Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Improving Windows XP Security

Security

Improving Windows XP Security

by  jsauce  Posted    (Edited  )
Although Windows XP Pro is built on the Windows NT and 2000 kernel and does improve upon security, it still lacks some security by default. With a little help anyone can increase the security of their Windows XP Pro system. This FAQ was designed only for Windows XP Pro and not XP Home. Windows XP Home lacks a lot of the security features that Windows XP Pro has and as such I cannot recommend it if you are concerned with security.

NOTE: Some places in this FAQ I may recommend modifying your registry. Take great care in doing so and follow the directions as indicated. Do not attempt to modify the registry unless you feel safe in doing so.


SECURING YOUR MACHINE

Some people go through a lot of trouble providing security over a network, including a firewall and all the security settings associated with the system. Then they forget to lock the system locally. These are some of the things you can do to the machine.

1. Set a bios password to your system. By doing this you prevent any user from booting the machine and accessing the operating system. The only way a user can do this is then by opening the system up and resetting the CMOS battery.

2. If your computer case has a lock, use it. If your drives have locks, use them. Any little thing you can do can help to improve security helps. This is especially true if this machine happens to be a server.

3. If you are concerned with local security of the machine, disable the bios bootup of your cd and floppy drives. A hacker with a Knoppix STD cd can boot into your machine locally and bypass the operating system. With a little work they can gain access to your machine.

THE WINDOWS XP PRO OPERATING SYSTEM

1. NTFS is important. Use NTFS on all your drives. FAT and FAT32 are the older standard file systems that shipped with the old 9x kernel and they provide no security whatsoever. In contrast Windows XP uses the NT kernel which allows you to use NTFS which has security permissions that can be set all the way down to the file level. If you have FAT or FAT32 drives you should convert them using the built in convert.exe utility. Once you have converted a drive it cannot be converted back so be sure you really want to do this. Not only does NTFS provide file permissions it also provides Compression and the EFS (Encrypting File System). Using the EFS will prevent any user from seeing the contents of a file or folder unless that user is you. You cannot use compression and encryption on the same file so choose one.

2. Use strong passwords on all accounts. Strong passwords are passwords that are not easily guessable and contain both numbers and letters. Using your birth date or dog's name for your password will not do. These types of passwords can be easily guessed or brute forced cracked. Passwords that use both upper and lower case are also much harder to crack. A password should be alternating like this: 7g4W0b2Xs5Q. You should never make your passwords less than 6 characters long and of course the longer the better. Also know that in Windows 2000 and Windows XP passwords can contain spaces. In fact if you can type the password on your keyboard itÆs considered a usable character. Just a note, a password like the one I described could take about 100,000 years to crack, however as computer technology improves as well as the speed of the cpus this can take less time.

Windows XP converts and stores all passwords for every username in something called an NT password hash. This is a set of numbers and letters windows uses to match your password. Talking about local security here again, this can play an important role. If someone does gain access to your local machine within 5 minutes of being in front of the machine they can have complete access to it using a Linux boot disk with a program called NT Password. NT password will allow the person the ability to gain access to the SAM file which contains the list of usernames and associated encrypted hashes. The person can then simply insert a new hash associated with a new password. Then they only have to reboot the system, use the new password and gain access to the system. There is however an easy way to stop this. Use the EFS to encrypt the contents of the drive. By doing this the user would need the original password to the associated username or else they would not be able to see the encrypted files. A good hacker with a Knoppix STD cd can grab the sam file and copy it to a floppy or a usb thumb drive. They can then take the sam file away and work on cracking it. This is why strong passwords are very important. The longer and more random the password the harder it is to crack. Not only that but anytime you change your password, Windows automatically updates the NT password hash. Thus anyone who obtained the previous hash file would find it completely useless to them. NOTE: Windows actually makes two hash file changes when changing your password. The first is the hash contained in the SAM file but it also makes a second change to something called the LMHash (LAN Manager Hash). LMHash is the remains of the old password authentication used in Windows 3.1, 95, and 98. This hash is really bad because it is treated as two 7-character passwords and converted to all uppercase. This makes the LM Hash very easy to crack with brute force means. In Windows XP you do not need it and can remove it with a registry modification like this:

Open your registry editor by clicking Start and then run and by typing regedit and pressing OK. Then navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Then in the right pane set nolmhash to hexadecimal 1.
If it doesnÆt exist, create a new dword called nolmhash. Then right click on it and select modify. Then set it to hexadecimal 1.

