December 13th, 2002, 02:56 AM
How to Lock Down Your WinXP Box...
How To Lock Down Your Windows XP Box
This paper is going to show you how to secure your Windows XP box, both home and professional editions. I will make a note when something is useful only for a specific edition. It is geared towards people who aren't on a network, as a lot of network services will be disabled, but if you need a specific service running (such as NetBIOS or Active Directory), then you'll want to leave it running, naturally. Some of the topics covered in this paper include the following:
Disabling Universal Plug and Play (UPnP)
Disabling Remote Assistance/Desktop/Registry
Disabling the Guest account
Renaming the Administrator account
Setting up a bogus Administrator account
Disabling Active Directory
Enabling NTFS and EFS file systems
Encrypting the temp directory
Disabling unnecessary services
There will be more topics covered. That list was just to give you an idea of what is to come. So, without wasting any more of your time, let's get started.
Disabling Universal Plug and Play (UPnP)
A big service that can leave you extremely vulnerable to attacks is the Universal Plug and Play service. UPnP is actually Network Plug and Play. UPnP is a set of communications protocol standards that allow networked TCP/IP devices to announce their presence to all other devices on the network and to then interoperate in a flexible and pre-defined fashion. There is no reason to use this if you're not on a network. If you are on a network then you only need to use UPnP if you have any UPnP devices. If you aren't sure, chances are you don't. And if you don't have any UPnP devices, you don't need to be listening for other UPnP systems to talk to.
UPnP listens for connections on TCP port 5000 and UDP port 1900. To see if UPnP is running on your computer click Start -> Run and type 'cmd'. Then type 'netstat -an'. This will show all active connections whether they are established or simply listening for a connection. Under the section 'Local Address' you will see your IP address followed by a colon followed by the port number. So if you have UPnP running you will see '127.0.0.1:5000' and '127.0.0.1:1900' (substitute 127.0.0.1 for your IP address if you're online at the moment or if you're on a LAN). If you see that, shut down UPnP as explained in the next paragraph.
To disable UPnP click Start -> Run and then type 'services.msc'. Find the service labeled 'Universal Plug and Play Device Host', right-click on it, and select Properties. Under the 'Service status:' area, click the Stop button. Under the 'Startup type:' drop-down box, select Disabled. Now disable 'SSDP Discovery Service' the same way. This is the other part of UPnP. Once these two services are stopped, UPnP is gone.
Disabling Remote Assistance/Desktop
Disabling Remote Assistance/Desktop is simple. Right-click on the My Computer icon on your desktop (or click the System icon from within the Control Panel). Then click on the Remote tab. Uncheck the two check boxes that are there. Nobody needs (or uses, for that matter) Remote Assistance or Remote Desktop.
NOTE: Remote Desktop is only available in the professional edition.
To disable Remote Registry click Start -> Run and then type 'services.msc'. Find Remote Registry and disable it like you did with UPnP. Disable Remote Desktop Help Session Manager while you're at it (if you're using the professional edition).
Disabling the Guest account
The Guest account is just plain stupid. There is no reason to have it enabled. In the control panel double-click the User Accounts icon. By default the Guest account is disabled. If it is then it will be grayed out. If it's not, click on it. By the way, you will either need to be logged on as the Administrator or you will need to be in the administrator group to disable it. Click the link to turn off the Guest account. Pretty easy.
Renaming the Administrator account (pro edition only)
In the control panel double-click the Administrative Tools icon (you may need to click the 'Switch to Classic View' link at the left of the icons if you can't find it). Then double-click the Computer Management icon. Now select 'Local Users and Groups' and a list of users and groups will show up in the pane to the right. Right-click on the Administrator account and select Rename. Do NOT disable this account.
While you're here though, for added security, go ahead and rename the Guest account to something stupid like Printer or Bob or something else. No need for people to even know you have a Guest account.
I would suggest deleting the account, but I'm not sure if any processes require it for anything. Some things may need to be run under this account just like some things under Linux need to be run under the 'nobody' account (like the updatedb program). And just for your information, renaming the Guest account won't have any effect on things since the account ID is what gets used.
Renaming the Owner account (home edition only)
From the control panel select User Accounts. Choose the 'Owner' account and select 'Change my name.' and pick a name like Jack, Jill, Fred, or something that sounds like a normal user account.
By default the home edition does not force you to create a password on this account (WHAT?!). Select the account again and click 'Create a password.' and make sure it is a secure password.
Setting up a bogus Administrator (or Owner) account
Since the real Administrator account has been renamed, why not give crackers a difficult time by creating a bogus Administrator/Owner account to play with? Create the account like you would any other account, but make sure you don't give it administrator privileges. And then give it a 50+ character password just to irritate the crackers (you know they'll never crack it). Sometimes the simplest things can make you so much more secure.
