Security Basics mailing list archives

Re: XP box maintenance and lockdown


From: Jimi Thompson <jimit () myrealbox com>
Date: Sat, 03 Jan 2004 00:47:28 -0600

Explanation of Router vs. Firewall.

Think of a brick of modeling clay. Now start stuffing drinking straws through the brick. That's what your router ACLs ("rules") are like. The traffic just flows through the straw. If, for example, you have port 53 open, then I can send whatever I want via port 53. For example, if I am scanning your network to see what you have, I can just scan on port 53, and you'll never know, because your router passes all traffic from port 53. If you have a stateful, packet-inspecting firewall, you will know. The firewall will be looking to see 1) whether a legitimate (according to the firewall rules) machine made the request, 2) that the traffic is indeed a DNS request/answer, and 3) that the request is either completed or timed out in an appropriate amount of time.

Recommendations:

  1. Get rid of one of the antivirus software suites. Two is way too
     many. I've seen problems with cross-linked files that
     required reformatting of the hard drive.
  2. I would not install the second firewall either. I've seen this
     cause problems so severe that the OS had to be reinstalled to
     recover. If you want to run IDS on your box, get WinSnort.
  3. What are you doing with this box? It's very hard to assess the
     appropriate level of paranoia if you don't tell us that it's going
     to sit in a DMZ, or in front of a DMZ, or whatever. Is this a laptop?
  4. I'd suggest getting Spybot Search & Destroy and running it
     periodically
  5. I'd suggest installing Spyware Blaster since it blocks a lot of
     ActiveX stuff from being able to install automatically
  6. I'd install the Google Toolbar since it's about the best pop up
     blocker around and it's free
  7. Depending on the level of paranoia, I'd probably be hacking the
     registry to turn off the administrative shares and such. Be
     careful because securing a Windows box in this manner can easily
     leave it inoperable (not a joke and not meant to be flame bait).
  8. Rename the "Guest" account.
  9. Add a new "dummy" account named "Guest" with full auditing turned
     on so you'll know if anyone tries to use it. Be sure that this
     account does not have privileges to anything.
 10. Rename "Administrator" to something that's NOT intuitive.
 11. Add a new "dummy" account named "Administrator" with full auditing
     turned on so you'll know if anyone tries to use it. Same goes for
     the privileges.
 12. Turn on full auditing for any privileged account.
 13. Turn on partial auditing for any unprivileged account
 14. Turn off the "remote assistance" "feature" in XP
 15. Enable IPSEC
 16. Uninstall any Windows services that you don't need, if possible.
 17. Disable any unnecessary services that you cannot uninstall.

HTH,

Jimi


J. Yoon wrote:

I'm doing routine maintenance and locking down an XP box.
Please advise if there's anything I've missed.

Preliminaries: run a simple disk cleanup, spyware scan, and a quick virus scan

Hardware Drivers.
- Update all Drivers for soundcard/diskcontrollers/videocards/usb/etc/...
- Update BIOS and do a new flash if needed.
- Update Router firmware

Software Patches
- download latest XP patches from windowsupdate.microsoft.com
- download latest virus definitions
(I'm using 2 virus scanners, Grisoft AVG
http://www.grisoft.com and Norton Antivirus
)

- download latest updates for your IDS or software Firewall
(such as Sygate Personal Firewall from
http://smb.sygate.com/support/documents/spf/spf_download.htm
)

(By the way, is there any significant benefit in using a software firewall if i already have a router.. other than it working like an IDS)?

- latest updates for Ad-Aware
(a spyware removal software from
www.lavasoft.de/software/adaware/
)


Scan / Fix
(Unplug computer from internet at this point in time)
- run a full system cleanup and get rid of all cookies/temp files/junk/ etc
- run a full spyware scan using "deep scan"
- run a virus scan that checks ALL files, with heuristics (and/or 'houndog') turned on
- run scandisk or diskdoctor of some sort
- run a full defragmentation using defrag/speedisk/diskkeeper of some sort

Account configuration
- change all passwords so that each has a combination of upper/lowercase letters and numbers,
and does not use any words from the dictionary of any language
- create a user account for yourself and others
so that you don't get in the habit of using the administrator account all the time.

Router Configuration
- take care of any license issues
- disable all ports/services (so that we can enable services on a "need"-only basis)
- Refer to the history/log of applications that have been running
to obtain the protocol, local port, remote port, and IP address needed to grant access.
- If additional security is needed, assign to mac address instead of IP

For Sygate Personal Firewall only :
- Enable intrusion detection, port scan detection, anti-mac spoofing, anti-ip spoofing
- Enable driver level protection, OS fingerprint masquerading
- configure so that it blocks all traffic when service not loaded
- enable stealth mode browsing, but disable this if it causes too many problems.
- Enable DLL authentication and check "automatically allow known DLLs"
- enable smart DNS, smart DHCP, and SmartNETBIOS
- Automatically block the attacker's IP for a number of seconds
- you may also want to set it so that it notifies you via email of any attacks.

Browser Configuration
- disable all scripting, java, flash, active-x, and plug-ins and enable only as needed
- delete all existing cookies
- disable 3rd-party cookies and/or set cookie policy according to privacy settings
- configure popup window blocking feature if needed
- use encryption when storing sensitive data
- configure so that it warns you if you're entering/leaving an unencrypted page
- configure client certificate selection and CRL/OCSP (certificate status protocol) as needed

Mail Configuration
- set any POP/Mail clients to use encryption/ SSL so that passwords are not sent unencrypted
- disable cookies in Mail and Newsgroups
- disable default viewing of images, as they can be used for tracking purposes by spammers
- set a filter so that any email address that does not contain the @ "at sign" and . "dot" is automatically rejected
- you may also wish to set a filter so that if your own email address does not appear in the "To:" or "CC:" field, the email is considered spam

Access Control
- set and verify folders that need to have access restrictions
- enable encryption on private files if necessary

Recovery Disk
- make a boot disk from your Operating System
- make a password recovery disk
- make a virus boot disk as well
now you have 3 ways to get back on your feet in case something happens

Test
- Run a port scanner. Blue Globe Software, for example, offers a program called Port Scanner
(www.islandnet.com/~cliffmcc/portscanner.html). Raw Logic Software's NetView Scanner
(www.rawlogic.com/products.html) provides details about vulnerable ports and additional
tools for detecting network clients that have Windows file and print sharing enabled.
I've heard that Nessus is also great. I suppose you can use others such as Insecure.org's NMAP
(www.insecure.com/nmap) and cotse, but I don't know if they work on XP.

Backup
- locate and backup private keys and additional configuration files
- backup all the latest drivers you've downloaded so far
- make a full backup to a removable storage

Opt-Out / Proactive Privacy protection
- go to www.doubleclick.com and search for a link where you can tell them not to track or abuse your personal information
- not posting private email or personal information when posting to online newsgroups
or mailing lists may also help
- not sure if they are still in effect, but the national do-not-call registry might help reduce some unwanted spam
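The router-ACL versus stateful-firewall distinction in the reply above, as an added Python example that is not part of either post. It models a stateless rule that lets any UDP packet with port 53 at either end through, beside a minimal stateful filter that admits an inbound packet only as the answer to a DNS request it saw leave, from the one approved resolver, before a timeout. The addresses (RFC 5737 documentation ranges), the fake clock and the `is_dns` flag standing in for payload parsing are assumptions of the example; a real firewall would parse the DNS message and match the transaction ID, and this model does nothing against an attacker who spoofs the resolver's address and guesses the client port.

```python
"""Added example: a stateless router ACL versus a stateful firewall, for UDP port 53.

Packets and addresses are constructed (RFC 5737 documentation ranges); the
is_dns flag stands in for parsing the payload as a DNS message.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

INSIDE = "192.0.2.10"        # the protected host
RESOLVER = "198.51.100.53"   # the one DNS server the firewall rules permit
ATTACKER = "203.0.113.7"     # an outside host scanning the network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"
    is_dns: bool = False     # True when the payload parses as DNS (assumed here)


def stateless_acl(pkt: Packet) -> bool:
    """Router-style rule: pass any UDP packet that has port 53 at either end.

    Header-only and memoryless: a scan sent *from* source port 53 to any port
    on the inside host is indistinguishable from a DNS answer.
    """
    return pkt.proto == "udp" and 53 in (pkt.sport, pkt.dport)


Flow = Tuple[str, int, str, int]   # (src, sport, dst, dport) of the request


class StatefulFirewall:
    """Minimal stateful inspection of DNS over UDP (the three checks in the post).

    1) only the inside host asking the approved resolver opens a state entry,
    2) both request and answer must look like DNS,
    3) the answer must arrive before the request times out; one answer closes it.
    """

    def __init__(self, clock: Callable[[], float], timeout: float = 5.0) -> None:
        self.clock = clock
        self.timeout = timeout
        self.pending: Dict[Flow, float] = {}
        self.dropped: List[str] = []     # audit trail of what was refused

    def outbound(self, pkt: Packet) -> bool:
        allowed = (pkt.proto == "udp" and pkt.dport == 53 and pkt.is_dns
                   and pkt.src == INSIDE and pkt.dst == RESOLVER)
        if allowed:
            self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = self.clock()
        else:
            self.dropped.append(f"outbound, not an approved lookup: {pkt}")
        return allowed

    def inbound(self, pkt: Packet) -> bool:
        flow: Flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse the tuple
        started = self.pending.get(flow)
        if started is None:
            self.dropped.append(f"inbound, no matching request: {pkt}")
            return False
        if self.clock() - started > self.timeout:
            del self.pending[flow]
            self.dropped.append(f"inbound, request timed out: {pkt}")
            return False
        if not pkt.is_dns:
            self.dropped.append(f"inbound, not DNS: {pkt}")
            return False
        del self.pending[flow]           # one answer completes the request
        return True


def demo() -> Dict[str, bool]:
    """Run one legitimate lookup and one port scan through both filters."""
    now = [0.0]                          # fake clock so the timeout is reproducible
    fw = StatefulFirewall(clock=lambda: now[0], timeout=5.0)

    request = Packet(INSIDE, 40123, RESOLVER, 53, is_dns=True)
    answer = Packet(RESOLVER, 53, INSIDE, 40123, is_dns=True)
    scan = Packet(ATTACKER, 53, INSIDE, 445)   # "DNS" source port, SMB destination

    fw.outbound(request)
    now[0] += 0.02                       # the answer arrives 20 ms later
    return {
        "acl_passes_scan": stateless_acl(scan),
        "firewall_passes_scan": fw.inbound(scan),
        "acl_passes_answer": stateless_acl(answer),
        "firewall_passes_answer": fw.inbound(answer),
        "firewall_passes_replay": fw.inbound(answer),   # state already consumed
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The ACL passes the scan packet and the answer alike; the firewall passes the answer once, refuses the scan because no request opened that flow, and refuses a replayed answer. Raising the clock past `timeout` before the answer arrives makes the third check fire.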

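The two header filters from the quoted checklist's mail configuration (reject a sender address without "@" and "."; treat mail that names you in neither To: nor Cc: as spam), as an added Python example that belongs to neither post. `MY_ADDRESS`, the sample messages, and the reading that the "." must fall in the domain part are assumptions of the example. The last sample shows the caveat a practitioner would want: a message sent to a mailing list, like this very thread, carries the list address in To:, so the second rule flags it; whitelist list addresses before turning that rule on.

```python
"""Added example: the two header-based mail filters from the checklist.

Messages are constructed for the demo; MY_ADDRESS is an assumed owner address.
"""
import email
from email.utils import getaddresses, parseaddr

MY_ADDRESS = "jyoon@example.net"  # assumed: the mailbox owner's own address


def sender_is_plausible(sender: str) -> bool:
    """Rule 1: the From: address needs a local part, an '@' and a dotted domain.

    The checklist says 'contains @ and .'; requiring the dot in the domain part
    is a small tightening so that 'a.b@localhost' does not slip through.
    """
    local, at, domain = sender.rpartition("@")
    return bool(local) and at == "@" and "." in domain and not domain.startswith(".")


def addressed_to_me(msg, my_address: str) -> bool:
    """Rule 2: my address must appear in To: or Cc: (case-insensitive)."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(fields)}
    return my_address.lower() in recipients


def classify(raw: str, my_address: str = MY_ADDRESS) -> str:
    """Return 'reject', 'spam' or 'ok' for one RFC 822 message."""
    msg = email.message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    if not sender_is_plausible(sender):
        return "reject"
    if not addressed_to_me(msg, my_address):
        return "spam"
    return "ok"


# Constructed sample messages; only the headers matter for these rules.
SAMPLES = {
    "direct": (
        "From: Jimi Thompson <jimit@example.com>\n"
        'To: "J. Yoon" <jyoon@example.net>\n'
        "Subject: Re: XP box lockdown\n\n"
        "Looks fine.\n"
    ),
    "bogus_sender": (
        "From: promo\n"
        "To: jyoon@example.net\n"
        "Subject: hi\n\n"
        "click here\n"
    ),
    "bcc_blast": (
        "From: deals@example.org\n"
        "To: undisclosed-recipients:;\n"
        "Subject: offer\n\n"
        "buy now\n"
    ),
    "cc_copy": (
        "From: alice@example.com\n"
        "To: bob@example.com\n"
        "Cc: JYoon@Example.NET\n"
        "Subject: fyi\n\n"
        "see below\n"
    ),
    # The caveat: list traffic is addressed to the list, not to you.
    "list_post": (
        "From: jimit@example.com\n"
        "To: security-basics@example.org\n"
        "Subject: Re: XP box maintenance and lockdown\n\n"
        "Explanation of router vs. firewall.\n"
    ),
}


def run_samples() -> dict:
    """Classify every sample; returns {name: verdict}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13s} -> {verdict}")
```

Rule 1 is cheap and safe; rule 2 is where the false positives live (mailing lists, Bcc'd mail from colleagues), which is why it is a "consider as spam" filter rather than a reject.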

