Although Win 2000 and XP Pro are miles ahead of 95, 98, ME in terms of security.

Connect to the internet for less than one minute, with a clean install of either OS and you will be infected by a virus, worm, or trojan.

By default, Win 2000 and XP are wide open for attack.

However users can, if they want to spend the time and effort, systematically lock down and secure the system themselves before connecting to the internet.

So lets proceed and make your system 99% secure.

Viruses, Worms, Trojans. Biological viruses cannot reproduce on their own and must infect a CELL and order it to make more viruses. Computer virus cannot run independently either and must infect the OS and use its system files and scripting agents to make more viruses and exploit your computer.

If you block the OS programs that activate the virus, you block the attack. The only problem is you need most of these OS files to run your computer like the body needs its cells to live. But you can block some without imparing the normal operation of your computer. Most of what we are blocking has been shown to be the most common pathway used by viruses, worms, trojans, and spyware.

viruses, worms, trojans come in thru Internet Explorer (IEXPLORE.EXE) or Outlook Express (MSIMN.EXE) >

then to the Internet Explorer Web browser control (SHDOCVW.DLL) >

which, in turn, calls the HTML parser (MSHTML.DLL) and rendering component >

the rendering component then calls on one of these scripting agents >

ActiveX
Java
Visual Basic
System Files

which activates the virus and compromises your machine

Block the scripting agents and system files the virus must have to spread and you can block the attack!

That is our approach. PROACTIVE. Not to rely on OS patches or antivirus definitions which are always too little too late.

These recommendations apply to Win 9x, 2000, and XP and intended for those who have already done the basics:

1) Install an Antivirus program
2) Install a Firewall
3) Install all Microsoft updates and patches

WARNING: This is a general guide and not site specific. Primarily designed for a standalone workstation that is not part of a domain and not being accessed or administered remotely.

We don't know what applications you have installed on your computer or what you need to run. Using the registry editor incorrectly or changing system files may prevent certain programs from working. Especially any "automatic update" sites that need to read your files, send out information, install and delete things automatically which is what we are trying to stop from happening.

There are about 100 different changes in total we are recommending here and in our Bonus Security Tips that is added to our additional practice exams "2006 Edition". Ensure you know how to use the Last Known Good Configuration, ERD, and system state backups. Do five at a time and test your computer for a day or two. If everything works fine. Do the next five and so on.

We have organized these tips in sequencial order from those you should definately do to those you should do if you are an experienced user and want an extremely secure, iron clad, vault type lockdown.

All the security steps outlined were configured on Win 2000 and Win XP test computers and did not intefere with using the internet, email, or its basic operation.

1. BACKUP YOUR DATA.

2. Boot Disks - Make your four (4) floppy boot disks by running /bootdisk/makeboot.exe on your Win 2000 installation CD in case you can't autoboot off the CD.
   
   
3. Disaster Recovery - The first step in fixing a computer with "problems" is using the Last Known Good Configuration. Press "F8" while booting.
   
   
4. ERD - The second step if its still broken is using your recently updated emergency repair disk (ERD). You should make an ERD after installing the OS then make others after any program installations or changes you make in the OS or registry. ERD's are made in Start > Programs > Accessories > System Tools > Backup.

   To use your ERD, you need to boot your computer first using the four startup floppies or installation CD There is an option that asks if you want to install or repair; choose repair and follow directions. It will ask you to insert your ERD.
   
   

5. System State Backup - The third and relatively easy fix is to use your system state backup which can be made by the backup program.

6. Recovery Console - The fourth and most difficult tool to use in the event the above doesn't solve your problem is the recovery console. This lets you create/format partitions, disable/enable services, ... and many other things. You should load the recovery console on your computer immediately after your OS installation from the Windows installation disk by typing Start > Run > X:\i386\winnt32.exe /cmdcons where "X" is the CD-ROM drive letter (note there is a space between "winnt32.exe" and "/cmdcons"). It has many DOS like commands that can be viewed by typing HELP once your in the recovery console or viewed here.
   
