Setup process for a secure workstation




This is a work in progress. Version - 5/15/08

Billions of people use computers running Microsoft software. Microsoft has therefore made a quite understandable decision to set up its products so as to operate smoothly right out of the box for the majority of people. Many computer users don't know a great deal about the inner workings of computers and operating systems, nor do they need to. However, there are a few things that should be done to secure Microsoft Windows prior to putting it into use.

This guide is designed to let the average computer user make a home PC or personal laptop much more protected against penetration by a hacker. I have tried to make these instructions fairly comprehensive, but there is room for improvement in anything. If you have any suggestions, clarifications or corrections, please contact me at: infosec@uc.edu

A few notes before we begin:

- Where you see (RC) it indicates that you should Right Click the indicated item vs. left clicking as usual.
- [#] The number in square brackets indicates the number of minutes this step took me in my trial. Your experience may differ.
- I usually do not give specific instruction steps for clicking Apply, Save or OK. These steps are implied by the instructions.

One last thing: Remember one immutable law of security. Physical access trumps almost any technical protections you may put in place. If you have a laptop, never leave it unattended. If it is stolen, a hacker will have unlimited time to break through your security. Buy and use a locking cable. Install a strong encryption package. None of the below will protect your system or data if a technically-minded thief has possession of your computer. If you think you are safe, consider this: http://www.youtube.com/watch?v=m9sxhycp-q0&mode=related&search=

That being said, let's protect your machine from other types of attacks. All the steps below, including the clean install of Windows XP, took less than 4 hours.

On with the process

1. If possible, start with a clean install of Windows XP SP2. I do not recommend using any earlier version. This version fixed many significant security issues. [~70 minutes]
   - Go to Device Manager and make sure all your devices are working properly. Two of the ways to do this are:
     (Start > My Computer (RC) > Properties, Hardware tab, Device Manager button)
     Note: Some systems may say View System Information instead of Properties above.
   - Anything with a yellow exclamation point should be fixed. Consult your documentation or contact support if you need help to resolve these.

2. Customize Start Menu to add System Administrative Tools. [1]
   - To get to Customize Start Menu, right click Start > Properties
   - If your PC does not have Start > Properties, go to Start > Control Panel. Switch to Classic View using the link on the left panel and then select Taskbar and Start Menu
   - If you prefer the Category View of Control Panel, Taskbar and Start Menu is under the Appearance and Themes category
   - Go to the Advanced tab
   - Configure Start Menu Items to taste and add System Administrative Tools to your menu as shown:

3. Create a non-administrator user account for normal use. [3]
   - Start > Control Panel > User Accounts
   - Enter the user name you desire and press Next
   - Set to Limited Account and click Create

   - Click on the new account
   - Add a strong password. See http://www.uc.edu/infosec/howtochooseapassword.htm for tips.

4. Go to Computer Management [3]
   Two ways to get to it:
   - Click Start > My Computer (RC) > Manage
   - Click Start > All Programs > Administrative Tools > Computer Management
   Secure the user accounts:
   - Delete all unnecessary accounts (support, HelpAssistant, etc.) by right clicking each in turn and selecting Delete

   - The Guest account cannot be deleted, but it should already be disabled. (This is shown by the red x over the account.) Leave this account disabled.
   - Set a strong password on all active accounts (including Administrator). For tips on how to select a strong password see: http://www.uc.edu/infosec/howtochooseapassword.htm
   - Click Disk Management in the left pane (green arrow) and verify that all disk partitions are formatted with NTFS (indicated by red arrow)

   - If the disk is not NTFS and you have the option of converting it, you should do so. NTFS has many more security options than any of the FAT versions.
     Note: Although the chance of corruption or data loss during the conversion is minimal, it is recommended that you perform a backup of the data on the volume that you want to convert before you start the conversion.
     To convert an existing FAT or FAT32 volume to NTFS, follow these steps:
     1. Click Start > All Programs > Accessories > Command Prompt
     2. At the command prompt, type the following, where drive letter is the drive that you want to convert:

            convert drive letter: /fs:ntfs

        For example, type the following command to convert drive E to NTFS:

            convert e: /fs:ntfs

        Note: If the operating system is on the drive that you are converting, you will be prompted to schedule the task when you restart the computer because the conversion cannot be completed while the operating system is running. When you are prompted, click YES
     3. When you receive the following message at the command prompt, type the volume label of the drive that you are converting, and then press ENTER:

