Securing 2000 Pro
Results 1 to 9 of 9

Thread: Securing 2000 Pro

  1. #1
    Junior Member
    Join Date
    Feb 2005
    Posts
    7

    Securing 2000 Pro

    Here is a text file I wrote. I am looking for feedback to make it better.




    Originally posted Chuckie's Site by akachuckie


    This is my guide on securing a Windows 2000 computer.
    Written by chuckie


    Contents
    1. Intro
    2. Installing windows 2000 securely
    A. Pre-installing
    B. Installing
    1. Installing
    2. Networking section
    3. Creating the users and
    A. Creating the users
    B. A little about the user access levels
    C. Securing rest of users
    4. Changing folder access and securing your drives
    5. Administrative Tools
    A. Local Security Policy
    1. Working with Account policies
    2. Working with Local Policies Settings
    B. Event Viewer
    6. Registry Editing
    A. How do you edit your registry?
    B. Some Security Tweaks
    7. Programs to disable
    8. Working with default shares.
    9. Other stuff




    1: Intro
    ________________________________________________________________________________
    I have set it up as a single user, non-server computer. These tricks might not work on all computers. Some will say this is to extreme, but better safe then sorry. Be careful when doing anything to your computer. If you do not know what it will do… Look it up on the internet first or ask a friend.
    I assume you know a little about your computer. If you are brand new to computers, I would wait before trying any of this.



    2: Installing windows 2000 securely
    ________________________________________________________________________________


    Pre-installing
    When I start, I make sure there is no virus’s on the drive. I use a program called clean1k. You can find these types of programs on the internet. It wipes all partitions on the drive. Usually you insert the disk into your A: drive. Then restart your computer. When your screen comes back on your bios starts up.
    You have to edit your bois to boot from A: drive and you will have to hit a key to access the bios. It will usually tell you somewhere on that first screen. However, some of the Common ones are F5, F1-F3, and F10. If any of these should not work, I would search the internet for your motherboard key. Somewhere in the menus is “boot menu”. Make sure that A: drive and a cd drive are selected. Save and exit. Do not put your install cd yet. When it comes back up follow the instructions on screen. Then I would restart to save it to the MBR. Next Put in your bootable floppy and when it gets to the A: prompt. Type “fdisk”. Answer yes to any questions. Hit “1” then “1”. Partition the whole drive. Hit esc and restart the computer. When you are A: prompt comes up type “format c:” After this finishes, shutdown your computer.

    Installing
    Put your install cd into your drive and take out the boot disk. Start your computer and hit any key to boot from cd. Delete the partition that we created above because it is just making sure there is nothing left on the drive. When it asks you how much of the drive you want to format. I usually set it for like 75% of the drive so I can have a second partition to install my swap file and any back-up stuff. The second partition should be at least 2 gigs. Install 2000 on your first partition. It will give you an option NTFS or FAT. Choose to install on a NTFS file format. It allows more security and advanced feathers to many to list in this text file. Also during the install when it ask what dir to install Windows NT click on other and change the dir to something like C:\Mydrive That will change the default dir from \winnt to \Mydrive. I will explain more later if it does not give you the option. This will prevent some hacker tools from running and will make it harder for hacker programs to find your programs.
    For your computer name make sure you use a unique name. When you put the password for your administrator account, use numbers and letters together. Try to not use words because they can be brute forced. Also, you might want to use alt characters. You can find these by going to Start=>programs=>accessories=> system tools=>character map. Click on the ones you want to use and at the bottom right corner is the code. Write it down. IF it does not have anything there they will not work for this. To use hold down the “ALT” key and press the number sequence. Then release “alt”. This makes your password VERY hard to brute force.
    Networking section
    Uncheck “file and printer sharing”. Do not do this if you plan to share stuff. You can reinstall it if you want later. Click on TCP/IP=>properties. Under the DHCP tab, select “advanced”. Select the “WINS” tab, select “disable NetBIOS over TCP/IP”. Then click on the “Options tab”. Go to IP security=>properties. Click on “Use this IP security Policy” and change it to “server (request security). Then hit ok. “TCP/IP filtering” is fun to mess with but be careful because you can cause some of your programs to not be able to connect to the internet. Only add the ports you will use (80, 8080, etc...). You can change these later by going to start=>settings=>network and dial up connections=>your network device. OK now workgroup name. Make sure it is unique and it cannot be traced to you. Example, Do not use your name, location, etc… Then it will restart and install all of the programs it needs. After it is done, it will ask you to remove your cd and restart. When it starts up again, make sure you disable booting from anything BUT your hard drive. When you restart the “network Identification Wizard” will come up. Make sure you select “User’s must enter password”. You do not want someone being able to sit down in front of you computer and log on without a password.


