HOW TO SECURE Windows 2000/XP/Server 2003 & EVEN Vista in 12 steps



If you use a custom adbanner blocking HOSTS file & folks don't like it on certain sites? Edit it with NOTEPAD.EXE, & redeploy it again en masse via logon scripts for example to them, newly edited.

How much productivity in dollars does that cost each time?

Above all else - it takes FAR LESS TIME, to edit a HOSTS file, or port filtering list (via .reg file merges &/or edits of a file & redeploying it) than it does to remove a virus/trojan/spyware/malware in its entirety generally... this IS certain, & I am sure you concur in MOST cases.

Same question?

In a well run corporate environment, it would take at least a few weeks for each modification to go through change control to protect the infrastructure. In that time, there are things/sites not working that is impacting user productivity. This would especially be true if browser functionality is considered a critical business function.

Note: There is not really constant change in IT, there is constantly planned, and documented changes to IT systems... Instead of wondering why this thread is getting rated lower, listen to what some of us are willing to come here to say. The first time I read your post I rolled my eyes and thought to myself "another server geek spouting what is best for a machine without realizing what is best for a company." I don't have the time nor inclination to go through your post line for line and tell you the pros and cons of each, but there are lots of holes in your philosophy. I think that throwing a machine securing step-by-step guide in a forum and acting like it is gospel hurts your credibility since you seem to be spending much of your time defending it rather than adapting it based on the thoughts of others. Then again, I stopped day to day tech a few years ago when I moved to management. Remember, change is not what keeps us working, benefiting that bottom line is what keeps us working. Server securing and optimizing can be outsourced...

PS. If you don't see why I don't even acknowledge Pepwin's success story, I can't help you.


How much productivity in dollars does that cost each time?

Less than it takes to remove a virus/spyware/malware/trojan for the most part in MOST cases with them as I stated above... & the "downtime" that incurs for the user typically also while removing them from their affected system!

E.G./I.E.-> To do these, COMPLETELY? Takes 1-3 hours typically, for COMPLETE removals, OR, risking losing a user's data (say, by rolling them back via SYSTEM RESTORE, or even disk images, which are usually @ least SOMEWHAT, out of date/stale to @ least SOME extent).

An ounce of prevention >= 1 lb. of "cure"...

As far as "broken sites"? They ARE broken, IF they are spreading virus/trojans/malwares/spywares etc. et al... either way? YOU as the tech support person, can't win... face it.

Russian Business Network, & the exploits they put upon us all via Javascript + Flash & Shockwave Objects are classic cases of this in fact, & on sites you'd THINK were "safe" too.

Countering for that is NOT "planned". FAR from it...

Also, waiting out vendor patches is a definite danger period as well. Setting up "test rigs" for patches are another "wait & see" timeperiod also... but, one that OUGHT to be practiced with specific CUSTOM APPS (especially) your organization has, to see if the patches adversely affect them, or not (same with changes like these too).

Nice part is, changes are what keep YOU & I, working.

I don't have the time nor inclination to go through your post line for line and tell you the pros and cons of each

Why not? That is what makes it better period. It IS what I asked for as well, in my init. post in this thread: I am always "on the lookout for that" in fact... it makes this post, that much stronger, each time they occur & who gains??

End users.

there are lots of holes in your philosophy.

Funny... pepwin didn't think so & initially, neither did you it seemed, per this quote excerpt of your words:

I'm not trying to pick your whole assessment apart because there are many good ideas in it

( & pepwin's results (home user, to which this post is noted to be GEARED TO MOSTLY, mind you & I state that @ its outset/onset) are spoken for via his own words in testimony here in fact, by his own trying this stuff & applying it)

... & 1 thing's certain about that, as regards any "holes' present: HIS OS NOW HAS FAR LESS OF THEM, lol!

APK

P.S.=> Incidentally - This ENTIRE post is geared to HOME users by the way & I state it from the outset.. didn't I? Pepwin's results & testimony are just 1 example thereof!

Not that it matters... for the reasons noted above using logon scripts for .reg file merges OR HOSTS file edits & replacements, BUT especially step #2 & warnings I note on it??

It's NOT "impossible to do", for corporate LAN/WAN environs either!

It just demands you DO YOUR JOB, & setup test rigs with custom apps your company may be using, especially "in house" developed ones.

That takes less time than burning off virus & such from user's rigs, especially if they number into the 100's/1,000's & have been victimized... & then just having them happen AGAIN, because you did not apply preventative measures as are noted in this thread & educating your users.

(This comes from my working as a developer for 10 of the 15 yrs. I have as a pro in this field in that capacity, but also for network engineering which I have been @ during that time also (have to be BOTH nowadays imo @ least, to TRULY understand it & to do your job, period))... apk

Edited by APK

Nice job, I will read through it more thoroughly after I've slept :)

Oh and stop hating on him, he obviously has an idea as to what he's talking about, there's been a lot of rude replies when, IMO, they are clearly not warranted.

He's doing people a favour here, he didn't have to post this information, be grateful.


Nice job, I will read through it more thoroughly after I've slept :)

Thank you. I think you'll be glad you did, & using the CIS Tool as your guide, you can actually make this sort of "fun" to do, & learn a new trick or two quite possibly from it (I certainly did, this is certain).

Just when you think you "know it all", a tool like CIS Tool (using myself as an example in fact) might just show "an old dog, a new trick" (or two, or more etc.)... it certainly did me.

Oh and stop hating on him, he obviously has an idea as to what he's talking about

Well, I personally like to think I can "get the job done" & all that... but, nobody knows it all.

Again: The CIS Tool made me realize this VERY thing = I thought I had my system "locked down as tight as possible" prior to running it... & I nailed around a 72.xxx/100 score, initially, prior to using the CIS Tool's suggestions...

Afterwards, upon utilizing its security suggestions (based on "best practices" for any platform it's run on)? I got up to 85.706/100 (quite a jump, imo @ least)... & that alone proved to me, there was something to gain by using it.

Its suggestions DID "bear out as true", when I checked it against information from Microsoft & other reliable sources in fact.

there's been a lot of rude replies when, IMO, they are clearly not warranted.

I actually ASK for critique of the points I put out here, & in my VERY FIRST POSTING in fact (@ its terminating P.S. paragraph in fact)... betasp stated there are "holes" in my ideas, but he offers NO SPECIFICS.

And, like I said above, about MY system & pepwins? The only "holes" there were, were ones in my security (and, pepwins prior to using this thread's suggestions & CIS Tool's as well)... there are "holes no more" now, @ this point, because of the material in this being applied by us BOTH (pepwin & myself).

That is what I actually ASKED for, just to make it stronger, in the form of SPECIFIC critiques...

betasp offers none though & said it would be "too much for him to do so" etc. (to each his own, but, imo @ least? IF you're going to cut something down, be specific as to WHY you are doing so, with examples).

The last thing I want is to lead others astray - other's critiques help to avoid that. I do NOT know everything, & it IS possible I make mistakes too... thus, I specifically did ask others critique its points, but, with concrete examples as to where they may be "wrong" etc.

He's doing people a favour here, he didn't have to post this information, be grateful.

I hope you enjoy taking the CIS Tool test, & using its suggestions then.

I think you will, & hopefully, like pepwin here did?

You find it useful to have installed, run, & applied its suggestions + my own on top of it to secure yourself online, especially today/nowadays (it's nuts out there with virus/trojan/spyware etc. et al)...

APK

Edited by APK

Oh and stop hating on him, he obviously has an idea as to what he's talking about, there's been a lot of rude replies when, IMO, they are clearly not warranted.

He's doing people a favour here, he didn't have to post this information, be grateful.

On this point of yours - I actually DO invite "critique" of my points though, & do specifically ask for it (initial post "P.S. section" @ its termination in fact)...

Albeit, I would like documented evidences from reliable sources that contradict that which I put up, so users can read BOTH my views, vs. that of my naysayers, themselves... & decide FOR themselves, as you have + others replying here.

Also, as noted above in my last reply to you, I can see "cutting something down", but, only after offering up concrete data & proofs to substantiate it... not just "hot air"...

HOWEVER:

When I ask those that attempted to "cut this thread down" for those, ontop of my offering up data that is verifiable from reliable sources which contradicts theirs (mainly thunderrooster, raskren, & now betasp)?

I got NO replies.

APK

P.S.=> I'll discuss ANY point in this set of 12 points with anybody, as to their effectiveness & capabilities, and when to use them (or, to modify them for "special circumstances" & HOW, quickly, via .reg file merges, & file copies during logon scripts operations, OR Group Policies in AD, as I did with betasp), OR not.

OR about security points on browsers (as I did with raskren), & I got no replies back (but, certainly a "mod down" rating, lol, & that only)

OR about AntiVirus program (or antispyware etc.) as I did with thunderrooster... & the latest antivirus ratings data from av-comparatives (the site he cited in fact) tends to 2nd me yet again that NOD32 outperforms AVG (his choice as the "best" antivirus in fact) & most all others on the MOST grounds, from their latest Nov. 2007 testings!

Whenever I have put out data that contradicts theirs, did I get factual replies based on observations from reliable sources?

No... Just "mod downs" down ratings of this thread...

That's not very good to do, unless you can back it up, imo @ least!

Plenty of THAT happens in forums, but, I don't think the "mod downers" realize that anyone with ANY sense @ all can take a read & say as you did (in essence):

"Gee, this thread has some good information in it, & those that attempted to cut it down inside offered no specifics or verifiable data as to WHY!"

(Doubtless other readers besides yourself have, such as yourself, pepwin, Colin-UK (mod here who put this in ESSENTIAL GUIDES section here in fact) & others as well (thunderstruck) as some examples thereof)... apk

Edited by APK

Pretty good guide.

Thanks - it just works.

But work on your people skills, writing essay replies for every comment is a little overboard.

I put out COMPLETE, & documented (usually) evidences in replies (unlike my "naysayers" here) to my "naysayers", & it's not just from "my mouth/pen/keyboard" many times, also...

(This is for the benefit of the readers, so they CAN make "informed decisions", & based on information from others, which are usually reliable sources that others know about).

APK

P.S.=> I invited my "naysayers" to do the same... what did I get here though from them (thunderrooster, raskren, & betasp)? ZERO, just cut down & run tactics @ best.

Again - I freely invite critique, but when I can show workarounds OR faults in my naysayers replies? They just "cut down & run", & you never see them reply again, & CERTAINLY not with specifics.

(Specific example = mine, vs betasp: Even in corporate LAN/WAN setups, though this post is specifically geared to home users WITHOUT LANS & states it @ its outset? That is NOT undoable in corporate environs either... I know so, I have it applied that way @ work in fact on workstations there. The SAME THING happened with thunderrooster (others cut him down though 1st), & also raskren)... apk


Note: There is not really constant change in IT, there is constantly planned, and documented changes to IT systems...

Sure, from YOUR perspective as a "manager" (been there myself, I know first hand)...

Try tell that to a coder developing an app, or network techs/engineers fielding changes to the network itself (or, even in testing MS Patch Tuesday's patches on test boxes & ESPECIALLY with in-house custom developed apps - been there myself for YEARS, on ALL/EACH of those levels).

Instead of wondering why this thread is getting rated lower, listen to what some of us are willing to come here to say.

I have - I pointed out the very weaknesses in YOUR reply, based on time/money used for corrections... things I have to do, FIRST HAND "in the trenches" every day on the job!

Most unlike yourself presently per your own words & on the SPECIFIC grounds & views of the people that actually DO THE JOB, unlike yourself in mgt. presently.

What I pointed out, vs. your points? I got NO REPLY from YOU on... same with the other "naysayers" like raskren, & thunderrooster (who was severely cut down by others in fact for it).

The first time I read your post I rolled my eyes and thought to myself "another server geek spouting what is best for a machine without realizing what is best for a company."

AND, I read yours, & thought:

"Another 'manager', who is SO FAR REMOVED from the actual work, he is talking out his YOU-KNOW-WHAT, as is usual for MOST mgt."

Additionally - this "geek's" been & done some things noted in THIS VERY THREAD in fact, that I severely DOUBT you have, in THIS field, over more than a decade in this field!

E.G. #1: In written publication (10 over time so far), reviewed by peers OR superiors in technical editors (e.g. Mr. John Enck of Windows NT/2000/.NET/IT Pro magazine)

OR

E.G. #2: Taking corporate bodies (EEC/SuperSpeed.com) to FINALIST positions 2 yrs. in a row running @ Microsoft Tech Ed, via research I did for them while being on paid contract to improve another of their wares (up to 40% improvement in fact), in the HARDEST CATEGORY THERE:

SQLServer performance enhancement.

That's just SOME... there are others, & plenty of them (iirc, noted in this thread)... BUT... that'll do.

I don't have the time nor inclination to go through your post line for line and tell you the pros and cons of each

You sure you didn't mean "I don't have the skills or know-how to do so, vs. his replies @ this point (which were in reply to my own?"

but there are lots of holes in your philosophy.

LOL, again: It seems the only "HOLES" were the ones in pepwin's system that no longer are there, per the CIS Tool's guidance & points of my own...

(&, of course, the "holes" I put into YOUR reply, based on your OWN points even THOUGH THIS IS GEARED TO HOME USERS WHO DON'T USE A LAN (the majority) & CONNECT TO THE PUBLIC INTERNET!

which you COMPLETELY IGNORED, & I offered workarounds to even corporate LAN/WAN environs users to whom you attempted to steer this to, mind you, to which you are left with zero reply!)

Don't skim next time... read closer, Mr. Manager. You'd think all your day of email replies would have taught you that @ least.

I think that throwing a machine securing step-by-step guide in a forum and acting like it is gospel hurts your credibility since you seem to be spending much of your time defending it rather than adapting it based on the thoughts of others.

I defended my points, & to which it seems, you are struck "speechless"... with NO valid replies.

Then again, I stopped day to day tech a few years ago when I moved to management.

Nuff said, & YOU SAID IT YOURSELF... you're possibly TOO FAR REMOVED & for too long, to do this job anymore?

Have you considered that??

I mean, I offered easy workarounds to your points (& this post is geared to HOME USERS WITHOUT A LAN, not corporate ones, which you SKIMMED PAST completely!

(Though I point out SIMPLE & FAST ways around that too & note them from the onset in point #2 in fact)

AND, they're ones that cost LESS in manhours + time/wage, than it would be for damage incurred by NOT planning ahead & securing end point nodes (workstations).

See here, OR, just query "SECURING ENDPOINTS" on Google... ok?

http://64.233.169.104/search?q=cache:p7jTv...;cd=2&gl=us

That's from a mgt. viewpoint, no less... & all about securing endpoints (which workstation nodes count as 1 example thereof) since you state so much about "planning" etc. et al.

Remember, change is not what keeps us working, benefiting that bottom line is what keeps us working. Server securing and optimizing can be outsourced...

I know, I am a contract employee in fact currently.

Bottom line of protecting system OUGHT to be paramount to corporate bodies especially... or, is protecting vs. data breach breakins NOT part of YOUR program?

Apparently so, though you "talk a good game" about planning etc. et al.

PS. If you don't see why I don't even acknowledge Pepwin's success story, I can't help you.

BOTTOM-LINE:

If you can't read, & see this post is geared to folks like he, & NOT corporate bodies (which it states nearly immediately @ its outset/onset, WHICH YOU COMPLETELY MISSED, lol)?

Then I DON'T KNOW WHAT TO TELL YOU...

& there are workarounds for those environs even, fast ones, that help planning vs. attacks/hackers/crackers above, & when I put them out??

You outright RAN, vs. those points... I can speculate why too:

You are TOO FAR REMOVED, as "mgt.", & don't actually do the work involved, point-blank (your lack of reply to my reply to you above, notes this clearly in fact)...

APK

Edited by APK

betasp, what's the matter?

Cat got your tongue??

OR, is it that you shot your mouth off talking trash about pepwin's results using the material in this post, & did not realize that this post is geared to people JUST LIKE HE (a home user with NO LAN & connected to the internet) because you skimmed past that, which it states @ its VERY BEGINNING no less, & you outright skimmed over that???)

I post things on this page that even make it SIMPLE TO DO on a LAN (be it home or corporate) & it works!

I have done exactly that, applying this material, on LANS before in BOTH home & corporate environs & it works.

(Simply by following step #2 & using netstat -b allows you to also make exceptions WITH EASE for port filtering, & that's easily migrated using .reg files, IF NEED BE, as well in LAN environs (& even AD Group Policies iirc as well) plus, filecopies in the case of a HOSTS file via logonscripts)

Those are just 2 examples of where YOU ARE WRONG/OFF, & in CORPORATE ENVIRONS!

(& I'd discuss ANY OF THEM & did on others in fact on this VERY PAGE above, that is, IF one of you 'naysayers' would actually have something valid to say, instead of lame 'generalities' but, no specifics @ all on your parts.).

Now, if you do NOT plan for securing endpoints, & layered security in your company, vs. online attacks... what kind of security is that?

BetaSp, you in particular:

YOU refuse to discuss ANY SPECIFICS, though you cut this post down... lol!

I think that is because you lack the ability to do so, & ANYBODY can state generalities, & especially "mgt." (no hands on b.s.'ers MOSTLY in this field, unfortunately, though there are exceptions, but you are NOT proving to be one of those RARE mgt. people in THIS field)...

Above all, your lack of specifics, & inability to back your "points" with them, vs. my replies on the things you noted?

Speaks worlds about you. Anyone can read the above, & judge for themselves.

APK

P.S.=> Plenty of "naysayers", but, never any specifics... raskren, thunderrooster, & betasp???? Who do you 3 think you are fooling???? apk


nevermind.

I suppose, but, you complained I "lumped business LAN concerns together with desktop home user ones" in essence!

(AND, I stated, right from the outset in the 1st post in this thread, IT IS GEARED TO STANDALONE HOME USERS, not business ones, which you outright "SKIMMED" over missing it!)

Not that it matters, because of points #1, & #2 below in THIS post (and because of my 2nd post in this thread which outlines what NOT to use/turn off-on, as far as LAN/WAN users are concerned)...

Fact is, by using tools like:

=====

1.) Active Directory Group Policy Management console? You can MASS DEPLOY any of the settings noted by CIS Tool you need to... just like using local SECPOL.MSC basically, albeit @ a domain level (& you can even TELL it to override the domain wide policy with the local secpol.msc policy for that machine even in its AD-wide ones).

----

2.) LOGON SCRIPTS: Ever used THESE?? You can easily merge in .reg files OR in the case of a custom adbanner blocking HOSTS file, recopy (after edits IF any are required for a particular user that is) it to the user's default location for it of %windir%\system32\drivers\etc, with ease.

=====

You CAN deploy this stuff, WITH EASE, to all network nodes, for layered endpoint security... or, is it NOT part of your security @ your job, to do this?? If so, "shame on you"... period.

So, that all given? How can you state, this:

There is no way to lock down 10,000+ PCs in a company the way you describe, and the help desk would be overwhelmed with "broken" sites.

B.S. - see the above, ok?

You said you have an MCSE to me in private messaging/mail here... well, given your reply quoted above? I do NOT believe that...

APK

Edited by APK
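The two deployment mechanisms named in the post above (a logon script that merges a .reg file, and recopies an edited custom HOSTS file to %windir%\system32\drivers\etc) put together as one script. This is an added example, not the thread author's own script; the share \\FILESERVER\deploy, the file names hosts and lockdown.reg, and the logs folder are assumptions, so substitute your own paths.

```batch
@echo off
REM Example domain logon script (added here; not from the thread or its author).
REM It does the two things the post describes: recopy a custom ad-blocking HOSTS
REM file and silently merge a .reg file of lockdown settings on each workstation.
REM ASSUMPTIONS (hypothetical): the share \\FILESERVER\deploy, the files hosts
REM and lockdown.reg on it, and a writable \\FILESERVER\deploy\logs folder.
setlocal

set "SRC=\\FILESERVER\deploy"
set "HOSTS_DST=%windir%\system32\drivers\etc\hosts"
set "LOG=%SRC%\logs\%COMPUTERNAME%.log"

REM --- 1) HOSTS file --------------------------------------------------------
REM Compare the master copy byte-for-byte with the local one first, so the file
REM is only rewritten when it really changed (keeps logon fast on 1,000 nodes).
REM fc returns 0 = identical, 1 = different, 2 = a file is missing;
REM "if errorlevel 1" catches both 1 and 2, so a missing local copy is replaced.
fc /b "%SRC%\hosts" "%HOSTS_DST%" >nul 2>&1
if errorlevel 1 (
    copy /y "%SRC%\hosts" "%HOSTS_DST%" >nul 2>&1
    if errorlevel 1 (
        REM Typical cause: the script runs as a non-administrator user, who has no
        REM write access to the etc folder (see the usage note below).
        echo %date% %time% HOSTS copy FAILED on %COMPUTERNAME% as %USERNAME% >>"%LOG%"
    ) else (
        echo %date% %time% HOSTS updated on %COMPUTERNAME% >>"%LOG%"
        REM Drop cached DNS answers so the new block entries take effect at once.
        ipconfig /flushdns >nul 2>&1
    )
)

REM --- 2) Registry settings -------------------------------------------------
REM regedit /s merges a .reg file silently and exists on Windows 2000, XP and
REM 2003 alike. It gives no reliable exit code, so only the attempt is logged;
REM verify the resulting values on your test rig with "reg query" before rollout.
if exist "%SRC%\lockdown.reg" (
    regedit /s "%SRC%\lockdown.reg"
    echo %date% %time% lockdown.reg merged on %COMPUTERNAME% >>"%LOG%"
) else (
    echo %date% %time% lockdown.reg MISSING from %SRC% >>"%LOG%"
)

endlocal
```

A user logon script runs with the logged-on user's rights. On a domain where users are not local administrators, the HOSTS copy and any HKLM entries in the .reg file will fail (and show up in the log); in that case assign the same script as a computer startup script through Group Policy instead, which runs as LocalSystem before anyone logs on. Either way, run it first against a test rig carrying the in-house applications, exactly as the thread recommends for patches, since a HOSTS entry or port filter blocks that host for every program on the machine, not just the browser.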

How much productivity in dollars does that cost each time?

Again: MUCH LESS than it would to remove them from 100's to 1000's of compromised machines, as is the case with virus & spywares for example (which, generally, to FULLY remove them? Takes 1-3 hours per workstation IF compromised).

I know - I actually DO the job is why...

In a well run corporate environment, it would take at least a few weeks for each modification to go through change control to protect the infrastructure.

So? Does that mean that because it takes time, to protect vs. data breach intrusions, that it is NOT worth doing?? What kind of security do you actually have I must ask...

Hey - layered security & securing ENDPOINTS (of which client workstations are mind you, as 1 form of them) are the thing to do, not just perimeter defenses.

In that time, there are things/sites not working that is impacting user productivity. This would especially be true if browser functionality is considered a critical business function.

So, you'd rather they hit a website with known issues like adbanner blocking custom HOSTS files can protect you against... such as the Javascript/Shockwave object/Adobe FLASH issue allows, ala the "Russian Business Network" etc. et al??

Note: There is not really constant change in IT, there is constantly planned, and documented changes to IT systems...

Try to tell that to guys that actually DO the work, like coders &/or network admins-techs... ok?

You mention custom apps...

FACT:

I spent more than a decade professionally building them, along with being a network tech/admin in fact as well (have to be to do THIS level of work, especially ENTERPRISE CLASS apps)!

(... & department heads always ask for changes quite frequently, as well as their users, from little useability issues, to new reports or mods to existing ones, IF NOT BUGS outright that need corrections).

Instead of wondering why this thread is getting rated lower, listen to what some of us are willing to come here to say.

You offer NO specifics, & avoid proving HOW my points are bad, period... no specifics is telling me you do NOT know what you're talking about, period.

The first time I read your post I rolled my eyes and thought to myself "another server geek spouting what is best for a machine without realizing what is best for a company."

AND, again: I just thought to myself: Here is another buddy of the company owner, who has his job, because he has his PAPER MCSE, but doesn't actually know what the hell to do in an actual production environs!

After all - you didn't even REALIZE AD Group Policy mgt. allows for most of the settings to migrate to clients (from the suggestions of CIS Tool) & that logon scripts allow for it for things like .reg file merges &/or HOSTS file copies to client node workstations...

Give us a break.

I don't have the time nor inclination to go through your post line for line and tell you the pros and cons of each

No, I am fairly SURE you are nothing but a "paper MCSE" actually, based on your ignorant statement that the settings here cannot be easily mass deployed to a corporate LAN/WAN & its nodes on its network (servers AND workstations).

there are lots of holes in your philosophy.

Really? I'd like to hear the specifics from you then, as to who/what/when/where & why...

(Especially in regards to Active Directory Group Policy Mgt. tools usage, IF NOT logon scripts (for example, for the areas I mention above in fact as just 2 points' examples from my post here). I will GLADLY discuss others too... please, feel free).

The only "holes" there were, were in my system & pepwins prior to applying this stuff I wrote up... they are there, no longer.

Plenty of holes in what you state though: See next points...

I think that throwing a machine securing step-by-step guide in a forum and acting like it is gospel hurts your credibility since you seem to be spending much of your time defending it rather than adapting it based on the thoughts of others.

Defending it against AMBIGUOUS b.s. from you? Absolutely... especially when I disprove your points, EVEN ON A CORPORATE LEVEL... though, I specifically initially state this is for HOME users connected online to the public internet.

PS. If you don't see why I don't even acknowledge Pepwin's success story, I can't help you.

Ugh... see the first post? Does it say it is geared to corporate users?? NO... you, however, state it cannot be done & I show you how, easily, & with WHAT TOOLS, & in point #2, what to look out for & NOT do.

Care to dispute that?

APK

P.S.=> Every person (thunderrooster, raskren, & now betasp) who put this down, when faced with verifiable &/or documented replies from myself that clearly & cleanly disprove their "ambiguous" putdowns of this thread, has not been able to disprove my points in rebuttal...

& betasp tells me "I should listen to them"... yea, ok, sure... lol! apk

Edited by APK

Id like to say THANK YOU @O.P

I read through it and most of the guidelines and advice given has already been implemented at home.

But hey it'll be cos I'm another server geek ;)

to the negative posts......at least the guy is trying to help and share his knowledge from the corporate workplace....what have you donated or shared with others here? If you don't like his post or what he's sharing here's a concept........move along to another's post!

It's amazing how many people get so worked up about things people post in the premise of actually trying to be helpful for others for FREE

It's so depressing how the standards have fallen here :( we used to be one big happy family and appreciate people imparting their knowledge for others to use or not use as they saw fit.

APK this is a prime example to why we should be more like BOFH ;)

BOFH home

Peace out fellow Silicon Chimp

Edited by Mando

Something VERY cool, as regards online security, that I stumbled onto during my meanderings online today!

(A fairly big day in security news imo @ least on a number of grounds, not just with it being "MS Patch Tuesday" *big patch today too imo, from MS*, on Tcpip.sys & lsass.exe, but in terms of security breaches etc. & all this week on application exploits (FireFox REALMS spoofing bug & more), but this one in particular is one that ought to be part of this post, so... here goes):

Read on, past this part, this is just crediting the slashdotter who turned me onto the REAL TREAT in this thread, later, that will definitely help you with layered security online by ALL means, & not just HOSTS files, but better DNS servers (like OpenDNS, great stuff, BUT... A NEW ONE (for me @ least) with an ADDED security 'twist'):

----

MASS HACK INFESTS THOUSANDS OF SITES:

http://it.slashdot.org/comments.pl?sid=409...mp;cid=21953040

It's one done by a combination of Javascript (like usual the past few years now), & SQL Injection (concatenated statements inserted into DB columns because the coders on the front end didn't "scrub/sanitize" the outputs from it, usual cause)...

----

Well, if you read the above in the "12 steps to securing your Windows NT-based OS" above?

Then, you know my thoughts on HOSTS files being used to protect you!

(AND, using a modified/custom HOSTS file to speed you up online via making access to fav. sites of yours faster by not having to query DNS servers even IF YOU WISH... PLUS blocking out potentially malicious adbanners which we ALL have heard tons about lately, caused by Javascript, bum ActiveX controls, &/or Java even being misused)

Anyhow, the URL? That is largely what that link above is about from TODAY (date of this post)

Also then you know my thoughts & reasons on points also, like limiting Javascript in browsers!

Opera's the best (& fastest + safest browser there is) @ doing THIS also, imo, by natively allowing you to first GLOBALLY block Javascript's use on MOST ALL sites to protect yourself against threats like the above, or others more geared to "home users" etc. et al even...

(ONLY allowing it on sites that demand it... thus, limiting your "attack surface area" only to those websites you use, that demand you use Javascript, because you need it on them FOR REAL, not just "glitzy features" but for database access/queries return recordsets & updates/inserts etc. et al, on sites like banking &/or shopping ones for example).

ANYHOW/ANYWAYS:

Well, from that thread, I got another "layer of security" (and, for parents WITH KIDS? An excellent "AntiPr0n" shield that works too with EASE, because of the DNS servers being used)...

ScrubItDNS:

http://www.scrubit.com/

:)

* GREAT IDEA, & it WORKS, painlessly... AND F A S T, too!

APK

P.S.=> Take a read of what it does, how EASY it is to implement (lol, they even give a GUI to do the job for you, because digging into your network connection MIGHT be a "bit much" for some folks, to make it easy for anyone really... 2 clicks!) & YOU DECIDE...

I have tried it, & it DOES work, by filtering off sites thru it that are 'dangerous' OR 'offensive' (like ones you might find that are involved with the above exploit, or others like GOOGLE + SPYBOT Search & Destroy help you with) - PLUS, Pr0n sites (some of you, lol, may NOT like that "feature" though).

Still, bottom-line - For layered security? This is a GOOD idea, this "scrubit" DNS server... imo, so far @ least... apk

Edited by APK

Id like to say THANK YOU @O.P

Thanks man... same to you, fellow "silicon chimp" (lol)... one of my co-workers (pretty damn sharp tech too) goes to that site: "The Register", & he keeps telling me about it, to try it (more of a /.'er here (slashdot)).

:)

Here are some examples where folks have started using CIS Tool & my points in this list, to their benefit:

BUSINESS USER WHO HAS APPLIED IT IN HIS COMPANY LIKE I HAVE - Thronka is his name:

http://www.xtremepccentral.com/forums/showthread.php?t=28430

HOME USER WHO HAS APPLIED IT IN HIS HOME STANDALONE SETUP, AND SCORING 7x.xxxx & then 85.388 iirc, & nearly off the bat no less (default score of 46.xxx though @ first) - Alexstarfire is his name on this URL page below:

http://forums.guru3d.com/showthread.php?t=246538&page=2

POST WHERE IT WAS IMMEDIATELY MOVED TO A STICKY STATUS (GUIDE, like here & how Colin-UK did that for it here) IN ANOTHER FORUM:

http://www.proprofs.com/forums/index.php?showforum=135

A SECURITY FORUM HAS EVEN RECEIVED IT WELL, note the viewcounts etc.

http://www.security-forums.com/viewforum.p...a53b48c2aac977c

* There's others, but... that'll do, for now. The point is, this is starting to get around, & you guys can see some successes by normal folks, & GEEKS/NERDS alike, using it & doing well on it, & its views in total summation, have crossed over 30,000 views by this point across 25 forums or so (roughly avg.'ing between 600-1500 views per forums), in only a month's time, approximately!

(AND, THAT IS THE POINT - to help folks, help themselves, via a fairly "FUN" test in CIS Tool, that guides you to it, in addition to some more in my points above to supplement it for things CIS Tool does NOT account for!)

Anyhow - Enjoy, & I thought I would "share some good news" with you guys about it, & to show that it DOES work for workplaces too, & not just mine, but others also...

APK

P.S.=> This "proof material" & testimonial URLs above & such, is MAINLY for my naysayers in this thread so far... like:

1.) ThunderRooster, whom others scolded worse than I did here...

2.) Raskren (who a few pages back must NOT have looked @ the results from the AntiVirus testing sites HE even used, in av-comparatives, because NOD32 absolutely ROCKED AVG there, & again lately too in Nov. 2007 tests, but also from vb100, another well rated antivir test site)

3.) & lastly - betasp on this page above & the one before it.

Heh - On this page here, the MCSE above in betasp stated this would not be "good for a company to do", & layered security DOWN TO THE ENDPOINTS, is the recommendation for security nowadays (I mean, hey - look @ it out there, you know?)!

Additionally - HIS (betasp above) outright omitting the fact I applied it on workstations on the job in a company that has more nodes than his does & more locations etc. as well, from business environs where a person besides myself is enjoying the benefits of layered security, & DOWN TO THE NETWORK NODE ENDPOINTS (PCs), doesn't make too much sense - I'd rather pay some network techs a few more bucks 1 week, than risk lawsuits based on data breaches, for instance.

----

+ others who doubtless "downrated" this thread YET offered no discussion why & NO specifics, like the MCSE in betasp above (who overlooked the fact I gear this MAINLY to home users with single PCs at home, no LAN, but I show HOW it can be done easily across many nodes on a LAN/WAN via techniques noted above on THIS very page!)... apk

Edited by APK

With skimming through this thread and seeing both sides of the issue, I don't agree or disagree with any specific theories put forth. However, despite those who are educated beyond measure in technology and IT and so on and so forth, your posts honestly give me a headache trying to read them. You get your point across in what you say, but I would suggest a more linear, smooth-flowing format.

Reading broken lines like that, with text in bold thrown in randomly along with the quotes, makes it hard to follow a thought from beginning to end. Just a suggestion for future forum postings, so that it doesn't get picked apart for how you said it and not what you said. I do agree that some security measures can be taken by people.

Edited by jzoom6

However, despite those who are educated beyond measure in technology and IT and so on and so forth, your posts honestly give me a headache trying to read them.

The 1 "agreed weakness" my post MAY have, & others felt as you have on other forums, is that there is SO MUCH of it (bulk), & it 'scares folks'... same thing used to happen to me, while reading code too... I would "make the mistake" of "looking @ it ALL @ ONCE", instead of starting one line @ a time (just like reading anything, & every journey starts with 1 step etc.).

You get your point across in what you say, but I would suggest a more linear, smooth-flowing format.

The "smoothest" I have found thus far, is to break up the points, each into its OWN posting - it's "gone over better that way" with folks on forums where I have done it that way, rather than "lumping everything into 1 single post" type formats (on a couple forums, it DID start that way, until folks suggested busting it up, each point, into its OWN thread post reply).

Just a suggestion for future forum postings so that it doesn't get picked apart for how you said and not what you said.

Point taken. It's just "tough to do" @ times, because of the amount of the material is all, as I stated...

I do agree that some security measures can be taken by people.

Absolutely... in fact, on the CIS Tool test? MOST FOLKS will get around 46.xxx scores on it initially... BUT, get into the 90's via CIS Tool suggestion & guidance, in the end when they are done!

Thus, showing there is definitely "room for improvement".

ON A SIDE-NOTE:

It often makes me wonder WHY it is, that MS has not "hardened it up more" via service packs & such, but, SOME things are turned on by MS initially @ least, because of "mass deployments" & such, so "everything just works" & you can security-harden later (same with services, MOST ALL are "on by default" & you trim back ones you don't need ALL THE TIME, & in ALL SCENARIOS (say, non-LAN networked standalone rigs online (or not))).

I would guess that is the reason our OS' from MS do NOT ship fully hardened for security, OR, why so many services run by default (whether your particular setup needs them, or not).

APK


http://img297.imageshack.us/img297/2240/52041100vo6.png


That's an example of where your score (for users on Windows XP SP #2 no less fully hotfix patched as of this date) can be @ scoring-wise, on the CIS Tool benchmark test gauge of Windows Security, after following its suggestions for security-hardening your systems.

A 90.112 score... & that was AlexStarFire's score from the 3dguru.com forums, once he applied it to his home system ("stand-alone", non-HOME or WORK-LAN system, online on the public internet), which is way, Way, WAY up from its initial default score of 46.xxx/100...

:)

* Here is an example of a user named Thronka, who employed it to security-harden the endpoints on his LAN/WAN setup @ work, who is also enjoying it successfully as well, albeit this time, in a BUSINESS environs (as I have it as well, for both HOME standalone machine online today, & also on the job):

http://www.xtremepccentral.com/forums/showthread.php?t=28430

APK

P.S.=> I hope you guys also employ it thus as well - it starts with reaching just 1 person, & then, by example? Others start to apply it also, & then things start to change "for the better", because by securing yourself, & maybe even setting up your pals & families machines' this way? You lessen the possibility of "spreading the diseases" out there online today... apk


ONE THING THAT I HAVE TO NOTE, THAT IS RATHER IMPORTANT:

Using an external DNS server (like OpenDNS &/or ScrubIT DNS, which I mention last page - but, omitted this little critical factoid) in a business setting that utilizes Active Directory, is NOT a good idea:

SURE, ones like OpenDNS & ScrubIT DNS are excellent, fast, & more secured than std. ones your typical ISP/BSP gives you, no doubt...

HOWEVER:

There IS a catch-22, because they won't FULLY "mesh" with your internal LAN AD (Active Directory) setup, mainly because AD is SO DNS dependent, it's not funny.

Makes sense though - & I omitted this in my earlier posts about ScrubIT DNS in fact:

I mean, how on EARTH could an external DNS server be able to serve up IP addresses that are privatized behind a router & a subnet (unless LMHOSTS could work around it, that is)...

Systems under your LAN/WAN subnet with privatized non-internet broadcastable IP Addresses especially, like 169.254 (not that you'd usually see THAT, lol), 10.x.x.x, 172.x.x.x, & 192.168.1.xxx DHCP assigned ones... so, be wary of using them with LANS/WANS.

SO, anyone with a LAN/WAN (be it HOME, or BUSINESS)? Beware of using OpenDNS or ScrubIT DNS servers, even though I "extolled their virtues" on the pages preceding this one.

OpenDNS &/or ScrubIT DNS are GREAT for home users that have "stand-alone" (meaning not networked to other computers' drives + printers, etc. et al) setups, that are hooked up to the internet... they WILL "mess some stuff up" in ActiveDirectory/AD networks though.

Found that out myself in the past: For example - Things like Outlook (FULL) when setup to hitch up with EXCHANGE SERVER (instead of a POP or IMAP or even HTML mail account) will "flake out" for instance, IF you use external 3rd party DNS servers that are external to your network (LAN/WAN & home OR business).

:)

* Sorry about that, I will have to edit that post for this too...

APK

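The catch-22 described in the post above, as an added example (this is not code from the original thread): a PowerShell check that asks each DNS server the client is configured to use for the SRV records that Active Directory logon depends on. An external resolver such as OpenDNS or ScrubIT has no copy of the internal zone, so it answers NXDOMAIN for these names, which is exactly why domain members must point at the domain's own DNS servers. It assumes Windows 8 / Server 2012 or later (for the Resolve-DnsName and Get-DnsClientServerAddress cmdlets) and reads the domain name from the machine's own domain membership.

```powershell
# Added example, not from the original post. Checks whether every configured
# DNS server can answer the SRV queries an AD client needs for logon.
# Assumes Windows 8 / Server 2012+ (Resolve-DnsName, Get-DnsClientServerAddress).

$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "This machine is not domain-joined; an external resolver is fine here."
    return
}
$domain = $cs.Domain

# The records every AD member must resolve: domain controllers, Kerberos KDCs
# and global catalogs. Outlook-to-Exchange on a domain-joined client depends
# on the same internal zone.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_gc._tcp.$domain"
)

# Every IPv4 resolver configured on any interface, deduplicated.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Where-Object { $_ } | Sort-Object -Unique

foreach ($srv in $servers) {
    foreach ($name in $srvNames) {
        try {
            # -DnsOnly bypasses the local cache and hosts file so the answer
            # really comes from $srv; -Server forces that one resolver.
            $answers = Resolve-DnsName -Name $name -Type SRV -Server $srv -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
            if ($answers) {
                "{0,-16} OK     {1} -> {2}" -f $srv, $name, (($answers | ForEach-Object { $_.NameTarget }) -join ', ')
            } else {
                "{0,-16} EMPTY  {1}" -f $srv, $name
            }
        } catch {
            # NXDOMAIN or timeout: this resolver cannot serve the AD zone.
            "{0,-16} FAIL   {1} ({2})" -f $srv, $name, $_.Exception.Message
        }
    }
}
```

A resolver that reports FAIL for every _msdcs name is one the domain members cannot use as their primary DNS. The usual way to keep the filtering benefit of OpenDNS or ScrubIT on a LAN is to leave clients pointed at the internal DNS server and set that server's forwarders to the external resolver, so only names it is not authoritative for leave the network.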

HOW TO REMOVE MALWARE - INTRODUCTION (using 110% free tools, OR ones you have in your OS already natively, to remove malware infestations of ANY kind HOW TO):

NOW, after ALL of the above? IF you do find yourself "infested" though, one day??

(Which is going to be RARE (if @ all) - Usually, after the above set of steps you can use to secure yourselves, the ONLY way you usually can be reinfected, is to click & run a bogus email attachment, OR, by turning on Javascript & IFrames for instance! (or, allowing shockwave or a bum ActiveX control to run)).

YES - It happens! Far more rarely than it had before (using a buddy of mine, Jack, as an example in fact - I chose him as a tester because he was nearly constantly infested, is why, & this all worked for him, until he violated the javascript usage rules I mentioned above).

E.G.-> I have had users violate that/those "rule(s)" from above & that was how they were reinfected - BUT, one tester of mine DEFINITELY gets infected FAR LESS than he used to, by applying the above... this is certain!

I.E.-> I have had this setup running Windows Server 2003 (SP#2, fully hotfix patched & hardened per the above as of this date) since early 2003, running "110% bulletproof & bugfree" because of following the rules & suggestions noted above!

ANYHOW - Malware infested? TRY THIS SET OF TOOLS & TECHNIQUES:

How to clean yourself up?

This "toolkit" & process has helped me get thru over 1,000 spyware/virus clean up calls, & hopefully? It will yourself, as well, so... here goes:

==========

1.) Reboot your system to F8 @ startup "Windows Advanced Options" bootup menu that stops you during the boot sequence.

----

2.) There, choose "Safe Mode with Networking" (via the "Windows Advanced Options" menu you get presented with while tapping the F8 key repeatedly @ system startup).

----

3.) Once in Safe Mode with Networking, download/install & RUN these tools (they are not much to look at, BUT, they do work on MOST threats today & get regularly updated):

a. Run IE, use its TOOLS menu, Manage Addons Submenu, & turn off ANY BHO etc. objects that you do NOT absolutely NEED, or know what they are (many malwares in the form of bogus toolbars or BHO (browser helper objects) often hide here).

ALSO, GREAT NEW POINT EDITED IN NOW (01/13/2008) per Delightus14 @ Neowin forums: ALSO CLEAN OUT YOUR WEB BROWSER CACHES & %temp%/%tmp% temp. ops locations so no maladies exist there also awaiting re-awakening by accident.

You do this via Internet Explorer (using IE as an example, it is the same idea in Opera/FireFox/Netscape/Mozilla etc. too) via its Tools menu, Internet Options submenu, & on IE's options screen, use the "Browsing History" group in IE7, & delete things as necessary from IE's browser caches etc. & for OS + app level %temp% & %tmp% environment variables' areas? Type SET @ a DOS prompt to see where those are located, & burn their contents via DEL commands, OR via explorer.exe/My Computer file management.

b. Run msconfig.exe, & stall out ANY apps you do NOT absolutely NEED to run (many malware start here in fact). If you do NOT know the name of the program & what it does? Look it up on GOOGLE... same with BHO's above in IE.

c. DOWNLOAD & INSTALL SpyBot 1.51x

d. DOWNLOAD ComboFix (don't run it yet - there is no installer, it IS its own install + run package)

e. DOWNLOAD SmitFraudFix (which also has its own LSP (layered service provider) fix, I have heard tell, BUT, again: Don't run it yet - as AGAIN -> there is no installer, it IS its own install + run package)

----

4.) Clean out your rig, running SpyBot, first (most of the threats today are SPYWARE related, or TROJANS, more than std. typical traditional viruses by the way).

----

5.) Then, run ComboFix (this will reset your webbrowser homepage & background desktop wallpaper, you will have to reset these, & possibly your date/time clock in Windows too).

----

6.) Then, run SmitFraudFix

----

7.) Reboot to "normal Windows" (no F8 stuff this round) - it MAY hesitate/be slower this bootup though, because SpyBot/ComboFix/SmitFraud do a 2nd look type check on bootup many times... so, be prepared for this part.

----

8.) Then, once in normal Windows again, scan with your AntiVirus solution (now fully updated hopefully & if not, do update it first & then scan).

Good suggested FREE one, is AVG AntiVirus (I suggest this one, because it is free + complete w/ mail protection too that's decent enough, & just in case your antivirus solution is expired... if it is not expired, update the one you use. Keeping another around for a "2nd Dr.'s Opinion" is NOT a bad idea, BUT: ONLY RUN 1 OF THEM, "resident" (meaning running its background application & file scanning engine, usually implemented as a service + trayicon app). IMO, NOD32 is the best performer all-around in terms of antivirus programs. av-comparatives & vb100 tend to 2nd me here as well.

* @ that point? You probably will have 'caught the culprits', OR, @ least have the name + location of any threats they could NOT eliminate... & here is where it gets REALLY "fun"...

==========

NOW, when you CAN'T remove a virus using "script kiddie automated tools" like those noted above (not putting them down calling them that because they ARE somebody's hard work & freely given time as well... but, they ARE that, because they're only automating what YOU can do, yourself, with other tools like msconfig/IE manage addons, & more tools like Process Explorer + regedit & explorer.exe (OR even Recovery Console) can allow YOU to do, yourself, albeit slower... the nice part about the automated killers like the tools I mention above, is that they operate FAR FASTER than human beings do).

ANYHOW - IF you can get its name, & location on disk say, via a report from AVG or other programs you use for this?

Boot your system from the OS install CD, & go to RECOVERY CONSOLE!

There, switch to the folder that houses it using CD (almost like the DOS one, but uses .. ONLY, to switch to ancestor folder roots really (instead of \ etc. et al))!

Then, once you are in its folder, fry it then (nothing will be loading & thus, locking it, there) using the DEL command -> DEL filename.

****

It's THAT, or using Process Explorer in UserMode/Ring 3/RPL3 operation...

You would do a suspending the calling process via right click popup menu options for this it offers! Once the calling process is suspended (& many times, also the called or DLL injected library as well), you can delete ANY potential offending injected DLL/lib virus-trojan-spyware-malware being called by said parent process, on disk.

(This is assuming this is a lib loaded virus/spyware/trojan/malware etc., not a standalone .exe type)

That's done via watching loaded DLL's that ANY app may have loaded presently (For that, you would have to use ProExp's CTRL+D keystroke shortcut, with the lower pane view present/visible, & set like that) IF there is one and this thing doesn't launch by itself from one of the registry RUN areas or startup groups that is...

Using Process Explorer can help!

(Again, especially if this is being run by "DLL Injection" (like an OLEServer being injected into a process via CLSIDs, shell extensions, or being run by rundll32.exe OR svchost.exe, process hosting executables that can spawn either .exe OR .dll/lib based ones)).

****

The easier/simpler route?

My first suggestion:

Use Recovery Console, once you have its name & location on disk... DEL command will take care of it, lickety-split, no-$heet.

APK

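The manual inspection in steps 3a and 3b and in the Process Explorer section above, as an added example that is not part of the original post: a read-only PowerShell triage script that lists the Run/RunOnce autostart entries msconfig shows, resolves each Browser Helper Object CLSID to the DLL IE will load (what "Manage Add-ons" displays), and lists the modules loaded in a chosen process (what Process Explorer's lower pane shows), each with its Authenticode signature status so unsigned or missing files can be looked up before removal. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the process name is an example parameter, and nothing is deleted, so removal is still done with the steps in the post.

```powershell
# Added example, not from the original post: read-only autostart / BHO /
# loaded-module triage. Assumes Windows PowerShell 3.0+, run elevated.
param([string]$ProcessName = 'explorer')   # example parameter

# Signature status of a file, or MISSING when the path does not exist.
function Get-SignerInfo([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return "Valid ($($sig.SignerCertificate.Subject))" }
    return [string]$sig.Status          # NotSigned, HashMismatch, NotTrusted, ...
}

# Image path from a Run-key command line: the quoted path, else the first token.
function Get-ImagePath([string]$Command) {
    $Command = [Environment]::ExpandEnvironmentVariables($Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

# 1) Autostart entries: the registry keys behind msconfig's Startup tab.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
"== Autostart entries (Run / RunOnce) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not a value
        $img = Get-ImagePath ([string]$p.Value)
        "{0}\{1}`n    cmd: {2}`n    sig: {3}" -f $key, $p.Name, $p.Value, (Get-SignerInfo $img)
    }
}

# 2) Browser Helper Objects: each CLSID under the BHO key is resolved through
#    HKCR\CLSID\{...}\InProcServer32 to the DLL Internet Explorer loads.
"`n== Browser Helper Objects =="
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll = $null
        if (Test-Path $server) {
            $dll = (Get-ItemProperty -Path $server).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }
        "{0}`n    dll: {1}`n    sig: {2}" -f $clsid, $dll, (Get-SignerInfo $dll)
    }
}

# 3) Modules loaded in the target process (Process Explorer's Ctrl+D view).
#    Unsigned entries sort first; injected malware DLLs are rarely signed.
"`n== Modules loaded in $ProcessName =="
$modules = foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    try   { $proc.Modules | ForEach-Object { $_.FileName } }
    catch { Write-Warning "Cannot read modules of PID $($proc.Id): $($_.Exception.Message)" }
}
$modules | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{ Signature = Get-SignerInfo $_; Path = $_ }
} | Sort-Object Signature, Path | Format-Table -AutoSize
```

Run it once from Safe Mode with Networking before the automated cleaners, and save the output; anything marked MISSING, NotSigned or HashMismatch is the short list to look up, and a second run after the cleaners shows what they removed.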

lol....

It'd be GREAT, if it was that simple - it TRULY would be... but, everyday on the job professionally? I have to fix folks with that EXACT belief system: Which, obviously, is NOT WORKING for them (especially when I have to fix them up & they're paying for it).

Many times ALL THEY HAVE is an antivirus program + firewall (useless vs. email attachments that "Bear Bombs" etc. OR sometimes, even vs. adbanners that are laden with these things & + javascript/IFrame/Bad ActiveX controls) & that's it...

AND then, @ times? Their antivirus subscription's expired @ times too, OR, isn't strong enough in stalling spywares (vs. traditional viruses), & those 'slip thru', instead.

(I do see a GREAT DEAL more spyware, than I do traditional viruses out here daily, by the by).

APK



I have been looking for information about the "RBN" (Russian Business Network) to help others NOT be 'victims' to their machinations online, to map them & their affiliates, & did find quite a lot (below) from reputable respected sources online (like spamhaus).

As regards the "Russian Business Network" (RBN) who has been @ the heart of MANY online attacks (or, things like Zlob trojan, the STORM worm, & other IDTheft related attacks, etc. et al)?

Use this information to protect yourselves, from them.

P.S.=> If any of that information is inaccurate, or "off", please - post about it here, I can make corrections via edit in seconds (or, the mods here can)... thanks! apk

see post #84 for updated information

Edited by dreamz

You should block all IPs starting with these if you do not care about Russia and China:

193.

194.

195.

212.

213.

217.

62.64.

62.76.

202.

203.

210.

211.

Just to let you know that the IP address ranges 202.x 203.x 210.x 211.x and 212.x can be and are assigned in Australia and New Zealand (and in some cases the western USA/Canada) - in the case of any TelstraClear customers, blocking the above ranges would deny access to their DNS server, their mail server and their ISP homepage for starters.

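The collateral-damage point in the reply above, as an added example (not code from the original thread): a PowerShell check that converts the prefixes in the post into CIDR blocks, totals the address space they cover, and tests the addresses this machine actually depends on (its configured DNS servers and default gateway), plus two constructed sample addresses, against the list before any firewall rule is written. It assumes Windows 8 / Server 2012 or later for Get-DnsClientServerAddress and Get-NetRoute; 203.0.113.10 and 198.51.100.25 are made-up addresses from the RFC 5737 documentation ranges, not servers mentioned in the thread.

```powershell
# Added example, not from the original post: sanity-check a first-octet block
# list against the addresses this host must keep reaching. Assumes Windows 8 /
# Server 2012+ for Get-DnsClientServerAddress and Get-NetRoute.

$prefixes = @('193.','194.','195.','212.','213.','217.','62.64.','62.76.','202.','203.','210.','211.')

# "62.64." -> 62.64.0.0/16, "193." -> 193.0.0.0/8, with the host count per block.
function ConvertTo-Cidr([string]$Prefix) {
    $octets = $Prefix.TrimEnd('.').Split('.')
    $bits   = 8 * $octets.Count
    $base   = ($octets + @('0','0','0','0'))[0..3] -join '.'
    [pscustomobject]@{
        Prefix = $Prefix
        Cidr   = "$base/$bits"
        Hosts  = [int64][math]::Pow(2, 32 - $bits)
    }
}

# Returns the matching prefix, or $null. Prefixes are octet-aligned and end in
# '.', so a plain string test is exact: '21.' cannot match '210.x.x.x'.
function Test-Blocked([string]$Address, [string[]]$Prefixes) {
    foreach ($p in $Prefixes) { if ($Address.StartsWith($p)) { return $p } }
    return $null
}

$blocks = $prefixes | ForEach-Object { ConvertTo-Cidr $_ }
$blocks | Format-Table -AutoSize
$total = ($blocks | Measure-Object -Property Hosts -Sum).Sum
"Total IPv4 addresses covered: {0:N0} ({1:P1} of the address space)" -f $total, ($total / [math]::Pow(2, 32))

# Addresses this machine must still reach: resolvers, default gateway, and two
# constructed samples (RFC 5737 documentation ranges, not real servers).
$mustReach  = @()
$mustReach += Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object { $_.ServerAddresses }
$mustReach += Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue | ForEach-Object { $_.NextHop }
$mustReach += '203.0.113.10'    # constructed: the kind of ISP DNS/mail server the reply describes
$mustReach += '198.51.100.25'   # constructed: outside every listed prefix

"`n== Collision check =="
foreach ($ip in ($mustReach | Where-Object { $_ } | Sort-Object -Unique)) {
    $hit = Test-Blocked $ip $prefixes
    if ($hit) { "COLLISION  $ip falls under '$hit' - this rule set would cut it off" }
    else      { "ok         $ip" }
}
```

Any COLLISION line is a service you lose the moment the rules go in; the totals line shows that ten /8s and two /16s cover just under 4% of all IPv4 space, most of it unrelated to the networks the post wanted to block.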
