HOW TO SECURE Windows 2000/XP/Server 2003 & EVEN Vista in 12 steps

[blaszta]

FYI, your first point is not working on Vista Home Premium (just happened to have one pre-installed in my notebook :-))

[APK]

QUOTING POINT #1, note the bolded part:

1.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003

& that part's ALL you need to know really...

(After all, it's "Windows Server 2003's", as in possessive, & not for any other version of this OS that is in release, afaik.)

In fact, I noted that for 2000/XP, (& yes, I omitted VISTA) in the part I did NOT quote here.

However, I thought that'd be apparent based on the "possessive" part.

(Nitpick, but decent one!)

APK

P.S.=> If I could perform an edit on my init. post here, I would, but I can't so "HEY EVERYONE" (lol):

To clarify point #1 - so you don't take it the way the last poster did? Don't try step #1 on "VISTA"

(Windows ME the 2nd).

If that offends anyone, it's just my opinion, which IS mixed. Do I like AERO Glass? Sure! It's cool, but, as the saying goes:

"Looks aren't everything"

VISTA does have some GREAT ideas in it though, "under the skin", & I will agree on that with anyone who does really, but... many are just from the version of Windows I use in Server 2003 SP#2 & below anyhow, since it is its ancestor code.

Still, some like ASR Layer for executables which are NOT in Windows Server 2003, are good too!

However, it's got some stuff (& known problems) in it I have seen that need work!

E.G. (& this is JUST opinion on it so far, based on tools I was used to/accustomed to from prior versions)

Some stuff that should NOT have been changed the way it has & especially regarding networking front ends via CONTROL PANEL imo!

I.E.-> Some things, at least end-user reconfig tools people were used to for reconfigging the system in CP, should NOT have been changed period. They worked FINE, as is, originally & had not changed for many Windows NT-based OS' generations.

I got VERY used to them, & this new 'wizardy stuff' (like CATEGORY VIEW in XP, as an analog that folks that have not used VISTA will understand, vs. "CLASSIC VIEW")? Well, I for one, don't like it (& don't get me wrong, some wizards are alright, like email setup ones, but for Control Panel?? What for???)

Hey - Why fix a watch that runs in other words & one that tons of people STILL prefer & use, that exist in this field & work @ it?

Main Question (& one I am NOT 'aware of' on VISTA is this):

Can you see the CONTROL PANEL, "old-school style" circa Windows 2000/XP in CLASSIC VIEW, in VISTA?? I am curious. Thanks. I don't own it, OR use it @ home. It doesn't provide enough for me to switch over to be honest, not yet. Not enough "valueadd" really for me.

It's not as fast as a performer on many things & I think that MS ascribing to all this new "caching" they're trying is not working out as planned. & I think it's due to HOW they're applying it. Trying to make a software cache THAT big & running it fast, isn't working it seems!

(which just goes to show you that all the "theory" in the world, doesn't always translate to real world gains in practice it seems, & instead results in HUGE memory bloat occupation & any gains made, are robbed apparently, during cache flushes & paging, apparently).

Also - The FileCopy/Multimedia subsystem conflict problem & the slowness of it is not showing a noticeable improvement @ least during the public test releases so far, & on this one & other areas, MS is dropping the ball on VISTA imo & NOT listening to customers (who the heck wants the DRM stuff in it? The RIAA imo, only))... there's others too.

UAC? Sorry, it's NOT for me. It "means well" but, well, nobody likes popups (ala webbrowser ads) really & it reminds me of that personally.

Additionally: Everytime they 'change' an OS, there's sometimes "key apps" I can't get ahold of for it, OR, have not been 'totally made ready' for some of its changes (the driver model, for one, in VISTA vs. previous ones, & that means turn around time & waiting).

Been there before, during Windows NT-based OS transitions (worst between NT 3.5x & 4.0, then NT 4.0 -> 2000 imo being the worst of the lot) So...

I'll wait awhile myself, before I go to VISTA, if ever.

Will I learn things about it, to support or develop on it? No choice, I'll have to, & I have been (as I still have questions on or about it as shown above...

Still, I do have reservations about it, currently @ least, based on what I've seen it it & HAD TO deal with, so far (networking mixed node LANS using it can be a bummer where it can see XP shares & such, but VISTA-to-VISTA won't work! Is it me? Possibly, but I was like "WTF!", lol).

apk

Edited November 27, 2007 by APK

[J_Smith]

Thanks :spindj:

[APK]

Thanks :spindj:

You're welcome from me, if you were addressing me.

If not, then sorry. & sorry about the VISTA rant above... it's just my opinion though. I have had not the best experiences with VISTA (networking mainly, where I felt MOST things in Windows before VISTA, it was a megasnap, because changes to the fronts for tasks either stayed MUCH THE SAME, or altered VERY LITTLE, OR offered ways to see it as it had been for generations in previous Windows generations, for the most part)

Hey, I will admit though, on VISTA - & I don't use it enough to be making even more statements I might make here.

Yes, I don't keep it here @ home, & RARELY see VIST A on support calls in fact. Maybe 1 in every 50 I would guess?

VISTA doesn't seem to get much more than preinstalls, rather than "flocks buying it" as some previous Windows have (like 9x/2000/XP imo, especially) as you note you have.

However, from when I have supporting it, there are things I definitely do NOT like about it (though it has some great points & features).

I am personally surprised MS spent that much time & money to get this result. It's not "horrible & all bad" but, it's just amazing to me this is the end result so far with VISTA, when it had roots in the version I use that absolutely is solid & fast, vs. VISTA & Windows Server 2003 is proven on TONS of levels.

APK

P.S.=> DirectX 10.x is sweet looking though, & this I have to admit (water is outstanding in it imo as far as flash & looks possible in it, & I like the fact that 7,000 new API calls in this OS are more efficient than past generations (DirectX allegedly HAS a big efficiency/speed gain here in some of its new lib calls & routines from what I read))...

I have also heard tell that OpenGL has performance hassles vs. earlier versions of Windows, but, it's not all MS fault iirc, some of its the driver manufacturers,. quite possibly, STILL adapting to a new driver model, & API calls changes etc.

(I think MS would LOVE to "kill" OpenGL, lol, so DirectX is "uber alles" etc. et al though... this is part of the 'business reasoning' I absolutely HATE out there today - kill the competing way, even IF it means hurting your own product by 'crippling the competing std. on your platform', type b.s., which I think this is... now, I have heard of ways supposedly that you have to "hack it in" & such, & that to me? Turn off!)

I wonder if that is "fixed/changed"? Thanks for the OpenGL on VISTA info., if you have it.

For me though, since I have a GOOD "watch that runs" in the OS version I use of Windows?

The DirectX 10 stuff's just not enough for me, not yet, in addition to the things I like about it (ASR Layer & AERO GLASS & maybe some ideas VISTA's IE7 has, but they CAN be duplicated in Windows Server 2003, OR other versions of Windows too (XP))

vs.

What I personally do not like noted above such as problems known in it that should not be there imo, due to taking risks on a new caching design imo & memory mgt. to an extent + multimedia & networking file copy hassles etc., & also DRM which imo, ONLY the RIAA likes & others like they PLUS the "OpenGL vs. DirectX on VISTA" question I had above which has me in doubt about it... apk

Edited November 27, 2007 by APK

[APK]

FYI, your first point is not working on Vista Home Premium (just happened to have one pre-installed in my notebook :-))

On this note, again: I wonder if it can be "hacked in" to VISTA? The reason I ask is this & it actually makes me WISH I had a VISTA rig to try it on:

An example of that type of thing, is 'hacking in' XP's "System Restore" feature into Windows Server 2003 (which does not have it, nor do its service packs). It's "doable", & actually works, once you install the necessary .inf files (via right click & iirc, it even does the filecopying for you, etc. to the right folders like it would inside Windows XP, albeit on Server 2003) from an XP installation CD in fact & pretty simple to do.

That said, I truly wonder if SCW (Security Configuration Wizard) from a Windows Server 2003 can be similarly hacked into VISTA... and most importantly, IF possible to do? Have it work as well (doubt it though, on fully, because one thing I am aware of is yet MORE services running in VISTA than XP or Server 2003 have & I'd wager that SCW will fail on trimming those if you tell it the role of your machine, since it is probably unaware of those (but, you could probably 'stall them' manually anyhow if it did)).

APK

P.S.=> Thanks for the answers to my questions to this, IF you VISTA users find the time... & also about OpenGL on VISTA, PLUS, about the possibiliity of a "CLASSIC VIEW" (as it is on XP) in CONTROL PANEL that I asked about above... apk

Edited November 27, 2007 by APK

[APK]

raskren: Still waiting for answers to your questions/critiques from above - thanks.

(The reason I ask for them is simple: IF you can supply VALID critique as to WHY you'd be against turning off the SERVER service in ANY Windows OS if a user is not part of a LAN/WAN, mainly (or, serving up a website from their machine may be another)).

APK

P.S.=> As to your point of "WHY MS HAS NOT DONE THIS STUFF"?

Well, again:

They have to SOME extent (e.g.- altering the logon entity used & thus, the priveleges said entity has (LocalSystem, vs. NetworkService vs. LocalService) in service pack updates, but not for ALL services that can do it & still function + certainly not for 3rd party services (which my list contains quite a few of that still work when lessened from LOCALSYSTEM).