    3: Creating the users
    ______________________________________________________________________________

    Creating the users
    Ok first off you need to create a user other then the default Administrator. I will call it user-one for this text. Create user-one by going to Start => settings => control panel. Then click on Administrative Tools. Go to Computer Management =>Local users and groups and hit the +. Click on Users and at the top under the menu Action selection select "new user". Create the user "user1" and under description put nothing so if Hackers are able to view the users they cannot figure out what the user has access to make sure to make the password at least 8 characters long and numbers and letters. It is always best if you do not use words as they can be brute forced. Click on the box next to “User must...” and then click “user cannot change the password”. (Because you can always change it with Administrator account) After you are done, hit create and close that window. Now click on the user that you just created, click on Member of tab. Hit ADD, and add Administrators to the list. Then hit ok. Then hit apply and hit ok. Now your new user will be created and has Administrator access. You can repeat this for as many users as you want. But I would only create as many users as you absolutely need.

    A little about the user access levels
    Administrators: Administrators have complete and unrestricted access to the computer/domain. Can create, delete users; change the passwords on user accounts. Change ownership on folders/files.
    Power Users: Power Users possess most administrative powers with some restrictions. Can create, delete users, and change the passwords on user accounts. Cannot edit the administrator account. Able to use the Administrative Tools. Can edit file/folder permissions.
    Users: Users are prevented from making accidental or intentional system-wide changes. Cannot even view, edit, or change the Administrative Tools by default. Cannot edit file/folder permissions.
    Guests: Guests have the same access as members of the Users group by default,
    Except for the Guest account which is further restricted. Cannot even view, edit, or change the Administrative Tools by default.

    Securing rest of users
    Ok now on the user account screen select the Administrator account by right clicking on the Administrator name and hitting "Rename" Change the name to something like user2. Then hit enter. After changing the name, you need to double click on the name so that the properties come up. Delete everything in the full name and description box. Then hit apply and ok. Now create a user with the name Administrator and the description "Built-in account for administering the computer/" Make them a Member of "Guest". Ok now we do the guest account. Rename it to user3. Delete everything in the full name and description box. Then hit apply and ok. Also disable this account by double clicking on the user3 and clicking in the box Account is disabled and user cannot change the password. If you want, you can create a fake guest account but make sure you put "Built-in account for guest access to the computer/domain" in the description box. Ok you have now fixed you member access. What this does is make it harder for an attacker to figure out which account is the administrator. They will waste time brute forcing the wrong account. Make sure that only your user1 and the built in administrator has Administrator as its group. Make sure you do not give to much access to your users. They will use it to mess things up.


    4: Changing folder access and securing your drives
    ________________________________________________________________________________

    Changing folder access and securing your drives
    Go to my computer. Open your c: drive. Select all the folders in there BUT WINNT and the programs. If you select them to change access, it may cause programs not to run. Right click on one of them making sure the ones you want are still selected. Select properties. Select the security tab. At the bottom un-check the box that says, "Allow inheritable..." when the box pops up select "copy". Then select everyone and hit remove. Then hit "ADD". The names with two heads are user groups and the ones with one head are users. Add your user that you created user1 (1head), System (2heads), and what ever you named your administrator account. That will only allow you, administrator, and the system to access those folders. Don’t add administrators (2heads). So that even if the attacker gets Administrator access they will have to change all the permissions. When you hit ok you will come back to the security menu. You need to give all of these "Full Control". Then hit apply and ok. If you add a program that writes to the root dir (C:), you need to add these properties to it. Unless you have them set up to inherit permission from the parent folder. You can also change whole drive settings. We will call it E: for this example. Go to my computer=> then right click on E: and select the security tab. Then ADD user1, System, what ever you named you administrator account, and any other accounts you want to access that drive. After you add all the accounts then you can adjust how much access you want them to have. After that, you will want to click on "advanced" click the box that says, "Replace permission entries..." What that does is change all the security settings on all folders under that drive. If you double click on any user/group on that screen, you can change more security options. You can do this to other folders BUT be careful it can mess up your system. Also, you will want to delete all files in the C:WINNT\repair\. These are the back-ups you system creates at install. The file “Sam” and “Security” stores your passwords and can be decrypted and used to get the passwords, or used to replace the files and reset your passwords back to what they were at install.
    Always back up :)


    5: Administrative Tools
    ________________________________________________________________________________
    Ok first off I would have to warn you BE CAREFULL. Ok first go to =>start =>settings =>control panel =>Administrative Tools

    Local Security Policy

    Working with Account policies
    Click on Password policy.
    Ok we will start with password Policies. Click on Account Policies and then click on Password Policy. On the right side click on Enforce Password history and make sure it says zero passwords remembered. This will not store any passwords. Always a good idea.
    Ok now we will move on to Minimum password length. You can set what you want the min. number of characters you want them to use. You do not have to mess with this one. This can be handy if you want to let your users to set there own passwords. Remember the longer the better.
    Next, we have Passwords must meet... That is to make sure all your passwords meet the complexity requirements like letters, numbers, and no words. This is also a good idea if you want your users to set there own passwords. Ok on to Store passwords using reversible... This is a very good idea. Make sure you enable this one. It makes it a lot harder to use a program to decrypt your passwords.
    Then click on Account Lockout...
    Change Account lockout duration to 60 minutes by double clicking on Account lockout duration. Then change it to 60 in the box. When the box comes up just hit ok. Then change Account lockout threshold to 3 invalid... and change Reset account... to 60 minutes. That will make it if someone tries 4 times to guess your password it will lock them out for 60 min. This will prevent brute forcing the password from the logon.

    Working with Local Policies Settings.
    Click on Local Policies on the left side menu.
    Click on Audit Policy. Click on each one so you can change it to a check on the box next to success and failures. Do it to all of them. That way you can log all failures and success. That way to can track what your users are doing.
    Now on to User Rights Assignment.
    Make sure that none of the "local settings" has anyone But Administrators, user1, and system. If they do double click on the policy and uncheck the ones you do not want and add any that you do want. Make sure you add the Group (2 heads) Administrators. Remember you want to prevent anyone from accessing anything with out your permission. I will point out some that are important to edit. Ok the one that is called Log on remotely make sure you ONLY add the user you want to logon (Administrator, user1) from the network. I would allow NO ONE to log on from the network. You can still connect to other computers. Be very careful whom you give access to because they can be used to get into a box from the network/internet. Also, check out what is under log on locally... Make sure only necessary accounts can log on locally. This is the simplest way to get on to a computer and cause damage. Uncheck anyone you do not want to be able to sit down in front of your computer and log-on. That will prevent people from login on and running exploits. If you do not add a user, THEY WILL NOT BE ABLE TO LOG ON AT ALL. Manage auditing...log make sure, only your Administrator can access the logs so that someone cannot edit or delete the logs used to track your users. Load and unload device drivers. Make sure that only Administrators can add drivers. Bad or hacked drivers are an easy way for someone to hack you box.
    Force shutdown...system. Remove everyone from this. It makes it way to easy for someone to shut down your system
    Security Options
    This is going to be a long one.
    "Additional restrictions for....". Change local policy settings to "No access without explicit anonymous permissions" This will stop people from accessing your computer as an anonymous user.
    "Allow system to be… log on" change it to Disable by clicking on the circle by "disable". What this does is allow you to log on and do stuff then log off but let your computer still run. Now no one can shut down your computer without pushing the power button or logging on.
    "Audit..." there are two of them. You want to Enable both of them as it can also help you track what your users are up to.
    "Disable CTRL+ALT+DEL requirement for logon" to "disable" This will require you to hit CTRL+ALT+DEL to log on. Very good security option. This prevents a program from running during or before you log-on.
    "Do not display last user name in logon screen" to "enable". This way someone trying to log on to your computer will not have a user name to brute force.
    The next one is not really a security option but it is fun to play with. "Message title for...." change it to what you want it to say in the message title. Then change "Message text.." to what you want to be the text for the message. It will be displayed after they hit CTRL+ALT+DEL and before the logon screen.
    "Prevent users from...drivers" Like above you do not want to allow users to install drivers because they could cause you computer to become unstable or hacked.
    "Recovery Console: Allow automatic administrative logon" change it to "Disable". You do not want anyone to be able to get on the computer with out a password.
    "Recovery Console: Allow Floppy copy..." to "Disable". This will prevent any exploits that might be out there.
    “Rename administrator account” Change it to what ever you named your administrator account above.
    “Rename guest account” Change it to what ever you named your guest account above.
    "Restrict CD-ROM access..." Change it to "enable".
    "Restrict Floppy access..." to "Enable" That will stop a NT password disk from being able to get the passwords or change them. It also stops most boot-up programs from reading the NTFS volume.
    Very helpful.
    Ok that is all for the Local Security Settings.
    After you are done working on these, you will have to restart to have to changes take effect.

