMS", sheesh, lol!))

    "APK DON'T BUILD NO JUNK" as the saying goes.

    http://www.techpowerup.com/downloads/389/foowhatevermakesgooglehappy.html

    LOL!

    Anyhow/anyways, on BELARC ADVISOR - I do know he has issued several updates since the time of our test here, write him in regard to your thoughts.

    APK

    P.S.=> He was EXTREMELY helpful to me though, as he is noted above as helping me out in this capacity - using SECURITY policies! apk
     
    Last edited: Jun 18, 2007
    lemonadesoda says thanks.
  12. Dippyskoodlez

    Joined:
    Jul 1, 2005
    Messages:
    5,097 (1.50/day)
    Thanks Received:
    238
    Location:
    Kansas City, KS
    I'm impressed. all this work.

    I fixed all those problems the easy way. :laugh::laugh:
     
  13. Wile E

    Wile E Power User

    Joined:
    Oct 1, 2006
    Messages:
    24,324 (8.26/day)
    Thanks Received:
    3,778
    OS X, ftw! lol
     
  14. TheMasterOfSinanju

    TheMasterOfSinanju New Member

    Joined:
    Jun 18, 2007
    Messages:
    28 (0.01/day)
    Thanks Received:
    11
    Location:
    A discrete point in the space-time continuum!
    LOL, I do ideas from that OS, before they HAD it even (because I've been messing around with this since 1992-1998 really, before there WAS a MacOS X)... secured services!

    Still, MacOS X, I have to admit, has GREAT BSD foundations!

    BSD's have the best IP stack in the business imo, & Windows XP/2003 Server/VISTA bit off of it, in the 'dynamically loading' ip stack (MacOS X stuff here, not sure on early BSD), that previous windows did NOT have!

    (AND YES, when MS first put Tcp/IP into their OS, they took older BSD code for their IP stack (there are still ways to show & prove this in fact, if you look online, in the tcpip.sys drivers & other libs MS uses for this, but I don't recall the specifics of it... it's older IP stack BSD code largely, but it was improved upon in some ways, by MS))

    I.E. (very real in effect)?

    You get a FASTER BOOT from it, for one thing, & you can load/unload stuff like IP Security policies dynamically (I do note this above, see "Analog X" section) & also alter your HOSTS file w/ out a reboot in XP/Server2003/VISTA, where you could NOT in Windows 2000 & below for example WITHOUT reboots of the OS!

    Also, & if you have ever noted?

    If you do not start up a browser right away with the OS boot, or other apps that call the IP stack (OR perform an esoteric hack to the OS using iirc, gpedit.msc, that makes it like Windows 2000 & below were (making the IP stack load FULLY prior to entering the windows explorer desktop shell, slowing its bootup))?

    Your first web based app takes a BIT of time to load, & subsequent loads of it are faster, as are any other IP utilizing app, once only 1 has made calls to it once you are in Windows...

    This is why: ONLY Part of the OS' IP stack is loaded @ boot & when an application in "usermode" (explorershell) calls on it? It then only, loads up FULLY!

    This technique/trick was 'stolen' from MacOS X tech by MS from what I understand (perhaps an urban myth online, but imo, not in THIS case).

    Anyhow - run CIS tool on your MacOS X rigs... see if you can beat a score of 84.735!

    (Consider it a 'challenge' to you MacOS X users!)

    Hey - None of the Linux folks I challenged to it here:

    http://linux.sys-con.com/read/382946_f.htm

    (A debate/discussion over Windows vs. Linux security superiority partially)

    Tried, or rather perhaps just could NOT exceed my score (which if you guys go about the above? You can have it too, & perhaps, exceed it), & they could NOT beat my score!

    Whatever the case may have been? Doesn't matter really... I do suspect they did try it though, & could NOT exceed my score.

    See - what I really WANTED was someone with the SELinux builds (addon hooks into the Linux kernel to create ACL like security control, except they call it MAC (mandatory access control)), especially to try it!

