Thirty steps to PC security



TurboTramp
07-09-2005, 11:53 PM
This article describes the steps necessary to secure your Windows operating
system from malicious exploits. The solutions listed below will protect you
from every major vulnerability found on the Internet today, June 08, 2005. If
by chance you would prefer to use tested software to enable these solutions,
go to http://www.geocities.com/turbotramp2/samurai.html or click
http://www.geocities.com/turbotramp2/samurai.zip to download the most recent
version of Samurai. This Host-based Intrusion Prevention System will secure
your machine using the solutions listed below.


DISABLE INSECURE CONTROLS: Disable known insecure ActiveX controls.

This solution disables the use of insecure ActiveX controls. The registry
key “HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility” is
updated with the GUID’s of known insecure controls that do not affect normal
operation when disabled. The GUIDs are:

// ADODB control
{00000566-0000-0010-8000-00AA006D2EA4}
// Shell.Application
{13709620-C279-11CE-A49E-444553540000}
// AnchorClick DHTML Behavior
{8856F961-340A-11D0-A96B-00C04FD705A2}
// Image Control 1.0 (uses asycpict.dll)
{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}
// DHTML Editing Control
{2D360201-FFF5-11D1-8D03-00A0C959BC0A}


PREVENT AIM EXPLOIT: Disable the AIM URL protocol handler.

This solution prevents the use of the AIM URL protocol by replacing the
insecure ActiveX GUID with a harmless substitute, in this case the HTML Help
GUID is used. The AIM URL protocol is not required for normal operation and
does not affect AOL Instant Messaging.

The registry key is “HKCR\PROTOCOLS\Handler\aim”.
The registry value is “CLSID”.

PREVENT ANONYMOUS ACCOUNTS: Prevent anonymous accounts.

This solution prevents the use of anonymous sessions by setting the registry
value “HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous” to true.
This setting will not become active until the machine is rebooted. As such,
“The new configuration will require a reboot” will be displayed when this
setting is altered in Samurai.

DISABLE AUTO FILE OPEN: Disable automatic file open from explorer.

This solution prevents Explorer from opening files without first prompting
the user. This is accomplished by masking all auto open bits in EditFlags
values of registry keys located in HKLM\Software\Classes,
HKLM\Software\Classes\Shell\Open, HKLM\Software\Classes\CLSID,
HKCU\Software\Classes, HKCU\Software\Classes\Shell\Open and
HKCU\Software\Classes\CLSID.

STOP BIT SERVICE: Stop the Background Intelligent Transfer Service.

This solution stops the Background Intelligent Transfer Service. This
service is not required for normal operation and can be abused to allow full
control of a host machine from a remote computer.

DISABLE URL PROTOCOLS: Disable dangerous URL protocols.

This solution disables the use of insecure URL types "ms-its", "ms-itss",
"its", "mk" and "local" by removing the type entries from the
“HKLM\Software\Classes\Protocols\Handler” and “HKCR\Protocols\Handler”
registry keys.

DISABLE DYNAMIC ICONS: Disable insecure job icon handlers.

This solution disables dynamic icon handlers for (.job) JobObject files by
removing the "IconHandler" keys from "HKCR\JobObject\shellex" and
"HKLM\SOFTWARE\Classes\JobObject\shellex". Dynamic job icon handlers are not
required for normal operation and can be abused to allow full control of a
host machine from a remote computer.

SECURE EXPLORER ZONE 0: Set and secure "My Computer" zone.

This solution secures “My Computer Zone” by resetting the values of the
registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0”. These special settings prevent many vulnerabilities
including MS05-001, MS05-008 and MS05-014. The settings are:

1001 Download signed ActiveX controls Disable
1004 Download unsigned ActiveX controls Disable
1200 Run ActiveX controls and plug-ins Prompt
1201 Initialize and script ActiveX controls not marked as safe Disable
1400 Active Scripting Allow
1402 Scripting of Java applets Disable
1405 Script ActiveX controls marked as safe for scripting Allow
1406 Access data sources across domains Disable
1407 Allow paste operations via script Disable
1601 Submit non-encrypted form data Disable
1604 Font Download Disable
1605 Run Java Disable
1606 User Data persistence Disable
1607 Navigate sub-frames across different domains Disable
1608 Allow META REFRESH Disable
1609 Display mixed content Disable
1800 Installation of desktop items Disable
1802 Drag and drop or copy and paste of files Allow
1803 File Download Disable
1804 Launching programs and files in an IFRAME Disable
1E05 Software channel permissions 196608

DISABLE GRP ASSOCIATION: Disable dangerous .grp file conversions.

This solution disables the insecure association between “.grp” files and
“MSProgramGroup” by deleting both registry keys from HKCR.

DISABLE GUEST ACCOUNT: Disable the Guest Account.

This solution disables the guest account by removing account registry keys
“V” and “F” from “SAM\SAM\Domains\Account\Users\000001F5”. The guest account
is not required for normal operation and can be used by privilege escalation
exploits to gain full administrative control of a machine.

DISABLE HTML APP TYPE: Disable the HTML Application MIME type.

This solution disables the HTML application type by removing the
“application/hta” registry key from both “HKCR\MIME\Database\Content Type”
and “HKLM\SOFTWARE\Classes\MIME\Database\Content Type”.

PREVENT HTML FRAME EXPLOIT: Check FRAME/IFRAME NAME field.

This solution registers an HTML filter that checks for FRAME and IFRAME tags
with overly long NAMEs. The filter removes overly long names from the HTML
stream to prevent a well-publicized buffer overflow. This can only be
accomplished with the Samurai HIPS.

SECURE HTTP SETTINGS: Secure HTTP configuration parameters.

This solution adjusts registry values under the
“HKLM\System\CurrentControlSet\Services\HTTP\Parameters” key to secure HTTP from
many common vulnerabilities. The settings are:

"AllowRestrictedChars" 0
"EnableNonUTF8" 1
"FavorUTF8" 1
"MaxConnections" 0x7fffffff
"MaxEndpoints" 0
"MaxFieldLength" 16384
"MaxRequestBytes" 16384
"PercentUAllowed" 1
"UrlSegmentMaxCount" 255
"UriEnableCache" 1
"UriMaxUriBytes" 262144
"UriScavengerPeriod" 120
"UrlSegmentMaxLength" 260

PREVENT IMAGE EXPLOITS: Check image files for correctness.

This solution hooks various system calls to block Animated Cursor (.ANI) and
GDI+ (.JPG) files containing buffer overflow exploits. Only files with
embedded buffer overflows will be blocked from image processing. Properly
formatted ANI and JPG files will not be affected by this solution. This can
only be accomplished with the Samurai HIPS.

STOP INDEX SERVICE: Stop the Windows Indexing Service.

This solution stops the Windows Indexing Service. This service is not
required for normal operation and can be abused to allow full control of a
host machine from a remote computer.

SECURE LICENSE LOGGING: Disable null session License Logging.

This solution disables insecure nullSession license logging by removing
"LLSRPC" from the “NullSessionPipes” value of the
“HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” registry key.

PREVENT LSASS EXPLOIT: Prevent LSASS (Sasser based) exploits.

This solution repairs a well-known LSASS vulnerability by setting the LSASS
dcpromo.log file to “read only”. The dcpromo.log file can be found in the
system directory under the “debug” directory.

STOP MESSAGE SERVICE: Stop the Windows Messaging Service.

This solution stops the Windows Messaging Service. This service is not
required for normal operation and can be abused to allow full control of a
host machine from a remote computer. This solution does not affect Instant
Messaging services.

STOP NET DDE SERVICE: Stop the Net DDE Service.

This solution stops the Network Dynamic Data Exchange Service. This service
is not required for normal operation and can be abused to allow full control
of a host machine from a remote computer.

DISABLE PCT SERVICE: Disable the Private Communication Transport.

This solution disables the PCT protocol by disabling both the “Client” and
“Server” registry keys under
“HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0”.
The PCT protocol is not required for normal operation and can be abused to
allow full control of a host machine from a remote computer.

DISABLE UPNP SERVICE: Disable the Universal Plug and Play Service.

This solution stops the Simple Service Discovery Protocol, which disables
Universal Plug and Play. The SSDP service is not required for normal
operation and can be abused to allow full control of a host machine from a
remote computer. This solution does not affect local Plug and Play operation.

DISABLE RDS: Disable the Remote Data Services Datafactory.

This solution disables 3 insecure RDS datafactory objects:
RDSServer.DataFactory, AdvancedDataFactory and VbBusObj.VbBusObjCls by
removing the corresponding registry keys from
“HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch”. These
objects are not used in normal operation and will not affect other Remote
Data Services.

STOP REMOTE REGISTRY SERVICE: Stop the Remote Registry Service.

This solution stops the Remote Registry Service. This service is not
required for normal operation and can be used to remotely reconfigure a host
machine from a remote computer.

DISABLE ROOTKITS: Clear existing rootkits and prevent future loading.

This solution hooks system calls to prevent the loading of rootkits and
refreshes the kernel’s system call table to clear existing rootkits. This
solution also contains a user interface that informs the operator when
attempts are made to load device drivers during normal operation. This can
only be accomplished with the Samurai HIPS.

DISABLE RPC-DCOM: Disable RPC based DCOM.

This solution disables the DCOM client protocol of the Remote Procedure Call
protocol by setting “HKLM\Software\Microsoft\OLE\EnableDCOM” to “N” and
removing any data in “HKLM\Software\Microsoft\Rpc\DCOM Protocols”. The Client
DCOM portion of RPC is not required for normal operation and can be abused to
allow full control of a host machine from a remote computer. This setting
will not become active until the machine is rebooted. As such, “The new
configuration will require a reboot” will be displayed when this setting is
altered in Samurai.

DELETE SAM FILE: Delete the backup password file.

Many Windows operating systems save a backup copy of the SAM file in the
repair directory under the system directory. This file contains SMB username
and password data that can be decoded by utilities such as JohnTheRipper to
retrieve valid login information. The backup file is only used for emergency
backup and is not required for normal operation.

DISABLE SHELL URL: Disable the Shell URL protocol handler.

The solution disables the Shell protocol handler by replacing the insecure
ActiveX GUID found at “HKCR\PROTOCOLS\Handler\shell\CLSID” with a harmless
substitute, in this case the HTML Help GUID. The Shell URL protocol is not
required for normal operation and can be abused to allow full control of a
host machine from a remote computer.

BLOCK SYN ATTACKS: Prevent TCP/IP SYN attacks.

This solution helps to prevent SYN Flood Attacks from disabling TCP/IP by
setting the "SynAttackProtect" value of the
"HKLM\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters" registry key. The
value is set to 2, which adds additional delays to connection indications and
allows TCP connection requests to quickly timeout when a SYN attack is in
progress.

DISABLE WWW DAV: Disable Distributed Web Authoring.

This solution disables the Distributed Web Authoring service by setting the
"DisableWebDAV" value of the
"HKLM\System\CurrentControlSet\Services\W3SVC\Parameters" registry key. This
service is not required for normal operation and can be abused to allow full
control of a host machine from a remote computer.

DISABLE WIN SERVICE: Disable the Windows Internet Naming Service.

This solution disables the Windows Internet Naming Service. This service is
not required for normal operation and can be abused to allow full control of
a host machine from a remote computer.

I hope this helps,
TurboTramp
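An audit script for the steps listed in the post above, added here as an example; it is not part of TurboTramp's post or of Samurai. It reads the registry, services and files and reports which steps are in place, changing nothing. It assumes the usual Windows conventions the post does not spell out: service short names, 0x400 as the ActiveX kill-bit flag, zone values 0 = Allow, 1 = Prompt, 3 = Disable, DisableWebDAV = 1, and %SystemRoot%\repair\sam as the backup SAM path; it needs PowerShell 3 or later in an elevated prompt.

```powershell
# Audit-only check of the hardening steps listed above: reads the registry,
# services and files and reports which steps are in place; nothing is changed.
# Assumptions (not stated in the post): service short names, 0x400 as the
# kill-bit flag, zone values 0/1/3, and the %SystemRoot%\repair\sam path.
$results = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK' } else { 'MISSING' }
    $results.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
}

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Kill bits for the five ActiveX controls named in the post.
$killBitBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$controls = @{
    '{00000566-0000-0010-8000-00AA006D2EA4}' = 'ADODB control'
    '{13709620-C279-11CE-A49E-444553540000}' = 'Shell.Application'
    '{8856F961-340A-11D0-A96B-00C04FD705A2}' = 'AnchorClick DHTML Behavior'
    '{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}' = 'Image Control 1.0'
    '{2D360201-FFF5-11D1-8D03-00A0C959BC0A}' = 'DHTML Editing Control'
}
foreach ($guid in $controls.Keys) {
    $flags = Get-RegValue "$killBitBase\$guid" 'Compatibility Flags'
    $ok = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
    Add-Result "Kill bit: $($controls[$guid])" $ok "Compatibility Flags = $flags"
}

# 2. "My Computer" zone (zone 0) values from the post's table.
$zone0 = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$zone0Expected = @{
    '1001' = 3; '1004' = 3; '1200' = 1; '1201' = 3; '1400' = 0; '1402' = 3; '1405' = 0
    '1406' = 3; '1407' = 3; '1601' = 3; '1604' = 3; '1605' = 3; '1606' = 3; '1607' = 3
    '1608' = 3; '1609' = 3; '1800' = 3; '1802' = 0; '1803' = 3; '1804' = 3; '1E05' = 196608
}
foreach ($name in $zone0Expected.Keys) {
    $actual = Get-RegValue $zone0 $name
    Add-Result "Zone 0 value $name" ($actual -eq $zone0Expected[$name]) `
        "expected $($zone0Expected[$name]), found $actual"
}

# 3. Single registry values the post sets (DisableWebDAV = 1 is assumed).
$scalars = @(
    @{ Check = 'RestrictAnonymous'; Name = 'restrictanonymous'; Test = { param($v) $v -ge 1 }
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
    @{ Check = 'SynAttackProtect = 2'; Name = 'SynAttackProtect'; Test = { param($v) $v -eq 2 }
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' }
    @{ Check = 'EnableDCOM = N'; Name = 'EnableDCOM'; Test = { param($v) $v -eq 'N' }
       Path = 'HKLM:\SOFTWARE\Microsoft\Ole' }
    @{ Check = 'DisableWebDAV'; Name = 'DisableWebDAV'; Test = { param($v) $v -ge 1 }
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters' }
)
foreach ($s in $scalars) {
    $v = Get-RegValue $s.Path $s.Name
    Add-Result $s.Check ([bool](& $s.Test $v)) "found '$v'"
}

# 4. URL protocol handlers and the HTA MIME type the post removes. The registry
#    provider treats '/' as a path separator, so match 'application/hta' by name.
foreach ($proto in 'ms-its', 'ms-itss', 'its', 'mk', 'local') {
    $present = Test-Path "Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler\$proto"
    Add-Result "URL protocol '$proto' removed" (-not $present) "key present: $present"
}
$hta = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\MIME\Database\Content Type' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'application/hta' }
Add-Result 'application/hta MIME type removed' ($null -eq $hta) "key present: $($null -ne $hta)"

# 5. Services the post stops (short names assumed).
$services = @{
    'BITS' = 'Background Intelligent Transfer'; 'cisvc' = 'Indexing Service'
    'Messenger' = 'Messenger'; 'NetDDE' = 'Network DDE'; 'SSDPSRV' = 'SSDP Discovery'
    'RemoteRegistry' = 'Remote Registry'; 'WINS' = 'Windows Internet Name Service'
}
foreach ($svc in $services.Keys) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $stopped = ($null -eq $s) -or ($s.Status -ne 'Running')
    $detail = if ($s) { "status $($s.Status)" } else { 'not installed' }
    Add-Result "Service stopped: $($services[$svc])" $stopped $detail
}

# 6. Files: backup SAM removed, dcpromo.log read-only (or absent).
$samBackup = Join-Path $env:SystemRoot 'repair\sam'
Add-Result 'Backup SAM file removed' (-not (Test-Path $samBackup)) $samBackup
$dcpromo = Join-Path $env:SystemRoot 'debug\dcpromo.log'
$ok = (-not (Test-Path $dcpromo)) -or (Get-Item $dcpromo).IsReadOnly
Add-Result 'dcpromo.log read-only' $ok $dcpromo

$results | Format-Table -AutoSize
$inPlace = @($results | Where-Object { $_.Status -eq 'OK' }).Count
"{0} of {1} hardening checks in place" -f $inPlace, $results.Count
```

A MISSING line for BITS or the Remote Registry service is expected on machines that use Automatic Updates or remote administration, as the replies below point out; treat the report as a checklist, not a verdict.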

Karl Levinson, mvp
07-09-2005, 11:53 PM
Those sound like generally useful things that shouldn't break too much on
most people's computers, though people should be aware that there are other
things one would want to do to secure their computers as well.

BITS is used by the Automatic Updates service, and I am not aware of any
vulnerabilities in it. I'm only aware of one current vulnerability in the
License Logging Service, though I'm not necessarily against disabling it.
Some users might be using the Remote Registry Service or RPC DCOM.


"TurboTramp" <TurboTramp@discussions.microsoft.com> wrote in message
news:7B03F9A5-EF3B-45B5-A173-F5959F3F35E0@microsoft.com...
> This article describes the steps necessary to secure your Windows operating
> system from malicious exploits. The solutions listed below will protect you
> from every major vulnerability found on the Internet today, June 08, 2005. If
> by chance you would prefer to use tested software to enable these solutions,
> go to http://www.geocities.com/turbotramp2/samurai.html or click
> http://www.geocities.com/turbotramp2/samurai.zip to download the most recent
> version of Samurai. This Host-based Intrusion Prevention System will secure
> your machine using the solutions listed below.
>
> DISABLE INSECURE CONTROLS: Disable known insecure ActiveX controls.

TurboTramp
07-09-2005, 11:53 PM
Thank you Karl. You are correct, Samurai by itself is not enough. I recommend
a layered security model that includes a firewall, anti-virus software, a
Host-based Intrusion Prevention System, strict patching standards and as much
encryption as you're willing to add on. As for not breaking too much on other
people's computers, Samurai is specifically designed to apply as much
security as possible without breaking anything, and it's completely
customizable, so just leave BITS on if you're using it. But you should leave
RPC DCOM off, you're not using it and there are many, many exploits in the
wild that take advantage of this vulnerability.

Thanks again,
TurboTramp

"Karl Levinson, mvp" wrote:

> Those sound like generally useful things that shouldn't break too much on
> most people's computers, though people should be aware that there are other
> things one would want to do to secure their computers as well.
>
> BITS is used by the Automatic Updates service, and I am not aware of any
> vulnerabilities in it. I'm only aware of one current vulnerability in the
> License Logging Service, though I'm not necessarily against disabling it.
> Some users might be using the Remote Registry Service or RPC DCOM.

Alun Jones [MSFT]
07-09-2005, 11:53 PM
There are a bunch of other steps that should be applied first, not least of
which are the steps at http://www.microsoft.com/protect :

Use an Internet Firewall
Get Computer Updates
Use Up-to-Date Antivirus Software

Note that the second step above - keeping up with patches - renders several
of your settings unnecessary, as they appear designed to address known - and
fixed - flaws of some significant age.

Several of the settings you advocate will disable functionality that is used
by applications. [To mention one item that's already been discussed,
disabling RPC DCOM will prevent certain fax-sharing software from
communicating between client and server]

Alun.
~~~~
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.

Imhotep
07-09-2005, 11:53 PM
TurboTramp wrote:

> This article describes the steps necessary to secure your Windows
> operating system from malicious exploits. The solutions listed below will
> protect you from every major vulnerability found on the Internet today,
> June 08, 2005. If by chance you would prefer to use tested software to
> enable these solutions, go to
> http://www.geocities.com/turbotramp2/samurai.html or click
> http://www.geocities.com/turbotramp2/samurai.zip to download the most
> recent version of Samurai. This Host-based Intrusion Prevention System
> will secure your machine using the solutions listed below.
>
>
> DISABLE INSECURE CONTROLS: Disable known insecure ActiveX controls.

...also realize that unfortunately there still are vulnerabilities in MS
products that MS has not gotten around to fixing. At least pay attention to
these so you can better construct your security policies to protect
yourself...*Don't* leave it up to Microsoft...

-Im

Karl Levinson, mvp
07-09-2005, 11:53 PM
"Alun Jones [MSFT]" <alunj@online.microsoft.com> wrote in message
news:uNl3zPRbFHA.3328@TK2MSFTNGP09.phx.gbl...

> Note that the second step above - keeping up with patches - renders several
> of your settings unnecessary, as they appear designed to address known - and
> fixed - flaws of some significant age.

Well, yes and no. It is true that most of these technologies mentioned do
have time-tested patches for the currently known vulnerabilities in them.
Disabling these things proactively, however, would have protected you
between the time the vulnerability was released and the time Microsoft
released a patch, and/or between the time the vulnerability was released and
your large enterprise had the ability to patch all systems. Also, often
there are rogue systems that, once configured, don't get patched for one
reason or another. Doing these things can also make patching less urgent
and frenzied, which is not without benefit.

Imhotep
07-09-2005, 11:53 PM
Karl Levinson, mvp wrote:

> "Alun Jones [MSFT]" <alunj@online.microsoft.com> wrote in message
> news:uNl3zPRbFHA.3328@TK2MSFTNGP09.phx.gbl...
>
>> Note that the second step above - keeping up with patches - renders several
>> of your settings unnecessary, as they appear designed to address known - and
>> fixed - flaws of some significant age.
>
> Well, yes and no. It is true that most of these technologies mentioned do
> have time-tested patches for the currently known vulnerabilities in them.
> Disabling these things proactively, however, would have protected you
> between the time the vulnerability was released and the time Microsoft
> released a patch, and/or between the time the vulnerability was released and
> your large enterprise had the ability to patch all systems. Also, often
> there are rogue systems that, once configured, don't get patched for one
> reason or another. Doing these things can also make patching less urgent
> and frenzied, which is not without benefit.

...good advice.

-Im
