Read here below to get the details, & past that, to patch yourself easily with an easy fix I figured out:

---- Oops! Missed One Fix — Windows Attacks Under Way ----

&

---- Microsoft warns of new Windows bug, says attacks under way (WordPad Text Converter flaw wasn't patched in big Tuesday update) ----

What is below, courtesy of "yours truly", fixes it! (Simply by altering the file association for the Explorer/IE shell from WordPad.exe to winword.exe (it's immune to this, & Ms-Word handles old Windows 3.x & NT 3.5x Ms-Write .wri files just fine...))

.REG FILE TO USE IF YOU USE WinWord 2003/Ms-Office 2003 (easily altered for 2000/XP/2008 versions):

----
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.wri]
@="Word.Document.8"
"Content Type"="application/msword"

[HKEY_CLASSES_ROOT\.wri\PersistentHandler]
@="{98DE59A0-D175-11CD-A7BD-00006B827D94}"

[HKEY_CLASSES_ROOT\.wri\Word.Document.8]

[HKEY_CLASSES_ROOT\.wri\Word.Document.8\ShellNew]
"FileName"="winword8.doc"
----

(That's a fix before Ms issues a fix, because it changes the .wri file extension's file association from opening in WordPad.exe if you click on any bogus files sent your way (hopefully not, but just in case), & the shell will spawn the process as Microsoft Word, which is immune to this in most modern versions of it, if not all versions.) A simple to do, easy fix for anyone, even before MS issues a fix...

POTENTIALLY/POSSIBLY IMPORTANT: IF you have versions of Ms-Office (Ms-WORD specifically) other than 2003? You MIGHT have to change "Word.Document.8", wherever it appears above, to whatever version number yours is, along with the GUID used to do the OLEServer library marshalling/summoning of Word to open .wri files with, instead of Wordpad.exe, & that's found in the .doc file association under -> HKEY_CLASSES_ROOT, easily enough...

APK

P.S.=> "We can do this... We HAVE the technology!", lol, too bad MS didn't. Talk about easy, I don't see HOW they could have missed this IF it was a KNOWN issue that came up before "Patch Tuesday" 2 days ago. I thought of it in literally 2 seconds, & it took maybe 2 minutes to make the file & test it; it works... apk
__________________
"I'm Reese: Sgt. TechComVN38416 assigned to protect you - You've been TARGETTED FOR TERMINATION!" |
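As an added example (not the poster's own code) of how to check whether the .wri association change above has actually taken effect: export the key with `reg export HKEY_CLASSES_ROOT\.wri out.reg` and run the parser below over it. The parser handles the Registry Editor 5.00 format the post uses ([key] sections, @ defaults, quoted strings, dword values, [-key] deletions). The "before" sample is constructed, and its ProgID "wrifile" (the stock WordPad mapping) is an assumption, not something stated in the post.

```python
# Added example: parse a .reg export and report which ProgID the .wri extension maps to.

# The .reg file from the post above, verbatim (Registry Editor 5.00 format).
FIX_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.wri]
@="Word.Document.8"
"Content Type"="application/msword"

[HKEY_CLASSES_ROOT\.wri\PersistentHandler]
@="{98DE59A0-D175-11CD-A7BD-00006B827D94}"

[HKEY_CLASSES_ROOT\.wri\Word.Document.8]

[HKEY_CLASSES_ROOT\.wri\Word.Document.8\ShellNew]
"FileName"="winword8.doc"
"""

# Constructed sample of an export taken BEFORE applying the fix. The ProgID
# "wrifile" (WordPad's association for .wri) is an assumption made for this example.
STOCK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.wri]
@="wrifile"
"""


def _decode_value(raw):
    """Decode one .reg value: quoted strings are unescaped, dword: becomes an int,
    and anything else (hex:, hex(2):, ...) is returned as raw text."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Parse Registry Editor 5.00 text into {key: {value_name: value}}.
    The default value is stored under the name "(Default)"; a [-key] line deletes that key."""
    tree = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):          # deletion directive
                tree.pop(key[1:], None)
                current = None
            else:
                current = tree.setdefault(key, {})
            continue
        if current is None:
            continue
        name, sep, value = line.partition("=")   # first '=' separates name from value
        if not sep:
            continue
        name = "(Default)" if name.strip() == "@" else name.strip().strip('"')
        current[name] = _decode_value(value)
    return tree


WRI_KEY = r"HKEY_CLASSES_ROOT\.wri"


def wri_association(tree):
    """Return (ProgID, Content Type) recorded for .wri, or (None, None) if the key is absent."""
    ext = tree.get(WRI_KEY, {})
    return ext.get("(Default)"), ext.get("Content Type")


def wri_opens_in_word(tree):
    """True when .wri maps to a Word document ProgID (Word.Document.N, the post's fix);
    False for any other mapping, such as the stock WordPad one."""
    progid, _ = wri_association(tree)
    return bool(progid) and progid.startswith("Word.Document.")


if __name__ == "__main__":
    for label, text in (("stock", STOCK_EXPORT), ("fixed", FIX_EXPORT)):
        tree = parse_reg(text)
        print(label, wri_association(tree), "opens in Word:", wri_opens_in_word(tree))
```

Feed it the text of a real export instead of the embedded samples to audit a machine; any ProgID other than Word.Document.N means the .wri handler was not changed (or was changed back).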
To anyone using VISTA, Windows Server 2008, or the new "Windows 7" (which rocks, especially in 64-bit form)? Don't use the point I noted as this in its first sentence:

6.) USE Tons of security & speed oriented registry hacks

Not unless you ABSOLUTELY KNOW what you're doing. (See, the older registry .reg file 'hacks' that worked FINE on Windows 2000/XP/Server 2003 won't work (not all of them @ least) with VISTA, Server 2008, or the new Windows 7. So, "Steer Clear" of those on the newer MS OS'!) Thanks!

APK

P.S.=> On that "note"? I like Windows 7, very much (again, especially in its 64-bit build), & it amazes me how F A S T it is, even with its large number of services resident + running by default - &, when you "trim them down" even more? You get THAT MUCH FASTER!

The services are now also secured better, by using "lesser privilege" user SID entities ("built-in" types vs. LOCAL SYSTEM, such as NETWORK SERVICE or LOCAL SERVICE), which I go into HOW TO DO IT on Windows 2000/XP/Server 2003 here (Server 2003 has much of it, as does XP, after MS did service packs + hotfixes, & Windows 2000 lacks a few "built in" entities, but you can "mock up" a lesser privileged one easily enough to do that there also - this has put Windows on level with the likes of the BSD based MacOS X in that respect, which is GOOD!)

Now, IF only MS would fix up HOSTS files being unable to use the FAR MORE EFFICIENT & FASTER "0 ip address" (pings resolve it back to 0.0.0.0 though on Windows 2000 (after service packs though, MS put it in there around SP#1-4 somewhere, so it was seen as a GOOD THING by them, because the original OEM version did not allow that, & only allowed as good as using 0.0.0.0 in a HOSTS file (which IS better than 127.0.0.1 by 2 bytes per line), but using 0 beats them both, by large margins, making for a faster load up into RAM (be that the local DNS cache (disable that on larger HOSTS files), or the local diskcache kernel mode subsystem)))? Windows 7 would be THAT MUCH BETTER, for both security and speed! Well, in this case, ONLY for those that have the good sense to use a HOSTS file for added speed & security!

(FOR SPEED? BLOCK ADBANNERS (they too have been found to have malware in them for years now), & "hardcode" in your fav sites' IP Address-to-DomainName/HOSTName? Well, doing that, you avoid calling out to potentially downed or compromised DNS servers (see Dan Kaminsky online for the latter; the Domain Name System has problems, even the "allegedly invulnerable" DJBDNS was found to have holes in it for security this year in fact)! Thus, saving you between 30-x ms queries to those remote DNS servers (which CAN be logged no less as well), & instead using the speed of MEMORY/RAM (many, Many, MANY orders of magnitude faster) once the HOST file is loaded (which still occurs faster, because it would be using diskspeeds of today, which are 3-10 or more orders of magnitude faster than calling out to remote DNS servers). HOSTS use no CPU cycles, vs. DNS programs, + they are EASILY EDITED vs. even other filters like IPTables in Linux (easier in notepad imo & ANYONE can do it, we all have text editors is why, on ANY OS), & cost you NOTHING (many good sources for good ones too, like -> Hosts file - Wikipedia, the free encyclopedia for starters, or SpyBot "Search & Destroy" for updates to it that block out KNOWN bad malscripted sites, or bad servers used to control "botnets" too!) I could go on & on on MORE of the benefits of HOSTS, but that'll do, for now (I hope MS fixes this removal of 0 as a blocking "ip" in HOSTS in Windows 7 @ least, because it is more efficient & faster).

What worries me some though, even more, on SECURITY? This, on Windows VISTA, Server 2008, & Windows 7's Firewall: rootkit.com

PERTINENT EXCERPT/QUOTE: "BTW, the firewalls based on NDIS v6, which was introduced in Windows Vista, are much easier to unhook and bypass."

That was a DIRECT QUOTE from said URL I just posted from rootkit.com ... & it 'worries me' some. I have confronted MS tech people & mgt. on this, to no avail... I don't know WHY they won't answer either - I am only asking WHY the thing with HOSTS was done, no answers, & pointed out to them what ROOTKIT.COM said above, many times (on MSDN, @ INTEL, @ /. with a user there named "Fordecker" who is a senior MS development mgr. for Windows no less, & also on the "Engineering Windows 7" blog by S. Sinofsky, a "Big Man" @ MS on Windows no less)... apk
__________________
Worried about being 1 of the 7++ million PC's infected/infested by the "CONFICKER" worm, per this article today @ /. (SLASHDOT)?

---- Slashdot | After 1 Year, Conficker Infects 7M Computers ----

Ok then, so you are apparently concerned, if you have read this far already! Well, then here is a way to test yourself to see if you are infected/infested. Click on the URL below, & just literally see for yourself, here:

---- http://www.confickerworkinggroup.org...feyechart.html ----

(And, good luck, hope you're not infested/infected (I wasn't, thank goodness!)).

APK

P.S.=> ... & it truly is as EASY as it gets (it's called the "conficker eye chart", & IF you can see all 6 pictures, then you are NOT infected, but if you cannot? It means it is quite possible you have been infected by this machination known as "conficker")... apk
__________________
NOW, if you cannot reach that site (which has happened to folks today per this exchange I had on another forum -> HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA - AT Forums)?

It only means that the testing site has been "/.'d" (too many requests by users to that server; it happens, almost like a DOS/DDOS really, every website server has limits, which yes, can be RAISED by most site admins in fact, in the board engine's config files (usually)). Still, if you show up "infested", Guys, there are cures, such as this list: "Conficker" and "removal tool" - Google Search :) * Hope you're not, & hope if you are, you can remove it via said lists of removal tools is all!

APK

P.S.=> Onwards & upwards... apk
__________________
Thanks again man, I know they're called double quotes, I looked it up on google before posting, because I wasn't sure; besides, I didn't want to refer to them as 'quotes' to prevent myself from sending the wrong message (again), I was not quoting, and I found they were called either double quotes or single quotes.

PS: the 'simple' instead of 'single' was my bad, no parallel meaning behind it lol
Oh, "You're welcome", I suppose... just not sure what you mean next though:

Quote:

AND, I don't perceive any "double entendre" on your part (like trying to "rib on me", via some double meaning, so... there ya are!). :)

* Anyhow/anyways - guys, DO read my last 3 posts & possibly especially the P.S. in my 1st of the last 3, in regards to ROOTKIT.COM's findings ESPECIALLY! Then, offer your thoughts (or not), but DO check yourselves vs. this Conficker malware (it's a bad one, & it's NOT just some "chump script kiddie" infestor either)... The only way I have seen to detect it is to either D/L tools that do so, & remove it (per the URL for that above), OR the simple "visual test" above also.

I.E.-> This Conficker thing? Hey - It was written by a REAL PRO, because the ******* is incredible @ covering its own tracks (& opens the hole it uses (+ then later even shuts it))... SUPER-CLEVER design, imo (speaking as someone who's been @ this stuff, professionally, @ both a networking + coding level for 15++ yrs. now as a pro (inclusive of being multiply internationally published on my part 10x now or more)).

APK

P.S.=> Not meaning to "toot my own horn" on that last account, but, it's just how it has been for me (& there are guys out there a LOT better/stronger @ this field than I am - I can "get the job done" is all I feel, & I have a LOT more to learn & try to do so, everyday, so I can get better @ it too)... apk
__________________
Last edited by APK; 11-02-2009 at 02:09 PM.
I HAD A GOOD QUESTION FROM A USER TODAY, & HERE WAS MY ANSWER, IN CASE YOU CANNOT REACH THIS SITE TO CHECK YOURSELF (as it may be blocked by a malware, or even yourself, via various means, instead of just being flooded by users requesting on it, effectively "slashdotting" (almost DOS/DDOS'ing) said site to check yourself vs. CONFICKER)

So... here we go as to the possibles! FROM -> http://www.hftonline.com/forum/showthread....6049#post116049

--------------------

Quote:

So, check it for that site being in there/those, blocked as follows (a few possibles): I strongly DOUBT you did any of these yourself, but... one never knows, so, here goes:

=====

POSSIBLE #1 - That the site to check yourself is actually BLOCKED in YOUR HOSTS FILE

That file is typically found under %Windir%\System32\drivers\etc, or if you moved it, check the registry for the value here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters & check the DataBasePath value (That STRING VALUE SZ stores your HOSTS file location, the TRUE ONE your system will be using, & you CAN move it if you like... but, so can malwares):

0 www.confickerworkinggroup.org
0.0.0.0 www.confickerworkinggroup.org
127.0.0.1 www.confickerworkinggroup.org

(ANY OF THOSE WILL BLOCK OUT SITES, GOOD SITES, or KNOWN BAD ONES, so, check your HOSTS file, first! Conficker MIGHT ACTUALLY TRY TO PULL THIS LITTLE TRICK, mind you!)

=====

POSSIBLE #2 - bad "hardcode" of a site address (which a malware might do, or, it just 'went stale' & the website found a NEW "hosting provider" & their IP addy changed - & YES: Sites DO do this, simply because they found better prices on hosting their sites for example, OR better services, but, they usually let you know when they do)

See if you, yourself, "hardcoded it as a favorite" (which you CAN DO, to speed up access to your fav sites by avoiding the 30-x ms traveltime for resolution of domainnames/hostnames to IP addresses with remote or local DNS servers)? Your "hardcode for speed" (as well as reliability IF a dns server you use goes down OR is poisoned (see Dan Kaminsky on this online in regards to this)), well... it can 'go stale' or change (because the website found a new hosting provider for instance, because they're cheaper or better etc. et al as noted above earlier)...

(I.E.-> You CAN "mess this up", especially over time, with the wrong IP address (yours may vary on what you get as a return IP address from your DNS server too, than my example here is, be aware of that too)):

----

A.) E.G.-> RIGHT IP ADDRESS EQUATION FOR HARDCODE (for me, not same for you possibly - remove any hardcodes, if any in your HOSTS file, reload it (edit & save it in Windows XP/2000/Server 2003/VISTA/Server 2008/Windows 7 since they have a "dynamic PNP" loaded IP Stack) or reboot (you MUST in Windows 2000 - IP stack FULLY LOADED prior to bootup is why ONLY, not only when users request on it like in later Windows' versions)):

149.20.20.82 www.confickerworkinggroup.org

B.) E.G.-> WRONG IP ADDRESS EQUATION (something CONFICKER Might actually do in fact, IF you are "hit" by it/victim to it OR if the site you hardcoded changed hosting providers etc.):

10.1.1.1 www.confickerworkinggroup.org

(10.x.x.x, & iirc, 172.x.x.x ESPECIALLY WILL NOT GO "OUTBOUND" TO THE INTERNET, & ARE MUCH LIKE 192.168.x.x is... only for internal networks/LANS & DHCP on the last one, the others are for static internal addresses!)

HOW TO GET THE RIGHT IP ADDRESS FOR YOU, FROM YOUR DNS SERVERS YOU USE? PING THE SITE FROM A DOS CMD.EXE WINDOW PROMPT/TTY CONSOLE! E.G.->

C:\> ping Technology content trusted by users all around the world :: TweakTown

BUT, only after you remove it from a HOSTS file & save it to reload it (or reboot after edit + save, on Windows 2000 & below). That command WILL return the correct IP address, once it is not found in your HOSTS file (IF it is @ all that is).

----

(These (POSSIBLE #1, & POSSIBLE #2A & #2B)? THEY are the ONLY 'downsides' of using a HOSTS file, it CAN be "used against you too", by malwares... so, be aware of this little tidbit too!)

=====

POSSIBLE #3 - in BROWSER INTERNAL BLOCKLISTS THEMSELVES (this too can be "misused" by malwares against you, OR, it can help you too (spybot s&d populates these along with HOSTS for example, for "the good")):

NOW, if it is NOT blocked there/THOSE above?

1.) Check your IE "restricted sites" list (IE 7-8 have easy facilities for this, in "INTERNET OPTIONS" or MSCONFIG (iirc on the latter here), & in IE6 you have to search the registry for it here -> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4

2.) Opera has its FILTER.INI &/or URLFILTER.INI which can do the same (block sites, ONLY @ THE BROWSER (opera) level though, not globally like HOSTS do or can)

3.) FireFox/Mozilla variants also have "internal to FF/Mozilla only" blocked lists-restricted sites as well. Any of these also can "go stale" due to sites changing hosting providers, OR, due to a malware 'bushwhacking' them...

4.) AND, CHECK YOUR IE "browser addons" (possibly even FF ones too) that are malwares possibly, because THEY CAN "intercept" calls to GOOD SECURITY SITES TOO, so check your addons for bogus ones in your webbrowsers too!

5.) ONCE ALL OF THAT IS CHECKED (hosts, browser addons, & browser block lists/restricted zones)? CLEAR YOUR LOCAL WEBBROWSER CACHE, RELOAD YOUR HOSTS (if you use it & editing it + saving it will do that on Windows XP/Server 2003/VISTA/Server 2008/Windows 7 or, a reboot after edit will on Windows 2000), & try the site again, once ALL OF THOSE AREAS "CHECK 'ALL CLEAR'"...

====

SO - be aware of ALL of the above, & their mechanics involved. Malware makers are, & so should you be, as a "security conscious" user of Windows systems @ least! With that all above? You SHOULD be, on this account. Good luck!

APK

P.S.=> Odds are though, they've been "SLASHDOTTED" by too many users requesting on them, because /. is such a HEAVILY travelled/used website... especially if "NONE OF THE ABOVE" holds true... apk
__________________
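The HOSTS-file checks above (POSSIBLE #1, a security site blackholed with 0 / 0.0.0.0 / 127.0.0.1, and POSSIBLE #2A/#2B, a "hardcode" that is either a live public address or a stale/unroutable one) can be run as a script instead of by eye; the same audit applies to the HOSTS-for-speed setup described a few posts earlier. The following is an added example, not the poster's code: the sample HOSTS content is constructed, the hostname www.favorite-site.test is made up, and the DataBasePath registry lookup is the key named in the post (it only works on Windows, so the script falls back to the sample elsewhere).

```python
import ipaddress
import os

# Added example: audit a HOSTS file for blackholed names and bad "hardcodes".

# Constructed sample HOSTS file (not from any real machine).
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
0.0.0.0         ads.example-adserver.test      # ordinary ad-blocking line
0               www.confickerworkinggroup.org  # POSSIBLE #1: a security site blackholed
10.1.1.1        www.favorite-site.test         # POSSIBLE #2B: hardcode to a private address
149.20.20.82    www.confickerworkinggroup.org  # POSSIBLE #2A: hardcode (the IP the post shows)
"""

# Addresses the post uses to "block out" a name: 0, 0.0.0.0, 127.0.0.1 (plus IPv6 loopback).
BLACKHOLE_ADDRESSES = {"0", "0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (address, hostname) pairs; '#' comments and blank lines are skipped,
    and a line carrying several hostnames yields one pair per name."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def is_routable(addr):
    """True only for a syntactically valid, globally routable address; '0', the
    private ranges (10/8, 172.16/12, 192.168/16), loopback and reserved space are False."""
    if addr == "0":
        return False
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def audit_hosts(text, watch_hosts):
    """Classify every HOSTS entry for the names in watch_hosts.

    Verdicts:
      'blocked'    - blackhole address: the name never resolves (POSSIBLE #1)
      'hardcoded'  - public address: works today but can go stale (POSSIBLE #2A)
      'unroutable' - private/reserved/invalid address: never reaches the site (POSSIBLE #2B)
    The resolver uses the first matching line, so the first verdict listed is the one in effect.
    """
    watch = {h.lower() for h in watch_hosts}
    findings = {h: [] for h in watch}
    for addr, name in parse_hosts(text):
        if name not in watch:
            continue
        if addr in BLACKHOLE_ADDRESSES:
            verdict = "blocked"
        elif is_routable(addr):
            verdict = "hardcoded"
        else:
            verdict = "unroutable"
        findings[name].append((addr, verdict))
    return findings


def hosts_path_from_registry():
    """On Windows, read DataBasePath from HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters
    (the value the post points at) and return the HOSTS path; returns None on other platforms."""
    try:
        import winreg  # Windows only
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    db_path, _ = winreg.QueryValueEx(key, "DataBasePath")   # usually REG_EXPAND_SZ
    return os.path.join(os.path.expandvars(db_path), "hosts")


if __name__ == "__main__":
    path = hosts_path_from_registry()
    if path and os.path.exists(path):
        text = open(path, encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_HOSTS
    for host, hits in audit_hosts(text, ["www.confickerworkinggroup.org", "www.favorite-site.test"]).items():
        print(host, "->", hits or "not in HOSTS (normal DNS resolution)")
```

A name that is absent from the file gets an empty list, which is the normal state; any 'blocked' or 'unroutable' hit on a site you did not add yourself is the condition the post tells you to look for.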
A possible point noted by another user @ another forum, for those interested in securing their Windows NT-based OS PC:

FROM -> http://www.pcreview.co.uk/forums/showthrea...41#post13641341

----
Quote: Originally Posted by Srivas
Btw. CIS tool is not a freeware, is there any other program to benchmark your level of security?
----

It used to be free, I guess it's not now (I am taking this gent @ his word, I have not tested this by going to the download site in years, but still)... as alternates, you may use/can try:

====

1.) BELARC ADVISOR (free, & works VERY well) -> Belarc Advisor - Free Personal PC Audit

or

----

2.) "SCW" (security configuration wizard) which is an addon for Windows Server 2003, possibly VISTA, & for sure Windows 7 (you add it in CONTROL PANEL, Add-remove WINDOWS components).

OR

----

3.) Microsoft ALSO OFFERS "Microsoft Baseline Security ADVISOR" ->

For Windows 2000/XP/Server 2003 (32 & 64-bit downloads are there): http://www.microsoft.com/downloads/details...;displaylang=en

For Windows 7 & Server 2008 R2 (32 & 64-bit downloads are there): http://www.microsoft.com/downloads/details...;displaylang=en

====

... but, iirc, the latter in #3 depends on various services running! (I am no longer EXACTLY sure which services those are anymore, but iirc, they are ones that use NTLM networking based or AD services based (e.g.-> lanman/netbios type sharing being working & Client for MS networks active in your network connection, + File & printer sharing AND server service + workstation service active & POSSIBLY the NetBIOS over TCP/IP helper service as well - but, don't "quote me" on this, I just know it will not run IF you trimmed off various services...))

APK

P.S.=> ALSO, IN THIS THREAD? Well - I believe I noted SCW, but only for Windows Server 2003 earlier in this post (I did), but it exists for Windows 7 now, standard, apparently (I installed it on Windows 7 64 bit pro so it does exist for it too)... So, there are some "alternate options/tools" to use for better security online (and speed too, especially from SCW)... apk
__________________
Last edited by APK; 11-03-2009 at 08:26 PM.
OK, for those of you that have "moved on" to VISTA (or Windows Server 2008 & Windows 7), as I have recently, in my now using Windows 7 64-bit here?

(For around 2++ weeks now or so, in using Windows 7 here, & doing well thus far, @ least)

WELL - here is what I have done so far to help secure Windows 7 more:

BACKGROUND: Since this guide was originally intended for folks with a SINGLE SYSTEM online (or many via a router, but NOT "networked together" via Active Directory (or otherwise) for File/Folder & Print Sharing, for example/for instance), this too is intended for that SAME kind of "audience", albeit in regards to Windows 7 (again - I use the 64-bit model of Windows 7 here, but this ought to be fine for 32-bit users as well)

====

Start up SERVICES.MSC (You will need this for turning on/off various services is why)

1.) Turn off the SERVER service (this also aids in making you less vulnerable to the CONFICKER bug out there too, because this service "publishes" shares on your system) - in turn, in making you more secure, this also lessens another service that you DO NOT NEED TO BE RUNNING, period, when you are a "standalone single machine @ home connected to the Internet" - do NOT do this if you are part of a LAN/WAN though, you need it in those environs typically... I also run this .cmd "batch file" on Windows 7 @ my startup (via a shortcut that loads it & runs it minimized):

----
@echo off
NET SHARE C$ /DELETE
NET SHARE B$ /DELETE
NET SHARE D$ /DELETE
NET SHARE E$ /DELETE
NET SHARE F$ /DELETE
NET SHARE G$ /DELETE
C:
NET SHARE ADMIN$ /DELETE
NET SHARE IPC$ /DELETE
NET SHARE DFS$ /DELETE
NET SHARE COMCFG$ /DELETE
REM /Y answers the "continue?" prompt so the script cannot stall when it runs minimized at startup
NET USE * /DELETE /Y
REM last line is to force complete read of HOSTS file into RAM, that domainname/hostname is the last line in it... apk
ping zzzz.hostindianet.com
----

That removes shares (just in case, overkill yes, but still, just being safe) & FORCES my system to load my HOSTS file in its entirety too (into my local diskcache kernel mode subsystem's arrays/buffers/structures, because that is the last entry in it & pinging it SHOULD force my system to look into that HOSTS file of mine (more on THAT below, lots more) & since it is the LAST ENTRY, it will read the entire file into RAM @ that point, to do so, effectively caching my HOSTS file, right then & there) - do NOT do this if you are part of a LAN/WAN though, you need it in those environs typically

----

2.) Turn off the TCP/IP over NetBIOS service (this is not needed by a person who does not have a home LAN either, or needs to share his files/folders/disks out to others remote to the system in question also, much like SERVER service above) - do NOT do this if you are part of a LAN/WAN though, you need it in those environs typically

----

3.) I have also been able to turn off the WORKSTATION service as well on Windows 7, albeit ONLY AFTER I BOOTUP & LOGON in test so far, not sure if you can DISABLE it & still logon, so... keep that in mind! (This service deals in SMB (server message block iirc) networking) Turning it off, like any service you don't really need, results in YOUR saving more CPU cycles, RAM, & other forms of I/O also, + even electric power really... as you're not running a program & using power, just like ANY of the above or below recommendations for turning off programs of most any kind really do (albeit, this isn't as much of a "security gain" as the top 2 above are imo) - do NOT do this if you are part of a LAN/WAN though, you need it in those environs typically.

----

4.) I have also turned off (set disabled) the SSDP Discovery Service (don't need it here is why)

----

5.) I have also turned off (set disabled) the Function Discovery Provider Host Service (don't need it here is why) - do NOT do this if you are part of a LAN/WAN though, you need it in those environs typically (well, in this case, POSSIBLY only).

----

6.) I have also turned off (set disabled) the Net.Tcp Port Sharing Service (don't need it here is why & this MIGHT be somewhat of a 'security risk' too, imo @ least, in leaving it "on" & running 24x7) - do NOT do this if you are part of a LAN/WAN though, you need it in those environs typically (well, in this case, POSSIBLY only).

----

7.) I have also turned off (set disabled) the SSDP Service (don't need it here is why & it "ties in" with UPnP below (read that one))

(End of PART #1 of 2 - this forum only allows 10,000 chars per post, so my next post concludes this)

APK

P.S.=> Parts #2-#4 continue on next page, as to "How to Secure Windows 7"... apk
__________________
Last edited by APK; 11-10-2009 at 05:43 AM.