They also do not cover port filtering, OR custom HOSTS file usage, etc. (& more in that list above of 12 points above that you can use to secure yourself)...

P.S.S.=> Also, your point about "tuning off Java/Javascript" & having a tough time online (globally)?

Well, then ONLY use it on sites that demand it, as I noted! Browsers like Opera (fastest, most secure, & most std.'s compliant BROWSER there is) make this a snap, with its native tools... FF/Mozilla/Netscape CAN, albeit thru the .xpi addon called "NoScript"... otherwise, risk being infected by bad adbanners, OR sites that maliciously use javascript.

MS might not be too keen on that, as it may "mess up" their initiatives in .NET / AJAX primarily I would wager. BOTH use javascript extensively is why. I know, I build these things for a living & know the "upside" vs. the "downside".

See, the reason I am against globally "turning on" scripting (of any kind, like JAVA/Javascript + ActiveScriting/ActiveX controls usage) is simple:

If ANY of you read sites like www.secunia.com (which you should sometimes if not)? You'll see that javascript is a commonly utilized attack vector. IFrames is yet another.

Although Javascript offers added functionality, sometimes which you cannot avoid on some sites & have to make exceptions (which I note above with a couple generic examples), it is truly a double-edged sword... apk

Edited December 2, 2007 by APK

[APK]

I note somebody's rated this post "down" as well... to that, I can only ask that my "naysayers" reply to the points I am asking (like with Raskren above).

You backup your bad rating 'bluster" above, with valid facts & critique as to WHY the points my list of 12 points are bad, & answer my points (like raskren's above) & I'll merit that... otherwise?

WELL... to be blunt about it? Your statements (& 'down rating' this post, lol) aren't standing up to my rebuttal to you above, & secondly, not very well vs. the CIS tool score (based on "best practices" in this field for Windows for security).

APK

[LTD]

Good luck with all that. Wow.

While I espouse a different platform, I do respect the fact that you went to this much effort for the benefit of others. Nicely done.

[APK]

Good luck with all that. Wow.

LOL, thanks. It works, it really truly does... anyone that goes thru that list & applies it will understand just what I mean, AND surf not only more securely, but also faster as well.

While I espouse a different platform, I do respect the fact that you went to this much effort for the benefit of others.

Well, for others, but also for myself - I have to clean @ LEAST 5 systems a day that do NOT apply the points above & from those that believe an antivirus (especially this alone) & Antispyware app combination is enough.

(E.G.-> IF that truly were the case? Then, why am I & many others in this field, cleaning them from virus/malware/trojan/spyware etc. et al, each day?? Answer - they are NOT ENOUGH, by themselves is why...)

Why is this of benefit to ME, personally??? Well, killing virus/malware/trojans/spwares are INCREDIBLY time-consuming calls... around 2-4 hours each. I don't like "burning" that much time on a support call, period. There are simpler/easier ones, like networking printer & client setups for example, that eat 1/10th of that to fix them, for example.

Nicely done.

Thanks. Again - it JUST WORKS!

Still waiting on my naysayer's replies (especially those that rated this post down)... especially raskren, per my post before this & its questions to he.

APK

P.S.=> I note you use another OS platform... well, IF it's LINUX? Then, this is as CLOSE as you can get, in Windows, to something like SeLinux (comes with KUBuntu for example, & IT even is not set as "stringent" as it can be... just like Windows default policies are, & other things).

How can I say that??

Look @ the scores SuSE gets above in the "intro" post, on default policies (albeit run under VMWare, which some feel secures you more, others not (due to possible holes in the VMWare & added complexity it brings, Theo DeRaadt being one iirc)), shown above in the "intro" 1st post of this thread, & see what I mean... apk

Edited December 2, 2007 by APK

[LTD]

APK, I'm on OS X. Unix based, built on technology that had been developed at NeXT and acquired by Apple, basically a Mach kernel/BSD combo.

At this point, viruses and malware aren't a problem, although for how long this will last, no one really knows. The Unix security model is pretty solid, but nonetheless, I've got the firewall on and I employ ClamXav antivrius. For now this is sufficient.

BTW, I'm pretty excited about OpenGL:

http://www.winmatrix.com/forums/index.php?showtopic=13647

APK, I'm on OS X. Unix based, built on technology that had been developed at NeXT and acquired by Apple, basically a Mach kernel/BSD combo.

At this point, viruses and malware aren't a problem, although for how long this will last, no one really knows. The Unix security model is pretty solid, but nonetheless, I've got the firewall on and I employ ClamXav antivrius. For now this is sufficient.

BTW, I'm pretty excited about OpenGL:

http://www.winmatrix.com/forums/index.php?showtopic=13647

[Knife Party]

sorry, i got none of that :(

[APK]

APK, I'm on OS X. Unix based, built on technology that had been developed at NeXT and acquired by Apple, basically a Mach kernel/BSD combo. At this point, viruses and malware aren't a problem, although for how long this will last, no one really knows.

