
Comments Required

Discussion in 'General Security' started by lunarlander, Dec 4, 2010.

Thread Status:
Not open for further replies.
  1. lunarlander

    lunarlander Thread Starter

    Joined:
    Sep 21, 2007
    Messages:
    9,700
    Hi,

    I have written some instructions on how to harden/lock-down Windows XP Home edition, and would greatly appreciate it if you all can comment on it. It is not complete as yet, and I will add more content as comments come in. In particular, I would like to know if any of my recommended components to disable are needed for regular functioning of XP and thus should not be disabled. (Like, for example, I just discovered that the DCOM Server service is required in order for Windows Update to run.)

    The intended audience is an XP Home edition user, who uses the computer to surf and play games. So features needed to, for example, run an Apache web server are not considered and the lock-down will probably make it not work.

    Before any of you ask why I disabled Limited User accounts from running many command line tools, let me explain that, in line with a Least Privilege configuration / hardening, anything that you don't use regularly should not be made available, because any attacker that compromises your account will have access to them, and those tools will be used against you. For example, if some attacker just managed to open up a command prompt to your machine, the next thing he would do is to bring over his tools. For that, he could use the command line FTP program. Most people use the browser to do FTP transfers and probably aren't even aware that there is a command line FTP tool on their system. So again, if it is not used, it should be disabled.

    Future additions will probably include securing browsers and using alternative browsers, and add-ons, as that is the primary interface to the outside and source of attacks.

    The only thing I currently don't like, is that I chose a blog platform to host this, and the articles are listed in reverse chronological order.


    The site address is in my signature line.
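The least-privilege point in the post above (remove what a limited account never uses, such as the command line FTP client) can be audited and applied with the tools XP Home already ships. The batch file below is an added illustration, not code from the post or from the author's site; its file name and the tftp.exe/telnet.exe entries are assumptions, ftp.exe is the example from the post. It assumes Windows XP Home, the built-in cacls.exe, and an Administrator command prompt (XP Home hides the Security tab outside Safe Mode, but cacls works normally).

```batch
@echo off
rem lockdown_tools.bat  (hypothetical name; added illustration, not code from
rem the post or the author's site)
rem Audits, and optionally revokes, limited-user access to command line tools
rem that a surf-and-games user never runs.
rem   lockdown_tools.bat         audit only: print each tool's current ACL
rem   lockdown_tools.bat apply   also remove the "Users" entry from each ACL
setlocal
set MODE=%1

rem ftp.exe is the example from the post; tftp.exe and telnet.exe are
rem assumptions added here as further rarely used network clients.
set TOOLS=ftp.exe tftp.exe telnet.exe

for %%T in (%TOOLS%) do call :one "%SystemRoot%\system32\%%T"
endlocal
goto :eof

:one
if not exist %1 (
    echo [skip] %~1 is not present
    goto :eof
)
echo [acl]  %~1
cacls %1
if /i "%MODE%"=="apply" (
    rem /E edits the existing ACL in place; /R revokes the named group's entry.
    rem Revoking the Users entry, rather than adding a Deny for Users, is
    rem deliberate: every logged-on account is an implicit member of Users
    rem through "Authenticated Users", so a Deny would block Administrators
    rem as well. Administrators keep their own Full Control entry.
    cacls %1 /E /R Users
    echo [done] Users entry revoked on %~1
)
goto :eof
```

Run it once without arguments to see the stock ACLs (on XP the system32 tools normally show Administrators:F, SYSTEM:F and Users:R), then with `apply`. The check afterwards is to log on as a Limited User and type `ftp`: it should fail with "Access is denied", while an Administrator account can still run it. To undo a single tool, `cacls "%SystemRoot%\system32\ftp.exe" /E /G Users:R` puts the original Users entry back.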
     
  2. Ent

    Ent Trusted Advisor

    Joined:
    Apr 11, 2009
    Messages:
    5,467
    First Name:
    Josiah
    I think you could do with a bit more information about what side effects these changes will have, particularly around turning off services. I know you have a particular audience in mind, but any deviations from your standard audience should be accommodated.

    I also don't agree with your plan to turn off all command line programs. I run in a standard account but use, out of preference, the command line for various tasks. As a general guide I'd say let it be if it doesn't ask for admin privileges to run it. That means that sort, attrib, xcopy, doskey and that level of program should be allowed. Your hypothetical hacker wouldn't be stopped by the doskey executable being barred to users!

    In terms of other entries, at some point you have to mention secure and security programs. E.g. Firefox (with noscript etc) rather than IE; Antivirus, Firewall, sandbox etc. Something about physical security (no root access is good, no boot access is better) and encryption might be useful as well.
     
  3. lunarlander

    lunarlander Thread Starter

    Joined:
    Sep 21, 2007
    Messages:
    9,700
    Hi Ent,

    Very good points you made.

    Regarding documenting the side effects of turning off the services I recommend: firstly, I only test to see if one can still surf and play games, as that is my intended audience. I can never hope to duplicate what blackviper.com does. It has extensive documentation on services for all versions of Windows, and what they are used for. So I think I will add a link to their site for those who are curious.

    How I chose which services to disable is based on the service description given in services.msc. If a service processes input data from the network, I will regard that as a networking service. So it is not limited to obvious networking services like IIS. Input parsing is a tricky thing to do well, and there will be chances of exploitation. Take for example the cups printing service in Linux. It has been around for so long and seems mature, enough so that Red Hat hard coded a firewall exception to allow it. Then out of the blue a security vulnerability surfaced. And since then, Red Hat has removed that entry from its firewall rules. So, if a service is not needed to surf or play games, I will err on the side of being too strict and disable it. Also one should note that XP was created prior to Microsoft implementing their secure development lifecycle. So error checking was much less stringent in those days. Hence XP is so insecure.

    I imagine a lot of command line users have moved on to Linux. Your recommendations on allowing access to non-admin command line programs are noted. I will have to think it through.
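The selection rule in the reply above (read each service's description, treat anything that takes network input as a networking service, keep only what surfing and games need) starts from an inventory of what is actually set to start automatically. The batch file below produces that inventory; it is an added illustration, not code from the post or from the author's site, and its file name is an assumption. It assumes Windows XP and the built-in sc.exe, only reads configuration, and changes nothing.

```batch
@echo off
rem audit_services.bat  (hypothetical name; added illustration, not code from
rem the post or the author's site)
rem Lists every service whose start type is AUTO_START together with the
rem description that services.msc shows, so each can be judged against the
rem reply's test: does it accept input from the network, and is it needed to
rem surf or play games?
setlocal

rem "sc query" prints one "SERVICE_NAME: <name>" line per service; the
rem "tokens=1,*" split keeps names that contain spaces intact in %%B.
for /f "tokens=1,* delims=: " %%A in ('sc query type^= service state^= all ^| findstr /b /c:"SERVICE_NAME:"') do (
    rem "sc qc" prints e.g. "START_TYPE : 2 AUTO_START"; the third token
    rem is the numeric type: 2 = AUTO_START, 3 = DEMAND_START, 4 = DISABLED.
    for /f "tokens=3" %%T in ('sc qc "%%B" ^| findstr /c:"START_TYPE"') do (
        if "%%T"=="2" (
            echo.
            echo === %%B  ^(AUTO_START^)
            sc qdescription "%%B" | findstr /v /c:"SUCCESS"
        )
    )
)
endlocal
```

Redirect the output to a file (`audit_services.bat > services.txt`) and work through it with the reply's rule, then make the actual change in services.msc as the post does, or with `sc config <name> start= disabled` from an Administrator prompt. Re-running the script afterwards confirms that a disabled service has dropped off the AUTO_START list, and running it again after Windows Update is a cheap way to notice a service that has been switched back on.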
     
  4. lunarlander

    lunarlander Thread Starter

    Joined:
    Sep 21, 2007
    Messages:
    9,700
    Hackers have been adding hidden characters into the batch file code so that some lines will be skipped. I have since removed those characters. I can only guess, but it seems that that batch file is doing something good that the hacker didn't like.
     
  5. lunarlander

    lunarlander Thread Starter

    Joined:
    Sep 21, 2007
    Messages:
    9,700
    Site updated with new entries today.
     
  6. lunarlander

    lunarlander Thread Starter

    Joined:
    Sep 21, 2007
    Messages:
    9,700
    Whenever PC security is mentioned, most people immediately think of anti-virus or firewall. While those are valid security tools, they are not where one should begin.

    Windows is a general purpose operating system, and as such, has many built-in features designed to fit many uses. As more and more lines of code accumulate, there are bound to be bugs. And programmers talk about bugs per 1000 lines of code as a common simple measurement. It is unavoidable to have bugs in code, and Windows XP Home is no different. In fact, in large projects such as Windows, it is common to ship out code while there are still low priority bugs that are unfixed. And these could number in the low thousands. Then, there are the not-yet-discovered bugs that only surface when certain features are used in combination.

    Some bugs will be security related, and Microsoft keeps a watchful eye out for them, more seriously so after the many security problems surfacing for Windows XP. In fact, they made commitments to improve security as a number 1 priority for Vista. Prior to Vista, they relied on outside security researchers to find security bugs and tell them about it. Then they would move in, fix it, and release a Windows Update. For the most part, Microsoft considers XP a finished project. So your PC’s security is reliant on these well intentioned white hat hackers offering their services for free. (Although some of them are in employment within the IT security industry, and both their employer and the researcher themselves gain brownie points when they reveal a security bug. There are a few intrusion detection system vendors that offer to pay for bugs.)

    So where should one begin when securing a system? The answer is hardening the system. Hardening a system properly will mitigate many of the flaws that exist. And you will be less susceptible to attacks. Viruses are just one form of attack you face. Hackers create viruses, worms, trojans, rootkits, attack tools, backdoors, botnet clients and malware, which together can be considered well distributed paths to taking over your system. You may not have a hacker dedicated to attacking your PC or your home network, but all his creations are out there to prey on you nonetheless. And in professional terms, they are called attacks.

    Hardening Windows XP Home is in one way easy and another way not. That is because Microsoft had mistakenly thought that only companies need more security. They didn’t think about the home user conducting online banking, doing online purchases with credit cards, and wanting to keep private things private. So, for Windows XP, a majority of security features are only present in Windows XP Professional. That is the hard part of hardening XP Home. The easy part is that since we are only given limited tools, we can only do so much. There are free tools that also help, but for the most part, hardening a system is done using the built-in features, which you don’t have to pay extra for.

    I have conducted some Google searches on how to harden/lockdown XP. Most recommend features present in XP Professional, some are dated and some not complete. So let's see if I can contribute more to the subject.

    Let there be no mistake, if your system has already been compromised, following this blog’s advice will not help you, because there is no telling what backdoors and botnets have been installed on your system. You cannot fight back at someone who already has administrator control of your system. Your best chance of survival is to re-install your legit copy of Windows and then harden it to prevent further attacks from happening.
     
  7. lunarlander

    lunarlander Thread Starter

    Joined:
    Sep 21, 2007
    Messages:
    9,700
    New content added - how to enable Software Restriction Policy in Windows XP Home.
     
  8. lunarlander

    lunarlander Thread Starter

    Joined:
    Sep 21, 2007
    Messages:
    9,700
    Just installed and played with MS Office 2007 Home and Student edition. All appears fine.
     
  9. lunarlander

    lunarlander Thread Starter

    Joined:
    Sep 21, 2007
    Messages:
    9,700
    Just added 3 entries on Detection (intrusion).
     


Short URL to this thread: https://techguy.org/966492