Now Windows XP will only create your passwords in NT Hash stored in the SAM file, which is much more secure.

3. Disable the Guest account. The Guest account while it seems like a good idea does leave your system open to possible access by hackers.

4. Disable Simple File Sharing. Having instructed you to disable the Guest account you also need to disable simple file sharing. Simple File sharing is a huge hole in security as it by default enables file sharing and makes all shares forced to logon using the Guest account to access shares. You can disable Simple File sharing by Double clicking on my computer, selecting tools and then folder options. Select the view tab and go to advanced settings. Uncheck the Use Simple File Sharing box and click apply. By doing this you can now setup permissions on folder per user by right clicking a folder and selecting Sharing and Security. It brings up the Sharing tab which you can now configure to your liking and what best suits your security needs.

5. Use Limited Accounts whenever possible. One problem I have had with Windows XP is that by default the first user is created as an administrator. You should use administrative privileges with care. That is if you are an administrator and someone gains access to your account they are an administrator. Its better to use the limited accounts and use the Run As command if you need to install something that requires administrative privileges.

6. Firewalls, Antivirus, and Spyware. IÆm always amazed by the number of people who use the internet but have never bought a firewall, an antivirus program or a spyware removal tool. The fact is the internet is a place full of people who want nothing more than to gain access to your machine and they will use whatever means necessary to do so. You wouldnÆt go outside in the middle of winter without a coat on, nor would you stand in a room of flu infected people without getting a flu shot. You would also never let someone you do not know stay in your home and go through your things. Everyday, millions of people everyday log onto the internet without any means of protection, so lets talk about some of the means to protect yourself on the internet.

Firewalls: A firewall is a piece of software or hardware that sits itself in between your computer and the internet. It does this by blocking access to the ports that your computer communicates on with the rest of the world. It also may inspect packets coming in and determine if the packets are safe to be used by your computer.

A firewall is a must have piece of software for any machine and the best part about it is there are companies out there that offer you a free firewall. You donÆt even have to purchase this useful piece of software, they want you to be more secure and you should want that to. Microsoft has also taken a step in the right direction by including a firewall with Windows XP called the ICF (Internet Connection Firewall). I donÆt like the ICF because it is not enabled by default and only checks ports coming in, that means that it allows any data to leave your computer without being examined. This is important and IÆll talk a little about that later. A good firewall is one that can both check incoming and outgoing information like ZoneAlarm, which is also free. You can find it at http://www.zonelabs.com

Antivirus: Antivirus software is an application or set of applications that are used to scan and repair files on your computer that can be or may be infected with virus machine code. Good antiviral software is software that can scan, clean, and repair any form of malware from your computer. Malware is an acronym for malicious software.

Just like a firewall, good antivirus software is a required component for your computer. And just like firewall software there are some companies out there that will give it away for free because they want your computer to be more secure. Good antivirus software should both clean and repair malware but it should also scan your system regularly, and provide a real-time scanner. Though not a requirement it should also provide scanning of your email. Since email is the new way to spread internet worms, you should take great care with it, and never execute anything that came attached to an email.
You can find a free antivirus software application called AVG at http://www.grisoft.com/
I like it because it can clean and repair malware and also provides an email scanner.

Spyware: In general, spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet, spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties.

There has been a lot of debate about what exactly makes something spyware, and for me itÆs pretty clear. If an application installs another piece of software even with your knowledge and that software transmits data from your computer to another without telling you, its spyware. There is no reason that you would want something like this installed on your computer, yet millions of people are infected with this type of junk software everyday. Not only does spyware infect your machine like a virus, it uses up your system resources and your bandwidth to transmit data like your browsing preferences and the types of software you have installed on your machine. It can also be used to gathering information from your registry, like product codes and such. You never want to install anything that would install this type of software, that includes those browser plug-ins that advertise easier searches, or p2p software like kazaa media desktop. Again a lot of good companies have come forward and provided these spyware removal tools for free. The tool I like is Ad-aware and it can be found at http://www.lavasoftusa.com/ but there are many good tools to use. You can find them just by searching on Google.