Yup, aware of that... but, this might interest you on that note:

Native Windows PE File Loading on OS X?

http://apple.slashdot.org/apple/07/12/01/2040225.shtml

The Unix security model is pretty solid, but nonetheless, I've got the firewall on and I employ ClamXav antivrius. For now this is sufficient.

For now, for SOME things (questions/e.g.: Is the JAVA/Javascript on MacOS X totally "invulnerable" to these attack vectors? How about IFrame exploits??)

If so, disregard the question... if not though? I'd wager what is written even applies to that, in addition to custom HOSTS file usage (still BSD based IP stack on your OS of choice, so it ought to work... after all, MS "stole" an older BSD IP stack, for the Windows one, so THAT point on HOSTS files also helps you, too!).

APK

[APK]

ADDITIONAL POINTS I DID NOT MAKE EARLIER TO YOU (Sorry, watching NFL football during my posts today):

At this point, viruses and malware aren't a problem

They are there on the Mac, & have been before, just less:

Apple Patches OS X Flaws:

http://www.eweek.com/article2/0,1895,18365...405dtx1k0000599

Third flaw hits Mac OS X

http://www.techworld.com/security/news/index.cfm?NewsID=5429

Apple fixes 17 Mac OS X flaws:

http://www.infoworld.com/article/07/05/25/...-X-flaws_1.html

Mac OS X Exploit Rapidly Follows Patch

http://www.eweek.com/article2/0,1895,21383...EWKNLEDP053007C

SECUNIA DATA ON MACOS X VULNERABILITIES (known ones):

http://secunia.com/product/96/?task=statistics

(Which makes PERFECT sense, if you think about it from the malware author's point-of-view: Attack the MOST WIDELY USED PLATFORM THERE IS, in Win32, & get the greatest "attack surface area". MacOS has 1 thing going for it more than anything else - security, via obscurity (less used, thus less attacked)).

, although for how long this will last, no one really knows.

See the post URL I did above, very VERY recent, which is about Win32 Portable Executable format (.exe basically) points on Leopard, the latest/greatest MacOS X... that'll lend you some clues for speculation @ least.

Doesn't matter though - MacOS X... is it proof against javascripted exploits, or iframe driven ones? Are its webbrowsers (& other apps), absolutely "110% bugfree & bulletproof" vs. explots that can get to Windows via the web & apps that use it I noted above)?

No... they are not. If this is news to you, or anyone else here, sorry to disappoint if I have... just facts.

A WORM FOR YOUR APPLE:

http://www.beskerming.com/commentary/2007/..._for_Your_Apple

Ah, there's more (especially for the latest, Leopard MacOS X release, but... that'll do!)

The Unix security model is pretty solid, but nonetheless, I've got the firewall on and I employ ClamXav antivrius.

That's a start, but read the next paragraph - even the "best of the *NIX's" & their variants, can always be a BIT MORE secured... in addition to the points I made above, & now here again (java/javascript & HOSTS file benefits initially, but also bugs in MacOS X for security vulnerability, past & present, & apps that run on it).

For now this is sufficient.

Well, the folks @ CIS TOOL also have a guide in .pdf form that should help MacOS X users... it's just not automated like the FreeBSD version is, or the Solaris version, or the LINUX version, or the Win32 version - a clearcut case of less software being available for the Mac for purpose, imo... hopefully, a port comes soon & full java runtime compatibility.

Even various *NIX's gain from this multiplatform security test, & the test itself makes it actually sort of "fun" to do as well... & helps!

APK

[APK]

raskren:

I am still patiently waiting on your reply to my questions to you on page #2 of this thread, & @ the top of THIS page...

(If you have a valid point(s), vs. those I mention in rebuttal to yours, then, I'd like to hear it/them - as I only grow stronger for it, as would this posting... pretty simple. Either way, this post gains.).

:)

* Thanks, & mainly on the SERVER service (which apparently, you have not run Windows Server 2003, because it installs BY DEFAULT, in Workstation/Pro mode, & you only add 'server class' services (like IIS for example) as needed ontop of that), Javascript/Java, & "why MS has not made these improvements"!

(hmmm, good one that last one: Why hasn't MS fixed up IE to the levels of say, FireFox/Netscape/Opera then, too? Then again, there's SQLServer 2005, with 0% known vulnerabilities in its ENTIRE EXISTENCE thusfar to date).

APK

P.S.=> Above all else - The "down ratings" aren't justified on this post, until you do, specifically, because I strongly suspect you down rated it...

So, please - @ this point, vs. my rebuttals noted again here as they were above: Just back up your statements vs. my own with factual data (this goes to ANYONE rating this down in fact) please...