    CIS Tool 1.x runs on Windows, MacOS X, Linux, BSD, & Solaris (some FYI guys, it is great stuff, & helps you secure yourself, unlike other security testers (not counting Belarc Advisor, it does so, but is NOT quite up to the level of CIS Tool 1.x imo, @ least in the version we tried here)).

    Anyhow/anyways - Good luck, hope you can beat my score Wile E!

    APK

    P.S.=>
    Yes, Dippy, it is some work (1 hour's worth for experienced folks imo)... but, worth every second, for YEARS of stability from a single setup (I am on 2 now with this one, maybe more)...

    I never get "hacked/cracked/virus-malware-spyware ridden" etc. et al, because of that stuff above! I did it once, & have not had to look back, she stays UP & RUNNING, solid!

    Does it bug me, that MS does NOT ship it setup like the above?

    Yes, and NO...

    IMO, it's done for app & network compatibility, mainly for MASS deployments!

    Imo, VISTA as it ships "oem/outta-the-box" is probably the BEST that can be done w/ Windows NT-based OS for security, & still have the OS easily "mass deployable" by networkers, & assuring compatibility w/ networks & shared apps that run across networks... I could be wrong, but this is what I suspect. Otherwise, IF I am wrong (& I can be, rare, lol, but I can be)? Ms needs to do this stuff above imo, as std. practice/oem shipped this way (barring the NetBIOS/Client For Microsoft networks cutoffs I note above).

    The above 14 steps I use? Generally, its for 'stand-alone/single-rigs online' like mine, but it can be adapted for home LAN setups too (note the LanManager/NetBIOS/Client for Microsoft Networks steps above & their warning!)... apk
     
    Last edited: Jun 18, 2007
  15. TheMasterOfSinanju

    TheMasterOfSinanju New Member

    Joined:
    Jun 18, 2007
    Messages:
    28 (0.01/day)
    Thanks Received:
    11
    Location:
    A discrete point in the space-time continuum!
    One last thing before hitting work today: Photo proof of my CIS Tool 1.x score

    [​IMG]

    "Pictures DO say a 1,000 words"...

    :)

    * Which, lol, equates to my post above I would say (easily 1,000 words I would guess/wager)...

    APK
     
    lemonadesoda says thanks.
  16. xvi

    xvi

    Joined:
    Nov 10, 2006
    Messages:
    2,027 (0.70/day)
    Thanks Received:
    1,221
    Location:
    Washington, US
    Not bad. I think you should add the Microsoft Baseline Security Analyzer to the mix.

    I'm not a fan of adding extra software on my servers, though. Most of the ones that I'm lucky enough to manage don't touch the internet. Just keep current on your updates and don't install software that you don't trust with your life.
     
    Crunching for Team TPU
  17. TheMasterOfSinanju

    TheMasterOfSinanju New Member

    Joined:
    Jun 18, 2007
    Messages:
    28 (0.01/day)
    Thanks Received:
    11
    Location:
    A discrete point in the space-time continuum!
    Thanks! It just works...

    That's an idea, but I have had trouble running it before here, & iirc, it was calling for me to run SOME services I do not keep running usually!

    (IIRC, it depends on services I turn off, & iirc, it MAY have been Terminal Services (I don't use them here like I used to, so, I cranked it off)... I used to use it to work from home 2-3 days a week, but not anymore, have to be "on site" from now on (in mgt. now)).

    Thing is? This is oriented to WORKSTATIONS/PRO type Windows NT-based OS setups... e.g.-> The Windows Server 2003 setup I have here, is nearly PURELY a "Workstation/Pro" setup, its default in this OS version (you add server components like IIS, or others, ONLY AS YOU NEED THEM (sorry if you are aware of this already, I hate to sound OR BE, condescending, because it's NOT cool, & you never know if you may be talking to someone who is your equal OR superior in a particular area)).

    If ANYTHING above? I am cutting back on wares (stopping Client for Microsoft Network or NetBIOS + File & Printer sharing for example)...

    Still - I ought to add the basic concept of cutting off services really, ones you do NOT need, but that IS covered in my downloads documents internally, above (softseek ones, etc.).