    Event Viewer
    First thing is click on event viewer. Right click on “Application Log”=> Properties. Then change “Log Size” to a higher setting. The max is 4194240 kb. You will also want to make sure “Do not overwrite events” is selected. The reason is you want to make sure you record as much information as you can.
    Next is some registry tweaks. If you don’t know how to edit your registry. Please skip forward to Chapter 6.
    This registry tweak allows you to restrict access to the event log to administrators and system accounts only.
    [HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/EventLog/Application]
    "RestrictGuestAccess"="1"
    [HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/EventLog/Security]
    "RestrictGuestAccess"="1"
    [HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/EventLog/System]
    "RestrictGuestAccess"="1"


    6. Registry Editing
    ________________________________________________________________________________
    How do you edit your registry?
    First thing I have to do is warn you modifying the registry can cause serious problems that may require you to reinstall your operating system. Be very very careful.
    What is the Registry? The Registry is a database used to store settings and options for your programs and Operating System.
    You can get to the registry by going to start=>run=> and type ”Regedit” or “regedit32”.
    Here are what the keys you see are for.
    HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.
    HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.
    HKEY_LOCAL_MACHINE - This branch contains computer specific information about the type of hardware, software, and other preferences on a given PC, this information is used for all users who log onto this computer.
    HKEY_USERS - This branch contains individual preferences for each user of the computer, each user is represented by a SID sub-key located under the main branch.
    HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
    HKEY_DYN_DATA - This branch points to the part of HKEY_LOCAL_MACHINE, for use with the Plug-&-Play features of Windows, this section is dynamic and will change as devices are added and removed from the system.
    Here is how to edit it using the vales I use.
    Example:
    [HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/EventLog/Application]
    "RestrictGuestAccess"="1"

    Click on the + next to each key till you get to the last value.
    +HKEY_LOCAL_MACHINE
    +System
    +CurrentControlSet
    +Services
    +EventLog
    +Application
    The next part you click on the last value “Application”. On the right side are the values stored in that key. Look for the value “RestrictGuestAccess”. If it isn’t there do not worry just create the value. Double click on “RestrictGuestAccess” and change to value to whatever. In this case “0”.
    If you have to create the value you will be given the choices of String, Binary, and Dword. Here is what they are used for.
    REG_BINARY - This type stores the value as raw binary data. Most hardware component information is stored as binary data, and can be displayed in an editor in hexadecimal format.
    REG_DWORD - This type represents the data by a four byte number and is commonly used for Boolean values, such as "0" is disabled and "1" is enabled. Additionally many parameters for device driver and services are this type, and can be displayed in REGEDT32 in binary, hexadecimal and decimal format, or in REGEDIT in hexadecimal and decimal format.
    REG_SZ - This type is a standard string, used to represent human readable text values.

