-
April 8th, 2004, 08:18 PM
#1
Senior Member
Best Way to lock down Windows
Hey people, what software out there is recommended to lock down Windows 2000 Pro and Windows XP? I know we can use gpedit, but I want more options.
-
April 8th, 2004, 08:58 PM
#2
Is this in a client\server environment or stand alone machines? Are you locking down for security or so users can't run things?
"You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn
-
April 8th, 2004, 10:12 PM
#3
If it's to lock down so users can't physically do anything on Win2k, press Ctrl+Alt+Del and click Lock Computer. To unlock it you would need the password to the current user's account, and if you have the Admin password you can switch to the Admin account.
To lock it down for security reasons you can always just download a firewall (Zone Alarm?) and look for the lock down feature.
WARNING: THIS SIGNATURE IS SHAREWARE PLEASE REGISTER THIS SIGNATURE BY SENDING ME MONEY TO SEE THE COMPLETE SIGNATURE!
-
April 8th, 2004, 10:16 PM
#4
There was a good tutorial written recently about hardening remote access to Windows XP.
http://www.antionline.com/showthread...hreadid=255353
-
April 8th, 2004, 10:51 PM
#5
As a minimum, start here:
http://www.microsoft.com/technet/sec.../mbsahome.mspx
When you are done with that, give the specific business role (what it does, what are its asset values, etc) and its environment details (what is around it, how much can be spent on counter-measures, who maintains the system) and you can be provided with accurate follow-up information.
catch
-
April 9th, 2004, 12:15 AM
#6
Re: Best Way to lock down Windows
Originally posted here by mrlucifer
Hey people, what software out there is recommended to lock down Windows 2000 Pro and Windows XP? I know we can use gpedit, but I want more options.
Why not put some effort into it? Microsoft already provides the necessary tools to arm the box.
If you're using XP Home, you also have a few accounts that need to be dealt with. Bring up a command line and type "net users". This will list all the accounts on the machine. You won't be able to delete "Administrator" or "Guest", but you can delete "HelpAssistant" and "Support".
Just type
Code:
net user "accountname" /delete
Next, Type
Code:
control userpasswords2
and change the name of "Administrator" to something that looks more like a basic user account name and make the password fairly strong. Do the same with "Guest".
Next, navigate to these keys within the registry and apply the necessary configuration:
HKEY_LOCAL_MACHINE-->Software--> Microsoft--> Ole--> EnableDCOM. Set its value to N instead of the Y that's shown.
HKEY_LOCAL_MACHINE-->Software--> Microsoft--> Rpc. Once there, take a look over at the right hand panel and you'll see "DCOM protocols"; double click it. Do not modify the entire value, but instead only remove ncacn_ip_tcp from the DCOM Protocols value, and leave everything else untouched.
HKEY_LOCAL_MACHINE-->SYSTEM-->CurrentControlSet-->Services-->NetBT-->Parameters. Now look in the right hand panel at TransportBindName and double click it. It should have a value set of "/device/"; just remove it and you're good to go.
And finally, use this text file and turn it into a .reg file by simply changing the extension within your favorite text-editor. Double-click it, and reboot. Once you get that up go check how many ports are open. There probably won't be any at all.
This configuration is to my needs of course, which are Internet(Normal desktop usage) & the ability to run without third-party software like a firewall. I'm quite comfortable with my configuration.
Edit***
Just wanted to add: if this is after a fresh install and pre MS-patches, some ports will reopen after certain patches are applied (not completely sure which ones, could be SP1, I don't know, I don't install all MS patches) so you will have to re-apply a few of the registry changes and possibly re-apply the .reg tweak. Just wanted to notify you of that.
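The three registry changes in the post above can be checked from a regedit export, which also catches the case the edit mentions where a patch puts a value back. This is an added example, not part of the original post: the export text is constructed sample data showing stock settings, and the key paths use the registry's own spelling (SOFTWARE, EnableDCOM, Parameters).

```python
import re

# Key paths and value names follow the post; EXPORT is constructed sample data
# in regedit "Version 5.00" text form, showing stock (unhardened) settings.
OLE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
RPC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc"
NETBT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"DCOM Protocols"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,\
  74,00,63,00,70,00,00,00,6e,00,63,00,61,00,63,00,6e,00,5f,00,73,00,70,00,78,00,\
  00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"
"""

def parse_reg(text):
    """Parse export text into {key_lower: {value_name_lower: data}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join hex continuation lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("hex(7):"):    # REG_MULTI_SZ: UTF-16LE, NUL-separated
                data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
                current[name] = [s for s in data.decode("utf-16-le").split("\0") if s]
            elif raw.startswith('"'):        # REG_SZ, with \\ and \" escapes
                current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys

def audit(text):
    """Map each change from the post to True if applied; a missing value is False."""
    keys = parse_reg(text)
    get = lambda key, name: keys.get(key.lower(), {}).get(name.lower())
    protocols = get(RPC, "DCOM Protocols")
    return {
        "EnableDCOM=N": get(OLE, "EnableDCOM") == "N",
        "ncacn_ip_tcp removed": protocols is not None
            and "ncacn_ip_tcp" not in [p.lower() for p in protocols],
        "TransportBindName empty": get(NETBT, "TransportBindName") == "",
    }

if __name__ == "__main__":
    for check, ok in audit(EXPORT).items():
        print(f"{'applied' if ok else 'NOT applied'}: {check}")
```

Files written by regedit in this format are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing the text to `audit`.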
-
April 9th, 2004, 06:37 AM
#7
Depends on the reasoning for your security. If you are interested in just locking it down to be more secure, then follow some of the advice mentioned herein.
If you actually want to gain some knowledge, set up another PC. It doesn't have to be anything extremely powerful, just something with enough power to run an OS. For example, you could run a version of nix and make install smoothwall (learn some iptables while you're at it). Run it between your Windows machine and the internet.
I know this will require some more knowledge of another OS. But if you are interested in learning, what better way?
I know it might seem kind of funny to use a nix box as a layer of extra security for a windows box, but there is no better place to hide than right out in the open.
I learned some basic networking with the desire to run turn based Heroes of Might and Magic. I had three PCs; I installed some old token ring cards, then hooked it all up with an Andrew MAU. I learned how to set up some basic TCP/IP services. Along with some other stuff, I learned a lot.
As far as physical security goes, I think in many cases it is more difficult than remote security. With IE and notepad you can do just about anything you need to break a Windows box. Those two apps are both evil and a blessing (depends on which hat you wear perhaps). I'd definitely listen to imitationrust on the accounts however. Learn how to use and edit the registry. There are lots of useful things you can change in the registry.
Hope my opinions and advice helped.
Be safe and stay free
Your heart was talking, not your mind.
-Tiger Shark