    APK

    P.S.=> I will add this to that above, it cannot hurt, IF I missed it (this latter point, cutting off services you do NOT need to be running, & here, NOT just in my downloadable speedup stuff)... EDIT PART - it is there already, but I 'reinforced it more' in a bolded statement! apk
     
  18. Dippyskoodlez

    Joined:
    Jul 1, 2005
    Messages:
    5,097 (1.50/day)
    Thanks Received:
    238
    Location:
    Kansas City, KS
    Hey, link me a working os x bench and I'll gladly beat it. ;)

    But all I could find was a crappy pdf :(
     
  19. Remo_Williams

    Remo_Williams New Member

    Joined:
    Jun 27, 2007
    Messages:
    7 (0.00/day)
    Thanks Received:
    2
    Location:
    A discrete point in the space-time continuum
    Sorry my man, you are right... I checked before I got the ban (as "TheMasterOfSinanju"), & you are right (I don't use MacOS X, & I figured since it is basically a BSD variant, it would have one, as BSD's do there)...

    Of course, this also is an evidence of there being LESS SOFTWARE FOR MacOS X, than there is for Windows... keep that in mind!

    Anyhow/anyways - "Oh well!"

    If anyone can 'take out my score'? I figured it MIGHT just be a MacOS X rig... SELinux folks can't, & I posted @ slashdot MANY times to the BSD folks even (and Linux Penguins too, even SELinux ones)... nobody could/no takers!

    APK

    P.S.=> Anyhow, final mod for the TPU Wiki for this post is upcoming... the technique's & article material are down to a "12 step program" in my next post (final one I will ever EVER do here)... enjoy the read, & I hope you guys find it useful in securing your Windows rigs (especially so no one can EVER feed you a line that "Windows is less secure than (insert other OS here)" type stuff... cuz it just AIN'T true!)... apk
     
    Last edited: Jun 27, 2007
  20. Remo_Williams

    Remo_Williams New Member

    Joined:
    Jun 27, 2007
    Messages:
    7 (0.00/day)
    Thanks Received:
    2
    Location:
    A discrete point in the space-time continuum
    APK "12 step program" 4 a secure Windows NT-based OS (2000/XP/Server 2003/VISTA))

    INTRODUCTION:

    Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - new holes/vulnerabilities appear in the OS & its libs + apps, but this gets you closer, if not as close as a body needs to be!).

    THIS IS GEARED TO "stand-alone" systems online on the internet (However - it can be adapted for LAN/WAN office or home networked environs, BUT, pay attention to step #2's 'warnings' about pulling Client For Microsoft Networks, &/or File & printer sharing - most networks require/need this)

    BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:

    Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):

    http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

    It is a personally 'security-hardened' model I have been working on for many years, using principals I learned & used since the NT 3.5x days onward to this version of the OS: As is now?

    I score an 84.735 on the CIS Tool 1.x currently as of 06/01/2007! This is up from my past score here of 76.xxx on it, & here is how to do it!

    Currently, I can go NO higher than this score of 84.735 (of 100 total) on CIS Tool 1.x for Windows, pictured here (photo proof/pictures DO say, a 1,000 words (like this post, lol)):

    http://forums.techpowerup.com/showthread.php?p=366342#post366342

    BUT, that is a GOOD score (especially considering the default score of VISTA even, is FAR BELOW THAT! Nice part is? The techniques noted here can LARGELY APPLY TO VISTA AS WELL! Read on...)

    (For CIS Tool - There are Linux, Solaris, BSD variants, & other OS models ports (some only in .pdf security guide form though, not programmatically automated yet, like MacOS X) of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)

    DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:

    http://www.cisecurity.org/bench.html

    (IMPORTANT: This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!)

    APK 12 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):

    1.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP (you have to install this, it does NOT install by default) first to help security it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as as starting point))...

    Directions for its installation are as follows:

    Start the Add or Remove Programs Control Panel applet.

    Click Add/Remove Windows Components.

