APK "A to Z" Internet Speedup & Security Text!

Advertisement (Why?)

While browsing one of the online forums, Beta.Net Forums I came across this AMAZING and VERY LONG article on basically everything you ever wanted to know but were afraid to ask, about Windows XP, Security and speeding up your internet connection, even if you only have a modem.

This is quite a read, so print yourself a copy or download to your PDA, and be amazed at what you'll learn from this collection of information that APK has gathered and put in one place for everyone to enjoy!

Sections include :-

Want to filter your XP TCP/IP stacks some more & be more secure online?
Using the Microsoft Security Scanner online to ensure you are up to date
Filesystem & Registry Level Security (allowing ONLY myself & the system)
Dropping/Stopping all the default shares like C$ etc
A very potent speedup (security too) use a custom hosts file

Click the ...Read more link to see the complete text from the Beta.Net forum!

---------------------------------------------------------------------
APK "A to Z" INTERNET SPEEDUP & SECURITY TEXT!
---------------------------------------------------------------------

IMPORTANT NOTES & THINGS TO WATCH FOR: THIS IS GEARED TO A STANDALONE SYSTEM:

If you have a LAN at home, be extra careful about some settings regarding NetBIOS (Tcp/IP NetBIOS Helper Service (an NT based OS service) & also NetBIOS over Tcp/IP in your WINS properties) & Client For Microsoft Networks (needed to change workgroup name & machine name and other network functions) as well as some of the Port filtrations, since some ports are used by NetBIOS (135-139), and also some of the registry hacks for security!

ALSO IMPORTANT: Do NOT DO THIS, until you have a perfectly setup system! One with all of your software online! Ghost it in pre-tuned "normal" untuned form if you can so restores are fast!

Because, if you have to setup things like Diskeeper after doing service tunings? It may fail... the troubleshooting guide at the bottom shows more on it & details on how to recover, guaranteed, back to system normal state!

(Diskeeper depends on remote registy service access to get the SYSTEM username, & also named pipes, which if memory serves me right, is LanManager based... & thus needs Client for Microsoft Networks bound to Tcp/IP services PLUS Tcp/IP over NetBIOS in wins... this has saved me from this hassle! More on it at the bottom in troubleshooting!)

======================================================================
SECURITY SECTION:
======================================================================

A.) Want to filter your XP Tcp/IP stacks some more & be more secure online?

Go to your network connection properties via Control panel called "network & internet connections":

1.) Use the Network Connection item
2.) Right-Click on the connection itself, & from the popup-menu, select properties
3.) Under the "This connection uses the following items" section window, hi-lite 'Internet Protocol (TCP/IP)'
4.) Click the Properties button
5.) Click the Advanced button
6.) Use the Options tab
7.) Hi-Lite Tcp/IP filtering
8.) Click the Properties button
9.) Now, in the TcpPorts section, Tick off/Click the 'Permit Only' checkbox-radio button
10.) Under there, use the Add button to Add the ports you ONLY want to come thru (I only allow 21 for FTP servers I might run or port 80 for HTTP... add what you need to let come in on an as-needed basis for what you run)
11.) In the IP Protocols section, Tick off/Click the 'Permit Only' checkbox-radio button
12.) Under there, use the Add button to put in the number 6

* A simple "12-step" program to heighten the effectiveness of the Internet security of your machine online!

(UDP Ports can be filtered as well & right now? It's my belief using IP protocol 6 only does this! You could add IP protocol 17 (which is UDP) to the IP section as well. If you want to add UDP specifically allowed filters (since it is my belief it is already ALL UDP packet filtered since I only allow IP protocol 6 thru which is Tcp packets only in the IP section)?

You would add IP protocol 17 in the IP Section, as well & any ports for the UDP you want to allow in the UDP section checking off either ALLOW ALL, or Allow Only & adding ports you wish to come in!

This takes some research & doing with your ISP or with games as many use UDP since it is the fastest NET based protocol since it uses no return validation of packets sent as Tcp/IP does... ISP's for cablemodem providers often use ports like 53 in the 'known ports' category for communications with your system & higher ports like the 60000 range also! BUT, it can be strengthened as well, but takes some research & trial & error testing with your ISP!)

See, I found that many level #1 support techs aren't aware of this & many Tier #2-3 ones aren't either... hence, why I stated it can be VERY trial & error on your part but worth it! But, it is a PAIN trying & retrying it to get it right... but it can be done!

-------------------------------------------------------------------------------------------

B.) ALSO, here is a COMBINED speedup & security increasing section to add to your Tcp/IP Paramters section in the registry at this location:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters]
"NameServer"=""
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"SearchList"=""
"UseDomainNameDevolution"=dword:00000001
"EnableICMPRedirect"=dword:00000000
"DeadGWDetectDefault"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"EnableSecurityFilters"=dword:00000001
"AllowUnqualifiedQuery"=dword:00000000
"PrioritizeRecordData"=dword:00000001
"TCP1320Opts"=dword:00000003
"KeepAliveTime"=dword:00023280
"BcastQueryTimeout"=dword:000002ee
"BcastNameQueryCount"=dword:00000001
"CacheTimeout"=dword:0000ea60
"Size/Small/Medium/Large"=dword:00000003
"LargeBufferSize"=dword:00001000
"SynAckProtect"=dword:00000002
"PerformRouterDiscovery"=dword:00000000
"EnablePMTUBHDetect"=dword:00000000
"FastSendDatagramThreshold "=dword:00000400
"StandardAddressLength "=dword:00000018
"DefaultReceiveWindow "=dword:00004000
"DefaultSendWindow"=dword:00004000
"BufferMultiplier"=dword:00000200
"PriorityBoost"=dword:00000002
"IrpStackSize"=dword:00000004
"IgnorePushBitOnReceives"=dword:00000000
"DisableAddressSharing"=dword:00000000
"AllowUserRawAccess"=dword:00000000
"DisableRawSecurity"=dword:00000000
"DynamicBacklogGrowthDelta"=dword:00000032
"FastCopyReceiveThreshold"=dword:00000400
"LargeBufferListDepth"=dword:0000000a
"MaxActiveTransmitFileCount"=dword:00000002
"MaxFastTransmit"=dword:00000040
"OverheadChargeGranularity"=dword:00000001
"SmallBufferListDepth"=dword:00000020
"SmallerBufferSize"=dword:00000080
"TransmitWorker"=dword:00000020
"DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,
00,00,00,30,00,00,00,00,00
"DefaultRegistrationTTL"=dword:00000014
"DisableReplaceAddressesInConflicts"=dword:00000000
"DisableReverseAddressRegistrations"=dword:00000001
"UpdateSecurityLevel "=dword:00000000
"DisjointNameSpace"=dword:00000001
"QueryIpMatching"=dword:00000000
"NoNameReleaseOnDemand"=dword:00000001
"EnableDeadGWDetect"=dword:00000000
"EnableFastRouteLookup"=dword:00000001
"MaxFreeTcbs"=dword:000007d0
"MaxHashTableSize"=dword:00000800
"SackOpts"=dword:00000001
"Tcp1323Opts"=dword:00000003
"TcpMaxDupAcks"=dword:00000001
"TcpRecvSegmentSize"=dword:00000585
"TcpSendSegmentSize"=dword:00000585
"TcpWindowSize"=dword:0007d200
"DefaultTTL"=dword:00000030
"TcpMaxHalfOpen"=dword:0000004b
"TcpMaxHalfOpenRetried"=dword:00000050
"TcpTimedWaitDelay"=dword:00000000
"MaxNormLookupMemory"=dword:00030d40
"FFPControlFlags"=dword:00000001
"FFPFastForwardingCacheSize"=dword:00030d40
"MaxForwardBufferMemory"=dword:00019df7
"MaxFreeTWTcbs"=dword:000007d0
"GlobalMaxTcpWindowSize"=dword:0007d200
"EnablePMTUDiscovery"=dword:00000001
"ForwardBufferMemory"=dword:00019df7

HERE IS A SECTION (EDIT PART, IMPROVED, TO ADD TO YOUR AFD.SYS TUNING FOR Tcp/IP also!)

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesAFDParameters]
"DefaultReceiveWindow"=dword:00004000
"DefaultSendWindow"=dword:00004000
"LargeBufferSize"=dword:00002000
"MediumBufferSize"=dword:00001000
"SmallBufferSize"=dword:00000400
"TransmitWorker"=dword:00000020
"DisableRawSecurity"=dword:00000000
"DynamicBacklogGrowthDelta"=dword:00000000
"FastCopyReceiveThreshold"=dword:00000800
"FastSendDatagramThreshold"=dword:00000800
"IgnorePushBitOnReceives"=dword:00000000
"IrpStackSize"=dword:00000004
"LargeBufferListDepth"=dword:0000000a
"MaxActiveTransmitFileCount"=dword:00000002
"MaxFastTransmit"=dword:00000040
"MaxFastCopyTransmit"=dword:00000080
"MediumBufferListDepth"=dword:00000018
"OverheadChargeGranularity"=dword:00000001
"PriorityBoost"=dword:00000002
"SmallBufferListDepth"=dword:00000020
"StandardAddressLength"=dword:00000016

-------------------------------------------------------------------------------------------

C.) Again, combined security & speed (here because it adds to the above section B): Added to that one above in B? Using ping -l 1400 -f (start at 1300 & go up to 1500 on Cable/DSL) & seeing your LOWEST ms times on those pings? You can figure out your MTU to add as well under each Network Adapter Interface!

EXAMPLE: ping -l 1500 -f www.twcny.rr.com

(Ping your DNS connection Default Gateway from your ISP if you can, that's your doorway! That is determined by using IPConfig /all from the commandline, or using wntipcfg.exe from the reskit... a GUI one like the winipcfg.exe in Win9x (both from MS, both free now). If not, next best bet is to ping your ISP's webpage!)

1500 is the default & 1472 seems to be the largest anyone can do without fragmentation... the ping command will show you your best one & when it starts to fragment? You use the one before it that did not as YOUR individually best value!

E.G.-> They look like this in the registry:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersAdapters{09EC4F91-EABC-419C-BEF4-433971144FE5}]

Under each of them, add in the MTU as a DWORD value with your best non-fragmented packet size after doing the ping test I showed above!

