Commonsense, common settings
Anti-Virus issues
Firewall issues
E-commerce and webmail
Backups
Disable unused features
Coping with Windoze oddities
Solution? Install Ubuntu Linux (as I do at home).
| 13 Aug 08 |
Reference(s):
http://www.microsoft.com/technet/security/default.mspx
http://www.microsoft.com/technet/security/current.aspx
http://www.microsoft.com/technet/security/bulletin/advance.mspx
http://www.microsoft.com/technet/security/advisory/default.mspx
http://blogs.technet.com/msrc/
http://blogs.technet.com/swi/
BEWARE that some patches may make your machine inoperable.
BEWARE that M$ patches do not address all known vulnerabilities.
BEWARE that installing patches or upgrading M$ software may un-install seemingly unrelated patches (e.g. the Win98-to-XP upgrade deletes IE6 patches).
BEWARE that installing any patches may overwrite any
customizations (may need to undo them to install the patch):
re-check and re-do all your changes as below.
BEWARE that M$ often changes the underlying patches without
updating the bulletins or KB articles, sometimes changing the file
binaries without updating version numbers.
NOTE that WinXPSP1 support ceased in Oct 06, see the Support Lifecycle Index.
Check out the Microsoft Security Tool Kit
http://www.microsoft.com/technet/security/tools/stkintro.mspx.
Beware that Microsoft Baseline Security Analyzer (http://www.microsoft.com/technet/security/tools/mbsahome.mspx) requires IE (with ActiveX?) and maybe other services (see http://support.microsoft.com/kb/320454), thus opening the machine up. Use the "original" Hfnetchk tool from http://www.shavlik.com/hf.aspx.
Note that Windows Update may have difficulties identifying what patches are already installed or are required; needs IE and ActiveX with low security settings; may ignore your "do not install" option; and may not know about Office or SQL. You may also need to use Office Update and/or Microsoft Update.
USyd users please note the site licences for MS software and the local WSUS (and old SUS) server.
| 19 May 08 |
Not all who reject IE are anti-MS zealots:
From http://www.auscert.org.au/3680:
AusCERT sees the use of alternative browsers as the only current effective workaround.
From http://www.auscert.org.au/3990:
AusCERT recommends that users ... avoid completely the use of Internet Explorer.
From http://www.auscert.org.au/4328:
AusCERT advises users ... [to] Use a different web browser.
From http://www.kb.cert.org/vuls/id/413886:
There are a number of significant vulnerabilities in [IE]. It is possible to reduce exposure to these vulnerabilities by using a different web browser.
From http://www.smh.com.au/articles/2003/12/17/1071337004378.html:
using other browsers on Windows was one means of protection while moving away from Windows altogether would afford a much better means of protection.
(The uproar at the end of June 2004, e.g. http://www.theinquirer.net/?article=16922, is just media hype: quite right, but too late; but then even http://slate.msn.com/id/2103152/ said that Firefox trumps Internet Explorer.)
Microsoft's own security program manager uses Firefox: see http://www.theinquirer.net/?article=18173.
Note that you still need to keep IE up-to-date with patches, and set secure IE options (even if you do not use IE), for the many Web-enabled applications. Windows Explorer in particular will internally handle HTTP and FTP URLs, disregarding the "URL protocol handler" in the registry, and is certainly unsafe without careful IE option settings. I wonder if Word can do JavaScript or VBS in a safe way... So occasionally you will need to rename the software back in place, patch it, start it up and set secure options, then hide it again.
To set secure options, go to Tools > Internet Options, then select the Security and Advanced tabs (in Security, set things to Custom to have fun). You may also use third-party "IE hardeners". MS has pushed IE7 as an automatic update from Nov06.
| 5 Jul 08 |
| 28 Jan 06 |
If you use Office XP or 2003, then beware of it sending debugging information, containing your sensitive documents, to Microsoft. Use regedit to set:
for Office XP, DWNeverUpload, DWNoExternalURL, DWNoFileCollection and DWNoSecondLevelCollection to 1 (DWORD) in both
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common] and
[HKEY_USERS\.Default\Software\Policies\Microsoft\Office\10.0\Common];
for Office 2003, QMEnable to 0 (DWORD) in
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common].
Apply privacy settings, or your document will contain unwanted information.
| 18 Apr 05 |
Need to set my Samba server not to accept an LM hash ("lanman auth = no" in smb.conf; check also "min protocol"). This does not buy much per se: if the attacker has the LM hash, then he could crack the password and win; or he could replay the NTLM hash as he is likely to also have that. As the user is likely to have the same password elsewhere, we should protect against crackable LM hashes even if we are vulnerable to NTLM hash replays. Configure clients so they never send an LM hash; by hacking Samba to actively reject users who send an LM hash, clients can be forced to update their settings.
Samba 3.0.5 supports NTLMv2 but not message encryption (Samba 2.2.8a does not support either).
To use NTLMv2 authentication on Win9x, you need to install the Directory Services Client (in Clients\Win9x\Dsclient.exe on the Windows 2000 Server CD). You can then un-install this client: the NTLMv2 support files will stay behind. It seems that Win9x can only do LM or NTLMv2, and cannot do NTLM authentication (which makes sense as the only allowed values of LMCompatibility are 0 or 3). (Samba 2.2.8a and Win9x cannot communicate securely.)
Use regedit to set LMCompatibility to 3 (a DWORD under HKLM\System\CurrentControlSet\Control\LSA; 0 and 3 are the only values Win9x accepts).
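The server side of the above, as an added example rather than the page's own smb.conf: a Samba 3.0.x [global] fragment that refuses LM and plain NTLM responses, never sends an LM response itself when acting as a client, and requires the NT1 dialect. Parameter names are Samba's own; the workgroup, share and group names are placeholders, and the "default" remarks describe Samba 3.0.x. Win9x clients without the Directory Services Client, and Samba 2.2.8a clients, will be refused by this, which is the point of forcing clients to update their settings.

```ini
# Added example: Samba 3.0.x settings that reject LM (and plain NTLM)
# and leave NTLMv2 as the only accepted response. MATHS, /srv/share and
# @staff are placeholders. Verify the effective values with:
#   testparm -s -v 2>/dev/null | grep -E 'auth|protocol|signing'
[global]
    workgroup = MATHS
    security = user

    # Server side: refuse LM responses (3.0.x default: yes) ...
    lanman auth = no
    # ... and refuse plain NTLM as well (default: yes), so only NTLMv2
    # is accepted. Drop this line if NTLM-only clients must still work.
    ntlm auth = no
    # Pre-NT dialects (default minimum: CORE) can only do LM or plaintext.
    min protocol = NT1
    # Sign SMB packets with clients that can (off by default on 3.0.x):
    # integrity only, Samba 3.x has no message encryption.
    server signing = auto

    # Client side (smbclient, winbind, trusts): never send an LM
    # response (default: yes), offer NTLMv2 (default: no), and never
    # fall back to plaintext (default: yes).
    client lanman auth = no
    client ntlmv2 auth = yes
    client plaintext auth = no

[share]
    path = /srv/share
    read only = no
    valid users = @staff
```

A quick functional check is a Windows client with LmCompatibilityLevel=0 or 1 (sends LM) against this server: it must fail to map the share, while the same client at level 3 or above succeeds.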
| 19 Jan 06 |
My WinXP home computer happily survives with just the short list of services under Services setup below; my WinXP work PC (hanging off a Samba PDC) has the (excessive, unsafe?) longer list there.
Ensure all un-trusted connections have File and printer sharing for Microsoft Networks disabled, and have Disable NetBIOS over TCP/IP selected (see Network setup below).
Use regedit to set the values listed under Registry setup below.
Am I now safe even without MS03-026, MS03-039, MS03-049, MS04-011 or MS04-012 patches in place? My home PC has survived Blaster, Welchia and Sasser; my office machine is behind a firewall, so has not been tested.
My home PCs have only a few ports open, and my work PC a similar set: see the netstat and Task Manager listings under Ports open below, which also explain the TCP port 1026 and UDP port 1029 entries. The connections shown by netstat do not change when I dial-up connect.
Check the registry for processes started at boot or login time, ensure all are legitimately needed.
I wonder if it would be possible or useful to set the TCP/IP stack parameters listed under Further checks below.
Services setup
Disable the services you do not need in My Computer (right-click) > Manage > Services and Applications > Services.
Home PC:
Name                                  Status   Startup Type
Application Management                         Disabled
COM+ Event System                     Started  Manual
DHCP Client                           Started  Automatic
DNS Client                            Started  Automatic
Event Log                             Started  Automatic
Human Interface Device Access                  Disabled
LexBce Server                         Started  Automatic   (my Lexmark printer?)
Messenger                                      Disabled
Network Connections                   Started  Manual
Network Location Awareness (NLA)      Started  Manual
Plug and Play                         Started  Automatic
Print Spooler                         Started  Automatic
Protected Storage                     Started  Automatic
Remote Access Connection Manager      Started  Manual
Remote Procedure Call (RPC)           Started  Automatic
Routing and Remote Access                      Disabled
Security Accounts Manager             Started  Automatic
Server                                Started  Automatic
SSDP Discovery Service                         Disabled
System Event Notification             Started  Manual
Task Scheduler                                 Disabled
Telephony                             Started  Manual
Terminal Services                     Started  Manual
Windows Audio                         Started  Automatic
Windows Management Instrumentation    Started  Manual
Workstation                           Started  Automatic
(rest are manual startup and not running).
Work PC:
Name                                  Status   Startup Type
Alerter                               Started  Automatic
Application Layer Gateway Service     Started  Manual
Automatic Updates                              Disabled
Background Intelligent Transfer Serv           Disabled
ClipBook                                       Disabled
COM+ Event System                     Started  Manual
Computer Browser                      Started  Automatic
DCOM Server Process Launcher          Started  Automatic
DHCP Client                           Started  Automatic
DNS Client                                     Disabled
Error Reporting Service                        Disabled
Event Log                             Started  Automatic
Help and Support                               Disabled
HID Input Service                     Started  Automatic
Messenger                             Started  Automatic
MS Software Shadow Copy Provider               Disabled
Net Logon                             Started  Automatic
NetMeeting Remote Desktop Sharing              Disabled
Network Connections                   Started  Manual
Network DDE                                    Disabled
Network DDE DSDM                               Disabled
Network Location Awareness (NLA)      Started  Manual
Performance Logs and Alerts                    Disabled
Plug and Play                         Started  Automatic
Print Spooler                         Started  Automatic
Protected Storage                     Started  Automatic
Remote Access Auto Connection Manager          Disabled
Remote Access Connection Manager               Disabled
Remote Procedure Call (RPC)           Started  Automatic
Routing and Remote Access                      Disabled
Secondary Logon                       Started  Automatic
Security Accounts Manager             Started  Automatic
Security Center                                Automatic
Server                                Started  Automatic
Shell Hardware Detection              Started  Automatic
Smart Card                                     Disabled
SoundMAX Agent Service                Started  Automatic
SSDP Discovery Service                         Disabled
System Event Notification             Started  Automatic
System Restore Service                         Disabled
Telnet                                         Disabled
Terminal Services                     Started  Manual
Themes                                Started  Automatic
User Profile Hive Cleanup             Started  Automatic
Volume Shadow Copy                             Disabled
WebClient                             Started  Automatic
Windows Audio                         Started  Automatic
Windows Firewall/ICS                  Started  Automatic
Windows Management Instrumentation    Started  Manual
Windows Time                          Started  Automatic
WinMonitor                            Started  Automatic   (home-grown management)
Wireless Zero Configuration                    Disabled
Workstation                           Started  Automatic
(rest are manual startup and not running).
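An added example (not the page's own tooling) of turning a table like the two above into a baseline and checking a machine against it: services that are enabled but not in the baseline, and services whose startup type has drifted, are reported. The live state comes from Win32_Service (whose StartMode reads "Auto" where the Services console says "Automatic"); the baseline excerpt and the sample "live" objects are constructed here so the functions run without touching a real machine, and the last function lists the Run/RunOnce keys for the "processes started at boot or login time" check. PowerShell 2.0 syntax is assumed.

```powershell
# Added example: service-baseline check and autostart listing for a WinXP
# box. Baseline lines: "<Display name>  <Started|->  <Automatic|Manual|Disabled>".
# Constructed excerpt of the home-PC table above; paste the full table in.
$HomeBaseline = @'
Application Management              -        Disabled
COM+ Event System                   Started  Manual
DHCP Client                         Started  Automatic
Messenger                           -        Disabled
Remote Procedure Call (RPC)         Started  Automatic
Task Scheduler                      -        Disabled
'@

function ConvertFrom-ServiceBaseline {
    param([string]$Text)
    $baseline = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(?<name>.+?)\s{2,}(?<status>Started|-)\s+(?<mode>Automatic|Manual|Disabled)\s*$') {
            $baseline[$Matches['name']] = @{ Status = $Matches['status']; StartMode = $Matches['mode'] }
        }
    }
    return $baseline
}

# Live state, shaped like the constructed sample objects further down.
function Get-LiveServices {
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        New-Object PSObject -Property @{ DisplayName = $_.DisplayName; State = $_.State; StartMode = $_.StartMode }
    }
}

function Compare-Services {
    param([hashtable]$Baseline, $Services)
    foreach ($svc in $Services) {
        # WMI reports Auto/Manual/Disabled (Boot/System for drivers).
        $mode = if ($svc.StartMode -eq 'Auto') { 'Automatic' } else { $svc.StartMode }
        $want = $Baseline[$svc.DisplayName]
        if ($null -eq $want) {
            if ($mode -ne 'Disabled') {
                "UNKNOWN  $($svc.DisplayName): $mode, $($svc.State) (not in baseline)"
            }
        } elseif ($want.StartMode -ne $mode) {
            "DRIFT    $($svc.DisplayName): baseline $($want.StartMode), now $mode ($($svc.State))"
        }
    }
}

# Registry autostart entries for the current user and the machine.
function Get-AutoStartEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties.
            if ($p.Name -notlike 'PS*') { "$key : $($p.Name) = $($p.Value)" }
        }
    }
}

# Constructed sample "live" state: Messenger has been re-enabled and a
# service absent from the baseline is running.
$SampleLive = @(
    (New-Object PSObject -Property @{ DisplayName = 'Messenger';       State = 'Running'; StartMode = 'Auto' }),
    (New-Object PSObject -Property @{ DisplayName = 'DHCP Client';     State = 'Running'; StartMode = 'Auto' }),
    (New-Object PSObject -Property @{ DisplayName = 'Task Scheduler';  State = 'Stopped'; StartMode = 'Disabled' }),
    (New-Object PSObject -Property @{ DisplayName = 'Remote Registry'; State = 'Running'; StartMode = 'Auto' })
)
Compare-Services -Baseline (ConvertFrom-ServiceBaseline $HomeBaseline) -Services $SampleLive

# Against the running machine:
# Compare-Services -Baseline (ConvertFrom-ServiceBaseline $HomeBaseline) -Services (Get-LiveServices)
# Get-AutoStartEntries
```

Services that are Manual and stopped are deliberately not reported as unknown, matching the "(rest are manual startup and not running)" convention of the tables; tighten the `-ne 'Disabled'` test to `-eq 'Automatic'` if you only care about what starts by itself.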
Network setup
Find your network connections (devices, interfaces) in Start Menu > [ Settings or Control Panel ? ] > Network and Dial-up Connections, and their properties in Local Area Connection > Properties or Dial-up > Properties > Networking.
Completely disable unused network interfaces, particularly wireless
interfaces on itinerant laptops.
Decide if any are "trusted" networks: your dial-up internet connection
is certainly un-trusted. My home PCs trust the LAN interface: my other PC
(only) is on that network, and I want them to share everything.
Ensure all un-trusted connections have File and printer sharing for Microsoft Networks disabled. You should only have Client for Microsoft Networks and Internet Protocol (TCP/IP) listed among the protocols/services used. My home PCs show:
Dial-up, Properties, Networking, "... uses the following items":
[x] Internet Protocol (TCP/IP)
[ ] File and Printer Sharing for Microsoft Networks
[x] Client for Microsoft Networks
Local Area Connection, Properties, "... uses the following items":
[x] Client for Microsoft Networks
[x] File and Printer Sharing for Microsoft Networks
[x] Internet Protocol (TCP/IP)
while my work PC has
Local Area Connection, Properties, "... uses the following items":
[x] Client for Microsoft Networks
[x] Internet Protocol (TCP/IP)
You should enable File and printer sharing on trusted networks only,
and only if you really intend to let anyone see (and delete or change) your
files. (It may be possible to have sharing with controls on who can do
what, but is beyond my abilities.) You may un-install File and printer
sharing if no network interfaces need it. Do not delete Client for
Microsoft Networks as some dial-up features rely on it.
Ensure all un-trusted connections have Disable NetBIOS over TCP/IP selected in Internet Protocol (TCP/IP) > Properties > Advanced > WINS.
My home PCs have more-or-less:
Dial-up, Properties, Networking, Internet Protocol (TCP/IP), Properties,
(Automatic IP and DNS), Advanced, WINS: "Disable NetBIOS over TCP/IP".
Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties,
Advanced:
IP 192.168.111.112, netmask 255.255.255.0
Gateway (none)
DNS server 192.168.111.111
WINS server 192.168.111.111
Enable NetBIOS over TCP/IP
while my work PC has
Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties,
(Automatic IP and DNS), Advanced, WINS: "Use NetBIOS setting from DHCP server".
Registry setup
Use regedit to set (DWORD values unless noted):
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=3
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash=1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=0 (could be 1?)
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxWorkItems=256
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled=0
HKLM\SYSTEM\CurrentControlSet\Services\Rpc\Linkage\Bind=(empty, REG_MULTI_SZ or REG_SZ)
HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\ListenOnInternet=N (REG_SZ)
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM=N (REG_SZ)
HKLM\SOFTWARE\Microsoft\Rpc\DCOM Protocols=(REG_MULTI_SZ, not including ncacn_ip_tcp)
(SmbDeviceEnabled=0 stops SMB direct hosting on TCP 445, so any file sharing you keep then runs over NetBIOS on TCP 139; EnableDCOM=N breaks applications that rely on remote DCOM. These take effect after a reboot.)
Reference(s):
Denial of Service Attack on Port 445 May Cause Excessive CPU Use (Q320751)
http://support.microsoft.com/kb/320751
Attacking Automatic Wireless Network Selection
http://www.securityfocus.com/archive/1/422250
Breaking into a laptop via Wi-Fi
http://news.com.com/Breaking+into+a+laptop+via+Wi-Fi/2100-7349_3-6101523.html
"Evil Twin" Public WiFi threat
https://www.sans.org/newsletters/newsbites/newsbites.php?vol=8&issue=65#sID318
Ports open
My home PCs have only a few ports open:

C:\> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       4
  TCP    192.168.111.112:139    0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:1029           *:*                                    796
  UDP    192.168.111.112:137    *:*                                    4
  UDP    192.168.111.112:138    *:*                                    4

(On Win2k use just netstat -an, or TCPView from http://www.sysinternals.com/ to show process IDs.)
Task Manager (Processes tab, with the PID column shown) shows (among others):

  Image Name        PID   User Name
  SVCHOST.EXE       796   NETWORK SERVICE
  System              4   SYSTEM

The line
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       4
is due to the Remote Access Connection Manager service; you need it for dial-up connections (set it to disabled and reboot to see the port go away, along with your dial-up settings). This port seems harmless, not actually open, as
  telnet localhost 1026
fails, same as any other non-open port. (Using hping also confirms the port is not open.) Surely it is a bug in System:4 that it opens but forgets to close the port.
The line
  UDP    0.0.0.0:1029           *:*                                    796
seems to appear some minutes after boot only.

My work PC has open:

C:\> netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    129.78.94.2:139        0.0.0.0:0              LISTENING
  UDP    129.78.94.2:137        *:*
  UDP    129.78.94.2:138        *:*

Maybe all those are needed...
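The check the listings above do by hand (which process owns each listening socket, and whether it is bound to every interface or only one), as an added example rather than the page's own script. It parses the text of netstat -ano and maps PIDs through tasklist /fo csv; the embedded sample is the home-PC output above, so the function runs without a network, and the wrapper at the end does the same against the running machine (XP with PowerShell 2.0 assumed).

```powershell
# Added example: list exposed sockets from "netstat -ano" text together
# with the owning process and how widely each socket is bound.
function ConvertFrom-Netstat {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or $f[0] -notmatch '^(TCP|UDP)$') { continue }
        # TCP rows: Proto Local Foreign State PID; UDP rows carry no State.
        if ($f[0] -eq 'TCP') { $state = $f[3]; $owner = $f[4] }
        else                 { $state = '';    $owner = $f[3] }
        $local = $f[1]
        $i = $local.LastIndexOf(':')        # last colon, so [::]:135 also splits
        New-Object PSObject -Property @{
            Proto     = $f[0]
            Address   = $local.Substring(0, $i)
            Port      = [int]$local.Substring($i + 1)
            State     = $state
            ProcessId = [int]$owner
        }
    }
}

function Get-ExposedSockets {
    param([string[]]$NetstatLines, [hashtable]$ProcessNames)
    ConvertFrom-Netstat $NetstatLines |
        Where-Object { $_.Proto -eq 'UDP' -or $_.State -eq 'LISTENING' } |
        ForEach-Object {
            $scope = "only $($_.Address)"
            if ($_.Address -match '^(0\.0\.0\.0|\[::\])$') { $scope = 'ALL interfaces' }
            if ($_.Address -match '^(127\.|\[::1\]$)')     { $scope = 'loopback only' }
            $name = $ProcessNames[$_.ProcessId]
            if (-not $name) { $name = '?' }
            New-Object PSObject -Property @{
                Proto = $_.Proto; Port = $_.Port; Scope = $scope
                ProcessId = $_.ProcessId; Process = $name
            }
        } | Sort-Object Proto, Port
}

# Constructed sample: the home-PC netstat and Task Manager listing above.
$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       4
  TCP    192.168.111.112:139    0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:1029           *:*                                    796
  UDP    192.168.111.112:137    *:*                                    4
  UDP    192.168.111.112:138    *:*                                    4
'@ -split "`r?`n"
$SampleProcesses = @{ 4 = 'System'; 796 = 'SVCHOST.EXE' }

Get-ExposedSockets -NetstatLines $SampleNetstat -ProcessNames $SampleProcesses |
    Format-Table Proto, Port, Scope, ProcessId, Process -AutoSize

# Against the running machine: PIDs come from tasklist, sockets from netstat.
function Get-LiveExposedSockets {
    $names = @{}
    tasklist /fo csv | ConvertFrom-Csv | ForEach-Object { $names[[int]$_.PID] = $_.'Image Name' }
    Get-ExposedSockets -NetstatLines (netstat -ano) -ProcessNames $names
}
```

A socket reported as "ALL interfaces" is reachable on the dial-up side as well as the LAN, which is why the 0.0.0.0:1026 and 0.0.0.0:1029 entries above deserve the scrutiny they got; PID 4 (System) ports are kernel-side listeners (SMB, the RAS port) and cannot be tied to a user-mode image by tasklist.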
Further checks
Submerged Subkeys in W2K
http://archives.neohapsis.com/archives/ntbugtraq/2004-q2/0064.html
http://archives.neohapsis.com/archives/ntbugtraq/2004-q2/0074.html
Get a Load of the W2K Run line!
http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0037.html
CWS = Crummy Windows Security
http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0256.html
The TCP/IP stack hardening values (DWORDs, under the keys Microsoft documents for them):
DisableIPSourceRouting=2
EnableDeadGWDetect=0
EnableICMPRedirect=0
EnablePMTUDiscovery=0
SynAttackProtect=2
in HKLM\System\CurrentControlSet\Services\Tcpip\Parameters;
NoNameReleaseOnDemand=1
in HKLM\System\CurrentControlSet\Services\NetBT\Parameters;
PerformRouterDiscovery=0
per interface under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>.
(HKLM\System\CurrentControlSet\Services\AFD\Parameters takes its own backlog-related values, not these names. EnablePMTUDiscovery=0 pins the MTU for non-local destinations at 576 bytes, which costs throughput.)
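An added example, not the page's own script, that audits (and with -Apply, sets) the values under Registry setup and the TCP/IP values just above as one desired-state table; the Office XP/2003 privacy values earlier on the page fit the same table shape with HKCU: paths. Two assumptions are flagged in the code: RestrictAnonymous is put at the stricter 1 the page wonders about, and NoNameReleaseOnDemand goes under NetBT\Parameters; PerformRouterDiscovery is left out because it is set per interface. Run it elevated on a test box first: LSA, RPC and TCP/IP changes need a reboot, EnableDCOM=N breaks remote DCOM clients and SmbDeviceEnabled=0 ends SMB on port 445.

```powershell
# Added example: desired-state registry audit for the values on this page.
# Default is audit only; -Apply writes the values (then reboot).
$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

$Baseline = @(
    @{ Path = $Lsa;   Name = 'LmCompatibilityLevel'; Type = 'DWord';  Value = 3 },
    @{ Path = $Lsa;   Name = 'NoLMHash';             Type = 'DWord';  Value = 1 },
    # Assumption: the page has RestrictAnonymous=0 and asks about 1.
    @{ Path = $Lsa;   Name = 'RestrictAnonymous';    Type = 'DWord';  Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'MaxWorkItems'; Type = 'DWord'; Value = 256 },
    @{ Path = $NetBT; Name = 'SmbDeviceEnabled';     Type = 'DWord';  Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcSs'; Name = 'ListenOnInternet'; Type = 'String'; Value = 'N' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';         Name = 'EnableDCOM';          Type = 'String'; Value = 'N' },
    # TCP/IP stack hardening; PerformRouterDiscovery is per interface and omitted.
    @{ Path = $Tcpip; Name = 'DisableIPSourceRouting'; Type = 'DWord'; Value = 2 },
    @{ Path = $Tcpip; Name = 'EnableDeadGWDetect';     Type = 'DWord'; Value = 0 },
    @{ Path = $Tcpip; Name = 'EnableICMPRedirect';     Type = 'DWord'; Value = 0 },
    @{ Path = $Tcpip; Name = 'EnablePMTUDiscovery';    Type = 'DWord'; Value = 0 },
    @{ Path = $Tcpip; Name = 'SynAttackProtect';       Type = 'DWord'; Value = 2 },
    # NoNameReleaseOnDemand is a NetBT value, not a Tcpip one.
    @{ Path = $NetBT; Name = 'NoNameReleaseOnDemand';  Type = 'DWord'; Value = 1 }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RegistryBaseline {
    param([array]$Rows, [switch]$Apply)
    foreach ($row in $Rows) {
        $have = Get-RegValue -Path $row.Path -Name $row.Name
        if ($null -ne $have -and "$have" -eq "$($row.Value)") {
            "OK       $($row.Path)\$($row.Name) = $have"
            continue
        }
        $shown = if ($null -eq $have) { '<absent>' } else { $have }
        "MISMATCH $($row.Path)\$($row.Name): want $($row.Value), have $shown"
        if ($Apply) {
            if (-not (Test-Path -Path $row.Path)) { New-Item -Path $row.Path -Force | Out-Null }
            New-ItemProperty -Path $row.Path -Name $row.Name -PropertyType $row.Type -Value $row.Value -Force | Out-Null
            "APPLIED  $($row.Path)\$($row.Name) = $($row.Value) (reboot to take effect)"
        }
    }
}

# REG_MULTI_SZ check: DCOM must not be offered over TCP/IP.
function Test-DcomProtocols {
    $protocols = @(Get-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Rpc' -Name 'DCOM Protocols')
    if ($protocols -contains 'ncacn_ip_tcp') {
        "MISMATCH DCOM Protocols still lists ncacn_ip_tcp ($($protocols -join ', '))"
    } else {
        "OK       DCOM Protocols = $($protocols -join ', ')"
    }
}

Test-RegistryBaseline -Rows $Baseline           # audit only
Test-DcomProtocols
# Test-RegistryBaseline -Rows $Baseline -Apply  # enforce, then reboot
```

Because the check compares the stored value with the wanted one as strings, a REG_SZ "3" left behind by an earlier hand edit where a DWORD is expected will pass; remove and re-run with -Apply if the type matters to the consumer (it does for the LSA values).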
| 16 May 08 |
Still, you should not normally log in as Administrator, but as some low-level user; and should protect the machine from low-level users, e.g. with sensible file and registry permissions. Then malware will not be able to install itself as a system service (foiling a number of viruses): see e.g.
Browsing the Web and Reading E-mail Safely as an Administrator
http://msdn.microsoft.com/library/en-us/dncode/html/secure11152004.asp
http://msdn.microsoft.com/library/en-us/dncode/html/secure01182005.asp
(Power users getting admin is a "known bug": http://support.microsoft.com/kb/825069.)
| 24 Jul 08 |
Maths users can get Firefox 3.0.1 and Thunderbird 2.0.0.16 via Samba from \\rome\sms\win\sfwinst\DataOnly.
Netscape Navigator has reached End of Support and its makers recommend using Firefox instead.
Or you may want to use Opera or Safari (both have security problems, I just do not keep track of those).
| 4 Jul 08 |
Maths users please get 9.0 via Samba from \\rome\sms\win\sfwinst\, or see http://www.adobe.com/products/acrobat/readstep2_allversions.html.
BEWARE: PDF files may carry active content, so are also dangerous. In Edit > Preferences, disable (un-check, do not allow) the options that let a PDF run active content.
| 12 Jun 07 |
With its penchant to pre-extract attachments, Eudora is a prime carrier to inject arbitrary code into IE's fatuously trusted zone of local files.
The "file URL buffer overflow" bug (exploitable to execute arbitrary
code, verified on versions 5.2.1, 6.0.3 and 6.1) seems fixed since 6.1.1.
The "long spoofed attachment name" buffer overflow (exploitable to
execute arbitrary code in versions 5.2.1 and 6.0) seems fixed in 6.0.1 and
6.0.3, was un-fixed (exploitable) in 6.1, then seems fixed again since
6.1.1.
The X - X.exe dichotomy issue seemed fixed in 6.0 to 6.1 (though
LaunchProtect worked within the attach folder
only), was un-fixed (broken) in 6.1.1, then seems fixed again since 6.1.2.
Eudora 5.2.1 was vulnerable to the "evil IMAP server" exploit: connect
to trusted servers only. Do not know if this was fixed in 6.0.
If you still insist on using Eudora, you must disable both Allow executables in HTML content and Use Microsoft's viewer in Tools > Options > Viewing Mail; you may also want to disable Automatically download HTML graphics in Tools > Options > Display. I am not sure if setting the attachment directory to be non-executable is useful.
| 26 Jul 08 |
The list here is not exhaustive but covers only the common software I knew about, and is not in order of importance. Some third-party software (IE, Firefox, MSWord, Acrobat, Eudora) is singled out elsewhere.
There are vulnerabilities in AIM (AOL Instant Messenger).
Do not use MSN Messenger as it has privacy problems (combine that with
cross-site-scripting problems on MS sites...); servers are misconfigured;
and it can be hijacked.
Need to update YIM.
Need to update ICQ.
Need to update mIRC.
Vulnerabilities have been found in
Skype,
and you should update the software.
Vulnerabilities have been found in
RealPlayer,
and you should update the software.
Reference(s):
AIM Local File Display in Notification Window
http://www.securityfocus.com/archive/1/479435
CORE-2006-0322: Multiple vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer
http://www.securityfocus.com/archive/1/445515