   
7. Last Resort - Clean Install. You should have partitioned your drives so only the OS is on the C:\ your data on the D:\ and all your application executables are on the E:\. That way you can reinstall the OS on C:\ install all your programs from E:\ and your data should still be on D:\.

8. Defrag - After the installation of an operating system the drive is fragmented. Go to:

   My Computer > right click the drive > Properties > Tools > Degragment Now

   This will defragment everything except your pagefile which probably has 200-300 fragments. To defragment this you need remove the pagefile, Restart the computer, Defrag, and then put it back. Note the size of your pagefile.

   Then go to:

   right click My Computer > Properties > Advanced > Performance > Change

   and set the pagefile to 0. Restart the computer, Defrag, Shut down the computer, restart it, and then put back the pagefile.

9. Firewalls - Get a Firewall (necessary "must have" item). A good one not Microsoft's built-in firewall because the XP firewall does NOT block outgoing connections (even with SP2 which is one of the things Microsoft should have included). For extra security get two. It will be money well spent. A software firewall from either ZoneAlarm, Symantec, or Sygate and a hardware firewall.

   Hardware firewalls (or NAT routers) provide NAT, stateful packet inspection, and port forwarding. A router with a built-in hardware firewall conceals ports: The router's ports, not your PC's, are visible on the Internet. Hardware firewalls cloak almost all of their ports by default, opening them only when necessary. Software firewalls hide ports, too, but a router's firewall does an inherently better job. Additional advantages include they are difficult to hack because they are not software and stop the attacker before it ever reaches your OS. They also do not use system resources like software firewalls which slow the OS down a bit. Some of the largest manufacturers of hardware firewalls include DLink, Linksys, NetGear, and SMC. Firewall reviews and information can be obtained at FirewallGuide.com or PCWorld.com

   Of course, software firewalls are easier to update and reconfigure than routers. The ultimate solution is --- to use both. Together, these two firewalls are the best protection for your computer when connected to the Internet. Home users can obtain a free software firewall from either ZoneAlarm or Sygate.

   For XP (only recommended if you don't have another firewall):

   Enable the XP built-in firewall by right-clicking on an Internet connection in Network Connections > Properties > Advanced > and check the box.

10. Security Template Snap-ins:

    One of the powerful tools Microsoft has provided the user to enhance security is security snap-ins. It changes about 50 default settings to more secure settings with one or two clicks.

    The Security Configuration Manager allows administrators to define security templates that can be applied to individual machines or any number of machines via group policy. Security templates contain password policies, lockout policies, Kerberos policies, audit policies, event log settings, registry values, service startup modes, service permissions, user rights, group membership restrictions, registry permissions and file system permissions. Microsoft provides a number of predefined security templates to help you lock down your computer via Group Policy. These templates represent low, medium, and high security configurations. The highest level of security provided by Microsoft is the hisecws.inf template.

    Or you can read all about security templates and download an even more secure one from the U.S. National Security Agency (NISTWin2kProGoldPlus.inf) at this link here. The most secure one you can get. They also have templates for Win XP.

    Once hisecws is applied you can then make more changes and save (export) everything you've done as a text-based .inf file. This enables you to easily import all of the template attributes to other computers in the network. With the exceptions of IP Security and public key policies, all security attributes can be contained in a security template.

    The initial Local Security Policy template should be exported to a .inf file before you start this procedure to preserve initial system security settings in case you ever want to restore them. After you make all the changes recommended in this article you should also save them by going to Admin Tools > Local Security Policy > Security Settings > Local Policy > Security Settings (yes you must click this again) > Action > Export Policy and give it a name and save the current .inf

    To apply all the security settings in hisecws in one easy step Go To:

    CTL Panel > Admin Tools > Local Security Policy > Action > Import Policy > hisecws.inf

    And Your Done.

