RE: XP box maintenance and lockdown

From: Jones, Steve (sjones_at_LMIT.com)
Date: 12/31/03

    To: "J. Yoon" <supercool9000@hotmail.com>
    Date: Wed, 31 Dec 2003 13:12:23 -0600
    
    

    It's always a good idea to rename the Administrator account. Try renaming
    your Administrator account to Guest (you'll also need to rename the original
    Guest account). I mean, who the hell would want access to the guest account
    anyway? ;)

    -Steve

    -----Original Message-----
    From: J. Yoon [mailto:supercool9000@hotmail.com]
    Sent: Tuesday, December 30, 2003 1:30 PM
    To: security-basics@securityfocus.com
    Subject: XP box maintenance and lockdown

    I'm doing routine maintenance and locking down an XP box.
    Please advise if there's anything I've missed.

    Preliminaries : run a simple disk cleanup, spyware scan, and a quick virus
    scan

    Hardware Drivers.
    - Update all Drivers for soundcard/diskcontrollers/videocards/usb/etc/...
    - Update BIOS and do a new flash if needed.
    - Update Router firmware

    Software Patches
    - download latest XP patches from windowsupdate.microsoft.com
    - download latest virus definitions
    (I'm using 2 virus scanners, Grisoft AVG
    http://www.grisoft.com and Norton Antivirus
    )

    - download latest updates for your IDS or software Firewall
    (such as Sygate Personal Firewall from
    http://smb.sygate.com/support/documents/spf/spf_download.htm
    )

    (By the way, is there any significant benefit in using a software firewall
    if i already have a router.. other than it working like an IDS)?

    - latest updates for Ad-Aware
    (a spyware removal software from
    www.lavasoft.de/software/adaware/
    )

    Scan / Fix
    (Unplug computer from internet at this point in time)
    - run a full system cleanup and get rid of all cookies/temp files/junk/ etc
    - run a full spyware scan using "deep scan"
    - run virus scan to check for ALL files with heuristics (and/or 'houndog')
    turned on,
    - run scandisk or diskdoctor of some sort
    - run a full defragmentation using defrag/speedisk/diskkeeper of some sort

    Account configuration
    - change all passwords so that they have a combination of upper/lowercase
    letters and numbers,
    and do not use any words from the dictionary of any language
    - create a user account for yourself and others
    so that you don't get in the habit of using the administrator account all
    the time.

    Router Configuration
    - take care of any license issues
    - disable all ports/services (so that we can enable services on a
    "need"-only basis)
    - Refer to the history/log of applications that have been running
    to obtain the protocol, local port, remote port, and IP address needed to grant
    access.
    - If additional security is needed, assign to mac address instead of IP

    For Sygate Personal Firewall only :
    - Enable intrusion detection, port scan detection, anti-mac spoofing,
    anti-ip spoofing
    - Enable driver level protection, OS fingerprint masquerading
    - configure so that it blocks all traffic when service not loaded
    - enable stealth mode browsing but disable this if too many problems seem to
    occur.
    - Enable DLL authentication and check "automatically allow known DLLs"
    - enable smart DNS, smart DHCP, and SmartNETBIOS
    - Automatically block attackers IP for.. a number of seconds
    - you may also want to set it so that it notifies you via email of any
    attacks.

    Browser Configuration
    - disable all scripting, java, flash, active-x, and plug-ins and enable only
    as needed
    - delete all existing cookies
    - disable 3rd-party cookies and/or set cookie policy according to privacy
    settings
    - configure popup window blocking feature if needed
    - use encryption when storing sensitive data
    - configure so that it warns you if you're entering/leaving an unencrypted page
    - configure client certificate selection and CRL/OCSP (certificate status
    protocol) as needed

    Mail Configuration
    - set any POP/Mail clients to use encryption/ SSL so that passwords are not
    sent unencrypted
    - disable cookies in Mail and Newsgroups
    - disable default viewing of images as they can be used for tracking purposes
    by spammers
    - set a filter so that any email address that does not contain the @ "at
    sign" and . "dot" is automatically rejected.
    - you may also wish to set a filter so that if your own email address does
    not appear in the "To:" or "CC:" field, the email is considered spam.

    Access Control
    - set and verify folders that need to have access restrictions
    - enable encryption on private files if necessary

    Recovery Disk
    - make a boot disk from your Operating System
    - make a password recovery disk
    - make a virus boot disk as well
    now you have 3 ways to get back on your feet in case something happens

    Test
    - Run a port scanner. Blue Globe Software, for example, offers a
    program called Port Scanner (www.islandnet.com/~cliffmcc/portscanner.html).
    Raw Logic Software's NetView Scanner (www.rawlogic.com/products.html)
    provides details about vulnerable ports and additional tools for detecting
    network clients that have Windows file and print sharing enabled.
    I've heard that Nessus is also great. I suppose you can use others such as
    Insecure.org's NMAP
    (www.insecure.com/nmap) and cotse, but I don't know if they work on XP.

    Backup
    - locate and backup private keys and additional configuration files
    - backup all the latest drivers you've downloaded so far
    - make a full backup to a removable storage

    Opt-Out / Proactive Privacy protection
    - go to www.doubleclick.com and search for a link where you can tell them not
    to track or abuse your personal information
    - not posting private email or personal information when posting to online
    newsgroups
    or mailing lists may also help
    - not sure if they are still in effect, but the national do-not-call registry
    might help reduce some unwanted spam

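An added audit script for the account items in this thread (Steve's advice to rename the built-in Administrator and Guest, and the original post's "Account configuration" section); it is not code from either poster. It assumes PowerShell 2.0 or later, which XP only gained with SP3, and uses the standard WMI classes Win32_UserAccount, Win32_Group and Win32_GroupUser; run it from an administrator prompt after the changes.

```powershell
# Added example, not from the original thread: audit the local SAM for the
# account items on the checklist. Identifies built-in accounts by RID, not
# name, so the checks still hold after the Administrator/Guest rename.

$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"

# Built-in Administrator = RID 500, built-in Guest = RID 501.
$builtinAdmin = $accounts | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
$builtinGuest = $accounts | Where-Object { $_.SID -like 'S-1-5-21-*-501' }

# Names of members of the local Administrators group (well-known SID S-1-5-32-544).
$adminGroup = Get-WmiObject -Class Win32_Group -Filter "LocalAccount='True' AND SID='S-1-5-32-544'"
$adminMembers = Get-WmiObject -Class Win32_GroupUser |
    Where-Object { $_.GroupComponent -match "Name=`"$($adminGroup.Name)`"$" } |
    ForEach-Object { if ($_.PartComponent -match 'Name="([^"]+)"$') { $matches[1] } }

$findings = @()

# Steve's point: the RID-500 account should no longer be called "Administrator".
if ($builtinAdmin.Name -eq 'Administrator') {
    $findings += 'RID-500 account still carries the default name "Administrator".'
}

# Whatever it is now called, the real Guest account should be disabled.
if (-not $builtinGuest.Disabled) {
    $findings += "RID-501 (Guest) account '$($builtinGuest.Name)' is enabled; disable it."
}

# Password rule from the checklist: no enabled account may run without a password.
foreach ($a in ($accounts | Where-Object { -not $_.Disabled -and -not $_.PasswordRequired })) {
    $findings += "Account '$($a.Name)' is enabled but does not require a password."
}

# "Create a user account for yourself": at least one enabled account that is
# neither Guest nor a member of Administrators must exist for daily use.
$nonAdmin = $accounts | Where-Object {
    -not $_.Disabled -and $_.SID -notlike '*-501' -and ($adminMembers -notcontains $_.Name)
}
if (-not $nonAdmin) {
    $findings += 'No enabled non-administrator account exists for daily use.'
}

if ($findings.Count -eq 0) {
    Write-Output 'Account checks passed.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```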