Now, if you are correct, then I only make this stronger for it via correction (even if only exceptions related data, but iirc, I cover that well enough)...

STILL, I fail to see where you are correct, & I am using YOU, as a 'case in point'... apk

Edited December 3, 2007 by APK

[APK]

raskren:

You could have @ least answered your "pm" I sent you, or replied here.

E.G./I.E.-> IF you have valid reasons for NOT turning off the SERVER service, other than if folks have a home or business LAN/WAN (as 1 example), then, I'd like to hear it...

(Critiques are always welcome, IF they have valid factual bearing that is).

It seems apparent to me that you probably have not run Windows Server 2003, & that's ok, because that does give one an excuse imo... Windows Server 2003 installs in a default "Workstation/Pro" type of mode (much like XP Pro does in fact, & you add server class stuff to it ONLY as needed).

I also just know that if you turn off the server service, you do not publish shared disks/folders/files, & this aids security...

Additionally, by turning off SERVER SERVICE (if you don't need it), you also save CPU cycles, RAM, & other forms of I/O by not running it... especially if you do not NEED it, & most folks, unless on a LAN/WAN @ home OR work, do not.

Care to discuss those points, vs. yours? Apparently not.

ABOVE ALL ELSE: Guys please/again - if you're going to "rate this post down", @ least have some valid points to do so, is about all I can state, & have the balls to discuss why. You may point me to something I overlooked, & that would make this guide that much stronger if so...

APK

P.S.=> LASTLY - On the java/javascript + ActiveX/ActiveScripting? Well, all I can say is, look @ all the exploits today based on them (even in adbanners the past few years now & I give examples above, some will shock/astound possibly), & IFrames are yet another widely used attack vector due to webbrowser vulnerabilities in them regarding IFrames/Frames... apk

[APK]

I was looking over it and it seemed interesting till I got to the part where you said NOD32 was the best.

Well, again: My own tests showed it was over my FORMER fav., which I still use @ work though, in NAV 10.2 Corporate Edition (as "lean" as Norton gets, with the 2002 interface even & same "moving external parts" in driver & services (in essence the whole engine)).

http://www.eset.com/products/compare.php

That website above, in the VB100 tests, as noteworthy, or moreso, than av-comparatives, seems to show its HEURISTICS "smells like a duck, tastes like a duck... MUST BE A DUCK!" engine kicks the snot out of everything else, as well as scanning speed/thoughput (both tests).

Seriously, I would say this would be the MOST valued feature, because of unknowns (no signatures via reverse-engineering disassembly & tracing code, filesystem & registry activity, mostly)

AND

I see NOD32 doing heuristics FAR FAR SMOOTHER & FASTER, too, than it's competition... From BOTH our sources.

Heuristcs IS where it is @ mind you: Especially vs. a "Zero-Day" huge attack that hits millions, fast.

You asked for the TRUE measure of an antivirus product??

To me, that's it - It expects the unexpected, & lol, instantly knocks the chocolate outta it. It doesn't need a picture (signature), just its own ESP (heuristics)... That IS, as good as it gets, & the speed?

Hey... lol: "THANK YOU ESET!"

Now, on YOUR advice? I rescanned the results @ the site you mention... av-comparatives:'

See for yourselves, same results, on same grounds ->

http://www.av-comparatives.org/seiten/ergebnisse_2007_08.php

And, they "split" the other results, 4 won each, to both AVG & NOD32 in the rest of the tests no less, a tie overall on the total test volley.

Now, onwards, & upwards -> HEURISTICS scores:

12/12 heuristics score for NOD32 by ESET.

3/12 heuristics score for AVG

400% in favor of Eset NOD32...

(Don't get me wrong, I said AVG's good stuff & I used to use it on customers systems who had no antivirus product, or antispyware one... not even a lesser performing one. Yes, folks like that DO exist, & by droves if you ask me... but, most nowadays have @ least, antivirus (expired OR trial only though, etc.)).

I just see what I see, based on BOTH the sources we used &... I got what I wanted, in the areas I wanted. Still, I am a fan of (if possible) monolithic Win32 exe files, no external libs called explicitly, just Win32 API if most for speed (inline asm if possible), but these guys built MOST of their thing in pure Assembler, which imo means time & backing.

Whoever backed it, imo? Got their returns in a great product. Per my own tests, & those done above... I switched in fact, from NAV Corporate 10.2, to NOD32.

Sometimes? You get LUCKY (& it was on the advice of a forums person named AshenSugar) & get GOOD solid advice or challenges... you learn/profit by the experience.

APK

P.S.=>

IThere is no such a thing as the best antivirus product.

No more than there is a "perfect babe", but... you have to check stuff out first, lol, to do that.

Same here.

IAVG has a better detection rate this time than NOD32.

