
Thread: Securing A Windows System

  1. #1
    Banned
    Join Date
    Sep 2001
    Posts
    2,810

    Securing A Windows System

    Copy and pasted, I know...tut, tut, tut...

    Anyway I liked this thought it would fit in well here at AO.

    End the Flaming!

    Securing a Windows System
    >Written by: Paperghost [paperghost@vitalsecurity.net] Vital Security -
    >www.vitalsecurity.net
    >irc.vitalsecurity.net - #vitalsecurity
    >22/4/2001
    >If this article scrolls off the edge of the page, go to Edit and select
    >Word Wrap.
    ## Windows: Ease of use at a price ##
    It is no secret that the Windows range of operating systems offer simplicity
    of use at the cost of security....indeed, many of the main tools that come
    with Windows are actually the main weapons of choice for hackers! (ie
    Telnet, for example....a method of opening up a direct connection to a
    remote computer on a port that you specify.....go to MS-DOS and type

    telnet

    to open it up. You won't be able to do much with it at this stage, though).

    Windows is full of holes; someone with only a little knowledge can remove
    most admin restrictions on a network within about ten minutes flat, your
    passwords are easily accessed, it doesn't have a built-in Firewall (the new
    Windows operating system should change all that though) and it is extremely
    vulnerable to Denial of Service attacks, which should be of great concern to
    all....


    ## What is a DoS attack? ##

    DoS stands for Denial Of Service. Basically, it's all about knocking off
    some (or all) of the net services being provided to a user without
    permission. This is usually achieved by flooding the bandwidth connection
    to your machine. The less raw data your computer's modem can handle, the
    more you should worry, because someone with a more powerful machine will
    blow you out of the water every time (although, as with everything, there
    ARE exceptions). After a DoS attack, your computer might not be able to
    connect to the net for a while, and a REALLY bad attack can knock it out for
    quite some time. Apart from the bandwidth attack, some other common points
    of entry are the Swap Space on your computer, filling up the empty portion
    of your hard drive with data, cache attacks and email bombing. Repeated
    nailing of an address with identical emails equals a high bandwidth attack,
    but things can always get worse, because if you try to reply back to a spam
    attack, the mail will bounce back at you if the sender's address is false.
    This means you'd be getting hit with twice the amount. Resist the
    temptation to reply to such mails. Apart from anything else, if they ONLY
    have your email address but not your IP, when you reply to them it's as easy
    as pie to deduce your IP address from your email's header.


    ## File and Print Sharing: The dangers ##

    Windows has an option called file and print sharing. Using this option, you
    can share your drive and printers with the whole world if needs be, and this
    is obviously a huge security risk. Indeed, there are numerous Trojans that
    exploit this, some of which make your printers spew out endless sheets of
    paper, plastered with thick ink....and, of course, there are FAR more
    dangerous Trojans out there. With this option on, your Port 139 is open
    (your NetBIOS Protocol), which is the port that understands commands used to
    remotely access your file/print sharing servers. If you have this sharing
    option enabled on your computer, then ANYBODY could access your files
    without your knowledge and you'd be none the wiser. You really don't need
    this option enabled on a home machine, so go to:

    START/Settings/Control panel/Network

    and then click on the panel that says "File and Print Sharing" and make sure
    that both tick boxes are UNCHECKED. You may get a message saying "insert
    windows 95/98 Disk" and some other things happening, but don't worry; simply
    close down any boxes that open up. The option to file share will still be
    turned off. If you don't believe me, go back into the FileShare section and
    you'll see that everything is in order.

    Another problem of having this port open is that it makes you highly
    vulnerable to a Winnuke attack (a form of DoS attack that makes you
    disconnect and sends you to the "Blue Screen: System Unstable Mode"). Now,
    with all these Trojans and Nukes easily available, coupled with the dreadful
    security that Windows "imposes", you may be thinking that there isn't an
    awful lot that you can do. The sad truth is, that's partially true; there
    are new Trojans, Nukes and forms of Virus created daily, and it is almost
    impossible to keep up with them all....BUT....there are methods and software
    you can employ that, when combined, offer you just about the best protection
    that you can get your hands on. The secret is to use a number of programs
    that don't either cripple each other or your system. With the right level
    of balance attained, you can fend off all but the severest of attacks, and
    seeing as how most of the very worst DoS attacks have the potential to take
    out whole reams of users (not just the target), you can guarantee that
    someone, somewhere is going to notice someone tampering with their system
    and track the Nuker down....


    ## Anonysurfing ##

    Remember your IP address? Well, if someone obtains it, then they can
    pinpoint you for numerous DoS attacks, and if that happens, all you can do
    is try to weather the storm and patch your computer to withstand the
    attacks. Proxy Surfing is a very useful way of hiding your IP Address from
    those that might want it......

    # How a Proxy Works

    A Proxy works as a barrier, raising itself between you and the rest of the
    Web by acting like a go-between, channeling information between users and
    the rest of a network. Bear in mind though that the proxy in question MUST
    be able to strip your IP address from the requests going out over the net,
    or it isn't a very good proxy. Also, it should cover up your operating
    system, the user-agent (the program you are using to browse the Web) and
    your referrer (the site from which you are linking).
    A word of warning though, some Proxy services don't allow lots of fancy web
    related effects to function such as Java, ActiveX and, of course, Cookies,
    so some of your favourite sites may either not work very well or, indeed, at
    all, but that's the price you have to pay for anonymity. If you want to use
    a Proxy, find one from a ProxyList (easily obtainable from any search
    engine), and then go to:

    TOOLS/internet options/connections/settings

    Click on the "use proxy settings" box, then click on

    Advanced

    Once in, type your Proxy Service's address in the HTTP part (along with the
    port it will use) and also in the FTP part. It should look a little like
    this:


    TYPE: Proxy address to use Port

    HTTP: www.myproxy.cache.net 8080

    FTP: www.myproxy.cache.net 8080


    Please note that you are legally obliged to ask the permission of the person
    running a Proxy Server before you use it. Alternatively, you can go to
    www.webveil.com for more information on Proxy Servers, and also a list of
    companies like Anonymiser and Freedom that run Public Proxy Servers.


    ## Proxy Chains ##

    There are a number of methods to "chain" various Proxy Servers together, but
    the most common one is to put a

    -_-

    in between the various Proxy addresses.

    TYPE: Proxy address to use Port

    HTTP: www.myproxy.cache.net-_-www.proxyproxyproxy.net 8080

    FTP: www.myproxy.cache.net-_-www.proxyproxyproxy.net 8080


    This results in excellent security, because someone trying to get at you
    will have to go through a considerable amount of effort to track you down,
    although the more Proxies you use, the slower the loading times, because the
    incoming data packets are being bounced around each proxy in the chain.
    Also, if one of the Proxies goes down without warning (as they are liable to
    do), you will need to both find another proxy to use, and (worse still) try
    and deduce which proxy isn't working anymore (which involves trying each
    proxy manually, one at a time).


    ## Firewalls ##

    A firewall is a very simple (yet effective) tool for protecting yourself
    from outside attacks. It simply runs whilst you go about your business
    online, and analyses each and every data packet that attempts to pass in or
    out of your PC. Before the data can reach you, the Firewall uses a set of
    rules to determine whether or not the data packet can be forwarded to its
    eventual destination. As this can be quite an intensive process to set up,
    the firewall is often set up on a dedicated piece of hardware away from the
    Network, so that no incoming traffic can get at private network resources.
    This is what happens in business; for home use, the application is a little
    different....

    # Types of data acceptance

    Firewalls use many different rules and regulations when examining what data
    is being sent to them. Some use a set of "acceptable" IP addresses to
    accept data transmissions from, and bar all other incoming traffic. Others
    take a more drastic approach, checking EVERYTHING that comes their way,
    using various types of approaches to ensure that specific application
    attacks can be blocked. Some companies and websites use multi-layered
    firewalls, with firewalls between the "public" internet and the web servers,
    and another between the web servers and the application servers that run
    everything the site/machine(s) need to function. A home firewall isn't
    really a firewall at all, because it runs on the machine that is actually
    accessing the internet (ie - a personal firewall runs on the PC that's
    running critical applications). This is bad, because problems can be caused
    if the Firewall leaks (or, indeed, the machine itself), whereas at least if
    this happens on a Network Firewall set-up, the critical systems are shielded
    from the leak on a separate, protected machine. Making sure you install a
    Firewall that does NOT leak is essential to your security, and to date the
    only Personal Firewall which achieves this criteria is ZoneAlarm, and you
    can get the free version from www.zonelabs.com

    What people sometimes don't know is that Firewalls can halt the flow of
    traffic OUT as well as in. This is excellent, because if you have programs
    installed on your system that include SPYWARE then you can stop unwanted
    breaches of your security by the program trying to "ring home", to tell its
    makers what you get up to....

    # Spyware

    There is evidence that Realplayer rings home every so often, letting its
    makers know EXACTLY what music you've played on it, where you got it from,
    what tracks you played etc, in order for them to use this information as
    they see fit (usually, worryingly detailed "trend/browser/user habit"
    databases), and you can imagine how invaluable such a bulk of information
    would be to marketing companies and the like. And, truth be known, there
    are MANY programs that do this; Realplayer is most definitely not alone in
    this disturbing trend. You may get quite a shock when first using a
    Firewall, because very often, a window will pop up asking for permission to
    let "such and such a program" to access the internet; sometimes, it might
    just be to let the program take you to the product's website for an update,
    but at the risk of sounding slightly paranoid, there really isn't any
    difficulty in accessing the webpage etc in your own time, instead of letting
    a program connect for you, possibly sending back compromising information to
    its creators. When in doubt, it is best to just deny net access to the
    program in question.


    # PortScanners

    A portscanner is a device which simply scans PC's for open ports, so that
    the hacker can begin to manipulate your system as they see fit. Some are
    configurable, allowing the user to scan a specific range; most have to go
    from 0 to 65536.

    # Trojan Benefits

    What if you DO have a Trojan installed on your PC, just waiting for somebody
    with a PortScanner to pick it up, and then connect to you at their end?
    Well, again the Firewall is invaluable here. Since a firewall checks,
    scans, and blocks traffic flowing both ways through it, both into and out of
    your computer, it is easy to prevent unauthorized communication by a Trojan
    horse program. If you had a Trojan that didn't attempt any outward bound
    connections, but simply sat and waited for incoming traffic, no passing
    Trojan scanner could detect or know of the Trojan's existence, because all
    attempts to contact the Trojan inside your computer would be blocked by your
    firewall.

    # Logging attacks

    Since every arriving packet must contain the correct IP address of the
    sender's machine, (in order for the receiver to send back a receipt
    acknowledgement), you will ALWAYS receive an IP address to go along with the
    attempted connection, which will usually be stored in the firewall's Log
    File for later use. Of course, they might be using a fake IP address to get
    around this, but it still means they have to put in more time and effort to
    try and break into your system, and this is time and effort which will STILL
    be thwarted, resulting in a futile connection attempt. Some people become
    disheartened at the amount of unknown connections that are attempted on
    their machine; they shouldn't be, because if you actually got a warning
    about a blocked transmission, then that's exactly what it was: BLOCKED. It
    never actually reached your computer; it simply bounced off into the
    wilderness.


    ## Freeware ##

    By and large, the ONLY Freeware that actually does what it claims to are
    Virus and Trojan removers. Most Port Monitors don't actually function as
    they're supposed to, actually making your security holes WORSE. A prime
    example of this is Nukenabber. I used to use this program myself, thinking
    that the Ports specified would be blocked from all attacks. The irony is,
    they ARE.....use a PortScanner on yourself on some of the "blocked" ports to
    prove it. The problem lies with the fact that these programs actually have
    to activate the ports selected so they can sit on them and monitor their
    activities, meaning that when a Hacker runs a PortScan on you, instead of
    getting NO results back (like they would if you had your PC in "Stealth"
    mode with ZoneAlarm, for example) the Scanner picks up the selected ports
    that you've blocked off, which makes them think they've found the world's
    biggest ever collection of ports ready to tamper with....cue sustained
    attack on all quarters. When THIS happens, you're in trouble because for
    all you know, they might pass word around about a machine that's full of
    holes (ie - YOURS). This isn't keeping a low profile, and will result in
    more trouble than it is worth. I've stopped using these programs, and so
    should you. Stick with a Firewall; they do everything you need, monitor all
    port connections and disallow anything untoward; what other protection could
    you possibly employ on top of something that's doing it all anyway? A good
    example of what I'm talking about is the Program GENIUS, which has a whole
    host of useful functions. It has a PortScan detection feature, which you'd
    probably be tempted to use. If you actually check the settings however, or
    even stop to think for a second, you'd realise that, in order for it to
    monitor for PortScans, it would actually have to OPEN a port to begin with,
    in order to sit on it and wait for a connection!
    Why open up extra Ports in order to try and stop people from accessing them?
    It doesn't make sense! A Firewall doesn't open your ports up, and in
    Stealth mode makes them seem they don't actually exist at all, which is
    INFINITELY better than a Freeware Program like Nukenabber returning a CLOSED
    status to a PortScanning Hacker, as we shall see....


    ## Stealth ##

    Normally, your Ports will appear to be either Open or Closed to a
    PortScanner. When you have a Stealth function activated on a Firewall, it
    makes it look like your computer is either off or not online; instead of
    open or closed, they simply appear not to exist. So, even if you had been
    attacked and logged by a malicious user for future use, upon their return
    they would find that your computer no longer appeared to be there; it would
    seem like you had either left the internet forever, or else the machine no
    longer existed. They would soon get bored and move on to other targets.
    The other good thing about this mode is that, because of its nature, the
    Scanner is actually damaged a little when attempting to find open holes on
    your machine.
    Stealthed ports are, strictly speaking, a violation of proper TCP/IP rules
    of conduct. Proper conduct requires a closed port to respond with a message
    indicating that the open request was received, but has been denied. This
    lets the sending system know that its open request was received so that it
    doesn't need to keep retrying. But, of course, this "affirmative denial"
    also lets the sending system/Hacker know that a system actually exists on
    the receiving end....now can you see why a Program like Nukenabber is bad
    when it returns a CLOSED status? Above all else, THIS is what we want to
    avoid in the case of hackers attempting to probe our systems, which they
    simply cannot do when you are in stealth mode, because to them you're not
    even there.
    You cannot hurt that which you cannot see.


    ## Reviews ##

    As something to get you started, I include here a number of reviews of
    various Firewalls, taken from my Toshogu Online Security website. I haven't
    included the URL here, as this is an article for Vitalsecurity and so has
    nothing to do with my own website. If you feel the need to visit it, email
    me and ask for the address.

    ## Freeware Firewalls ##

    ZONE ALARM (www.zonelabs.com)

    Is there anyone who DOESN'T have this thing?? Very popular, and easy to see
    why; straightforward to use, heaps of features and an excellent Stealth
    mode, let down slightly by the fact that it is almost TOO basic a program;
    there aren't many configurable options, so if you want more customisation,
    go for TINY. ZA blocks unwanted intrusions with near Martial efficiency,
    and also only allows Programs to access the Net that YOU want to access it.
    Its MAILSAFE feature also allows you to check out any emails that have
    Visual Basic Scripts attached to them, monitoring and controlling them
    where necessary. IMPORTANT: Early versions of ZONE ALARM are **NOT** as
    safe as later versions, so go to www.zonelabs.com to upgrade. It's FREE for
    the Standard version, so there's NO excuse!

    Marks Out of Ten: 10


    TINY PERSONAL FIREWALL (www.tinysoftware.com)

    Oh, this is GOOD....used by the US Air Force, no less, and built upon ICSA
    Certified Security Technology, WinRoute Pro. As well as doing all the
    standard stuff, TINY also includes an excellent Application Filter, which
    notifies the User when an Application attempts to bind to a Port for
    Communication. In addition to this, it is hugely customisable, so if you
    know what you're doing or feel a little restricted by a product like ZA then
    this is the Firewall to get. PLEASE NOTE though that TINY will NOT function
    properly on a machine using WinRoute or Microsoft Internet Connection
    Sharing.

    Marks Out of Ten: 9


    GATEWAY GUARDIAN PE (www.gatewayguardian.com)

    Want an entire Linux Operating System Firewall running off a 3-1/2" Floppy
    Disk? You got it. Download THIS little number, and run it on a machine
    that ISN'T the Internet Gateway (that's right, you need two
    machines.....doh!) BUT....do it, and watch with glee as it uses a pure Java
    application to sort out your hardware, custom settings and a rock-solid
    Firewall is now in place. AND....after you remove the Disk, the machine
    reverts back from Linux to whatever system you were running
    previously....there are NO changes to your machine's Internal Hardware
    Configurations. So, if you DO have two computers requiring shared access
    to the Net through a single connection, use THIS and be really rather happy
    with yourself. PLEASE NOTE: You need Java Runtime Environment to use this
    Program (as well as more than one PC!)

    Marks Out of Ten: 9


    ## Firewall Shareware ##

    BlackICE DEFENDER

    A powerful detection and analysis system like no other provides pretty much
    all the protection you can shake a digital stick at. Numerous network ports
    and protocols are monitored for suspicious behaviour, and when it FINDS
    some....it springs into action, using sophisticated attacker analysis
    techniques. First off, using network algorithms, it ferrets out the
    attacker's computer and automatically blocks any and all transfers from that
    machine in the future, but at packet level. This basically means that,
    HOWEVER hard they try to get into your machine, any transmission sent to you
    by them is stopped before it even gets inside your computer.

    Marks Out of Ten: 10


    NeoWatch (www.neoworx.com)

    With NeoWatch on your machine, your computer is Stealthed like no other, and
    you simply will NOT appear to have any kind of presence on the net whatsoever
    to all but the most determined of snoopers. After installation, you are
    totally invisible to all manner of port scans, pinging, unwanted TCP
    connections and UDP packets. Also, you won't be picked up by streaming
    media of most types, standard browsing or plain old Email. ICQ will still
    work whilst you have NeoWatch running, however. This program incorporates
    NEOTRACE technology to allow you to pinpoint the intruder on an incredibly
    accurate series of maps including (and not limited to) Satellite
    Photography, Ordnance Survey maps, Topography charts etc. On top of all
    this, NeoWatch uses HackerWatch.Org to compile hacker attempts from hundreds
    of thousands of users, and the data is then monitored and actively pursued
    to shut down unwanted intruders forever.
    How cool is that?

    Marks Out of Ten: 10


    ConSeal PC FIREWALL (www.consealfirewall.com)

    Unlike other desktop Firewalls that only protect Winsock applications, this
    Program protects all operating system devices (like printer and file shares,
    for example). It also uses encrypted communications tools for added
    security. Pretty easy to use, and you can be as basic or as complex with it
    as you like.

    Marks Out of Ten: 8


    Private Firewall (www.privacyware.com)

    This easy to maintain program utilises techniques such as Secure Socket
    Layer Encryption (amongst others) to ensure the protection of all POP3 Mail
    such as Outlook Express and so on. Alongside this, it focuses in on the
    more sensitive areas of your computer, constantly monitoring them and
    letting the user know when they're under attack. Also does all the usual
    basic packet filtering, port scanning, IP Tracking etc.

    Marks Out of Ten: 8


    ## Links ##

    www.grc.com An excellent site devoted to testing how secure your PC is.


    ## Summary ##

    I hope this Article is useful in showing you both how to secure yourself
    against unwanted connections, and also how to shield yourself from unwanted
    scans and Spyware. The Internet is by no means as anonymous as some people
    think it is, and although this is to the detriment of people's security
    online, this also works both ways....it IS possible to find and stop even
    the most determined of attackers, you just have to be patient and keep
    hunting for clues and techniques which will help you put an end to their
    exploits. Just remember:
    You cannot hurt that which you cannot see.


    >Article "Securing a Windows System" Copyright (C) 2001 Paperghost All
    >Rights Reserved
    >Loyalty and Protection for all our families
    >email paperghost@vitalsecurity.net with comments.
    >irc.vitalsecurity.net
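The firewall behaviour the article describes (stealth versus closed ports, outbound control per program, and the blocked-connection log reviewed by source IP), as an added Python example that is not part of the original post or of any product it reviews; the ports, program names and IP addresses are constructed for the demonstration:

```python
"""Toy model of the personal-firewall behaviour described in the article.

Added example, not part of the original post or of any real firewall product.
It simulates three things the article walks through: inbound filtering with
an Open / Closed / Stealth disposition per port (the "Stealth" section),
outbound control per application (the "Spyware" and "Trojan Benefits"
sections), and a blocked-connection log keyed by source IP (the "Logging
attacks" section). Port numbers, program names and addresses are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field

# Disposition of an inbound TCP SYN to a local port.
OPEN = "open"          # SYN/ACK: the service is reachable
CLOSED = "closed"      # RST: "affirmative denial", tells a scanner a host is there
STEALTH = "stealth"    # no reply at all: the scanner sees nothing


@dataclass
class Packet:
    direction: str     # "in" or "out"
    src_ip: str
    dst_port: int
    program: str = ""  # only meaningful for outbound traffic


@dataclass
class PersonalFirewall:
    listening_ports: set        # ports a local service is actually bound to
    allowed_programs: set       # programs the user has granted net access
    stealth: bool = True        # drop rather than reject unsolicited SYNs
    log: list = field(default_factory=list)

    def inbound(self, pkt: Packet) -> str:
        """Decide how a SYN to dst_port is answered and log anything refused."""
        if pkt.dst_port in self.listening_ports:
            return OPEN
        verdict = STEALTH if self.stealth else CLOSED
        # The article's point: even a dropped packet leaves the sender's IP
        # in the log, because the IP header must carry a source address.
        self.log.append(("in", pkt.src_ip, pkt.dst_port, verdict))
        return verdict

    def outbound(self, pkt: Packet) -> bool:
        """Allow a program to connect out only if the user approved it."""
        allowed = pkt.program in self.allowed_programs
        if not allowed:
            self.log.append(("out", pkt.program, pkt.dst_port, "blocked"))
        return allowed

    def blocked_by_source(self) -> dict:
        """Summarise blocked inbound attempts per source IP (the log review)."""
        return dict(Counter(e[1] for e in self.log if e[0] == "in"))


def scanner_view(fw: PersonalFirewall, src_ip: str, ports) -> dict:
    """What a remote port scan from src_ip would observe for each port.

    A stealthed port is indistinguishable from a host that is not there,
    which is why the article prefers it to a CLOSED (RST) answer."""
    return {p: fw.inbound(Packet("in", src_ip, p)) for p in ports}


def demo() -> PersonalFirewall:
    # Home machine with file/print sharing turned off (nothing bound on 139)
    # and a browser approved for outbound access; a media player is not.
    fw = PersonalFirewall(listening_ports=set(),
                          allowed_programs={"browser.exe"})
    scanner_view(fw, "203.0.113.9", [139, 80, 12345])
    fw.outbound(Packet("out", "127.0.0.1", 80, "browser.exe"))
    fw.outbound(Packet("out", "127.0.0.1", 80, "mediaplayer.exe"))
    return fw


if __name__ == "__main__":
    fw = demo()
    for entry in fw.log:
        print(entry)
    print(fw.blocked_by_source())
```

Switching `stealth=False` turns every unlisted port into a CLOSED answer, which is the "affirmative denial" the article warns reveals that a host exists.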

  2. #2
    AntiOnline Senior Member
    Join Date
    Oct 2001
    Posts
    514
    Good post! Keep it up!

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Posts
    689
    I disagree with the author of the article's view on Tiny Personal Firewall as being not as good as BlackIce Defender. It has been shown in tests that BlackIce doesn't block unknown trojans, viruses, or spyware. Does a product such as this deserve a perfect score of 10? Tiny on the other hand does provide that security, and is freeware. By the way ennis I too feel that it is time to give up the flaming and go back to our technical related discussions.
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Warning, humour approaching!

    Interesting read, but I rarely put any faith in authors who promote specific personal firewalls -- especially those which have found to have some form of severe vulnerability.

    Anyways, my guide is a lot better and a hell of a lot more securable...

    CHSH's Six Step Guide to Securing Windows
    (YES! it is possible!)

    This tutorial is written based on the assumption that you are currently up and running in one of the various Windows operating systems.

    Step #1: Click on Start.
    Step #2: Click on Shut Down.
    Step #3: Once the computer has successfully shut down, ensure it is powered off, then disconnect the phone cable, and any network cables.
    Step #4: Press the power button, turning your computer back on.
    Step #5: Call your ISP and cancel your internet service.
    Step #6: Visit the Betty Ford clinic to rid yourself of the withdrawal you will no doubt be suffering from.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    185
    chsh, you kill me /me lmfao

    Ok, nice to see you back Ennis, you need to thicken your skin a little man. You are too level headed to let lamers - flamers - and thieves chase you off this forum, ....right?

    Ok, my little add-on to Ennis's post.

    Go get nessus and test you box with the complete set of attack plugins that are available. nessus is available for both Windows and Linux. It is also a great idea for you IT pro's out there, it can save it's findings in a handy dandy pie chart html format that is very professional looking for showing management etc.

    It is free and it will most likely save you a lot of sleep.

    Check it out at http://www.nessus.org

    Better than, SATAN, SAINT, SARA and any other network security integrity checker I have ever used.
    Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.

    Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.


  6. #6
    Banned
    Join Date
    Sep 2001
    Posts
    2,810
    Originally posted by UberC0der
    chsh, you kill me /me lmfao

    Ok, nice to see you back Ennis, you need to thicken your skin a little man. You are too level headed to let lamers - flamers - and thieves chase you off this forum, ....right?

    I took MsMittnes advice a little too late and stepped back, had a look at things and came back in good humour with no grudges and so on.