NetBIOS is just another way of saying Exploit World. Disable it. If you're on a network and need to share files and/or printers there are other ways to do it. If you're on a Windows + Linux network you might want to consider using Samba. If you're on a Windows + Windows network you can use FTP to transfer files and create a special directory that contains your printer and export it to the rest of the network. Just search Google for other methods. You'll find a ton of more secure methods.
Click Start -> Settings -> Network Connections. Select your connection and then right-click on it and view the Properties. Click on the Networking tab. If you see something called 'File and Print Sharing for Microsoft Networks' (or something about sharing files and printers), either uncheck the box beside it or completely uninstall it. Leave this window open for the next section.
Enabling Internet Connection Firewall (ICF)
From your network connections' properties window, click on the Advanced tab. Under the Internet Connection Firewall area, check the box that says 'Protect my computer and network by limiting or preventing access to this computer from the Internet.' (if it isn't already checked). You should feel a bit more secure now.
Disabling Active Directory
Active Directory performs almost the exact same functions as NetBIOS, and from what I've read from various places, it provides even more information about your computer than NetBIOS does. If you aren't sharing files and printers, I suggest disabling it. To disable Active Directory, click Start -> Run and type 'regedit'. If you don't know anything about regedit, don't modify anything except what I tell you to. If you do, you might end up with some serious problems. To be safe, back-up your registry first.
Click on HKEY_LOCAL_MACHINE -> System -> CurrentControlSet -> Services -> NetBT -> Parameters. In the right pane you should see a key called 'TransportBindName' and it should contain the value '\Device\'. Right click on this key and select Modify. Delete that value and then click OK. When you restart your computer Active Directory will be disabled.
Note that this is required if you are using the Microsoft Client or if you are making outbound drive mapping connections to other Windows computers on a network (i.e. using File and Print Sharing).
In case you're wondering, Active Directory runs on TCP port 445. You can see whether it has been disabled or is still enabled by using the command 'netstat -an' from a command prompt.
Password protect your screensaver
Not so important perhaps for home users but it does stop people from looking at your screen. Once again this is a basic security step that is often circumvented by users. Choose the blank screensaver or logon screensaver. Avoid the OpenGL and graphic intensive program that eat CPU and memory.
Enabling NTFS and EFS file systems
NOTE: EFS is only available in the professional edition and on NTFS partitions.
Open up My Computer, right-click on a drive, and select Properties. If you are using NTFS already, you can skip this part (but start reading again when I get to the EFS part). If you are using FAT or some version of FAT, you should convert to NTFS.
Why would you want to do this? Basically, NTFS is more secure and reliable than FAT (I'm not going to go into all of the specifics). And it's a journaled file system, so you don't need to worry about your system becoming fragmented.
To convert, for example, your C drive to NTFS click Start -> Run and type 'cmd'. Then enter the command 'convert c: /fs:ntfs'. You will have to reboot your computer (I don't remember how many times) before the conversion program is finished. Do this for all of your partitions.
After you have done this you will need to check the permissions since these are often set to EVERYONE by this process. Just change this to Authenticated Users with the same rights from the Properties -> Security tab for that drive.
Setting up EFS is simple, because it's already done for you. Don't you just love it when the good features are turned on by default? Anyways, since it's done for you I'll show you how to use it. Before you use EFS however, you may need to turn of simple file sharing (SFS). To do this select Tools -> Folder Options and then click the View tab. In the 'Advanced settings:' area, scroll down until you see 'Use simple file sharing (Recommended)' and uncheck the checkbox (if it's checked). Now you can continue.
To encrypt a file you first need to open up Windows Explorer (not Internet Explorer!) so that you can find the file to be encrypted.
Locate the file that you want, right-click the file, and then click Properties. On the General tab click Advanced. Under Compress or Encrypt attributes, select the 'Encrypt contents to secure data' check box and then click OK. If the file is located in an unencrypted folder you receive an Encryption Warning dialog box. Use one of the following steps if you get this dialog box:
-If you want to encrypt only the file, click 'Encrypt the file only', and then click OK.
-If you want to encrypt the file and the folder in which it is located, click 'Encrypt the file and the parent folder', and then click OK.
Other users cannot copy/move or view the file or folder. Pretty easy, huh? Encrypting a folder is done the same way. Once you have a file/folder encrypted you might want to be able to share that file/folder with another user.
Right-click the encrypted file and then click Properties. Click the General tab (if it is not already selected) and then click Advanced. Click Details -> Add. Select the user you want to share access to the encrypted file with and then click OK. That's all there is to EFS.
Encrypting the temp directory (pro edition only)
Since this is the directory where your applications store their temp info, and since some of this info could be harmful if obtained by an attacker (such as passwords, usernames, etc), you should encrypt this directory. This also prevents race condition attacks on temp files.
Disabling default shares
There are certain shares created on your system by default such as IPC$, ADMIN$, FAX$, PRINT$, the NETLOGON share, and others. You only really need to worry about keeping these if you are on a network. In case you've never actually seen the ADMIN$ share, it's created when you map a drive to the system root folder (%SYSTEMROOT%).
