Discussion on:
DOWNLOAD: 10 registry hacks for hardening Windows XP security

11
Comments

Disable hidden administrative shares: No such key on XP Home
Marc Erickson 29th Jul 2010
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanager\parameters doesn't exist in XP home - there's HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation
http://techrepublic.com.com/5138-1009-5974945.html

After you take a look at this download, please post your feedback, ideas for improvements, or further thoughts on this topic.

Thanks,
--The TechRepublic Content Team
0 Votes
I disagree with the number 2 change. Most companies/agencies have a standard for user IDs, so hiding it is ineffective. More importantly, only a successful logon will change the display of the last known logon; this is a good security feature to let you know if anyone else successfully logged on to your system. If you hide this data you will not easily know if someone else logged onto your system. Of course, if we share our password this argument is void. I liked many of the other security suggestions. Thanks for the information.
Disabling the page file is a career limiting move. This is a brief discussion on 'hardening' with no additional information about the threats that are being protected against other than 'hacker'. If a 'hacker' has gotten that far into my network, I have way worse issues.

What are we protecting for here?

What are the threats?

We're turning knobs and there's no discussion of change management or discussion of processes.

Number 8 I'll agree with as it will kill off Win98's but the rest? Number 9... get a firewall.

This is more like a top ten list to get yourself fired and leave a system in an unsupported state. Did we learn nothing from the "buggy patch" fiasco of MS 05-051?

Let's think about what we are doing here instead of just flipping reg keys.
0 Votes
I am new and dumb at this computer stuff. How can I tell if someone logged on my computer? Also, how can I tell what is running on the computer when all I see is desktop and the hard drive light is on? Thanks
Configuring these settings will add some inconvenience for legitimate administrators but does not actually contribute at all to security. Let's look at the settings one at a time:
1. Disable admin shares - These are only available to administrators anyway. If you disable them, anyone who is an administrator can easily turn them right back on (yes, remotely too). In other words, all this setting does is break legitimate remote management. It does not improve security one bit.

2. Hide last logon name - First, finding a logon name for an attacker is trivial. Second, if your password is so weak that the only thing standing between you and a compromise is your logon name, you are in deep trouble.

3. Control apps users can run - The proper way to control apps users can run is with Software Restriction Policies, not with Windows 95-style reg hacks. Besides, the value here is set in HKCU. In other words, you are restricting what apps YOU can run, not what apps anyone else can run.

4. Disable DUN password - What exactly is the risk here? How is an attacker going to get this password? It is protected with DPAPI. Only the user can read it. If an attacker were able to get to DPAPI it means they are running code as you, in which case this hack is meaningless. They will have access to anything you do, including your Dial-Up password the next time you type it.

5. Hide access to drives - This is a cosmetic hack which only hides them from Explorer. Open a command prompt, or use the Open/Save dialog in Word (or any number of other apps) and they are available again. This is not a security setting at all.

6. Clear page file - What attackers are you worried about here? Unless you are trying to protect against physical attacks by a nation state it is highly unlikely that data stored in the page file is going to present a problem for you. The question you have to ask yourself is whether you really care to defend against attackers willing to dig through 2 gigabytes of binary data in the hope of finding something interesting (keep in mind, there are no labels in that file telling them where the juicy data is or even how it is formatted). This is a meaningful setting in ultra-secure environments where physical compromise of shut down systems is possible AND you have reason to believe that applications improperly store data in memory AND you routinely shut down systems, not elsewhere. Besides, most users are not willing to accept the 12-15 minute hit on shutdown time.

7. Disable access to system properties - First, setting this in HKCU disables YOUR access to system properties, not anyone else's. Second, you cannot modify anything in system properties unless you are an administrator, so all this setting would ever do is restrict administrators from doing something. Third, if you are an administrator, you can easily bypass this hack. Therefore, this hack is meaningless. If you want to stop users from modifying system properties, do not let them run as admins.

8. Disable LM hash - First, there are several instances post Windows 2000 where you need an LM hash. Second, this setting is thin veneer. What threat are you worried about specifically? Cracking passwords? Cracking passwords against hashes is a meaningless and unnecessary attack. Disabling LM hashes really does not add much to security these days, although it is not going to hurt anything in some instances. This is probably the one setting in the list most related to security though. If you want to find out more about why this setting is not particularly useful, and what kinds of things it breaks, go to http://www.microsoft.com/technet/community/columns/secmgmt/sm1005.mspx.

9. Restrict null sessions - First, the values you give for this hack are for Windows 2000, not Windows XP. Settings designed for one operating system are not guaranteed to work on another. Second, most null session information access is already disabled in XP by default. Third, what is the threat you are worried about? None of the information available via a null session is particularly sensitive. If your security depends on keeping attackers from listing share names and user names you probably have a lot more serious problems to deal with. Fourth, if you have a firewall, this setting is moot. If you do not, you have other more serious issues to worry about.

10. Hide the security tab - This is in no way, shape or form a security setting. First, it is set in HKCU, where it affects YOU, not anyone else. Second, only someone who owns the object or has been granted the proper permission on it can set security. Such a user can set security in a number of ways; this just blocks one of them.

None of these settings improve actual security one bit. They are either just security theater or they attempt to solve a problem that exists elsewhere. They are pretty likely to make the system unmanageable, unsupportable, or just plain less useful though.

There are many resources to help protect Windows XP. For home users, there are four steps: Turn on the Windows Firewall, use an anti-malware program, ensure that Auto Updates are turned on, and do not run as an administrator.

If you are trying to configure security in an enterprise, and you want to maintain a supported system, go read the Windows XP Security Guide: http://go.microsoft.com/fwlink/?LinkId=14840. You may also want to look at http://www.protectyourwindowsnetwork.com for a more holistic security perspective.
0 Votes
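The scope argument made in the comment above (a value under HKCU restricts only the account that imports it) and the missing-key report at the top of the thread can both be checked before a .reg file is imported. The following is an added example, not part of any comment or of the original download; the sample .reg text is constructed, and the value names in it are illustrative assumptions rather than the article's actual entries.

```python
import re

# Constructed sample .reg text; key and value names are illustrative
# assumptions and are not copied from the original download.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:00000004
"NoSecurityTab"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanager\parameters]
"AutoShareWks"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
SERVICE_RE = re.compile(r"(?i)system\\currentcontrolset\\services\\([^\\]+)")
SCOPES = {"HKEY_CURRENT_USER": "per-user", "HKEY_LOCAL_MACHINE": "machine-wide"}

def parse_reg(text):
    """Yield (key, value_name, data) for each named value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = None if m.group(1) else m.group(2)  # "[-key]" deletes a key
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)

def audit(text, known_services=("lanmanserver", "lanmanworkstation")):
    """Return (value_name, scope, notes) for every value the file would set.

    known_services holds the service keys reported present on XP Home in
    this thread; extend it from a real machine before relying on it.
    """
    findings = []
    for key, name, _data in parse_reg(text):
        hive, _, path = key.partition("\\")
        scope = SCOPES.get(hive.upper(), "unknown")
        notes = []
        if scope == "per-user":
            notes.append("affects only the importing user's profile")
        m = SERVICE_RE.match(path)
        if m and m.group(1).lower() not in known_services:
            notes.append("service key %r not in known list" % m.group(1))
        findings.append((name, scope, notes))
    return findings
```

The parser skips default (`@`) values and multi-line hex data, which is enough for the single-value tweaks discussed here.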
Pointless
mist27@... 6th Dec 2005
On a scale of 1-10 this one is 0-10
Unable to detect a benefit, you appear to be creating more problems, not solving them.
0 Votes
I was just reading responses to this article.
Some good ones for sure.
I thought after first reading the article that some were pretty good ideas. But after reading the posts which pretty much agree that these hacks are rudimentary at best or totally useless, I gotta wonder, what is this kind of info doing here?
Aren't places like TechRep supposed to be the "experts"? Hmmmm. I think they were maybe targeting the semi-concerned, semi-techie home user looking for a way to quickly stop his 16 yr old from doing certain things, as one of the examples touched on.
Either way, hey techrepublic writers, what do you have to say about the comments in these posts bashing this article? Or any other that gets beat up like this?
0 Votes
Very Good One. Thanks.
0 Votes
I have been reading the whole of this article, and at first believed that it was trying to help secure computers against hacking. But now I'm not so sure!!!!
IT GIVES LINKS TO ALL THE NECESSARY CRACKING TOOLS AVAILABLE ON THE NET AND EVEN GIVES STEP BY STEP INSTRUCTIONS ON HOW TO USE THEM!!!! UNBELIEVABLE.
IT EVEN MENTIONS THEIR FAVOURITE CRACKING TOOL;

"Our favourite is John the Ripper...a dictionary only cracker...available at...extremely fast and free..."

WHAT THE ****???
This is surely a con trying to make computers LESS secure??!!
0 Votes
Helpful article