    Some Security Tweaks

    Internet explorer
    1. Empty cache after closing window
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
    "Persistent"="0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
    "Persistent"="0"
    2. Disable Caching of Secure Web Pages
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Internet Settings]
    ”DisableCachingOfSSLPages”=”1”
    3. Change the Internet Explorer User Agent String
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
    “(Default), Compatible, Version, Platform”=”Whatever” (String Value)
    This tweak may affect some online services that read this information to detect the operating system such as Microsoft Windows Update
    4. Change the Number of Simultaneous HTTP Sessions
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Internet Settings]
    ”MaxConnectionsPerServer, MaxConnectionsPer1_0Server”=” Number of Simultaneous Connections”

    Remote access
    1. Configure Remote Access Client Account Lockout
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\
    Parameters\AccountLockout]
    ”MaxDenials, ResetTime (mins)”=”some number in min.”
    2. Number of Remote Access Authentication Attempts
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\
    Parameters]
    ”AuthenticateRetries”=”1-10”
    3. Restrict Anonymous User Access
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
    ”RestrictAnonymous”=”0 = allowed, 1 = restricted, 2 = require anonymous permissions”


    7: Programs to disable
    ________________________________________________________________________________
    You can disable these programs by going to =>start =>settings =>control panel =>Administrative Tools=>Services
    To disable them double click on the program, under service status hit stop. Wait for it to stop. Then under start-up type change it to disabled.
    Messenger= you want to stop all those annoying netsend messages, disable this program. Warning you will not get your alert messages either.
    Telnet= for remote accessing your computer. Disable
    Remote registry service= um... like it says. Disable
    Also, disable any programs that you are not using or it could be used for an exploit.


    8: Working with default shares.
    ________________________________________________________________________________
    Windows has some default shares. You can disable them by going to start => settings => control panel => Administrative Tools. Click on Computer Management and select "shared folders" on the left. Then click on "Shares" And just right click on each one and select "end share" then hit ok. If you restart your computer, the shares will be back so you will have to disable them each time. You can stop them from reappearing by using REGEDIT. Go to
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters]
    "AutoShareServer"="0"
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters]
    "AutoShareWks"="0"
    These are some default shares IPC$, c$, e$, etc. They can be used on a network to gain full access to your computer.


    8: Other stuff.
    ________________________________________________________________________________
    Next, you need to make sure you get a good firewall because winnt does have some default programs running that can be exploited. And there are ALOT of exploits out there for windows. It is best if you keep up on the exploits out there. And how to protect your self from them.


    9: Security Programs.
    ________________________________________________________________________________
    Baseline scanner from Microsoft. It scan’s you computer for updates, exploits, and security issue’s.
    http://www.microsoft.com/technet/sec.../mbsahome.mspx


    I will keep working on this and add more... If you have any ideas send me some E-Mail.

    ;)

    Chuckie at ickielf.C0M



    Install
    NVIDIA
    WinZip
    Fire fox
    Nero
    Word 2002

    Swap Files
    First, we are going to move the swap file to a different place and make it a little bigger. Right click on "my computer", "Advanced" tab. Click on "performance options" under performance title. Under Virtual memory click on "change". I use between 1000 to 1500 swap size on new drive.

    Viewing Hidden files
    Open c: drive, TOOLS=>FOLDER OPTIONS...=>"View" Tab=>Check mark all under
    "Files and Folders", "Hidden files and folders" Select "Show hidden Files and folders", DE-select "Hide file extension for known file types" and
    "Hide protected operating system files"
    Its not are you paranoid, But are you paranoid enough
    FTP server up someday I hope...

    Freedom of information is Your right..

  2. #2
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    Good article,

    I do have a recommendation:

    Why are you adding admin rights to the user you created above? It is not recommended to be logged on with admin rights unless you are specificly doing something that requires those rights. I would not add the administrators group to the new account.

    In addition to that, you can do many administrative functions using the "RunAs.." command.

    The rest of your statement looks ok, just my 2cents
    \"Common Sense, isn\'t that common\"
    \"It is a lot easier to raise a child then it is to repair an adult\"
    -Kruptos

  3. #3
    Junior Member
    Join Date
    Feb 2005
    Posts
    7
    hm..