Not with heuristics & THAT IS THE TRUE TEST, of an AntiVirus product in my eyes. Heck with signatures based detection, that's relatively easy... it's the heuristics engines that kick ass - they spot stuff, NOBODY knows about, & WHO DOES IT BEST?

Well... lol, you know, now!

IWhat defines what av product is the best detection rates?

Heuristics scores on tests like those above, & for the reasons I noted above... speed, & great heuristics.

And, from BOTH the sites we looked @! LOL, Eset NOD32 rocked out everyone, bigtime.

And, NOD32 tied AVG, 4/8 tests won by each, no less.

I never said AVG was a cruddy product... I just said I find NOD32 overall the best, & especially for my needs... others' results, besides my own, seem to second that, with as current test data as I had available from BOTH of us.

II can test and have different results than you did.

Mine ARE the current, & most current @ that, afaik. August 2007?

I You go by your experience when you buy a av.

Well, I do... in heuristics. The most important one... no doubt about it. Still, the SPEED of it, means it not only is best in the most important one to me @ least, but absolutely HAULS A$$ @ it.

Two... for the price, of 1.

I If you are into detection rates and detection rates makes that product the best look at some real legit test scores here AV-Comparatives. The NOD32 is the best av product thew me off what a joke.

I did... uhm, are you SURE you did? Lol... ah, anyways.

APK

Edited December 6, 2007 by APK

[pepwin]

Just wanted to thank you for putting this info out. I made the changes on my windows 2003 server and the changes are working good for my home environment, but I have been considering switching OS due to all the rootkits issues with Microsoft, Sony and others I learned about a few years ago. I feel Windows OS are eventually going to be "hosed" in the not to distant future. Not to mention -Storm- that is out there and has me really concerned. My only problem with making a switch to a different OS the applications I use are developed only for a windows OS. Subsequently, that makes it a little difficult to switch over to another OS.

What would you suggest?

[APK]

Just wanted to thank you for putting this info out.

Well, then I'd like to thank YOU, for using it: You're doing what should have been done for you by Microsoft Iin part, especially in terms of services being on, by default, that most folks REALLY don't need (& get back extra CPU cycles, memory, & more for speed... but, also for security!). but moreso, by helping secure yourself?

You help secure the rest of us as well in a way - by your not being as insecured as is the default, you will be more "proofed" than normal, vs. 'spreading the diseases' out there (malware/spyware/virus/trojans etc. et al (you name it)).

Just by using CIS Tool, applying its suggestions, + your being smart about Javascript usage (& even adbanners, which IF you applied the CUSTOM ADBANNER BLOCKING HOSTS file, you should have picked up a large amount of online speed with also) & also about email practices & more, all listed above.

Addtionally - I hope you found using CIS Tool fun - like a game almost! I did @ least, & got the benefits it helps you yield, for yourself, also.

THIS IS HOW GOOD THINGS, START - it starts with YOU, & when others see your results? They start the trend of changes... "IF YOU CAN REACH JUST 1 PERSON", & all that stuff...

I made the changes on my windows 2003 server and the changes are working good for my home environment

Excellent - BEST NEWS A GUY COULD HEAR , from MY end @ least.

but I have been considering switching OS due to all the rootkits issues with Microsoft, Sony and others I learned about a few years ago. I feel Windows OS are eventually going to be "hosed" in the not to distant future. Not to mention -Storm- that is out there and has me really concerned.

You'll be better off NOW, setup the way you are currently because of applying the above material, than you would be WITHOUT them... this IS certain, vs. today's online threats out there presently (and yes, in the future too).

The Windows NT-based OS' of today (2000/XP/Server 2003 especially) are fairly solid by this point... it's the APPS you run nowadays, that need the work (Internet Explorer &/or Microsoft Office variants/versions being a PRIME example thereof in fact) that need the work @ this point, the most, imo @ least.

My only problem with making a switch to a different OS the applications I use are developed only for a windows OS. Subsequently, that makes it a little difficult to switch over to another OS.

What would you suggest?

Well, as far as ROOTKITS? They did NOT originate on Windows... they CAME FROM THE UNIX WORLD, originally. PLUS, see the replies I did above regarding bugs of various kinds on the MacOS X noted above on this page - it's not like OS switching will be a "magical panacea" & you might not have the apps you do on Windows, on them, period.

Yes, sacrificing functionality, for perceived security ONLY, @ best imo @ least... you can secure windows just fine, & by following some constraints (such as noted above about javascript, email, etc.)? You'll be FAR better off than without using these tips/tricks/techniques!

(For BOTH Speed, AND security).

Personally, I don't think folks NEED to switch to anything other than Windows of modern varieties nowadays (XP SP #2, Server 2003 SP #2/RC2 etc.) IF they set themselves up as is shown above & by the CIS Tool's guidance...