            The type of the file system is FAT.
            Enter the current volume label for drive drive letter

     4. When the conversion to NTFS is complete, you receive the following message at the command prompt:

            Conversion complete

     5. Quit the command prompt.

5. Set a screen saver and set the system to require a password upon resume. [1]
   - Right click anywhere on the desktop and select Properties
   - Select the Screen Saver tab. Select your preferred screen saver.
   - Be sure to check On resume, password protect as shown

6. Open your My Documents folder, then select Tools and Folder Options [1]

   - Under Hidden files and folders, set Show hidden files and folders for the time being (you can set this one back to hide after we are done)
   - Scroll to the bottom and uncheck Use simple file sharing (this one you will want to keep this way)

7. Review and modify file permissions on your hard drives. [3]
   - Open My Computer. Right click on your main hard drive and select Properties
   - On the Sharing tab, remove the default share by clicking Do not share this folder

   - On the Security tab, remove the Everyone group from file permissions by selecting it and pressing the Delete key.
   - Repeat this for any other hard drives that might be connected to your computer
   - More permission setting advice can be found here, but this may be more detail than most users need to worry about: http://www.windowsitlibrary.com/content/121/18/1.html

8. Secure and optimize the network adapters. [10]
   There are a number of conceptual details involved in the following that I will not explain in detail, but the main point of these steps is to allow you to have networking between computers inside your home using a different protocol than the one used by your computer to communicate with the internet. These steps dramatically improve the security of your system in several ways. Details may be had by reviewing the references below.

   Install NetBEUI (This is a protocol that will be used to allow file and print sharing on your local network without exposing your files to the internet by using TCP/IP)
   - Insert the Windows XP CD-ROM into the CD-ROM drive.
   - Navigate to the Valueadd\MSFT\Net\NetBEUI folder.
   - Copy NBF.SYS to the %SYSTEMROOT%\System32\Drivers directory.
   - Copy NETNBF.INF to the %SYSTEMROOT%\Inf hidden directory.
   - Click Start > Control Panel and double-click Network Connections
   - Right-click the adapter where NetBEUI is to be added (Local Area Connection), then click Properties
   - On the General tab, click Install
   - Click Protocol, then click Add
   - Select NetBEUI Protocol from the list and then click OK

   - Restart the computer if prompted. NetBEUI should be installed and functional
   - Select Internet Protocol (TCP/IP) and click Properties
   - On the General tab, click Advanced
   - On the WINS tab, click the Add button and enter the address 127.0.0.1, click Disable NetBIOS over TCP/IP, and uncheck Enable LMHOSTS lookup as shown (This will have to be done for each connection with TCP/IP installed)
   - Close out of all those windows so that you are back in Start > Control Panel > Network Connections, click the Advanced menu (to the right of Tools in the button bar) and select the Advanced Settings option

   - In the top window, set the order of connections. You should put the connection you use most at the top. For example, start with LAN, then Wireless, then others.
   - In the bottom window, uncheck Internet Protocol (TCP/IP) in File and Printer Sharing and Client for Microsoft Networks; these two functions should be bound to NetBEUI only. (The below only shows one connection, but you will need to set these bindings for all connections listed in the top window.)

   Configure Windows Firewall. [3]
   - Turn the firewall on and check the Don't allow exceptions option (unless there is a good reason to have an exception)

   - Turn on the firewall log on the Advanced tab, Security Logging Settings button

9. Change workgroup name if desired. [2]
   - Click Start > My Computer (RC) > Properties, Computer Name tab, Change button (green arrow)

   - Change the computer and workgroup name to meet your needs (red arrows)

10. NOTE: For computers on your local workgroup to properly communicate, they will all need to be set up to:
   - Have the same workgroup name
   - Have different computer names
   - Be set up with NetBEUI as shown in the steps above

11. Disable Bluetooth if it is not being used. [1]

12. Disable Wireless if it is not being used. [1]
   Note: The steps in this document will help protect your PC from attack as wireless connectivity is currently not a secure technology. It is possible to break WEP encryption (the wireless encryption still used by most wireless access points if any is used at all) in less than 15 minutes using a tool that is freely available online. So, while wireless access is incredibly useful, it is not secure. Just something of which to be aware.