    On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

    The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

    DONE! Now, run it... it is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

    ALSO, per TPU forums user (username "xvi") @ techpowerup.com forums (software section): Use Microsoft Baseline Security Advisor, a free download from Microsoft as well to check your system for security holes, patch updates, etc. (be wary of the fact it does require various services running though, iirc, Terminal Server Services Client - I do NOT keep that running here anymore, & this program failed on me because of that (would not initialize @ all))

    2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)!

    E.G.-> Here? I pull ANY Networking clients &/or Protocols in the Local Area Connection, other than Tcp/IP typically (& disable NetBIOS as well, because I don't need it here), on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN. I also disable that too!

    3.) Use IP security policies (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:

    http://www.analogx.com/contents/articles/ipsec.htm

    (Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)

    NOTE: This can be 'troublesome' though, for folks that run filesharing clients though. An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.

    (HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it & when done? TURN THEM ON, AGAIN! These work WITH software & hardware router firewalls, IP port filtering, and security IP policies, simultaneosly/concurrently, for "layered security", no hassles!).

    4.) USE General security policies (in gpedit.msc/secpol.msc), these are VALUABLE tools (and will be needed & suggestions for it will be told to you by the CIS Tool noted above - great stuff!) and regedit.exe!

    (Newly added - regedit.exe use is for registry ACL permissions, via its EDIT menu, PERMISSIONS submenu item (to add/remove users that have rights to regisry hives/values, & to establish their rights levels therein))

    ALSO NEWLY ADDED - Explorer.exe "right-click" on drive letters/folders/files (for file access ACL permissions hardening) using its popup menu selection of "PROPERTIES", & in the next screen, the SECURITY tab (to add/remove users that have rights to said items, & to establish their rights levels therein), also - this is another requirement of CIS Tool 1.x & its suggestions for better security.

    5.) HARDENING & SECURING SERVICES HOW-TO:

    Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE), see this URL where I did a lot of research for a prebuilt list for another forums, to see how/why this works:

    http://forums.techpowerup.com/showthread.php?t=16097

    I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privelege user too for this on 2000 if needed)...

    I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

    LOCAL SERVICE startable list (vs. LocalSystem Logon Default):

    Acronis Scheduler 2 Service
    Alerter (needs Workstation Service Running)
    COM+ System Application
    GHOST
    Indexing Service
    NVIDIA Display Driver Service
    Office Source Engine
    O&O Clever Cache
    Remote Registry
    Sandra Service
    Sandra Data Service
    SmartCard
    Tcp/IP NetBIOS Helper
    Telnet
    UserProfile Hive Cleanup Service
    Volume Shadowing Service
    Windows UserMode Drivers
    Windows Image Acquisition
    WinHTTP Proxy AutoDiscovery Service

    NETWORK SERVICE startable list (vs. LocalSystem Logon Default):

    ASP.NET State Service
    Application Layer Gateway
    Clipbook (needs Network DDE & Network DDE DSDM)
    Microsoft Shadow Copy Provider
    Executive Software Undelete
    DNS Client
    DHCP Client
    Error Reporting
    FileZilla Server
    Machine Debug Manager
    Merger
    NetMeeting Remote Desktop Sharing Service
    Network DDE
    Network DDE DSDM
    PDEngine (Raxco PerfectDisk)
    Performance Logs & Alerts
    RPC
    Remote Desktop Help Session Manager Service
    Remote Packet Capture Protocol v.0 (experimental MS service)
    Resultant Set of Policies Provider
    SAV Roam
    Symantec LiveUpdate
    Visual Studio 2005 Remote Debug

    PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.

    WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

    If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

    Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

    If that fails (shouldn't, but IF it does)? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

    ListSvc (shows services & drivers states of stopped or started)

    Enable (starts up a service &/or driver)

    Disable (stops a server &/or driver)

    Which can turn them back on if/when needed

    (ON Virtual Disk Service being removed, specifically (because it used to be in this list)): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

    CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this - do consider it, when possible! Many guides online exist for this, & I authored one of the first "back in the day" for NTCompatible.com as "Article #1" back in 1997-1998 - the latest ones are even BETTER!

    SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

    STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

    Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

    The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

    http://forums.techpowerup.com/showthread.php?t=16097

    "Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use it's File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

    (It's easy, & it works, & is necessary for the actual steps to do this, below)

    Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

    STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

    http://support.microsoft.com/kb/816297

    Create and Define a New Security Template

    (To define a new security template, follow these steps)

    1. In the console tree, expand Security Templates
    2. Right-click %SystemRoot%\Security\Templates, and then click New Template
    3. In the Template name box, type a name for the new template.

    (If you want, you can type a description in the Description box, and then click OK)

    The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

    1. To define a System Services policy, follow these steps:
    a. Expand System Services
    b. In the right pane, double-click the service that you want to configure
    c. Specify the options that you want, and then click OK.

    (And, of course, the user feedback on its effectiveness (Makes your Win32 NT-based OS very much like how MacOS X treats its daemon processes via privelege levels), which uses the same general principals)

    It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

    DONE!

    6.) Another thing I do for securing a Windows NT-based OS: IP Port Filtrations (like ip security policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IPSecurity policies, hardware AND software firewalls, all in combination/simultaneously running)!

    DIRECTIONS ON HOW TO IMPLEMENT THEM (very easy):

    Start Menu -> Connect To Item (on the right hand side) -> Local Area Connection (whatever you called it, this is the default, iirc) open it via double click OR, right-click popup menu PROPERTIES item -> Properties button on left-hand side bottom, press/click it -> NEXT SCREEN (Local Area Connection PROPERTIES) -> "This connection uses the followng items" (go down the list, to Tcp/IP & select it & /click the PROPERTIES button there) -> Press/Click the Advanced Button @ the bottom Right-Hand Side (shows Advanced Tcp/IP Settings screen) -> OPTIONS tab, use it & Tcp IP Filtering is in the list, highlite/select it -> Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side -> Check the "Enable Tcp/IP Filtering (on all adapters)" selection -> In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp) -> In the far left "tcp ports" list - check off the radio button above the list titled "PERMIT ONLY", & then add ports you want to have open (all others will be filtered out, & for example, I leave port 80,8080, & 443 here open, only - you may need more if you run mail servers, & what-have-you (this varies by application)) -> I leave the UDP section "PERMIT ALL" because of ephemeral/short-lived ports usage that Windows does (I have never successfully filtered this properly but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)) -> DONE!

    You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

    I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA? This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

    http://www.microsoft.com/technet/community/columns/cableguy/cg0605.mspx

    (In THAT url above? Trust me - Enjoy the read, it is VERY informative: That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

    7.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person (still gets email scanned though by your resident antivirus email scan component (use AntiVirus programs with these, OR, manually scan ANY attachments before opening them (if you get Microsoft Office .doc, .xls, .ppt etc. files uncompressed? HOLD DOWN THE SHIFT KEY AS YOU OPEN THEM - this stops macros from running & macros are the avenue utilized using VBA script to infect you))

    8.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router (with cookie & scripting filtering built-in @ the hardware level), these are excellent investments for security.

    9.) USE Tons of security & speed oriented registry hacks (reconfiging the OS basically - stuff like you might do in etc / conf in UNIX/LINUX I suppose)

    Many can be found here, in an article I authored (and it tells what they do, & how they work, w/ descriptions from Microsoft themselves):

    http://www.avatar.demon.nl/APK.html

    OR, if that site is down? Download them from here @ SOFTPEDIA (where they are rated 4/5):

    http://www.softpedia.com/get/Tweak/System-Tweak/APK-Internet-and-NTkXP-Speedup-Guides.shtml

    OR, just email me here for them -> apk4776239@hotmail.com

    (I also have these PREBUILT, in .reg files, mind you, available by email, fully internally documented!)

    They are FULLY documented internally, with link url's to the Microsoft pages they came from, inside the .reg files, so YOU can look at what the hack does inside them, verify this @ MS, & know what the valid parameters are as well!

