
HOW TO SECURE Windows 2000/XP/Server 2003 & EVEN Vista in 12 steps


APK    0

HOW TO ACHIEVE 85.xxx (or, better) CIS TOOL scores for Windows users via the APK "12 step program" 4 a secure Windows NT-based OS (2000/XP/Server 2003/VISTA)

INTRODUCTION:

Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - new holes/vulnerabilities appear in the OS & its libs + apps, but this gets you closer, if not as close as a body needs to be!).

THIS IS GEARED TO "stand-alone" systems online on the internet (However - it can be adapted for LAN/WAN office or home networked environs, BUT, pay attention to step #2's 'warnings' about pulling Client For Microsoft Networks, &/or File & printer sharing - most networks require/need this)

BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:

Here I am running Windows Server 2003 SP #2, fully patched & current via the MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):

http://www.microsoft.com/downloads/Browse....rder=descending

It is a personally 'security-hardened' model I have been working on for many years, using principles I learned & used since the NT 3.5x days onward to this version of the OS: As is now?

I score an 85.760 on the CIS Tool 1.x currently as of 10/10/2007!

[attached screenshot: CIS Tool 1.x score]

This is up from my past score here of 76.xxx on it (default score I had prior to this security hardening via CIS TOOL & its advisements & past the 84.735 I initially hardened it up to, & later 85.185 as well), & here is how to do it!

Currently, I can go NO higher than this score of 85.760 (of 100 total) on CIS Tool 1.x for Windows, pictured here (photo proof/pictures DO say, a 1,000 words (like this post, lol)) & even IF I could get past the few areas I know are wrong (the test errs, as it does on some areas in LINUX as well), I cannot get past 88% or so, period!

============================================================================

HERE ARE LINUX SCORES FROM CIS TOOL (SuSE Enterprise Linux under VMWare):

============================================================================

HARDENED LINUX:

[attached screenshot: hardened Linux CIS Tool score]

DEFAULT LINUX:

[attached screenshot: default Linux CIS Tool score]

(It appears that LINUX has FAR FEWER TESTS, when compared to the SIZE of the Windows tests, & Linux CAN reach 90++ scores (but there is an error in CIS TOOL preventing myself from going to a higher than 85.760 score & I have submitted the data to CIS TOOL's authors on that account WITH PROOFS, and even if I could get the few areas I am scored down on still, it would not add to past 88% or so... bug, bigtime, do the math from my score & see))

============================================================================

BUT, that is a GOOD score (especially considering the default score of VISTA even, is FAR BELOW THAT! Nice part is? The techniques noted here can LARGELY APPLY TO VISTA AS WELL! Read on...)

(For CIS Tool - There are Linux, Solaris, BSD variants, & other OS models ports (some only in .pdf security guide form though, not programmatically automated yet, like MacOS X) of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)

DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:

http://www.cisecurity.org/bench.html

(IMPORTANT: This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!)

APK

P.S.=> Now that the "introductory material" (tools to use, how/why, results possible, etc. et al) has been put down, here we go to the actual "meat" of the subject in my next post(s). Also - IF you have more to add to this, OR critique of my points? Please - have @ it & let 'em rip (we ALL can gain by it)... thanks! apk

APK 12 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):

1.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP, & you have to install it, it does NOT install by default) to help secure it (SCW = Security Configuration Wizard, & it's pretty damn good believe-it-or-not (@ least, as a starting point))...

Directions for its installation are as follows:

Start the Add or Remove Programs Control Panel applet.

Click Add/Remove Windows Components.

On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

DONE! Now, run it...

It is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

ALSO, per TPU forums user (username "xvi") @ techpowerup.com forums (software section): Use Microsoft Baseline Security Advisor, a free download from Microsoft as well to check your system for security holes, patch updates, etc. (be wary of the fact it does require various services running though, iirc, Terminal Server Services Client - I do NOT keep that running here anymore, & this program failed on me because of that (would not initialize @ all))

---------------------------------------------------------------------------------------------------

2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)!

E.G.-> Here? I pull ANY Networking clients &/or Protocols in the Local Area Connection, other than Tcp/IP typically (& disable NetBIOS over Tcp/IP as well if you don't have a HOME or WORK LAN, because I don't need it here - these depend on ports 135/137/139/445, & that is for port filtering below as a reference IF you maintain a home LAN/home network), on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN. I disable that too!

Stopping the SERVER service in services.msc also is another layer you can apply here (and, save CPU/Memory & other forms of I/O by NOT running it, bonus) because it stops the C$ default hidden administrative share as well. Not recommended though, IF you have a HOME LAN (or, business one).

---------------------------------------------------------------------------------------------------

3.) Use IP security policies (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:

http://www.analogx.com/contents/articles/ipsec.htm

(Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)

NOTE: This can be 'troublesome' though, for folks that run filesharing clients though.

An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.

(HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it & when done? TURN THEM ON, AGAIN! These work WITH software & hardware router firewalls, IP port filtering, and security IP policies, simultaneously/concurrently, for "layered security", no hassles!).

---------------------------------------------------------------------------------------------------

4.) USE General security policies (in gpedit.msc/secpol.msc), these are VALUABLE tools (and will be needed & suggestions for it will be told to you by the CIS Tool noted above - great stuff!) and regedit.exe!

(Newly added - regedit.exe use is for registry ACL permissions, via its EDIT menu, PERMISSIONS submenu item (to add/remove users that have rights to registry hives/values, & to establish their rights levels therein))

ALSO NEWLY ADDED - Explorer.exe "right-click" on drive letters/folders/files (for file access ACL permissions hardening) using its popup menu selection of "PROPERTIES", & in the next screen, the SECURITY tab (to add/remove users that have rights to said items, & to establish their rights levels therein), also - this is another requirement of CIS Tool 1.x & its suggestions for better security.

---------------------------------------------------------------------------------------------------

5.) HARDENING & SECURING SERVICES HOW-TO:

Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE). I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privilege user too for this on 2000 if needed)...

I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

LOCAL SERVICE startable list (vs. LocalSystem Logon Default):

Acronis Scheduler 2 Service

Alerter (needs Workstation Service Running)

COM+ System Application

GHOST

Indexing Service

NVIDIA Display Driver Service

Office Source Engine

O&O Clever Cache

Remote Registry

Sandra Service

Sandra Data Service

SmartCard

Tcp/IP NetBIOS Helper

Telnet

UserProfile Hive Cleanup Service

Volume Shadowing Service

Windows UserMode Drivers

Windows Image Acquisition

WinHTTP Proxy AutoDiscovery Service

NETWORK SERVICE startable list (vs. LocalSystem Logon Default):

ASP.NET State Service

Application Layer Gateway

Clipbook (needs Network DDE & Network DDE DSDM)

Microsoft Shadow Copy Provider

Executive Software Undelete

DNS Client

DHCP Client

Error Reporting

FileZilla Server

Machine Debug Manager

Merger

NetMeeting Remote Desktop Sharing Service

Network DDE

Network DDE DSDM

PDEngine (Raxco PerfectDisk)

Performance Logs & Alerts

RPC

Remote Desktop Help Session Manager Service

Remote Packet Capture Protocol v.0 (experimental MS service)

Resultant Set of Policies Provider

SAV Roam

Symantec LiveUpdate

Visual Studio 2005 Remote Debug

PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SIDs as far as I know, not standard passwords.

WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

If that fails (shouldn't, but IF it does)? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

ListSvc (shows services & drivers states of stopped or started)

Enable (starts up a service &/or driver)

Disable (stops a service &/or driver)

Which can turn them back on if/when needed

(ON Virtual Disk Service being removed, specifically (because it used to be in this list)): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this - do consider it, when possible! Many guides online exist for this, & I authored one of the first "back in the day" for NTCompatible.com as "Article #1" back in 1997-1998 - the latest ones are even BETTER!

SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

http://forums.techpowerup.com/showthread.php?t=16097

"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use its File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

(It's easy, & it works, & is necessary for the actual steps to do this, below)

Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

(To define a new security template, follow these steps)

1. In the console tree, expand Security Templates

2. Right-click %SystemRoot%\Security\Templates, and then click New Template

3. In the Template name box, type a name for the new template.

(If you want, you can type a description in the Description box, and then click OK)

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

1. To define a System Services policy, follow these steps:

a. Expand System Services

b. In the right pane, double-click the service that you want to configure

c. Specify the options that you want, and then click OK.

(And, of course, the user feedback on its effectiveness (Makes your Win32 NT-based OS very much like how MacOS X treats its daemon processes via privilege levels), which uses the same general principles)

It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

DONE!

---------------------------------------------------------------------------------------------------

6.) Another thing I do for securing a Windows NT-based OS: IP Port Filtrations (like ip security policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IPSecurity policies, hardware AND software firewalls, all in combination/simultaneously running)!

DIRECTIONS ON HOW TO IMPLEMENT THEM (very easy):

Start Menu -> Connect To item (on the right hand side) -> Local Area Connection (whatever you called it, this is the default, iirc): open it via double click OR the right-click popup menu PROPERTIES item.

Press/click the Properties button on the left-hand side bottom.

NEXT SCREEN (Local Area Connection PROPERTIES): under "This connection uses the following items", go down the list to Tcp/IP, select it & click the PROPERTIES button there.

Press/click the Advanced button @ the bottom right-hand side (shows the Advanced Tcp/IP Settings screen).

OPTIONS tab: Tcp/IP Filtering is in the list, highlight/select it.

Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side.

Check the "Enable Tcp/IP Filtering (on all adapters)" selection.

In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp).

In the far left "tcp ports" list, check off the radio button above the list titled "PERMIT ONLY", & then add the ports you want to have open (all others will be filtered out; for example, I leave ports 80, 8080, & 443 open here, only - you may need more if you run mail servers & what-have-you (this varies by application)).

I leave the UDP section "PERMIT ALL" because of the ephemeral/short-lived port usage that Windows does (I have never successfully filtered this properly but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)).

DONE!

For a LAN/network, your HOSTS file will need to have this entry (default one) in it also:

127.0.0.1 localhost

That's located under %windir%\system32\drivers\etc & can be edited with notepad.exe easily. More on that later, because it too can be used for security (AND, to speedup your online experience as well).

AND, you will have to leave ports 135/137/139/445 in your TCP lists in this section, IF you maintain a home LAN (or, even a business one, & you apply this technique, in the use of port filtrations).

Also - you may need even more ports open in YOUR personal lists, if you run: e.g.-> mail servers, various games, & what-have-you (this varies by application)!

You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA? This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

http://www.microsoft.com/technet/community...guy/cg0605.mspx

(In THAT url above? Trust me - Enjoy the read, it is VERY informative: That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

---------------------------------------------------------------------------------------------------

7.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person & even THEN, scan it with an antivirus (still gets email scanned though by your resident antivirus email scan component (use AntiVirus programs with these, OR, manually scan ANY attachments before opening them (if you get Microsoft Office .doc, .xls, .ppt etc. files uncompressed? HOLD DOWN THE SHIFT KEY AS YOU OPEN THEM - this stops macros from running & macros are the avenue utilized using VBA script to infect you))

---------------------------------------------------------------------------------------------------

8.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router (with cookie & scripting filtering built-in @ the hardware level), these are excellent investments for security.

---------------------------------------------------------------------------------------------------

9.) USE Tons of security & speed oriented registry hacks (reconfiguring the OS basically - stuff like you might do in etc / conf in UNIX/LINUX I suppose)

Download them from here @ SOFTPEDIA (where they are rated 4/5):

http://www.softpedia.com/get/Tweak/System-...up-Guides.shtml

OR, just email me here for them -> apk4776239@hotmail.com

(The email option's the best, because I also have these PREBUILT, in .reg files, mind you, available by email, BUT, the ones I can mail ARE FULLY INTERNALLY DOCUMENTED!)

They are FULLY documented internally, with link URLs to the Microsoft pages they came from, inside the .reg files, so YOU can look at what the hack does inside them, verify this @ MS, & know what the valid parameters are as well!

(This? It took me FOREVER a year or so ago to do this, but worth it!)

The URLs, or downloadable .mht files, outline it all (as do my prebuilt .reg files, probably the BEST choice of the lot imo), as to what you can ".reg file hack" for better SPEED, and SECURITY online, in a modern Windows 2000/XP/Server 2003 OS & has references from Microsoft in it for each setting plus their definitions & parameters possible!

---------------------------------------------------------------------------------------------------

10.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE (my personal one houses, as of this date, 90,000 known adbanner servers, OR sites known to bear malicious code & exploits (per GOOGLE mostly, from stopbadware.org))

Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filtering files + cascading style sheets for this purpose.

(As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))

For a copy of mine, write me, here -> apk4776239@hotmail.com

And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)

OR, JUST DOWNLOAD IT HERE:

http://forums1.techpowerup.com/attachment....mp;d=1172567412

An example of WHY you'd want to use one of these for security's sake? Read here:

http://forums.techpowerup.com/showthread.php?t=25937

---------------------------------------------------------------------------------------------------

11.) KEEP UP ON PATCHES FROM MICROSOFT, for your OS & Microsoft Office Apps, & IE, etc., HERE (ordered by release date) and run AntiVirus/AntiSpyware/AntiRootkit tools (& yes, keep them updated/current)!

http://www.microsoft.com/downloads/Browse....rder=descending

Again, keep up on antivirus/antispyware/antirootkit AND Java runtimes updates!

(Done either automatically via their services, or manually)

Download them manually & install them yourself (OR just let "Windows Automatic Updates" run)

ALSO - do the use of the "std. security stuff", like:

AntiVirus Programs (NOD32 latest 2.7x - best one there is, & that is not only MY opinion after testing it vs. my former fav. NAV Corporate 10.2 (it is lighter in RAM & resource uses than NAV Corporate even, finds more viruses than others, & uses less "moving parts" (in the way of services componentry, than most do, & certainly less than NAV))

Proof? See here -> http://www.eset.com/products/compare.php

+

SpyBot (Ad-Aware is another option) as my resident antispyware tool running in the background!

This tool in SPYBOT also installs & runs PERFECTLY in safemode (combined with ComboFix &/or SmitfraudFix, you can "burn out" just about ANY spyware/malware infestation in 30-60 minutes, depending on level of infection, speed of your disks/CPU/RAM, & amount of files on your disks - A good antivirus (See NOD32 above, best there is on speed/efficiency, resource consumption, & accuracy) alongside it plus vendor specialized "removal tools" is all a body needs (mostly) when infected.

AntiRootkit tools are another one to be conscious of nowadays, now that such machinations are available for Windows (they originated, afaik, in the UNIX world though).

The "best ones" (AntiRootkit scanners) & their download URL links are:

AVG AntiRootkit

BitDefender AntiRootkit

GMER

Rootkit Revealer

PrevX AntiRootkit

Rootkit Hook Analyzer

Sophos AntiRootkit

F-Secure Blacklight

Gromozon Rootkit Removal Tool

KLister

McAfee Rootkit Detective

PatchFinder

RogueRemover

VICE

System Virginity Verifier for Windows 2000/XP/2003

That is a list for you all to choose from, look them up on GOOGLE to download them from their homepages, as they all do a decent enough job though, & are 100% FREE - SO, DO use them!

---------------------------------------------------------------------------------------------------

12.) It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE IE 7 Protected Mode"-like type scenario, isolating them into their own spaces in memory, here are 2 methods, how (not needed on VISTA though, afaik):

IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":

http://it.slashdot.org/comments.pl?sid=236...mp;cid=19310513

MY METHOD for RUNNING IE in a "runas limited user class" sandbox effect:

"It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.

Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd" on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batchfile c:\windows\ie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from your normal desktop and only run it from the restricted account. This way you can use IE without worrying about any IE exploits"

OTHER, VERY QUITE POSSIBLY SUPERIOR METHOD:

http://theinvisiblethings.blogspot.com/200...-every-day.html

See section: Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root, avoiding being a child process.

Note - The "invisible thing"? She's "Yuriko DeathStrike" as far as I am concerned... Joanna Rutkowska, my fellow "Polish Person" & she's a regular "wonder" in the security/hacking/cracking world!

This is my runopera.bat which runs opera as user internet:

psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"

PLUS, Windows Server 2003 has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)

A USER SUGGESTED ADDON TO AUTOMATE THIS STUFF ON ISOLATION OF IE:

(Per "OILY 17" (TPU forums user) suggestion, to aid in automating this (a tool)):

http://forums1.techpowerup.com/showthread....0284#post500284

"For running IE, Firefox etc. as a throwaway account, has anyone tried this app out yet? Recently came across it, but have not tried it out yet.

Anyone any views?

http://www.sandboxie.com/

As the name suggests runs IE etc in a sand box effect."

Thanks oily (apk)

============================================================================

AN IMPORTANT POINT:

STOP JAVASCRIPT USAGE IN YOUR BROWSERS (along with ActiveX & JAVA) On the PUBLIC internet, PERIOD!

Why? Well, read on:

Fact is, that today? Well... Javascript's dangerous & can be used AGAINST you, as well as help you... it truly is, or can be, a 'double-edged sword'...

(For example - if you follow security related news, you will see that JavaScript is the key avenue being used against you in today's attacks (even thru adbanners!)). Some examples:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick

&

http://apcmag.com/5382/microsoft_apologise...re_to_customers

If you MUST use Javascript (for instance, on a particular site like banking or shopping oriented ones)?

Try "NoScript" (the .xpi addon for FireFox/Mozilla/NetScape 9 etc.) & let it let YOU decide sites to use it on, & then DISABLE JAVA/JAVASCRIPT globally...

(& if you use IE, trying to do the same can be a nightmare (as IE will "nag you to death" if you turn off javascript on sites that use it)).

Opera has similar functionality, ALBEIT, built into it by default as a NATIVE tool!

I.E.-> The ability to GLOBALLY block scripting tools like Javascript, BUT... to also allow it for sites you MUST use it on as exceptions to the GLOBAL rule set in Tools, Preferences menus it has on its menubar.

Opera has the NATIVE BUILT IN ABILITY to allow you to use it on sites you visit IF you must, via rightclicks on the page & "EDIT SITE PREFERENCES" popup menu submenu item that appears.

Either way? It works, & I STRONGLY recommend this. I also recommend Opera for these reasons (fewer security holes period, & the 1 it had yesterday? Patched yesterday too... fast!)

=====

SECUNIA DATA ON BROWSER SECURITY (dated 11/20/2007):

=====

Opera 9.24 security advisories @ SECUNIA (0% unpatched):

http://secunia.com/product/10615/?task=advisories

----

Netscape 9.0.0.3 (0% unpatched)

http://secunia.com/product/14690/

----

FireFox 2.0.0.9 security advisories @ SECUNIA (29% unpatched):

http://secunia.com/product/12434/

----

IE 7 (latest cumulative update from MS) security advisories @ SECUNIA (37% unpatched):

http://secunia.com/product/12366/

----

Those %'s are the latest for FireFox 2.0.0.9, Netscape 9.0.0.3, IE7 after last "patch Tuesday" from MS with the "CUMULATIVE IE UPDATES" they have (see the security downloads URL I post in the 12 steps above to secure yourself), & Opera 9.24... all latest/greatest models.

So, as you can see?

Well, NOT ONLY IS OPERA MORE SECURE/BEARING LESS SECURITY VULNERABILITIES?

It's faster too, on just about ANYTHING a browser does, & is probably the MOST standards compliant browser under the sun (not counting HTML dev tools). This is borne out in these tests:

http://www.howtocreate.co.uk/browserSpeed.html

AND, yes others (most recently in Javascript parsing speeds, oddly enough, lol... given the topic of my post here that is), right here:

http://nontroppo.org/timer/kestrel_tests/

Opera's just more std.'s compliant, faster, & more secure than the others... so, "where do you want to go today?"...

ALSO - HOW TO SET THE "KILL BIT" ON ACTIVEX CONTROLS:

(I.E.-> This is how to stop an ActiveX control from running in Internet Explorer)

http://support.microsoft.com/kb/240797

In case you have "problematic" or security vulnerable ActiveX controls, per this RealPlayer example thereof:

http://service.real.com/realplayer/securit...1007_player/en/

APK

P.S.=> Yes, it's LONG, & takes about 1-3 hours to do & test, but worth it... enjoy guys, & IF you have more to add or valid critique? Please do so, thanks... apk
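Added example (mine, not code from APK's post or from Microsoft): the kill-bit procedure the KB240797 link above describes, written as a PowerShell function so it can be applied and checked without hand-editing the registry. It relies only on the registry layout that article documents (a subkey named after the control's CLSID under `ActiveX Compatibility`, with the DWORD `Compatibility Flags` set to 0x400). The CLSID in the usage call is a placeholder, not any real control's identifier; substitute the one from the vendor advisory you are acting on. Run it from an elevated prompt on a 64-bit system so both registry views are covered.

```powershell
# Added example, not part of the original post.
# Sets and verifies the Internet Explorer "kill bit" for an ActiveX control,
# per the registry layout documented in Microsoft KB240797.

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid,          # braced GUID, e.g. '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
        [switch]$WhatIf
    )

    # Refuse anything that is not a braced GUID so a typo cannot create a junk key.
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a braced GUID: $Clsid"
    }

    # KB240797: the control's CLSID becomes a subkey here and the DWORD
    # "Compatibility Flags" = 0x400 tells IE never to instantiate it.
    $bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    # On 64-bit Windows the 32-bit IE reads the Wow6432Node view, so cover it too.
    $wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    if (Test-Path $wow) { $bases += $wow }

    foreach ($base in $bases) {
        $key = Join-Path $base $Clsid
        if ($WhatIf) { Write-Host "Would set kill bit at $key"; continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in rather than overwrite, so other flag bits already set survive.
        $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = ([int]$existing) -bor 0x400
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    # Reads the native view back and reports whether bit 0x400 is set.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags) -band 0x400) -eq 0x400
}

# Usage (placeholder CLSID, not a real control; run as Administrator):
#   Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
#   Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
#   Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

The check function exists because a kill bit only helps if it actually landed: verify after setting, and re-verify after the vendor's patch, since some installers recreate their control's compatibility key.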

Evolution    16

Could you redo the post? You're actually not very clear with your words, and the organization of content is very annoying.

APK    0
Could you redo the post? You're actually not very clear with your words, and the organization of content is very annoying.

I did it on SOME forums, using each numbered point, in its OWN post... I just did not do it that way here, sorry!

("Ya can't please EVERYONE, all of the time", etc. et al).

BUT... we try!

APK

P.S.=> In any event - I hope you find it useful for securing yourselves: Windows is no longer 'safe' from ROOTKITS (originally found on *NIX variants), & I know this from my job daily - doing what is above, combined with a 'pinch of common sense' as far as downloads/emails etc.? This, in theory, SHOULD "proof one" vs. those threats (since malware nowadays is coming equipped with ROOTKIT technology in it more & more)... apk

APK    0
Could you redo the post? You're actually not very clear with your words, and the organization of content is very annoying.

Example of what YOU personally may find easier to deal with from another forum (as to the amount & clutter that comes with the package on a topic of this nature & potential complexity):

http://www.pctools.com/forum/showthread.php?t=49705

* :)

APK

P.S.=> Would that be a BETTER way to do it you think? Thanks for feedback... apk

Colin-uk    134

moved here

very nice guide :)

meeda    0

I couldn't really understand some parts due to your wording, but some links were good, like the softpedia one.

APK    0
moved here

very nice guide :)

Excellent - I am glad you like it, and I hope it helps (especially in today's virus/spyware/trojan/malware (& probably, soon to be rootkit) infested online world (& especially for Windows)).

APK

Janitor    0

Um it's quite easy. Get a hardware firewall, a decent anti-virus and don't be a muppet. Works for me.

APK    0
Um it's quite easy. Get a hardware firewall, a decent anti-virus and don't be a muppet. Works for me.

Well, that'll work, to an extent (common-sense above all else though - mainly about email attachments, files you download & install, & the webbrowser you use & sites you visit of course, + Java/JavaScript & ActiveX/ActiveScripting that browsers CAN allow).

Still, each day on the job? I have to "Bail out" @ least 5 folks a day successfully from things like virus/spyware/trojans/malwares in general etc. et al, & they put in place the things you do (some, not all) & STILL get "hit".

The list above, helps in that case. Take a peek @ it, & see why... there are things noted in it that can "slip thru" the defenses you mention, & folks everyday show this to me @ work.

APK

thunderstruck88    0

well those registry files are from 2002. wtf

APK    0
well those registry files are from 2002. wtf

Which ones are those? If you mean the ones that are downloadable from SOFTPEDIA, then yes... but, they will still work on Windows 2000/XP/Server 2003 & probably/most likely, VISTA as well (although they MAY lack the TCPChimney stuff that VISTA & Windows Server 2003 SP #2 & RC2 have).

APK

thunderrooster    0

I was looking over it and it seemed interesting till I got to the part where you said NOD32 was the best. There is no such a thing as the best antivirus product. AVG has a better detection rate this time than NOD32. What defines what AV product is the best, detection rates? Well, you better get ready to buy a new AV every month. How about cleaning or scan speed or ease of use, the list goes on. I can test and have different results than you did. You go by your experience when you buy an AV. If you are into detection rates and detection rates make that product the best, look at some real legit test scores here: AV-Comparatives. "The NOD32 is the best AV product" threw me off, what a joke.

APK    0
How about cleaning or scan speed or ease of use the list goes on. I can test and have different results than you did.

Speed of scanning appears to be in favor of NOD32, & I mention below, why (& if you code @ all, you will most likely agree on that point I would guess: ASM code is not the "end all, be all" & it's NOT a substitute for an efficient algorithm, but it helps, even over today's excellent optimizing compilers (especially C/C++ ones, & Delphi, for speed of code))... & above all else?

http://www.eset.com/products/compare.php

Those are NOT "my results", they are ones done by parties noted @ the ESET homepage, in the URL above.

HOWEVER - as noted above, in my init. posting, I did my own tests!

NOD32 2.7, vs. Norton/Symantec Corporate Edition 10.2 (my former fav) & NOD32 just eats less RAM, & uses FAR fewer "moving parts" (drivers & services + GUI). More on this later, but I had to note this, first (hence, why I quoted you "out of order" here on this one).

I was looking over it and it seemed interesting till I got to the part where you said NOD32 was the best.

Well, I hope you did not "just stop" there... there is quite a bit more you might also find, interesting (and, useful in a practical capacity for security).

Above all else - I am GLAD you found it interesting... I also hope you found it useful, @ least in SOME capacity for your own security.

There is no such a thing as the best antivirus product.

Agreed - I note above, for example, that to rid yourself of spyware, I usually use a combination of 3 tools, because of the reasoning you state (combofix, smitfraudfix, & SpyBot 1.5x).

None of them, catches them "all", or removes ALL of them, in their entirety.

Same with AntiVirus products (hence, why specialized removal tools exist, because sometimes, you have to "kill" these things prior to explorer.exe/winlogon.exe running, ala the UserInit area of the registry for instance as 1 example. Sometimes, Recovery Console's your pal too here, as well as other methods.)

Quibbling semantics: I just judged by what was shown me, not only on ESET's homepage (as a SINGLE example only, not the ultimate authority by ANY means, but, a valid one), but also @ spots like av-comparatives.org (over time, when I last looked @ it in 2006 regarding THEIR tests, which like any, CAN be "countered" as you are attempting on ESET's results - "touche", but this tactic of yours, works BOTH ways)...

Lastly, I DID do my own tests I ran over @ techpowerup.com (noted above in fact, which was done because I was a HUGE fan of Symantec/Norton Corporate Client version 10.2 & another user there clued me into NOD32... & he was correct. He told me it ate less resources, & was faster, AND back in 2006 when we ran the tests, it was truth.)

I still am a HUGE fan of it, mainly because of its efficiency, speed, & accuracy, COMBINED! NOD32 seems to present one HELL of an "optimal" balanced solution, on all fronts noted.

(And, also because it is largely coded in pure Assembler language (which, when the time is taken to create Win32 Portable .exe files using Assembler code (or, macro asm), does show a difference in performance - even over Delphi & C/C++, which the former is still my fav. tool to use for code creation (Delphi 7))).

The reason this appeals to me so much, is that I value performance out of a system, & a "sad fact" of having to use antivirus products is that they DO slow you down (layered filtering drivers & such cause a "speed hit" when you touch files & it intercepts those & scans the file, "on-the-fly").

AVG has a better detection rate this time than NOD32. What defines what av product is the best detection rates?, well you better get ready to buy a new av every month.

Agreed - it changes, but from what I have seen over time @ ESET's site, & av-comparatives.org, & my own tests even... well, it appears NOD32 does a consistently GOOD job.

You go by your experience when you buy a av. If you are into detection rates and detection rates makes that product the best look at some real legit test scores here AV-Comparatives

I take it you take them @ that site as "the word of GOD", correct? Personally, I do not. I consider it a credible & valid source, but not the ultimate authority. There truly isn't one, because virus/spyware/trojans (malware in general) keeps evolving. I know, I have to deal in it, everyday, & stopping it.

So again - by that reasoning which you are employing, what makes the sources ESET used, any less than the one YOU cite now? Again, per the above?? "Touche", that works BOTH ways.

That said, anyone here reading is free to try it & compare it to others, as I have, & to make their own judgements based on their experiences comparing... this truly is, the best method, & one I did myself, as noted above.

To each his own. Point today, imo @ least? Is @ least have an antivirus product (& antispyware + firewall) for STARTERS, but don't fully depend on them alone.

I can only put out what I did, citing the sources I noted, & yes, my own experience (based on 15 yrs. as a pro in this field, ranging from field tech, to network engineer, to network admin, to programmer, to software engineer & yes, tests of this product vs. another superior one in NAV corporate edition... however, I'll admit, AVG is very good, & one I like as well - just not as much as NOD32 presently).

That is not the point of this though, the point is to put out information others can use to secure themselves better than the defaults provided by the OS itself, & also products like AntiVirus &/or AntiSpyware programs + firewalls.

Rootkit technology isn't just coming (originating LONG ago in the *NIX world actually), it's here & various spyware/malware/trojans & viruses are incorporating it...

This guide above SHOULD, in theory @ least, stop folks from contracting THOSE (once you get one of those, typically, it's "reformat & reinstall time", 'repave' being the 'recommended option').

Right now though? The LARGER threat, imo @ least, is NOT 'typical viruses', it's more in the spyware front (just what I see on the job daily - a LOT more spyware infections, vs. those from std. viruses).

APK

P.S.=> @ least your critique has some bearing & some valid points, so it's "cool" & all that. Keep them coming guys... it makes this list, stronger... apk

thunderrooster    0

When writing up a how-to it is not a good plan to say one product is the best, and that is what you did. When writing a how-to you should say that it is your opinion or from your experience; there is no proof that NOD32 is the best, nor is there proof that any other product is the best. Yes, I did just stop there, cause anyone that would make such a statement is obviously biased, and I know of no one that knows what they are talking about who would ever say such a statement. If they thought a certain product was the best they would say in their opinion it was. It is impossible to prove one product is the best. I suggest you rewrite your how-to, cause I am not the only person that would lose interest in your how-to with a statement like that.

thunderstruck88    0
When writing up a how-to it is not a good plan to say one product is the best, and that is what you did. When writing a how-to you should say that it is your opinion or from your experience; there is no proof that NOD32 is the best, nor is there proof that any other product is the best. Yes, I did just stop there, cause anyone that would make such a statement is obviously biased, and I know of no one that knows what they are talking about who would ever say such a statement. If they thought a certain product was the best they would say in their opinion it was. It is impossible to prove one product is the best. I suggest you rewrite your how-to, cause I am not the only person that would lose interest in your how-to with a statement like that.

i think thats ridiculous.

hell, if we keep going by your line of thought we might as well stop using words like best entirely, just so that it's sufficiently politically correct for the extra touchy folk out there.

no one is ever going to come up with a nice bullet point comparative in this forum, just to please (your?) ideals. that kinda stuff is what review sites are for, i think it's pretty pretentious to expect such a thing from a guide around these parts, even more pretentious to dismiss the whole guide because of it.

nod32 being the best antivirus is just common sense. and if that doesn't do it for you i'm sure you'll find a zillion non-sponsored articles proving the same exact thing. me or anyone else fetching one of said articles is just feeding the troll.

APK    0
When writing up a how to it is not a good plan to say one product is the best and that is what you did. When writing a how to you should say that is your opinion or from your experience there is no proof that NOD32 is the best nor is there proof that any other product is the best.

Your argument fell apart the second you attempted to put up others' evidences, such as av-comparatives, vs. those on the page ESET has!

E.G.=> I asked 1 question, you failed to answer, & that is:

"What makes av-comparatives "the ultimate authority" here, vs. what ESET put out?"

Answer that please...

Yes I did just stop there cause anyone that would make a such a statement is obviously biased and I know of no one that knows that they are talking about would ever say such a statement.

Is THIS the "best" you have to offer here? Answer my question above.

While you're @ it, are you stating what is in the init. post above is invalid, & that the points above in their entirety do not work for better security for a Windows NT-based OS user (2000/XP/Server 2003 & VISTA)?

(Answer that as well...)

If they thought a certain product was the best they would say in their opinion it was. It is impossible to prove one product is the best.

LOL, conversely/again: Can YOU prove that it's not & on ALL the levels noted?

I have quite the body of evidence above, & technical data (as well as results from a multiplatform gauge/test of security in CIS Tool) which are things folks can not only SEE (like your data, which I also noted mind you), but test themselves

vs.

Your avoidance of answers to my questions, period, & "word games/semantics", which I am in turn, now turning against you (fight fire, WITH fire), and you do not answer my points. Not a good move.

I'd also wager you have not been in this field as long as I have, nor do you have the levels of experience I have either on as many levels professionally (or, in publication in this field & not just from websites, but from mags & books in this field). This is just an assessment of your "talking a lot here" but offering NO technical substance.

I suggest you rewrite you howto cause I am not th e only person that would lose interest in your howto with a statement like that.

LOL, now you're arrogant enough to "speak for the planet/everyone"? Please... thunderstruck88 put you in your place, better than I ever could, & that alone tells me worlds when he stated "that's ridiculous".

On that note: What makes YOU, the ultimate authority/judge of what is written above anyhow, OR, that YOUR "evidences" (which are NOT your own, they are from a website I noted as well) are this "ultimate judge"?

Again - I did my OWN test, vs. Symantec/Norton Corporate Client 10.2 (an excellent product)... I noted them, & WHY I did them (because someone pointed out NOD32 to me, & I gave it a shot WITH ACTUAL TESTS & DATA I PRODUCED... have you? NO!)

Oh, by the way: I also suggest you produce proof of your phd in English, prior to telling others how to write.

APK

P.S.=> There's always 1 in a crowd, & this is the one here... then again, I see he is as much of a "noob" on these forums as I am... we're both recent attendees, so he is NOT "part of the normal crowd here" @ all. apk

APK    0
i think thats ridiculous.

hell, if we keep going by your line of thought we might as well stop using words like best entirely, just so that it's sufficiently politically correct for the extra touchy folk out there.

no one is ever going to come up with a nice bullet point comparative in this forum, just to please (your?) ideals. that kinda stuff is what review sites are for, i think it's pretty pretentious to expect such a thing from a guide around these parts, even more pretentious to dismiss the whole guide because of it.

nod32 being the best antivirus is just common sense. and if that doesn't do it for you i'm sure you'll find a zillion non-sponsored articles proving the same exact thing. me or anyone else fetching one of said articles is just feeding the troll.

Agreed 110%... see what I wrote above, & know I am with you on that note. I am glad, unfortunately, to see that you are on the same page I am, about this person. He offers NOTHING to back his bluster up, technically, just word game semantics & b.s.!

What I found rather ridiculous, is how he avoids answering my questions period, OR his inability to counter the data I used regarding results from ESET, or how assembler code CAN & DOES benefit a program's performance.

What bugs me is this: He is stating my entire init. post is invalid, based on 1 statement OF MY OPINION (which I am entitled to, regardless of his opinion, but mine does have basis in fact, as an "all around optimal/most balanced solution")

(& when I confront him to prove it is incorrect, he conveniently avoids it with contrary evidence. He makes it out like av-comparatives (whom I mentioned before he did in fact) is the "word of GOD/ultimate authority" on this subject).

I state why I feel otherwise, to which from he, I got NO reply/rebuttal.

I would also like to see his phd in English, since he sees fit to attempt to tell others "HOW TO WRITE"... I wonder how many articles in this field he has been a part of in written publication in trade rags or books in this field (I can name @ least 5 to my credit over time since 1996).

APK

P.S.=> I put up what I did, point-by-point in quoting him, but he TOTALLY avoided my points which dealt in the technical reasons WHY I wrote I felt the BEST antivirus solution is ESET (on a number of levels it is, and I extolled WHY I felt this, as a programmer/analyst-software engineer speaking here with over a decade of professional experience in it, & NOT just from charts/graphs @ ESET or av-comparatives's site).

He seems to feel av-comparatives is "the ultimate judge/authority" here. I never felt thus, & cited they AND the data from ESET's website, but not only that, but the fact it is written in a faster language period (& I know what ASM code CAN DO for an application as far as performance)... apk

dysmatik    0

nicely compiled. Thanks for sharing.

APK    0
nicely compiled. Thanks for sharing.

Thanks, & I hope it works to help keep you online safer & faster!

As to "thunderrooster's" points: You are free to do as I did (which evidently, he has not), which is test ESET's NOD32 vs. your current antivirus solution, & make your OWN decisions (the best way, as I stated above).

APK

P.S.=> Apologies for "thunderrooster" & the exchange I am having with him, but I really WOULD like to see his replies to MY questions above now... apk

raskren    0

What a horrific waste of time.

I've never done any of this and I have yet to be "hacked" or have my machine compromised in any way.

Good luck surfing the internet with JavaScript turned off. And you recommend turning off the "Server" service on Win 2k3? Seriously?

If improving security is really this easy then why hasn't Microsoft done everything listed already?

Here's a good, comprehensive security guide:

  1. Update QuickTime

There, done.

Shof    0

All of your info never clearly states it works on Vista. The tuner program you link to on Softpedia is only for XP, 2k and 2000.

APK    0
What a horrific waste of time. I've never done any of this and I have yet to be "hacked" or have my machine compromised in any way.

It's possible, OR you may not be aware of it happening period. The point is, these are areas that help you with "layered security", which IF you follow security-related news, IS the "trend to follow" & makes sense.

E.G./I.E.-> If they bust thru one lock, you have yet another in the way (ala having a door with a knob based lock & also a chain lock etc. et al, as an analog anyone can drink in, & digest).

Do you seriously think the material does not help you with layered security??

Thanks for the answer.

Good luck surfing the internet with JavaScript turned off.

I do it all the time, for MOST sites in fact... but, I do make exceptions (which you skimmed past, please, read the entire post next time OR, @ least do not omit facts I stated, thanks).

Hmmmm, I never said TOTALLY turn it off, for ALL sites (some need it, banking & shopping are ones noted above)... please, @ least read before you comment like that next time... you're "skimming".

And you recommend turning off the "Server" service on Win 2k3? Seriously?

Sure! If your system's NOT networked, why keep it on? To waste CPU cycles, RAM, & other forms of I/O?? No thanks. If networked, you'll need it on though as I mention, because it creates default hidden admin shares & also disks you share out are made available thru it & FILE & PRINT SHARING. I note this all above.

Why ELSE would YOU keep it on then, if you don't have a HOME or OFFICE LAN then? I could use this advice IF you can supply valid reasons why it ought to be left on if no LAN is present (again, thanks).

If improving security is really this easy then why hasn't Microsoft done everything listed already?

Things my post notes, & does mention this? MS has altered the logon entities of MANY services in service packs, for example, but not all. They do NOT apply port filtering natively, & make you run TONS of services you may not require @ all... that is only SOME of it, mind you. Need more?? I can supply them.

I also DO know they have followed a great deal of things I have suggested for years now in VISTA!

(Ram & flash disks being used is one example, I can get into specifics where I was featured in mags in this field & on websites for corporate entities that produce such things (CENATEK & SuperSpeed.com/EEC systems are a couple. I was on their corporate websites on their front pages for them in fact for reviews and paid programming I did over time for them, as well as research that took the latter to a finalist position @ Microsoft TechEd 2000-2002 for the most difficult area: SQLServer performance enhancement, as a couple examples).

Even Linus Torvalds of LINUX fame is excited about SSD's (solid state drives/ramdisks in hardware)...they reduce latency is why. Need proof? I can supply on demand, no hassle.

Others are helping guys like Dr. Mark Russinovich (famous MS employee) improve his wares, & I used to contract out with him to a company he & I sold wares to, & this is how I know him. I also have had my diff.'s with him over time as well, but nevertheless, I respect him for the MOST part (I did catch him in a rather "ROOKIE" hardcode though in one of his wares once & told him how/why to correct it, he agreed & thanked me via email in fact).

Need more? I can produce it (mags & books I have appeared in over time now for the past decade in this field, etc.).

Here's a good, comprehensive security guide:
  1. Update QuickTime

There, done.

If it works for you, then it does. Still, do you feel the list above & its points are NOT beneficial for security? If so, why??

APK

All of your info never clearly states it works on Vista. The tuner program you link to on Softpedia is only for XP, 2k and 2000.

I never clearly stated it did, because CIS tool does NOT have ports to EVERY OS... its the principles above you can apply that help (same as they do on its forebears in 2000/XP/Server 2003).

APK

P.S.=> If you need more help, ask... I will reply later on it! apk
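Added example (mine, not code from APK's post): before pulling the Server service on a "not networked" box, as the exchange above debates, it is worth seeing exactly what that service is exposing, because the hidden admin shares and SMB listeners are the concrete things you lose. The script assumes Windows PowerShell is installed (it was a separate download for XP/Server 2003 in this era) and that it runs from an elevated prompt. `LanmanServer` is the real service name behind the "Server" display name; the `Win32_Share` and `Win32_Service` WMI classes and the 445/139 ports are standard Windows, not assumptions. The refusal logic in the second function is my own design choice, not anything the post prescribes.

```powershell
# Added example, not part of the original post.
# Inventory what the Server service (LanmanServer) exposes, then disable it
# only when the box really is stand-alone.

function Get-ServerServiceExposure {
    $svc = Get-Service -Name LanmanServer
    # Win32_Share lists every share the Server service publishes, including the
    # hidden administrative ones (ADMIN$, C$, IPC$) mentioned in the post.
    $shares = @(Get-WmiObject -Class Win32_Share | Select-Object Name, Path, Type)
    # SMB listens on 445 (and 139 when NetBIOS over TCP/IP is enabled).
    $listening = @(netstat -an |
                   Select-String -Pattern ':(445|139)\s+.*LISTENING' |
                   ForEach-Object { $_.Line.Trim() })
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'").StartMode
    New-Object PSObject -Property @{
        ServiceStatus = $svc.Status      # Running / Stopped
        StartMode     = $startMode       # Auto / Manual / Disabled
        Shares        = $shares
        SmbListening  = $listening
    }
}

function Disable-ServerService {
    param([switch]$Force)
    $exposure = Get-ServerServiceExposure
    # A non-administrative share (name without trailing $) means this machine is
    # actually serving files or printers to a LAN; refuse unless told otherwise.
    $userShares = @($exposure.Shares | Where-Object { $_.Name -notmatch '\$$' })
    if ($userShares.Count -gt 0 -and -not $Force) {
        $names = ($userShares | ForEach-Object { $_.Name }) -join ', '
        throw "Shares still published ($names); rerun with -Force only if this box is not on a LAN"
    }
    # -Force also stops dependents such as Computer Browser, which cannot run without it.
    Stop-Service -Name LanmanServer -Force
    Set-Service -Name LanmanServer -StartupType Disabled
    Get-ServerServiceExposure
}

# Usage (run as Administrator):
#   Get-ServerServiceExposure | Format-List
#   Disable-ServerService            # add -Force once you have confirmed there is no LAN
```

After disabling, the returned object should show no shares at all and no 445/139 listeners; if 445 is still listed, something other than the Server service owns that socket and the change bought less than expected.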

APK    0
All of your info never clearly states it works on Vista. The tuner program you link to on Softpedia is only for XP, 2k and 2000.

First off: It's not a program, it's a set of guides you can apply via registry hacks etc. (minor point, but one I have to make here).

The ones that THIS 'guide' I wrote lacks, are in it (mainly because if you want to know those .reg hacks, you have to search sites that exist for "tuning windows performance" etc. - I noted that above in fact. along with them comes 'cutting off services you don't need' type guides... if I put that in here? The init. post would be FAR MORE massive... maybe, too big!).

Those softpedia guides are registry hacks you CAN still use all the way across Windows 2000/XP/Server 2003 & yes, VISTA (though it will probably lack the NEW settings VISTA & Windows Server 2003 SP #2/RC2 have, in TcpChimney stuff (iirc, to "thunderstruck" above, I noted this as well)).

----------

Secondly: ON THAT LAST NOTE/COUNT - I noted this above to thunderstruck earlier, with his stating "the .reg files are from 2002" etc. & regardless of that, its settings apply across 2000/XP/Server 2003, & yes, VISTA for securing you. The Tcp/IP stack has changed SOME across those, but not so radically those settings DO NOT APPLY anymore.

----------

Third: I wrote those guides LONG ago, but, they work across ANY NT-based OS there is, Win2k onwards for helping secure you (& some of it the CIS tool covers, other settings not, which is why I noted it).

Good as CIS tool is? It does NOT account for NAT firewalling routers for instance, or the security AND SPEED potential of custom HOSTS Files, or Port Filtering for layered security for instance - this guide, does.

(Fact: Those files you mention literally used to be the primary foundation of the former Article #1 @NTCompatible.com (& believe it or not, it was the FIRST & ORIGINAL "tuning guide" for Windows NT-based systems, beginning its life in 1996 on forums & then @ NTCompatible.com as article 1, & I "grew & added to it" since then - I had a "falling out" with one of their partners & it was removed in 2003, but the "wayback machine" can prove my words if anyone doubts them... since that time, entire sites have sprung up based on that premise (BlackViper is one many folks know about, & my work predates his in fact))

Now, above all else: I don't "own those settings", only MS can lay credit to that (& then not even on some counts... they "ripped off" the BSD IP stack to begin with, lol!). I merely compiled them (although some of its ideas are my own) so everyone CAN gain by them, if they apply them.

----------

QUESTION, mainly for 'raskren' above:

If this stuff does not work, as "raskren" noted, then how come folks with firewalls, antivirus, antispyware etc. et al have to be fixed by myself each day, when they get infected by spyware/virus/trojans/malware in general then?

ANSWER:

Because despite those methods & security tools, folks screwup, visit bogus sites with lousy malware loaded adbanners & yes, this happens, evidences are above & INCREDIBLY current in fact in my guide for your references... & they do download rotten stuff (trojans) & get loaded emails they get suckered by.

The guide helps stall that.

APK

P.S.=> Anyhow, any more "nitpicks" guys? I'll answer each point, unlike some I have replied to here (like thunderrooster above, oddly some "noob" here like me, but he felt he had to reply on my writing style & I said what I said, but another user thunderstruck agreed with me on)... apk

APK    0
If improving security is really this easy then why hasn't Microsoft done everything listed already?

Uh, additionally, based on your statement? Well, why hasn't MS fixed:

IE up to the level of say, Opera &/or Netscape (both with 0% known unpatched vulnerabilities then)?? How come VISTA is proving to be such a "dog" on many levels??

That's a SINGLE example. There are others. Then again, you have SQLServer 2005, & last time I looked? 0% known unpatched errors @ SECUNIA.COM for instance. This took more than a decade to achieve, finally, & it runs a LARGE part of NASDAQ & unseated *NIX boxes for many roles there in fact (it IS the "official record & disseminator engine of trade related data in fact, & runs "bulletproof & bugfree" for them with 24x7 uptime in fact).

What about vulnerabilities in Office apps? What about Office 2007 having the rather DUMB bug it just showed in Excel regarding 16 bit max values?? **** happens is why, especially during large rewrites of large systems (been there myself, porting things like old FoxPro DB's into VB apps that leverage better DB engines like SQLServer OR Oracle for instance - users turn up little things only eventually (usually useability issues only, but still, issues)).

Why are SOME of the MS wares,'imperfect'?

Simply because MS is a leviathan that moves "slow" due to a large mgt. structure & chain of command, deals in MAKING MONEY, not necessarily 'better software' imo!

I liked when "King Billy" was in command of that company, not MR. Ballmer... why? Ballmer is about DOLLARS, not better product imo... he is not anywhere NEAR as technically skilled as Mr. Gates, & not as interested in this field either.

I don't believe a leader of ANY company should be someone like that... VISTA being my PRIME example, unfortunately... it's not doing well. Ballmer is using DRM b.s., which NOBODY but the RIAA etc. wants... he is NOT listening to customers... that's the "surefire route to business suicide" imo @ least.

(Though I will say their Windows Server 2003 SP #2 or RC2 is one HELL of an OS, that installs in "Workstation/Pro" mode, rather than Server with ALL of its features installed for "backoffice" industrial strength stuff, like IIS, SQLServer etc. et al)...

MS? Hey - They are NOT perfect... & "perfection"?

It's a ROAD, not a destination, as the saying goes.

I am certain there are some VERY brainy sharp folks @ MS, but, they have to deal in politics, going thru layers of b.s. to get their point across, & more... if you have not worked in a Fortune 100/500? Then, you will NEVER understand this... & good for you: I have, & largely, unfortunately? It is, how it often is...

Politics, & greed, RULE, & it's a shame... sometimes, their results make me honestly ashamed to be a human being in fact...

APK