7. Windows Update. Check it at least once a week. There is no better way to make sure your system is updated. By installing the newest security patches you help to make your computer a little safer. Microsoft releases these patches because they do not want to see your machine exploited. Everyone knows that if each user just takes the time to update their machine when a new vulnerability is discovered less and less of these worms would be a problem. The fact is I find that very often when I see a userÆs machine that it might never have been updated. So please do everyone a favor and update your machine if it needs it.


8. Wireless Everywhere. If you are one of those people who have started using wireless net access than you should know that its pretty easy to hack into your wireless network. But IÆll give you a few tips on how to secure that network.

Just about anyone with some knowledge and a few tools can hack into your wireless network and not only use your network bandwidth for free but gain access to your networked computers. They can do this by something called wardriving. A person can drive his or her car around with a laptop, a wireless card, and netstumbler. With this a person can gain easy access to any unencrypted wireless network.

So the first thing you will want to do when you setup your wireless network is change your SSID. Since a hacker has to know your networkÆs name to access it changing the SSID does help a little. Because SSIDÆs are usually assigned preset by the manufacturer, itÆs easy for a hacker to gain access if he has a list of the manufacturers SSID defaults. ItÆs also recommended you change the password to your access pointÆs admin account. Since again this password is set by default. If they have the SSID they also have the password.
Also if your access point allows you to disable SSID broadcasting, use it.

Now you will want to get your WEP (Wired Equivalent Privacy) working. Get a Wireless access point and card that support at least 128-bit encryption. Make sure when setting your WEP password itÆs long and difficult and doesnÆt repeat the same letters and numbers often. Just by installing and configuring WEP you are making it much more difficult for the hacker. However even WEP can be bypassed if the hacker wants to spend long enough.

A hacker with Knoppix STD and AirSnort can begin cracking away on your network. AirSnort begins by capturing packets, but it needs something called interesting packets or weak key packets to really break the encryption. AirSnort needs these packets because these are the packets that contain password information used to crack the WEP encryption. The more users on a wireless network the more weak keys that are generated and the shorter the time it will take to break the encryption. This is why strong password encryption is important, the stronger the password the harder and longer it will take to crack. So unless this hacker really wants to access your network, a strong password should be good enough. One things hackers can be described accurately as is lazy. Why would a hacker spend a month trying to crack your hard password when someone else may not be using WEP and they can logon to their network with ease? So use WEP and make sure itÆs a strong password.

9. Rename the Administrator account. Although a hacker can still gain access to the account by getting the SID from the sam file, it will keep the common script kiddies away. Also rename the account to something that isnÆt obvious like admin. Rename it to something that makes it seem like a normal account. Another trick is to create a dummy Administrator account with no privileges at all. Then if you give it a strong password a hacker could spend a long time trying to crack the account only to find out its useless.

10. DonÆt use Everyone. You should change the Everyone Group to Authenticated Users, so only authenticated users can gain access to the shares and printers on the network.

11. Clear the PageFile at shutdown. The pagefile can contain a lot of sensitive data that is stored in memory and if itÆs not cleared at shutdown a person can potentially gain access to that information by viewing it. To have windows clear it you must edit your registry like this:

Open your registry editor by clicking Start and then run and by typing regedit and pressing OK. Then navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Then in the right pane set ClearPageFileAtShutdown to hexadecimal 1.
If it doesnÆt exist, create a new dword called ClearPageFileAtShutdown. Then right click on it and select modify. Then set it to hexadecimal 1.

NOTE: By doing this you may add several seconds to your shutdown time.

12. Disable the Windows Default Shares. Windows XP starts up your system with a number of default shares enabled. The root of each partition is shared along with ADMIN$, FAX$, IPC$ and PRINT$, etc. You should at least disable the sharing of your drives by default. You may notice that if you try to disable them, Windows will just re-share them on startup. So to disable them permanently you need to modify the registry like so:

Open your registry editor by clicking Start and then run and by typing regedit and pressing OK. Then navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Create a new dword called AutoShareWks. Then right click on it and select modify. Then set it to hexadecimal 0.

NOTE: This will disable all default administrative shares. This can cause problems with some programs so do not do it unless you are absolutely sure, and if you find it does cause problems set the value to 1 or remove it.

13. Disable storing of credentials and .NET passwords. Windows by default stores authentication credentials and .NET passwords on the local system and you should disable it for better security when on a domain. This can be modified in the registry like so:

Open your registry editor by clicking Start and then run and by typing regedit and pressing OK. Then navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Create a new dword called DisableDomainCreds. Then right click on it and select modify. Then set it to hexadecimal 1.

14. Harden your TCP/IP stack to defend against DOS. Denial of Service attacks are now part of internet life and can be a pain in the backside. There are a few things you can do to try and improve your windows xp machine against these types of attacks and they involved modifying the registry to modify how the TCP/IP stack responds to these types of attacks. Do this only if you are connected directly to the internet and only if you are sure you want to make these changes. Because these changes modify the TCP/IP stack it may not make your connection perform the best because of the added checking. This can be modified in the registry like so:

Open your registry editor by clicking Start and then run and by typing regedit and pressing OK. Then navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

YouÆll need to create several new DWORD values. EnableDeadGWDetect, EnableICMPRedirect, EnablePMTUDiscovery, KeepAliveTime, NoNameReleaseOnDemand, PerformRouterDiscovery, SynAttackProtect.

After creating the new dword values you will need to modify each one separately by right clicking on it and selecting modify. If they already existed just modify them as such.

EnableDeadGWDetect set to hexadecimal 0
Disables dead-gateway detection as an attack could force the server to switch gateways.

EnableICMPRedirect set to hexadecimal 0
Stops Windows from altering its route table in response to ICMP redirect messages.

EnablePMTUDiscovery set to hexadecimal 0
Disables maximum transmission unit (MTU) discovery as an attacker could force the MTU value to a very small value and overwork the stack.

KeepAliveTime set to hexadecimal 300000
Reduces how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

NoNameReleaseOnDemand set to hexadecimal 1
Protects the computer against malicious NetBIOS name-release attacks.

PerformRouterDiscovery set to hexadecimal 0
Disables ICMP Router Discovery Protocol (IRDP) where an attacker may remotely add default route entries on a remote system.

SynAttackProtect set to hexadecimal 2
Automatically adds additional delays to connection indications and TCP connection requests quickly timeout when a SYN attack is in progress.

NOTE: Take great care in modifying your registry and backup the original entries just in case you want to return these values to normal.

15. Add SYN Flood Protection. You can modify your registry to add better SYN Flood protection to your system. YouÆll need to modify your registry like so:

Open your registry editor by clicking Start and then run and by typing regedit and pressing OK. Then navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Create a new dword called SynAttackProtect. Then right click on it and select modify. Then set it to hexadecimal 2.

You can set its default back by changing the value back to 0.

16. Disable the Messenger. Windows Messenger while useful on a large office network is not needed by default in Windows XP or on a computer that is not on a network. Since this service is being used to spam users with advertisements it should be shutoff and you can do that by accessing the System Services like so: Click on Start and go to settings and then control panel. In the control panel you should find Administrative Tools. YouÆll then want to click on it and then on Services. Now a list will pop up with all the system services that start with Windows XP. Locate Messenger in the list, right click on it and click stop. Then right click on it again and click properties. Then in the startup type change it from automatic to disabled and click OK. Now it will no longer startup when your computer boots into Windows.

Update:March 02, 2004: After receiving an email I want to make it clear when I speak of Messenger I meant the Windows Messenger Service, not be to confused with Windows Instant Messenger. These are entirely different Applications, though both closely named, thanks Microsoft. Oh you can remove the instant messenger by going to start and run and then typing:

RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove


Well these are just some things you can do to improve the security of your Windows XP Pro computer. IÆll try to update this FAQ with information as I get more.










Register to rate this FAQ  : BAD 1 2 3 4 5 6 7 8 9 10 GOOD
Please Note: 1 is Bad, 10 is Good :-)

Part and Inventory Search

Back
Top