    (This? It took me FOREVER a year or so ago to do this, but worth it!)

    The urls, or downloadable .mht files, outline it all (as do my prebuilt .reg files, probably the BEST choice of the lot imo), as to what you can ".reg file hack" for better SPEED, and SECURITY online, in a modern Windows 2000/XP/Server 2003 OS & has references from Microsoft in it for each setting plus their definitions & parameters possible!

    10.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE (my personal one houses, as of this date, 90,000 known adbanner servers, OR sites known to bear malicious code & exploits (per GOOGLE mostly, from stopbadware.org))

    Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filering files + cascading style sheets for this purpose.

    (As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))

    For a copy of mine, write me, here -> apk4776239@hotmail.com

    And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)

    11.) KEEP UP ON PATCHES FROM MICROSOFT, for your OS & Microsoft Office Apps, & IE, etc., HERE (ordered by release date) and run AntiVirus/AntiSpyware/AntiRootkit tools (& yes, keep them updated/current)!

    http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

    Again, keep up on antivirus/antispyware/antirootkit AND Java runtimes updates!

    (Done either automatically via their services, or manually)

    Download them manually & install them yourself (OR just let "Windows Automatic Updates" run)

    Running the "std. stuff", like AntiVirus (NOD32 latest 2.7x - best one there is, & that is not only MY opinion after testing it vs. my former fav. NAV Corporate 10.2 (it is lighter in RAM & resource uses than NAV Corporate even, finds more virus' than others, & uses less "moving parts" (in the way of services componentry, than most do, & certainly less than NAV)) + SpyBot (Ad-Aware is another option) as my resident antispyware tool running in the background! AntiRootkit tools are another one to be conscious of nowadays, now that such machinations are available for Windows (they originated, afaik, in the UNIX world though).

    The "best ones" are:

    AVG AntiRootkit
    BitDefender AntiRootkit
    GMER
    Rootkit Revealer
    PrevX AntiRootkit
    Rootkit Hook Analyzer
    Sophos AntiRootkit
    F-Secure Blacklight
    Gromozon Rootkit Removal Tool
    KLister
    McAfee Rootkit Detective
    PatchFinder
    RogueRemover
    VICE
    System Virginity Verifier for Windows 2000/XP/2003

    That is a list for you all to choose from, they all do a decent enough job though, & are 100% FREE - SO, DO use them!

    12.) It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE IE 7 Protected Mode"-like type scenario, isolating them into their own spaces in memory, here are 2 methods, how (not needed on VISTA though, afaik):

    IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":

    http://it.slashdot.org/comments.pl?sid=236547&cid=19310513

    MY METHOD:

    RUNNING IE in a "runas limited user class" sandbox effect:

    "It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

    Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

    Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.

    Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd". on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batchfile c:windowsie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from you normal desktop and only run it from the restricted account. This way you can use IE without worry about any IE exploits"

    OTHER, VERY QUITE POSSIBLY SUPERIOR METHOD: ...this is exacly the way I do (but with opera and other internet related apps as acroread, mail, ...). But simply "runas /user:xxx cmd" is not the best way to achieve process separation. If you have a look at the process tree you will see: system->smss.exe->winlogon.exe->services.exe->cmd. exe->iexplore.exe. A better way is to use the method described in Joannas blog

    http://theinvisiblethings.blogspot.c...every-day.html

    See section: Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root avoiding beeing a child process.

    Note - The "invisible thing"? She's "Yuriko DeathStrike" as far as I am concerned... Joanna Rutkowska, my fellow "Polish Person" & she's a regular "wonder" in the security/hacking/cracking world!

    This is my runopera.bat which runs opera as user internet:
    psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"

    PLUS, Windows Server 2003 has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)

    (YOU ARE NOW @ THE END OF THIS DOCUMENT & ALL of that is done for ONLINE security... &, it works!)

    APK

    P.S.=> Yes, it's a PAIN to do it the first time - maybe 1 hr. work for an experienced user, more for less experienced ones, but WORTH EVERY SECOND!