From the control panel select Administrative Tools -> Computer Management. You will see in the left pane an icon labeled Shared Folders. Click on it and in the right pane double-click on the Shares icon. Right-click on the share(s) you want to disable, select Stop and then click OK.
By default, any shares such as C$, D$, ADMIN$ and any other administrative shares that are stopped are recreated when the machine reboots. To prevent this from happening click Start -> Run and then type 'regedit'. Click HKEY_LOCAL_MACHINE -> System -> CurrentControlSet -> Services -> LanmanServer -> Parameters. Right-click on the key AutoShareServer and set the value to 0. If you are not setup as a server and are setup as a workstation, the key you need to change will be named AutoShareWks. If the key isn't present you need to create it by right-clicking in the right pane and selecting New -> DWORD Value. Create the AutoShareWks or AutoShareServer key as appropriate.
Disabling unnecessary services
Go to Start -> Run and type 'services.msc'. I'm not going to explain every service, but here's a list of services that are suggested you disable:
Alerter, Application Management, Background Intelligent Transfer Service, ClipBook, COM+ System Application, Computer Browser, Cryptographic Services (has nothing to do with EFS), DHCP Client (unless you know you need this), Distributed Link Tracking Client, Distributed Transaction Coordinator, DNS Client (only keep if you use IPSec), Error Reporting Service (yeah, like you need this), Help and Support (do you really need this?), Indexing Service (can we say resource hog? lol), Logical Disk Manager, Logical Disk Manager Administrative Service, Messenger (nothing to do with instant messangers), MS Software Shadow Copy Provider, NetMeeting Remote Desktop Sharing, Network DDE, Network DDE DSDM, Network Location Awareness (only keep this if you use ICF or ICS), Performance Logs and Alerts, Portable Media Serial Number, QoS RSVP, Remote Desktop Help Session Manager (if you didn't disable it earlier), Remote Procedure Call (RPC) Locator (do NOT disable the normal RPC service!!!), Secondary Logon (unless you use it), Security Accounts Manager (only required by IIS Admin), Smart Card, Smart Card Helper, System Event Notification, Task Scheduler (unless you use it), TCP/IP NetBIOS Helper Service, Telnet (not available on home edition), Terminal Services, Uninterruptible Power Supply (unless you need it), Upload Manager, Volume Shadow Copy, WebClient, Windows Image Acquisition (unless you have a scanner/camera), Windows Time, Wireless Zero Configuration, and finally WMI Performance Adapter.
Now that's a lot of unnecessary services. Not only are some of these services vulnerable to attacks, but you'll have a faster boot time with all that junk disabled and a slightly faster system since things like the Indexing Service really eat your memory up. My system only has 15/79 services running (things like PnP, Windows Audio, etc).
Disabling Distributed COM (DCOM)
Ever notice that TCP port 135 when you issue the 'netstat -an' command? That's Distributed COM. Having trouble getting rid of it? hehehehe
The best way to disable DCOM is in the registry. Click Start -> Run and type 'regedit'. Select HKEY_LOCAL_MACHINE -> Software -> Microsoft -> OLE. Change the key EnableDCOM from having a value of Y to having a value of N. Reboot your maching and issue the 'netstat -an' command again. TCP port 135 should not show up.
This port 135 is TCP. Do not confuse this with the UDP port 135. UDP port 135 is used by Messanger, and if you turn off this service you won't be able to be exploited with that pop-up exploit.
Auditing is something most people either don't want to do because it seems boring or because they are scared of the word. If you want to make sure your security is being maintaned you need to enable auditing. And it's not difficult either. To enable auditing just click Start -> Run and type 'secpol.msc'. Under 'Local Policies' select 'Audit Policy'. Enable auditing for anything you want to keep an eye on, such as bad login attempts, successful login attempts, or whatever. Since each item has a different value of importance when related to security for each person, you just have to set what you want to audit and disable the rest.
Finally, you need to download the latest Service Pack and any extra updates Microsoft provides through the Windows Update. A lot of these updates fix things like remote buffer overflow vulnerabilities and provide fixes to little bugs that can really become annoying. Most of these you can't fix yourself, so just take a little time to download the patches, service packs, security updates, etc.
You might also want to think about running a firewall such as ZoneAlarm or Tiny Personal Firewall which can both be found from google. From the scans I've run against my system, having a firewall is pointless if you use most of the methods described in this paper. But if you're extra paranoid, as I am, run a firewall.
This paper was just a brief overview of how to secure your computer. There are lots of other things you could do to secure your computer even further, but I didn't want this paper getting too long.
To test your security you can download the Microsoft Baseline Security Analyzer (MBSA) application from the Microsoft website at http://www.microsoft.com/technet/tre.../mbsahome.asp. It's only 2.7M so there's no reason why you can't download it.