January 18th, 2003, 03:42 PM
Your Windows computer security config?
Thought it might be an idea to post some some Windows security configs. It may be of interest
to others who do not what is available out there. So to start the drum roll here is mine;
a. SMC Barricade router (Soon to be a Cisco router/switch)
b. Norton f/w and a/v
c. The Cleaner by MooSoft (the best trojan remover out there)
d. TCMonitor by MooSoft (part of above program) monitors registry changes
e. ActivePorts by Smartline Inc. Used to monitor and kill if necessary my active connections
f. Ethereal, Windump to look at my incoming packets
That is it for mine. I would be interested to see what other people have on theirs!
January 18th, 2003, 04:31 PM
Those are some really excellent ideas Don. My suggestions are more Setting based than Software based. These suggestions are security oriented as well as privacy oriented.
1. Like you said, a AV and Firewall setup. In particular, the firewall configs are the most important. I found some websites with some standard firewall rulesets.
2. Disabling Referers (for privacy related issues)
3. Alteration of a good number of switches in my IE security options tab, focusing on things such as Java applet scritping and Active X control scripting.
4. Elimination of access to certain system files, in particular those that reference ad cache and scripting.
These are a few things I've done to boost my security configurations. I've got a long way to go, but it's a start
The object of war is not to die for your country but to make the other bastard die for his - George Patton
January 18th, 2003, 04:35 PM
Hey, great question, Don!
I currently run on both my laptop and desktop the following:
Active Ports - this is great if you are a netstat junky.
Spybot Search and Destroy
There are a few other programs on my desktop but they are pretty much overkill. I have nothing on my *nix box as it has yet to join my network.
January 18th, 2003, 04:38 PM
My os is windows 2000 pro with service pack3 and all the latest updates, make sure that you keep your os up to date with the latest patches, it makes it harder for crackers to enter
I have zonealarm pro for my firewall which I have set to block everything which I don't want, and mcafee 6 for my virus checker, which I run the virus shield all the time and do a whole disk check on fridays.
I have renamed my admin account and have created a fake admin account with a massive 48 letter password to confused would be hackers
I have also stopped a number of windows services that are a waste of time and could be used to break in or annoy you, eg the messenger service which creates pop-ups whist online from companys I stopped. Have a look on google to see what services to stop
I set the secuity policy to log bad log in attempts to keep on eye on phyical attempts to use my pc (eg my sister )
Next week when I have broadband installed, I plan to purchase a router, with NAT translation, Which will increase the security of the pc's in the house
January 18th, 2003, 09:25 PM
In my case, it usually means AVG as the antivirus, kerio firewall, use of Opera browser instead of IE, general security practices. Usually, but sometimes I am not using either fire or antivirus.
January 18th, 2003, 09:47 PM
At work our clients run windows 2000 professional.
First of all i have tightend the system in the settings under local security.
1 - I log all logins (succesfull and failed)
2 - If a system is idle for more than 20 mins, it logs out and also logs out of any shares on the local network.
3 - No user is allowed to install software or printers, or any drivers.
4 - I specify exactly which station is allowed to connect to my shares and which not.
5 - All users on the system (xcept myself) are restricted users.
6 - All users have to press ctrl+alt+del before logging on.
7 - I have legal disclaimers set up on every machine including the servers.
8 - alt+f4 is disabled aswell as ctr+alt+del when a normal user is logged in.
9 - Inside "start - programms" i only have the specific software needed for the company (no games, no multimedia, no nothing xcept office and a few other company related programms)
10 - All passwords must meet certain standards (like minimum of 10 chars, they have to include small, capital, numbers, and chars)
11 - All passwords have to be changed every 2 months.
12 - Users are not allowed to change passwords.
13 - Users cannot enter any kind of shell (command prompt)
14 - Regedit is disabled.
15 - No additional hardware can be set up by the users.
16 - Zone alarm is setup by admin, and no access to it can be done by users. (The admins settings are set once and thats it, no other rules or networks can be defined by users.)
17 - Users cannot apply any changes to the network settings.
18 - Panda antivirus is always in mode "realtime" scanning.
19 - After every reboot adaware scans the entire system.
20 - I have vnc servers on every machine (under a diff port other than its default ofcourse)
21 - My admin accounts have been renamed and all guest accounts are disabled.
22 - I have automated backup software that backup every night to a dedicated backup server on the lan (the backup server connects to the lan only the moment is doing the backups, then it disconnects from the lan again)
23 - Only admins can reboot or shutdown the machines.
24 - No remote access to any removable storage devices (cd, floppy)
25 - I have a prog called backweb that controls at what times the machines have net access (so after work hours, no net access is possible)
26 - All allowed services go through a proxy (to filter out urls, file types and bandwidth control)
27 - Not all machines have internet access.
28 - All java and active X is disabled on the browsers.
That was all local security for each office computer.
Then, i have a squid server running before the FW and a few internal webservers, ftp servers, and 2 dns (1 master and one slave), 1 windows 2000 server for the file sharing, then after the FW (inside the DMZ) i have a public webserver and a public ftp server. Nothing from the DMZ or the internet is allowed inside the LAN (except any states that are related or established from the inside). Then finally the router which allows access to the internet.
uhm... i left something out...ahhhh. The firewall itself. A dedicated box which sits between the dmz and the lan (although the whole network setup "lan+FW+DMZ+Router" are also a "firewall". No outgoing connections are allowed xcept destination ports 80, 25, 110.
Thats pretty much it (not counting my private laptop which is allowed everything)
Hope this gives you an insight of a simple security network.
Ubuntu-: Means in African : "Im too dumb to use Slackware"
January 18th, 2003, 09:57 PM
instronics, do they have the right click?
January 18th, 2003, 09:59 PM
Simple config here,
Sitecom cable broadband router with firewall and on my ordinary PC Win Xp Pro with Norton Security 2003 and system works.
One laptop with Win 2000 Pro and Zonealarm Pro as Firewall.
@ Cheesegoduk, I'm certainly going to search to stop those stupid , unnessecary running processes.
January 18th, 2003, 10:00 PM
jaguar, only on a file, not on the blank desktop. So they cant edit their background, or change the settings for the screens resolutions.
Ubuntu-: Means in African : "Im too dumb to use Slackware"
January 18th, 2003, 10:04 PM
Oh, if they did I was going to mention that half of your items can be broken through by a simple shortcut... for example: DOS is blocked off at my school, all I do is make a shortcut to command and presto: DOS shell open. Are you the head admin at your workplace? You seem to know everything that goes on in your network.