11. Accounts:

    Select Run > compmgmt.msc > Local Users and Groups > Users > Right-click on the Administrator account in Users and select Rename. Give it a name (not Administrator or Admin). This is your Administrator.

    Make a dummy Administrator account by right clicking on Users and select make a new user. Name it Administrator.

    Then click "Set Password", and give this fake Administrator a very, very, very long password of lower-case, upper-case, numerals, and special characters like !@#$%. It can be up to 127 characters long. Right click this fake Administrator account and make it a member of nothing (delete User). After spending time to crack this dummy Administrator password they will find out it has no privileges and can't do anything. This will keep some of the hackers trying to break into your Administrator account busy for quite a while.

    Make sure the Guest Account is Disabled. Run > lusrmgr.msc > click Users
    and you should see a red X over Guest. If not right click Guest and Disable it.
    
    

12. Windows Explorer - Setting the Active Desktop and Web View features to "Classic" can greatly reduce risks from buffer overflow exploits that occur when Explorer Auto-Previews a malformed .asx file.

    Go to Explorer > Tools > Folder Options and change to Use Windows Classic Desktop and Use Windows Classic Folders.

    One reason for using Windows Classic Folders can be found here.

13. NTFS and Drive Permissions - Convert all drives to NTFS and set the appropriate permissions. You should have at least three (3) drives. Put your OS on C:\, your Data on D:\, and all your program Executables on E:\.

    This way if it ever comes to the Last Resort, a Clean Install, you don't lose your data or all the programs you installed. After reinstalling the OS on C:\ use Add/ Remove Programs and browse to the E:\ drive to reinstall all your programs. Your data should still be on D:\.

14. Don't accept any Word, Excel, or email attachments from unknown sources. They may contain Macro or other viruses. And the same goes for downloading and launching visual basic VBS or EXE programs which can do just about anything to your computer. Download from the major download sites ie. download.com, tucows.com, shareware.com ... who run a check on these programs beforehand for viruses and spyware.

    If you are using Outlook or Outlook Express (we recommend Mozilla Thunderbird and Mozilla Firefox instead of IE)
    
    

15. Outlook and Outlook Express::

    The Outlook and Outlook Express e-mail programs contain many security flaws that have been exploited in recent years. These programs are particularly susceptible to email viruses, worms, trojans, and malicious HTML code. Never open attachments with files that are executable. These end with

    .bat, .cmd, .com, .cpl, .exe, .hta, .jav, .js, .jse, .ocx, .pif, .scr, .shs, .vbe, .vbs, or .wsf

    In addition Disable the preview pane. Uncheck this option in View > Layout > Show Preview Pane for Outlook Express and View > Preview Pane in Outlook.

    Many worms (like BubbleBoy) can now spread even though you don't open the attachment. They activate by just receiving the mail in the preview pane. Another interesting fact BubbleBoy was an Active X program Marked Safe for Scripting. This and the preview pane are both set to run by default in Windows.

    In Outlook Express 6, Go To: Tools > Options > Read and check Read all messages in plain text. In Mozilla Thunderbird, select View > Message Body As > Plain Text.

    Outlook and Outlook Express DCOM Vulnerability:
    The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network. Previously named "Network OLE," DCOM is designed for use across multiple network transports.

    The Microsoft RPCSS Service is responsible for managing Remote Procedure Call (RPC) messages. There are two buffer overflow vulnerabilities in the RPCSS service, which is enabled by default on many versions of Microsoft Windows. These buffer overflows occur in sections of code that handle DCOM activation messages sent to the RPCSS service.

    IMPACT:
    By exploiting either of the buffer overflow vulnerabilities, remote attackers may be able to execute arbitrary code system privileges. By exploiting the denial-of-service vulnerability, remote attackers may be able to disrupt the RPCSS service which may result in general system instability and require a reboot.

    SOLUTION:
    Disable DCOM

    Warning:
    There are potentially many built-in components and 3rd party applications that will be affected if you disable DCOM. Make this one change and test your system after disabling DCOM to check if everything works.

    To Disable DCOM on all Windows NT-based operating systems (ie. Win 2000) follow these steps:

    1. Run > Regedit
    2. Locate HKEY_LOCAL_MACHINE > Software > Microsoft > OLE
    3. Change the EnableDCOM string value to N.
    4. Restart the operating system for the changes to take effect.

    Disabling DCOM will also prevent these three vulnerablities:

    1) Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameteras exploited by the Blaster worm.

    2) And buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.

    3) And the RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.

    Security Zones: Tighten the settings relating to the Security zone associated with incoming E-mail. Go to Tools > Options Security > Restricted sites zone (More secure) in Outlook Express then
    Open Internet Explorer and choose Tools > Internet Options > Security > Restricted Sites > Custom Level > High

    This is still not very good security since in High Java and Active X marked safe for scripting are still enabled. These things can allow viruses and worms to activate. The only way to really make IE security High is to choose the Custom zone now and uncheck these two things.

    Never respond to spam, even to "unsubscribe".

16. Disable unused Script interpreters and Remove their binaries:

    Begin with the Windows Scripting Host. The ILoveYou virus was activated using the Windows Scripting Host. This technology lets users automate Windows tasks by using a simple scripting code from either the desktop or an application. However, this automated capability is also the technology's weakness because it allows text files with certain file extensions to be run as Visual Basic scripts with application or administrative level privileges.

    For Win 9x go to Start > Settings > Control Panel > Add/Remove Programs > Windows Setup > Accessories and uncheck Windows Scripting Host. The Windows Scripting Host and HTML application support are NOT but should be turned off by default in Windows when a computer ships from the factory. These two features make it far too easy to distribute viruses and worms.

    For Win 2000 go to My Computer > Tools > Folder Options > File Types and change the .wsc .wsf and .hta extensions to open with notepad (so you can restore them later if needed). Notepad will deactivate these scripting agents and any old or new viruses or worms that uses them (and many do) will not infect your computer. A proactive technique! The only way to really secure your computer.

    Note: If you block file types by extension this will not protect you using Internet Explorer. Internet Explorer does not determine file types by the file name extensions. Therefore, if an attacker alters the file name extension, Internet Explorer will still execute the file type and exploit the vulnerability even if you change it to open with Notepad. Another Microsoft flaw and another excellent reason NOT to use Internet Explorer. Change to Firefox.

    Windows will automatically launch these scripting services when invoked by a hack or when you are tricked into double-clicking a script file like the Windows Script Host (.wsc, .wsf), Visual Basic (.vbe, .vbs), .pif (a program information file that tells Windows how to run an old DOS app), .msi (a Windows installer database), .hta (an HTML application), and .scr (a screen saver).
    
    

17. Disable Universal Plug and Play:

    In Windows XP

    1. Click Start > Control Panel >Administrative Tools > Services
    2. Click Universal Plug and Play Device Host > General > Startup Type
    3. Click Disable and Ok
    
    In Windows ME
    1. Click Start >Control Panel > Settings >Add/Remove Programs
    2. Click Windows Setup > Components Field > Communications
    3. Uncheck the box labeled "Universal Plug and Play" and Ok

    In Win 98 and Win 98 SE
    There is no built-in UPnP except in the case of computers on which the Win XP Internet Connection Sharing client has been installed.
    
    

18. Always show the extensions of files so you know if it is a VBS (the code used by Goner, LoveLetter, AnnaKournikova) or EXE file (ie. SirCam, CodeRed, Nimda) which will launch when opened. Go to My Computer > Tools > Folder Options > View > Check Show Hidden Files. Uncheck Hide file extensions and Uncheck Hide protected OS files.

    For XP: While you're here also Clear the Use Simple File Sharing box to Disable it. This stops file shares you create from being accessible to anyone on the internet (see Microsoft's Q304040 for more info).

    Although recently this is becoming of little value since most modern viruses ie. the keystroke logging BadTrans (the #1 spreading virus for Nov'01, Dec '01, and Jan '02) can execute when the user reads or even just previews an e-mail within Outlook or Outlook Express. In other words, you don't have to double-click on the attachment to launch the virus. It opens automatically by just starting your email program. Gone are the days of "just don't open an attachment".

    A good indication your infected by BadTrans, SirCam, ... is to look in the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Run or \Run Once or \Run Services. If you see anything strange besides your antivirus software and firewall then look at its file properties and make sure it belongs to your OS. This key controls which programs run at startup. These are some of the favorite places where crackers hide worms and viruses.

19. Disable Visual Basic:

    My Computer > View > Folder Options > File Types
    Select the VBScript Script Files (.vbs and .vbe) so they open with notepad which disables the scripting.

    Go to C:\winnt\system32\vbscript.dll and rename or delete the vbscript.dll file

    Antivirus software depends on matching known patterns or signatures to be detected. Given the speed at which new viruses are proliferating it is likely you will encounter a virus which is not known yet and will elude detection. Many of the procedures outlined here will protect you in this case because they require VBS scripting to run and if you disable it, they can't.

    .vbs or .vbe viruses or worms (like Melissa) can create, delete, copy your documents and email them out.

20. Disable Java:

    The IEEE Symposium on Security and Privacy has concluded that the Java system in its current form cannot easily be made secure. Java applets written by an attacker can be loaded while you are at a legitimate web page. For example, an attacker could develop a "Trojan Horse" program that presented misleading information. If you failed to recognize the malicious applet for what it was, you could accidentally disclose sensitive information to the attacker that you thought was being asked by the legitimate web page. The default setting of Internet Explorer (IE) enables Java. Note: Java (by Sun) and Javascript (Netscape) are two different languages. Our recommendation is Disable Java

    In IE go to Tools > Internet Options > Security > Custom Level > Java Permissions > highlight the box that says Disable Java

    As with all of these changes make a notation in your computer log so that if you ever need VBS or Java you can change it back.
    
    

21. Change System Failure Settings:

    When Windows 2000 has a system crash, it automatically does a number of things, including creating a "dump file" and potentially rebooting the computer. The dump file can provide someone trying to break into your system with valuable information, such as passwords. Another trick is to crash the computer to have it automatically reboot, so someone can run a boot trojan or attempt to break into the Administrator account. Both should be disabled.

    Start > Settings > Control Panel > System Properties > Advanced > Startup and Recovery

    Clear the boxes labeled:

    Write an event to the system log
    Send an administrative alert
    Auto Reboot

    change the options for: Write Debugging Information to "None". You can reenable the debugging information at a later date if you really need the dump files (usually to send to Microsoft).

22. Restrict Anonymous Access to the LSA (Local Security Authority)- Microsoft Rating - Critical:

    Anyone with a NetBIOS connection can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the Null user. Needless to say, that is a tremendous amount of information for an attacker to have when attempting to breach your network's security. This configuration weakness in Windows systems is still being exploited by newer families of bots and worms. To prevent this go to:

    HKLM > System > CurrentControlSet > Control > LSA

    and ensure that the RestrictAnonymous Dword value is 1 (Enable).

    For a complete lockdown set the DWORD value to 2, and there will be No more Null user access without explicit anonymous permissions. This may however cause problems with certain applications.

    Note: This tip was posted here by Aplus Omega 5 years ago but only now (Aug 7, 2006) is being fixed by Microsoft. CERT discusses this as a workaround solution to Microsoft's latest critical set vulnerabilities. For over 5 years it has been known the Administrators should change this registry key to restrict access over anonymous connections.

23. Server Service fails to restrict Anonymous Access:

    There are three main avenues of attack via file shares.

    1) NetBios File Sharing - Disable NetBIOS over TCP/IP and the WINS service which close ports 137-139 (Discussed in tip #14 above).
    2) SMB/ CIFS File Sharing Server Service (Disabled below)
    3) RPC

    These tips will show you how to Disable the first two which leaves you with just RPC (one of the most troublesome aspects of Windows). Don't disable RPC or your computer won't run.

    The Server service (C:\winnt\system32\srvsvc.dll) is a component of the Server Message Block (SMB) the file sharing component in Windows, and its follow-on, Common Internet File System (CIFS). These are network protocols that Windows uses to share files, printers, serial ports, and communicate between computers. If the Server service is running on Windows, a remote attacker may be able to access it anonymously via a named pipe. Named pipes allow communications between different computers. In addition, if that attacker supplies the service with a specially crafted message, they will receive a response that may allow them to determine what other users are accessing a shared resource. If you have a standalone computer and don't need to share files or printers - you don't need this service and should disable it.

    Go to C:\winnt\system32\srvsvc.dll and rename or delete the file srvsvc.dll

24. Remove the OS/2 and POSIX Subsystems - These systems are installed to provide backward compatibility for programs used by the government . Not many others really use them. They are old legacy subsystems that can introduce serious vulnerabilities to the OS. If you don't need them, Disable or Delete them. This will clear up a little bit of memory too.

    HKEY_LOCAL_MACHINE
    Key: \System\CurrentControlSet\Control\Session Manager\Environment
    Name: Os2LibPath
    Delete

    HKEY_LOCAL_MACHINE
    Key: \System\CurrentControlSet\Control\Session Manager\Subsystems
    Name: Optional
    Delete

    HKEY_LOCAL_MACHINE
    Key: \System\CurrentControlSet\Control\Session Manager\Subsystems
    Name: OS2 and POSIX
    Delete entries for both OS2 and POSIX

25. Write protect all floppies you use on customer's computers. Nothing we know of (including viruses) can be written to a write protected floppy (both holes uncovered).
    
    

26. Users Rights Assignments:

    For Win 2000 go to Admin Tools > Local Sec Settings > Local Policies > Users Rights Assignments.

    Assignments for Users should only include these three things:

    Bypass Traverse Checking
    Log On
    Shut Down the System

    Everything else should be assigned to the Administrator.

    For the logon and shut down rights it is obvious why the user needs them. What about - Bypass Traverse Checking. What is this?

    The Bypass traverse checking user right allows the user to browse through folders in the NTFS file system or in the registry without checking for the Traverse Folder special access permission. The Bypass traverse checking user right does not allow the user to list the contents of a folder; it only allows the user to traverse these folders to get to other files and folders.

    The easiest way to manage permissions is to leave user's with the right to "Bypass Traverse Checking." That way, when you view the ACL of a file, you know that you are viewing all the permissions that are applied.

    Computers that are running Windows 2000, Windows XP Professional, or Windows Server 2003 will not be able to apply computer policy and user policy when the required file system permissions are removed from the SYSVOL tree if the Bypass traverse checking user right is removed. This could lead to operating system instability and the blue screen of death. A necessary item which should not affect security. Keep this user's permission.

    In theory then, when you sign on to the internet as this user and the computer is taken over, the hacker can only do as much as this user and with these three user's rights - that's not much. Especially if you start restricting the user's file permissions too. Well that's theoretically if Windows worked like it's supposed to. An important part of the hacking process though is escalating the user's rights to the administrator's level.

    You are about a 1/3 of the way to locking down your computer.

27. For Complete Protection

    Buy our 2006 Edition 500 addn A+ practice exams and receive the rest of our security recommendations for a complete system lockdown!

28. BACKUP YOUR DATA and remember "Paranoia is your Best Defense" and helps maintain a very healthy network.

    System Security Scans for open ports and stealth operation can be performed at any of these links. A virus scan can be performed at Symantec.