(And in the above tip I wrote on the Parameters section? Make that equal to your EXACT TcpRecvSegmentSize & TcpSendSegmentSize so you take in the BIGGEST chunks per packet you can at once & do not fragment!)

Then, get your RWIN:

On cablemodems, the generic network MTU/MaxMTU is usually 1472 (largest non fragmented value) a.k.a 1500. -40 would be 1460 MSS.

56K modems use 576 MTU and 536MSS.

The generic PPOE (dsl) mtu is 1492. -48 (40bytes for the default TCP OPTIONS + 8 bytes for the ppoe header involved) 1444 MSS.

The -40 amount is TCP HEADER size. Which can be affected by certain RFC options like Timestampings.

The RWIN amount needs to be an even multiple of MSS x even number the forumla I use is:

Download Rate in Kb (kilobits) x 1024 = n
n * .5 (.5 is the latency of the line or 500ms) = n
n / 8 = n

1472 is my MTU/MaxMTU derived from ping -l 1472 -f to my ISP gateway & website also... largest I could be before fragmenting packets!
472 - 48 = 1424 + 12 packets gained by using Tcp1230pts TimeStamps removed on packet headers = 1436
512 x 1024 = 524288
524288 x .5 = 262144
262144 / 8 = 32768
32768 / 1436 = 22.8 ~ 23
23 x 1436 = 33028 my RWIN figure...

Now you've got a number you can utilize for the next step!

Take that last N / MSS = n You'll usually get something like 30.23341341 Round up/down to the nearest even number. So in our case it would be 30 Then Take 30 x MSS = RWIN VALUE

This RWIN value is added right alongside MTU in your registry interface keys!

------------------------------------------------------------------------------------------

D.) Disable LANMAN Authentication by sites online with this hack:

HKEY_LOCAL_MACHINESoftwareMicrosoftInternet ExplorerSecurityNTLM

Double click on SchemeList in the righthand side part of regedit.exe, if not there, create it!

Change REG_SZ string Value to: APK

(This will prevent IE from browsing any site that uses NTLM authentication on the net)

-------------------------------------------------------------------------------------------

E.) Other things to do are to make sure you're up to date on patches for the OS & use the Microsoft Security Scanner online for that located here:

http://www.microsoft.com/technet/mpsa/start.asp

(This site tells you what patches you lack & advises on application AND OS level security in passwords & settings for networking too... great stuff!)

-------------------------------------------------------------------------------------------

F.) I delete out the Client for Microsoft Networks because I do not believe in broadcasting extra protocols (have a LAN now, did not until recently), & disable the Tcp/IP Netbios helper service as well as telling the Internet Connection to NOT use NetBIOS over Tcp/IP... However, be sure your workgroup names are the SAME on all your boxes before you do this! You can only change your system name & workgroup if Client for Microsoft Networks is installed first!

(As I am sure you all know, but am going to restate: You can use just Tcp/IP for your networks, more collisions than a non-internet routeable protocol like NetBEUI is, but if you go online it is safer to use only Tcp/IP in my estimation if you go online & surf! Don't like collisions of packets? GET A SWITCH!)

YES, you can unbind NetBIOS stuff from your NIC or internet adapter on a hardware bindings level, but this 'radical surgery' technique I use is in my opinion, the safest... Tcp/IP networking, ONLY!

(You can have a home LAN that is ALL Tcp/IP no problem & be a bit more secure & faster broadcasting LESS protocols too in piggybacked packets! Smaller per packet too, & faster!)

-------------------------------------------------------------------------------------------

G.) Plus, if you use File & Printer sharing? Disable it... or remove the service/protocol for it from the connection you use for the net in Network Control Panel icon item's properties!

Again, if on a home LAN, you may need this & there IS ways to make it more secure by switching connections bindings & more (like password access etc.) & they have LOADS of info about that on MS Tech-Net!

Here's how to hide your shared printers too:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlPrint]
"DisableServerThread"=dword:00000001

-------------------------------------------------------------------------------------------

H.) HERE IS SOME MORE HACKS FOR YOU IF YOU USE NETBIOS (client for Microsoft Networks) on your LAN/WAN connection:

I rename the initial Admin account ("Administrator") for security purposes!

(Not that it helps if you don't take certain measures! Anyone can find it with nbtstat I believe...)

You can disable NETBIOS info enumeration for nbtstat.exe & other programs with this hack in the second set & the first set stops anonymous logons used in Null Sesssion style hacks by NetBIOS type attacks:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa]
"SecureBoot"=dword:00000001
"restrictanonymous"=dword:00000002

* This stops 'nullsession attacks' otherwise known as anonymous logons that take advantage of SMB/CIFS (common internet FileSystem) style attacks on MS stuff.

ALSO, under this, here:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaMSV1_0
NtlmMinClientSec
MtlmMinServerSec

of these values in this small table below next:

0x00000010 Integrity Message
0x00000020
0x00080000 NTLM2 Session Security
0x20000000 128-bit session security
0x80000000 56-bit session security

Do that... add those DWORD values as decimal ones! They restrict man in the middle
attacks & using smb stuff against you!

