Security Basics mailing list archives

RE: XP box maintenance and lockdown


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 31 Dec 2003 12:12:05 -0800


        Switch to SuSE? ;-)! Looks like you pretty much got it covered.
Did you check your logs? Lock down and set some policies via gpedit?
Adaware is not that good; there is one out there that Adaware took the
engine from, that's the one you want to use. Adaware misses some
registry bound bugs.

        Keep the personal firewall, (I like ZoneAlarm PRO myself, works
great). Get SpamBayes and forget about that opt-out crap, I don't trust
it as far as I can throw it. Get a good popup blocker, or use Mozilla
and that will fix your IE security problems and Popups for good.

        Don't forget to grab a PGP program to keep your data secure, if
you want. gPGP has some good for Windows now and some tools to interface
with popular email programs. I use PGP8 for windows and gPGP for my SuSE
desktop.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: J. Yoon [mailto:supercool9000 () hotmail com] 
Sent: Tuesday, December 30, 2003 11:30 AM
To: security-basics () securityfocus com
Subject: XP box maintenance and lockdown

I'm doing routine maintenance and locking down an XP box.
Please advise if there's anything I've missed.

Preliminaries: run a simple disk cleanup, spyware scan, and a quick virus scan

Hardware Drivers.
- Update all Drivers for
soundcard/diskcontrollers/videocards/usb/etc/...
- Update BIOS and do a new flash if needed.
- Update Router firmware

Software Patches
- download latest XP patches from windowsupdate.microsoft.com
- download latest virus definitions
(I'm using 2 virus scanners, Grisoft AVG http://www.grisoft.com and Norton Antivirus)

- download latest updates for your IDS or software Firewall
(such as Sygate Personal Firewall from
http://smb.sygate.com/support/documents/spf/spf_download.htm)

(By the way, is there any significant benefit in using a software firewall
if I already have a router, other than it working like an IDS?)

- latest updates for Ad-Aware
(a spyware removal software from www.lavasoft.de/software/adaware/)


Scan / Fix
(Unplug computer from internet at this point in time)
- run a full system cleanup and get rid of all cookies/temp files/junk/etc
- run a full spyware scan using "deep scan"
- run virus scan to check for ALL files with heuristics (and/or 'houndog') turned on
- run scandisk or diskdoctor of some sort
- run a full defragmentation using defrag/speedisk/diskkeeper of some sort

Account configuration
- change all passwords so that each has a combination of upper/lowercase letters, numbers,
and does not use any words from the dictionary of any language
- create a user account for yourself and others
so that you don't get in the habit of using the administrator account all the time.

Router Configuration
- take care of any license issues
- disable all ports/services (so that we can enable services on a "need"-only basis)
- Refer to history/log of applications that have been running
to obtain the protocol, local port, remote port, and IP address needed to grant access.
- If additional security is needed, assign to MAC address instead of IP

For Sygate Personal Firewall only :
- Enable intrusion detection, port scan detection, anti-MAC spoofing, anti-IP spoofing
- Enable driver level protection, OS fingerprint masquerading
- configure so that it blocks all traffic when the service is not loaded
- enable stealth mode browsing but disable this if too many problems seem to occur.
- Enable DLL authentication and check "automatically allow known DLLs"
- enable smart DNS, smart DHCP, and SmartNETBIOS
- Automatically block the attacker's IP for.. a number of seconds
- you may also want to set it so that it notifies you via email of any attacks.

Browser Configuration
- disable all scripting, java, flash, active-x, and plug-ins and enable only as needed
- delete all existing cookies
- disable 3rd-party cookies and/or set cookie policy according to privacy settings
- configure popup window blocking feature if needed
- use encryption when storing sensitive data
- configure so that it warns you if you're entering/leaving an unencrypted page
- configure client certificate selection and CRL/OCSP (certificate status protocol) as needed

Mail Configuration
- set any POP/Mail clients to use encryption/SSL so that passwords are not sent unencrypted
- disable cookies in Mail and Newsgroups
- disable default viewing of images as they can be used for tracking purposes by spammers
- set a filter so that any email address that does not contain the @ "at sign" and . "dot"
is automatically rejected.
- you may also wish to set a filter so that if your own email address does not appear
in the "To:" or "CC:" field, the email is considered spam.

Access Control
- set and verify folders that need to have access restrictions
- enable encryption on private files if necessary

Recovery Disk
- make a boot disk from your Operating System
- make a password recovery disk
- make a virus boot disk as well
now you have 3 ways to get back on your feet in case something happens

Test
- Run a port scanner. Blue Globe Software, for example, offers a program called Port Scanner
(www.islandnet.com/~cliffmcc/portscanner.html).
Raw Logic Software's NetView Scanner (www.rawlogic.com/products.html)
provides details about vulnerable ports and additional tools for detecting
network clients that have Windows file and print sharing enabled.
I've heard that Nessus is also great. I suppose you can use others such as
Insecure.org's NMAP (www.insecure.com/nmap) and cotse but I don't know if they work on XP.

Backup
- locate and backup private keys and additional configuration files
- backup all the latest drivers you've downloaded so far
- make a full backup to a removable storage

Opt-Out / Proactive Privacy protection
- go to www.doubleclick.com and search for a link where you can tell them not
to track or abuse your personal information
- not posting private email or personal information when posting to online newsgroups
or mailing lists may also help
- not sure if they are still in effect but the national donotcall registry
might help reduce some unwanted spam
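Two of the checklist items above (the password rule under "Account configuration" and the two mail filters under "Mail Configuration") are precise enough to express as code. The block below is an added example, not part of either message in the thread and not code from any product mentioned. It assumes a minimum password length of 8 (the post gives none), uses a small constructed wordlist in place of a real dictionary, and treats a sender address as well-formed only if it has a local part, an "@" and a dotted domain.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed stand-in for a dictionary wordlist; a real check would load
# one (or several, for "any language") from disk.
DICTIONARY_WORDS = {"password", "winter", "horizon", "admin", "secret", "reno"}


def password_problems(password, wordlist=DICTIONARY_WORDS, min_length=8):
    """Return the rules the password violates (empty list means it passes).

    Implements the account rule from the checklist: mixed upper/lower case,
    at least one digit, and no dictionary word anywhere in the password.
    The minimum length is an assumption; the post gives none.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    lowered = password.lower()
    # Substring match, so "Winter2003" is caught, not only the bare word.
    for word in sorted(wordlist):
        if len(word) >= 4 and word in lowered:
            problems.append("contains dictionary word %r" % word)
    return problems


# A sender address must have a local part, an "@" and a dotted domain.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify_message(raw_message, my_address):
    """Apply the two mail-filter rules from the checklist to one message.

    Returns "reject" when the From address lacks the "@" or ".", "spam" when
    my_address appears in neither To: nor Cc:, and "ok" otherwise.
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    if not ADDRESS_RE.match(sender):
        return "reject"
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(fields)}
    if my_address.lower() not in recipients:
        return "spam"
    return "ok"


# Constructed sample messages (not real mail).
MSG_DIRECT = "From: Alice <alice@example.org>\nTo: me@example.net\nSubject: hi\n\nbody\n"
MSG_CC = "From: bob@example.org\nTo: list@example.org\nCc: Me <me@example.net>\n\nbody\n"
MSG_NOT_TO_ME = "From: deals@example.org\nTo: someone@example.com\nSubject: offer\n\nbody\n"
MSG_BAD_SENDER = "From: mailer-daemon\nTo: me@example.net\nSubject: bounce\n\nbody\n"

if __name__ == "__main__":
    for pw in ("Winter2003", "horizon", "Tr0ub4dor&3"):
        print(pw, "->", password_problems(pw) or "passes")
    for name, raw in (("direct", MSG_DIRECT), ("cc", MSG_CC),
                      ("not to me", MSG_NOT_TO_ME), ("bad sender", MSG_BAD_SENDER)):
        print(name, "->", classify_message(raw, "me@example.net"))
```

The "not addressed to me" rule is a blunt instrument: legitimate mailing-list traffic (like this list) is addressed to the list, not to you, so in practice it should mark mail for review rather than discard it, and list addresses need to be whitelisted before it is useful.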
