Page 1 of 3 123 LastLast
Results 1 to 10 of 28

Thread: HOW TO SECURE Windows 2000/XP/Server 2003, & VISTA

  1. #1
    Join Date
    Dec 2007

    HOW TO SECURE Windows 2000/XP/Server 2003, & VISTA

    That's the original of this post. I could not get ALL/EACH of my 12 points to post here earlier, quite oddly enough, & now... I can, & have, from page #2 onwards.


    Last edited by AlecStaar; December 9th, 2007 at 09:28 PM. Reason: I could not get my posts to take here for some reason, & now I can & I have edited them in

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    APK, that rings a bell somewhere methinks? ah! yes, Alexander Peter Kowalski. I think that I know you from somewhere

    When I put:

    "HOW TO SECURE Windows 2000/XP/Server 2003, & VISTA"

    Into a Google search, I am truly amazed at the number of times that "APK" has posted this very same thread on other forums. Before he deigned to cast the pearls of wisdom before the swine of AO.

    Once? OK, twice? fine, three times? perhaps. When you get into double figures, I call that "spamming".

    AhHa! I remember where I know you from, ArsTechnica wasn't it?

    Be careful.

  3. #3
    Join Date
    Nov 2007
    Springfield, MO area

    I looked at this thread initially, thinking..
    "Hmm, does this go anywhere."

    The entire time I was also thinking..
    "Why is this user's first post a 'tutorial' on securing Windows, and then fills a post with nothing but 'My score this and that."

    IMO, if you're going to post a tutorial as a first post, anywhere, you should have it completed enough that input other than..

    "Where is the stuff a Vista user needs to know about securing the OS?"


    I understand that it may take a while to post, but please, share something other than security scores that are 2 to 3 month's old.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington

    Please do a Google search as I suggested and form your own opinion.

    This is what we mods and admins know as a "prelude to a spam" I would fully expect that the "snake oil" will be proffered in subsequent posts. That is usually how these things work.

  5. #5
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Superior, WI USA
    Sounds like a abominable cross-breed of e-mail spam and an infomercial.

    The submitter's CAPS LOCK button seems to be broken, as well.

    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor

  6. #6
    Join Date
    Nov 2007
    Springfield, MO area
    Just finished reading through a couple of other threads this person has posted.

    IMO - Anyone using a 'server' version of windows should be doing half of the stuff already, at the recommendation of the OS itself.

    Also, what I saw of the Vista information was speculation and theory. I'm sorry, but I can do most of what was provided in the articles natively in Windows anyways.

    I apologize to the mods and other regular users if anyone takes this as complaining, but I feel this is more a criticizing post like the OP asked for. I understand he said he wanted to spread the world, but why include Vista in the mix if you have nothing firm to support?

  7. #7

    Did some googling myself, skimmed over the first result.

    Read the comments.

  8. #8
    Senior Member
    Join Date
    Oct 2007
    do a whois search on my ip...
    I am with zallison on this one, I fail to see any value in the tutorials.... when is cis going to make a tool for vista???

  9. #9
    Join Date
    Dec 2007




    Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE). I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privelege user too for this on 2000 if needed)...

    I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).


    LOCAL SERVICE startable list (vs. LocalSystem Logon Default):

    Acronis Scheduler 2 Service
    Alerter (needs Workstation Service Running)
    COM+ System Application
    Indexing Service
    NVIDIA Display Driver Service
    Office Source Engine
    O&O Clever Cache
    Remote Registry
    Sandra Service
    Sandra Data Service
    Tcp/IP NetBIOS Helper
    UserProfile Hive Cleanup Service
    Volume Shadowing Service
    Windows UserMode Drivers
    Windows Image Acquisition
    WinHTTP Proxy AutoDiscovery Service


    NETWORK SERVICE startable list (vs. LocalSystem Logon Default):

    ASP.NET State Service
    Application Layer Gateway
    Clipbook (needs Network DDE & Network DDE DSDM)
    Microsoft Shadow Copy Provider
    Executive Software Undelete
    DNS Client
    DHCP Client
    Error Reporting
    FileZilla Server
    Machine Debug Manager
    NetMeeting Remote Desktop Sharing Service
    Network DDE
    Network DDE DSDM
    PDEngine (Raxco PerfectDisk)
    Performance Logs & Alerts
    Remote Desktop Help Session Manager Service
    Remote Packet Capture Protocol v.0 (experimental MS service)
    Resultant Set of Policies Provider
    SAV Roam
    Symantec LiveUpdate
    Visual Studio 2005 Remote Debug


    PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.

    WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

    If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

    Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

    If that fails (shouldn't, but IF it does)? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

    ListSvc (shows services & drivers states of stopped or started)

    Enable (starts up a service &/or driver)

    Disable (stops a server &/or driver)

    Which can turn them back on if/when needed

    (ON Virtual Disk Service being removed, specifically (because it used to be in this list)): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

    CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this - do consider it, when possible! Many guides online exist for this, & I authored one of the first "back in the day" for as "Article #1" back in 1997-1998 - the latest ones are even BETTER!



    STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

    Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

    The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

    "Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use it's File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

    (It's easy, & it works, & is necessary for the actual steps to do this, below)

    Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

    STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

    Create and Define a New Security Template

    (To define a new security template, follow these steps)

    1. In the console tree, expand Security Templates
    2. Right-click %SystemRoot%\Security\Templates, and then click New Template
    3. In the Template name box, type a name for the new template.

    (If you want, you can type a description in the Description box, and then click OK)

    The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

    1. To define a System Services policy, follow these steps:
    a. Expand System Services
    b. In the right pane, double-click the service that you want to configure
    c. Specify the options that you want, and then click OK.

    (And, of course, the user feedback on its effectiveness (Makes your Win32 NT-based OS very much like how MacOS X treats its daemon processes via privelege levels), which uses the same general principals)

    It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!


    Last edited by AlecStaar; December 9th, 2007 at 09:48 PM.

  10. #10
    Join Date
    Dec 2007
    Quote Originally Posted by zallison
    IMO, if you're going to post a tutorial as a first post, anywhere, you should have it completed enough that input other than..

    "Where is the stuff a Vista user needs to know about securing the OS?"


    I understand that it may take a while to post, but please, share something other than security scores that are 2 to 3 month's old.
    I tried to post it in its entirety, but, your forums board is not updating & not even putting my posts up immediately, so I only put up a link to a board that posts it properly... see the URL above.


    P.S.=> My points are NOW on the page #2 of this thread, onwards, including a reply to AngelicKnight... a good read that, in & of itself! apk
    Last edited by AlecStaar; December 9th, 2007 at 09:46 PM.

Similar Threads

  1. October MS updates
    By mohaughn in forum Microsoft Security Discussions
    Replies: 2
    Last Post: October 13th, 2004, 04:31 AM
  2. Usefull Windows XP, 2k, NT, and 9x tips and tweaks
    By Cybr1d in forum Miscellaneous Security Discussions
    Replies: 11
    Last Post: June 10th, 2004, 12:09 AM
  3. Tcp/ip
    By gore in forum Newbie Security Questions
    Replies: 11
    Last Post: December 29th, 2003, 08:01 AM
  4. Windows 2003 Server Vulnerability
    By warl0ck7 in forum Microsoft Security Discussions
    Replies: 7
    Last Post: August 14th, 2003, 12:23 PM
  5. MS 1st critical update of 2003
    By qwerty_smith in forum Microsoft Security Discussions
    Replies: 1
    Last Post: February 5th, 2003, 09:41 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts