Installing Microsoft Windows Vista (Photo credit: cocoate.com) Installing Microsoft Windows Vista (Photo credit: cocoate.com) In this article, I will share some tips on how to harden security of the computer running on windows XP and windows 7 as much as possible. The only true way to ensure the security of a computer is to remove its connectivity to any network altogether. However, this is quite understandable that method mentioned is impractical and sometime impossible to implement in practice. We will not going into the intricacies of Internet Protocols IPSec or a hardware firewall traffic rather, we will get into the Windows operating system and implement simple counter measures that are quite easy and can quickly be implemented to improve the security of any Windows XP and Windows 7 box on your network. This article assumes that you have administrative rights onto the pc. Tip number 1: Disable the server Services The server services also known as the File and Printer Sharing for Microsoft Networks component can be very dangerous when enabled. In such a case, you would be well advised to open your network Connection folder and deselect or entirely remove the file and printer sharing for Microsoft. As added measures you also need to disable the server and computer browser services in services.msc in Microsoft Management Console. Tip number 2: Hide the Computer from network browse list This is a nifty windows registry hack that will ensure that your computer will never appear in “My Network Places” browse list. Here is the step by step procedure on how achieve it. 1. Open the registry editor by typing “regedit” in the run prompt or you type in windows command prompt. In windows 7 you click start and type regedit in search programs and files and hit the enter key in your keyboard. 2. Browse to the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServer registry key. 3. Create a REG_DWORD value named “Hidden” and give it a value of “1”. 4. Reboot windows. This procedure will effectively make your workstation invisible on NetBIOS browse list. Tip 3: Remove administrative Shares Most network administrators know that they can access the root volume of domain workstations and servers by adding dollar sign ($) to the drive letter of each root volumes hidden administrative share. For instance I can use the Universal Naming Convention (UNC) statementmyServerc$ to connect to the root of the drive C of the windows server named “myServer” provided I have the proper administrative rights to the domain to begin with. This registry hacks that allows you to remove those administrative shares manually from a Windows XP and Windows 7 computer that should not have those shares enabled for security reasons. To enable this hack, follow these steps. 1. Open the registry editor by typing “regedit” in the run prompt – the keyboard shortcut is window + R. In windows 7 you click start and type regedit in search programs and files and hit the enter key in your keyboard. 2. Browse to the following registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters 3. Create two new REG_DWORD values: “AutoShareServer” and “AutoShareWks” and set each value to “0”. 4. Reboot the computer. You can verify your work by opening the Computer Management Console MMC, expanding the Shared Folders node, expanding the Shared node and verifying that the hidden administrative shares no longer exist. Tip 4: “Mung” the Computer Name and Local Account Names Technically munging refers to altering ones e-mail address on web pages, so it doesn’t picked up by spam harvesters (nat at gmail dot com) for example. However, in this context I’ll use the term munging to refer to choosing a host name for your workstation that in no way, shape or manner serves to identify the computer on your LAN. That is, naming a computer “DATABASEBOX” probably isn’t a great idea to store confidential data or databases to begin with. On the other hand a workstation named “89XYZYX98” is interesting only to a mathematician due to its palindromic nature. A shopworn but always-cogent recommendation is to change the names of the two default local accounts: Administrator and Guest. Also throw in a plug for choosing strong passwords for both of these accounts. A Good strong password account meets the following criteria. 1. Includes a healthy mix of letters, numbers and non-alphanumeric characters. 2. At least eight characters long. 3. Does not include any part of users birth name. 4. Is not a word that appears in any major language dictionary. Finally, disable any local accounts on the computer that not regularly be used, and log on to the workstation as an administrator only when necessary to use administrative privileges. Tip 5: Secure the root volumes First of all, if you’re using windows 7 encrypt your root drive. Windows 7 has default encryption system with bit locker. If you’re still using XP and is still using FAT32 as file system, it is high time for you upgrade to NFTS. You can do so by typing convert.exe in command line utility that converts FAT to NTFS. Ensure that the NTFS permissions on all root volumes are configured appropriately. For instance, it is not wise idea to grant the “everyone” special group any permission on any disk volume on the workstations that stores confidential data. On the other hand, be careful not to set NTFS permissions too strictly. To wit, ensure that the system special account has allow full control NTFS permission, or you certainly will have problems with special services failing as you will preventing the operating system OS from accessing its own core files. Tip 5: Install a personal firewall Both XP and windows 7 has windows firewall preinstalled. However, it has limitations and one of them is that it can only protect incoming traffic not outgoing. If your systems happens to be infected with malicious code windows firewall will allow this malicious code to be deploy as many packets through your network interface as it wants assuming that all packets originates from inside your computer. The company I’m In is using Mcafee and is pretty much great. There are also some other great firewall out there such as Kerio, Sygate, ZoneLabs, Agnitum and Norton. Tip 7: Install Anti Virus Software It would be a great idea to install virus scanner in the windows operating system. There are plenty of antivirus software out in the market today. Tip 8: Audit early and regularly System auditing is perhaps the only way in which you can ascertain who is attempting to do what you system at any given point in time. The window Event Log services are pretty much impressive, and you can learn a quite bit studying the event logs by using the event viewer MMC console. Also, it is recommended viewing the virus logs from time to time. |
Search This Blog
Monday, July 16, 2012
Windows Tips and Tricks
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment