Some security related issues here might work, some might not. Depending on your system. They
should all apply to Windows NT versions. Although you never know. . ..
Simpel security optionsFor a workable home secured way to surf and play online you should try to come as close to the below situation.
- after a fresh install apply the Microsoft security updates and service packs for your version [ preverably installing them from a local CDrom ]
- install a virus scanner with the latest updates and use it's autoupdate function
- if you can place a router between your internet connection and your computer. This will only send request from the internet at your computer which your computer specifically asked for.
-try to use another email client and browser then outlook and IE unless you know how to secure the. And never open attachments of unknown senders or files that you don't recognise.
- never,
never use the same passwords for internet accounts as you use for local accounts.
- have a look at
this article and deside which of the tings are required for your OS and situation.
- block autoinstall features and popups in your internet browser and avoid untrusted / unknown links.
Simpel as it might seem, the above should protect you from a lot of common viri and hacker attempts. Below are a few more advanced things I though might come in handy in some situations.
And might be overkill to others.
Some more hardend security optionsRed Button access hack uses Anonymous User Connections , also called
Null User Connection, to discover which account is the NT administrative account and what are the network shares. Disable by preventing anonymous connections to domains. This is block a significant informational exposure. Caution: this can have severe consequences on sql server access and creating/maintaining domain trusts. Registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name: RestrictAnonymous
Type: REG_DWORD
Value: 1
-----------
Application is not listed in Add/Remove applet of Control PanelApplications are quietly installed or display installed.
Quiet installed applications do not appear in the Add/Remove Programs Applet in Control Panel whereas Display installed applications do. You can ignore it or you can use regedt32 and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall which has subkeys for each application installed. Non-microsoft programs will have a key UninstallString or QuietUninstallString which points to the uninstall program while key DisplayName should let you know to which application the keys belong.
----------
The system automatically creates
hidden "administrative shares" for its logical drives C:, D:, and so forth which it names C$, D$ and so forth. It also creates the admin$ hidden share for to the \winnt folder. These shares are designed for remote access support by domain administrators. By default, if you delete these admin shares, they will be recreated when you reboot. To disable permanently so they will not be recreated on the next reboot, use the following Windows NT / Windows 2000 / Windows XP registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer for servers
Name: AutoShareWks for workstations
Type: REG_DWORD
Value: 0
------------
When any web browser connects to a remote web server it presents its
User Agent string. The user agent string gives information about the browser and operating system. This information winds up in the web servers access log. If you have a firewall at work with a proxy server for web browsing, the user agent string is used to determine if your browser is an approved version. An example:
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
The following registry hack lets you control the User Agent string.
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Type: REG_SZ
The Post Platform key may have several values. These values make up the user agent string. To prevent this info from being spread around the Internet, delete the values under this key.
------------
Internet Explorer is notorious for consuming large amounts of disk space for cache. With this hack, you can
force IE to clean up its cache every time it's closed. You will save a lot of space and shouldn't see a performance problem unless you are in the habit of opening and closing IE multiple times during the day. This automatically clears the cache.
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
Name: Persistent
Type: REG_DWORD
Value: 0 clear cache when IE exits
Value: 1 don't delete cached files
-----------
Microsoft published how to harden NT's tcpip stack against DOS attacks. The registry hacks documented here are taken from Microsoft sources.
Synattack protection involves reducing the amount of retransmissions for the SYN-ACKS, which will reduce the time for which resources have to remain allocated. The allocation of route cache entry resources is delayed until a connection is made. If synattackprotect = 2, then the connection indication to AFD is delayed until the three-way handshake is completed. Also note that the actions taken by the protection mechanism only occur if TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are exceeded. Apply the following registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: SynAttackProtect
Type: REG_DWORD
Value: 0
no syn attack protection
Value: 1
reduced retransmission retries and delayed RCE ( route cache entry ) creation if the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are satisfied.
Value: 2
adds delayed indication to Winsock to setting of 1
When the system finds itself under attack the following options on any socket can no longer be enabled : Scalable windows (RFC 1323) and per adapter configured TCP parameters ( Initial RTT, window size ). This is because when protection is functioning the route cache entry is not queried before the SYN-ACK is sent and the Winsock options are not available at this stage of the connection.
TcpMaxHalfOpen parameter controls the number of connections in the SYN-RCVD state allowed before SYN-ATTACK protection begins to operate. If SynAttackProtect is set to 1, ensure that this value is lower than the AFD listen backlog on the port you want to protect.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: TcpMaxHalfOpen
Type: REG_DWORD
Value: 100
Professional, Server
Value: 500
Advanced Server
TcpMaxHalfOpenRetried parameter controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN sent, before SYN-ATTACK attack protection begins to operate.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: TcpMaxHalfOpenRetried
Type: REG_DWORD
Value: 80
Professional, Server
Value: 400
Advanced Server
EnablePMTUDiscovery : When this parameter is set to 1 (True) TCP attempts to discover the Maximum Transmission Unit ( MTU or largest packet size ) over thepath to a remote host. By discovering the Path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion. Setting this parameter to 0 causes an MTU of 576 bytes to be used for all connections that are not to hosts on the local subnet.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: EnablePMTUDiscovery
Type: REG_DWORD
Value: 1
recommended
Value: 0
default
NoNameReleaseOnDemand : parameter determines whether the computer releases its NetBIOS name when it receives a name-release request from the network. It was added to allow the administrator to protect the machine against malicious name-release attacks.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: NoNameReleaseOnDemand
Type: REG_DWORD
Value: 1
recommended
Value: 0
default
EnableDeadGWDetect : When this parameter is 1, TCP is allowed to perform dead-gateway detection. With this feature enabled, TCP may ask IP to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways may be defined in the Advanced section of the TCP/IP configuration dialog in the Network Control Panel.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: EnableDeadGWDetect
Type: REG_DWORD
Value: 0
recommended
Value: 1
default
KeepAliveTime : parameter controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote system is still reachable and functioning, it acknowledges the keep-alive transmission. Keep-alive packets are not sent by default. This feature may be enabled on a connection by an application.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: KeepAliveTime
Type: REG_DWORD
Value: 300,000
recommended
Value: 7,200,000 (two hours)
default
PerformRouterDiscovery : parameter controls whether Windows 2000 attempts to perform router discovery per RFC 1256 on a per-interface basis.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: PerformRouterDiscovery
Type: REG_DWORD
Value: 0
recommended
Value: 1
enabled
Value: 2
enable only if DHCP sends the router discover option
EnableICMPRedirects : parameter controls whether Windows 2000 will alter its route table in response to ICMP redirect messages that are sent to it by network devices such as a routers.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: EnableICMPRedirects
Type: REG_DWORD
Value: 0
recommended
Value: 1
default
------------
sites to test the online security of your computer [ just basic scans ] and knowledge base articles.
GRC Shields UP!PcFlankMicrosoft Knowledge base------------
additional posts might follow
- stickying it for now.. -