It's not like other OS' don't get attacked too, they do... but, think about this: IF You were a virus writer, wouldn't YOU go after the largest single block of users possible...

Especially if you are out to 'steal their identity/money'?

Sure you would... this is the single largest reason WHY Windows is assailed as much as it is, imo @ least & thinking like a criminal might who is out to rob you.

"Security by obscurity" (using a lesser used OS), is not an answer in & of itself.

APK

P.S.=> ABOVE ALL ELSE:

After a response like YOURS here? It makes me TRULY wonder now, who rated this thread such a LOW SCORE rating...

Especially considering that the results it yields, when its points are applied as you have done, per your testimony alone, show otherwise...

(Oh well, proof's in the pudding, NOT the ratings given this thread)

... thanks for that much! apk

Edited December 29, 2007 by APK

[betasp]

I only have one issue with your assessment. You are lumping together server and desktop security measures when they should be looked at differently. By not taking that into account, you are ignoring a desktop users experience as being a key factor in PC usage and productivity. There is no way to lock down 10,000+ PCs in a company the way you describe, and the help desk would be overwhelmed with "broken" sites.

[APK]

I only have one issue with your assessment. You are lumping together server and desktop security measures when they should be looked at differently. By not taking that into account, you are ignoring a desktop users experience as being a key factor in PC usage and productivity. There is no way to lock down 10,000+ PCs in a company the way you describe, and the help desk would be overwhelmed with "broken" sites.

I've done it on my workstations @ work on the job, & it works (via followig the exceptions noted in step #2 mostly)... no hassles.

In fact - MOST of what you can do with this tool & the suggestions above ARE migratable en-masse to networked rigs even (via logon scripts .reg file merges, filetransfers (like HOSTS), or Group Policies)...

& lets you go online & use the apps you use daily, no problems, online & on your local LAN/WAN internal to your shops out there guys. IF you run into apps that say, for example, need more ports open IF you applied say, Port Filters?

Well... open up more! netstat -b shows you the Tcp/udp endpoints & apps that are using them... use it.

If you use a custom adbanner blocking HOSTS file & folks don't like it on certain sites? Edit it with NOTEPAD.EXE, & redeploy it again enmasse via logon scripts for example to they, newly edited.

As far as "broken sites"? They ARE broken, IF they are spreading virus/trojans/malwares/spywares etc. et al... either way? YOU as the tech support person, can't win... face it.

Above all else - it takes FAR LESS TIME, to edit a HOSTS file, or port filtering list (via .reg file merges &/or edits of a file & redeploying it) than it does to remove a virus/trojan/spyware/malware in its entirety generally... this IS certain, & I am sure you concur in MOST cases.

I go thru it, every day, and most likely? SO DO YOU.

One of the reasons we HAVE this job, is because we are prepared to deal with nearly constant changes... hard to accept, but a "fact of IT life" really.

APK

P.S.=> IF you can educate your users, and I do everyday, as to say... javascript usage &/or email practices (as are noted above, & just a couple examples I'll use here)?

I turn them onto Opera (for the reasons noted above in fact where I expound on security vulnerabilities & ONLY USING JAVASCRIPT on sites that demand it!)

(I used shopping & banking sites as examples most folks would run into here & WHY & explain about LIMITING javascript usage to those sites that demand it, ONLY.)

This keeps attack surface area to a minimum, & helps keep them safe/secure online too.

People, once you explain things to them in terms they understand that yield a practical benefit (especially IF it gets them BOTH speed, AND security)?

Just like pepwin above for example??

They understand it, perfectly, & are NOT stupid... apk

Edited December 29, 2007 by APK

[betasp]

I've done it on my workstations @ work on the job, & it works... no hassles. MOST of what you can do with this tool & the suggestions above ARE migratable en-masse to networked rigs even... & lets you go online & use the apps you use daily, no problems, online & on your local LAN/WAN internal to your shops out there guys.

APK

I completely disagree. I think it is great that you did your machines at work, but come to my organization with over 22 locations, 10,000+ machines, centralized PC support and server support and roll this out and support all of the users. Also, I work in manufacturing, have you taken into consideration applications that cannot run wit some of the tools you described installed (or even run with non-administrative privileges).

I am not trying to pick your whole assessment apart because there are many good ideas in it, but using a tool does not a security expert make.

[betasp]

double

[APK]

I completely disagree. I think it is great that you did your machines at work, but come to my organization with over 22 locations, 10,000+ machines, centralized PC support and server support and roll this out and support all of the users. Also, I work in manufacturing, have you taken into consideration applications that cannot run wit some of the tools you described installed (or even run with non-administrative privileges).

I am in the same type of scenario...

E.G./I.E. -> 155 locations nationwide & 1,000's of machines.

