Securing Windows

First Notes

First of all, the title is a terrible lie. This document will in no way make your Windows box completely secure, because that's impossible. But it will hopefully help you make your computer a bit more secure through simple tips and tricks. I have focused mostly on Windows NT systems (that is 2000/NT/XP), but much of the stuff mentioned will work on other Windows versions too.

Virus

Newbie warning!! The following is meant for complete newbies. If you do know how viruses work, scroll to the "Antivirus" part.

Computer viruses are the most common cause of computer collapses. To be able to avoid viruses, you first need to know how they work. There are different types of viruses, but the best known are Trojan horses and worms.

A Trojan is a virus that doesn't do any direct damage to your computer, but it opens a backdoor so that a hacker can easily access your system and do what he/she (rarely female hackers, but worth a notice) wants with it.

A worm is a virus that has the ability to spread around, and in some cases real fast. These viruses infect new hosts completely automatically, without any work from the hacker's side. All he has to do is make it and release it. Many worms do a lot of damage, others don't. Some worms are even quite funny. One worm I heard of gave the poor user tons of error boxes that said "you're an idiot", and another one recognized pictures with child pornography from their filenames and sent detailed information about the host to the police. Another kind of virus is both Trojan and worm combined.

Only the most advanced viruses are able to infect computers "by themselves". In most cases, the weak point that determines whether the computer gets infected or not is the user. The human. Many people don't react when they get a mail from an address they have never seen before, containing a strange message like "take a look at this screensaver" and a malicious exe file. This is a typical way of spreading a virus.
When you open the exe file, it will send the same mail you received to all the people in your contact list, and start eating up your files. (That was one way a worm might work. All worms have their differences, but the behaviour just mentioned is often a great similarity.) So an easy way to avoid computer viruses is simply not opening mails from people you don't know, especially if they contain an .exe, .bat, .vbs or any other potentially malicious file format you can think of.

But of course, I won't leave you with this manual way of avoiding viruses. It's absolutely not foolproof, and it might be annoying having to watch out for viruses every time you check your mail. Below you will find suggested links for free antivirus software that is absolutely recommendable. They protect your incoming and outgoing mail, scan your entire computer for viruses, and let you know immediately if you get infected. As new viruses come up all the time, most antivirus software contains a fast and easy-to-use updater that downloads the newest virus definitions and installs them automatically.

Antivirus

TIP: install multiple antivirus programs to be even more secure. Sometimes the different antivirus companies don't manage to make the antivirus definition in time; therefore it can be great to have another AV program that has the update when you need it.

http://www.symantec.com (Norton antivirus, my personal favorite)
http://www.norman.com
http://www.mcaffee.com

These three are widely known AV companies. But you will also be able to find lots more if you visit www.download.com and search for "antivirus". Symantec also has a great live scanning feature on their site, which requires no software installed, but scans your computer for viruses directly from the site.

Firewall

Firewalls are software that stops malicious data from reaching your computer.
Firewalls are a pain in the a** for hackers, not only because they filter out traffic, which makes the computer safer, but also because they create great confusion when a hack attempt is made. Most firewalls even stop simple ping requests. A great feature though. Have you ever got ping flooded when playing online? In that case, you know what I'm talking about. A ping flood is an attack where the hacker sends a great amount of data to your computer, and the network device simply gets overloaded, which results in horrible latency, so the game becomes unplayable. You would just love to get rid of that, wouldn't you? I recommend Sygate Personal Firewall Pro, which also has a nice backtrace ability that can be a real joy to use when you want to scare that little script kid who has been port scanning you for ages. Sygate Personal Firewall Pro can be downloaded from http://cyberspirit.isuber1337.com/tools

Anti Spy software

My personal opinion is that security and privacy are closely related. I'm sure you understand and agree when I say "I want to secure my privacy". There is a lot of so-called "spyware" floating around the web. It can be everything from a little software extension to an independent program made for one purpose only: spying. You might believe that these are like Trojan horses, where in most cases you need to run a server program yourself to open the hole, but be aware, it's not that simple. As a matter of fact, you will be surprised when you find out how much spyware is installed on your computer at this very moment. For this kind of security, there is one more program I would like to recommend. It's called "Ad Aware" and can be found at http://cyberspirit.isuber1337.com/tools The program will scan your entire computer for this nasty spyware, the registry included. And when it finds something (I am almost 100% sure it will), it will ask you what you want to do with it.
With software of the three categories mentioned above installed, your system will already be much harder to break. But I do believe that common sense is the most important security tool ever. A little paranoia never hurt anybody.

Back to Windows

Now to what this tutorial actually should have been about: the simple, manual things you can easily do yourself in Windows to make the operating system more secure. These things are originally meant for Windows 2000, but should also work for NT and XP. I am not so sure about Me/98, but you can give it a try, or at least use it as a kind of inspiration.

NetBIOS is a great security risk in Windows, and I will now demonstrate a few tricks you can do to avoid getting hacked. (To learn what NetBIOS is, read the NetBIOS tutorial at http://cyberspirit.isuber1337.com/tuts )

The following is an example of how easily a hacker can gain access to the list of shares on a remote computer. The IP address is censored.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>net view \\24.**.52.**
System error 5 has occurred.

Access is denied.

As you can see, the hacker's first attempt at viewing the share list gets denied.

C:\>net use \\24.**.52.**\ipc$ /u:"" ""
The command completed successfully.

So, the hacker establishes a null session to the remote computer.

C:\>net view \\24.**.52.**
Shared resources at \\24.**.52.**

AteTrack

Share name    Type   Used as   Comment
-------------------------------------------------------------------------------
Games         Disk
My Documents  Disk
Share         Disk
Susie         Print            Canon BJ-100
The command completed successfully.

C:\>

And with the third DOS command, he gets the list he wanted. This is a very simple attack, but it can also be very dangerous. Fortunately, it's also very easy to avoid such an attack. Open the registry editor (Start > Run, type "regedit") and go to

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

Change "restrictanonymous" from 0 to 1.
This will require a username and password to be able to view the share list. There are tools, though, that are able to hack restrictanonymous too, so a better idea might be to delete the IPC$ share. IPC stands for Inter Process Communication protocol. The $ means that it's a hidden resource, which we will be discussing later. To delete the IPC$ share, simply open a command prompt and type:

C:\>net share IPC$ /delete

When it is deleted, connections such as

C:\>net use \\24.**.52.**\ipc$ /u:"" ""

will be impossible.

When talking about hidden shares, there's another thing that's worth mentioning. If you are using a default Windows 2000 installation, take a look at the properties of your C:\ drive. You will notice that it says the drive is shared as C$. If you have paid attention for the last two minutes, you will understand that this means your C:\ is actually a hidden share! And even worse, all your drives are shared in this hidden mode, plus an ADMIN$ share that shares the c:\winnt\ directory! Open a command prompt, type

C:\>net share

and see for yourself. You may want to delete these too, as earlier, but don't waste your time. In a default Windows 2000 installation, the shares will be recreated after your next reboot anyway. Therefore, you should have a .bat file in your startup directory that deletes all these shares. I heard of a place in the registry editor where you could simply delete it, but I (embarrassed to say) forgot where. Therefore, I will give you a detailed guide on how to make a bat file in case you don't know.

@echo off
net share sharename$ /delete

All you need to do is copy-paste this into Notepad, save it as something.bat and place it in Start > Programs > Startup. Just to avoid confusion, I will show you how my "netsharedel.bat" looks:

@echo off
net share c$ /d
net share d$ /d
net share f$ /d
net share g$ /d
net share h$ /d
net share admin$ /d
net share ipc$ /d

As you can see, the file deletes all the hidden drive shares, plus the admin$ share and the ipc$ share.
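As an added check (not part of this tutorial), the following PowerShell script audits the three things just discussed on a current Windows host: the RestrictAnonymous value, the LanmanServer registry switch that stops Windows recreating the administrative shares at boot (AutoShareWks on workstations, AutoShareServer on servers; this is the registry setting the tutorial mentions but does not name), and the current share list with hidden shares flagged. It assumes Windows 8 / Server 2012 or later for Get-SmbShare and an elevated prompt; it only reports and changes nothing.

```powershell
# Added example, not from the original tutorial. Read-only audit of the
# null-session and hidden-share hardening described above.
# Assumes: Windows 8 / Server 2012+ (Get-SmbShare), run from an elevated prompt.

# 1. RestrictAnonymous: 0 allows anonymous (null-session) share enumeration,
#    1 or higher restricts it.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra  = (Get-ItemProperty -Path $lsa -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
if ($ra -ge 1) { "RestrictAnonymous = $ra : null-session share listing restricted" }
else           { "RestrictAnonymous = $ra : anonymous share listing allowed, set it to 1" }

# 2. Administrative shares (C$, ADMIN$, IPC$) are recreated at boot unless
#    AutoShareWks (workstation) / AutoShareServer (server) is 0. Deleting the
#    shares with "net share x$ /delete" only lasts until the next reboot,
#    which is why the tutorial resorts to a startup .bat file.
$lm = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$p  = Get-ItemProperty -Path $lm -ErrorAction SilentlyContinue
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    $v = $p.$name
    if ($null -eq $v) { "$name not set (default: admin shares recreated at boot)" }
    elseif ($v -eq 0) { "$name = 0 (admin shares not recreated)" }
    else              { "$name = $v (admin shares recreated at boot)" }
}

# 3. Current share list, the same thing "net share" shows. A trailing $ marks
#    a hidden share; anything other than IPC$ and the admin shares deserves a
#    second look, because it will not show up in Explorer.
''
'{0,-14} {1,-32} {2}' -f 'Share', 'Path', 'Note'
Get-SmbShare | ForEach-Object {
    $note = if ($_.Name.EndsWith('$')) { 'HIDDEN' } else { '' }
    '{0,-14} {1,-32} {2}' -f $_.Name, $_.Path, $note
}
```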
I have now demonstrated a couple of methods to harden your system against NetBIOS attacks, but you might want to have different settings on different network connections. What I'm actually talking about is that you might have one LAN connection and another Internet connection. This is very common, and if you delete the shares as shown above, they will be deleted for all connections. Therefore it can in some cases be much more flexible and easy to simply disable NetBIOS for the desired connection. This is done by going to "Networking and Dial-up Connections" in the Settings part of your Start menu. Right-click the connection you want to disable NetBIOS for, and select Properties. Now, simply uncheck the box next to "File and Printer Sharing for Microsoft Networks", press OK, and that's it. (If the connection is currently active, you will have to disable it and re-enable it.)

Windows NT services

As I said at the top, much of the stuff in this document will work on Windows 9x, but this won't. NT systems are designed for serving, and the Control Panel is equipped with some administrative tools that give a detailed overview of (among other things) the running services. But on a default installation there are a lot of unnecessary services that can be annoying and, in the worst case, exploitable and destructive. Getting rid of these services is the administrator's task. Luckily, the service overview is clean and easily understandable. Go to

Start > Settings > Control Panel > Administrative Tools > Services
or
Start > Settings > Control Panel > Administrative Tools > Computer Management > Services

(Computer Management contains a lot of interesting information and is also a great tool for administering the server. You should check it out.)

You can start, stop, pause or disable the different services as you want by right-clicking the desired service and selecting Properties. I can't tell you the correct way to configure your server, and this has its natural explanation.
Every administrator needs their server to do different tasks, but I can give some examples of services that are enabled by default but rarely needed.

Messenger

First of all, few actually need the Messenger service. (Don't get confused, it's not the Windows Messenger (MSN) live chat program we are discussing!) The Messenger service gives you a pop-up box in the middle of the screen with a message from somebody when they run the following command:

C:\>net send 111.111.111.111 you are an idiot!

In this case, the server that has the IP address 111.111.111.111 would get a pop-up box in the middle of the screen that said:

Message from:
You are an idiot!

You might say it was a silly example. But this useless stuff is actually what the Messenger service is most used for. It's not a very dangerous hole (if you can even call it a hole); it's more like a useless service that can't do half the things a regular chat service can. (OK, you might be able to send a billion messages to a host and cause a system crash or something to call it a hole, but I never heard of anything like it, so a very small hole in that case.) Also, net send flooding scripts are extremely easy to make, and it's also extremely annoying to get flooded, because when you get like a thousand messages, you have to press OK in every single box to get rid of them. Therefore, when I go to the services overview for the first time on a clean Windows 2000 installation, the first service I completely disable is the Messenger service.

Remote Registry Service

The Remote Registry Service is a service that is neither useless nor idiotic. It provides the ability for remote users to connect to the server's registry and edit it. It can be very useful for an administrator on vacation to dial up to the server with his laptop and do some quick changes in the registry. But I advise you to consider your actual need for a service like this one. In fact, the Remote Registry Service can be very dangerous.
Imagine a black hat hacker (evil hacker) somehow gaining administrative privileges on your server and remotely accessing the registry. It's a horrible scenario. I strongly recommend you disable this service if you don't absolutely need it.

Automatic Updates

The Automatic Updates service does pretty much what the name says. It keeps your Windows up to date with the newest security updates, service packs and driver kits. Pretty harmless at first look, but there is a very important thing the name doesn't say. In fact, very few actually talk about it. Some German scientists were able to discover that when the service is running and your system is being updated, Automatic Updates sends a detailed list of all the software you have installed to a Microsoft server. This was discovered when running the Windows XP Automatic Updates service, but I wouldn't trust it in any other operating system either. Therefore, I recommend disabling this too, and updating your system "manually" using the Windows Update button near the top of your Start menu.

Telnet

A telnet server is a DOS shell that gives remote users the ability to connect to the server's DOS (command prompt) and run commands on the system. From my experience with telnet servers, I have learned that these are a major security risk. They don't use any encryption at all, not even in the logon authentication sequence. This service is not enabled by default, as the others mentioned are. But I felt it was worth mentioning, and I want to warn you against using it. There are other alternatives. Try using SSH if possible.

The rest

The services mentioned are only a few of the services installed on a default installation, and you have to find out whether or not you need the other services available. Some of them might have major security holes in them too. Therefore, it's important that you study the services you are running on the server and exclude/disable the ones you don't need.
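As an added example (not from the tutorial), this PowerShell script reports the state of the four services discussed above by their internal service names (Messenger, RemoteRegistry, TlntSvr, wuauserv) and, when run with -Fix, stops and disables the ones marked for it. It assumes PowerShell 5 or later for the StartType property and an elevated prompt; Messenger and TlntSvr do not exist on current Windows, so a missing service is reported rather than treated as an error.

```powershell
# Added example, not from the original tutorial. Audit (and optionally disable)
# the services discussed in the text. Assumes PowerShell 5+ and an elevated
# prompt. Without -Fix nothing is changed.
param([switch]$Fix)

# Internal service names, the reason the tutorial gives, and whether -Fix may
# disable them. wuauserv is report-only here: on a current system the update
# service is what keeps the security patches coming, so it stays on.
$services = @(
    @{ Name = 'Messenger';      Disable = $true;  Why = 'net send pop-ups / flooding; rarely needed' },
    @{ Name = 'RemoteRegistry'; Disable = $true;  Why = 'remote registry editing; disable unless required' },
    @{ Name = 'TlntSvr';        Disable = $true;  Why = 'telnet server, cleartext logon; use SSH instead' },
    @{ Name = 'wuauserv';       Disable = $false; Why = 'Automatic Updates; report only' }
)

foreach ($s in $services) {
    $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        '{0,-16} not installed on this system' -f $s.Name
        continue
    }
    '{0,-16} status={1,-8} startup={2,-10} {3}' -f $svc.Name, $svc.Status, $svc.StartType, $s.Why

    # Only touch services that are both allowed to be disabled and not yet disabled.
    if ($Fix -and $s.Disable -and $svc.StartType -ne 'Disabled') {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled
        '{0,-16} -> stopped and set to Disabled' -f $svc.Name
    }
}
```

Run it once without -Fix to see what is actually running, then with -Fix after confirming nothing on the server depends on RemoteRegistry.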
Final Notes

That's about the end of the Windows security tutorial. The tips and tricks you have learned in this tutorial are (as mentioned earlier) only a few of the things you can do to harden your system, but it sure is a good start. Also, I hope it might be an inspiration to you and maybe it gave you new ideas.