Hey, I've been reading a lot of the tutorials here, but I'm still having a little trouble figuring out how I can secure my computer easily, so if anyone sees this and has something useful to say it would be appreciated. Thanks!
Wrong question................you are not searching properly...........
You do not secure your computer, you secure your operating system, browser and applications.
There are plenty of tutorials on that :)
Yo dude,
This should get u started :-)
http://www.cert.org/homeusers/HomeComputerSecurity/
http://www.cert.org/homeusers/HomeComputerSecurity/
Is a good site for grandma with her new dell, but terrible for pretty much anyone else.
It uses incorrect terminology and suggests techniques that don't survive well as you gain more knowledge.
Keep this in mind when using the site.
cheers,
catch
Greetings
You can start by the following :
1. UPDATE, UPDATE and UPDATE your windows and all other software Esp. Anti-virus and Spyware remover.
2. Install a firewall, configure it properly, don't accept the default configuration and if you do accept go over it once and check it. Monitor the logs of your firewall and never ever turn off your firewall.
3. Install an anti-virus and always update it. Run a full system scan every 2 days (If you are paranoid like me run it once everyday just before shutdown for the day)
4. Install a spyware remover update it and run a scan. IF YOU FIND A SPYWARE AND AGAIN FIND IT AFTER A SCAN RUN YOUR ANTISPYWARE SOFTWARE IN SAFE MODE AND THEN YOUR ANTIVIRUS SOFTWARE.
5. Download Hijackthis and then copy the log yourself to www.hijackthis.de and analyse your log.
6. Get Firefox or any other browser except IE. if you love IE and only want to use it then go to Tool>Internet Option>security and in internet click custom level and then scroll down to DOWNLOAD files and enable it.
6-B Go to privacy go to advanced click override automatic cookie handling block first and third party cookie just accept session cookie
6-C Go to Autocomplete and disable all also clear any previously remembered forms or passwords
8. weekly scan your computer online at sites like : http://housecall.trendmicro.com
7. Disable NETBIOS OVER TCP/IP
9. IN YOUR NETWORK CONNECTION uninstall EVERYTHING EXCEPT TCP/IP
8. THIS IS ADVANCED SETTINGS RECOMMEND ONLY FOR WINDOWS xp PRO. backup your entire registry first <-------- imp
(sorry for poor formatting :) )
go to start then run then type : regedit.exe
--> Go to (if key/value does not exist, create one by right clicking in the right window)
---> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
----> EnableDCOM (REG_SZ)
-----> Set to: N
---> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
----> Value: DCOM Protocols
-----> Remove ncacn_ip_tcp
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
----> Value: MaxCachedSockets (REG_DWORD)
-----> Set to: 0
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
----> SmbDeviceEnabled (REG_DWORD)
-----> Set to: 0
---> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
----> REG_DWORD
-----> AutoShareServer
------> Set to: 0
-----> AutoShareWks
------> Set to: 0
---> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSession Pipes\
----> NullSessionPipes
-----> (Delete all value data INSIDE this key)
----> NullSessionShares
-----> (Delete all value data INSIDE this key)
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\
----> Machine
-----> (Delete all value data INSIDE this key)
9. go to start > run > syskey then enable encryption and store key locally
10. In windows XP pro rename your administrator account and give it an alphanumerical name.
11. Create a power user account for your day to day activity. DO NOT USE YOUR ADMINISTRATOR ACCOUNT FOR SURFING THE INTERNET.
12. Disable WELCOME SCREEN FOR LOGGING ON. (go to user accounts in windows xp and uncheck use welcome screen)
13. Disable index service to all your drives
14. enable password for your screen saver
15. Backup your computer (have a nice strategy. one of the most followed is Normal-differential) meaning backup everything on your computer weekly and for all the days in that week use a differential backup.
16. Don't visit warez site and don't use a P2P software.
Optionally
17. Start > Run > telnet then type "unset ntlm"
18. Subscribe to a news group like secunia.
19. All of the following suggestion are advance settings and use at your own risk. what i mean to say is use them only if you know what you are doing.
Go to My computer right click on your %systemroot% drive mostly C:
now go to security tab click ADD
- Type: Authenticated Users
- Press enter
- Select: Authenticated Users
-- Allow: Read & Execute, List folder content, Read.
- Advanced
- Unselect: Inherit from parent permission entries...
- COPY
- Remove all other users except: Administrator, System and Authenticated Users
- Select: Replace permissions entries...
- THEN OKAY AND YES
Go to C:\documents and settings\
Right click on administrator folder
Go to security and then advanced
- Unselect: Inherit from parent permission entries...
- Copy
- Remove: Authenticated Users
- Select: Replace permission entries...
okay and yes
Now select all other folders in that directory (remaining users folders)
go to properties > security > advanced
- Unselect: Inherit from parent permission entries
-copy
-Remove: Authenticated users
- Add that users name (like "userX") who's folders these are. This will prevent all other users except admins from getting into their folders.
- Allow : Full control
- Select: Replace permission entries...-
-okay and yes
Go to %temp% folder (mostly C:\windows\temp)
go to properties > security
select : > authenticated users
then allow full control
this is all i can think right now, It's 5 in the morning here I haven't slept all night. but anyway hope all this helps.
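A read-only way to see where a machine stands against the registry values listed in the post above, added here as an example and not part of the original post. The function names `Get-RegValue` and `Get-SettingStatus` and the rule labels are made up for this example; `NullSessionPipes` and `NullSessionShares` are read as multi-string values under the `LanmanServer\Parameters` key.

```powershell
# Added example: read-only audit of the registry values named in the post.
# Nothing is written. Run from an elevated prompt so every key is readable.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Distinguish "value not present" from "present but empty".
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $Name) {
        return [pscustomobject]@{ Exists = $false; Value = $null }
    }
    [pscustomobject]@{ Exists = $true; Value = $key.GetValue($Name) }
}

$netbt  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$dns    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'

# Rule: Equals   = scalar value must equal Want
#       Excludes = multi-string value must not contain Want
#       Empty    = multi-string value must have no entries
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOM';     Rule = 'Equals';   Want = 'N' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Rpc'; Name = 'DCOM Protocols'; Rule = 'Excludes'; Want = 'ncacn_ip_tcp' }
    @{ Path = $dns;    Name = 'MaxCachedSockets';  Rule = 'Equals'; Want = 0 }
    @{ Path = $netbt;  Name = 'SmbDeviceEnabled';  Rule = 'Equals'; Want = 0 }
    @{ Path = $lanman; Name = 'AutoShareServer';   Rule = 'Equals'; Want = 0 }
    @{ Path = $lanman; Name = 'AutoShareWks';      Rule = 'Equals'; Want = 0 }
    @{ Path = $lanman; Name = 'NullSessionPipes';  Rule = 'Empty';  Want = '(no entries)' }
    @{ Path = $lanman; Name = 'NullSessionShares'; Rule = 'Empty';  Want = '(no entries)' }
    @{ Path = $winreg; Name = 'Machine';           Rule = 'Empty';  Want = '(no entries)' }
)

function Get-SettingStatus {
    param([hashtable]$Check)
    $r = Get-RegValue -Path $Check.Path -Name $Check.Name
    # Normalise scalars and multi-strings to an array of non-empty entries.
    $values = @($r.Value | Where-Object { $null -ne $_ -and "$_" -ne '' })
    if (-not $r.Exists) {
        # The value was never created, so the Windows default behaviour applies.
        $status = 'NotSet'
    } else {
        $ok = switch ($Check.Rule) {
            'Equals'   { "$($r.Value)" -eq "$($Check.Want)" }
            'Excludes' { $values -notcontains $Check.Want }
            'Empty'    { $values.Count -eq 0 }
        }
        $status = if ($ok) { 'Matches' } else { 'Differs' }
    }
    [pscustomobject]@{
        Key      = $Check.Path -replace '^HKLM:\\', ''
        Value    = $Check.Name
        Current  = $values -join ', '
        FromPost = $Check.Want
        Status   = $status
    }
}

$checks | ForEach-Object { Get-SettingStatus -Check $_ } | Format-Table -AutoSize
```

A `NotSet` row means the value does not exist on this machine, which is the normal state for several of these until someone creates them as the post describes.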
Use AO's search engine ... you will find a lot to learn .... don't be too lazy
You may visit the following links ...
http://www.google.com/search?hl=en&l...ls&btnG=Search
http://www.google.com/search?hl=en&l...ms&btnG=Search
http://www.google.com/search?hl=en&l...ls&btnG=Search
Cheers
I am sorry I am posting again instead of updating the last one but I have a nice document if you want...
It's from Microsoft and it will help you a lot but only thing is it's Windows XP with SP 2 specific. It will help other users if you mention your OS in your post.
GO to microsoft.com and search for Microsoft Baseline Analyze, download it and test your security settings. I am sorry I couldn't get the link for you, my internet connection seems to be like a snail right now, but I'll update the post ASAP. Thanks
ByTeWrangler did a really good job in summarizing things ... But here are a couple of other things that you could try ....
[1] Check Your Security Score Today -- PreView
Download the Beta version and give it a try ...
[2] If you still plan on using Internet Explorer ... then read this ....
Quote:
PreView is the first security application that lets you see the relative security of your Windows computer against known threats in the wild. By looking at four critical elements in a layered security approach, we are able to generate a Security Score. This score is based on the core system security configurations, installed commercial security software, installed security patches, and how effective your firewall protection is configured.
How to strengthen the security settings for the Local Machine zone in Internet Explorer
[3] Give this a try ... Easy to use and does a good job at protecting windows ...
Qwik-Fix Pro
But don't rely just on software to do the job for you .... Remember if you want your OS to stay safe and sound a little reading will take you a long way ....
Ummm.... no.
Quote:
10. In windows XP pro rename your administrator account and give it an alphanumerical name.
Get rid of the guest account, setup a limited user account and name that one "Administrator", have the administrative account renamed to guest. Setup passwords for them both.
This is really no better.
Quote:
Get rid of the guest account, setup a limited user account and name that one "Administrator", have the administrative account renamed to guest. Setup passwords for them both.
The guest account comes disabled.
Not much of a reason in the subject's environment to rename the "administrator" account, much less actually adding an account to call it that.
Keep it simple, if you want to rename your admin account, that is fine... it really doesn't help the situation any, it most likely won't hurt anything, though it is just one more thing to remember.
Most of the advice in this thread is just too much, leaving the user unlikely to do any of it (much less any of it correctly) on top of the fact that you don't even know what OS the user is running. All this advice will work great on say... Windows Me or OSX or Mandrake (remember Linux has been targeting the beginner crowd for a while now and more OEM systems ship with it.)
cheers,
catch
"It uses incorrect terminology and suggests techniques that don't survive well as you gain more knowledge."
Just wondering catch could you elaborate a bit more if you don't mind ?....
Cause I have read that article many times but it's probably my lack of knowledge [Still consider myself a newbie ] which keeps me from noticing things .....
Greetings :
Just to complete my previous post and to add to security of a computer here is addition to my previous post. Hope this helps. I had asked the thread starter to either update his post stating his OS but that's not happened so far; anyway following settings have been tried on Windows XP Pro with SP2, I am not sure if they will work on win 95/98 but they should on win2k and later.
here it goes :
Goto : Control panel
Performance and maintenance
Administrative tools
Local security policy
Account policies
Password policy
-Enforce password history - 0 passwords remembered
-Maximum password age - 15 days (that's my level of paranoia for a home computer; when implementing the same in a different environment use your own level of paranoia)
-Minimum password age - 0 days
-Minimum password length - 21 characters
-Password must meet complexity requirements - Enabled
-Store passwords using reversible encryption for all users in the domain - Disable
Account lockout policy
-Account lockout threshold - 3 invalid logon attempts.
-Account lockout duration - 60 minutes
-Reset account lockout counter after - 60 minutes
Local policies
-Audit account logon events - Success, failure
- Audit account management - Success, failure
-Audit logon events - Success, failure
-Audit Object access - Success, failure
-Audit policy change - Success, failure
-Audit system events - Success, failure
-User rights assignment
-Adjust memory quotas for a process - LOCAL SERVICE,NETWORK SERVICE,Administrators
- Back up files and directories - Administrators
-Bypass traverse checking - Authenticated Users,Administrators
-Change the system time - Administrators
-Create a pagefile - Administrators
-Debug programs - Administrators
-Deny access to this computer from the network - Everyone
-Deny logon through Terminal Services - Everyone
-Generate security audits - LOCAL SERVICE,NETWORK SERVICE
-Increase scheduling priority - Administrators
-Load and unload device drivers - Administrators
-Lock pages in memory - LOCAL SERVICE, Authenticated Users,Administrators
-Log on locally - Authenticated Users, Administrators
-Manage auditing and security log - Administrators
- Modify firmware environment values - Administrators
- Perform volume maintenance tasks - Administrators
-Remove computer from docking station - Authenticated Users,Administrators
- Replace a process level token - LOCAL SERVICE
-Restore files and directories - Administrators
-Shut down the system - Authenticated Users, Administrators
-Accounts: Administrator account status - Enabled
- Accounts: Guest account status - Disabled
-Accounts: Limit local account use of blank passwords to console logon only - Enabled
- Audit: Audit the access of global system objects - Disabled
-Audit: Audit the use of Backup and Restore privilege - Disabled
-Audit: Shut down system immediately if unable to log security audits - Disabled
- Devices: Allow undock without having to log on - Disabled
-Devices: Allowed to format and eject removable media - Administrators
-Devices: Prevent users from installing printer drivers - Enabled
-Devices: Restrict CD-ROM access to locally logged-on user only - Enabled
-Devices: Restrict floppy access to locally logged-on user only - Enabled
-Devices: Unsigned driver installation behavior - DO not allow installation
-Domain controller: Allow server operators to schedule tasks - Disabled
-Domain controller: LDAP server signing requirements - Not defined
-Domain controller: Refuse machine account password changes - Enabled
-Domain member: Digitally encrypt or sign secure channel data (always) - Enabled
-Domain member: Digitally encrypt secure channel data (when possible) - Enabled
-Domain member: Digitally sign secure channel data (when possible) - Enabled
-Domain member: Disable machine account password changes - Enabled
-Domain member: Maximum machine account password age - 1
-Domain member: Require strong (Windows 2000 or later) session key - Enabled
-Interactive logon: Do not display last user name - Enabled
-Interactive logon: Do not require CTRL+ALT+DEL - Disabled
-Interactive logon: Message text for users attempting to log on -
-Interactive logon: Message title for users attempting to log on -
-Interactive logon: Number of previous logons to cache (in case domain controller is not available) - 0 logons
-Interactive logon: Prompt user to change password before expiration - 7 days
-Interactive logon: Require Domain Controller authentication to unlock workstation - Enabled
-Interactive logon: Smart card removal behavior - Lock Workstation
-Microsoft network client: Digitally sign communications (always) - Enabled
-Microsoft network client: Digitally sign communications (if server agrees) - Enabled
-Microsoft network client: Send unencrypted password to third-party SMB servers - Disabled
-Microsoft network server: Amount of idle time required before suspending session - 1
-Microsoft network server: Digitally sign communications (always) - Enabled
-Microsoft network server: Digitally sign communications (if client agrees) - Enabled
-Microsoft network server: Disconnect clients when logon hours expire - Enabled
-Network access: Allow anonymous SID/Name translation - Disabled
-Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
-Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
-Network access: Do not allow storage of credentials or .NET Passports for network authentication - Enabled
-Network access: Let Everyone permissions apply to anonymous users - Disabled
-Network access: Named Pipes that can be accessed anonymously -
-Network access: Remotely accessible registry paths -
-Network access: Shares that can be accessed anonymously -
-Network access: Sharing and security model for local accounts - Classic local users authenticate as themselves
-Network security: Do not store LAN Manager hash value on next password change - Enabled
-Network security: Force logoff when logon hours expire - Disabled
-Network security: LAN Manager authentication level - Send NTLMv2 response only * refuse LM and NTLM
-Network security: LDAP client signing requirements - Require signing
-Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
-Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
-Recovery console: Allow automatic administrative logon - Disabled
-Recovery console: Allow floppy copy and access to all drives and all folders - Disabled
-Shutdown: Allow system to be shut down without having to log on - Disabled
-Shutdown: Clear virtual memory pagefile - Enabled
-System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing - Enabled
-System objects: Default owner for objects created by members of the Administrators group - Object creator
-System objects: Require case insensitivity for non-Windows subsystems - Enabled
There are certain things that I am not sure of like this only is for a system locally but on the internet it can still be identified (OS fingerprinting) and can be exploited hence I am currently reading papers for that
for anyone who wants to read these papers :
http://voodoo.somoslopeor.com/papers/nmap.html
http://www.net-security.org/article.php?id=406
If on the above subject anyone has a better or a paper that they think is a must read please tell me. Also is there any threat that you think needs to be included in system security (not user security) I would love it if you add it here.
Thank you.
[edit]
also for knowing which service to run and which to stop
http://www.blkviper.com/
is an excellent site. I just checked it but it says it is under construction but I think it's a must read.
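The account and audit policy values in the post above can be checked without clicking through the policy editor by exporting the policy with `secedit` and comparing it, shown here as an added example that is not part of the original post. The function name `ConvertFrom-SeceditInf` is made up for this example and the embedded export text is a constructed sample, not output from a real machine.

```powershell
# Added example: compare an exported security policy with the post's values.
# On a live system the export is produced (elevated) with:
#   secedit /export /cfg policy.inf /areas SECURITYPOLICY
#   $lines = Get-Content policy.inf
# The text below is a constructed sample standing in for that file.
$lines = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 0
AuditAccountManage = 1
AuditAccountLogon = 3
'@ -split '\r?\n'

function ConvertFrom-SeceditInf {
    param([string[]]$Lines)
    # Returns a hashtable keyed "Section/Name" with the raw string value.
    $result  = @{}
    $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=\[;][^=]*?)\s*=\s*(.*?)\s*$') {
            $result["$section/$($Matches[1])"] = $Matches[2]
        }
    }
    $result
}

# Values as listed in the post. Audit settings: 0 = none, 1 = success,
# 2 = failure, 3 = success and failure.
$expected = [ordered]@{
    'System Access/PasswordHistorySize'   = '0'
    'System Access/MaximumPasswordAge'    = '15'
    'System Access/MinimumPasswordAge'    = '0'
    'System Access/MinimumPasswordLength' = '21'
    'System Access/PasswordComplexity'    = '1'
    'System Access/ClearTextPassword'     = '0'
    'System Access/LockoutBadCount'       = '3'
    'System Access/LockoutDuration'       = '60'
    'System Access/ResetLockoutCount'     = '60'
    'Event Audit/AuditAccountLogon'       = '3'
    'Event Audit/AuditAccountManage'      = '3'
    'Event Audit/AuditLogonEvents'        = '3'
    'Event Audit/AuditObjectAccess'       = '3'
    'Event Audit/AuditPolicyChange'       = '3'
    'Event Audit/AuditSystemEvents'       = '3'
}

$actual = ConvertFrom-SeceditInf -Lines $lines
$report = foreach ($name in $expected.Keys) {
    # A setting missing from the export is reported as absent, not as zero.
    $current = if ($actual.ContainsKey($name)) { $actual[$name] } else { '(absent)' }
    [pscustomobject]@{
        Setting  = $name
        Current  = $current
        FromPost = $expected[$name]
        Match    = ($current -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize
```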
The limited user account is not there just to call it something else. It's needed. An administrative account for anything other than the equivalence of maintenance is not.
Quote:
Not much of a reason in the subject's environment to rename the "administrator" account, much less actually adding an account to call it that.
What can I say, other than that it adds some humor to my event viewer.
judging by this policy, especially the short TTL on the passwords and the length I'd guess you have never had to set policy for a non-tech staff before. Good luck trying to get 100+ people to remember a password that is 21 characters long, complex (so it includes letters numbers and symbols) and that they have to change every 15 days. I hope your helpdesk is ready to reset passwords VERY often.
Quote:
-Maximum password age - 15 days (that's my level of paranoia for a home computer; when implementing the same in a different environment use your own level of paranoia)
-Minimum password age - 0 days
-Minimum password length - 21 characters
-Password must meet complexity requirements - Enabled
-Store passwords using reversible encryption for all users in the domain - Disable
I swear about a third to half of the antionline users are merely here because they love the idea of masturbating on the internet, but lack the guts to use a webcam.
Fake admin accounts.
21 char passwords.
Auditing everything.
Using a non-IE browser.
Disabling the indexing service.
I give up.
catch
You know there is pills for that.
Quote:
I give up.
Quote:
You know there is pills for that.
better yet, just use a rusty butter knife.
ByTe Wrangler,
Well, he asked for security help, and my, my - you certainly delivered...
However, I feel that, for this particular member, your suggestions may have been a bit "overkill" (I'm assuming that this guy doesn't have a devoted legion of hackers on his ass - especially since he's *apparently* unable to use Google effectively (no offense to the original poster - but there are several sites devoted to this topic alone))... This guy likely just needs your basics - dontcha think???
Anyway, my "general" security pack for any Windows box includes the following (all free!):
****************************************************************************
- Updates (all of 'em - auto-updater in 2K/XP is great for this) - in order for Microsoft to remain competitive in the world of operating systems, they feel that they need to release "much-less-than-perfect" (to be generous) software to meet deadlines, which frequently needs updating - and, think about it - 95% of home PCs rely on some version of MS Windows - it follows that the majority of the world's malicious code writers are writing exploits for MS products...
- Firewall - I use Sygate Personal Firewall - it hasn't let me down yet, though others may vouch for other products... get it at http://smb.sygate.com/products/spf_standard.htm ...
- Antivirus
local machine: I use AVG - again, hasn't let *me* down, but different strokes for different folks, right? Try it out (http://free.grisoft.com/doc/1)...
online scanners: Sometimes, it's nice to get a "second opinion" - try an online virus scanner about once every two weeks or so (moreso if you're *really* paranoid)... PandaActivescan does a nice job, but I prefer TrendMicro's Housecall (http://housecall.trendmicro.com/hous...start_corp.asp)
- Malware Detection & Removal: an antivirus won't prevent you from getting millions of pop-ups, etc. For this kinda protection, I'd suggest Lavasoft's AdAware (http://www.lavasoftusa.com/software/adaware/) and Spybot S&D (http://www.safer-networking.org/en/index.html). Run these two in SAFE MODE if you're experiencing malware symptoms (some malware begins as a startup process - if it's running, you may be unable to remove it - scanning in safe mode eliminates this problem)
After you've run these two, you may wish to install MS Antispyware (http://www.microsoft.com/athome/secu...e/default.mspx). I've found that this proggie kinda sucks for cleaning an infected system, but works great as a tool for prevention. However, you'll probably want to do some configuring to this one - its constant warning messages can become as annoying as the spyware itself :p... I don't use this one personally, but it's definitely a useful tool...
****************************************************************************
Now, this is a very basic list of proggies to implement security measures meant for very basic users... Given the nature of your post, this sounds like what you probably need... There's much more advanced security tools for much more advanced users, of course, such as Ethereal (to check out network traffic) and Nmap (general network vuln assessment, etc.) to name just a couple... feel free to shoot me an IM or an e-mail if you wish to learn how to use such programs...
Just a word of advice - forums like AO get posts like this *all* the time... so don't be surprised if no one rushes to answer a general query such as the one you've presented... check out the newbie section, yadda yadda yadda... I just felt like typing because I was drunk, and I've been meaning to put together a comprehensive list of my "basic" security tools, anyway...
One more thing - use Mozilla's FireFox (http://www.mozilla.org/products/firefox/) as your default web browser - timely updates are released, and it's not prone to a fraction of the exploits IE is... besides, it doesn't have 10% of the MS-dominated market for nothing... ;)
Remember - Google is GOD - by that, I mean "ask and you shall receive"... Please, if you want to know "how to secure your box," type in such a phrase in the textfield on Google.com - or use the AO search...
Anyway, I apologize to everyone else who made similar suggestions on this post - I just felt like rambling for a minute, and giving some specifics...
-Wiski C.
[edit] - sorry the formatting's fux0r3d - :p - I'll fix it if it *really* bothers anyone *that* bad...