Full Version: HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA
The Planet Forums > Operating Systems > Microsoft Windows
APK
INTRODUCTION:

(Afterwards, the actual steps to perform beyond CIS Tool suggestions (which will need you to use tools like secpol.msc, gpedit.msc, services.msc, regedit.exe, explorer.exe + more, yet, all native tools to your OS) will be listed for your reference, each in their own post reply, to avoid "clutter"):

Windows CAN be secured very well, but, you have to go through some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - new holes/vulnerabilities appear in the OS & its libs + apps, but this gets you closer, if not as close as a body needs to be!).

THIS IS GEARED TO "stand-alone" systems online on the internet (However - it can be adapted for LAN/WAN office or home networked environs, BUT, pay attention to step #2's 'warnings' about pulling Client For Microsoft Networks, &/or File & printer sharing - most networks require/need this)

--------------------------------------------------------------------------------------------------------------
BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:
--------------------------------------------------------------------------------------------------------------


Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):

http://www.microsoft.com/downloads/Browse....rder=descending

It is a personally 'security-hardened' model I have been working on for many years, using principles I learned & used since the NT 3.5x days onward to this version of the OS: As is now?

I score an 85.760 on the CIS Tool 1.x currently as of 10/10/2007!

http://forums.techpowerup.com//attachment....mp;d=1192208359

This is up from my past score here of 76.xxx on it (default score I had prior to this security hardening via CIS TOOL & its advisements & past the 84.735 I initially hardened it up to, & later 85.185 as well), & here is how to do it!

Currently, I can go NO higher than this score of 85.760 (of 100 total) on CIS Tool 1.x for Windows, pictured here (photo proof/pictures DO say, a 1,000 words (like this post, lol)) & even IF I could get past the few areas I know are wrong (the test errs, as it does on some areas in LINUX as well), I cannot get past 88% or so, period!

============================================================================
HERE ARE LINUX SCORES FROM CIS TOOL (SuSE Enterprise Linux under VMWare):
============================================================================

HARDENED LINUX:

http://forums.techpowerup.com//attachment....mp;d=1192894351

DEFAULT LINUX:

http://forums.techpowerup.com//attachment....mp;d=1192894012

(It appears that LINUX has FAR FEWER TESTS, when compared to the SIZE of the Windows tests, & Linux CAN reach 90++ scores (but there is an error in CIS TOOL preventing myself from going to a higher than 85.760 score & I have submitted the data to CIS TOOL's authors on that account WITH PROOFS, and even if I could get the few areas I am scored down on still, it would not add to past 88% or so... bug, bigtime, do the math from my score & see))

============================================================================

That is a DECENT ENOUGH score (especially considering the default score of VISTA even, is FAR BELOW THAT! Nice part is? The techniques noted here can LARGELY APPLY TO VISTA AS WELL, but afaik there is no CIS Tool version for VISTA (yet)! Still, read on...)

(For CIS Tool - There are Linux, Solaris, BSD variants, & other OS models ports (some only in .pdf security guide form though, not programmatically automated yet, like MacOS X) of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)

-------------------------------------------------------------------------------------------------------------------
DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:
-------------------------------------------------------------------------------------------------------------------


http://www.cisecurity.org/bench.html

IMPORTANT: This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!

It actually makes it "FUN", in a techie/geeky/nerdy (whatever) kind of way, in that you really find out WHAT it is you know, vs. the CIS Tool results, as far as securing a Windows NT-based system. E.G./I.E,-> I've been @ this field in a professional capacity since 1994, & it taught me a "trick-or-two", let's put it THAT way.

CIS Tool = Great stuff, that makes much of this easier (what I add ontop of it is in the next steps)!

APK

P.S.=> Now that the "introductory material" (tools to use, how/why, results possible, etc. et al) has been put down? Now, here we go to the actual "meat" of the subject in my next post(s).

Also - IF you have more to add to this, OR critique of my points? Please - have @ it & let 'em rip (as we ALL can gain by for security & peace-of-mind online hopefully)

HOWEVER, please - hold off on the "English Grammar" critiques + "writing style" stuff (I did my best + refine it as I go & add more)

I would try to have made it shorter too, but it's complex material @ times, & definitely a lot of it (CIS Tool helps though)!

(So please, as to critiques - I only ask that you keep it computer security technically oriented, adding points I may have missed or supplementing those I suggest with alternates to things I Have).

Thanks! apk
APK
Instead of putting ALL 12++ steps into a single post (which IS what this particular post in this thread was)? I have decided to break each point up into its OWN posting in this thread, for readability's sake...

(Hence, the edit of THIS post)


* Enjoy!

APK
APK
===============================================================================
APK 12 STEPS TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):
===============================================================================

1.) HARDENING & SECURING SERVICES HOW-TO (longest one of the lot but, one well worth pursuing... read on):

Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE).

I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privilege user too for this on 2000 if needed)...

(The reason I mention this, is, this "technique" IS a superiority of MORE MODERN Windows NT-based OS over their ancestors (especially NT 3.x-4.0) & on par w/ how this makes your Win32 NT-based OS' like 2000 (with more work), XP, Server 2003 (VISTA too if needed), very much like how MacOS X treats its daemon processes via privilege levels, which uses the same general principles)

It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

This is for SERVICES YOU ACTUALLY NEED TO RUN (many, you really don't - this has always astounded me, & MS can put out "home versions" more this way imo, for gamers especially (auto-service "lean tuned turbocharged" for performance/speed/less resources consumption)).

ON THAT NOTE (for performance AND security)? CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED - AGAIN, SIMPLY SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this!

Please, if you don't do this already? Hey - do consider it, when possible! It works like NO TOMORROW...

Many guides online exist for this, & I authored one of the first "back in the day" for NTCompatible.com as "Article #1" back in 1997/1998 - 2002 (early model is in URL below, much detail on registry hacks too for speed & security in it, cited in 2002 @ NeoWin):

http://www.neowin.net/news/main/01/11/29/a...--security-text

The latest ones are even BETTER/MORE CURRENT, as there are ones that DO EXIST FOR VISTA ONLINE ALSO!

Anyhow - on the note of 3rd party services, & many native ones (for 2000/XP/Server 2003, but not fully on VISTA as I do not run it @ home or on the job)?

I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

===============================================================================

LOCAL SERVICE startable list (vs. LocalSystem Logon Default):

Acronis Scheduler 2 Service
Alerter (needs Workstation Service Running)
COM+ System Application
GHOST
Indexing Service
NVIDIA Display Driver Service
Office Source Engine
O&O Clever Cache
Remote Registry
Sandra Service
Sandra Data Service
SmartCard
Tcp/IP NetBIOS Helper
Telnet
UserProfile Hive Cleanup Service
Volume Shadowing Service
Windows UserMode Drivers
Windows Image Acquisition
WinHTTP Proxy AutoDiscovery Service

----------

NETWORK SERVICE startable list (vs. LocalSystem Logon Default):

ASP.NET State Service
Application Layer Gateway
Clipbook (needs Network DDE & Network DDE DSDM)
Microsoft Shadow Copy Provider
Executive Software Undelete
DNS Client
DHCP Client
Error Reporting
FileZilla Server
Machine Debug Manager
Merger
NetMeeting Remote Desktop Sharing Service
Network DDE
Network DDE DSDM
PDEngine (Raxco PerfectDisk)
Performance Logs & Alerts
RPC
Remote Desktop Help Session Manager Service
Remote Packet Capture Protocol v.0 (experimental MS service)
Resultant Set of Policies Provider
SAV Roam
Symantec LiveUpdate
Visual Studio 2005 Remote Debug

===============================================================================

PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SIDs as far as I know, not standard passwords.

WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

*****************************************************************************

If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

If that fails (shouldn't, but IF it does)? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

ListSvc (shows services & drivers states of stopped or started)

Enable (starts up a service &/or driver)

Disable (stops a service &/or driver)

Which can turn them back on if/when needed

(ON Virtual Disk Service being removed, specifically (because it used to be in this list)): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

===============================================================================

SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

http://forums.techpowerup.com/showthread.php?t=16097

"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use it's File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

(It's easy, & it works, & is necessary for the actual steps to do this, below)

Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

------------------------------------------------------------

STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

(To define a new security template, follow these steps)

1. In the console tree, expand Security Templates
2. Right-click %SystemRoot%\Security\Templates, and then click New Template
3. In the Template name box, type a name for the new template.

(If you want, you can type a description in the Description box, and then click OK)

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

1. To define a System Services policy, follow these steps:
a. Expand System Services
b. In the right pane, double-click the service that you want to configure
c. Specify the options that you want, and then click OK.

DONE!

APK

P.S.=> Again, this is probably the MOST lengthy & hardest of the lot, so DO NOT LET IT DISCOURAGE YOU, the rest of this article is far simpler/shorter to do, & yields benefits that are as good as THIS long step, especially in combination with it (for security) & are much shorter/simpler to do... apk
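An added example for this step (my own script, not from the original post and not part of CIS Tool or any other tool the post names): it audits which services still log on as LocalSystem and prints, without running them, the sc.exe commands that would move a set of services from the post's LOCAL SERVICE / NETWORK SERVICE lists to those accounts. It assumes a Windows host with PowerShell 3 or later (for Get-CimInstance) and sc.exe on the PATH; the service display names are taken from the lists above, and any not present on the machine are skipped.

```powershell
# Added example, not part of the original post or of any tool it names.
# Audits service logon accounts and prints (does not run) the sc.exe commands
# that would move a chosen set of services off LocalSystem. Assumes a Windows
# host with PowerShell 3+ (Get-CimInstance) and sc.exe on the PATH.

# Display names taken from the post's LOCAL SERVICE / NETWORK SERVICE lists;
# services absent on this machine are simply skipped.
$toLocalService   = @('Remote Registry', 'Indexing Service', 'Telnet',
                      'Windows Image Acquisition', 'Tcp/IP NetBIOS Helper')
$toNetworkService = @('DNS Client', 'DHCP Client', 'Performance Logs & Alerts',
                      'Error Reporting')

# Win32_Service.StartName is the logon account; 'LocalSystem' is the default.
$services = Get-CimInstance -ClassName Win32_Service

function Get-LocalSystemServices {
    # Everything still running with OS-level privileges, auto-started ones
    # first, since those are the ones worth looking at.
    $services | Where-Object { $_.StartName -eq 'LocalSystem' } |
        Sort-Object StartMode, DisplayName
}

function Get-HardeningCommands {
    param([string[]]$DisplayNames, [string]$Account)
    foreach ($svc in $services) {
        if (($DisplayNames -contains $svc.DisplayName) -and
            $svc.StartName -eq 'LocalSystem') {
            # sc.exe syntax needs the space after 'obj=' and 'password='.
            # The password is blank: the built-in service accounts have none.
            "sc.exe config `"$($svc.Name)`" obj= `"$Account`" password= `"`""
        }
    }
}

$sys = @(Get-LocalSystemServices)
Write-Host ("{0} of {1} services log on as LocalSystem" -f $sys.Count, $services.Count)
$sys | Format-Table -AutoSize DisplayName, Name, StartMode, State

Write-Host "`nCommands to review before running (one service at a time, then test):"
Get-HardeningCommands $toLocalService   'NT AUTHORITY\LocalService'
Get-HardeningCommands $toNetworkService 'NT AUTHORITY\NetworkService'

# Roll-back for a service that misbehaves after the change (the post's Safe
# Mode step, done from an elevated prompt instead):
#   sc.exe config "<ServiceName>" obj= "LocalSystem" password= ""
# Check the result with:  Get-Service "<ServiceName>"  (State should be Running)
```

Run it from an elevated PowerShell prompt. The script only prints the commands, so you can apply them one service at a time and test in between, exactly as the post advises; the dependency caveats in the lists (e.g. Alerter needing Workstation) still apply.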
APK
IF you have a HOME LAN/network? You skip this/leave this alone!

(... & do not disable the SERVER service (it creates the hidden default C$ administrative share for example) in services.msc & keep 127.0.0.1 (the default lone entry it has) in your %windir%\system32\drivers\etc HOSTS file as well).

2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)!

E.G.-> Here? I pull ANY Networking clients (Client for MS Networks/File & Printer Sharing) &/or Protocols (QoS = just 1 example) in the Local Area Connection! You can either UNCHECK THEIR CHECKBOXES (if say, you do decide to bind this machine to a network of somekind one day, OR have to occasionally (with family/friends' PC's or LAN parties for example))... OR, wholesale uninstall them.

NOTE - sometimes, even TROJANS/SPYWARES/MALWARES HIDE HERE ALSO - the std. set is:
    Client For Microsoft Networks (removable via uninstall OR uncheck of checkbox if you have no LAN connectivity needs)
    File and Printer Sharing (removable via uninstall OR uncheck of checkbox if you have no LAN connectivity needs)
    QoS (removable via uninstall OR uncheck of checkbox if you have no LAN connectivity needs)
    Tcp/IP Internet Protocol (need it to get online AND for Active Directory Networks too)
(That is, unless it's for an antivirus & their Layered Service Provider hacks, such as Trend Micro uses here, or more "hidden ones" like NOD32 or NAV use - sometimes, they're OK! So... look up others you MAY see here & decide if you need them or not, or if programs you do use that are LEGITIMATE need the others I do not list that are not std. w/ Microsoft OS', as those are above)

So, other than Tcp/IP typically, it gets removed here if I have no LAN (via either uninstall OR uncheck).

(I also disable NetBIOS over Tcp/IP in the WINS section of Tcp/IP Properties ADVANCED button section also - see, if you don't have a HOME or WORK LAN you can & go faster + be potentially more secure also. Again, for my single machine setup currently here, I certainly don't need anything more than Tcp/IP running, as I am currently @ home on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN).

Stopping the SERVER service helps here as well (no shares possible, not even the default C$ administrative share, iirc)

Also regarding the HOSTS file (which I also mention in this article as it yields HUGE security and speed benefits, more than this does by far imo)?

IF you have a LAN/WAN you use (or not), you will have to have the mandatory entry of:

127.0.0.1 localhost

In the HOSTS file, more on it below (needed for networking with a LAN/WAN - you could technically, dispense with it otherwise, but, as you can see above? It has practical uses... even SpyBot utilizes it & that is one HELL of a program, for this purpose: SECURITY!).

APK
APK
3.) Use IP security policies (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:

http://www.analogx.com/contents/articles/ipsec.htm

(Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)

NOTE: This can be 'troublesome' though, for folks that run filesharing clients though.

An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.

(HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it & when done? TURN THEM ON, AGAIN! These work WITH software & hardware router firewalls, IP port filtering, and security IP policies, simultaneously/concurrently, for "layered security", no hassles!).

APK
APK
Port Filtering (HOW TO & WHY)

4.) Another thing I do for securing a Windows NT-based OS: IP Port Filtrations (like ip security policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IPSecurity policies, hardware AND software firewalls, all in combination/simultaneously running)!

DIRECTIONS ON HOW TO IMPLEMENT THEM (very easy):

Start Menu -> Connect To item (on the right-hand side) -> Local Area Connection (whatever you called it, this is the default, iirc): open it via double-click OR the right-click popup menu PROPERTIES item.

-> Properties button on the left-hand side bottom, press/click it.

-> NEXT SCREEN (Local Area Connection PROPERTIES) -> "This connection uses the following items": go down the list to Tcp/IP, select it & click the PROPERTIES button there.

-> Press/click the Advanced button @ the bottom right-hand side (shows the Advanced Tcp/IP Settings screen).

-> OPTIONS tab: use it & Tcp/IP Filtering is in the list, highlight/select it.

-> Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side.

-> Check the "Enable Tcp/IP Filtering (on all adapters)" selection.

-> In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp).

-> In the far left "tcp ports" list: check off the radio button above the list titled "PERMIT ONLY", & then add the ports you want to have open (all others will be filtered out; for example, I leave ports 80, 8080, & 443 open here, only on my standalone, non-networked home machine (for a HOME or WORK LAN, you may need to open up ports 135/137/139/445 for a Windows-based network for file & print sharing PLUS enable NetBIOS over Tcp/IP in your network connection properties & ENABLE Client for Microsoft Networks & File and Print Sharing too); you may need more if you run mail servers & what-have-you (this varies by application)).

-> I leave the UDP section "PERMIT ALL" because of the ephemeral/short-lived ports usage that Windows does (I have never successfully filtered this properly, but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)).

-> DONE!

You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA? This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

----

http://www.microsoft.com/technet/community...guy/cg0605.mspx

(In THAT url above? Trust me - Enjoy the read, it is VERY informative: That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

----

Also, these URL's will be helpful as well, bigtime (for understanding (e.g. - knowing which IP ports you need to leave open & why (or, why not)):

IANA PROTOCOL NUMBERS LIST:

http://www.isi.edu/in-notes/iana/assignmen...rotocol-numbers

IANA PORTS LIST (well-known, registered, & dynamic/private ports):

http://www.isi.edu/in-notes/iana/assignments/port-numbers

APK
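An added example covering both this step and step #2 above (my own script, not from the original post): before switching the TCP list to PERMIT ONLY, it inventories what is actually listening, marks which listeners the post's permit list (80/8080/443) covers, and tags the ports that exist only for Microsoft networking (135/139/445), so you can see whether pulling Client for Microsoft Networks / File & Printer Sharing actually closed them. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection; on the older systems the post targets, `netstat -ano` shows the same raw data.

```powershell
# Added example, not part of the original post. Inventories listening TCP
# ports against the permit list the post uses, so the PERMIT ONLY list is
# built from evidence. Assumes Get-NetTCPConnection (Windows 8 / Server 2012+).

# The ports the post leaves open on a stand-alone machine.
$permit = @(80, 443, 8080)
# Ports that only matter for Microsoft networking (step #2 of the post).
$lanOnly = @{ 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'; 445 = 'SMB' }

function Get-ListeningInventory {
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port      = $_.LocalPort
                Address   = $_.LocalAddress
                Process   = if ($proc) { $proc.ProcessName } else { 'pid ' + $_.OwningProcess }
                Permitted = $permit -contains $_.LocalPort
                # hashtable keys are Int32, LocalPort is UInt16: cast or the lookup misses
                LanOnly   = $lanOnly[[int]$_.LocalPort]
            }
        }
}

$inventory = Get-ListeningInventory
$inventory | Format-Table -AutoSize

# Anything reachable from the network that the permit list does not cover:
# either add it (mail server etc., as the post says) or find out what opened it.
# Loopback-only listeners are not reachable from the network, so they are
# left out of this report.
$gaps = $inventory | Where-Object {
    -not $_.Permitted -and $_.Address -notin '127.0.0.1', '::1'
}
if ($gaps) {
    Write-Host "`nListening but not in the permit list:"
    $gaps | Format-Table -AutoSize Port, Address, Process, LanOnly
}

# If 139 or 445 still show up after step #2, the SERVER service is still
# running (the post's note about stopping it applies):
Get-Service LanmanServer -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
```

Run it before and after the filter change: the "before" run tells you what to put in the permit list, and the "after" run (plus the reboot the post mentions) confirms nothing you need was cut off.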
APK
CUSTOM HOSTS FILE USAGE (for speed, AND SECURITY)

5.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE (my personal one houses, as of this date, 90,000 known adbanner servers, OR sites known to bear malicious code & exploits (per GOOGLE mostly, from stopbadware.org))

Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filtering files + cascading style sheets for this purpose.

(As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))

For a copy of mine, write me, here -> apk4776239@hotmail.com

And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)

OR, JUST DOWNLOAD IT HERE:

http://forums.techpowerup.com/attachment.p...mp;d=1172567412

----

An example of WHY you'd want to use one of these for security's sake? Read here:

Why use an ADBANNER BLOCKING HOSTS file? Here is why: - techPowerUp! Forums

----

ADDITIONALLY, because on Windows Server 2003 (however, no others I have seen @ least so far), sometimes, the HOSTS file precedence vs. say, local DNS servers on a LAN, gets overridden by them? You MAY have to implement this:

How to change name resolution order on Windows 95 and Windows NT

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"LocalPriority"=dword:00000005
"HostsPriority"=dword:00000006
"DnsPriority"=dword:00000007
"NetbtPriority"=dword:00000008

(LOWER NUMBERS HERE = GREATER PRIORITY)

As you can see, I give my LOCAL DNS Cache the greatest priority (because it has my HOSTS file loaded into it @ system startup (IP stack startup, actually)), & THEN, my custom adbanner blocking/speedup fav sites (which this post is showing folks how to do, & yes, it works) is next, & then my ISP/BSP's DNS servers, & lastly NetBios/WINS stuff (which I just plain do NOT use, because I have no LanManager style network running here, ONLY Tcp/IP)

----

IMPORTANT NOTE: IF your system seems to "lag" while the HOSTS file is in use (this typically does not occur with 1mb or less sized HOSTS files in my experience), especially IF it is a relatively LARGER SIZED one (in the case I saw where this happened, it was a 12mb sized one I use, & it was applied on a Windows XP Home Edition system w/ 256mb of RAM on an AMD Athlon64 3200mhz system), YOU MAY HAVE TO DISABLE YOUR DNS Client Service!

* This is achieved via going to the START button, RUN command, type in SERVICES.MSC & once it comes to the screen, find the DNS Client Service in the list of services & right-click on it (or, doubleclick) & use the PROPERTIES screen, & use the STOP button (to stop the service) & then set its startup type to DISABLED, & this 'lagging' goes away (reboot is recommended, especially on Windows 2000 systems, for the HOSTS file to reload... otherwise, changes may take up to 5 minutes to take, so reboots make that quicker & assured on ANY MS Windows NT-based OS (2000/XP/Server 2003 & VISTA)).

----
DIRECTIONS FOR USE (also in my downloadable CUSTOM HOSTS file above, with MORE on how to really use them to get even more speed than blocking adbanners mind you is in its internal documentation):

You replace your:

%windir%\system32\drivers\etc

Original version of HOSTS with this one (overwrite it, but, first copy your original OR rename it to keep it around IF ever needed), & have @ it (HBO internet, no commercials + thus MORE SPEED (and, you WILL notice it) by not calling out to ad servers, loading their data, & running it... & certainly NO possibility of being infected by adbanners that bear RBN (Russian Business Network) malware javascripted/FLASH bearing adbanners that infect you as has been seen lately/very currently in fact - between this, and stalling out Java/JavaScript + ActiveX/ActiveScripting globally in your browsers as noted in the last step & why? You are "proof" against MOST attacks today (& consider disabling IFrames too, an oft used attack today as well!)).

Now, like I do? It IS possible to alter the default location of the HOSTS file, & to take away I/O from your main disk to load it by using another one... like a 2nd HDD you may have IF you have one for example!

(E.G.-> I move mine to my CENATEK RocketDrive SSD (solid state RamDisk), for F A S T access since seek times on it are 1000's of times faster than on std. mechanical disks, & doesn't matter WHAT kind - & here I also place my pagefile.sys on its own partition (first) & then webpage caches, %temp% environmental variable ops, logging (even eventlogs, which like HOSTS file, can be moved in the registry to another disk, & applications often have the ability to move their logs in their configuration screens as well)) via this registry key, should you elect to do the same:

In regedit.exe's right-hand-side pane, follow this path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

& in the left-hand-side pane of regedit.exe, you change the DataBasePath path value there to the disk & folder you wish to place your HOSTS file in (which makes for faster OS & IP stack initialization since it is on another drive, in my case an SSD so it is THAT MUCH QUICKER since seeks on them are so fast, to load the HOSTS data into your RAM (local DNS cache)).

APK

P.S.=> To keep "ontop of the latest spam mailers, & also known malicious sites" online? See these sites (1 I mentioned here already, this is the rest of the list I use, & others too):

Dancho Danchev (security expert) BLOG page:

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

SRI:

SRI Malware Threat Center

StopBadWare.org:

StopBadware.org - Welcome to StopBadware.org

Spamhaus (good for the mail end of things):

Lookup an IP Address in the Spamhaus DNSBLs

PHISHTANK ("phunny name", pun intended) - Another really GOOD bad mailer & sites listing:

PhishTank | Join the fight against phishing

Between they, & SpyBot "Search & Destroy"? I'd say you have most of, if not ALL of what a "body needs" for these purposes... if you know of others? Please - list them, & thanks! apk
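An added example for this step (my own script, not the post's HOSTS file or anything from the sites it lists): it finds the active HOSTS file through the DataBasePath value the post mentions, counts the loopback/null-route blocking entries, flags any name mapped to a routable address (the author's "sped up sites" are legitimate examples of that, but a tampered HOSTS file redirecting update or AV sites looks the same, so the list needs a human eye), reports malformed lines, and prints the resolution-order values from the .reg fragment above. It assumes Windows and the real Tcpip\Parameters and Tcpip\ServiceProvider registry locations; the sample-free logic is in Get-HostsAudit so it can be pointed at any saved copy of a HOSTS file too.

```powershell
# Added example, not part of the original post. Audits the active HOSTS file
# and shows the name-resolution priority values. Assumes Windows.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# DataBasePath is REG_EXPAND_SZ (default %SystemRoot%\System32\drivers\etc);
# Get-ItemProperty normally expands it already, the extra expand is harmless.
$dbPath    = (Get-ItemProperty -Path $params -Name DataBasePath).DataBasePath
$hostsFile = Join-Path ([Environment]::ExpandEnvironmentVariables($dbPath)) 'hosts'

function Get-HostsAudit {
    param([string[]]$Lines)
    $loopback = 0; $redirected = @(); $malformed = @()
    foreach ($raw in $Lines) {
        $line = ($raw -split '#', 2)[0].Trim()      # drop comments
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2 -or -not ($fields[0] -as [ipaddress])) {
            $malformed += $raw; continue
        }
        $ip = $fields[0]; $names = $fields[1..($fields.Count - 1)]
        if ($ip -in '127.0.0.1', '0.0.0.0', '::1') {
            # blocking entries plus the mandatory 'localhost' line
            $loopback += $names.Count; continue
        }
        # A name pinned to a routable address: your own speed-up entry,
        # or something that rewrote HOSTS behind your back.
        $redirected += [pscustomobject]@{ IP = $ip; Names = ($names -join ' ') }
    }
    [pscustomobject]@{
        Loopback   = $loopback
        Redirected = $redirected
        Malformed  = $malformed
    }
}

$audit = Get-HostsAudit (Get-Content -Path $hostsFile)
Write-Host ("{0}: {1} names on loopback/null, {2} redirected elsewhere, {3} malformed lines" -f
    $hostsFile, $audit.Loopback, @($audit.Redirected).Count, @($audit.Malformed).Count)
$audit.Redirected | Format-Table -AutoSize
$audit.Malformed

# Resolution order from the post's .reg fragment (lower number = higher priority).
$sp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider'
Get-ItemProperty -Path $sp |
    Select-Object LocalPriority, HostsPriority, DnsPriority, NetbtPriority
```

A quick sanity check worth running after every HOSTS update: the Redirected list should contain only names you pinned yourself, and the Malformed list should be empty (a stray line with no address is silently ignored by the resolver, so a typo in a blocking entry simply fails to block).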
APK
6.) USE Tons of security & speed oriented registry hacks (reconfiguring the OS basically - stuff like you might do in etc / conf in UNIX/LINUX I suppose)

WARNING: DO NOT USE THESE ON VISTA, Windows Server 2008, or Windows 7 (unless you KNOW exactly what you're doing on them though, & know which are safe there (they ARE safe on Windows 2000/XP/Server 2003 though & VERY "generic" - I recommend you get my 'latest set' directly from MYSELF though, & my email for that is below, thank you))

Download them from here @ SOFTPEDIA (where they are rated 4/5, but, the HOSTS file here is way outdated, use the one I suggest in steps below this present one instead)):

http://www.softpedia.com/get/Tweak/System-...up-Guides.shtml

OR

Read many of them here online:

=================================
APK "A to Z" Internet Speedup & Security Text!
=================================

http://www.neowin.net/news/main/01/11/29/a...--security-text

=================================

OR, just email me here for them -> apk4776239@hotmail.com

(The email option's the best, because I also have these PREBUILT, in .reg files, mind you, available by email, BUT, the ones I can mail ARE FULLY INTERNALLY DOCUMENTED!)

They are FULLY documented internally, with link url's to the Microsoft pages they came from, inside the .reg files, so YOU can look at what the hack does inside them, verify this @ MS, & know what the valid parameters are as well!

(This? It took me FOREVER a year or so ago to do this, but worth it!)

The urls, or downloadable .mht files, outline it all (as do my prebuilt .reg files, probably the BEST choice of the lot imo), as to what you can ".reg file hack" for better SPEED, and SECURITY online, in a modern Windows 2000/XP/Server 2003 OS & has references from Microsoft in it for each setting plus their definitions & parameters possible!

APK
APK
7.) USE General LOCAL security policies (in gpedit.msc/secpol.msc - afaik though, these are NOT in XP "Home" edition, sorry), these are VALUABLE tools (and will be needed & suggestions for it will be told to you by the CIS Tool noted above - great stuff!) and regedit.exe!

(Newly added - regedit.exe use is for registry ACL permissions, via its EDIT menu, PERMISSIONS submenu item (to add/remove users that have rights to registry hives/values, & to establish their rights levels therein))

ALSO NEWLY ADDED - Explorer.exe "right-click" on drive letters/folders/files (for file access ACL permissions hardening) using its popup menu selection of "PROPERTIES", & in the next screen, the SECURITY tab (to add/remove users that have rights to said items, & to establish their rights levels therein), also - this is another requirement of CIS Tool 1.x & its suggestions for better security.

HOWEVER: Here, you may not be able to see the SECURITY TAB mentioned above. This is why (AND, HOW TO FIX THAT & straight from the horse's mouth @ MS):

http://support.microsoft.com/kb/304040

==========

Turning on and turning off Simple File Sharing

Simple File Sharing is always turned on in Windows XP Home Edition-based computers. By default, the Simple File Sharing UI is turned on in Windows XP Professional-based computers that are joined to a workgroup. Windows XP Professional-based computers that are joined to a domain use only the classic file sharing and security interface. When you use the Simple File Sharing UI (that is located in the folder's properties), both share and file permissions are configured.

If you turn off Simple File Sharing, you have more control over the permissions to individual users. However, you must have advanced knowledge of NTFS and share permissions to help keep your folders and files more secure. If you turn off Simple File Sharing, the Shared Documents feature is not turned off.

To turn Simple File Sharing on or off in Windows XP Professional, follow these steps:

1. Double-click My Computer on the desktop.
2. On the Tools menu, click Folder Options.
3. Click the View tab, and then select the Use Simple File Sharing (Recommended) check box to turn on Simple File Sharing. (Clear this check box to turn off this feature.)

==========


* That turns the ability to see the NTFS ACL SECURITY TAB, back on in Explorer.exe, for YOUR usage here, in the capacity of security-hardening your machine!

APK
APK
8.) KEEP UP ON PATCHES FROM MICROSOFT, for your OS & Microsoft Office Apps, & IE, etc., HERE (ordered by release date) and run AntiVirus/AntiSpyware/AntiRootkit tools (& yes, keep them updated/current)!

http://www.microsoft.com/downloads/Browse....rder=descending

Again, keep up on antivirus/antispyware/antirootkit AND Java runtimes updates!

(Done either automatically via their services, or manually)

Download them manually & install them yourself (OR just let "Windows Automatic Updates" run)

ALSO - do the use of the "std. security stuff", like:

AntiVirus Programs
(NOD32 latest 2.7x - "best" one there is, all-around (best speed/efficiency, less "moving parts" in drivers (kernelmode-RPL0-Ring 0 portion) & services/gui usermode-RPL2-Ring3 sections + great consistent showings in detect rates, especially heuristics), & that is not only MY opinion after testing it vs. my former fav. NAV Corporate 10.2 (it is lighter in RAM & resource uses than NAV Corporate even, finds more viruses than others, & uses less "moving parts" (in the way of services componentry, than most do, & certainly less than NAV))

Proof? See here -> http://www.eset.com/products/compare.php

(That's a single source, there are others, such as av-comparatives.org, which also test & compare AntiVirus products out there as well on many levels (mostly detection rates). The URL above goes into more than that, such as program speed/efficiency/throughput, & the fact NOD32 is written almost TOTALLY in pure Assembler language (when, if coupled with a solid fast algorithm/engine, is untouchable even by C/C++ or Delphi even for that)).

+

SpyBot (Ad-Aware is another option) as my resident antispyware tool running in the background!

This tool in SPYBOT also installs & runs PERFECTLY in safemode (combined with ComboFix &/or SmitfraudFix, you can "burn out" just about ANY spyware/malware infestation in 30-60 minutes, depending on level of infection, speed of your disks/CPU/RAM, & amount of files on your disks - A good antivirus (See NOD32 above, best there is on speed/efficiency, resource consumption, & accuracy) alongside it plus vendor specialized "removal tools" is all a body needs (mostly) when infected.

AntiRootkit tools are another one to be conscious of nowadays, now that such machinations are available for Windows (they originated, afaik, in the UNIX world though).

The "best ones" (AntiRootkit scanners) & their download URL links are:

AVG AntiRootkit (no longer supported OR updated by AVG, credits to NightHawk (member of xtremepccentral.com))
BitDefender AntiRootkit
GMER
Rootkit Revealer
PrevX AntiRootkit
Rootkit Hook Analyzer
Sophos AntiRootkit
F-Secure Blacklight
Gromozon Rootkit Removal Tool
KLister
McAfee Rootkit Detective
PatchFinder
RogueRemover
VICE
System Virginity Verifier for Windows 2000/XP/2003

That is a list for you all to choose from, look them up on GOOGLE to download them from their homepages, as they all do a decent enough job though, & are 100% FREE - SO, DO use them!

APK
APK
9.) It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE IE 7 Protected Mode"-like type scenario, isolating them into their own spaces in memory, here are 2 methods, how (not needed on VISTA though, afaik):

IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":

http://it.slashdot.org/comments.pl?sid=236...mp;cid=19310513

MY METHOD for RUNNING IE in a "runas limited user class" sandbox effect:

"It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.

Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd" on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batchfile c:\windows\ie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from your normal desktop and only run it from the restricted account. This way you can use IE without worrying about any IE exploits"

---------

ANOTHER, VERY QUITE POSSIBLY SUPERIOR METHOD:

http://theinvisiblethings.blogspot.com/200...-every-day.html

See section: Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root avoiding being a child process.

Note - The "invisible thing"? She's "Yuriko DeathStrike" as far as I am concerned... Joanna Rutkowska, my fellow "Polish Person" & she's a regular "wonder" in the security/hacking/cracking world!

This is my runopera.bat which runs opera as user internet:
psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"

PLUS, Windows Server 2003 has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)

---------

ANOTHER ALTERNATIVE THAT A USER SUGGESTED ADDON TO AUTOMATE THIS STUFF ON ISOLATION OF IE:

(Per "OILY 17" (TPU forums user) suggestion, to aid in automating this (a tool)):


http://forums.techpowerup.com/showthread.p...0284#post500284

"For running IE,Firefox etc as a throw away account has anyone tried this app out yet.Recently came across it, but have not tried it out yet.
Anyone any views?

http://www.sandboxie.com/

As the name suggests runs IE etc in a sand box effect."

Thanks oily (apk) - RECENT UPDATE: I've tried "sandboxie" & understand the layered filtering driver it employs for writes (ignores reads from main HDD) & it IS a great idea, + it works!

---------

ALSO - Microsoft puts out a tool for users for 2000/XP/Server 2003 called "DropMyRights" which also works, albeit on a diff. principle than SANDBOXIE DOES (via running like VISTA UAC does, dropping user privileges to various areas of your system). It is downloadable here:

DROPMYRIGHTS DOWNLOAD URL:

http://msdn2.microsoft.com/en-us/library/ms972827.aspx

DropMyRights commandline (for shortcuts/icons on desktop properties menu via rightclick usage on them etc.) usage is in a nutshell, structured like this, using IE as an example:

"C:\Documents and Settings\Administrator\My Documents\MSDN\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet Explorer\iexplore.exe" -extoff

---------

AND, keep in mind: even XP webbrowsers have a "safemode option" (like the default one of Windows Server 2003) that doesn't allow bad plugins/addons (or any) to run. Common commandlines for your shortcuts for that are:

INTERNET EXPLORER:

"C:\Program Files\Internet Explorer\iexplore.exe" -extoff

NETSCAPE NAVIGATOR/FIREFOX:

"C:\Program Files\Netscape\Navigator 9\navigator.exe" -safe-mode

APK
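A launcher for the limited-account approach in the post above, written as an added example rather than anything from the thread or the quoted posters: it assumes the throwaway account is named IEuser (as in the quoted post) and that IE is at its default path, checks that the account exists and is not a local administrator, and uses runas so the password is typed at a prompt instead of sitting in the batch file the way the psexec line above has it.

```batch
@echo off
rem sandbox-ie.cmd - added example, not from the thread or the quoted posters.
rem Runs IE under a throwaway limited account via runas, prompting for the
rem password rather than embedding it in the script (as the psexec line does).
setlocal

rem Assumptions: account name as in the quoted post; default IE install path
set "SANDBOX_USER=IEuser"
set "BROWSER=C:\Program Files\Internet Explorer\iexplore.exe"

rem 1. The account must already exist (net user exits non-zero if it does not)
net user "%SANDBOX_USER%" >nul 2>&1
if errorlevel 1 (
    echo Account "%SANDBOX_USER%" not found. Create it as a plain user first:
    echo     net user %SANDBOX_USER% * /add
    echo     net localgroup Users %SANDBOX_USER% /add
    exit /b 1
)

rem 2. Refuse to continue if the account is a local administrator, since that
rem    defeats the point of the sandbox. (find matches substrings, so a name
rem    like "IEuser2" would also trip this check; tighten it if that matters.)
net localgroup Administrators | find /i "%SANDBOX_USER%" >nul
if not errorlevel 1 (
    echo "%SANDBOX_USER%" is in Administrators. Remove it with:
    echo     net localgroup Administrators %SANDBOX_USER% /delete
    exit /b 1
)

rem 3. Launch IE as the limited user; -extoff also disables add-ons, as the
rem    -extoff shortcut in the post does. The inner quotes are escaped with
rem    backslashes because runas takes the whole command line as one string.
runas /user:%SANDBOX_USER% "\"%BROWSER%\" -extoff"

endlocal
```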
APK
10.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person & even THEN, scan it with an antivirus (still gets email scanned though by your resident antivirus email scan component (use AntiVirus programs with these, OR, manually scan ANY attachments before opening them (if you get Microsoft Office .doc, .xls, .ppt etc. files uncompressed? HOLD DOWN THE SHIFT KEY AS YOU OPEN THEM - this stops macros from running & macros are the avenue utilized using VBA script to infect you)))

APK
APK
11.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router (with cookie & scripting filtering built-in @ the hardware level), these are excellent investments for security.

BY THE WAY, IF YOU OWN A ROUTER? TURN OFF THE UPNP FEATURES IN IT!

Why?

Take a read:

Most Home Routers Vulnerable to Flash UPnP Attack:

http://it.slashdot.org/it/08/01/14/1319256.shtml

* Just to be safe...


APK
APK
12.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP or VISTA (you have to install this, it does NOT install by default) first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as a starting point)))...

Directions for its installation are as follows:

Start the Add or Remove Programs Control Panel applet.

Click Add/Remove Windows Components.

On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

DONE! Now, run it...

It is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

ALSO, per TPU forums user (username "xvi") @ techpowerup.com forums (software section): Use Microsoft Baseline Security Advisor, a free download from Microsoft as well to check your system for security holes, patch updates, etc. (be wary of the fact it does require various services running though, iirc, Terminal Server Services Client - I do NOT keep that running here anymore, & this program failed on me because of that (would not initialize @ all))

APK
APK
AN IMPORTANT SET OF POINTS TO SECURE YOUR WEBBROWSER, EMAIL PROGRAMS, & MORE:

STOP JAVASCRIPT USAGE IN YOUR BROWSERS (along with ActiveX & JAVA) On the PUBLIC internet, PERIOD (well, with SOME exceptions on sites that demand you use it, OR those that cannot function properly without it, some examples below)!


Why? Well, read on:

Fact is, that today? Well... Javascript's dangerous & can be used AGAINST you, as well as help you... it truly is, or can be, a 'double-edged sword'...

(For example - if you follow security related news, you will see that JavaScript is the key avenue being used against you in today's attacks (even thru adbanners!)). Some examples:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick

&

http://apcmag.com/5382/microsoft_apologise...re_to_customers

If you MUST use Javascript (for instance, on a particular site like banking or shopping oriented ones)?

Try "NoScript" (the .xpi addon for FireFox/Mozilla/NetScape 9 etc.) & let it let YOU decide sites to use it on, & then DISABLE JAVA/JAVASCRIPT globally...

(& if you use IE, trying to do the same can be a nightmare (as IE will "nag you to death" if you turn off javascript on sites that use it)).

Opera has similar functionality, ALBEIT, built into it by default as a NATIVE tool!

I.E.-> The ability to GLOBALLY block scripting tools like Javascript, BUT... to also allow it for sites you MUST use it on as exceptions to the GLOBAL rule set in Tools, Preferences menus it has on its menubar.

Opera has the NATIVE BUILT IN ABILITY to allow you to use it on sites you visit IF you must, via rightclicks on the page & "EDIT SITE PREFERENCES" popup menu submenu item that appears.

Either way? It works, & I STRONGLY recommend this.

----

DISABLE INDISCRIMINATE USE OF ADOBE FLASH:

From Mike567 (giving credit, where credit's due):

http://forums.windowsforum.org/index.php?s...33716&st=20

QUOTE (Mike567 @ Jun 12 2008, 11:28) *
You need to disable the plugins, where flash is located.


&, he's right... I "overlooked/omitted" that much!

Why is this important?? Well, take a peek here (very recent, 05/28/2008, as of the date of this posting):

Adobe Flash Zero-Day Attack Underway:

http://it.slashdot.org/article.pl?sid=08/0...47&from=rss

----

I also recommend Opera for these reasons (fewer security holes period, & the 1 it had yesterday? Patched yesterday too... fast!)

=====
SECUNIA DATA ON BROWSER SECURITY (dated 06/26/2008):
=====

Opera 9.27-9.50 (new release) security advisories @ SECUNIA (0% unpatched):

http://secunia.com/product/10615/?task=advisories

----

FireFox 3.x security advisories @ SECUNIA (100% unpatched):

http://secunia.com/product/19089/

----

IE 7 (latest cumulative update from MS) security advisories @ SECUNIA (37% unpatched):

http://secunia.com/product/12366/

----

Those %'s are the latest for FireFox 2.0.0.14, Netscape 9.0.0.6, IE7 after last "patch Tuesday" from MS with the "CUMULATIVE IE UPDATES" they have (see the security downloads URL I post in the 12 steps above to secure yourself), & Opera 9.27... all latest/greatest models.

So, as you can see?

Well, NOT ONLY IS OPERA MORE SECURE/BEARING LESS SECURITY VULNERABILITIES?

It's faster too, on just about ANYTHING a browser does, & is probably the MOST standards compliant browser under the sun (not counting HTML dev tools). This is borne out in these tests:

http://www.howtocreate.co.uk/browserSpeed.html

AND, yes others (most recently in Javascript parsing speeds, oddly enough, lol... given the topic of my post here that is), right here:

http://nontroppo.org/timer/kestrel_tests/

NEW NEWS/NEWSFLASH: FF3 is "king of the heap" here now, in javascript parsing speeds, but of what gain is this? Security risks abound in running javascript on "every site under the sun"... limiting it to sites you absolutely NEED it for is the way, IF you wish to stay safer online that is.

Opera's just more std.'s compliant - for example, having passed all the ACID (2/3 before anyone on the latter & one of the first for the former no less), plus it's faster + MULTIPLATFORM, & more secure than the others out there - thus, it's an "all-around" overall best solution!

QUESTION - So, "where do you want to go today?"...

ANSWER = Opera (if you're into speed, security, & std.'s compliance + using a webbrowser that runs on most any platform out there for computing is where).

----

ALSO - HOW TO SET THE "KILL BIT" ON ACTIVEX CONTROLS:

(I.E.-> This is how to stop an ActiveX control from running in Internet Explorer)

http://support.microsoft.com/kb/240797

In case you have "problematic" or security vulnerable ActiveX controls, per this RealPlayer example thereof:

http://service.real.com/realplayer/securit...1007_player/en/

APK
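A command-line way to set the kill bit that KB 240797 describes, as an added example rather than Microsoft's or the thread's own script: it takes the control's CLSID as its argument (the braces-and-dashes format is assumed; the CLSID itself is whatever the vendor advisory names) and writes Compatibility Flags = 0x400 under the ActiveX Compatibility key, plus the Wow6432Node view on 64-bit Windows.

```batch
@echo off
rem setkillbit.cmd {CLSID} - added example, not Microsoft's or the thread's script.
rem Sets the IE "kill bit" (Compatibility Flags = 0x400) for one ActiveX control
rem under the registry key that KB 240797 documents. Run from an admin prompt.
setlocal
set "CLSID=%~1"

if "%CLSID%"=="" (
    echo Usage: %~nx0 {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
    exit /b 1
)
rem Shape check only: 38 characters, opening and closing braces
if not "%CLSID:~0,1%"=="{" goto badclsid
if not "%CLSID:~37,1%"=="}" goto badclsid
if not "%CLSID:~38%"=="" goto badclsid

set "KEY=HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\%CLSID%"
rem 1024 decimal = 0x400, the kill bit
reg add "%KEY%" /v "Compatibility Flags" /t REG_DWORD /d 1024 /f >nul || goto fail

rem On 64-bit Windows the 32-bit IE reads the Wow6432Node view; skip if absent
reg query "HKLM\SOFTWARE\Wow6432Node" >nul 2>&1
if errorlevel 1 goto verify
set "KEY32=HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\%CLSID%"
reg add "%KEY32%" /v "Compatibility Flags" /t REG_DWORD /d 1024 /f >nul || goto fail

:verify
rem Read the value back so the change is visible in the console
reg query "%KEY%" /v "Compatibility Flags"
endlocal
exit /b 0

:badclsid
echo CLSID must look like {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
exit /b 1

:fail
echo reg add failed; this needs an Administrator command prompt
exit /b 1
```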
APK
Better, Safer, & F A S T E R DNS Servers

DO NOT USE THIS WITH A HOME or BUSINESS LAN THAT HAS ActiveDirectory going (because, for example - it will mess up things like FULL Outlook binding to EXCHANGE SERVER for instance, because of INTERNAL DNS SERVER dependencies AD has (ActiveDirectory is HEAVILY dependent on DNS resolutions is why))

That said & aside?

I found something VERY cool, as regards online security, that I stumbled onto during my meanderings online today!

ScrubItDNS:

http://www.scrubit.com


* GREAT IDEA, & it WORKS, painlessly... AND F A S T, too! OpenDNS is yet another alternate that offers analogous functions (mostly for speed, but ScrubIT DNS is superior in blocking content that may be offensive to adults, especially those with children & imo @ least, easier to implement THAT function for, by all means, vs. OpenDNS (both are GREAT though & free)).

APK

P.S.=> Take a read of what it does, how EASY it is to implement (lol, they even give a GUI to do the job for you, because digging into your network connection MIGHT be a "bit much" for some folks, to make it easy for anyone really... 2 clicks!) & YOU DECIDE...

I have tried it, & it DOES work, by filtering off sites thru it that are 'dangerous' OR 'offensive' (like ones you might find that are involved with the above exploit, or others like GOOGLE + SPYBOT Search & Destroy help you with) - PLUS, Pr0n sites (some of you, lol, may NOT like that "feature" though).

Still, bottom-line - For layered security? This is a GOOD idea, this "scrubit" DNS server... imo, so far @ least... apk
APK
HOW TO REMOVE MALWARE - INTRODUCTION (using 110% free tools, OR ones you have in your OS already natively, to remove malware infestations of ANY kind HOW TO):

NOW, after ALL of the above? IF you do find yourself "infested" though, one day??

(Which is going to be RARE (if @ all) - Usually, after the above set of steps you can use to secure yourselves, the ONLY way you usually can be reinfected, is to click & run a bogus email attachment, OR, by turning on Javascript & IFrames for instance! (or, allowing shockwave or a bum ActiveX control to run) OR, via a vulnerability in your applications OR Operating System that needs patching (I note this in the init. post of this thread in fact in this latter point now)).

YES - It happens! Far more rarely than it had before (using a buddy of mine Jack as an example in fact - I chose him as a tester because he was nearly constantly infested is why & this all worked for him, until he violated javascript usage rules I mentioned above).

E.G.-> I have had users violate that/those "rule(s)" from above & that was how they were reinfected - BUT, one tester of mine DEFINITELY gets infected FAR LESS than he used to, by applying the above... this is certain!

I.E.-> I have had this setup running Windows Server 2003 (SP#2, fully hotfix patched & hardened per the above as of this date) since early 2003, running "110% bulletproof & bugfree" because of following the rules & suggestions noted above!

ANYHOW - Malware infested? TRY THIS SET OF TOOLS & TECHNIQUES:

How to clean yourself up?

This "toolkit" & process has helped me get thru over 1,000 spyware/virus clean up calls, & hopefully? It will yourself, as well, so... here goes:

==========

1.) Reboot your system to F8 @ startup "Windows Advanced Options" bootup menu that stops you during the boot sequence.

----

2.) There, choose "safemode with networking" (via the "Windows Advanced Options" menu you get presented with while tapping the F8 key repeatedly @ system startup).

----

3.) Once in safemode with networking Windows, download/install & RUN these tools (they are not much to look at, BUT, they do work on MOST threats today & get regularly updated):

a. Run IE, use its TOOLS menu, Manage Addons Submenu, & turn off ANY BHO etc. objects that you do NOT absolutely NEED, or know what they are (many malwares in the form of bogus toolbars or BHO (browser helper objects) often hide here).

ALSO, GREAT NEW POINT EDITED IN NOW (01/13/2008) per Delightus14 @ Neowin forums: ALSO CLEAN OUT YOUR WEBBROWSER CACHES & %temp/tmp% temp. ops locations so no maladies exist there also awaiting re-awakening by accident

You do this via Internet Explorer (using IE as an example, it is the same idea in Opera/FireFox/Netscape/Mozilla etc. too) via its Tools menu, Internet Options submenu, & on IE options screen, use the "Browsing History" group in IE7, & delete things as necessary from IE's browser caches etc. & for OS + app level %temp% & %tmp% environmental values' areas? Type SET @ a DOS prompt to see where those are located, & burn their contents via DEL commands, OR via explorer.exe/MyComputer filemanagement.

b. Run msconfig.exe, & stall out ANY apps you do NOT absolutely NEED to run (many malware start here in fact). If you do NOT know the name of the program & what it does? Look it up on GOOGLE... same with BHO's above in IE.

c. DOWNLOAD & INSTALL SpyBot 1.51x

d. DOWNLOAD (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) ComboFix (don't run it yet - there is no installer, it IS its own install + run package)

COMBOFIX MAY HAVE SOME "MINOR SIDE EFFECTS" though, & here are 3 I have noted, & HOW to fix them:

1.) IE homepage: No big deal to "fix this". You go to Start Button -> CONTROL PANEL (use CLASSIC VIEW, it's easier imo) -> Internet Options -> General Tab & HOMEPAGE (here is where you change that).

2.) System Time (rightclick on timeclock in lower righthand side of your screen, & from its POPUP menu, use the Date/Time tool)

3.) Desktop wallpaper (easy to fix: Rightclick on Desktop, use properties menu, & the desktop tab, change your background wallpaper there)

e. DOWNLOAD (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) SmitFraudFix (which also has its own LSP (layered service provider fix I have heard tell), BUT, again: Don't run it yet - as AGAIN -> there is no installer, it IS its own install + run package)

An alternate here, is LSPFix.exe...

----

4.) Clean out your rig, running SpyBot, first (most of the threats today are SPYWARE related, or TROJANS, more than std. typical traditional viruses by the way).

----

5.) Then, run ComboFix (this will reset your webbrowser homepage & background desktop wallpaper, you will have to reset these, & possibly your date/time clock in Windows too).

(OPTIONAL - use ONLY if Spybot for example, cannot remove a malware)

----

6.) Then, run SmitFraudFix (or, as an alternate, LSPFix)

(OPTIONAL - use ONLY if Spybot for example, cannot remove a malware)

----

7.) Reboot to "normal Windows" (no F8 stuff this round) - it MAY hesitate/be slower this bootup though, because SpyBot/ComboFix/SmitFraud do a 2nd look type check on bootup many times... so, be prepared for this part.

----

8.) Then, once in normal Windows again, scan with your AntiVirus solution (now fully updated hopefully & if not, do update it first & then scan).

Good suggested FREE one, is AVG AntiVirus (I suggest this one, because it is free + complete w/ mail protection too that's decent enough, & just in case your antivirus solution is expired... if it is not expired, update the one you use. Keeping another around for a "2nd Dr.'s Opinion" is NOT a bad idea, BUT: ONLY RUN 1 OF THEM, "resident" (meaning running its background application & file scanning engine, usually implemented as a service + trayicon app). IMO, NOD32 is the best performer all-around in terms of antivirus programs. av-comparatives & vb100 tend to 2nd me here as well.

* @ that point? You probably will have 'caught the culprits', OR, @ least have the name + location of any threats they could NOT eliminate... & here is where it gets REALLY "fun"...

==========

NOW, when you CAN'T remove a virus using "script kiddie automated tools" like those noted above (not putting them down calling them that because they ARE somebody's hard work & freely given time as well... but, they ARE that, because they're only automating what YOU can do, yourself, with other tools like msconfig/IE manage addons, & more tools like Process Explorer + regedit & explorer.exe (OR even Recovery Console) can allow YOU to do, yourself, albeit slower... the nice part about the automated killers like the tools I mention above, is that they operate FAR FASTER than human beings do).

ANYHOW - IF you can get its name, & location on disk say, via a report from AVG or other programs you use for this?

Boot your system from the OS install CD, & go to RECOVERY CONSOLE!

There, switch to the folder that houses it using CD (almost like DOS one, but uses .. ONLY, to switch to ancestor folder roots really (instead of \ etc. et al))!

Then, once you are in its folder, fry it then (nothing will be loading & thus, locking it, there) using the DEL command -> DEL filename.

****

It's THAT, or using Process Explorer in UserMode/Ring 3/RPL3 operation...

You would suspend the calling process via the right-click popup menu options it offers for this! Once the calling process is suspended (& many times, also the called or DLL injected library as well), you can delete ANY potential offending injected DLL/lib virus-trojan-spyware-malware being called by said parent process, on disk.

(This is assuming this is a lib loaded virus/spyware/trojan/malware etc., not a standalone .exe type)

That's done via watching loaded DLL's that ANY app may have loaded presently (For that, you would have to use ProExp's CTRL+D keystroke shortcut, with the lower pane view present/visible, & set like that) IF there is one and this thing doesn't launch by itself from one of the registry RUN areas or startup groups that is...

Using Process Explorer can help!

(Again, especially if this is being run by "DLL Injection" (like an OLEServer being injected into a process via CLSIDs, shell extensions, or being run by rundll32.exe OR svchost.exe, process hosting executables that can spawn either .exe OR .dll/lib based ones)).

****

The easier/simpler route?

My first suggestion:


Use Recovery Console, once you have its name & location on disk... DEL command will take care of it, lickety-split, no-$heet.

APK


P.S.=> Rootkits & how to blow THOSE out? Guess what your "best pal" is, yet again?? Ah, you guessed it - RECOVERY CONSOLE & FixMBR command!

HOWEVER - FixMBR ONLY works on (only) BOOTSECTOR ORIGINATED TYPES though...

There are other kinds (driven by drivers &/or kernel mode API 'hooking' & more)... Soon, & I am NOT the only person theorizing this (because I saw BIOS flash code @ rootkit.com over more than a year back no less & IMMEDIATELY said "oh boy, here comes bios flashing malware")??

Soon you'll have BIOS flashing attacks via malwares (virus/trojans/spywares) & rootkits too (as rootkits typically ride "under the OS" or make themselves invisible to it, via interception of even kernel mode API calls, doing something called "hooking")...

How so??

Well, an example (a legit program I built this year for the fine Sci-Fi series from the BBC in the UK, called "Dr. Who" (longest running Sci-Fi show there is, huge fan here since the 1970's in fact)):

----------------------------------------------------------------------
APK Doctor Who ScreenSaver 2008++ version 1.0:
----------------------------------------------------------------------

http://www.drwhodaily.com/community/index.php?showtopic=386

----------------------------------------------------------------------

I store its .avi it plays back, INSIDE of the .scr executable, as a 'resource' I point to & playback from RAM, not disk, via a child thread (it's multithreaded design)...

That said - now, consider this:

Since ASUS & GIGABYTE have tools that 'flash' your BIOS, that now operate inside Windows itself?

Well, what is stopping a "blended/combined package" threat malware from using not only "std. attack methods" but, also using rootkit techniques too!

(Once more - means a "malware type" that literally "rides beneath the OS" literally, from out of the BIOS, or from a bootsector spawning (only kind I know how to kill in fact, via Recovery Console FixMBR) or, via kernelmode API intercept hooking (ability to 'fake out' what API's do or report back to you in laymen's terms))

What is stopping malware makers from doing the SAME thing I do in that program above to 'disguise' their evil machinations? Well... Not much!

Especially considering you can not only store .avi files, but pretty much anything, including a BIOS IMG file & a "Plug-N-Play" driver to make this happen!

(PnP drivers = A driver that can start from usermode/Ring3/RPL3 where you run programs from, vs. Ring 0/RPL0/kernelmode where most drivers traditionally run from)...

Food for thought... you get one of these types (afaik not here YET)? OR, rootkits of other kinds (not bootsector killable, but instead memory resident)?? Backup your data, & "repave" is the typical recommendation... I have no idea how I would kill one, & afaik? Nobody else does either, aside from starting fresh, OR trying to "overwrite" your current setup w/ a backup (assuming it is clean too, & that might NOT be a good assumption)... apk
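The %temp%/%tmp% clean-out from step 3a of the post above as a batch file, an added example and not a tool from the thread: it empties the user and system temp folders and refuses to touch anything that resolves to a drive root or a missing directory, which is the mistake a bare DEL command can make when a variable is unset. The browser cache is still cleared through the browser's own options screen, as the post describes.

```batch
@echo off
rem cleantemp.cmd - added example, not a tool from the thread.
rem Empties the %TEMP%, %TMP% and %SystemRoot%\Temp folders that step 3a
rem says to burn out, with guards so an unset or odd variable cannot turn
rem "del" loose on a drive root.
setlocal

for %%D in ("%TEMP%" "%TMP%" "%SystemRoot%\Temp") do call :wipe "%%~D"
endlocal
exit /b 0

:wipe
set "DIR=%~1"
rem Unset variable: nothing to do
if "%DIR%"=="" exit /b 0
rem Strip a trailing backslash so the root check below behaves
if "%DIR:~-1%"=="\" set "DIR=%DIR:~0,-1%"
rem Refuse a bare drive letter (C:) and anything that is not an existing directory
if "%DIR:~2%"=="" goto skip
if not exist "%DIR%\" goto skip
echo Cleaning "%DIR%"
rem Files held open by running programs fail quietly and are left behind
del /f /q "%DIR%\*.*" >nul 2>&1
for /d %%S in ("%DIR%\*") do rd /s /q "%%S" >nul 2>&1
exit /b 0

:skip
echo Skipping "%DIR%" (not a safe temp directory)
exit /b 0
```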
APK
As regards the "Russian Business Network" (RBN) who has been @ the heart of MANY online attacks (or, things like Zlob trojan & IDTheft related attacks, etc. et al)? Use this information to protect yourselves, from them.


(RELIABLE/REPUTABLE SOURCE USED = http://www.spamhaus.org/rokso/evidence.las...okso_id=ROK7465 )

----

FIRST OF ALL - Note, I use "0.0.0.0" vs. "127.0.0.1"

(That is simply because iirc, the zero's based one leads to a NULL port type of request, rather than your "loopback adapter" (i.e.-> YOUR OWN MACHINE fielding requests) for a couple of reasons (which it took me some time to come up w/ & testing as to which is "better" to use)).

SECONDLY, 0.0.0.0 is SMALLER than 127.0.0.1, & thus, parses + loads FAR faster, & is smaller on disk is why - AND, in RAM once loaded: THUS, I am logically concluding that 0.0.0.0 is better to use period for HOSTS file blocks - same function, & @ LESSER cost, nearly all the way around (less diskspace, faster loadspeed, less memory occupancy, & etc. et al). A MORE EFFICIENT STRUCTURE!

----

USING NOTEPAD.EXE

ADD THIS LIST TO YOUR CUSTOM HOSTS FILE (usually located in %windir%\system32\drivers\etc subfolder-subdirectory):

# === START OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS ===
# === END OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS ===

Also - You can (AND SHOULD) verify your HOSTS file location, because it CAN be moved (& some virus/spywares do so, like QHosts) by using regedit.exe & going here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

& checking to see it has NOT been misdirected from C:\WINDOWS\SYSTEM32\DRIVERS\etc

(Unless you KNOW that YOU move it, as I do!)

I move mine INTENTIONALLY to another disk here that is less used & faster on seeks!

That is just so it init.'s faster since the HDD is not contending with other programs loading etc.
or data loading etc. - mine's on an SSD (solid-state ramdisk, for access-seek gains for example).

----

FOR FIREWALL BLOCKING RULES (or IE "restricted zones" lists (in IE options), OR possibly IP Security Policies usage):

I.P. address block for Russian Business Network:

81.95.144.0/20 #SBL43489
(81.95.144.0 - 81.95.159.255)

And the address blocks for its equally corrupt cousins at Intercage, Inhoster, and Nevacon:

85.255.112.0/20 #SBL36702
(85.255.112.0 - 85.255.127.255)

69.50.160.0/19
(69.50.160.0 - 69.50.191.255)

194.146.204.0/22 #SBL51152
(194.146.204.0 - 194.146.207.255)

Lastly/Optionally - You should block all IPs starting with these if you do not care about Russia and China:

193.
194.
195.
213.
217.
62.64.
62.76.

(AND, A few major Internet providers that provide services to RBN including)

Tiscali.uk
SBT Telecom
Aki Mon Telecom
Nevacon LTD
Frame Cash
76service
Noc4Hosts

APK
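Added example (my own code, not the thread's or the APK Hosts File Grinder described later in this thread): a small Python normalizer that merges hosts lists written in the 127.0.0.1, 0.0.0.0 or bare "0" form into one de-duplicated, alphabetized 0.0.0.0 list, plus a check of an IP against the four firewall netblocks listed in the post above. The sample lists are constructed; the netblocks are the ones quoted above.

```python
"""Added example (not the thread author's APK Hosts File Grinder): merge hosts-file
block lists into the 0.0.0.0 form and test IPs against the listed netblocks."""
import ipaddress
import re

# Addresses a HOSTS entry may use to "blackhole" a name: 0.0.0.0, the older
# 127.0.0.1 style, and the bare "0" shorthand the thread mentions. All are
# accepted on input and written out as 0.0.0.0 so the result works on any resolver.
BLACKHOLE_TARGETS = {"0.0.0.0", "127.0.0.1", "0"}
HOSTNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")

# The netblocks the post above gives for firewall rules (RBN and the
# Intercage/Inhoster/Nevacon ranges), copied from the thread.
FIREWALL_BLOCKS = [ipaddress.ip_network(b) for b in (
    "81.95.144.0/20", "85.255.112.0/20", "69.50.160.0/19", "194.146.204.0/22")]


def parse_hosts(text):
    """Yield blackholed host names from hosts-file text.

    Skips blank lines and comments (whole-line and trailing), ignores entries
    whose target is a real address (e.g. a LAN name mapping) and the localhost
    entry itself, and lowercases names because DNS is case-insensitive (the
    thread's list mixes NS1.EEXHOST.COM with lowercase names).
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0] not in BLACKHOLE_TARGETS:
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name != "localhost" and HOSTNAME_RE.match(name):
                yield name


def normalize_hosts(*sources):
    """Merge several hosts lists into one de-duplicated, sorted 0.0.0.0 list.

    Duplicates between lists (and inside one list) collapse to a single entry;
    the result is alphabetized so it is easy to search in a text editor.
    """
    names = set()
    for src in sources:
        names.update(parse_hosts(src))
    return "".join(f"0.0.0.0 {n}\n" for n in sorted(names))


def blocked_by(ip, blocks=FIREWALL_BLOCKS):
    """Return the netblock (as a string) that contains ip, or None.

    Tells you whether a server IP is already covered by a firewall rule for the
    blocks above or needs its own rule / HOSTS entry.
    """
    addr = ipaddress.ip_address(ip)
    for net in blocks:
        if addr in net:
            return str(net)
    return None


# Constructed sample lists in the three formats, overlapping on purpose.
LIST_A = """\
# constructed sample, MVPS-style
127.0.0.1 localhost
0.0.0.0 rxpharmacy-support.com
0.0.0.0 NS1.EEXHOST.COM
0.0.0.0 ns1.eexhost.com   # same name, different case
192.168.1.10 fileserver   # real mapping, not a block: left out
"""
LIST_B = """\
127.0.0.1 iframedollars.biz
127.0.0.1 rxpharmacy-support.com
0 xpantivirus2008.com
"""

if __name__ == "__main__":
    print(normalize_hosts(LIST_A, LIST_B), end="")
    for ip in ("69.50.167.166", "206.51.229.67"):
        print(ip, "->", blocked_by(ip) or "no listed netblock; needs its own rule")
```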
APK
So you all know WHY I put up info. on the "RBN" (Russian Business Network) in my last post above?

Well, I strongly suspect "they're @ it again" & here is why:

Cyber-attack launched from 10,000 web pages:

http://itnews.com.au/News/71994,cyberattac...-web-pages.aspx

"A single entity is likely to be behind this attack, since the malicious code on all these pages came from the same server in China."

(AND, the "RBN" is KNOWN to 'hop between' China & Russia regularly, as needed, & I suspect they are the ones behind this, but the article offers NO discrete IP Address ranges or IP's so, we have to wait on the specifics, but it is a GOOD guess based on their prior track record w/ Zlob, which I see nearly every day @ times on the job)...

APK
APK
"New NEWS": Well, it appears I was correct in my "assumption/guess" above (about my suspecting the "RBN being @ it again") 2 posts up, which are NOW verified, per this quote from the above source:

SECOND MASS HACK EXPOSED:

http://www.itnews.com.au/News/72214,second...ck-exposed.aspx

AND, the source I used for this list:

http://ddanchev.blogspot.com/2008/03/more-...ame-attack.html

And, the salient portion that notes that my suspicion was correct:

"if you look at the IPs used in the IFRAMEs, these are the front-end to rogue anti virus and anti spyware tools that were using RBN's infrastructure before it went dark, and continue using some of the new netblocks acquired by the RBN"

So, with that said? Here are those URL's from the list above, albeit altered to 0.0.0.0 equations, for your CUSTOM HOSTS FILE, that shuts out RBN (these appear to be their newly acquired domains list) & the servers they use:

START OF LIST TO ADD TO YOUR CUSTOM HOSTS FILE FOR BLOCKING OUT BAD SITEs/ADBANNERS THAT MAY BE INFECTED ETC.:
0.0.0.0 do-t-h-e.com
0.0.0.0 rx-pharmacy.cn
0.0.0.0 m5b.info
0.0.0.0 hotpornotube08.com
0.0.0.0 hot-pornotube-2008.com
0.0.0.0 hot-pornotube08.com
0.0.0.0 adult-tubecodec2008.com
0.0.0.0 adulttubecodec2008.com
0.0.0.0 hot-tubecodec20.com
0.0.0.0 media-tubecodec2008.com
0.0.0.0 porn-tubecodec20.com
0.0.0.0 scanner.spyshredderscanner.com
0.0.0.0 xpantivirus2008.com
0.0.0.0 xpantivirus.com
0.0.0.0 bestsexworld.info
0.0.0.0 requestedlinks.com
END OF LIST TO ADD TO YOUR CUSTOM HOSTS FILE FOR BLOCKING OUT BAD SITEs/ADBANNERS THAT MAY BE INFECTED ETC.

FOR THOSE INTERESTED (or, those that need actual IP addresses to add to firewall rules tables OR IE restricted zones etc.), here are the actual IP addresses of the bogus servers:

do-t-h-e.com (69.50.167.166)
rx-pharmacy.cn (82.103.140.65)
m5b.info (124.217.253.6)
hotpornotube08.com (206.51.229.67)
hot-pornotube-2008.com (206.51.229.67)
hot-pornotube08.com (206.51.229.67)
adult-tubecodec2008.com (195.93.218.43)
adulttubecodec2008.com (195.93.218.43)
hot-tubecodec20.com (195.93.218.43)
media-tubecodec2008.com (195.93.218.43)
porn-tubecodec20.com (195.93.218.43)
scanner.spyshredderscanner.com (77.91.229.106)
xpantivirus2008.com (69.50.173.10)
xpantivirus.com (72.36.198.2)
bestsexworld.info (72.232.224.154)
requestedlinks.com (216.255.185.82)

Also - These you won't be able to block via HOSTS file filtering methods, but still can be blocked via other means (IE restricted zones, firewall rules tables, etc. et al):

89.149.243.201
89.149.243.202
72.232.39.252
195.225.178.21


* Enjoy, stay safe, & keep surfing!

APK
APK
The "RBN"'s still @ it (per earlier in this guide/last page)

&

Gaining more servers to attack folks with online!

(Per my earlier posts on how to add to a HOSTS file & their IP addresses above - this gent is whom I got this info. from & he's a fairly noted security researcher + ontop of them & their activities online it seems, use him for a resource, excellent so far (proved me right in my guess above too, albeit far later than I guessed it was they, lol (pretty obvious if you follow security trends & news though to be honest)):

http://ddanchev.blogspot.com/


He has more servers there (updated list is why) vs. my own above... if you're into your online security? Refer to it & add his lists to your HOSTS file too (or, email me for mine to save time if you wish, many have).

APK
APK
For users of Adobe Acrobat Reader (of any version or patch level today - safety hint):

Since it has been attacked so much recently (via its ability to place javascripting into its .pdf document format, & javascript that bears truly "ill will")?

Well, update to the latest/greatest version... HOWEVER, if you don't trust that, as I do not, FULLY?

(I say this, & simply because browser makers have been trying that left & right since "time immemorial" online, & more of those types of attacks pop up of differing nature that evades new patches vs. it, keep popping up regardless of the patches!)

Plus, like I had stated earlier in this guide?

I suggested turning off using javascript for EVERY SITE online, in your webbrowser (& only keep it for ones that demand it (or, become useless w/out it, like many shopping &/or banking sites - this lessens the possibility of being poisoned by bad adbanner OR site code & also lessens the attack surface area + limits the possibles to the sites you left javascript on for, ONLY))??

Try this FOR ADOBE ACROBAT READER ALSO:

TURN OFF JAVASCRIPT USAGE IN ADOBE ACROBAT READER!

Simply to be safe vs. attacks in it that are javascript-based in nature!

----

Use Adobe Acrobat's EDIT menu

PREFERENCES submenu

Javascript section (in left-hand side column of options)

& uncheck "Enable Acrobat Javascript" in the right-hand side option for that.

----

What boggles MY mind, moreso in webbrowsers &/or email programs though (as far as javascript is concerned)? Browser makers are working on speeding up its processing, first, rather than securing its weak/exploitable DOM (document object model) behind it.

Speeding up javascript in webbrowser programs, for example?

WELL - That's only speeding up how FAST you can be infected by misuse of javascript then, really, & this is all (not good!).

(AND, anyone reading here now can simply take a read over @ SECUNIA.COM &/or SECURITYFOCUS.COM & see that a GOOD 95% of today's attacks are hitting users via the indiscriminate use of javascript (misuse of it) on every website they go to).

----

Imo @ least, but, one based on the data in this guide (plus that from security websites I noted above)?

Javascript should be turned off by DEFAULT in a webbrowser!

Why??

Well, because most times, if a site needs it???

The site errs out & signals the user javascript is required. Turn it on @ that point, IF you absolutely NEED it to be running (& only then, for useful tasks you wish to perform online, such as data access like you see on shopping &/or banking websites)

I mean, hey: Even adbanners have been abused this way & proofs of that abound in this guide no less.

In fact, when I noted this over @ slashdot?

I was "modded down" for it, & just for telling the truth to javascript (& other scripting languages) developers... just for telling the truth! Boggles the mind. Secure that DOM behind javascript first, for security, AND ONLY THEN, work on speeding it up afterwards. That's not how it's being done though, unfortunately.

----

10 Forces Guiding the Future of Scripting:

http://developers.slashdot.org/comments.pl...mp;cid=25362703

----

Another bonus (for speed this time though, not security), also exists in turning off javascript processing in webbrowsers: Speed.

I.E.-> You're not using CPU cycles processing scripts that you probably don't actively directly use, yourself (such as ARE needed on e-commerce/shopping + banking websites, where you DO need it mostly to do actual useful tasks), & you're also not "hauling in" data from other servers (slowing you down even moreso, if not compromising your system (such as have been seen the past 4++ yrs. now or so, in bad adbanners that house javascript misuse)) that you don't really need, or want, around on your webpages you view...

APK

P.S.=> That assures you are "bullet-proofed" vs. Adobe Acrobat malware/bad javascript containing contaminated .pdf documents via bogus javascript in them for exploiting you online today!

NOW - the only hassle here is that SOMETIMES, there is so much javascript in them, ADOBE MAY "nag" a lot about it, & should have a feature to turn that off (imo @ least)...

So, evidence as to WHY one should do this to Adobe Acrobat Reader (until it's patched vs. this type of thing):

Critical Vulnerability In Adobe Reader:

http://it.slashdot.org/article.pl?sid=08/11/05/2042211

(Dated 11/06/2008, 8 months after I noted this here no less - if/when Adobe secures THIS particular exploit in their program? Turning off javascript processing (enabled by DEFAULT in that program no less, mind you) can help protect vs. other exploits like this one, in the future, that misuse javascript)...

----

Turning off javascript in this program, & also webbrowsers + email programs simply assures you that you are "bullet-proofed" vs. Adobe Acrobat malware/bad javascript containing contaminated .pdf documents via bogus javascript in them for exploiting you online today!

NOW - the only hassle here is that SOMETIMES, there is so much javascript in them, ADOBE MAY "nag" a lot about it, & should have a feature to turn that off (imo @ least)... apk
APK
USE YOUR "ADD-REMOVE" CONTROL PANEL APPLET!

This is important - as MANY 'malware/trojans' actually DO use since they realize folks do NOT regularly check this area.

IF you don't recognize a ware?

Look it up on GOOGLE (or altavista/yahoo, etc.) to find out if it is MALWARE or not, &/or IF you need it @ all (if you don't? It's "dead weight" & taking up space on your disks & slowing you down only).

APK
APK
SECURING THE TELNET SERVICE & USER GROUPS:

And, a Mr. Markus Jansson on his point on the TELNET service (tlntsvr.exe iirc).

http://www.markusjansson.net/exp.html

Turn Telnet NTLM logins off

-> Run: telnet.exe
--> Type (and press enter): unset ntlm

He also has more on things like "EFS" (encrypting filesystem) which I omitted, & both Mr. J.'s site & the GOVERNMENT ones I note, also cover it too (or, supplement points I made with more alternatives etc.).

APK

P.S.=> I list MORE security techniques for securing telnet, here (did this years ago circa 1997-2002, & it's cited in 2001 here @ Neowin, by searching TELNET on that page) to supplement this technique:

=================================
APK "A to Z" Internet Speedup & Security Text!
=================================


http://www.neowin.net/news/main/01/11/29/a...--security-text

=================================

Which goes into that point on TELNET & many others (including more speed tuneups, services cutoffs for speed + security in DETAIL & far more also to supplement this post here)... apk
APK
I also "took the liberty" of contacting a well-known "security-pro" (in Don Parker of "SecurityFocus.com" fame, whom I post with @ Security Forums online, whose URL is below, & I referred him to it, as it is the same content as the one here)!

This is in regards to my outline/article/guide here, & here were HIS thoughts/opinions on its content @ this point:

**********

Hello apk,

I don't see any real downsides to what you posted. The only thing is that
you need to remember the audience that it is you are trying to reach. If
your goal was to hit the newbies as it were then you may have missed the
mark a bit. Beyond that, it looks fine to me.

--Don

**********

Still, that's not enough, just some "ok" from somebody with a certification is all... & to myself @ least, certs are NOT the same as actual degrees + years to decades of "hands-on experience in the trenches"... anyone into music for instance, can tell you that knowing tablature is NOT the same as being able to read music, for instance... so, DO test for yourselves, using CIS Tool as your guide!

--------------

Also - Do please check this page out, for even more security points:

http://csrc.nist.gov/itsec/download_WinXP_Home.html

Especially the downloadable guide for security there to supplement this one's points, it is named -> SP800-69.pdf

----

The PDF file guide above from NIST (in association w/ the U.S. Gov't. on securing PC's no less), like my guide here also?

That also lists a "6.32 Removing Malware" section as well!

So, that is in response to 'my naysayers' from various forums that criticized me for listing such a guide here!

(In fact, many of them were MS-MVP mods too no less, but many on many forums would NOT cite "why" or yield specifics I asked for as to WHY I SHOULD NOT LIST SUCH A GUIDE in this article's content... well, experts in this area appear to agree with me, as it IS part of "securing a computer" in knowing HOW TO REMOVE INFESTATIONS, as I do, like THEY do as well!)

Anyhow/anyways - The .pdf guide from NIST either tend to reinforce my own, OR, go beyond in some cases!

E.G.->
    Securing wireless networks
    Securing MS-Office apps better
    Script file extensions associations with notepad.exe for instance (for safety vs. scripted attacks)
    More on email & webbrowser security
    The SIGVERIFY utility (file signature checker)
    Disabling unneeded accounts
That's for some things I did not cover well imo, here (OR RATHER, well enough earlier), & to supplement my guide (both have good ideas & they both work).

APK
APK
http://img297.imageshack.us/img297/2240/52041100vo6.png
That's an example of where your score (for users on Windows XP SP #2 no less fully hotfix patched as of this date) can be @ scoring-wise, on the CIS Tool benchmark test gauge of Windows Security, after following its suggestions for security-hardening your systems.

A 90.112 score... & that was AlexStarFire's score from the 3dguru.com forums, once he applied it to his home system ("stand-alone", non-HOME or WORK-LAN system, online on the public internet), which is way, Way, WAY up from its initial default score of 46.xxx/100...


* Here is an example of a user named Thronka, who employed it to security-harden the endpoints on his LAN/WAN setup @ work, who is also enjoying it successfully as well, albeit this time, in a BUSINESS environs (as I have it as well, for both HOME standalone machine online today, & also on the job):

http://www.xtremepccentral.com/forums/showthread.php?t=28430

APK

P.S.=> I hope you guys also employ it thus as well - it starts with reaching just 1 person, & then, by example? Others start to apply it also, & then things start to change "for the better", because by securing yourself, & maybe even setting up your pals & families machines' this way? You lessen the possibility of "spreading the diseases" out there online today... apk
APK
TEST (retesting edits of old posts, I keep seeing IPS Driver error - LATER EDITING, the "IPS DRIVER ERROR" is gone now, as of 06/18/2008 edits I have performed - thanks Mr. Mark Causa &/or Mr. Kevin Hazard)... apk
APK
To all interested/reading:

I think this is it guys, I know of NO MORE to secure a Windows System... & again - IF any of you have points to add, please do so, but, I only ask that you keep it @ a technical computer security level (per my 1st initial post here's "P.S." section @ its termination).


* ENJOY A FASTER & SAFER Windows based system of modern variety (2000/XP/Server 2003 & even VISTA) online today (especially TODAY!)...

APK

P.S.=> In other words, please - no "grammar & spelling" English "writing style" critiques, as they do NOT help to secure a system further... I did try to keep it as SHORT as possible, & to have folks use the CIS Tool to help make it easier + more fun. HOWEVER, @ times, the material is complex & I could not "shorten/condense it" anymore w/ out losing critical details & such! Please bear with that much, & gain by this thread by getting those 90++ scores on CIS Tool, surfing safely & F A S T E R online as a bonus once you apply the points I layered ontop of CIS Tool's guidance points (based on "industry best practices" & such)... thanks! apk
APK
More security tools/info. (04/28/2008), for APPLICATION LEVEL SECURITY:

(I.E.-> For checking for apps you have that may be security vulnerable OR have been patched vs. said vulnerabilities, etc.):

----

SECUNIA PSI (checks for outdated OR apps that are known to be insecure):
https://psi.secunia.com/

NEW VERSION (released very recently too).

A good program, by a trusted & WELL-KNOWN security-oriented website online (I tried version 1 earlier on last year, it needed work. This one is solid though, so far @ least, imo!)

(It works, & sometimes catches things FILEHIPPO UPDATE CHECKER below, won't - good "2nd Doctor's opinion" etc.)

----

FileHippo's Update Checker (checks for outdated OR apps that are known to be insecure, supplement's PSI above):
http://filehippo.com/updatechecker/

Decent program as well, & good to use as a supplement to the SECUNIA PSI Tool as well (from a well-known file downloads site also in filehippo).

(It works, & sometimes catches things SECUNIA PSI above, won't - good "2nd Doctor's opinion" etc.)

----

Windows Vulnerability Scanner:
http://www.pspl.com/download/winvulscan.htm

Nice program for checking Microsoft Operating Systems &/or Ms-Office versions vs. missing security patches, & it works, very well!

----

APK Registry Cleaning Engine 2002++ SR-7:
http://www1.techpowerup.com//downloads/389...ooglehappy.html


* Yes, "shameless plug" on MY part on the last one, but, it does have "security benefits"...

(& more than potentially useful forensics ones, because it shows you what files a user calls upon via its lists (it does check recently used filelists, but, will also list those files the user attempted to delete (this assumes he may have been attempting to hide them)))... it is 100% proven SAFE on all 32-bit versions of Windows (see its description & feedback by users on the download page), 9x-VISTA as well.

APK
APK
A great site that Mr. Dancho Danchev "turned me onto", for making additions to your CUSTOM HOSTS FILE (mentioned earlier on in this guide in STEP # 5) via his security blog... why & how?

Well - it keeps an updated listing of sites & servers that are KNOWN TO BE MALICIOUS!

http://mtc.sri.com/


* Again - Enjoy a F A S T E R, and S A F E R online experience via this guide, by all means!

APK
markcausa
Very nice! I don't know how I haven't seen this thread all this time!
APK
QUOTE (markcausa @ May 17 2008, 10:31 PM) *
Very nice!


Thank-You!

QUOTE (markcausa @ May 17 2008, 10:31 PM) *
I don't know how I haven't seen this thread all this time!


Well, "think positive"/"look @ the 'bright side'", lol:

Now you have!

So far, since Dec 2007 (when I posted it across 20 forums online, so others could gain by it, since my "New Year's Resolution" was "DO A GOOD DEED")?

It's been made either an "ESSENTIAL GUIDE", or "STICKY/PINNED THREAD", &/or "5/5 STAR RATED" (even making its way into the "TOP MOST VIEWS OF ALL TIME" on many of those forums (it's LITERALLY 100,000 views strong across those forums by this point & short timeframe already!

Heck - & it even got me paid (I did not expect it though - I had NO IDEA they did that there) from PCPitstop, where it won the $100 prize in January 2008 for "best posts" etc. et al)).


... & thus, since it is now updated here? Maybe it's for the best... why?

Well, now YOU get to apply it, in a more refined form is all, if you like (both CIS Tool, & the added layered security measures it does not account for that I note in this thread)...

(& THIS IS THE NEWLY EDITED ONE, lots more detail to help you out on various points, especially the ones on HOSTS files &/or Ports Filtering)...

Especially on the points on Ports Filtering (IANA port #'s & IP Ports data for your reference, point #5 iirc here)

&

Also for the point on HOSTS FILES USAGE for speed, & SECURITY!

(This latter one notes a possible registry hack that I have ONLY seen Windows Server 2003 users complain about & have to apply, albeit ONLY in LAN/WAN ActiveDirectory environs mostly though)

Funny part is - I use it myself (Win2k3 Server - according to "ThreatFire's" analysis, it's the MOST SECURE Windows NT-based OS there is, based on patch data frequency & need, vs. Windows 2000/XP & even VISTA) & to be blunt about it? Personally, I HAVE YET TO RUN INTO IT, & have to use the hack!

However - its reg hack data is now in place, here, in case others do, for HOSTS files vs. Local DNS Cache, vs. ISP/BSP DNS Servers taking precedence over one another, etc.))...


* Anyhow/anyways - Enjoy!

APK

P.S.=> Get those 90++/100 scores on CIS Tool & beyond (because this post of mine covers things even CIS Tool does not account for, for additional "layered security")... apk
APK
TESTING posting, I keep seeing IPS Driver error, click this link here (I get nothing from it, I don't use javascript)... Specific errmsg/abend is this:

IPS Driver Error
There appears to be an error with the database.
You can try to refresh the page by clicking here

APK

P.S.=> ERROR IS GONE NOW, EDITING IS POSSIBLE AGAIN (thank you Mark Causa &/or Kevin Hazard!)... apk
lxp85
All those are only the official solutions. In reality it has never been possible to secure a Windows server fully.
APK
QUOTE (lxp85 @ Jun 17 2008, 07:11 PM) *
All those are only the official solutions.


Some of them are, per CIS Tool (which uses "industry best practices" - which DO work, by the by), others are not!

SOME "e.g."'s, in things I suggest, that are NOT "std. security practices", but DO work? ->
    A custom hosts file
    Cutting out the "indiscriminate & global usage" of things like javascript or javascript + IFrames exploits via cutting off their usage on "every site there is online"
    Cutting off their abilities for abusing security vulnerabilities in Adobe FLASH
    Cutting off bad ActiveX controls
    Not every security guide for Windows lists "port filtering" either
    Not every security guide for Windows lists "securing services" either
    Not every security guide for Windows lists IP Security Policies usage either
    Not every security guide for Windows lists registry &/or filesystem ACL usage/control either
    Not every security guide for Windows lists "webbrowser isolation" techniques either
For example!


* So, you are NOT correct on that account/in your statement; these are not "standard security practices" (yet, afaik), but DO work to help secure folks better online, today (things that 'cut out the "root causes"', such as javascript, iframes usage, bad activex controls, &/or addons/browser plugins): HOWEVER, the tips/tricks/techniques & other suggestions I note, DO WORK!

(... & on a simple principle: "Don't go into the kitchen, you can't get burned", basically!)

Especially since MOST of the threats being used against you today come thru your OWN PROGRAMS YOU USE, via their own security vulnerabilities present, or in the addons they use... (NOT THE OS ITSELF!)

Most guides (IF any) do NOT suggest that, but, these tools &/or addons to your browser are the culprits being used against you, period... & any security-oriented website can show anyone that much (try SECUNIA for instance, which showcases known application level vulnerabilities).

QUOTE (lxp85 @ Jun 17 2008, 07:11 PM) *
in reality it has never been possible to secure a windows server fully


See the 4th line of my first post in this thread, first of all: & I do NOT agree with your statements here (totally), per what I wrote above... but as long as Microsoft does THEIR end of things (patching the OS & their apps, & other application makers do as well? It's NOT impossible, in the long run, in theory @ least, as far as binary application & OS security - but, as to today's threats in javascript + iframe, activex, or flash misuse as some examples?? It is possible, easily!)

(& secondly, all I can say is - I set this system up in late 2005 & am yet to be infected/infested... (& I am QUITE capable of detecting whether this system is infected/infested or not. The System I setup prior to this one still runs to this day, bugfree & bulletproof as well, & that was initially setup in 2003, albeit "the old-school way", manually hacking the registry etc. et al & more + my apps, not using CIS Tool guidance though - again, that's for end users to learn about this, via an "almost fun to do" guide in CIS Tool, a security 'benchmark')).

----

AS TO TODAY'S THREATS ONLINE IN SAY, bad adbanners or sites that use bogus javascript? It IS absolutely doable, by cutting out the "root causes" (javascript usage indiscriminately, activex control usage indiscriminately, iframes usage indiscriminately, & flash usage indiscriminately - on "every site there is", instead of JUST ONES YOU ABSOLUTELY NEED IT FOR, to get things done on THE SITE IN QUESTION, only - otherwise? Turn them off!)

This is possible to do, vs. TODAY'S ONLINE THREATS, & IS SUCCESSFUL (& is NOT considered "std. practice" by 'security experts' out there in their guides/articles typically) vs. the main threats &/or tools being used against you, the end user, online today!

I.E.-> By simply cutting off the "ROOT CAUSES" (bad javascript, javascript + Iframes, & activex controls, + browser addons/plugins (if not adobe flash usage))?

The techniques/tips/tricks noted in this article do seem to work, FULLY, vs. what you said initially (which I quoted FIRST, above)!


APK

P.S.=> Question(s) to yourself now though:

1.) How does your statement help secure others' better?

(You have 1 whole post here... what was your motivation for this statement, in that it got you to post here just once, & then be incorrect (per my first quote))??

Fact is - The ONLY people I have seen make statements like yours, or "bitch" about this article/guide's content, were usually either:
    Those that "skimmed" the article & missed points I made, AS YOU HAVE
    Those who are javascript programmers (whom I feel for, it's NOT the fault of legit ones that cause poisoned adbanners for instance) or webmasters who stood to lose by the cut off of java/javascript OR flash (as in adbanners using them but again, SOME get 'bushwhacked' by hacker/crackers the past few years now)
    Malware makers in general, period
    OR, believe-it-or-not?? Security pros that felt I was "giving away the whole ball of wax" on how to secure a system, to those NOT aware of how to do so... this could affect their income, admittedly, adversely (because it is NOT "rocket science" period, & they know it)
* Thus, I wonder: Which one of those, are you? I could be wrong here, but somehow, I think not...

EDITING IN THANKS TO THE MODERATORS/ADMINISTRATORS/SUPER-ADMINS here - Mr. Mark Causa &/or Mr. Kevin Hazard: EDITS WORK NOW, no more "IPS Driver Error" upon edits... good job guys, & thanks! apk
APK
For those of you interested in using custom HOSTS files (for BOTH added security & added speed online)?

"APK Hosts File Grinder 4.0++"

http://www.thenewtech.com/forums/attachmen...mp;d=1214726022

(Sorry, this board does NOT allow "dynamic image tags" so, if you wish to see a screenshot of it, where I documented its development? See here -> http://www.thenewtech.com/forums/chit-chat....html#post16080 )


----

The application above has been built by myself, for folks just like YOU, & of course, myself!

----

It allows you the end-user, the ability to:
    1.) Very EASILY integrate the HOSTS files of others, such as MVPS.ORG & others noted @ wikipedia, here -> http://en.wikipedia.org/wiki/Hosts_file (even if in other internal line-by-line formats) "scrubbed into" the MOST EFFICIENT format there is (allowing less memory &/or disk space occupancy for loading, of 0<singlespace>URL<cr+lf> ), first, & then...
    2.) Speed up access to your fav sites, via 1st pinging them (so their IP Address IS up-to-date/current), & adding them to the normalized non-repeat line items list on the right above
    3.) Add/remove sites from a hosts file, but by first checking for their pre-existence inside the HOSTS file on ADDS, & rejecting if there already (& adding if NOT present)
    4.) Lastly, it will FULLY NORMALIZE (accurately 110%) a HOSTS file (normalize = removal of duplicates)...leaving you with one in the MOST efficient format line-wise there is (noted above, which consumes less memory & faster loadtime from disk)
----

It has allowed me to:

A.) Take valid HOSTS file data from EVERY known & respected HOSTS file there is (noted from the wikipedia link above, & also from SRI, Shadowserver, Dancho Dancheve's Blog, SpyBot S&D, Spamhaus, Phishtank, + others also, such as my own research into this area), & integrate them FIRST into a HUGE 20mb file, & then via normalization, reducing its size to 12mb on disk (removing repeats which they will have between one another & sometimes inside of themselves even), reduce its size that way (1/2 the initial size almost from all that data), first...

B.) It has also made a 12mb SUPER-COMPREHENSIVE custom HOSTS file out of an initially 20++ mb sized one, from the sources above... allowing the SAME function as they offer (because their HOSTS FILES' many times using 127.0.0.1, or, 0.0.0.0 formats, instead into a MORE EFFICIENT ONE, of 0<singlespace>URL<cr+lf>)... thus, MASSIVELY reducing its size on disk & in RAM once loaded into your local DNS cache, yet offering the SAME function!

C.) Create a CUSTOM HOSTS FILE loaded with FULLY alphabetized entries into your HOSTS file (so it is easy to search thru, even via notepad.exe).

-----

* It can do the same for you as well, should you be interested in such a tool... if you are? Email me, here:

apk4776239@hotmail.com

APK

P.S.=> General statistics on it, while in operation:

700k-5900k memory occupancy prior to load of HOSTS file data...

( & up to 167mb IF a "huge" hosts file (like 1 million++ line entries) is used)

Its runtimes (noted above) will vary, depending on the size of the HOSTS file being processed (should NOT exceed 3 hrs (&, for most folks, since they do NOT have files of such size in their HOSTS file? Heh, it will be the "blink of an eye" on most all sections (scrub, add/remove entries - validate entries, normalization-removal of repeated items, & save to disk) up to 2 minutes or so)

PLUS - It was built in the MOST efficient & fastest code combination I know of (Borland Delphi 7.x, Win32 API, & Inline Assembler code)

(Especially for this type of string processing (of which Delphi alone in math & strings often MORE THAN DOUBLED (sometimes, tripled) the speed of both MSVB & MSVC++ in, in (of all places) Visual Basic Programmer's Journal Sept./Oct. 1997 issue "INSIDE THE VB COMPILER" issue))

+

A truly "SUPER-EFFICIENT" algorithm, on each area of processing (especially normalization, taken down from DAYS time over 1 million++ records, to only 3 hours time max, if no repeats exist... if repeats? Far, FAR faster!)

Which speaks worlds alone right there... this app makes FAR shorter work of this, than does using ping.exe (for speedup of sites), MsAccess (via SQL Select Distinct queries work, & the potential import/export hassles it can have (leaving trailing spaces &/or quotes for example, bloating files on export)), & notepad.exe (good luck normalizing one using its Edit-Replace menus is all I can say... especially IF you have a BIG hosts file)... apk
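The merge / scrub / normalize steps described in the post above, as an added example in Python that is not the APK Hosts File Grinder's own (Delphi) code. The three sample blocklists, their hostnames and the `add_entry` helper are constructed for illustration; the output defaults to `0.0.0.0 <host>` because newer Windows releases no longer resolve the bare `0` shorthand, and the shorthand is still available through the `sink` parameter:

```python
"""Merge several HOSTS-file sources into one duplicate-free, alphabetized blocklist.

Added example: performs the 'scrub', 'normalize', 'add-if-absent' and save steps
the post describes, on constructed sample input. Not the Grinder's code.
"""
import ipaddress
import re

# Constructed sample sources in the different on-disk formats the post mentions.
SOURCE_A = """\
# Sample blocklist A (constructed), 127.0.0.1 style
127.0.0.1 localhost
127.0.0.1 ads.example.test
127.0.0.1 tracker.example.test  # inline comment
127.0.0.1 ads.example.test
"""

SOURCE_B = """\
# Sample blocklist B (constructed), 0.0.0.0 style, several names per line
0.0.0.0 banner.example.test cdn-ads.example.test
0.0.0.0 ADS.Example.Test
::1 localhost
"""

SOURCE_C = """\
# Sample blocklist C (constructed), bare '0' shorthand the post prefers
0 malware.example.test
0 tracker.example.test
"""

# RFC 1123 style hostname check: labels of 1-63 chars, no leading/trailing '-', <= 253 total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Names that must never be sunk to a block address: doing so breaks the local machine.
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def is_block_target(addr):
    """True when the address column is one used to sink a name (0, 0.0.0.0, 127.0.0.1, ::1)."""
    if addr == "0":
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS-format text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            yield addr, name.lower().rstrip(".")  # case-fold so duplicates collapse


def normalize(sources, sink="0.0.0.0"):
    """Merge blocklists into one sorted, duplicate-free list of '<sink> <host>' lines."""
    names = set()
    for text in sources:
        for addr, name in parse_hosts(text):
            if not is_block_target(addr):
                continue  # a hard-coded site IP, not a block entry: left for add_entry()
            if name in PROTECTED or not HOSTNAME_RE.match(name):
                continue  # never sink loopback names; drop malformed entries
            names.add(name)
    return [f"{sink} {n}" for n in sorted(names)]


def add_entry(lines, addr, name):
    """Post's feature 3: add an entry only if the hostname is not already present."""
    name = name.lower()
    if name in {l.split()[1] for l in lines}:
        return False
    lines.append(f"{addr} {name}")
    lines.sort(key=lambda l: l.split()[1])  # keep the file alphabetized by hostname
    return True


def write_hosts(lines, path):
    """Save with CR+LF line endings, the format the post specifies."""
    with open(path, "w", newline="\r\n") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    merged = normalize([SOURCE_A, SOURCE_B, SOURCE_C])
    add_entry(merged, "203.0.113.10", "www.example.test")  # constructed 'favourite site' pin
    for entry in merged:
        print(entry)
```

Running the block prints five `0.0.0.0` block lines plus the pinned site, with the case-variant and repeated entries from the three sources collapsed into one each. Hard-coding a site's IP this way trades DNS lookups for a static entry, so the pinned address must be re-checked whenever the site moves, which is what the post's "ping first" step is for.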
APK
Researcher to demonstrate attack code for Intel chips:

http://www.infoworld.com/article/08/07/14/...el_chips_1.html

SALIENT/PERTINENT EXCERPT:
----------------------------------------------------
"Kaspersky says CPU bugs are a growing threat, with malware being written that targets these vulnerabilities... Security researcher and author Kris Kaspersky plans to demonstrate how an attacker can target flaws in Intel's microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of what operating system the computer is running."
----------------------------------------------------

* Now can anyone see WHY I recommended turning off Java/Javascript (& other browser addons/extension languages) for "every site you use under the sun" + IFrames etc.? Personally, this one's pretty bad, worse than what is out there/here now, worse than rootkits even in some ways...

However, I also think worse are on the way even moreso...

(... & I mentioned the architecture they could possibly use, quite "terminator-like", for rootkit delivery systems & such here earlier. Especially ones that can flash your BIOS, &/or other updateable PROMS (mainly because if usermode tools from vendors like ASUS + GIGABYTE & doubtless others can do it, from inside Windows, so can malwares & same way (via drivers & bios img files))

APK

P.S.=> There are more examples inside this guide, & of this SAME type of idea (crank off the java/javascript etc. et al & ONLY keep it active on sites you ABSOLUTELY need it for, to have the site function properly - lessening your potentially attackable surface online basically).. heck, even adbanners have exploits of this nature in them lately...

The examples I put in this guide ARE far older too, dating back 1-3 yrs. but the point is only here, again, & moreso (far more dangerous this time, imo @ least)... apk
CrimsonRealm
what about server 08 ;o
APK
QUOTE (CrimsonRealm @ Aug 10 2008, 02:59 AM) *
what about server 08 ;o


I don't list it in this guide, because it did NOT exist yet ("for the masses/general consumption") by users @ the time of this guide's creation... & the fact that I also do NOT use it myself (@ home OR on the job)...

HOWEVER, since it's a Windows NT-based OS' descendant/variant?

MUCH of this (if not nearly all) still applies!

I.E.-> It's not THAT "radically different" from Windows 2000/XP/Server 2003 & especially VISTA (its immediate forebear in the latter)... whereas for say, MS' upcoming R&D stage "SINGULARITY" OS, I have NO CLUE/IDEA (since it sounds VERY different vs. these in this list I just noted, from what I have read).

(Albeit/ALSO - I am NOT sure if there is a CIS Tool that is prepared (YET) for that variant of this OS family though. For instance, the last time I looked for a variant of the CIS Tool that was for VISTA (around 1/2 a yr. ago) I didn't see/find one (then again, i do not use VISTA @ home either (or, on the job, other than supporting the occasional user who has it))).

As to SPECIFIC points that SHOULD still apply to it from this guide, that you can STILL most likely use?

Probably these (by number, from this guide's points - however, you most likely HAVE TO LOGON AS ADMINISTRATOR USER to make the alterations required for them on VISTA &/or Windows Server 2008):

===============================

#1 - SECURING SERVICES (but, I do not think the Microsoft Management Console snapins end in ".msc" anymore on VISTA or Win2k8 Server, this you have to find out yourself) - this may mean some testing though, because for example? VISTA adds a truckload of services its forebears did NOT have @ all, period.

--------------------------------------------------------

#2 - Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)! SO - check your network connections in Win2k8 server for this, via its properties.

--------------------------------------------------------

#3 - Use IP security policies (this probably STILL exists on Win2k8 server, but, as to implementing them? You may have to do it "totally by hand" on Win2k8 server, via its version of secpol.msc (or global AD oriented versions of said tool)).

--------------------------------------------------------

#4 - Another thing I do for securing a Windows NT-based OS: IP Port Filtrations - This most likely still exists, but I wager you HAVE to logon as an ADMINISTRATOR user(s) (since some users you have may be of ADMIN levels) to make alterations here.

--------------------------------------------------------

#5 - The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE (this I KNOW, for a fact, you have to logon as ADMINISTRATOR privilege user(s) for this to happen, as I have applied it to VISTA, & thus, it will probably be the same for Win2k8 server).

THIS IS USEFUL IN CASES OF THE DNS VULNERABILITY, that although patched recently? Is NOT 100% fully effective, per this latest news (10 hrs to hack/crack thru it, where it was said to take weeks initially per the Dan Kaminsky discovery of said vulnerability):

BIND Still Susceptible To DNS Cache Poisoning:

http://tech.slashdot.org/tech/08/08/09/123222.shtml

Because, after all - if you DON'T call out to DNS servers for IP-to-URL resolutions? You should still be safe (OpenDNS may help SOME here, as the DNS server you use, but it too, still is vulnerable apparently to some extent - hardcoding your fav. IP-to-URL equations for your fav. websites help here... & blocking out KNOWN bad sites &/or adbanners servers definitely does).

--------------------------------------------------------

#6 - USE Tons of security & speed oriented registry hacks (reconfiging the OS basically - stuff like you might do in etc / conf in UNIX/LINUX I suppose) - this may be the "biggest variance" between Win2k8 server & VISTA, vs. Windows 2000/XP/Server 2003 - since registry entries sometimes are "deprecated" (no longer useful/obsolete) after even OS service packs &/or patches sometimes (when they become 'legacy entries')... you'll have to test, but even if they are no longer useful, no real harm is done usually (since the entries do not take effect or change the way some subsystems parameterize & initialize).

--------------------------------------------------------

#7 - USE General LOCAL security policies - this is doubtless STILL going to be OK & work right, with some variations, because ActiveDirectory is still part of that OS as well as local-to-system user policies.

--------------------------------------------------------

#8 - KEEP UP ON PATCHES FROM MICROSOFT - THIS GOES WITHOUT SAYING ON ANY MICROSOFT OS (or any other even).

--------------------------------------------------------

#9 - It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE IE 7 Protected Mode"-like type scenario, isolating them into their own spaces in memory, here are 2 methods, how (not needed on VISTA though, afaik): SAME AS VISTA HERE (already has a "sandboxed IE", built in (however, recently, some security researchers have figured out a way around ASRL & DEP in VISTA via Java/ActiveX controls &/or .NET libs so you know, rendering VISTA security quite useless... see URL next -> )

Vista's Security Rendered Completely Useless:

http://it.slashdot.org/article.pl?sid=08/08/08/1155208

--------------------------------------------------------

#10 - Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person & even THEN, scan it with an antivirus (this definitely still holds true)

--------------------------------------------------------

#11 - I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router (THIS DEFINITELY STILL HOLDS TRUE)

--------------------------------------------------------

#12 - Windows Server 2003's SCW was run over it FIRST (This still "holds true", IF there is an "SCW" (server configuration wizard) for Win2k8 Server as there is for Win2k3 Server)

--------------------------------------------------------

& LASTLY? THIS DEFINITELY MOST LIKELY STILL HOLDS TRUE AS WELL:

AN IMPORTANT SET OF POINTS TO SECURE YOUR WEBBROWSER, EMAIL PROGRAMS, & MORE:

STOP JAVASCRIPT USAGE IN YOUR BROWSERS (along with ActiveX & JAVA) On the PUBLIC internet, PERIOD
(well, with SOME exceptions on sites that demand you use it, OR those that cannot function properly without it, some examples below)!

ESPECIALLY PER POINT #9 ABOVE, & the recent "bypass" of IE protections on VISTA (& others also)...

===============================

* THERE YOU GO - but, remember: I did not list Windows Server 2008, because it did NOT exist per the time of this guide's creation, however, it is "VISTA-LIKE" in its "foundations/underpinnings" so, that list SHOULD be ok (even if only for the most part).

APK

P.S.=> IF I made any "mistakes" here, or missed an "important detail" for doing this in VISTA &/or Windows Server 2008? Please DO note them... for the good of others, IF you attempt to apply these points yourself to your Windows 2008 Server setup... & thanks! apk
APK
Well, @ this point?

I think this guide's PRETTY SOLID, because nobody has been able to "add points" to it, from across 27 other forums online (many are "serious geek" oriented sites too)!

THUS/In any event?

@ People Reading:


This IS your "Iron Man Armor Online"!



So, have @ it ('snap it on') - & enjoy a F A S T E R, & FAR MORE S E C U R E online setup on your Windows NT-based OS' of today (Windows 2000/XP/Server 2003 & yes, even VISTA to a good extent) via applying CIS Tools' suggestions & my own that "layer ontop of it"...


* I am FAIRLY certain it's done (& yes, I've been looking in the interim period from the init. post date of this guide, up to today/currently, & have not found anything more pertinent to add here) - So, as I can't think of any more points & methods to secure your Windows NT-based rigs, & thus, I close this post off... she's all done as far as I am concerned... this same message will go across ALL others like it that I am still able to edit/add to online, @ some point today in fact.

APK

P.S.=> Sorry for the 'closing note' but, if anyone's interested, this is the "final model" of this guide & its points... enjoy (& IF you find things I did not or omitted, please/again - feel free to add on to this posting)! apk
joec@home
Great Post


Though I am trying to remember a quote I once heard, I think it might have been Steve Jobs
"The only way to ensure a computer is secure is to make sure there are no wires attached to it"
APK
QUOTE (joec@home @ Nov 4 2008, 09:28 PM) *
Great Post


Thank you, & above ALL else? I hope you employ + understand CIS Tool's points, & others I "layered ontop of them", for BOTH better security & speed (as a nice 'side-effect/bonus', which does result here) online, today... & that you spread it to others once you master it/them + adhere to the simple rules noted w/ in this 'guide'... because it really, truly, works - especially in today's online world ('wild west' is more like it, lol).

QUOTE (joec@home @ Nov 4 2008, 09:28 PM) *
Though I am trying to remember a quote I once heard, I think it might have been Steve Jobs "The only way to ensure a computer is secure is to make sure there are no wires attached to it"


As Russell Crowe said in the film "A Beautiful Mind" while portraying the great Mr. John Nash (in regards to Adam Smith's economic theories):

"Incomplete!"

I'd add on, "Yes, that is true: BUT, then you don't get much done either, or @ least, as easily..."


Anyhow/anyways? Good luck, enjoy the material & I hope you employ it to your benefit, if not that of others you know as well!

(Because, that's the MAIN idea here - put out the word, get the idea out, on what really works nowadays online... to keep one's self safe ( r ) )"

Because, vs. today's myriad "blended threats"... well, the 'BIG NAME' security suites are clearly failing (recent proof from SECUNIA.COM & COMPUTERWORLD to evidence this, for me):

----

Top security suites fail exploit tests (COMPUTERWORLD):

http://www.computerworld.com/action/articl...rc=news_ts_head

&/or

Top security suites fail exploit tests (SECUNIA):

http://secunia.com/blog/29/

----

HOWEVER, by contrast? This guide & its points for "layered security" for a Windows (or even various *NIX distro users mind you)??

They DO not fail, & work... simply by following & adhering to a few simple rules + a pinch of common-sense on the part of the end user!

APK
ChuFuong
best way to secure Vista is to remove it from your system, put the disc back in the box, and lock it away in the closet...
APK
Microsoft missed patching a KNOWN issue on this literally BIGGEST Ms-Patch Tuesday to date on 12/09/2008 (most bugfixes issued ever by Microsoft, & to close off year), & then?

Read here below to get the details, + past that, to patch yourself easily with an easy fix I figured out:

----

Oops! Missed One Fix — Windows Attacks Under Way:

http://it.slashdot.org/comments.pl?sid=105...mp;cid=26072169

----

&

----

Microsoft warns of new Windows bug, says attacks under way
(WordPad Text Converter flaw wasn't patched in big Tuesday update):


http://www.computerworld.com/action/articl...ticleId=9123100

----

What is below, courtesy of "yours truly", fixes it!

(Simply by altering the file association for the Explorer/IE shell from WordPad.exe to winword.exe (it's immune to this, & Ms-Word handles old Windows 3.x & NT 3.5x Ms-Write .wri files, just fine...))

.REG FILE TO USE IF YOU USE WinWord 2003/Ms-Office 2003 (easily altered for 2000/XP/2008 versions):

----

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.wri]
@="Word.Document.8"
"Content Type"="application/msword"

[HKEY_CLASSES_ROOT\.wri\PersistentHandler]
@="{98DE59A0-D175-11CD-A7BD-00006B827D94}"

[HKEY_CLASSES_ROOT\.wri\Word.Document.8]

[HKEY_CLASSES_ROOT\.wri\Word.Document.8\ShellNew]
"FileName"="winword8.doc"

----

    1.) Paste what is between the dashed lines only above, into notepad.exe

    2.) Save it as TYPE "All Files", & on disk as APKMsWordPadBugFix.reg

    3.) Then open it using regedit.exe. It will ask if you want to merge this registry file. Do so.


(That's a fix before Ms issues a fix, because it changes the .wri file extensions' file association from opening in WordPad.exe if you click on any bogus files sent your way, hopefully not, but just in case, & the shell will spawn the process as Microsoft Word, which is immune to this in most modern versions of it, if not all versions)

A simple to do, easy fix for anyone, even before MS issues a fix...

POTENTIALLY/POSSIBLY IMPORTANT:

IF you have versions of Ms-Office (Ms-WORD specifically), other than 2003?

You MIGHT have to change "Word.Document.8", wherever it appears above, to whatever version number yours is, along with the GUID used to do the OLEServer library marshalling/summoning of Word to open .wri files with, instead of Wordpad.exe & that's found in the .doc file association under -> HKEY_CLASSES_ROOT , easily enough)...

APK

P.S.=> "We can do this... We HAVE the technology!", lol, too bad MS didn't, talk about easy, I don't see HOW they could have missed this IF it was a KNOWN issue that came up before "Patch Tuesday" 2 days ago, I thought of it in literally 2 seconds, & took maybe 2 minutes to make the file & test it, it works... apk
APK
Here is a PRIME example of where most folks that try this test can take the result to, scoring-wise, on the CIS Tool Security Benchmark test:

http://www.thenewtech.com/forums/attachmen...mp;d=1234540101

99.058/100


* Not TOO shabby, eh?

(I.E.-> A NEAR 100% perfect score for a client of mine whose system I secured this week taking it from a 45/100 default score, to this one, DOUBLING its security rating per this test, & THEN some... & , in fact, it probably is a perfect score (I say that, because 4/5 things it scored me down on, I actually DID have right for this client of mine, but yet the test scores me down on them (it makes SOME errors here & there is all)))

APK

P.S.=> Placing this result here for posterities' sake and as an example of how secured a Windows system can be, per this benchmark of security test's gauge thereof... apk
visualtron
QUOTE
#3 - Use IP security policies (this probably STILL exists on Win2k8 server, but, as to implementing them? You may have to do it "totally by hand" on Win2k8 server, via its version of secpol.msc (or global AD oriented versions of said tool)).


Help! I did a stupid thing, i went to create an IPSEC policy (see tutorial below) for my terminal service port, and now i'm locked out of my server! I can't connect to RDP even after assigning Assigning Client (respond only) using gpedit.msc on my client PC.
http://support.microsoft.com/kb/816521
http://www.msterminalservices.org/faq/Wind...ervices/?page=7
APK
QUOTE (visualtron @ Aug 16 2009, 11:50 AM) *
Help! I did a stupid thing, i went to create an IPSEC policy (see tutorial below) for my terminal service port, and now i'm locked out of my server! I can't connect to RDP even after assigning Assigning Client (respond only) using gpedit.msc on my client PC.
http://support.microsoft.com/kb/816521
http://www.msterminalservices.org/faq/Wind...ervices/?page=7


It happens (it did to me, as well, the 1st time I tried this almost a decade ago now) - have you tried using an F8 "Safe Mode" bootup, to undo what you did?

NOW - IF that doesn't "do it for you"?

You could, in theory, bootup via RECOVERY CONSOLE, & use its LISTSVC command to get the IP Security Policy service name (IPSEC) & then, use the DISABLE command on it, to make it NOT RUN... & therefore, you would be able to "get in", because IP Security Policies NEVER TOOK EFFECT... in theory, @ least.

APK

P.S.=> This is the "why" of WHY I recommended starting out w/ "Analog X's" IP Security Policy (for starters @ least), because it's proven, it works, & is a GOOD "startup model" to work from... &, you can customize it later, for your own UNIQUE needs! STILL - I hope my suggestion above helps... apk
visualtron
QUOTE (APK @ Aug 16 2009, 12:18 PM) *
It happens (it did to me, as well, the 1st time I tried this almost a decade ago now) - have you tried using an F8 "Safe Mode" bootup, to undo what you did?

NOW - IF that doesn't "do it for you"?

You could, in theory, bootup via RECOVERY CONSOLE, & use its LISTSVC command to get the IP Security Policy service name (IPSEC) & then, use the DISABLE command on it, to make it NOT RUN... & therefore, you would be able to "get in", because IP Security Policies NEVER TOOK EFFECT... in theory, @ least.

APK

P.S.=> This is the "why" of WHY I recommended starting out w/ "Analog X's" IP Security Policy (for starters @ least), because it's proven, it works, & is a GOOD "startup model" to work from... &, you can customize it later, for your own UNIQUE needs! STILL - I hope my suggestion above helps... apk



That's. It's a hosted server on parallels, but luckily, i got a backup, which was before the security setup of two dozen steps! Setting up security for a newbie is risky biz, i had to revert to backup 3 times and i'm only halfway through.

Is it really necessary to use IPSEC for RDP? My understanding is that RDP itself has some sort of encoding? or not?

For now, I think I will just change RDP listening port as a security measure.
http://support.microsoft.com/kb/187623
APK
Changing the listening port from 3389 (Citrix products default to the same, after all, it is who MS licensed the tech from anyhow & changed it SLIGHTLY for (depends on your POV, as to 'slightly', though really)) is a decent idea!

That, ALONG WITH PATCHING (Ms has, or HAD, a "known issue" with RDP, might have been patched this last past "Patch Tuesday"), because I am fairly certain, MS may have patched the hassle noted here -> http://secunia.com/advisories/15605/ already...

ON "Remote Desktop Protocol" (Terminal Services subset really)? It has a form of encryption, you might want to read more on it, here: http://en.wikipedia.org/wiki/Remote_Desktop_Protocol TLS & 128-bit encryption, using the RC4 encryption algorithm are what to search there... no, it's not FIPS 140 (gov't. std. afaik) but, it does the job.

(Heh, & to think I used to be "Citrix Trained", circa 1996 for Bell South for their Olympics "workforce @ home" program (& later on another contract by a Mr. Tony Woo (Citrix expert, good guy & GOOD TRAINER (former MS & Citrix man), met him in person in Atlanta Ga. in 1997 later after the Bell South Cellular project)))

That project for the Olympics & Bell South Cellular was done so their workers could work from home via special laptops we had for them, to avoid traffic, which is BAD in Atlanta, even w/out the Olympics being in town that year.

(The machines used, back then? Don't laugh - Pentium I 133mhz + 32mb RAM, which believe it or not? Back in 1996 was a "POWER HOUSE MACHINE" & just enough to do modem dialins to work via an ASCEND router gateway... but, as to specifics on Citrix (which is what we used then), or TS? Sometimes, those "elude me", unless I re-research them - so, hence, the URL I gave you instead for your reference!)

APK

P.S.=> Good job on your "work-around", it is "a way"... you mention "parallels", that's MacOS X stuff, right? apk
APK
To anyone using VISTA, Windows Server 2008, or the new "Windows 7" (which rocks, especially in 64-bit form)? Don't use the point I noted as this in its first sentence:

6.) USE Tons of security & speed oriented registry hacks

Not unless you ABSOLUTELY KNOW what you're doing.

(See, the older registry .reg file 'hacks' won't work that worked FINE on Windows 2000/XP/Server 2003, albeit (not all of them @ least) with VISTA, Server 2008, or the new Windows 7. So, "Steer Clear" of those on the newer MS' OS!)

Thanks!

APK

P.S.=> On that "note"? I like Windows 7, very much (again, especially in its 64-bit build), & it amazes me how F A S T it is, even with its large number of services resident + running, by default - &, when you "trim them down" even more? You get THAT MUCH FASTER! The services are now also secured better, by using "lesser privilege" user SID entities "built-in" types vs. LOCAL SYSTEM, such as NETWORK SERVICE or LOCAL SERVICE which I go into HOW TO DO IT on Windows 2000/XP/Server 2003 here (Server 2003 has much of it, as does XP, after MS did service packs + hotfixes, & Windows 2000 lacks a few "built in" entities, but you can "mock up" a lesser privileged one easily enough to do that there also - this has put Windows on level with the likes of the BSD based MacOS X in that respect, which is GOOD!)

Now, IF only MS would fix up HOSTS files being unable to use the FAR MORE EFFICIENT & FASTER "0 ip address" (pings resolve it back to 0.0.0.0 though on Windows 2000 (after service packs though, MS put it in there around SP#1-4 somewhere, so it was seen as a GOOD THING by them, because the original OEM version did not allow that, & only allowed as good as using 0.0.0.0 in a HOSTS file (which IS better than 127.0.0.1 by 2 bytes per line) but, using 0 beats them both, by large margins (making for a faster load up into RAM (be that the local DNS cache (disable that on larger HOSTS files), or, the local diskcache kernel mode subsystem)?

Windows 7 would be THAT MUCH BETTER, for both security and speed!

Well, in this case, ONLY for those that have the good sense to use a HOSTS file for added speed & security!

(FOR SPEED? BLOCK ADBANNERS (they too have been found to have malware in them for years now), & "hardcode" in your fav sites IP Address-to-DomainName/HOSTName? Well, doing that, you avoid calling out to potentially downed or compromised DNS servers (see Dan Kaminsky online for the latter, the Domain Name System has problems, even the "allegedly invulnerable" DJBDNS was found to have holes in it for security this year in fact))!

Thus, saving you between 30-x ms queries to those remote DNS servers (which CAN be logged no less as well), & instead using the speed of MEMORY/RAM (many, Many, MANY orders of magnitude faster) once the HOST file is loaded (which still occurs faster, because it would be using diskspeeds of today, which are 3-10 or more orders of magnitude faster than calling out to remote DNS servers). HOSTS use no CPU cycles, vs. DNS programs + they are EASILY EDITED vs. even other filters like IPTables in Linux (easier in notepad imo & ANYONE can do it, we all have text editors is why on ANY OS), & cost you NOTHING (many good sources for good ones too, like -> http://en.wikipedia.org/wiki/Hosts_file for starters, or SpyBot "Search & Destroy" for updates to it that block out KNOWN bad malscripted sites, or bad servers used to control "botnets" too! I could go on & on on MORE of the benefits of HOSTS, but that'll do, for now (I hope MS fixes this removal of 0, as a blocking "ip" in HOSTS in Windows 7 @ least, because it is more efficient & faster).

What worries me some though even more on SECURITY though?

This, on Windows VISTA, Server 2008, & Windows 7's Firewall:

http://www.rootkit.com/newsread.php?newsid=952

PERTINENT EXCERPT/QUOTE:

"BTW, the firewalls based on NDIS v6, which was introduced in Windows Vista, are much easier to unhook and bypass."


That was a DIRECT QUOTE from said URL I just posted from rootkit.com ... & it 'worries me' some. I have confronted MS tech people & mgt. on this, to no avail... I don't know WHY they won't answer either - I am only asking WHY the thing with HOSTS was done, no answers, & pointed out to them what ROOTKIT.COM said above, many times (on MSDN, @ INTEL, @ /. with a user there named "Fordecker" who is a senior MS development mgr. for Windows no less, & also on the "Engineering Windows 7" blog by S. Sinofsky, a "Big Man" @ MS on Windows no less)... apk