#15212 08/10/02 11:04 PM
pergesu (OP), UGN Elite Poster
Joined: Mar 2002
Posts: 1,136
For some strange reason, I'd like to have a secure box. I'm kinda new to the windows gig, so I'm pretty ignorant when it comes to its security. I'd like to make my box as secure as possible, both remotely and locally. What are some things I need to do? I know to install the service packs and hotfixes, as well as get any patches that come out for my software. But I always hear how windows can be broken into really easily, and so I'd like to minimize my vulnerability.

#15213 08/11/02 06:35 PM
Member
Joined: Mar 2002
Posts: 185
A firewall is good, especially a hardware one, such as a router. You want to check the access each user has to different files. I'm assuming you're using NTFS, right? So you can set permissions on files. Make sure important files, such as regedit and stuff, have tight permissions set. Get rid of null sessions (search on Google for the registry key for null sessions 'cause I forget it off the top of my head). You'll also want to log on as a normal user for the most part, something I'm guilty of not doing. For pure laziness reasons I always log in as administrator and it's a dumb idea, but I'm not too worried. Hmm, what else. That's all I can think of for the basics off the top of my head. If I think up anything else I'll post it. unreal might have things to add, he has mad skillz in securing windows.


Cha want some w***up?

http://www.dopeskill.com
#15214 08/13/02 11:46 AM
nobody
Joined: Mar 2002
Posts: 815
Remove NetBIOS, Client for Microsoft Networks, unless you need it to connect to other computers on your LAN if you have one; if you don't, remove it without thinking twice. That goes for ME and 9x also, but I think MS got smart and didn't have it in the default install for XP, I think.

#15215 10/12/02 09:12 PM
Junior Member
Joined: Oct 2002
Posts: 10
You can turn off null sessions without a regedit in 2k. Start -> Programs -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options

"Additional restrictions for anonymous connections" should be set to "do not allow without explicit anonymous permissions."

This will kill anybody using any exploit that does a net view as <> to enumerate shares and users, which takes away the single easiest thing about cracking a windows box over the network - already having half of the username/password combination.

Any apps that you install that need service accounts, especially stuff like SQL or backup software that require high level user rights on SA, should have 14 character complex passwords, and should have non standard names.

Disable the guest account. Rename the Administrator account to something else, rename Guest to Administrator.

Load up Microsoft's Baseline Security Analyzer and hfnetchk.exe to scan for patches that you might have missed. Windows Update is NOT to be relied upon for staying up to date on security patches, as it only gets OS patches and not patches for services like MSSQL.

Turning off NetBIOS is a good idea, but a lot of people like to be able to map network drives over SMB. If you leave this on, you've GOT to turn off null sessions as described above, and you should definitely configure account lockout and auditing. Strong password complexity is a must too - 7 character length pwds are more resistant to l0phtcrack than 8, 9, 10, 11, 12, or 13 char length pwds. 14 characters are substantially harder to crack. By strong passwords, I mean random character generations that utilize upper and lower case alpha numerics plus some standard ASCII like !, @, #, $, %, etc...

NTFS permissions are a must. If you insist on running FTP services, don't allow anonymous access. Don't EVER ftp to your server using admin credentials, as these are sent in clear text and can be sniffed very easily. If you have to have an upload directory, create ONE user account with write permissions to that directory. Make sure that that user has NO rights to absolutely anything else on the server, period. If you want to know why, lemme know and I'll explain FTP vulnerabilities to malicious code execution exploits more thoroughly.

If you run IIS, disable default and admin web sites. Delete the admin scripts directory, or move it to a different drive with tight permissions. Don't keep your site scripts in your Inetpub directory. If you have SMTP enabled, make sure to lock down relay restrictions tightly. Patches, patches, patches!

Either load a software firewall to permit access only to the ports that you want, or get fancy with an IPSEC policy. A hardware firewall is ALWAYS a better way to go, but I'm assuming that you don't have the cash to invest in one.

Check the service control manager and change the startup options on all services that you don't need. No reason whatsoever to run remote registry service, for instance, and that is turned on by default on Win2k. Big hole there, too. If you don't know what a service does, ask - I probably do, and 100 other people who also know will likely answer before I do ;.)

Do a netstat -an and check to see what ports you are listening on. If there's anything showing up that you don't recognize, spend some time looking it up and find out what's listening. Once you've got it down to the minimum listeners that can serve the data you want, put the firewall up and drop yourself online.

Be sure to take a screen shot of your listening ports and your running processes before doing so, and periodically check them and compare to your clean list to make sure that you haven't been owned.

Anyway, that's basic Windows 2k hardening 101 for ya. It's by NO MEANS a complete guide, and if you don't eat, sleep, live and breathe security for a while, you'll never get up to speed enough to really lock a Windows box down. The minute you stop keeping up to date, too, a new exploit will emerge and you will probably get owned.

It's so much easier in Unix! IPChains are your friend...

Regards,

Satori, who maintains security for over 3,000 Windows 2000 webservers, among other things.
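
The listening-port check from the post above (run netstat -an, keep a clean list, compare later), as an added example that is not part of the original post: a Python sketch that diffs two saved `netstat -an` outputs. The sample outputs, addresses and ports are constructed, and the function names are hypothetical.

```python
# Added example: diff `netstat -an` listeners against a clean baseline.
# BASELINE and CURRENT are constructed samples, not real captures.
BASELINE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

CURRENT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1188      10.0.0.9:443           ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
"""

def listeners(netstat_text):
    """Return the set of (proto, address, port) the host is listening on."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header, or blank line
        proto, local = fields[0], fields[1]
        # TCP rows count only in LISTENING state; UDP has no state column,
        # so every bound UDP socket is treated as a listener.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")  # split on the last colon
        if port.isdigit():
            found.add((proto, addr, int(port)))
    return found

def diff_listeners(baseline_text, current_text):
    """Return (new, gone): listeners added or removed since the baseline."""
    base, cur = listeners(baseline_text), listeners(current_text)
    return sorted(cur - base), sorted(base - cur)

if __name__ == "__main__":
    new, gone = diff_listeners(BASELINE, CURRENT)
    for proto, addr, port in new:
        print(f"NEW  {proto} {addr}:{port}  (not in clean baseline)")
    for proto, addr, port in gone:
        print(f"GONE {proto} {addr}:{port}  (was in clean baseline)")
```

Saving the output of `netstat -an` to a text file right after hardening gives a baseline that can be compared this way, which is easier to diff than a screenshot.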

#15216 10/12/02 09:52 PM
pergesu (OP), UGN Elite Poster
Joined: Mar 2002
Posts: 1,136
Thanks so much