This is NOTHING a file copy &/or .reg file merge (say, via logon scripts) cannot handle with ease, OR by AD + Group Policies really, & pretty fast for MOST of what is noted above in my 12 points.

BUT, what helps the most, imo? Educating folks as to WHY this is done & what bennies it yields.

I am not trying to pick your whole assessment apart because there are many good ideas in it, but using a tool does not a security expert make.

I never said it did: It is MERELY A GUIDE/MENTOR... it helps you, help yourself though!

... & makes it as "fun as is possible' imo @ least, by making it a game almost (a security benchmark) that provides guidance to the user @ best, to secure themselves with.

APK

Edited December 29, 2007 by APK

[APK]

I only have one issue with your assessment. You are lumping together server and desktop security measures when they should be looked at differently. By not taking that into account, you are ignoring a desktop users experience as being a key factor in PC usage and productivity. There is no way to lock down 10,000+ PCs in a company the way you describe, and the help desk would be overwhelmed with "broken" sites.

I've done it on my workstations @ work on the job, & it works (via followig the exceptions noted in step #2 mostly)... no hassles.

In fact - MOST of what you can do with this tool & the suggestions above ARE migratable en-masse to networked rigs even (via logon scripts .reg file merges, filetransfers (like HOSTS), or Group Policies)...

& lets you go online & use the apps you use daily, no problems, online & on your local LAN/WAN internal to your shops out there guys.

EXAMPLES (small set, but some ideas for you):

===================

1.) IF you run into apps that say, for example, need more ports open IF you applied say, Port Filters?

Well... open up more, for the port needed, AS needed!

I.E./E.G.-> netstat -b shows you the Tcp/udp endpoints & apps that are using them... use it.

-----

2.) Same with services too... turn on ones you NEED, omit ones you don't (easily done via Group Policies for the most part), & get users back CPU/RAM & more security as well as speed.

-----

3.) If you use a custom adbanner blocking HOSTS file & folks don't like it on certain sites? Edit it with NOTEPAD.EXE, & redeploy it again enmasse via logon scripts for example to they, newly edited.

That's just some...

As far as "broken sites"? They ARE broken, IF they are spreading virus/trojans/malwares/spywares etc. et al... either way? YOU as the tech support person, can't win... face it.

Nice part is, changes are what keep YOU & I, working.

Above all else - it takes FAR LESS TIME, to edit a HOSTS file, or port filtering list (via .reg file merges &/or edits of a file & redeploying it) than it does to remove a virus/trojan/spyware/malware in its entirety generally... this IS certain, & I am sure you concur in MOST cases.

===================

I go thru it, every day, and most likely? SO DO YOU. An ounce of PREVENTION >= 1 lb. of "cure"...

One of the reasons we HAVE this job, is because we are prepared to deal with nearly constant changes... hard to accept, but a "fact of IT life" really.

Case in point, about change in this field, from the application development standpoint, rather than just that of an IT tech/admin:

I spent a GOOD 10 yrs. of my 15 as a pro in this field as a developer: Apps you build, custom ones especially? Are an ONGOING process for MANY things in them (new reports, changes to directory structures & shares as well as their security levels on ACL's etc.) happen...

Heck - look @ the changes occurring in the OS' & apps we use - near CONSTANT updates.

APK

P.S.=> IF you can educate your users, and I do everyday, as to say... javascript usage &/or email practices (as are noted above, & just a couple examples I'll use here)?

I turn them onto Opera (for the reasons noted above in fact where I expound on security vulnerabilities & ONLY USING JAVASCRIPT on sites that demand it!)

(I used shopping & banking sites as examples most folks would run into here & WHY & explain about LIMITING javascript usage to those sites that demand it, ONLY. IT scenarios would most likely be somewhat different, but the point's there... exceptions sites in Opera @ least, are INCREDIBLY easy to do & use!)

This keeps attack surface area to a minimum, & helps keep them safe/secure online too.

People, once you explain things to them in terms they understand that yield a practical benefit (especially IF it gets them BOTH speed, AND security)?

Just like pepwin above for example??

They understand it, perfectly, & are NOT stupid... & I am certain, lol, that HE did not "rate this thread down", just based on his results using this thread's points... I wonder who did, & WHY? apk

Edited December 29, 2007 by APK

[APK]

Just wanted to thank you for putting this info out. I made the changes on my windows 2003 server and the changes are working good for my home environment

Proof's in the pudding... & that quote's for betasp really.

Pepwin above shows it CAN be done, & works... & he's happy with it, as a case-in-point example from the repliers here.

His results alone are what is making me wonder WHY this post was rated so low... when, all it does, is give you more SPEED (via more RAM, cpu cycles, & more being freed up) & SECURITY (via all of this posts' 12 points noted above).

APK