    I am working on what to do with the new account right now
    The only reason is so you can run simple programs like X-Setup. Then you edit the reg to make it
    more secure then make the rights power user.
    (will recomend to make user but some of my new idea's will not work with out power user or above)

    I am also trying to block alot of fuctions like regedit from the new account
    Its not are you paranoid, But are you paranoid enough
    FTP server up someday I hope...

    Freedom of information is Your right..

  4. #4
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    That's a solid little tut you're building there. I'd suggest the aforementioned, plus *zero* access to not only the registry, but also the administrative tools, services, etc., as I see you've done. I would also most definitely put in some sort of upload/download logging in if the network has internet access - keep your finger squarely atop of what your (l)users are up to and nail them as necessary.

    All in all, I see this tut as solid! Enjoy the Greens.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  5. #5
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    akachuckie, I think this looks like a solid tutorial. I'm curious why you've chosen this topic though...when this work has been done, and THOUROUGHLY, buy others already...
    article re: Win2k Pro Gold Standard security benchmark

    There are also several tools available to help organizations achieve something resembling this state.

    Like I said, it looks great and I'm not knocking it...but I'm curious where your coming from. One of the best ways for me to clarify my thoughts and knowledge on a subject is to explain or teach it to others (Stephen Covey has somethings to say about this as well.)

    But really, this is a good effort. Nicely done.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  6. #6
    Junior Member
    Join Date
    Feb 2005
    Posts
    7
    Originally posted here by zencoder
    [B]akachuckie, I think this looks like a solid tutorial. I'm curious why you've chosen this topic though...when this work has been done, and THOUROUGHLY, buy others already...
    I am very intrested in security and Windows is something I know about. I have been useing windows at almost every job I have been on. Also I want to make sure that I am useing good logic when trying to secure an o.s. And I want to make sure that people are safely useing windows 2000 because ALOT of networks out there use it.

    There are also several tools available to help organizations achieve something resembling this state.
    Checked out the link. Very interesting. I am going to play around with it a little and see how it does. I love how it does a securty audit on your computer kind of like baseline scanner from microsoft.

    Like I said, it looks great and I'm not knocking it...but I'm curious where your coming from. One of the best ways for me to clarify my thoughts and knowledge on a subject is to explain or teach it to others (Stephen Covey has somethings to say about this as well.)
    I would love to talk about any information you may have about windows. I am always learning.
    Its not are you paranoid, But are you paranoid enough
    FTP server up someday I hope...

    Freedom of information is Your right..

  7. #7
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Well, that's all good. Dead-on right for learning and growing...like I said, it helps me to more thoroughly understand the subject matter when I have to explain it to others...especially when they ask questions and make me think about it differently.

    That tool and such...that is what many enterprise sized corporations base their own processes off of. They may not match up to it 100%, but they use that as the guideline to build their own, often.

    The Center for Internet Security is the authority source behind the win2000 gold standard (and several others, as you may have noticed.) SANS is pretty active with them, as is the NSA and Microsoft. It's a great place to get some help.

    Good work!
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Just as a note:-

    Win2k/XP works perfectly well in a standalone, multiuser or domain environment if you select the C: drive, allow only Administrator and System "Full Control" and then open the advanced tab and tell it to force the permissions down through the tree before you do anything else. This is more secure than allowing the arbitrary user full control of the entire drive. Usually all the arbitrary user can screw up is stuff in the C:\Documents and Settings\username folders.

    Other than that you seem to have a nice little checklist there....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    Just my little niggles :

    You did say it was a text file, but couldn't you have pasted into Word [or something like] and done the 'spell check' ? carefull = careful etc.

    Also : Paragraphs and gaps between paragraphs, make the reading easier, and helps in keeping your place when disturbed.

    Your underlines are too long now ..........

    It all shows a lack of polish, and engenders a feeling that we [AO] aren't worth the time to get it RIGHT..........

    As I said, only niggles, no biggies.

    I've printed it to pass to my In-Laws
    [off topic] whats the difference between in-laws and out-laws ?

    Ans : Out-laws are wanted

    [on topic]
    Just to give them no more excuses. re:- "I couldn't remember !!"
    I'll be the one implementing it, but they will be the ones testing it to DESTRUCTION
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides