
Thread: Best Way to lock down Windows

  1. #1
    Senior Member
    Join Date
    Aug 2002

    Best Way to lock down Windows

    Hey people, what software out there is recommended to lock down Windows 2000 Pro and Windows Xp. I know we can use gpedit, but I want more options.

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Is this in a client\server environment or stand alone machines? Are you locking down for security or so users can't run things?
    \"You got a mouth like an outboard motor..all the time putt putt putt\" - Foghorn Leghorn

  3. #3
    Senior Member Raion's Avatar
    Join Date
    Dec 2003
    New York, New York
    If it's to lock down so users can't physically do anything on Win2k, press ctrl+alt+del and click Lock Computer. To unlock it you would need the password to the current user's account, and if you have the Admin password you can switch to the Admin account.

    To lock it down for security reasons you can always just download a firewall (Zone Alarm?) and look for the lock down feature.

  4. #4
    AO Veteran NeuTron's Avatar
    Join Date
    Apr 2003
    There was a good tutorial written recently about hardening remote access to windows xp.

  5. #5
    Join Date
    May 2003
    As a minimum, start here:

    When you are done with that, give the specific business role (what it does, what its asset values are, etc.) and its environment details (what is around it, how much can be spent on counter-measures, who maintains the system) and you can be provided with accurate follow-up information.


  6. #6

    Re: Best Way to lock down Windows

    Originally posted here by mrlucifer
    Hey people, what software out there is recommended to lock down Windows 2000 Pro and Windows Xp. I know we can use gpedit, but I want more options.
    Why not put some effort into it? Microsoft already provides the necessary tools to arm the box.

    If you're using XP home, you also have a few accounts that need to be dealt with. Bring up a command line and type "net users". This will list all the accounts on the machine. You won't be able to delete "Administrator" or "Guest", but you can delete "HelpAssistant" and "Support"

    Just type
    net user "accountname" /delete
    Next, Type
    "control userpasswords2"
    and change the name of "Administrator" to something that looks more like a basic user account name and make the password fairly strong. Do the same with "Guest".

    Next, navigate to these keys within the registry and apply the necessary configuration:

    HKEY_LOCAL_MACHINE-->Software--> Microsoft--> Ole--> Enable DCOM Set its value to N instead of the Y that's shown.

    HKEY_LOCAL_MACHINE-->Software--> Microsoft--> Rpc Once there, take a look over at the right hand panel and you'll see "DCOM protocols", double click it. Do not modify the entire value, but instead only remove ncacn_ip_tcp from the DCOM Protocols value, and leave everything else untouched.

    HKEY_LOCAL_MACHINE-->SYSTEM-->CurrentControlSet-->Services-->NetBT-->Parameters now look in the right hand panel at TransportBindName and double click it. It should have a value set of "/device/"; just remove it and you're good to go.

    And finally, use this text file and turn it into a .reg file by simply changing the extension within your favorite text-editor. Double-click it, and reboot. Once you get that up go check how many ports are open. There probably won't be any at all.

    This configuration is to my needs of course, which are Internet(Normal desktop usage) & the ability to run without third-party software like a firewall. I'm quite comfortable with my configuration.


    Just wanted to add: if this is after a fresh install and pre MS-patches, some ports will reopen after certain patches are applied (not completely sure which ones, could be sp1, I don't know, I don't install all MS patches) so you will have to re-apply a few of the registry changes and possibly re-apply the .reg tweak. Just wanted to notify you of that.
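    Added example for this thread, not code posted by any of its members: a read-only PowerShell audit of the items post #6 changes by hand (the HelpAssistant/SUPPORT accounts, whether the built-in Administrator and Guest still carry their default names, the three registry values, and which TCP ports are listening), so the effect of the hardening can be checked before and after, including after a patch re-opens something. It assumes Windows PowerShell running as a local administrator; the value names EnableDCOM, "DCOM Protocols" and TransportBindName are the documented ones behind the paths the post names, and the account/RID checks are this example's own addition.

```powershell
# Added example (not from the thread): audit the settings post #6 edits by hand.
# Read-only; it reports findings and changes nothing.
# Assumes Windows PowerShell in an elevated session on the machine being checked.

function Get-LocalAccountFindings {
    $findings = @()
    # The WinNT ADSI provider works on every Windows version the thread mentions
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($obj in $computer.Children) {
        if ($obj.SchemaClassName -ne 'user') { continue }
        $name = [string]$obj.Name
        $sid  = (New-Object System.Security.Principal.SecurityIdentifier($obj.objectSid.Value, 0)).Value
        $rid  = $sid.Split('-')[-1]
        # Support accounts post #6 deletes: HelpAssistant and the SUPPORT_... account
        if ($name -eq 'HelpAssistant' -or $name -like 'SUPPORT_*') {
            $findings += "account '$name' is present (candidate for removal)"
        }
        # RID 500/501 identify the built-in Administrator/Guest whatever they are called,
        # so this tells whether the rename the post recommends has been done
        if ($rid -eq '500' -and $name -eq 'Administrator') {
            $findings += 'built-in Administrator (RID 500) still uses its default name'
        }
        if ($rid -eq '501' -and $name -eq 'Guest') {
            $findings += 'built-in Guest (RID 501) still uses its default name'
        }
    }
    return $findings
}

function Get-RegistryFindings {
    $findings = @()
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($ole -and $ole.EnableDCOM -eq 'Y') {
        $findings += 'HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM is Y (DCOM enabled)'
    }
    # "DCOM Protocols" is a REG_MULTI_SZ; post #6 removes only the ncacn_ip_tcp entry
    $rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc' -ErrorAction SilentlyContinue
    if ($rpc -and ($rpc.'DCOM Protocols' -contains 'ncacn_ip_tcp')) {
        $findings += 'HKLM\SOFTWARE\Microsoft\Rpc\DCOM Protocols still lists ncacn_ip_tcp'
    }
    # A non-empty TransportBindName means NetBIOS over TCP/IP is still bound
    $netbt = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -ErrorAction SilentlyContinue
    if ($netbt -and -not [string]::IsNullOrEmpty($netbt.TransportBindName)) {
        $findings += "NetBT TransportBindName is '$($netbt.TransportBindName)' (NetBIOS over TCP/IP bound)"
    }
    return $findings
}

function Get-ListeningTcpPorts {
    # netstat rather than Get-NetTCPConnection so the check also runs on old hosts
    netstat -an | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
    } | Sort-Object -Unique
}

$all = @(Get-LocalAccountFindings) + @(Get-RegistryFindings)
if ($all.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $all | ForEach-Object { Write-Output "FINDING: $_" }
}
Write-Output ('Listening TCP ports: ' + ((Get-ListeningTcpPorts) -join ', '))
```

    Run it once before the changes and again after the reboot; the "Listening TCP ports" line is the quick way to confirm the post's claim that few or no ports remain open, and re-running it after a service pack shows which settings the patch restored. Disabling DCOM and NetBIOS will break things that depend on them (printer and file sharing, some management tools), which is why the script only reports and leaves the Set-ItemProperty calls to the administrator.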

  7. #7
    AO Part Timer
    Join Date
    Feb 2003
    Depends on the reasoning for your security. If you are interested in just locking it down to be more secure, then follow some of the advice mentioned herein.

    If you actually want to gain some knowledge, set up another pc; it doesn't have to be anything extremely powerful, just something with enough power to run an OS. For example you could run a version of nix and make install smoothwall (learn some iptables while you're at it). Run it between your windows machine and the internet.

    I know this will require some more knowledge of another OS. But if you are interested in learning what better way?

    I know it might seem kind of funny to use a nix box as a layer of extra security for a windows box, but there is no better place to hide than right out in the open.

    I learned some basic networking with the desire to run turn based Heroes of Might and Magic. I had three PCs, I installed some old token ring cards, then hooked it all up with an Andrew Mau. I learned how to set up some basic tcp/ip services. Along with some other stuff, I learned a lot.

    As far as physical security goes, I think in many cases it is more difficult than remote security. With IE and notepad you can do just about anything you need to break a Windows box. Those two apps are both evil and a blessing (depends on which hat you wear perhaps). I'd definitely listen to imitationrust on the accounts however. Learn how to use and edit the registry. There are lots of useful things you can change in the registry.

    Hope my opinions and advice helped.

    Be safe and stay free
    Your heart was talking, not your mind.
    -Tiger Shark