13. Connect your computer to your network via the network cable or wireless adapter. [1]

14. Install a reputable Anti-Virus package like McAfee or Panda. [5]

15. Update your Anti-Virus package. [7]

16. Install Internet Explorer 7. [15]
   http://www.microsoft.com/windows/products/winfamily/ie/default.mspx (Requires reboot)

17. Secure Internet Explorer. [5]

   - Go to Internet Options
   - Go to the Privacy tab and set cookie security to High. Once you have done this, you will need to explicitly add any site that you want to have cookies. This requires a little extra work on your part, but it will virtually eliminate the incredible proliferation of cookies that infect most computers and dramatically compromise your privacy. There are a relatively low number of sites that absolutely require cookies.

   - Go to the Security tab and set to High for the Internet zone as shown.
   - On the same tab, click Trusted sites (green checkmark). Click the Sites button (red arrow)
   - On the resulting screen, uncheck Require https (at the bottom) and then enter the following URLs as shown above. These will be required to run Windows Update in the next step.
       update.microsoft.com
       *.update.microsoft.com
       download.windowsupdate.com
       windowsupdate.microsoft.com

18. Run Windows Update. [45]
   - Click Start > All Programs > Windows Update
   - You will be taken to the Windows Update website. Run the Express update.
   - The first run will require a reboot. You will need to run Windows Update again after the reboot, and perhaps a third time if some of the updates fail.

19. Set advanced security on your processor if available (http://www.grc.com/securable.htm)

20. Install ZoneAlarm. [4]
   ZoneAlarm is a free bi-directional firewall that is consistently one of the best reviewed and secure personal firewalls on the market.
   http://download.zonealarm.com/bin/free/1025_update/zasetup_en.exe

21. Install any utilities that you may wish. [variable]
   Some of my favorites are:
   - Eraser - http://www.heidi.ie/eraser/download.php
   - TrueCrypt - http://www.truecrypt.org/
   - WinRAR - http://www.rarlab.com/download.htm
   - CurrPorts - http://www.nirsoft.net/utils/cports.html

22. Install & configure an alternative browser if desired. (Firefox, Opera, etc.) [10]

23. Configure Local Security Policies. [15]
   - Click Start > All Programs > Administrative Tools > Local Security Policies
   - In the Account Policies > Password Policy section, set:
       Minimum password length - 10
       Password must meet complexity requirements - Enable
       Store password in reversible encryption - Disable
   - Set Account Lockout Policy:
       Duration - 60 minutes
       Threshold - 5 attempts
       Reset lockout counter - 60 min

   - Set Local Policies > Audit Policy as shown
   - Under Security Options do the following:
       Accounts: Guest account - Disable
       Accounts: Rename administrator account - Rename this to something else. I chose HighLevel
       Accounts: Rename guest account - Rename this to something else. I chose DoNotUse
       Domain member: Require strong (Windows 2000 or later) session key - Enabled
       Interactive logon: Do not display last user name - Enabled
       Interactive logon: Do not require CTRL+ALT+DEL - Disabled
       Set a logon message if desired (like "This computer is the property of company X. Authorized use only." etc.):
         1. Interactive logon: Message text for users attempting to log on
         2. Interactive logon: Message title for users attempting to log on
       Microsoft network client: Send unencrypted password to third-party SMB servers - Disabled
       Network access: Allow anonymous SID/Name translation - Disabled
       Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
       Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
       Network access: Do not allow storage of credentials or .NET Passports for network authentication - Enabled
       Network access: Let Everyone permissions apply to anonymous users - Enabled
       These next three settings should have all their entries removed to prevent Null Session attacks:
         1. Network access: Named Pipes that can be accessed anonymously
         2. Network access: Remotely accessible registry path

         3. Network access: Shares that can be accessed anonymously
       These are the default values for the above three keys. I am including them here in case you need them for future reference:
         o Named Pipes: COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,browser
         o Remotely accessible registry path: System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\control\server Applications,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
         o Shares that can be accessed anonymously: COMCFG,DFS$
       Network access: Sharing and security model for local accounts - Classic
       Network security: Do not store LAN Manager hash value on next password change - Enabled
       Network security: LAN Manager authentication level - Send NTLMv2 response only\refuse LM & NTLM
       Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - Check Require NTLMv2 and Require 128-bit encryption
       Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - Check Require NTLMv2 and Require 128-bit encryption
       Recovery console: Allow automatic administrative logon - Disabled
   - In User Rights Assignment, set the following. You will sometimes be removing groups (like "Everyone") and adding others (like "SYSTEM").
       Access this computer from the network - Administrators (remove Everyone and other groups)
       Bypass traverse checking - Administrators, SERVICE, Power Users, Users
       Deny access to this computer from the network - ANONYMOUS LOGON
       Deny logon locally - Guest
       Deny logon through terminal services - Everyone
       Log on as a batch job - <remove all>
       Log on as a service - <remove all>
       Log on locally - <remove Guest>

24. Registry Changes. [2]
   - Open Notepad
   - Paste the following text into Notepad

        Windows Registry Editor Version 5.00

        ; Server service: no default administrative shares, SMB signing required,
        ; no LAN Manager announcements
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
        "AutoShareServer"=dword:00000000
        "AutoShareWks"=dword:00000000
        "enablesecuritysignature"=dword:00000001
        "requiresecuritysignature"=dword:00000001
        "Lmannounce"=dword:00000000

        ; Workstation service: SMB signing required, no plaintext passwords.
        ; The AutoShare* values are read by the Server service; here they have no effect.
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
        "AutoShareServer"=dword:00000000
        "AutoShareWks"=dword:00000000
        "enableplaintextpassword"=dword:00000000
        "enablesecuritysignature"=dword:00000001
        "requiresecuritysignature"=dword:00000001

   - Save the file as SecuritySettings.reg
   - Run SecuritySettings.reg by double clicking it and confirming.
   This file sets a few security items that were not done by the settings above. It removes default administrative shares and requires security signatures.

25. Shut down and disable Services that are not required. [15]
   Start Services manager in one of two ways:
   - Click Start > All Programs > Administrative Tools > Services
   - Click Start > Settings > Control Panel > Services
   To stop a service:
   - Select the service you want to modify (green arrow)
   - Click the Stop button (red arrow)
   To set a service to Manual or Disable it:
   - Double click the service you want to modify
   - Stop the service (there are a few that will not stop until you reboot)
   - Select Disabled or Manual under Startup Type
   - Click Apply and OK
   Go through the Services manager and set the following services like this:

   - Alerter: This service is only needed for sending administrative alerts. Used to notify admins when a server is in trouble. Set to Manual or Disable on a home PC.
   - Application Layer Gateway: Provides support for 3rd party plug-ins for Internet Connection Sharing/Internet Connection Firewall. Required if using Internet Connection Sharing/Internet Connection Firewall to connect to the internet. Automatic if using ICS, Disabled if not.
   - Clipbook: This service is a relic of NT 3.x. Used to support Clipbook Viewer, which allows remote viewing of the clipbook. Default for workstation is Manual. Ensure it is set to Manual or Disabled.
   - COM+ System: Disable.
   - Computer Browser: The browser service is used to maintain the list of PCs you see in Network Neighborhood. This is normally a server function. A home user can set this to Manual.
   - Distributed Link Tracking Client: Sends notifications of files moving between NTFS volumes in a network domain. Disable on a home computer.
   - Distributed Transaction Coordinator: Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction-protected resource managers. Manual.
   - DNS Client: Resolves and caches Domain Name System (DNS) names. This is normally provided by your ISP. Disable, and if you have name resolution problems, return it to Automatic.
   - Error Reporting: Disable.
   - Fax Service: Set to Manual if you don't need fax services.
   - