Discussion in 'Tutorials' started by readermaniax, Dec 11, 2005.

    1), Use NTFS, not FAT, for your filesystem. NTFS is what gives you file permissions, auditing and encryption; FAT has none of them. If you're on FAT and want to change, open a command prompt and type
    "convert c: /fs:ntfs" (substitute the right drive letter). The conversion is one-way, and if the volume is in use Windows will offer to run it at the next reboot.

    2), Give every account on your PC a password. And make them HARD passwords. I follow the rule that it should be at least 7 letters long, not be a dictionary word, use both upper and lowercase letters, and contain a numeral and/or other ASCII character in it somewhere. For instance, really good passwords would be: $uPrn0v@, 1nMe&U2, Ih8$p@m. OK passwords: ilbcnU2, 14daroaD, p1zz4isgood. BAD passwords: john1, password.

    3), Disable the Guest account, unless you have a real reason to use it. And if you do need to use it, still give it a password. Disable or delete any other account that you do not need to use. The more active accounts you have, the more avenues an attacker has to attempt an entry.

    4), Rename your default Administrator account, just so it's not so easy to guess. Note that this only slows down guessing: the renamed account still has the well-known SID ending in -500, and tools that enumerate accounts by SID (which is one more reason for step 6b) will still find it.

    5), Create a separate account for you to use, not the default Administrator account. You can give your account admin access while you set things up and install apps, but generally you want any account you use daily to be at most a 'Power User', and a plain Limited (Users) account is better still, since Power Users can install most software and are only a small step below Administrators. This is not only for security, but also for safety from data corruption. And if something within your profile gets corrupt and you can't log in as yourself, you can still get in with the admin account and fix things.

    6), Log on as admin and go into the Local Security Policy MMC (start>Settings>Control panel>Administrative tools>Local Security Policy) and change the following:
    6a) under 'Local Policies' > 'User Rights Assignment', open "Access this computer from the network" and remove every entry (including the Everyone and Users groups), unless you have a specific reason to access file shares or printers on this PC from another computer. In that case, add only the accounts that need it and remove all the rest.
    Repeat for "Allow logon through Terminal Services". Even if you have 3 accounts that need to reach a printer remotely, they don't need Terminal Services. Remove everyone from here unless you have a specific reason for them to be there.
    6b) under 'Local Policies' > 'Security Options', open "Network access: Do not allow anonymous enumeration of SAM accounts" and set it to "Enabled" (its stricter neighbour, "...of SAM accounts and shares", is worth enabling too if you don't share anything). This stops people from using certain software tools to scan your computer and collect your account names, share names, etc. Using a simple program called Winfo, I can scan a computer and get all the user accounts, shares, computer name, etc, if it's on the internet and has not changed this setting.
    6c) 'User Rights Assignment' > "Force shutdown from a remote system". Remove anyone listed here (by default it's the Administrators group).
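    Steps 1 through 6 are all things you can check from a script rather than by clicking through dialogs. The PowerShell below is an added example written for this page, not part of the original post; it assumes PowerShell 2.0 or later on an XP/2003-era machine, an Administrator prompt (secedit needs one), and the WMI classes and INF key names shown in the comments. It only reports; it changes nothing.

```powershell
# Added example (editor's, not from the original post). Audits the settings from
# steps 1-6 with built-in tools plus PowerShell. Run from an Administrator prompt.
$findings = @()

# Step 1: every fixed disk (DriveType 3) should be NTFS, not FAT/FAT32.
Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" | ForEach-Object {
    if ($_.FileSystem -ne 'NTFS') {
        $findings += "$($_.DeviceID) is $($_.FileSystem); convert with: convert $($_.DeviceID) /fs:ntfs"
    }
}

# Steps 2-4: local accounts. A SID ending in -500 is the built-in Administrator
# whatever it has been renamed to; -501 is the built-in Guest.
$accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
foreach ($a in $accounts) {
    if ($a.SID -like '*-500' -and $a.Name -eq 'Administrator') {
        $findings += "Built-in Administrator still has the default name (step 4)"
    }
    if ($a.SID -like '*-501' -and -not $a.Disabled) {
        $findings += "Guest account is enabled (step 3): net user Guest /active:no"
    }
    if (-not $a.Disabled -and -not $a.PasswordRequired) {
        $findings += "Account $($a.Name) does not require a password (step 2)"
    }
}

# Steps 6a-6c: export the local policy with secedit and read the INF it writes.
# In the [Privilege Rights] section a line looks like:
#   SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
$inf = Join-Path $env:TEMP 'localpolicy.inf'
secedit /export /cfg $inf /areas USER_RIGHTS SECURITYPOLICY /quiet | Out-Null
if (Test-Path $inf) {
    $policy = Get-Content $inf          # secedit writes UTF-16; Get-Content honours the BOM
    $rightsToEmpty = @{
        'SeNetworkLogonRight'           = 'Access this computer from the network'
        'SeRemoteInteractiveLogonRight' = 'Allow logon through Terminal Services'
        'SeRemoteShutdownPrivilege'     = 'Force shutdown from a remote system'
    }
    foreach ($right in $rightsToEmpty.Keys) {
        $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        if ($line) {
            $holders = ($line -split '=', 2)[1].Trim()
            if ($holders) { $findings += "'$($rightsToEmpty[$right])' still granted to: $holders" }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
} else {
    $findings += "secedit export failed (not running as Administrator?); user rights not checked"
}

# Step 6b: "Network access: Do not allow anonymous enumeration of SAM accounts"
# is RestrictAnonymousSAM=1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ras = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).RestrictAnonymousSAM
if ($ras -ne 1) { $findings += "RestrictAnonymousSAM is '$ras', expected 1 (step 6b)" }

if ($findings.Count -eq 0) { "No findings." } else { $findings | ForEach-Object { "FINDING: $_" } }
```

    Run it before and after you work through the steps; the "still granted to" lines list the SIDs that remain in each user right (S-1-1-0 is Everyone, S-1-5-32-544 is Administrators, S-1-5-32-545 is Users), so you can see exactly who is left.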

    7), Turn off services/programs that you do not need running all the time. Some I disable, and some I just set to manual. Get to them by Start > Settings > Control Panel > Administrative Tools > Services. Double-click each service and use the pulldown to change its startup type. Be careful here: disable the wrong one and your system may not reboot, so note down what each one was set to before you change it.
    The services I disable on Win XP SP1 are (you may not have all of these):
    Terminal Services, unless you actually use this feature.
    Telnet server, same as above. Huge security risk here.
    Background intelligent transfer service
    Messenger (prevents those idiotic popups)
    Remote registry service (why the hell this is enabled by default I don't know.)
    Routing and remote access, only usefull if you use ICS.
    Computer Browser, this maintains the list of machines you see in My Network Places. If you don't browse other computers on the LAN, you may kill it.
    DHCP, only if you have set your computer to a static IP. Otherwise leave it alone.
    NetMeeting Remote Desktop Sharing
    Portable Media Serial Number
    Remote Desktop Help Session Manager
    Server, unless you want to share files.
    SSDP Discovery Service, you'll probably never have reason to use this.
    TCP/IP NetBIOS Helper Service, only useful if you often access other Windows shares to get files.
    Windows Time, unless you use an internet time server.
    Wireless Zero Configuration. With some wireless cards it works, with some it doesn't. If you don't have a wireless network card, kill it.
    For SP2 add:
    Security Center (it only nags about AV and firewall status; it does no protecting itself)
    Windows Firewall, but only once a hardware firewall (see #11) sits in front of the PC. Until then leave it on: it's the only thing between the services above and the internet.
    Application Layer Gateway (part of the Windows Firewall/ICS setup; goes with the line above)

    The services I set to manual:
    Automatic updates (or disable, unless you use it)
    Cryptographic services, won't hurt anything, but doesn't need to run until you need it.
    Distributed Link Tracking Client
    Error Reporting Service
    Help and Support (this could also be disabled, up to you)
    IPSEC, probably won't use it, but keep it available in case.
    Security Accounts Manager (this one is part of the logon path, so there's little to gain and a lot to lose; if in doubt, leave it alone)
    Task scheduler
    Web Client, another one you'll never use.
    Upload Manager

    These are the only default Windows services I'd probably touch. You may have lots of other services as well. My best recommendation is to google them and see what they belong to before altering them.

    8), Anti-Virus software! This is no longer just good to have, it's mandatory. And keep it up to date. This is to prevent you from getting trojans and worms that you can get by doing nothing more than plugging in your cable modem. I usually recommend that you have more than one AV program. One that runs all the time (usually called "realtime" or "autoprotect") and one that does not, and only runs when you manually run it. This way they do not conflict with each other. Why 2? Because none of them catch everything. And I'm paranoid.
    There's a couple of threads already discussing which is best, so I won't go into that here.
    Of similar importance is antispyware software. I have 4 of those as well. Giant, Ad-Aware, Spybot, & Hijackthis!. The rest, imho, are garbage.

    9), While disabling services, check and make sure that IIS (Internet Information Services) is not installed and running if you do not want to run a web, FTP or mail server. If you find it, you can uninstall it from Control Panel > Add/Remove Programs > Add/Remove Windows Components. If you only want one of the 3 services it provides, disable the other 2 (in Services they appear as World Wide Web Publishing, FTP Publishing, and Simple Mail Transfer Protocol (SMTP)). And make sure it's patched!
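    The service lists in #7 and the IIS check in #9 are the same kind of change, so here is one script that applies both. It is an added example for this page, not the original author's; it assumes PowerShell 2.0 or later and the XP/2003 short service names given in the comments (the display names the post uses are what you see in the Services MMC). Without -Apply it only reports.

```powershell
# Added example (editor's, not from the original post). Applies the startup-type
# changes from steps 7 and 9 with Set-Service, skipping services that are not
# installed on this machine. Run as Administrator.
param([switch]$Apply)   # without -Apply it only reports what it would change

$disable = @(
  'TermService',      # Terminal Services
  'TlntSvr',          # Telnet
  'BITS',             # Background Intelligent Transfer Service
  'Messenger',        # Messenger (popup spam)
  'RemoteRegistry',   # Remote Registry
  'RemoteAccess',     # Routing and Remote Access
  'Browser',          # Computer Browser
  'mnmsrvc',          # NetMeeting Remote Desktop Sharing
  'WmdmPmSN',         # Portable Media Serial Number Service
  'RDSessMgr',        # Remote Desktop Help Session Manager
  'lanmanserver',     # Server (file and printer sharing)
  'SSDPSRV',          # SSDP Discovery Service
  'LmHosts',          # TCP/IP NetBIOS Helper
  'W32Time',          # Windows Time
  'WZCSVC',           # Wireless Zero Configuration
  'wscsvc',           # Security Center (SP2)
  'ALG',              # Application Layer Gateway (SP2)
  'W3SVC', 'MSFtpsvc', 'SMTPSVC'   # IIS web, FTP and SMTP (step 9)
)
$manual = @(
  'wuauserv',     # Automatic Updates
  'CryptSvc',     # Cryptographic Services
  'TrkWks',       # Distributed Link Tracking Client
  'ERSvc',        # Error Reporting Service
  'helpsvc',      # Help and Support
  'PolicyAgent',  # IPSEC Services
  'Schedule',     # Task Scheduler
  'WebClient',    # WebClient
  'uploadmgr'     # Upload Manager
)
# Deliberately left out of the lists above:
#  - Dhcp: only disable it if you really run a static IP.
#  - SharedAccess (Windows Firewall/ICS): only disable once a hardware firewall
#    (step 11) is in front of the machine, or every listening service is exposed.
#  - SamSs (Security Accounts Manager): part of the logon path; a mistake there
#    can leave you unable to log on, so change it by hand if you must.

function Set-StartupIfPresent([string[]]$names, [string]$type) {
    foreach ($n in $names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { "skip      $n (not installed)"; continue }
        # Win32_Service.StartMode is Auto/Manual/Disabled (or Boot/System for drivers)
        $current = (Get-WmiObject Win32_Service -Filter "Name='$n'").StartMode
        if ($current -eq $type) { "ok        $n already $type"; continue }
        "{0,-9} {1} (was {2}, currently {3})" -f $type, $n, $current, $svc.Status
        if ($Apply) {
            if ($svc.Status -eq 'Running') { Stop-Service -Name $n -Force -ErrorAction SilentlyContinue }
            Set-Service -Name $n -StartupType $type
        }
    }
}

Set-StartupIfPresent $disable 'Disabled'
Set-StartupIfPresent $manual  'Manual'
if (-not $Apply) { "Dry run only; re-run with -Apply to change the startup types." }
```

    After applying, reboot and run `netstat -ano` to confirm the ports that Server, Terminal Services, Telnet and IIS used to listen on (445, 3389, 23, 80/21/25) are gone; a port that is still open means a service you didn't expect is behind it.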

    10), keep up-to-date with your critical updates and service packs. Set it to automatic, if you trust it.

    11), Firewalls. It's a mixed bag. Some people swear by software firewalls, but I personally don't care for them. They tended to crash too much and use resources. The best option is to use a router that actually has a stateful packet inspection firewall built into it (or another dedicated firewall device). Recommended models: Linksys BEFSX41, NetGear FR114P & WGU624, Gigabyte GN-B41G, GN-B49G & GN-BR404W. There's already a how-to on software firewalls, so I won't go into that here.

    12), In Internet Explorer, hit Tools > Internet Options > Security > Internet > Custom Level. Either set the zone to "High" or manually disable all the ActiveX and scripting options. In that same dialog you can add specific sites to the "Trusted sites" zone (the Windows Update site needs to be there, since it runs as an ActiveX control) if you need them to run ActiveX controls and scripts. Otherwise, you do not want arbitrary websites to run them. If you're paranoid like me, don't even use IE. Use Firefox. It blocks popups by default and does not support ActiveX at all. You still need to set these options in IE though, because the zone settings are used by the OS and every MS program that embeds IE (because IE is built into the OS).
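    The Custom Level dialog is just a front end for per-user registry values, which means you can audit and set them from a script. The following is an added example for this page (not from the original post); it assumes the IE 6-era layout under HKCU, where zone 3 is Internet, zone 2 is Trusted sites, and the value names 1001/1004/1200/1201/1405/1400 are the ActiveX and scripting items with 0 = Enable, 1 = Prompt, 3 = Disable. The domain passed to Add-TrustedSite is a placeholder you supply; no real site is assumed.

```powershell
# Added example (editor's, not from the original post). Reads the per-user
# Internet-zone settings that the step-12 dialog edits and reports the ones that
# still let arbitrary web sites run ActiveX or script. Assumptions in comments.
$zones    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$internet = Join-Path $zones '3'          # zone 3 = Internet
$domains  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Value name -> what the dialog calls it.
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1400' = 'Active scripting'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-InternetZoneSettings {
    $p = Get-ItemProperty -Path $internet
    foreach ($v in ($actions.Keys | Sort-Object)) {
        $val = $p.$v
        $label = if ($val -eq $null) { 'missing (zone default applies)' }
                 elseif ($meaning.ContainsKey([int]$val)) { $meaning[[int]$val] }
                 else { "unknown($val)" }
        New-Object PSObject -Property @{ Value = $v; Setting = $val; Label = $label; Action = $actions[$v] }
    }
}

function Set-InternetZoneLockdown {
    # Same effect as choosing Disable for every item above in the Internet zone.
    foreach ($v in $actions.Keys) { Set-ItemProperty -Path $internet -Name $v -Value 3 -Type DWord }
}

function Add-TrustedSite([string]$Domain, [string]$Scheme = 'https') {
    # What the dialog's "Trusted sites" button writes: ZoneMap\Domains\<domain>\<host>
    # with a DWORD named after the scheme whose value is the zone number (2).
    # $Domain is whatever site you need, e.g. 'update.example.com' (placeholder).
    $parts = $Domain.Split('.')
    $base  = ($parts[-2..-1]) -join '.'
    $sub   = if ($parts.Length -gt 2) { ($parts[0..($parts.Length - 3)]) -join '.' } else { $null }
    $key = Join-Path $domains $base
    if ($sub) { $key = Join-Path $key $sub }
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

$settings = Get-InternetZoneSettings
$settings | ForEach-Object { "{0,-5} {1,-30} {2}" -f $_.Value, $_.Label, $_.Action }
$open = @($settings | Where-Object { $_.Setting -ne 3 })
if ($open.Count -gt 0) {
    "Internet zone still allows or prompts for: " + (($open | ForEach-Object { $_.Value }) -join ', ')
} else {
    "Internet zone: ActiveX and scripting disabled."
}
```

    These are per-user values, so run the check as each account that browses; a machine-wide policy (under HKLM with Security_HKLM_only set) can override what you see here, which is one reason to re-check after an update or a new account is created.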

    13), Open Windows Media Player. Hit 'tools>options>security'. Make sure "run script commands" is unchecked, and "Do not run script commands.....inside a web page" IS checked. WMV files have scripting abilities (thanks MS) and these scripts can be made to do malicious things. Even if you try to not ever use WMP, it's hard to prevent it from opening media while web browsing. Windows would prefer if WMP was the default for everything, and occasionally it somehow gets reset back to default.

    14) Right click "My Network Places">properties. Right click "local area connection">properties. On the "general" tab, if you do not plan on sharing folders or accessing Windows shares on your local LAN, uncheck "Client for MS networks" and "File & printer sharing for MS networks". This effectively disables these protocols on this network card. If you see "NWLink IPX/SPX" or "Client for Netware" you can uninstall them, unless you happen to have a Novell Netware server. None of this will affect web browsing or bittorrent and the like.

    15) Right click "My Computer">properties. On the "Remote" tab, make sure Remote assistance and Remote desktop are both turned off. Unless you actually use Remote Desktop.

    16) Shared folder permissions. There are actually 2 sets of permissions: share permissions and NTFS permissions. Whichever is more restrictive wins, so a user who has Full Control on the share but only Read in NTFS gets Read, and vice versa. You need to set/check both to be sure that you are giving access to who you think you are. When adding users in the permissions window, be as specific as possible. That is, only add users that need to open it, and only give them enough access to do what they need. Don't just add 'Everyone' with Full Control. Don't add the whole "Users" group if your one account is the only one that will ever access it.
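    To see both permission sets side by side and the "more restrictive wins" result for each share, here is an added example for this page (not the original author's code). It assumes PowerShell 2.0 or later, the Win32_Share and Win32_LogicalShareSecuritySetting WMI classes, an Administrator prompt (share DACLs are not readable otherwise), and the three share-level access masks shown in the comment; it matches NTFS entries to share entries by name only, so access granted through group membership is not resolved.

```powershell
# Added example (editor's, not from the original post). Lists each user-created
# share, its share permissions, the NTFS permissions on the folder behind it, and
# the effective level (the more restrictive of the two) per share entry.

# Share-permission access masks behind the dialog's three checkboxes.
$shareLevel = @{ 2032127 = 'Full Control'; 1245631 = 'Change'; 1179817 = 'Read' }
$rank       = @{ 'Read' = 1; 'Change' = 2; 'Full Control' = 3 }

function Get-ShareAces([string]$name) {
    $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$name'"
    if (-not $sec) { return @() }
    $sd = $sec.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        $trustee = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
        $mask = [int]$ace.AccessMask
        $level = if ($shareLevel.ContainsKey($mask)) { $shareLevel[$mask] } else { "mask 0x{0:X}" -f $mask }
        New-Object PSObject -Property @{
            Trustee = $trustee
            Type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }   # Win32_ACE: 0 allow, 1 deny
            Level   = $level
        }
    }
}

function Get-NtfsAces([string]$path) {
    foreach ($r in (Get-Acl -Path $path).Access) {
        New-Object PSObject -Property @{
            Trustee = $r.IdentityReference.Value
            Type    = $r.AccessControlType.ToString()
            Level   = $r.FileSystemRights.ToString()
        }
    }
}

function Get-EffectiveLevel([string]$share, [string]$ntfs) {
    # NTFS rights are richer than the three share levels; map the common ones.
    # Anything unrecognised (e.g. raw generic-rights numbers) is treated as Read,
    # the most conservative reading for a "lower of the two" calculation.
    $n = switch -Wildcard ($ntfs) {
        'FullControl'      { 'Full Control'; break }
        '*Modify*'         { 'Change'; break }
        '*Write*'          { 'Change'; break }
        '*Read*'           { 'Read'; break }
        default            { 'Read' }
    }
    if (-not $rank.ContainsKey($share)) { return $share }     # odd share mask: report it as is
    if ($rank[$share] -le $rank[$n]) { $share } else { $n }
}

foreach ($s in Get-WmiObject Win32_Share -Filter "Type=0") {   # Type 0 = ordinary disk share
    "== \\$env:COMPUTERNAME\$($s.Name)  ->  $($s.Path)"
    $shareAces = @(Get-ShareAces $s.Name)
    $ntfsAces  = @(Get-NtfsAces $s.Path)
    "   share permissions:"
    $shareAces | ForEach-Object { "     {0,-5} {1,-28} {2}" -f $_.Type, $_.Trustee, $_.Level }
    "   NTFS permissions:"
    $ntfsAces  | ForEach-Object { "     {0,-5} {1,-28} {2}" -f $_.Type, $_.Trustee, $_.Level }
    foreach ($sa in ($shareAces | Where-Object { $_.Type -eq 'Allow' })) {
        $na = $ntfsAces | Where-Object { $_.Type -eq 'Allow' -and ($_.Trustee -eq $sa.Trustee -or $_.Trustee -like "*\$($sa.Trustee)") } | Select-Object -First 1
        $eff = if ($na) { Get-EffectiveLevel $sa.Level $na.Level } else { 'no direct NTFS entry (group membership not resolved here)' }
        "   effective for $($sa.Trustee): $eff"
    }
    $everyoneFull = $shareAces | Where-Object { $_.Type -eq 'Allow' -and $_.Trustee -eq 'Everyone' -and $_.Level -eq 'Full Control' }
    if ($everyoneFull) { "   FINDING: Everyone has Full Control at the share level; NTFS is the only thing limiting them." }
}
```

    The FINDING line is the default XP share permission, so expect to see it on any share you created without editing the Permissions button; fix it at the share level as well as in NTFS so that a mistake in one layer is still caught by the other.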

    17) Auditing. This might be overkill for some of you, but here goes. Go back to the Local Security Policy MMC in #6. Under 'Local Policies' > 'Audit Policy':
    Generally I will set "Audit account logon events" to Success and Failure, and "Audit logon events" to just Failure. What this does is the system will record every time someone logs into the PC, or connects to a share, or attempts to and fails (on XP the failures show up as event IDs 529 through 539, successes as 528 and 540). To see these recorded logons, open the Event Viewer (Start > Run > eventvwr) and click on "Security". It'll tell you date/time, account name, the PC name they were on, and so on. Great for tracking down whether someone hacked, or tried to hack, you with the good old "net use" commands or something.
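    Once the audit policy is on, the Security log fills quickly, and the useful question is "which account, from which machine, how many times". The script below is an added example for this page, not from the original post; it assumes the XP/2003 event IDs (528 and 540 for successes, 529 through 539 and 680 for failures) and the classic "User Name:" / "Logon Type:" / "Workstation Name:" lines in their message text, and reads the live log with Get-EventLog. The sample entries at the bottom are constructed, not real log data, so the summariser can be tried without a populated log.

```powershell
# Added example (editor's, not from the original post). Summarises the Security
# log that step 17 turns on: failed logons by account and source workstation, and
# successful network logons (what a "net use" from another machine produces).
$failureIds = 529,530,531,532,533,534,535,536,537,539,680
$successNet = 540     # successful network logon (XP/2003)
$successAny = 528     # successful logon; logon type 3 means it came over the network

function ConvertFrom-LogonMessage([int]$id, [string]$message) {
    # Pull the fields out of the classic-format message body (assumed layout).
    $user = if ($message -match 'User Name:[ \t]+(\S+)')       { $matches[1] } else { '?' }
    $wks  = if ($message -match 'Workstation Name:[ \t]*(\S*)') { $matches[1] } else { '?' }
    $type = if ($message -match 'Logon Type:[ \t]+(\d+)')      { [int]$matches[1] } else { 0 }
    New-Object PSObject -Property @{ EventID = $id; User = $user; Workstation = $wks; LogonType = $type }
}

function Get-LogonSummary($entries) {
    # $entries: objects with EventID and Message (live EventLogEntry objects or the samples below).
    $rows = foreach ($e in $entries) {
        if ($failureIds -contains $e.EventID -or $e.EventID -eq $successNet -or $e.EventID -eq $successAny) {
            ConvertFrom-LogonMessage $e.EventID $e.Message
        }
    }
    $failed = $rows | Where-Object { $failureIds -contains $_.EventID } |
        Group-Object User, Workstation | Sort-Object Count -Descending |
        ForEach-Object { New-Object PSObject -Property @{ Key = $_.Name; Failures = $_.Count } }
    $netOk = $rows | Where-Object { $_.EventID -eq $successNet -or ($_.EventID -eq $successAny -and $_.LogonType -eq 3) } |
        Group-Object User, Workstation |
        ForEach-Object { New-Object PSObject -Property @{ Key = $_.Name; Successes = $_.Count } }
    New-Object PSObject -Property @{ Failed = @($failed); NetworkSuccess = @($netOk) }
}

function Read-SecuritySummary([int]$newest = 2000) {
    # Must run as Administrator; the Security log is not readable otherwise.
    Get-LogonSummary (Get-EventLog -LogName Security -Newest $newest)
}

# --- constructed sample entries (not real log data) ---
function New-SampleEntry([int]$id, [string]$header, [string]$user, [int]$type, [string]$wks) {
    $msg = "$header`r`n`tUser Name:`t$user`r`n`tDomain:`t`tWORKGROUP`r`n`tLogon Type:`t$type`r`n`tWorkstation Name:`t$wks"
    New-Object PSObject -Property @{ EventID = $id; Message = $msg }
}
$samples = @(
    (New-SampleEntry 529 'Logon Failure:' 'administrator' 3 'EVILBOX'),
    (New-SampleEntry 529 'Logon Failure:' 'administrator' 3 'EVILBOX'),
    (New-SampleEntry 529 'Logon Failure:' 'john' 2 'HOMEPC'),
    (New-SampleEntry 540 'Successful Network Logon:' 'john' 3 'LAPTOP')
)

$summary = Get-LogonSummary $samples
"Failed logons (account, workstation: count)"
$summary.Failed | ForEach-Object { "  {0}: {1}" -f $_.Key, $_.Failures }
"Successful network logons (account, workstation: count)"
$summary.NetworkSuccess | ForEach-Object { "  {0}: {1}" -f $_.Key, $_.Successes }
```

    On the samples this reports two failures for administrator from EVILBOX, one for john from HOMEPC, and one network success for john from LAPTOP. Against the real log, call Read-SecuritySummary instead; a workstation name you don't recognise at the top of the failure list is exactly the "net use" guessing the post describes, and a success from the same name right after a run of failures is the line to worry about.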
