TweakTown

   
Old 04-01-2008, 05:44 AM   #31 (permalink)
APK
Junior Member
 
 
Join Date: Nov 2007
Location: A discrete point in the space-time continuum...
Posts: 36
PROOF YOURSELVES, vs. Adobe Acrobat Reader .pdf bad javascript attack

For users of Adobe Reader:

Since it has been attacked so much recently (via its ability to place javascripting into its .pdf document format, & javascript that bears "ill will" no less)? Well, update to the latest/greatest version...

HOWEVER, if you don't trust that, as I do not, FULLY?

(Simply because browser makers have been trying that left & right since "time immemorial" online, & more of those types of attacks pop up of differing nature that evades new patches vs. it, keep popping up regardless of the patches!)

Plus, like I had stated earlier in this guide?

I suggested turning off using javascript for EVERY SITE online, in your web browser (& only keep it for ones that demand it (or, become useless w/out it, like many shopping &/or banking sites - this lessens the possibility of being poisoned by bad adbanner OR site code & also lessens the attack surface area + limits the possibles to the sites you left javascript on for, ONLY))??

Try this:

TURN OFF JAVASCRIPT USAGE IN ADOBE ACROBAT READER to be safe vs. attacks in it that are javascript-based in nature!

EDIT menu

PREFERENCES submenu

Javascript section (in left-hand side column of options), & uncheck "Enable Acrobat Javascript" in the right-hand side option for that.

APK

P.S.=> That assures you are "proofed" vs. Adobe Acrobat malware/bad javascript containing contaminated .pdf documents via bogus javascript in them... apk
Old 05-01-2008, 03:14 AM   #32 (permalink)
APK
Re: HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA, fully, per CIS Tool scoring

More security tools/info. (04/28/2008), for APPLICATION LEVEL SECURITY:

(I.E.-> For checking for apps you have that may be security vulnerable OR have been patched vs. said vulnerabilities, etc.):

----

SECUNIA PSI (checks for outdated OR apps that are known to be insecure):



https://psi.secunia.com/

NEW VERSION (released very recently too).

A good program, by a trusted & WELL-KNOWN security-oriented website online (I tried version 1 earlier on last year, it needed work. This one is solid though, so far @ least, imo!)

(It works, & sometimes catches things FILEHIPPO UPDATE CHECKER below, won't - good "2nd Doctor's opinion" etc.)

----

FileHippo's Update Checker (checks for outdated OR apps that are known to be insecure, supplements PSI above):



FileHippo.com Update Checker - FileHippo.com

Decent program as well, & good to use as a supplement to the SECUNIA PSI Tool as well (from a well-known file downloads site also in filehippo).

(It works, & sometimes catches things SECUNIA PSI above, won't - good "2nd Doctor's opinion" etc.)

----

Windows Vulnerability Scanner:



Protector Plus - Windows Vulnerability Scanner - Proland Software

Nice program for checking Microsoft Operating Systems &/or Ms-Office versions vs. missing security patches, & it works, very well!

----

APK Registry Cleaning Engine 2002++ SR-7:



techPowerUp! :: Download APK Registry Cleaning Engine 2002++ SR-7

:)

* Yes, "shameless plug" on MY part on the last one, but, it does have "security benefits"...

(& more than potentially useful forensics ones, because it shows you what files a user calls upon via its lists (it does check recently used filelists, but, will also list those files the user attempted to delete (this assumes he may have been attempting to hide them)))... it is 100% proven SAFE on all 32-bit versions of Windows (see its description & feedback by users on the download page) 9x-VISTA as well)).

APK
Old 05-18-2008, 11:29 AM   #33 (permalink)
APK
Great reference site for HOSTS file users (for security part, not speed)

A great site that Mr. Dancho Danchev "turned me onto", for making additions to your CUSTOM HOSTS FILE (mentioned earlier on in this guide in STEP # 5) via his security blog... how/why?

SRI Malware Threat Center

:)

* Well - it keeps an updated listing of sites & servers that are KNOWN TO BE MALICIOUS!

APK

Last edited by APK; 05-18-2008 at 11:31 AM. Reason: Adding in great site for HOSTS FILE users
Old 05-18-2008, 11:31 AM   #34 (permalink)
APK
Conclusion

Conclusion

To all interested/reading:

I think this is it guys, I know of NO MORE to secure a Windows System... & again - IF any of you have points to add, please do so, but, I only ask that you keep it @ a technical computer security level (per my 1st initial post here's "P.S." section @ its termination).

:)

----------

MODS/ADMINS: Thanks for making this a "STICKY/PINNED THREAD", it's very cool to see & lets me know this IS working well for folks online (my "New Year's Resolution" for 2008 was "DO A GOOD DEED" & I think this qualifies, lol)

Anyhow... this is the 15th forum it has "made-the-grade" on since Dec. 2007 (in 5 months) to the tune of over 100,000 views across 20 forums online, & usually it made an "ESSENTIAL GUIDE", or "STICKY/PINNED THREAD" (as it did here), &/or it was rated "5/5 STARS"... & that's all a guy could hope for! Again - Gracias!


----------

* To all readers - ENJOY A FASTER & SAFER Windows based system of modern variety (2000/XP/Server 2003 & even VISTA) online today (especially TODAY!)...

APK

P.S.=> In other words, please - no "grammar & spelling" English "writing style" critiques, as they do NOT help to secure a system further... I did try to keep it as SHORT as possible, & to have folks use the CIS Tool to help make it easier + more fun.

HOWEVER, @ times, the material is complex & I could not "shorten/condense it" anymore w/ out losing critical details & such! Please bear with that much...

I hope readers gain by this thread by getting those 90++ scores on CIS Tool, surfing safely & F A S T E R online as a bonus once you apply the points I layered on top of CIS Tool's guidance points (based on "industry best practices" & such)... thanks! apk

Last edited by APK; 05-18-2008 at 11:35 AM. Reason: Where are my manners? Adding thanks to admins/mods here, on edit... apk
Old 06-04-2008, 01:59 AM   #35 (permalink)
APK
Re: HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA, fully, per CIS Tool scoring

Testing Signature
__________________
Up here in space I'm looking down on you! My lasers trace everything YOU DO. YOU THINK YOU'VE PRIVATE LIVES? THINK NOTHING OF THE KIND - There is NO TRUE ESCAPE I'm watching ALL THE TIME! I'm MADE OF METAL! My circuits gleam (I am perpetual, I keep the country clean) - Judas Priest, "The Electric Eye"
Old 07-04-2008, 04:18 AM   #36 (permalink)
APK
Re: HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA, fully, per CIS Tool scoring

For those of you interested in using custom HOSTS files (for BOTH added security & added speed online)?

"APK Hosts File Grinder 4.0++"

Today ! - Page 33 - The New Tech



:)

----

The application above has been built by myself, for folks just like YOU, & of course, myself!

----

It allows you the end-user, the ability to:
  • 1.) DO very EASY Integrating the HOSTS files of others, such as MVPS.ORG & others noted @ wikipedia, here -> Hosts file - Wikipedia, the free encyclopedia (even if in other internal line-by-line formats) "scrubbed into" the MOST EFFICIENT format there is (allowing less memory &/or disk space occupancy for loading, of 0URL), first, & then...
  • 2.) Speed up access to your fav sites, via 1st pinging them (so their IP Address IS up-to-date/current), & adding them to the normalized non-repeat line items list on the right above
  • 3.) Add/remove sites from a hosts file, but by first checking for their pre-existence inside the HOSTS file on ADDS, & rejecting if there already (& adding if NOT present)
  • 4.) Lastly, it will FULLY NORMALIZE (accurately 110%) a HOSTS file (normalize = removal of duplicates)...leaving you with one in the MOST efficient format line-wise there is (noted above, which consumes less memory & faster loadtime from disk)
----

It has allowed me to:

A.) Take valid HOSTS file data from EVERY known & respected HOSTS file there is (noted from the wikipedia link above, & also from SRI, Shadowserver, Dancho Danchev's Blog, SpyBot S&D, Spamhaus, Phishtank, + others also, such as my own research into this area), & integrate them FIRST into a HUGE 20mb file, & then via normalization, reducing its size to 12mb on disk (removing repeats which they will have between one another & sometimes inside of themselves even), reduce its size that way (1/2 the initial size almost from all that data), first...

B.) It has also made a 12mb SUPER-COMPREHENSIVE custom HOSTS file out of an initially 20++ mb sized one, from the sources above... allowing the SAME function as they offer (because their HOSTS FILES' many times using 127.0.0.1, or, 0.0.0.0 formats, instead into a MORE EFFICIENT ONE, of 0URL)... thus, MASSIVELY reducing its size on disk & in RAM once loaded into your local DNS cache, yet offering the SAME function!

C.) Create a CUSTOM HOSTS FILE loaded with FULLY alphabetized entries into your HOSTS file (so it is easy to search thru, even via notepad.exe).

-----

* It can do the same for you as well, should you be interested in such a tool... if you are? Email me, here:

apk4776239@hotmail.com

APK

P.S.=> General statistics on it, while in operation:

700k-5900k memory occupancy prior to load of HOSTS file data...

( & up to 167mb IF a "huge" hosts file (like 1 million++ line entries) is used)

Its runtimes (noted above) will vary, depending on the size of the HOSTS file being processed (should NOT exceed 3 hrs (&, for most folks, since they do NOT have files of such size in their HOSTS file? Heh, it will be the "blink of an eye" on most all sections (scrub, add/remove entries - validate entries, normalization-removal of repeated items, & save to disk) up to 2 minutes or so)

PLUS - It was built in the MOST efficient & fastest code combination I know of (Borland Delphi 7.x, Win32 API, & Inline Assembler code)

(Especially for this type of string processing (of which Delphi alone in math & strings often MORE THAN DOUBLED (sometimes, tripled) the speed of both MSVB & MSVC++ in, in (of all places) Visual Basic Programmer's Journal Sept./Oct. 1997 issue "INSIDE THE VB COMPILER" issue))

+

A truly "SUPER-EFFICIENT" algorithm, on each area of processing (especially normalization, taken down from DAYS time over 1 million++ records, to only 3 hours time max, if no repeats exist... if repeats? Far, FAR faster!)

Which speaks worlds alone right there... this app makes FAR shorter work of this, than does using ping.exe (for speedup of sites), MsAccess (via SQL Select Distinct queries work, & the potential import/export hassles it can have (leaving trailing spaces &/or quotes for example, bloating files on export)), & notepad.exe (good luck normalizing one using its Edit-Replace menus is all I can say... especially IF you have a BIG hosts file)... apk

Last edited by APK; 07-07-2008 at 08:59 AM.
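
The merge, scrub and normalize pass this post describes, as an added Python example that is not APK's tool or code from the thread: it reads several hosts-format lists, keeps only sink-address block entries, rewrites them to one sink address, removes duplicates and sorts the result. The function names, the set of sink addresses and the example.* sample data are assumptions made for the illustration.

```python
import re

# Sink addresses that published block lists commonly use (assumed set).
SINKS = {"0", "0.0.0.0", "127.0.0.1", "::", "::1"}
# Names that must keep their real loopback mapping and are never rewritten.
KEEP = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
# Conservative hostname check: dotted labels, at most 253 characters overall.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$"
)


def parse_blocked(text):
    """Yield lower-cased hostnames from hosts-format text that map to a sink."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINKS:
            continue                           # a real mapping, not a block entry
        for name in fields[1:]:                # one line may list several names
            name = name.lower().rstrip(".")
            if name not in KEEP and HOSTNAME.match(name):
                yield name


def normalize(sources, sink="0.0.0.0"):
    """Merge several hosts files into one sorted, duplicate-free block list."""
    names = set()
    for text in sources:
        names.update(parse_blocked(text))
    return [f"{sink} {name}" for name in sorted(names)]


# Constructed sample input: example.* names are placeholders, not real list data.
SOURCE_A = """\
# list A
127.0.0.1 localhost
127.0.0.1 ads.example.com   # trailing comment
127.0.0.1 Tracker.Example.NET
0.0.0.0 ads.example.com
"""
SOURCE_B = (
    "0.0.0.0\tbad.example.org ads.example.com\r\n"
    "192.0.2.10 intranet.example.com\n"
    "0.0.0.0 not a_valid..name\n"
)

if __name__ == "__main__":
    # sink="0" writes the short form the post refers to as the "0URL" format.
    print("\n".join(normalize([SOURCE_A, SOURCE_B], sink="0")))
```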
Old 07-15-2008, 07:30 AM   #37 (permalink)
APK
YET ANOTHER REASON TO LIMIT THE USAGE OF JAVA/JAVASCRIPT, etc.

Researcher to demonstrate attack code for Intel chips:

Researcher to demonstrate attack code for Intel chips | InfoWorld | News | 2008-07-14 | By Sumner Lemon, IDG News Service

SALIENT/PERTINENT EXCERPT:
----------------------------------------------------
"Kaspersky says CPU bugs are a growing threat, with malware being written that targets these vulnerabilities... Security researcher and author Kris Kaspersky plans to demonstrate how an attacker can target flaws in Intel's microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of what operating system the computer is running."
----------------------------------------------------

* Now can anyone see WHY I recommended turning off Java/Javascript (& other browser addons/extension languages) for "every site you use under the sun" + IFrames etc.? Personally, this one's pretty bad, worse than what is out there/here now, worse than rootkits even in some ways...

However, I also think worse are on the way even moreso...

(... & I mentioned the architecture they could possibly use, quite "terminator-like", for rootkit delivery systems & such here earlier. Especially ones that can flash your BIOS, &/or other updateable PROMS (mainly because if usermode tools from vendors like ASUS + GIGABYTE & doubtless others can do it, from inside Windows, so can malwares & same way (via drivers & bios img files))

APK

P.S.=> There are more examples inside this guide, & of this SAME type of idea (crank off the java/javascript etc. et al & ONLY keep it active on sites you ABSOLUTELY need it for, to have the site function properly - lessening your potentially attackable surface online basically).. heck, even adbanners have exploits of this nature in them lately...

The examples I put in this guide ARE far older too, dating back 1-3 yrs. but the point is only here, again, & moreso (far more dangerous this time, imo @ least)... apk

Last edited by APK; 07-15-2008 at 01:23 PM.
Old 08-29-2008, 10:59 PM   #38 (permalink)
APK
Have @ it: Imo, it's FINALIZED - Your "IRON MAN ARMOR ONLINE"... apk

Well, @ this point?

I think this guide's PRETTY SOLID, because nobody has been able to "add points" to it, from across 27 other forums online (many are "serious geek" oriented sites too)!

(... & the fact that some folks from "THE PLANET" (a large website & hosting provider online) offered to hire me on as a remote security specialist @ this point (pretty cool) for Win2k3 servers they use, as well as what appears to be their personally managed or owned sites also (KTInteractive)).

In any event?

@ People Reading:


This IS your "Iron Man Armor Online"!



So, have @ it ('snap it on') - & enjoy a F A S T E R, & FAR MORE S E C U R E online setup on your Windows NT-based OS' of today (Windows 2000/XP/Server 2003 & yes, even VISTA to a good extent) via applying CIS Tools' suggestions & my own that "layer on top of it"...

:)

* I am FAIRLY certain it's done - As I can't think of any more points & methods to secure your Windows NT-based rigs, & thus, I close this post off... she's all done as far as I am concerned... this same message will go across ALL others like it that I am still able to edit/add to online, @ some point today in fact.

APK

P.S.=> Sorry for the 'closing note' but, if anyone's interested, this is the "final model" of this guide & its points... enjoy! apk

Last edited by APK; 08-31-2008 at 06:55 AM.