HOW TO SECURE Windows 2000/XP/Server 2003, & VISTA - Page 3

Thread: HOW TO SECURE Windows 2000/XP/Server 2003, & VISTA

  1. #21
    Banned
    Join Date
    Dec 2007
    Posts
    17

    STEP #12 - Windows Server 2003's "SCW" (Windows Server 2003, ONLY!)

    12.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP or VISTA (you have to install this, it does NOT install by default)) first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as a starting point))...

    Directions for its installation are as follows:

    Start the Add or Remove Programs Control Panel applet.

    Click Add/Remove Windows Components.

    On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

    The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

    DONE! Now, run it...

    It is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

    ALSO, per TPU forums user (username "xvi") @ techpowerup.com forums (software section): Use Microsoft Baseline Security Advisor, a free download from Microsoft as well to check your system for security holes, patch updates, etc. (be wary of the fact it does require various services running though, iirc, Terminal Server Services Client - I do NOT keep that running here anymore, & this program failed on me because of that (would not initialize @ all))

    APK

  2. #22
    Banned
    Join Date
    Dec 2007
    Posts
    17

    A LAST CLOSING IMPORTANT POINT (Browser Security)

    AN IMPORTANT POINT:

    STOP JAVASCRIPT USAGE IN YOUR BROWSERS (along with ActiveX & JAVA) On the PUBLIC internet, PERIOD (well, with SOME exceptions on sites that demand you use it, OR those that cannot function properly without it, some examples below)!


    Why? Well, read on:

    Fact is, that today? Well... Javascript's dangerous & can be used AGAINST you, as well as help you... it truly is, or can be, a 'double-edged sword'...

    (For example - if you follow security related news, you will see that JavaScript is the key avenue being used against you in today's attacks (even thru adbanners!)). Some examples:

    http://www.wired.com/techbiz/media/n...11/doubleclick

    &

    http://apcmag.com/5382/microsoft_apo...e_to_customers

    If you MUST use Javascript (for instance, on a particular site like banking or shopping oriented ones)?

    Try "NoScript" (the .xpi addon for FireFox/Mozilla/NetScape 9 etc.) & let it let YOU decide sites to use it on, & then DISABLE JAVA/JAVASCRIPT globally...

    (& if you use IE, trying to do the same can be a nightmare (as IE will "nag you to death" if you turn off javascript on sites that use it)).

    Opera has similar functionality, ALBEIT, built into it by default as a NATIVE tool!

    I.E.-> The ability to GLOBALLY block scripting tools like Javascript, BUT... to also allow it for sites you MUST use it on as exceptions to the GLOBAL rule set in Tools, Preferences menus it has on its menubar.

    Opera has the NATIVE BUILT IN ABILITY to allow you to use it on sites you visit IF you must, via rightclicks on the page & "EDIT SITE PREFERENCES" popup menu submenu item that appears.

    Either way? It works, & I STRONGLY recommend this. I also recommend Opera for these reasons (less security holes period, & the 1 it had yesterday? Patched yesterday too... fast!)

    =====
    SECUNIA DATA ON BROWSER SECURITY (dated 11/29/2007):
    =====

    Opera 9.24 security advisories @ SECUNIA (0% unpatched):

    http://secunia.com/product/10615/?task=advisories

    ----

    Netscape 9.0.0.4 (0% unpatched)

    http://secunia.com/product/14690/

    ----

    FireFox 2.0.0.11 security advisories @ SECUNIA (22% unpatched):

    http://secunia.com/product/12434/

    ----

    IE 7 (latest cumulative update from MS) security advisories @ SECUNIA (37% unpatched):

    http://secunia.com/product/12366/

    ----

    Those %'s are the latest for FireFox 2.0.0.11, Netscape 9.0.0.4, IE7 after last "patch Tuesday" from MS with the "CUMULATIVE IE UPDATES" they have (see the security downloads URL I post in the 12 steps above to secure yourself), & Opera 9.24... all latest/greatest models.

    So, as you can see?

    Well, NOT ONLY IS OPERA MORE SECURE/BEARING LESS SECURITY VULNERABILITIES?

    It's faster too, on just about ANYTHING a browser does, & is probably the MOST standards compliant browser under the sun (not counting HTML dev tools). This is borne out in these tests:

    http://www.howtocreate.co.uk/browserSpeed.html

    AND, yes others (most recently in Javascript parsing speeds, oddly enough, lol... given the topic of my post here that is), right here:

    http://nontroppo.org/timer/kestrel_tests/

    Opera's just more std.'s compliant, faster, & more secure than the others... so, "where do you want to go today?"...

    ALSO - HOW TO SET THE "KILL BIT" ON ACTIVEX CONTROLS:

    (I.E.-> This is how to stop an ActiveX control from running in Internet Explorer)

    http://support.microsoft.com/kb/240797

    In case you have "problematic" or security vulnerable ActiveX controls, per this RealPlayer example thereof:

    http://service.real.com/realplayer/s...007_player/en/

    APK

    P.S.=> Yes, it's LONG, & takes about 1-3 hours to do & test, but worth it... enjoy guys, & IF you have more to add or valid critique? Please do so, thanks... apk
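
Added example, not part of the original post: the kill bit referenced above (KB 240797) is the 0x400 bit of the "Compatibility Flags" DWORD under the control's CLSID key, and this PowerShell sketch reads and sets it. The function names are hypothetical and the CLSID in the last comment is a placeholder; it assumes Windows PowerShell 2.0 or later, run elevated.

```powershell
# Added example. Function names are hypothetical; run elevated (the keys live under HKLM).
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating the control
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on 64-bit Windows reads the redirected copy of the key.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$Clsid)
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path $root)) { continue }
        $key   = Join-Path $root $Clsid
        $flags = 0
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key).'Compatibility Flags'
            if ($value -ne $null) { $flags = $value }
        }
        New-Object PSObject -Property @{
            Key        = $key
            Flags      = $flags
            KillBitSet = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    param([string]$Clsid)
    # Refuse anything that is not a braced CLSID so a typo cannot create a stray key.
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a CLSID in {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form: $Clsid"
    }
    foreach ($state in Get-KillBitState $Clsid) {
        if (-not (Test-Path $state.Key)) { New-Item -Path $state.Key -Force | Out-Null }
        # OR the bit in so compatibility flags that are already set are preserved.
        $new = $state.Flags -bor $KillBit
        New-ItemProperty -Path $state.Key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $new -Force | Out-Null
    }
    Get-KillBitState $Clsid   # read back so the change can be verified
}

# Usage (placeholder CLSID; substitute the one published in the vendor's advisory):
# Set-KillBit '{00000000-0000-0000-0000-000000000000}' | Format-List
```

Internet Explorer reads the flag when it next tries to load the control, so restart the browser before retesting the page.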

  3. #23
    Banned
    Join Date
    Dec 2007
    Posts
    17

    STEP #1 - reposted from front page (I couldn't post all my points earlier & am now)

    ===================================================================================
    APK 12 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):
    ===================================================================================

    1.) HARDENING & SECURING SERVICES HOW-TO:

    Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE). I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privilege user too for this on 2000 if needed)...

    I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

    ===================================================================================

    LOCAL SERVICE startable list (vs. LocalSystem Logon Default):

    Acronis Scheduler 2 Service
    Alerter (needs Workstation Service Running)
    COM+ System Application
    GHOST
    Indexing Service
    NVIDIA Display Driver Service
    Office Source Engine
    O&O Clever Cache
    Remote Registry
    Sandra Service
    Sandra Data Service
    SmartCard
    Tcp/IP NetBIOS Helper
    Telnet
    UserProfile Hive Cleanup Service
    Volume Shadowing Service
    Windows UserMode Drivers
    Windows Image Acquisition
    WinHTTP Proxy AutoDiscovery Service

    ----------

    NETWORK SERVICE startable list (vs. LocalSystem Logon Default):

    ASP.NET State Service
    Application Layer Gateway
    Clipbook (needs Network DDE & Network DDE DSDM)
    Microsoft Shadow Copy Provider
    Executive Software Undelete
    DNS Client
    DHCP Client
    Error Reporting
    FileZilla Server
    Machine Debug Manager
    Merger
    NetMeeting Remote Desktop Sharing Service
    Network DDE
    Network DDE DSDM
    PDEngine (Raxco PerfectDisk)
    Performance Logs & Alerts
    RPC
    Remote Desktop Help Session Manager Service
    Remote Packet Capture Protocol v.0 (experimental MS service)
    Resultant Set of Policies Provider
    SAV Roam
    Symantec LiveUpdate
    Visual Studio 2005 Remote Debug

    ===================================================================================

    PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.

    WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

    If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

    Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

    If that fails (shouldn't, but IF it does)? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

    ListSvc (shows services & drivers states of stopped or started)

    Enable (starts up a service &/or driver)

    Disable (stops a service &/or driver)

    Which can turn them back on if/when needed

    (ON Virtual Disk Service being removed, specifically (because it used to be in this list)): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

    CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this - do consider it, when possible! Many guides online exist for this, & I authored one of the first "back in the day" for NTCompatible.com as "Article #1" back in 1997-1998 - the latest ones are even BETTER!

    ===================================================================================

    SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:


    STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

    Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

    The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

    http://forums.techpowerup.com/showthread.php?t=16097

    "Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use its File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

    (It's easy, & it works, & is necessary for the actual steps to do this, below)

    Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

    STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

    http://support.microsoft.com/kb/816297

    Create and Define a New Security Template

    (To define a new security template, follow these steps)

    1. In the console tree, expand Security Templates
    2. Right-click %SystemRoot%\Security\Templates, and then click New Template
    3. In the Template name box, type a name for the new template.

    (If you want, you can type a description in the Description box, and then click OK)

    The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

    1. To define a System Services policy, follow these steps:
    a. Expand System Services
    b. In the right pane, double-click the service that you want to configure
    c. Specify the options that you want, and then click OK.

    (And, of course, the user feedback on its effectiveness (Makes your Win32 NT-based OS very much like how MacOS X treats its daemon processes via privilege levels), which uses the same general principles)

    It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

    DONE!

    APK
    Last edited by AlecStaar; December 9th, 2007 at 09:49 PM. Reason: Repeating from first page, since I now can post my points here finally
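
Added example, not part of the original post: a read-only PowerShell audit for the procedure above that finds services still logging on as LocalSystem, matches them against a candidate list, and emits the `sc.exe` change and rollback commands for review. The function name and the short candidate lists (a subset of the post's lists) are assumptions; it assumes Windows PowerShell 2.0 to 5.1, where `Get-WmiObject` is available.

```powershell
# Added example. Changes nothing: it only reports and prints commands to run from cmd.exe.
# Candidate display names are a subset of the post's lists; keep only what you have tested.
$LocalServiceCandidates   = @('Alerter', 'Remote Registry', 'Telnet', 'Indexing Service')
$NetworkServiceCandidates = @('DNS Client', 'DHCP Client', 'Network DDE')

function Get-ServiceLogonPlan {
    param(
        [string[]]$LocalService   = $LocalServiceCandidates,
        [string[]]$NetworkService = $NetworkServiceCandidates
    )
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $svc = $_
        # Only services still on the default LocalSystem account are of interest.
        if ($svc.StartName -ne 'LocalSystem') { return }

        $target = $null
        if     ($LocalService   -contains $svc.DisplayName) { $target = 'NT AUTHORITY\LocalService' }
        elseif ($NetworkService -contains $svc.DisplayName) { $target = 'NT AUTHORITY\NetworkService' }
        if (-not $target) { return }

        # Built-in service accounts take an empty password, as the post notes.
        $apply    = 'sc.exe config "{0}" obj= "{1}" password= ""' -f $svc.Name, $target
        $rollback = 'sc.exe config "{0}" obj= LocalSystem' -f $svc.Name

        # "Allow service to interact with desktop" is only valid for LocalSystem,
        # so such a service has to have that option cleared before it can be moved.
        $blocker = ''
        if ($svc.DesktopInteract) { $blocker = 'interacts with desktop: clear that option first' }

        $svc | Select-Object Name, DisplayName, State, StartMode,
            @{ Name = 'CurrentAccount';  Expression = { $svc.StartName } },
            @{ Name = 'ProposedAccount'; Expression = { $target } },
            @{ Name = 'Blocker';         Expression = { $blocker } },
            @{ Name = 'ApplyCommand';    Expression = { $apply } },
            @{ Name = 'RollbackCommand'; Expression = { $rollback } }
    }
}

# Review the plan, change one service at a time, and keep the rollback line at hand.
Get-ServiceLogonPlan | Format-List
```

The new account takes effect the next time the service starts; if it then fails to start, run the matching rollback command, which is the same revert-to-LocalSystem step the post describes.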

  4. #24
    Banned
    Join Date
    Dec 2007
    Posts
    17
    Quote Originally Posted by AngelicKnight
    Interesting...

    Did some googling myself, skimmed over the first result.

    http://www.windowsitpro.com/articles...1095&cpage=148

    Read the comments.
    Yes, please do.

    That's where Arstechnica's JEREMY REIMER had first impersonated me on his OSY forums (& only LATER, after all of the above, admitted to it publicly)!

    Then Jeremy Reimer's friends made threats to "come and fix me" etc.

    That's when I called Law Enforcement on them, had portions of Reimer's website removed under force from his ISP/BSP & law enforcement.


    Jeremy Reimer of arstechnica then showed up @ Windows IT Pro forums pursuing me there, & with his friends, to NTCompatible.com as well... always off topic no less.

    It is also where Jeremy Reimer of arstechnica's ISP/BSP shut him down for email harassment as well & he cut that out VERY quickly.

    It is also where I pointed out Jeremy Reimer has no degree, no certification, & no years to decades of professional experience in the arena of computer sciences, & it showed...


    After all: Jeremy Reimer of arstechnica (one of their "authors") was unable to comment on ANY of the 15 points I noted in favor of memory optimizers, proving my points, wrong. Neither could the article's author, in Dr. Mark Russinovich of Microsoft.

    Jeremy Reimer of arstechnica was offtopic the entire time, & came there to cause trouble... all he got, was his own trouble, of his own making.

    Jeremy Reimer of arstechnica HAD to stay off topic (and, he's supposed to be some "technical authority" in this field?) because he lacks the know-how to BE on topic of discussions of THAT nature.

    ----------------------------------------------

    Especially regarding how Memory Fragmentation adversely affects:

    1.) On how FireFox is adversely affected by Memory Fragmentation

    2.) On how IBM DB/2 database engine is adversely affected by memory fragmentation.

    3.) On how Microsoft Exchange Server is adversely affected by Memory Fragmentation.

    ----------------------------------------------

    AND, what stops this from happening? You guessed it - Memory Optimizers.


    (ALL/EACH to which Jeremy Reimer of arstechnica was unable to disprove, & how Arstechnica's friend Jay Little of arstechnica said he was an "expert" on Exchange, & was unaware of the 3rd point above, & he fell flat on his face on that note).

    Jay Little of arstechnica made a post on his forums & petitiononline.com that "APK MUST BE PUT TO DEATH" & his hosting provider removed that, & removed Jay Little's website from crystaltech.com.

    Which makes sense: They're from arstechnica, lol.

    Need more? I'll gladly supply it, as to the UTTER LACK of technical credibility, lack of honesty, & dirty tricks arstechnica uses & GETS CAUGHT IN (lol)!

    Especially including Jeremy Reimer of arstechnica admitting he impersonated me, publicly, on his OSY forums & Jay Little having his website removed by his hosting provider for death threats made to me (on 2 sites).

    Lastly, more than a few of Arstechnica friends of Jeremy Reimer were laughingly CAUGHT posting as others (to "support themselves", lol) under alternate logon guises, lol... & GOT CAUGHT IN IT, admitting to it. Some "nice honest guys" arstechnica people are, apparently!

    Hilarious, & TOO easy.

    APK

    P.S.=> By the way - that same posting is where I confront a former fellow co-worker of mine in Dr. Russinovich, in regards to memory optimizers (to which he was unable to disprove my points, especially the "top 3" I note in THIS post, above) & where I also show prior to that article issuing, where I had to help Dr. Mark Russinovich correct & stop a ROOKIE hardcode error in his pagedefrag.exe tool.

    All to which Dr. Mark Russinovich of Microsoft emailed me, & thanked me for, prior to that article even being put into print, mind you... apk
    Last edited by AlecStaar; December 9th, 2007 at 10:04 PM.

  5. #25
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Why is this drama being brought here? I'd rather have no posts in the MS forums, than this crap..

    Anybody who doesn't know that Exchange suffers from memory issues doesn't know crap about exchange.

  6. #26
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Memory managers are basically snakeoil crapware.

    1. Either you have enough memory or you do not. If the latter then go buy it.
    2. Most of these things do not actually defragment the memory, they just release memory that is no longer being used by an application, but has not been released. If there is true fragmentation, then it remains.
    3. If your problem is with crapware applications, then that is what you have to resolve. A memory manager is like banging your head against the wall and taking aspirin for the pain

    Having said that, I use them frequently because they (or some of them) are excellent for detecting memory leaks and application contentions.

    If they were sold as diagnostic/troubleshooting tools, with memory management as a by-product, then I would have no problems with them.

    But there wouldn't be any money in that now would there?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #27
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    And who would be stupid enough to run a memory manager on an exchange server? Exchange basically takes all of the user mode memory and manages it itself. Most of the problems come about as a limitation of 32 bit memory structures and not poor management techniques. Now if we are talking about Exchange 5.5 or Exchange 2000 without any service packs, then yes, it did a horrible job at managing memory.

    Right now, as long as you watch how your kernel mode memory is being allocated, as in making sure you don't deplete non-paged pool memory, you will not have problems on a properly sized system. Most NPP problems I've come across recently are a result of poorly coded NIC drivers, and problems with the new TCP/IP chimney offloading in windows 2003 Sp2.

  8. #28
    He had law enforcement shut down half the site?

    WOW this guy sounds reeeaaalllly fishy, post-whoring aside.

    Evidently it was ridiculously easy for me to hit a nerve there.

    Nice to see the APs still pack a punch.