Under [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa] add another key called NoLMHash & also add a DWORD value of NoLMHash as well... this works on Xp & 2k equally doing both!

PLUS THIS:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanManServerParameters]
"autodisconnect"=dword:0000000a
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"CachedOpenLimit"=dword:00000000
"IRPStackSize"=dword:4
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000
"Hidden"=dword:00000001
"SizReqBuf"=dword:00003904

(The IRPStackSize & SizReqBuf speed up this too as a bonus!)

AND THIS:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanWorkstationParameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
"OtherDomains"=hex(7):00,00
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000
"MaxCmds"=dword:00000020
"MaxThreads"=dword:00000020
"MaxCollectionCount"=dword:00000020
"CacheFileTimeout"=dword:0000000f
"DormantFileLimit"=dword:00000032

(The last 2 in this one also speed up NetBIOS some)

* Best way however, in my estimation to stop that? REMOVE Client for Microsoft Networks (some things like ICS may need it however, or you need it to change your workgroup name I believe) & tell Tcp/IP NOT to use NetBIOS over Tcp/IP in wins! Also, disable the Tcp/IP NetBIOS helper service! This stops the possibilities of NULL session hacks too! If you have a home LAN that needs it though, don't do this one!

-------------------------------------------------------------------------------------------

I.) GET A LINKSYS DSL/CABLEMODEM NAT "firewalling" Router-Gateway, cheap & effective! Worth their weight in gold for cable & dsl folks for security, fast & easy to manage also via a webbrowser admin tool no less!

-------------------------------------------------------------------------------------------

J.) Filesystem & Registry Level Security (allowing ONLY myself & the system)

Same idea as the registry security: The less folks that have rights to your machine (keys to your home) the less chance of ingress/forced entry... very simple idea.

If I need to add registry or filesystem access to a group?

It'd ONLY be to the "Authenticated Users" group!

Why?

Well, some things NEED the "Everyone" Group to do things, like some installs do on container level special access to files or folders (or both).

The "Everyone" group includes remote users too! The "Authenticated Users" group does not, making it ONLY accessible on files & folders (registry too) to local machine users. NO HACKERS ALLOWED from remote locales!

-------------------------------------------------------------------------------------------

K.) File System Encryptions & Compressions

Encryption is a good idea for your data if you want to secure it. Compression MIGHT help also if the attacker is coming from a system by SLIGHTLY slowing him down (granted, not much) in the decompression process!

-------------------------------------------------------------------------------------------

L.) Disabling certain accounts (like guest & anonymous logins AND RENAME THE ADMINISTRATOR)

Just smart! Again, the less keys to your house you give out... the less chance of entry is all! Just common sense! Add rights as you need to though for LANS to users on the NT/Win2k workstation so they are permitted rights as needed to files, printers, drives, & registry!

If I need to add registry or filesystem access to a group?

It'd ONLY be to the "Authenticated Users" group!

Why?

Well, some things NEED the "Everyone" Group to do things, like some installs do on container level special access to files or folders (or both).

The "Everyone" group includes remote users too! The "Authenticated Users" group does not, making it ONLY accessible on files & folders (registry too) to local machine users. NO HACKERS ALLOWED from remote locales!

-------------------------------------------------------------------------------------------

M.) Knocking out certain services (like FTP Servers, Alerter, Clipbook, Computer Browser, Fast User Switching, Human Interface Access Devices Indexing Service (Slows the hard drive down), Messenger, Net Logon (unnecessary unless networked on a Domain), Netmeeting Remote Desktop Sharing (disabled for extra security), Remote Desktop Help Session Manager (disabled for extra security), Remote Procedure Call Locator, Remote Registry (disabled for extra security), Routing & Remote Access (disabled for extra security), Server, SSDP Discovery Service (this is for the utterly pointless "Universal P'n'P", & leaves TCP Port 5000 wide open) TCP/IP NetBIOS Helper, Telnet (disabled for extra security), Universal Plug and Play Device Host, Upload Manager, Windows Time, Wireless Zero Configuration (for wireless networks), Workstation)

* Some things and setups may require some of these, so be judicious in your choices & do reseach each for any 'peculiarties' your setup may possess.

Stopping things like this is another "less keys" but more like less doors into your home to defend. If the doors are not there, they cannot get in... just simple technique! This is potentially problematic for the unexperienced, but in the bottom of this article I list a way around that thru two methods, so do not fear it & it is explained on how to check for service dependencies on one another as well as restoration of your system to defaults also!

-------------------------------------------------------------------------------------------

N.) Dropping/Stopping all the default shares like C$ etc. thru a batch file run at startup to stall anyone being able to see the drives period! (just added this tonite!)

Stopping the default share registry technique as follows (Courtesy of CDogg @ 3dfiles):

To stop the creation of the default share in the first place, fire up regedit and navigate to the key:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanManServerParameters.

Within the parameters key create a new DWORD value and name it AutoShareServer for NTServer (and 2000 server & up) or AutoShareWks for NT Workstation (and 2000 pro) and give it a value of 0. I show this above in detail! Here is another method at boot thru a logon script or batchfile:

VIA BATCHFILE COMMANDS:

NET SHARE C$ /DELETE
NET SHARE D$ /DELETE
NET SHARE ADMIN$ /DELETE
NET SHARE IPC$ /DELETE
NET SHARE DFS$ /DELETE
NET SHARE COMCFG$ /DELETE

etc.

OR just typing NET USE * /d /y should do it for ALL of them!

(etc. for all the shares you wished dropped continuing driveletters as needed. This can be tricky with some apps, so watch it. Some need IPC$ & some need ADMIN$. Stopping the Server Service stops this also additionally to take care of it all at once & not share ANY of them!)

If a drive's not shared in ANY capacity, it cannot be used... another door closed!

-------------------------------------------------------------------------------------------

O.) Additionally, using ActiveX & Java Scripting can be dangerous too in your browsers potentially... if you wish to get "hard-core military" on your security, disable them in your browser along with Cookies too! Remember though, some things MIGHT NEED this stuff, certain pages & apps, so do so if you don't require that functionality!

-------------------------------------------------------------------------------------------

P.) Stopping the Windows Scripting Host in Add-Remove programs also helps against Macro-Virii and many trojans that use it too, consider it an add-on also! Again, some apps programmed around it MIGHT need this, so do so if you DON'T do this stuff for .vbs scripting etc.!

-------------------------------------------------------------------------------------------

Q.) Stopping Macros in your apps is another avenue of prevention, borderline AntiVirus protection really, but a helpful security measure too! Do this, or use something like Norton AntiVirus which protects against this by integrating with Office apps & email programs as well! Again, some things MIGHT need macroing, if you're an advanced Word, Access, or Excel user... So consider that first if you use macroing!

-------------------------------------------------------------------------------------------

R.) Bind MS LoopBack adapter to the certain protocols, like Microsoft File & Print Sharing or also on Client for Microsoft networks if you MUST have them online!

To install the Microsoft Loopback adapter:

1. Control Panel / Add/Remove Hardware.
2. Press Add/Troubleshoot a device and press Next.
3. Press Add a new device and press Next.
4. Select No, I want to select the hardware from a list and press Next.
5. Select Network adapters and press Next.
6. Select Microsoft in the Manufacturers box.
7. Select Microsoft Loopback Adapter in the Network Adapter box.
8. Press Next.
9. Press Finish.

After the installation, you can configure its options like any other NIC & if needed ever? Change its bindings to your normal REAL nic. Saves install time and can act as security too! Also, if you do any remote IIS administration, it's wise to set the Remote Administration of it to this adapter for security according to Cereberus Security Scanner.

-------------------------------------------------------------------------------------------

S.) Disable Telnet access to your system:

If Windows 2000 detects the presence of a local TelnetClients group, users who are members of this group ONLY can get to your computer via Telnet! Local Admins can also...

To create the local TelnetClients group and add user to it:

1. Control Panel / Administrative Tools / Computer Management.
2. Expand Local Users And Groups and select Groups.
3. Press Action and New Group.
4. Type TelnetClients into Group name and enter a Description.
5. Press Add and double-click the users you wish to include.
6. Press OK.
7. Press Create.
8. Press Close

(There is this option, or you can disable the Telnet Service, completely, set it to manual or disabled & use ONLY when you need its functions!)

-------------------------------------------------------------------------------------------

T.) Get your WinXP Security Tab back in Explorer.exe to make File System security adjustments by doing this:

Control Panel/Folder Options/View, then under the advanced settings, uncheck 'Use Simple file sharing'.

(Gets back the Security Tab in XP under Explorer for files!). GOOD FOR TIP letter "K" above in Windows XP!

-------------------------------------------------------------------------------------------

U.) I use multiple "locks" on the door to my house (system) in case one gets broken... if someone COULD get into my machine (good luck, the password is MILES long & of mixed case & characters both numeric and alpha! LOL, I am guessing it would take forever even with a Cray SuperComputer to break and with LoPht tools! By that time, I'd be on another OS, lol!) more power to them because they'd be "The SUPER HACKER" I would think! But, no system is totally impenetrable... just takes time & perseverance (if not sneakiness!). But, this helps alot what is contained in these pages!

(Again, the trick is (and this can happen but not likely the longer your pwd is, and the
more mixed of case & character it is) to break the admin account password...) to bust that account, just like cracking a SuperUser/Root user on a Linux or Unix system! If done right, with length & mix of characters (and changing it periodically is recommended), it's pretty solid stuff! Enabling STRONG PASSWORD REQUIREMENTS in secpol.msc Local Policies is a good way to enforce this along with AT LEAST a 7 character password length requirement!)

-------------------------------------------------------------------------------------------

V.) LASTLY, AND VERY POTENT SPEEDUP (SECURITY TOO) USE A CUSTOM HOSTS FILE!

This can get you to sites you like the most FAST, because your own system acts as the DNS server, & that means it does not have to query your ISP's one for the sites you put in it, PLUS it can stop banner ads! That's right!

Banners are a security threat in some ways, & slow you down in their loadtime! They take up loading time (some of them, ALOT, not well coded or just TOO big). They also do something called "banner grabbing" of information on you! Here is an example from the interior of mine:

EXAMPLE HOSTS FILE WITH SPEEDUP & ALSO BANNER STOP ADDITIONS BETWEEN ASTERISKED LINES:

I can provide you a FULLY LOADED custom hosts file with TONS of ad banners servers blocked, email me! You can add your fav sites to that and REALLY fly with NO banner ads, & fastest access to your favorites sites because your own machine acts as its own DNS host! akowals1@twcny.rr.com is my email for that file. A program called "Naviscope" in version 8.70 or better, does the same PLUS tons more! Freeware too at:

www.naviscope.com

(great tool, jack of ALL trades & 'good buddy' to your browser!)

-------------------------------------------------------------------------------------------

W.) REMOVAL OF LANMAN HASHES (easily hacked, NTLMv2 is more secure... everytime a user makes a password? This old hash is STILL present & presents an opening! Here is how to stop that!)

A quote from SANS Network on Security for computers:

The problem with simply removing the LanMan hashes on the network is that the hashes are still created and stored in the SAM or the Active Directory.

Microsoft very recently made a new mechanism available for turning off the creation of the LanMan hashes altogether. On Windows 2000 systems, go to the following registry key:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa

On the Edit menu in RegEdt32 or RegEdit click Add Key… and add a key called NoLMHash. After doing this, quit the registry editor and reboot the computer. The net time a user changes his or her password, the computer will no longer create a LanMan hash at all. If this key is created on a Windows 2000 Domain Controller, the LanMan hashes will no longer be created and stored in Active Directory.

On Windows XP, the same functionality can be implemented by setting a registry value:

Hive: HKEY_LOCAL_MACHINE
Key: SystemCurrentControlSetControlLsa
Value: NoLMHash
Type: REG_DWORD
Data: 1

-------------------------------------------------------------------------------------------

X.) SECURITY POLICIES (run the secpol.msc tool &/or gpedit.msc (both do same & diff. things, see both mmc.exe snapons) for this!)

Security Policy/Local Policy/Security Options

Digitally sign client communincation (if possible) ENABLED
Digitally sign secure & encrypt secure channel data ENABLED
Digitally sign secure channel data ENABLED
Require Strong Session Key ENABLED

Do as MUCH as you can using NTLVM2, not NTLM only! Most modern cable broadband providers do this, & you can use it as I am on RoadRunner to your advantage in data sent to & from them! You will see the sections in SECURITY OPTIONS for this in the lists as you go thru them.

ALSO, play with (in secpol.msc) the encryptions on IP Local Security and Policies (last tree item)!

Edit each item in the filter tab, and put on MD5 or 3DES encryptions on each in a custom manner! Lots to do but worth it! Pay Attention to IP Filter Lists & Filter Actions, edit on each item adding MD5 &/or 3DES when you can!

Do it one by one, on ALL IP Traffic, All ICMP traffic & Dynamic as well! It's worth it adding to the ports filtrations you did above!

Enabling LOGGING of Login attempts, both successful & failed is a good measure to take as well, that is done in your secpol.msc, Local Policies, Audit Policies MMC.exe snapon.

If you do NOT disable your Guests group it is adviseable to disable access to the logs for them & any others by first applying registry level security via regedt32.exe in NT/2k menus for security permissions or using regedit.exe in XP.

Under this section:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLog

Under each logname (Security, System, & Application) after editing permissions & only letting select users alter it like your admin user, set this value, a DWORD, to 1:

RestrictGuestAccess=1

-------------------------------------------------------------------------------------------

Y.) Enable NetBT Port Blocking!

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetBTParameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="Device"
"EnableLMHOSTS"=dword:00000001
"EnablePortLocking"=dword:00000001

The last entry is the add-on, legacy from NT service packs fix that enabled this, probably works natively without patch in 2k/XP! I am using it to NO detriment thus far!

-------------------------------------------------------------------------------------------

Z.) STOPPING ANONYMOUSLY ACCESSIBLE PATHS IN YOUR MACHINE!

These are the default ones, & I removed them & rebooted & thus far? No problems... only app i have that I know of that uses them is Diskeeper for its Client-Server Computer Browser style model, so I removed them after I installed it and am online JUST FINE! Here is the default ones & their locations in the registry if you have to put them back:

That too, is in the Local Policies section & editable as well from above... in secpol.msc!

REMOTELY ACCESSIBLE REGISTRY PATHS IN SECPOL.MSC ORIGINAL ENTRIES YOU CAN REMOVE (I did, still online doing fine!!):

SystemCurrentControlSetControlProductOptions
SystemCurrentControlSetControlPrintPrinters
SystemCurrentControlSetControlServer Applications
SystemCurrentControlSetServicesEventlog
SoftwareMicrosoftOLAP Server
SoftwareMicrosoftWindows NTCurrentVersion
SystemCurrentControlSetControlContentIndex
SystemCurrentControlSetControlTerminal Server
SystemCurrentControlSetControlTerminal ServerUserConfig
SystemCurrentControlSetControlTerminal ServerDefaultUserConfiguration

* SHARES THAT CAN BE ACCESSED ANONYMOUSLY (here is another one I removed)

COMCFG
DFS$

** NAMED PIPES THAT CAN BE ACCESSED ANONYMOUSLY

COMNAP
COMNODE
SQLQUERY
SPOOLSS
LLSRPC
EPMAPPER
LOCATOR
TrkWks
TrkSvr

===========================================================================================
SPEED INCREASES SECTION:
===========================================================================================

A.) Boost IE connection limits for speed with this registry hack:

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings]
"MaxConnectionsPer1_0Server"=dword:00000050
"MaxConnectionsPerServer"=dword:00000050

-------------------------------------------------------------------------------------------

B.) CONSIDER USING RAMDRIVES FOR YOUR INTERNET BROWSER'S TEMP AREA, & CACHING AREA:

Read this site & article for how that can benefit your internet speeds!

http://www.superspeed.com/aptipandhin.html#t6

(Using a RamDrive can speed up Browsers TREMENDOUSLY, by allowing cache reaccess @ RAM speed, vs. the slower disk access of a harddisk speed (nanoseconds vs. milliseconds respectively) & also stop filesystem clutter & fragmentation due to the many files in the browser's cache on disk... at shutdown? They all go away as Ramdisk storage is volatile! READ THE ARTICLE for the plusses & minuses/caveats in this technique!)

-------------------------------------------------------------------------------------------

C.) Speedup Network Card #1 tip:

Determinet the IRQ of your network card then, reserve RAM for its use alone!

Edit the System.ini file with notepad.exe or sysedit.exe.

Find the [386enh] Section in System.ini & add Irq[n]=4096 under it,

(where [n] is IRQ # your NIC uses & add 4096 bytes as the RAM amount reserved in Kilobytes for its use as a buffering mechanism)

You can use higher #'s but this is a good amount, experiment if needed!

Exit your editor & you must reboot for this to take effect, as do all the registry hacks above! They are all system & driver initialization parameters, some of which take when you restart Tcp/IP (as it is now a plug & play driver design in 2k & XP) but not all do!

[386enh]
Irq5=4096

Whatever amount of RAM you assign here? Is less that the diskcache & apps can get to, be judicious!

(May be a "legacy" entry for Win3.x/9x, but I still include it! Much of these files are STILL useful)

-------------------------------------------------------------------------------------------

D.) Speedup Network Card #2 tip:

If on a Dual CPU/SMP system? Consider the use of IntFilter.sys for 2k/XP or intbind.sys for NT! This allows you to set DRIVER LEVEL AFFINITY on your boards driver, increasing cache locality efficiency on your machine! This also works for OTHER equipment on a dual cpu box that drives hardware & possesses interrupts control! These two drivers can be found on most internet search engines, or the Microsoft FTP Site.

-------------------------------------------------------------------------------------------

E.) Disable Tcp/IP Performance Counters using the resource kit tool, called Extensible Performance Counters (extctrlst.exe), it's a freebie from MS!

Downloadable here (this can cut them off for MANY things, speeding up the system by not making their entries & wasting cycles on this. If you need to analyze one of them, simply use this tool to turn them on again!)

http://www.microsoft.com/windows2000/library/resources/reskit/tools/existing/exctrlst-o.asp

-------------------------------------------------------------------------------------------

F.) Refer to this article for more system speedups, if the system runs fast & efficient? So will the parts of it like your networking! There alot more to get more speed & efficiency out of your Operating System there!

http://www.ntcompatible.com/article1.shtml

===========================================================================================
TROUBLESHOOTING:
===========================================================================================

A.) If for any reason, any of your services fails to start if you tune them?

Look at their properties! They will show any other services they depend on! If that does not do it? Microsoft built a VERY smart NT OS! If for instance, you cannot start Workstation or Server services after this to install say, Diskeeper?

(Diskeeper is dependent on 'named pipes' networking, & that is LanManager based I believe (memory is a junkyard, specifics on this may elude me, feel free to correct me), you should use the recovery console & use these commands:

listsvc (to show all the service names)
enable lanmanworkstation SERVICE_AUTO_START
enable lanmanserver SERVICE_AUTO_START

(should this fail, complaining of say, a deleted registry key or marked for deletion? You simply bootup, & remove Client for Microsoft Networks, File & Print Sharing Service, & Tcp/IP... reboot again, reinstall them, reboot... and your system is back to normal! Install ALL your software at this point, If you can? Ghost your machine in basic form, then redo this tuning for speed & security!)

-------------------------------------------------------------------------------------------

B.) IF YOU CANNOT REINSTALL NETWORKING, HERE IS A WAY TO GET AROUND THAT & IT WORKS GREAT:

If you did uninstall TCP/IP & cannot get it to reinstall?

Install it! Then use regedt32 to delete the following keys (and their sub-keys) out of your registry:

HKEY_LOCAL_MACHINESoftwareMicrosoftDhcpMibAgent
HKEY_LOCAL_MACHINESoftwareMicrosoftDhcpServer
HKEY_LOCAL_MACHINESoftwareMicrosoftFTPSVC
HKEY_LOCAL_MACHINESoftwareMicrosoftLPDSVC
HKEY_LOCAL_MACHINESoftwareMicrosoftNetBT
HKEY_LOCAL_MACHINESoftwareMicrosoftRFC1156Agent
HKEY_LOCAL_MACHINESoftwareMicrosoftSNMP
HKEY_LOCAL_MACHINESoftwareMicrosoftSimpTcp
HKEY_LOCAL_MACHINESoftwareMicrosoftTcpip
HKEY_LOCAL_MACHINESoftwareMicrosoftTcpipCU
HKEY_LOCAL_MACHINESoftwareMicrosoftTcpPrint
HKEY_LOCAL_MACHINESoftwareMicrosoftWins
HKEY_LOCAL_MACHINESoftwareMicrosoftWinsMibAgent
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesDHCP
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesDhcpServer
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesFTPSVC
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLmhosts
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLPDSVC
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetBT
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSimpTcp
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSNMP
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpip
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWins
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWinSock
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWinSock2
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesxParametersTcpip

is your NIC's name (lol, nicname... bad humor) and x is the number.

You may have to use Regedt32 on Security/Permissions to grant Administrators Full Control, before you burn the following keys out of the registry:

HKEY_LOCAL_MACHINESystemCurrentControlSetEnumRootLegacy_DHCP
HKEY_LOCAL_MACHINESystemCurrentControlSetEnumRootLegacy_Lmhosts
HKEY_LOCAL_MACHINESystemCurrentControlSetEnumRootLegacy_LPDSVC
HKEY_LOCAL_MACHINESystemCurrentControlSetEnumRootLegacy_NetBT
HKEY_LOCAL_MACHINESystemCurrentControlSetEnumRootLegacy_TCPIP
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesLanManServerLinkageBind
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesLanManWorkstationLinkageBind

REBOOT the computer. You should be able to install TCP/IP after this.

AND IMPORTANT: DO NOT forget to reinstall the latest Service Pack, after the TCP/IP install/delete/reinstall.

-------------------------------------------------------------------------------------------

TCP/IP dialog isn't useable &/or DHCP errors out with 2140, the Fix:

If there's a registry key conflict this happens, & to solve it follow these steps:

1. Control Panel/Network/Protocols/TCP/IP/Remove and press Yes.
2. Press Yes to reboot the computer.
3. Re-install the latest Service Pack.
4. Remove keys in the registry as described above.
5. Reboot the computer.
6. ControlPanel/Network/Protocols/Add.
7. Choose TCP/IP & press OK.
8. Click Yes to dynamically assign an IP address or No to assign it manually.
9. Click!
10. Close all apps & click Yes to reboot the computer.
11. Re-install the latest Service Pack.
12. Reconfigure TCP/IP now.

-------------------------------------------------------------------------------------------

If you ever see a slow network? Here are some things to look over:

A. NIC's running full throttle?

Check & see if the cards' BIOS's are configured right. 3Com's come with a utility called 3c90xcfg that allow you to change many settings. Make sure everything is right & maxed out. (Full duplex, ect...)

B. Hubs or switches?

Hubs put all the machines attached on same collision & broadcast domain. This causes severely reduced performances because the increased traffic on the segment in question. (Switches isolate each node on the segment as if they had a dedicated connection to the router. Switches totally break up the broadcast and collision domain structures.)

C. Broadcasting any unnecessary protocols?

Netadmins will many times enable TOO many protocols for their network(s). NetBEUI &d TCP/IP for instance. Use one or the other, not both. BUT, if you use TCP/IP, the best one I feel, then you need a WINS server. This is needed if you have nodes across multiple subnets in your organizations LAN topology!

D. Do you analyze your network utilization?

You find this using a network analyzer program, like the one that comes with NT server. It's limited because unless you are multihomed (multiple adapters on multiple subnets), you won't be able to see other subnets on your LAN/WAN.

E. Are my NIC's working properly?

A malfuctioning NIC can bring entire networks down to performing REALLY badly! So run diagnostic/analysis programs on your NICs.

F. Network settings setup right?

MTU is a BIG one! It's how large packets are on the network you're attached to! The Maxiumum Transmission Unit (MTU) usually is around 1450-1500 for ethernet networks (see PING -f -l [size of packets] [yourISPserver] tip above to tune this yourself manually to perfection!)

* Use of switches is also recommended if you MUST have a lan... better than hubs, less collision of packets!

-------------------------------------------------------------------------------------

Well, that's it folks! Enjoy a faster & safer/more secure internet experience online!

* Believe me, you speed up & can see it using it, and also make your connection WAY more secure against SYN attacks & ICMP attacks as well as a bonus!

Works with BOTH NT 3.5x-4/2000/XP & also in conjunction with firewalling softwares like XP's native one, ZoneAlarm, & BlackIce as well as combining it with a LinkSys DSL/CableModem NAT 'firewalling' router!

All of them in combination also at once too (NAT Firewall, Software Firewall of some type, + IP Ports Filtrations)...

Pure redundancy, and safe is the reason I use all that stuff enumerated above! Think of it as a door with chainlocks, deadbolts, normal locks, and more on it JUST IN CASE! I'm NOT going to make it easy to bust into my work is all... I hope you all feel the same & understand why I put together this list!

(I do that here, works great, no forwarding of IP required either!)

*

APK

P.S.=> Enjoy a FASTER connection PLUS a more secure one following these tips! If you have add ons to this?? Email me with them, or corrections & caveats for STANDALONE systems like most folks have at home... I will credit you in this article! Thank-You! apk

Neowin.net