    Why?

    Well, I have not had this system "go down" due to hacks/cracks/malware/virus/trojans/spyware, etc. et al (you name it) in years now! It just works...

    (... & everyone ought to know this stuff, so here 'tis!)

    Enjoy & IF you know of more to do? Please, have @ it, & let us all know what it is you do on your Win32 rigs of NT-based OS nature... apk

    Original version @ slashdot -> http://it.slashdot.org/comments.pl?sid=237507&cid=19410153

    Updated version #2 @ techpowerup.com -> http://forums.techpowerup.com/showthread.php?p=365996#post365996
     
    Last edited: Jun 27, 2007
    lemonadesoda says thanks.
  21. oily_17

    oily_17

    Joined:
    Sep 25, 2006
    Messages:
    2,313 (0.78/day)
    Thanks Received:
    670
    Location:
    Norn Iron
    Cheers Alec,I am shortly going to do a clean install and this will come in very helpfull before I make a ghost backup for later use when looking to revert back to a secure OS.
     
    Remo_Williams says thanks.
  22. Wile E

    Wile E Power User

    Joined:
    Oct 1, 2006
    Messages:
    24,324 (8.26/day)
    Thanks Received:
    3,778
    A Tout Le Monde

    Posted by me, as requested by APK, thru email.

     
  23. mullered07

    mullered07 New Member

    Joined:
    Jan 28, 2007
    Messages:
    2,648 (0.94/day)
    Thanks Received:
    204
    Location:
    UK
    lol apk ftw :roll: :rockout:

    even now i enjoy reading his posts, i alos like when he creates a new user account he blatantly signs it apk (although jusat by reading the first line of any of his posts you know who it is ;) ) also his location, did you see it ? "a discreet point in the space-time continuim" lol :toast:
     
  24. theonetruewill New Member

    Joined:
    Nov 12, 2006
    Messages:
    2,996 (1.03/day)
    Thanks Received:
    240
    Location:
    London - Close your eyes and you'll see me
    Russian boy would like this

    Message from APK:

    "It's getting BETTER ALL THE TIME!" - The Beatles
    (see attached picture)
    (For RussianBoy of course, as he's a Beatle's Fan, & I think that tune fits this increased score, as a theme)...

    Thanks!

    APK

    P.S.=> A SIDE NOTE -> A guy over @ /. (slashdot.org) has supposedly "beaten"
    my score!

    (However, his LINUX is running under a VMWare emulation)

    So I would like others' feedback as to that if you would like to post this as well:

    http://enigma.ev6.net/result2.html <---------His result's there.
     

    Attached Files:

  25. DoctorWhoIsWho New Member

    Joined:
    Oct 20, 2007
    Messages:
    5 (0.00/day)
    Thanks Received:
    0
    LINUX RESULTS (both default AND security hardened on SuSE Linux Enterprise)

    See the attached jpg photos for the scores for LINUX folks (default is 46.xxx & security hardened is 90.xxx).

    LINUX SuSE Enterprise SECURITY HARDENED SCORE:

    [​IMG]

    LINUX SuSE Enterprise DEFAULT NON-SECURITY HARDENED SCORE:

    [​IMG]

    This all just goes to show you that even LINUX (which is WORSE by default per this security settings test than Windows XP SP 2 is, despite the constant diatribes spouted by the *NIX community of "how superior the security is on *NIX's" vs. Windows) can stand quite the bit of security hardening...

    APK

    P.S.=> My next post will have my current highscore on Windows Server 2003 SP #2 fully security hotfix patched (as of the date of the last "Patch Tuesday") & also my workstation on the job (now security hardened) scoring 85.356 (and, I cannot FULLY security harden it, because we have some legacy NT 4.x servers & they cannot handle NTLMv2 communications, a requirement for a higher score + our pwd policies are limited as well)... apk
     

    Attached Files:

Currently Active Users Viewing This Thread: 1 (0 members and 1 guest)

Thread Status:
Not open for further replies.

Share This Page