
Thread: HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA, fully, per CIS Tool scoring




  1. #51
    Join Date
    Nov 2007
    Location
    A discrete point in the space-time continuum...
    Posts
    60

    The "dim beginnings" of how to Secure Windows 7 (Part #2 of 4)... apk

    (Part #2 of 4, continuing my last post above)...

    ----

    8.) I have also turned off (set disabled) the UPnP Service (don't need it here is why & UPnP has been KNOWN to have vulnerabilities over time, in OS & in routers even, which IS noted in this guide as to how/when/where/why/what can be 'dangerous' about it...)

    ----

    9.) I have also turned off (set disabled) the WinHTTP Web Proxy Auto-Discovery Service (don't need it here is why) - do NOT do this if you are part of a LAN/WAN though, you need it in those environs typically (well, in this case, POSSIBLY only).

    ----

    * THAT'S THE END OF SERVICES TRIMMINGS (more on that & a GOOD SOLID CURRENT GUIDE FOR THAT? It's in my "P.S." below... for even more speed & possible security gains you get by turning off services you do NOT need possibly, running in the background when you really do NOT need them to be, soaking up CPU cycles, memory, & other types of I/O your programs you actually USE, could use, instead! Just common-sense, imo...)

    ANYHOW - onto the LOCAL AREA NETWORK CONNECTION:

    10.) Turn off Client for Microsoft Networking, QoS, + File & Print Sharing in your LOCAL NETWORK CONNECTION (avoiding the potential for shared disk/file/folder access even more, & do this ONLY IF YOU DO NOT HAVE TO CONNECT TO A LAN/WAN (local or remote) for disk/folder/file sharing only, or if you are NOT part of a HOME or WORK LAN/WAN)... & really, any others, other than TCP/IP (this you need for online access).

    While you are there, in your LOCAL AREA CONNECTION?

    Well - Additionally, You can DISABLE TCP over NETBIOS as well in the LOCAL AREA CONNECTIONS' properties for Tcp/IP, & the ADVANCED button, then click on the WINS tab & check "DISABLE NetBIOS over TCP/IP"
    ... &, there are a few more too, read on:

    Extra protocols &/or services that Windows 7 has, such as "Link Layer Topology Discovery Mapper I/O Driver" &/or "Link Layer Discovery Responder" can also be "cranked off" & apparently to NO DETRIMENT EITHER (I have been running for weeks now without it & I am here posting, aren't I? If that doesn't say or prove it for me, not much will I guess... lol!)

    I also add in OpenDNS' servers there in the DNS tab (advanced Tcp/IP properties) & their IP addresses are:

    208.67.220.220
    208.67.200.200

    (They are a FASTER DNS system, & respond to fixes + patching faster than any other did when Mr. Dan Kaminsky found the holes & security vulnerabilities he did last yr. in the Domain Name System (DNS)).

    LASTLY (though this is more of a "speedup" than a securing tip)? Try this:

    Create/paste this into notepad.exe & save it with a .cmd extension (32/64-bit batchfile really, just ends in .cmd rather than .bat, as 16-bit command.com driven ones did in DOS & Windows too)

    @echo off
    rem Windows 7 TCP/IP stack tuning batch file (save as .cmd, run elevated).
    echo Setting TCP/IP flags...
    echo -----------------------
    echo This only succeeds when run as an administrator,
    echo when run as a user it only shows the current settings.
    echo.
    pause
    echo.
    rem Each "netsh int tcp set global" line changes one global TCP parameter.
    netsh int tcp set global rss=enabled
    netsh int tcp set global chimney=automatic
    netsh int tcp set global netdma=enabled
    netsh int tcp set global dca=enabled
    netsh int tcp set global autotuninglevel=normal
    netsh int tcp set global congestionprovider=ctcp
    netsh int tcp set global ecncapability=enabled
    netsh int tcp set global timestamps=disabled
    pause
    cls
    rem Show the resulting global TCP settings for review.
    echo Current settings:
    echo -----------------
    netsh int tcp show global
    pause

    Then, lastly, run it... (create a shortcut to it, & use the ADVANCED button in the shortcut to "RUN AS ADMINISTRATOR"). This is supposed to speed up & help your IPStack perform better/faster, in Windows 7. I just tried it today, seems to work ok (no detrimental effects so far @ least that is).

    Anyhow: "Onwards & Upwards!"

    ----

    11.) IF you use a "largish" custom HOSTS file? TURN OFF THE DNS CLIENT SERVICE (which is just like the ones in Windows 2000/XP/Server 2003, which this guide covered MOSTLY as to how to secure those)... - do NOT do this if you are part of a LAN/WAN though, you need it in those environs typically, especially on an "AD Network" on a LAN/WAN (Active Directory is HEAVILY dependent on DNS is why).

    * NOW, if you do not do this (turn off the DNS cache local client service), & you use a larger HOSTS file? You will LAG, & badly... amazingly badly in fact!

    (I have written MS on this, only to have it "fall on deaf ears" really, so this IS the 'workaround' for that, rather unfortunately, because I believe it can be fixed for larger HOSTS files too, by altering how much can go into the C/C++ structure for records that DNS uses, based on reference BSD designs @ least (I don't have MS' sourcecode so... well, I can only guess on their designs, though they, like most others, tended to use the BSD model to start from @ least for TCP/IP)).

    ----

    (End of Part #2 of 4)

    APK

    P.S.=> Part #3 of 4 is next below... apk
    Last edited by APK; 11-10-2009 at 04:42 AM.
    "I'm Reese: Sgt. TechComVN38416 assigned to protect you - You've been TARGETTED FOR TERMINATION!"

  2. #52

    The "Dim Beginnings" of how to secure Windows 7 (Part #3 of 4)... apk

    12.) USE A CUSTOM HOSTS FILE (for BOTH added SPEED, but more importantly FOR BETTER SECURITY ONLINE):

    Custom HOSTS files can literally double your speed online via blocking adbanners (good & bad ones) + having the option to "hardcode in" your favorite websites IP Addresses into a HOSTS file next to its HOSTNAME/DOMAINNAME, avoiding having to call out to remote DNS servers (many of which have been found exploitable, even the allegedly "invulnerable djbdns system", by Mr. Dan Kaminsky & others in case you are interested in specifics here on this note), saving a GOOD 30-N ms roundtrip traveltime per call to remote DNS server to resolve a URL to an IP address...

    BUT, their best benefit? Even better than "double your normal internet surfing speed online" (it will get faster, read here in fact):

    ----

    RESURRECTING THE KILLFILE:

    (by Mr. Oliver Day)

    Resurrecting the Killfile

    PERTINENT EXCERPTS/QUOTES:

    "The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet particularly browsing the Web is actually faster now."

    "From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

    ----

    So reiterating this: Even BETTER THAN THE SPEED GAINS HOSTS FILES PROVIDE, ARE the SECURITY GAINS!

    I.E./E.G.-> I have a pal named Jack, a PI by trade & license/degree, who used to get (no joke) 200++ viruses a week... NOT ANYMORE! He is CONVINCED, as am I, that a good current HOSTS file that blocks out known BAD SERVERS is the key here... as well as his saying literally "my intenet goes TWICE AS FAST with a HOSTS file"...

    (FOR GOOD RELIABLE/REPUTABLE HOSTS FILES? There are many good ones!)

    Try here ->


    Hosts file - Wikipedia, the free encyclopedia

    & you can use sites like Mr. Dancho Danchev's security blog to update them even more for security (i.e. - for the latest in listings of botnet "Command & Control Servers" or bad sites with malware on them in general, here -> Dancho Danchev's Blog - Mind Streams of Information Security Knowledge )

    OR

    Just use "Spybot 'Search & Destroy'" instead, as it updates your HOSTS vs. known bad websites (& your webbrowser of choice's private block lists, such as IE "Restricted Zones" here -> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 or via Internet Options in CONTROL PANEL, & others like Opera maintain private .ini files (URLFILTER.INI &/or FILTER.INI) for the same general purpose))

    E.G.-> Over the past 10 yrs. or so now, those sites have helped me build up a custom HOSTS file version that has over 660,000++ entries in it, of KNOWN BAD SERVERS OF ALL KINDS...

    Mine COMBINES mvps.org's & the one I built up myself since 1997, alongside all those @ the wikipedia site for HOSTS files above, that is completely free of duplicate entries (via a program I wrote & posted of here, "APK Hosts File Grinder 4.0++") & uses the SMALLEST + FASTEST POSSIBLE INTERNAL FORMAT for them on Windows 2000/XP/Server 2003 (0 blocking "ip address", e.g.-> 0 www.knownbadmalwaresite.com ) OR for Windows VISTA/Server 2008/Windows 7 (using 0.0.0.0 which though larger than 0, is the only thing that still works on those most modern versions of Windows)

    (ODD THAT, that diff. in blocking IP address used, but the dual layer IPv4/IPv6 tcpip driver in VISTA onwards must have facilitated this, but it too, up until 12/09/2008 could ALSO USE THE SMALLER & FASTER 0 BLOCKING "IP ADDRESS", but after that "Patch Tuesday", even VISTA no longer could... so, I am not sure of WHY MS has pulled this though I have confronted them numerous times on it, repeatedly, & I noted it above also).

    I mean, hey - Windows VISTA/Server 2008/& Windows 7?? They're ALL/EACH based off Windows Server 2003 code, which still can use 0 though oddly, making for smaller & faster HOSTS files - so why doesn't MS allow this now?? Boggles my mind, but worse, is the fact they have evaded answering me on it several times (on their own forums, & on ones like SLASHDOT too + more).

    ----

    PRACTICAL e.g. in the case of mine?

    a.) Using 0 gets me a 14mb sized HOSTS file, same line entries as the ones below, just using 0 as "blocking IP address" (vs. 0.0.0.0 or 127.0.0.1 which ARE larger & thus, slower to read)...

    Whereas, by way of comparison:

    b.) Using 0.0.0.0 on Windows 7 is up to 18++mb in size...

    c.) However, & WORST OF ALL for both speed & efficiency? 127.0.0.1, the default blocking address used, ends you up with a 22++mb sized HOSTS file!

    So, as you can see? I save 30% or so using 0 vs. 0.0.0.0 (have to use THIS latter one though, on VISTA/WinSrv2k8/Windows 7 though, what a shame) in filesize & thus loadspeed of my HOSTS file, AND approximately ALMOST 50% in size vs. using 127.0.0.1 - to any "naysayers" on this account, I can only say:

    "Argue with the numbers", & GOOD LUCK (you'll need it, more like a miracle really).

    ----

    (This turning away of being able to use 0 in a HOSTS in VISTA onwards (again, wasn't always this way in VISTA mind you) is "bloated", because 0 &/or 0.0.0.0 do the same valuable blocking, & are smaller + faster to load because of the size diff.... so, "do the math" yourself, & realize also that smaller files load & parse faster (line by line, in a WHILE loop, with each line terminating in a CR+LF (carriage return + linefeed/enter keypress), & eventually when the "EOF" (end-of-file trailer record-marker) is hit signalling the end of the file & thus the read loop in the File Open/Read-Write/Flush-Close I-O cycle)...

    Funniest part of all, is this: Windows 2000 didn't have 0 as a legit blocking IP address in its ORIGINAL DISTRO on CD from MS: They added it LATER... & kept it all the way into VISTA, until 12/09/2008 MS "patch tuesday"... why change it now, especially when it does a GOOD THING for a great thing (hosts files)?

    APK

    P.S.=> Final part is next below... apk
    Last edited by APK; 11-10-2009 at 04:50 AM.
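As an added example (not APK's post or his "APK Hosts File Grinder" tool), the Python script below applies the scheme described in the post to a constructed sample list: every blocking entry is rewritten to one chosen blocking address (0, 0.0.0.0 or 127.0.0.1), duplicate hostnames are dropped, lines are written with CR+LF, and the resulting file size is reported for each address. The sample hostnames and the TEST-NET address 192.0.2.10 are constructed, not taken from any real block list.

```python
"""Normalise a blocking HOSTS list and compare the size each blocking address yields.

Added example, not APK's tool. The sample input at the bottom is constructed.
"""
import ipaddress
import re

# Blocking addresses discussed in the thread and where each is usable (per the post).
BLOCKING_ADDRESSES = {
    "0": "Windows 2000/XP/Server 2003 (no longer accepted on Vista and later)",
    "0.0.0.0": "Vista/Server 2008/Windows 7 (works on the older versions too)",
    "127.0.0.1": "every version; the default most published lists use",
}

# Names that must keep pointing at loopback rather than at the blocking address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Hostname check: labels of 1-63 chars, no leading/trailing hyphen, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9_-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9_-]{1,63}(?<!-))*$"
)


def parse_hosts(text):
    """Yield (address, [hostnames]) per entry line; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:  # blank, comment-only, or an address with no name
            continue
        yield parts[0], [name.lower() for name in parts[1:]]


def normalize(text, block_addr):
    """Rewrite blocking entries to block_addr, dedupe hostnames, return (CRLF text, stats).

    Hard-coded site entries (a routable address next to a name) are kept verbatim.
    The first occurrence of a hostname wins, matching the resolver's first-match rule.
    """
    if block_addr not in BLOCKING_ADDRESSES:
        raise ValueError(f"unsupported blocking address: {block_addr!r}")
    seen = set()
    entries = []
    stats = {"kept": 0, "duplicates": 0, "invalid": 0}
    for addr, names in parse_hosts(text):
        is_block = addr in BLOCKING_ADDRESSES
        if not is_block:
            try:
                ipaddress.ip_address(addr)  # a hard-coded site IP must at least be an IP
            except ValueError:
                stats["invalid"] += 1
                continue
        for name in names:
            if not HOSTNAME_RE.match(name):
                stats["invalid"] += 1
                continue
            if name in seen:
                stats["duplicates"] += 1
                continue
            seen.add(name)
            out_addr = addr if (not is_block or name in LOOPBACK_NAMES) else block_addr
            entries.append(f"{out_addr} {name}")
            stats["kept"] += 1
    body = "\r\n".join(entries) + "\r\n" if entries else ""
    return body, stats


def compare_sizes(text):
    """Byte size of the normalised file for each blocking address."""
    return {addr: len(normalize(text, addr)[0].encode("utf-8")) for addr in BLOCKING_ADDRESSES}


# Constructed sample: mixed blocking addresses, a duplicate (case differs), one
# hard-coded site on a TEST-NET-1 address, and two malformed lines.
SAMPLE_HOSTS = """\
# constructed sample, not a real block list
127.0.0.1 localhost
127.0.0.1 ads.example-tracker.test   # tracker
0.0.0.0 malware-host.example.test
127.0.0.1 ADS.EXAMPLE-TRACKER.TEST
0 cnc.example.test
192.0.2.10 www.example.com
bad line here
0.0.0.0 -bad-.test
"""

if __name__ == "__main__":
    sizes = compare_sizes(SAMPLE_HOSTS)
    base = sizes["127.0.0.1"]
    for addr, size in sizes.items():
        pct = 100 * size / base
        print(f"{addr:>9}: {size:4d} bytes ({pct:.0f}% of 127.0.0.1) - {BLOCKING_ADDRESSES[addr]}")
    print("stats:", normalize(SAMPLE_HOSTS, "0.0.0.0")[1])
```

On a real list the per-entry saving (6 bytes for 0 vs 0.0.0.0, 8 bytes vs 127.0.0.1) is what produces the 14/18/22 MB spread the post describes.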

  3. #53

    The "Dim Beginnings" of how to secure Windows 7 (Part #4 of 4)... apk

    13.) Look @ your TCP/IP rules "INBOUND" tables in the "ADVANCED FIREWALL CONNECTIONS" section of your Windows Firewall (Run this command for a quick link to it -> %windir%\system32\WF.msc )

    There?

    Well, I have personally successfully turned off /BLOCKED an ENTIRE ARRAY OF DEFAULT ALLOWABLE PROTOCOLS I JUST PERSONALLY DO NOT NEED & I am again, here posting, just fine (after reboots & all mind you).

    (ALSO - this section here? WELL - This may vary by what you yourself need to do though, so bear that in mind)...

    PERSONALLY - I only left the "Core Networking" sections/lines as ALLOWED IN (& I am certain I can block out a couple of those too, but this is all what I have done "so far", successfully, only... more will come in the future I am sure on this one from myself, or others too).

    ----

    14.) A good run of secpol.msc (using its Account Policies &/or Local Policies Left-Hand Side tree items/folders).

    (& on secpol.msc, I applied "AnalogX's IP Security Policy", in the IP Security Policies section also (which I mention in this guide here earlier, & in AnalogX, & WHERE TO GET IT, with directions to install it (cake-easy) & it works great still, too!)

    PLUS I added myself as an ADMINISTRATOR user to nearly EVERY category in "User Rights Assignment"! I removed AND DENIED out the following users/groups in my DENY sections (the toughest ones really) in the secpol SECURITY OPTIONS section:

    DIALUP
    TERMINAL SERVER USER/GROUP (I don't use OR allow this here, you may)
    GUEST
    ANONYMOUS LOGON (especially this one)
    Remote Desktop Users (I don't use OR allow that here either)
    REMOTE INTERACTIVE LOGON
    IIS Users (I don't host a website here is why on this note)

    (STEER CLEAR OF THE DCOM RELATED SETTINGS GUYS - I DID THAT & CAUSED MYSELF A LOT OF "PAIN" (not really - Windows7 recovery bootup from install DVD or System Repair CD let me restore from a Restore Point perfectly once, & a System Image once, & those are the only other times I redid or had to redo this system on Windows 7, which happened the first day, while I was learning more (during tuning tests like these, or checking which boards/cards still worked for me here on Windows 7)... I'd try to help YOU avoid that, though it was not bad!

    I do this, this way, here... simply because I have run for the past 15++ yrs. now that way (beyond "STD. ADMINISTRATOR" or "SYSTEM" level rights even)... I do so, successfully!

    & despite the 'common belief' it's 'dangerous to do'? Well... I do that, & have not gotten infested/infected since, oh, around 1996-1997 that I know of @ least, but then I know to avoid using the "main malware delivery tools" in IFRAMES + JAVASCRIPT mostly, online, & also what sites I use that have proven reputable too (which some of you may or MAY NOT wish to elect to do on the elevated ADMIN/SYSTEM-LIKE rights assigned to yourself... &, especially if you believe in & espouse the UAC "least privilege principle", because its theory is SOUND, but it's not always that way in practice (per folks still getting infested in VISTA, & of course, the antivirus-antispyware test I note here in THIS POST, too))

    E.G.-> There, I gave myself every right possible under the sun almost (those who believe in the principle of "least privilege is safer" disregard this, & it's so UAC keeps "protecting you" (though it's not that great vs today's threats, it did stop 3/10 of the ones thrown @ it here -> Slashdot | Test of 16 Anti-Virus Products Says None Rates "Very Good" , it's still NO "Cure" for a user that does not give a hoot & just downloads + opens/runs any email attachment or binary executable from online that he finds, either)

    ----

    15.) GET MICROSOFT SECURITY ESSENTIALS (especially if you do not have a Windows 7 compliant/compatible antispyware + antivirus program)... it has been rated + reviewed VERY WELL online in antivirus/antispyware competitions-contests/ratings, & I have been using it and it is fairly FAST @ scanning files/folders plus, it is VERY LIGHT & operates QUITE "transparently" too... not much lag, IF any, is perceptible from it & it updates, daily too AND IS 100% FREE and WORKS!

    ----

    16.) Do the "FileSystem" & "Registry Hives" ACL security tip I noted here, adding yourself + SYSTEM (& any user groups YOU are part of, & removing other users that do NOT need to be there right out)... it works for security too.

    ----

    17.) Doing the above, on Windows? Between ALL THAT ABOVE should "do the job" & between that + running a tool like Microsoft Baseline Security Analyzer 2.1.1 (there are 32 &/or 64 bit models out there now mind you too + I posted the download links to them above here earlier a couple posts up from this one)!

    ====

    Doing ALL that to a Windows 7 System that is a "stand-alone" single system hooked to the internet only (not a LAN/WAN or home network)? You SHOULD be "OK"/Fine, for now @ least, on a secured Windows 7 setup...

    (NICE PART IS, imo thusfar @ least? Well, that is that it really SEEMS you do not have to do NEARLY ANYWHERE AS MUCH as what you had to do for Windows 2000/XP/Server 2003 though really, for security)

    ... Especially since MS has really, REALLY done a GOOD JOB of securing services for instance, so you don't really have to do that step anymore as I outlined in this guide early on, for securing services & for Windows 2000/XP/Server 2003 for the "utmost in security" even @ the services level, like MacOS X has for example... especially since MS has even helped THOSE older models of Windows do better there, via service packs + hotfixes for them altering the "logon SID entity identifier" services use (LOCAL SYSTEM, vs. LOCAL SERVICE or the least privileged in NETWORK SERVICE).

    ANYHOW/ANYWAYS: Well - That's my "Top 17", so far @ least, for Windows 7, for now... IF I find more?

    I'll put them up for your reference (and do pay attention to points in this guide too, as more than a few STILL APPLY to Windows VISTA, Windows Server 2008, & yes, Windows 7 still too)...

    APK

    P.S.=> NOW - For even MORE "speed-enhancing" services tunings (the above are for SECURITY mostly, but also help you gain speed by plain jane just not running them (pretty common-sense nowadays, & generally accepted as OK, even since the days when I authored what is probably the FIRST publicly noted guide for "Speedup & Securing Windows NT-based OS'" over @ NTCompatible.com as their "Article #1", which Neowin noted back in 2001 when they finally "got wind of it", here -> APK "A to Z" Internet Speedup & Security Text! & they rated it very well also))?

    Well, you may wish to check out "BLACK VIPER'S GUIDE", here:

    Windows 7 Service Configurations by Black Viper

    It's GOOD, & VERY CURRENT + ACCURATE (& flexible)!

    Amazes me, that ENTIRE SITES 'sprang up' out of the guide I did ages ago & based on the SAME PREMISE as my original guide was @ NTCompatible.com (circa 1997-2002) for NTCompatible.com as their "Article #1"....

    ... & I am glad because spreading good information around that makes the world a better place it is just fine by me @ least... (& Black Viper's is particularly OUTSTANDING in this regards, & he "kept up on it", keeping his website running & chock full of CURRENT INFORMATION on this topic, on more current OS (I stopped doing those around the time Windows VISTA came out is why, because it has a LARGELY "self-tuning IP stack" (when I did tunings for TCP/IP networking) & by that point, I had moved onto other areas (programming MOSTLY, vs. networking/tech stuff))... apk
    Last edited by APK; 11-10-2009 at 04:58 AM.

  4. #54

    A single bug has surfaced on Windows 7 & Windows Server 2008: Here is the workaround

    Per this security notification from SECUNIA.COM:

    Microsoft Windows SMB Response Denial of Service Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com

    Microsoft Windows SMB Response Denial of Service Vulnerability

    PERTINENT QUOTE/EXCERPT:

    ----

    "Description:

    Laurent Gaffié has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service).

    The vulnerability is caused due to an error when processing SMB packets received from an SMB server.

    This can be exploited to hang an affected system by tricking a user into connecting to a malicious SMB server via e.g. a specially crafted web site opened in Internet Explorer.

    The vulnerability is confirmed on a fully patched Microsoft Windows 7 and reported in Microsoft Windows Server 2008 R2."

    AND:

    "Solution:

    Block outbound connections to untrusted SMB servers via a firewall."

    ----

    So, that evidence as "said & aside"? Well...

    THIS OUGHT TO SERVE, "in the meantime @ least" (until a patch from MS is issued next "Microsoft Patch Tuesday" I suppose) to "FIX" that problem:

    (If it works, it's by pure luck & I posted it above as more of a "speed boost" by not running a service you do NOT really need (as a 'standalone single system logged into the internet only' but not attached to a home or work LAN/WAN), but the WORKSTATION service does function to provide SMB services, & cutting it off SHOULD technically "do the job here" to protect one's self vs. this "bug/possible exploit"....

    So, quoting myself from above:

    Quote Originally Posted by APK:
    OK, for those of you that have "moved on" to VISTA (or Windows Server 2008 & Windows 7), as I have recently, in my now using Windows 7 64-bit here?

    ====

    Start up SERVICES.MSC (You will need this for turning on/off various services is why)

    3.) I have also been able to turn off the WORKSTATION service as well on Windows 7, albeit, ONLY AFTER I BOOTUP & LOGON in test so far, not sure if you can DISABLE it & still logon, so... keep that in mind!

    (This service deals in SMB (server message block iirc) networking)

    Turning it off, like any service you don't really need, results in YOUR saving more CPU cycles, RAM, & other forms of I/O also, + even electric power really...

    As you're not running a program & using power, just like ANY of the above or below recommendations for turning off programs of most anykind really do (albeit, this isn't as much of a "security gain" as the top 2 above are imo) - do NOT do this if you are part of a LAN/WAN though, you need it in those environs typically.
    I guess, now, in this case, vs. this "bug?" Well, it IS a security patch too, & not just a "speed booster"... per the bolding I just did above, where I said it's really only a 'speed boost'.

    So give this a go, alongside the firewall rules table vs. outbound SMB connections, for now @ least until MS patches it, for securing AND SPEEDING UP, a Windows 7 system!

    (Once more -I did WORKSTATION SERVICE stalling, albeit, only for speed, but I wager, again, by luck, it should work vs. this bug also, just because of what WORKSTATION service provides (i.e.- SMB services)).

    APK

    P.S.=> Some work in IE may be needed also, but, this is all I have, for now, vs. this exploit possibility thusfar, so 'turn off' WORKSTATION SERVICE (once you have logged on that is, because I am NOT 110% sure you can & still logon to your Windows 7 systems is all) & do a firewall rule for outbound SMB connectivity...

    (Albeit @ this point, I am NOT sure if you can do that AND still LOGON to Windows, so only turn it off in services.msc once you have logged yourself in, & DO PAY ATTENTION TO CREATING A FIREWALL RULE FOR OUTBOUND SMB BASED CONNECTIONS, BLOCKING THEM FROM GOING "OUTBOUND" FROM YOUR SYSTEMS TOO)... apk
    Last edited by APK; 11-14-2009 at 09:30 PM.

  5. #55

    Good news on setting WORKSTATION SERVICE to manual, in SERVICE.MSC vs. SMB FLAW in W7

    Good news on setting WORKSTATION SERVICE to manual, in SERVICE.MSC, vs. this new flaw in Windows VISTA/Server 2008/VISTA:

    (Albeit @ this point, I am NOT sure if you can do that AND still LOGON to Windows, so only turn it off in services.msc once you have logged yourself in, & DO PAY ATTENTION TO CREATING A FIREWALL RULE FOR OUTBOUND SMB BASED CONNECTIONS, BLOCKING THEM FROM GOING "OUTBOUND" FROM YOUR SYSTEMS TOO)... apk
    Well, good news:

    Upon testing this here, & on Windows 7? You CAN still logon to your system, even IF WORKSTATION SERVICE is set to "MANUAL" startup type in SERVICES.MSC (this also holds true all the way down to Windows 2000 SP #4, as I had my pal Jack the PI test it for me upon my request, & he too can logon to his Windows 2000 rig no problems, with WORKSTATION effectively disabled (via MANUAL, not DISABLED setting, for startup type on said service)).

    Thus, again, since WORKSTATION SERVICE provides & manages SMB (server message block iirc, as to this acronym's expansion) services, & the single flaw in Windows 7 &/or Windows Server 2008 are exploited thus by a flaw in SMB? This SHOULD "take care of that too", lickety-split, no "SHEET"...

    APK

    P.S.=> Well, now that that's been "said & aside"? 'Onwards & UPWARDS!"... OH - & again: This is for machines that are "standalone systems" hooked to the internet via a DSL or Cable router (or even dialup), or thru a home Router/modem, that are NOT "ACTIVE DIRECTORY" or otherwise (SMB/NetBIOS/LanMan networking or NetBEUI even (or otherwise)) system: You will need to keep WORKSTATION service up & running in those environs, especially for shared disk/folder/file access in LAN/WAN environs... apk

  6. #56

    Credit goes, where credit is due (a good idea, one I "overlooked" (well for Win7 @))

    Another great point by another user from another forums today, for Windows 7 folks (VISTA too, & of course, Windows Server 2008), from a fellow named "AlphaAlien" here -> HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA even (& make it fun to do) - Page 7 - HardwareGeeks.com A Community For the Sophisticated Geek or Geekette

    (LOL! Oddly, it's one I overlooked from my OWN GUIDE here, that I applied to Windows 2000/XP/Server 2003, but had "overlooked" in my tips about Windows 7 just above, specifically... &, it IS a good idea, + one I ended up "expanding on" so, I have to thank AlphaAlien for "getting the ball rolling" in my brain here, lol, once more so I could suggest his point (one I suggested here again, no less, for the OLDER MS' OS of Windows NT-based ancestry) & expand on it even more... probably wouldn't have done it w/out he, so, credit goes, where credit is due imo).

    This is a good point too, so... here goes:

    Open up gpedit.msc (you can do this from the "Windows Start button" (is it STILL called that now, in Windows 7/VISTA etc. I wonder?) & the RUN or search command). In it, follow its left-hand side pane's tree items down THIS path:

    Computer Configuration
    Administrative Templates
    Network
    Network Connections
    Windows Firewall
    Domain Profile (only use this one IF you are not part of a LAN/WAN or connect to them, & you don't need to do some of what is suggested to turn off there - & you can though, if you don't need to do the stuff we're going to 'crank off' here, especially if you are a single system home user)
    Local Profile (this one users with a single system @ home that's not part of a home LAN should do)

    NOW, once there? Use the RIGHT-HAND SIDE PANE items of (now quoting our exchange from the URL above, saves me time, & I have programming assignments in JAVA to do so, excuse the use of this DIRECT quote from the URL above):

    Prevents administrative remote management services.

    Looks good to me, especially for most folks (which, face it, most folks don't have home "LAN/WAN" setups (mainly people who are way, Way, WAY "into computing" do imo & experience)).

    Since they're mainly single system users, & @ home (which I found professionally on a job in 2006 that they're the most "abused" typically as well by malware etc. et al) - they're the folks I put this out for mostly, if they want to take the initiative & time to do it is all. They need it the most, from what I've seen, so... here 'tis.

    As long as you don't perform remote administration tasks? You should probably turn the ability for "remote administration" off as AlphaAlien points out.

    I'd have to add this point of AlphaAlien's now though: This same idea/technique/tip/trick can also be done for the DOMAIN and LOCAL profiles there too, and, it also points out a couple others to remove, possibly too (such as UPnP, Remote File & Printer Access, Remote Desktop, setting them as DISABLED there, & possibly to even ICMP also (ping basically))

    The PING & UDP ones may affect other wares though, so, test @ your leisure on those 2.

    (Sounds like a good move, as imo @ least, it really supplements cutting off:

    A.) Server (allows shares) + Workstation (provides SMB services, in services.msc (& an outbound BLOCK rule in the firewall vs. TCP/UDP for PORTS 139 & 445 (this one mainly, will stall this newly surfaced "bug" noted above in Windows 7 & Server 2008))
    B.) Terminal Services/Remote Desktops
    C.) Cutting out Client for MS Networks + File & Print Sharing in your local area network connection (clients & protocols sections) & also NetBIOS over TCP/IP in the WINS section of the local area connection too.
    D.) Disabling TCP/IP over NetBIOS in services.msc as well
    E.) "Stalling out share$", via a batch or .cmd file (possibly even a powershell script as well) & I mean, any shares: Even default ones like in the batch above
    F.) Setting secured ACL's on the filesystem + registry as well via explorer.exe OR cacls possibly, & regedit.exe

    (Then, your firewall can do the rest, as far as "inbound intrusion attempts" - I don't think there's much other than that to "get ahold of", & even a nullsession attempt ought to be stalled between this, & the secpol.msc work (plus HOSTS & AnalogX's IP Security Policy as well)))

    Thanks for the solid point AlphaAlien: It got my "wheels rolling" on a couple of others in gpedit.msc (which I did suggest for Windows 2000/XP/Server 2003 already earlier in this guide), but, I overlooked here, so I added on the rest.

    APK

    P.S.=> Oh, AlphaAlien: I am going to credit you with this & put your points out, in your name of course, in regards to this setting in Group Policy Editor on the other 20 or so forums I can still edit this post on as well, hope you don't mind (it's a good solid point, & I do credit others where/when/how/why credit is due they, for solid points) - I am not sure if linking to your photo will work or not (depending on where YOU store it that is), so I may have to "expand" the tree items in gpedit.msc manually in text, so... in any event, there you are... apk
    "I'm Reese: Sgt. TechComVN38416 assigned to protect you - You've been TARGETTED FOR TERMINATION!"
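The items A-E in the post above can be verified rather than assumed. The script below is an added example for this thread, not APK's batch file and not a Microsoft tool: a read-only audit that reports which of those lockdown steps still need attention on the local machine. It assumes PowerShell 2.0 or later on XP/Vista/7/Server 2003/2008, run from an elevated prompt. The mapping of the post's items to Windows objects is my assumption: A = the LanmanServer and LanmanWorkstation services plus anything listening on TCP 139/445, C = TcpipNetbiosOptions per adapter, D = the "TCP/IP NetBIOS Helper" service (lmhosts), E = Win32_Share plus the AutoShareWks/AutoShareServer values that bring the default admin shares back at reboot.

```powershell
# Added example (not from the original post): read-only audit of the SMB/NetBIOS
# lockdown items A-E. Changes nothing; prints one [OK]/[!!] line per check.
function Get-SmbLockdownReport {
    $report = @()
    $tag = { param($ok) if ($ok) { '[OK]' } else { '[!!]' } }

    # A) + D) services that should be Disabled and Stopped
    # (lmhosts = "TCP/IP NetBIOS Helper", my reading of item D)
    foreach ($name in 'LanmanServer', 'LanmanWorkstation', 'lmhosts') {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { $report += "[??] service $name not present"; continue }
        $ok = ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
        $report += '{0} service {1}: StartMode={2} State={3}' -f (& $tag $ok), $name, $svc.StartMode, $svc.State
    }

    # A) is anything still listening on the SMB/NetBIOS session ports?
    $listeners = netstat -an -p TCP | Select-String ':(139|445)\s+\S+\s+LISTENING'
    if ($listeners) {
        $report += '[!!] TCP 139/445 still listening (Server service still active?):'
        foreach ($l in $listeners) { $report += '      ' + $l.Line.Trim() }
    } else {
        $report += '[OK] nothing listening on TCP 139/445'
    }

    # C) NetBIOS over TCP/IP per adapter: TcpipNetbiosOptions 2 = disabled, 0 = via DHCP, 1 = enabled
    foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE') {
        $ok = ($nic.TcpipNetbiosOptions -eq 2)
        $report += '{0} NetBIOS over TCP/IP on "{1}": TcpipNetbiosOptions={2}' -f (& $tag $ok), $nic.Description, $nic.TcpipNetbiosOptions
    }

    # E) shares still exported, hidden defaults (ADMIN$, C$, IPC$) included
    $shares = @(Get-WmiObject Win32_Share)
    if ($shares.Count -eq 0) { $report += '[OK] no shares exported' }
    foreach ($sh in $shares) { $report += '[!!] share still exported: {0} -> {1}' -f $sh.Name, $sh.Path }

    # E) default admin shares are recreated at boot unless AutoShareWks/AutoShareServer = 0
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    foreach ($v in 'AutoShareWks', 'AutoShareServer') {
        $val = (Get-ItemProperty -Path $lanman -Name $v -ErrorAction SilentlyContinue).$v
        $ok = ($val -eq 0)
        $report += '{0} {1} = {2}' -f (& $tag $ok), $v, $(if ($val -eq $null) { '<not set, defaults to 1>' } else { $val })
    }
    $report
}

Get-SmbLockdownReport
```

Run it before and after applying the steps; a line tagged [!!] is the one to go back and fix. The netstat check is the one that matters most for the 139/445 point in item A, because it shows what is actually reachable rather than what the service configuration says.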

  7. #57

    New IE6/IE7 bug + workaround/fix... apk

    Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution:

    Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution

    The new bug in IE6 & IE7 can be patched above (allowing IE6/7 to "opt-in" to DEP (data execution prevention)) using the "FIX IT" button noted there (which applies a database of apps to support DEP apparently, inclusive of IE variants).

    The original article explaining the nature of the attack is here:

    Microsoft Security Advisory (977981): Vulnerability in Internet Explorer Could Allow Remote Code Execution

    It also lists which operating system versions are adversely affected.

    APK

    P.S. => This is the 2nd URL's list of affected IE versions, & on which Windows NT-based OS variants also:

    PERTINENT EXCERPT:

    Microsoft is investigating new public reports of a vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

    Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 and Internet Explorer 8 on all supported versions of Microsoft Windows are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are affected.

    The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code.

    At this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

    We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.

    Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.

    Mitigating Factors:

    • Internet Explorer 8 is not affected.
    • Protected Mode in Internet Explorer 7 in Windows Vista limits the impact of the vulnerability.
    • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
    • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
    • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
    • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

    General Information
    Overview

    Purpose of Advisory: To provide customers with initial notification of the publicly disclosed vulnerability. For more information see the Mitigating Factors, Workarounds, and Suggested Actions sections of this security advisory.

    Advisory Status: The issue is currently under investigation.

    Recommendation: Review the suggested actions and configure as appropriate.

    References Identification

    CVE Reference: CVE-2009-3672

    Microsoft Knowledge Base Article: 977981

    ----

    This advisory discusses the following software.

    Affected Software:

    Windows XP Service Pack 2

    Windows XP Service Pack 3

    Windows XP Professional x64 Edition Service Pack 2

    Windows Server 2003 Service Pack 2

    Windows Server 2003 x64 Edition Service Pack 2

    Windows Server 2003 with SP2 for Itanium-based Systems

    Windows Vista

    Windows Vista Service Pack 1 and Service Pack 2

    Windows Vista x64 Edition

    Windows Vista x64 Edition Service Pack 1 and Service Pack 2

    Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

    Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service pack 2

    Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

    Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4

    Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2

    Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2

    Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2

    Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2

    Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1 and Windows Vista Service Pack 2, and Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2

    Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

    Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

    Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

    Non-Affected Software:

    Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4

    Internet Explorer 8 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2

    Internet Explorer 8 for Windows Server 2003 Service Pack 2 and Windows Server 2003 x64 Edition Service Pack 2

    Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2, and Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2

    Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

    Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

    Internet Explorer 8 in Windows 7 for 32-bit Systems

    Internet Explorer 8 in Windows 7 for x64-based Systems

    Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems

    Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems

    ----

    ... apk

  8. #58

    IMPORTANT NEW PATCH FOR IE 5-8, see inside/below

    I picked up on some information that you guys MAY wish to know about (especially IF you use Internet Explorer (all models/versions)):

    GET THE PATCH FOR IE 5.01 - IE 8.0 (on ALL Windows versions of NT-based origins (2000/XP/Server 2003/Server 2008/VISTA/Windows 7)) FOLKS!

    It was issued "Out-Of-Band" (meaning MS didn't wait for "Patch Tuesday" to roll around again (2nd Tuesday of every month)).

    (&, you can do that via "Windows Update" of course, but that takes MORE TIME for that to "take" typically, than nabbing it directly, here would do for you, since you can install it yourselves, directly & immediately):

    http://www.microsoft.com/technet/sec.../ms10-jan.mspx

    :)


    This isn't a joke people & it's NOT THE SAME BUG IN MY LAST POST ABOUT IE EITHER!

    So, please... See here:

    Widespread attacks exploit newly patched IE bug:

    Widespread attacks exploit newly patched IE bug | ITworld

    It's seriously being exploited, & that's only what they KNOW about.

    APK

    P.S.=> AND, "there ya are" - Enjoy!... So, after all? It's YOUR MONEY & TIME folks! (that's all)... apk

  9. #59

    IF you had trouble finding the download link for the IE 5-8 security fix? See below!

    IF you are having trouble FINDING the link to the download for this IE 5-8 patch, for most ALL Windows NT-based OS' by Microsoft?

    Try this:

    MS10-002 Cumulative Security Update for Internet Explorer (978207)

    Look for THAT on the page...

    (There you go, per FloppyBootStomp, a moderator @ this website -> HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, + make it "fun to do" - Page 7 where this security guide is also hosted, who had noted it was a bit difficult to find there, per the IE security vulnerability I noted above in my last post...)

    APK

    P.S.=> Well, to save you time? The DIRECT linkage is here -> http://www.microsoft.com/technet/sec.../ms10-002.mspx so, "have @ it" folks, & enjoy... apk
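Posts #57 through #59 above give two things to check on a box: whether the IE build in use is one the 977981 advisory calls affected and whether DEP is covering it, and whether the MS10-002 cumulative update is actually installed. The script below is an added example for this thread; it is not Microsoft's "Fix It" package and not code from the posts. It assumes PowerShell 2.0 or later, the pre-IE10 registry layout (where the `Version` value under `HKLM:\SOFTWARE\Microsoft\Internet Explorer` holds the real IE version) and the KB number 978207 quoted in post #59. The DEP policy values (0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut) are the documented `Win32_OperatingSystem` ones; my reading is that only AlwaysOn or OptOut protects IE without the per-application opt-in the Fix It applies.

```powershell
# Added example (not from the thread, not Microsoft's Fix It): reports IE version,
# system DEP policy and whether the MS10-002 update (KB978207) is installed.
function Test-IeExposure {
    # Pre-IE10 layout: "Version" holds the real IE version, e.g. 7.0.5730.13
    $ieKey = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $ieVersion = if ($ieKey) { [string]$ieKey.Version } else { $null }
    $ieMajor = if ($ieVersion) { [int]($ieVersion.Split('.')[0]) } else { 0 }

    # DEP properties on Win32_OperatingSystem exist from XP SP2 / Server 2003 SP1 onward
    $os = Get-WmiObject Win32_OperatingSystem
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    # cast to [int]: the WMI value is a byte and would not match the int keys above
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    $policyName = $policyNames[$policy]
    if (-not $policyName) { $policyName = 'Unknown' }

    # KB978207 = MS10-002 cumulative update (same KB for every IE version it covers)
    $fix = Get-WmiObject Win32_QuickFixEngineering -Filter "HotFixID='KB978207'"

    New-Object PSObject -Property @{
        IeVersion               = $ieVersion
        IeAffectedByAdvisory    = ($ieMajor -ge 6 -and $ieMajor -le 7)   # IE6/IE7 per advisory 977981
        DepAvailable            = [bool]$os.DataExecutionPrevention_Available
        DepPolicy               = $policyName
        DepCoversIeWithoutOptIn = ($policy -eq 1 -or $policy -eq 3)
        MS10_002_Installed      = ($fix -ne $null)
    }
}

Test-IeExposure | Format-List
```

A result of `IeAffectedByAdvisory = True`, `DepCoversIeWithoutOptIn = False` and `MS10_002_Installed = False` is the combination the posts above are warning about: an affected IE build, no DEP protection unless the Fix It was applied, and the out-of-band patch not yet present.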

  10. #60

    Newly discovered security vulnerability in Windows NT-based OS' 16-bit DOS subsystems

    A security vulnerability exists (and has existed since 1992-1993) in the emulation subsystems for DOS &/or Win16 applications under 32-bit versions of Windows NT-based OS:

    Microsoft Security Advisory (979682)

    Vulnerability in Windows Kernel Could Allow Elevation of Privilege:


    http://www.microsoft.com/technet/sec...ry/979682.mspx

    ----

    THE "FIX":

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems

    (via removing support for said subsystems by blanking out the files they point to.)

    These excerpts will help you identify each component used:

    The NTVDM:

    16 bit DOS and older 16 bit windows applications are supported by the NT virtual DOS machine (NTVDM) which runs in the Client/Server Runtime (CSR) subsystem. Since each copy of the NTVDM is given its own thread of execution, if it fails, it will not affect the operating system or other programs.

    The following components support the NTVDM:

    NTVDM.EXE - Starts the NTVDM and emulates the DOS environment.

    NTIO.SYS - Emulates the DOS IO.SYS system file.

    NTDOS.SYS - Emulates the DOS.SYS file.

    Virtual Device Driver (VDD) - Used to allow DOS to interface with system devices on various ports such as the mouse, keyboard, serial ports, parallel ports, and video devices. This component is required since DOS expects to access hardware devices directly, but cannot do so when running on Windows NT.

    VDMREDIR.DLL - Redirects file system input/output requests to the Win32 subsystem.

    AUTOEXEC.NT - Replacement for AUTOEXEC.BAT.

    CONFIG.NT - Replacement for CONFIG.SYS.

    NT always loads a PIF for MS-DOS based applications. You can create a PIF to define requirements of the DOS application such as memory needs. In Windows NT 4.0, the PIF settings can be accessed by right clicking on the DOS executable file and selecting properties. On RISC based systems, an instruction execution unit (IEU) works with the NTVDM to emulate I383 Intel processor instruction sets.

    ----

    What this "fix" (hopefully only needed temporarily) does, is remove the subsystem for DOS/Win16 applications.

    It is the ONLY "work-around" I am aware of for this until it is fixed, IF ever, and it is very similar to a recommendation that others "tear out" the POSIX subsystem for the same potential reasons: security vulnerability issues.

    (The only people that need to be concerned here, are those running 32-bit versions of Windows NT-based OS (NT 3.x, NT 3.5x, NT 4.0, Windows 2000/XP/Server 2003/VISTA/Server 2008/7), because 64-bit versions of Windows OS do not have a 16-bit subsystem emulator present in them)

    APK

    P.S.=> Many, if not MOST, people today can do without these entries, UNLESS they have legacy applications from DOS or 16-bit Windows applications they need for "mission critical" purposes... those folks will have to leave these in place until a fix is created by Microsoft (the same can go for those who don't need this as well, but you "take your chances" until MS fixes this)... apk
    Last edited by APK; 01-28-2010 at 07:10 PM. Reason: Pulling Win16 "WOW" emulation subsystem data (unnecessary I think here)
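Before anyone edits the SubSystems key by hand as the post above describes, it is worth knowing what is actually there, whether the box is even 32-bit (64-bit Windows has no NTVDM to remove), and whether a 16-bit program is running right now that somebody depends on. The script below is an added example for this thread, not from the post and not a Microsoft tool: a read-only inventory of the NTVDM components listed in the excerpt above, plus a `.reg` backup of the key so the edit can be reverted with `reg import`. It assumes PowerShell 2.0 or later from an elevated prompt; the function names and the backup file name are my choice.

```powershell
# Added example (not from the post): read-only look at the 16-bit subsystem state
# and a .reg backup of the SubSystems key before any manual change to it.
function Get-Ntvdm16BitState {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # 64-bit Windows ships no NTVDM. A 32-bit PowerShell on 64-bit Windows reports
    # x86 in PROCESSOR_ARCHITECTURE but also sets PROCESSOR_ARCHITEW6432.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)

    # Every value under SubSystems (Windows, Posix, Optional, Required, ...) as name/value pairs
    $values = @{}
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }

    # Component files named in the NTVDM excerpt above (presence check only)
    $files = @{}
    foreach ($f in 'ntvdm.exe', 'ntio.sys', 'ntdos.sys', 'vdmredir.dll', 'autoexec.nt', 'config.nt') {
        $files[$f] = Test-Path (Join-Path $sys32 $f)
    }

    # A live ntvdm.exe means a DOS/Win16 program is in use this minute:
    # identify what depends on it before removing the subsystem.
    $running = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        Is64BitWindows    = $is64
        NtvdmFilesPresent = $files
        SubSystemsValues  = $values
        NtvdmProcessesNow = $running.Count
    }
}

function Backup-SubSystemsKey {
    # reg.exe export writes a .reg file that "reg import" restores; the timestamp avoids the overwrite prompt
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $out = Join-Path $env:TEMP "SubSystems-$stamp.reg"
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems' $out | Out-Null
    if ($LASTEXITCODE -eq 0) { $out } else { $null }
}

$state = Get-Ntvdm16BitState
$state | Format-List
if (-not $state.Is64BitWindows) { 'Backup written to: ' + (Backup-SubSystemsKey) }
```

On 64-bit Windows the function reports `Is64BitWindows = True` and no NTVDM files, which matches the post's note that only 32-bit installs are in scope. On a 32-bit box, a non-zero `NtvdmProcessesNow` is the signal to find the legacy application first; the backup file is what gets you back if the subsystem edit breaks something.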
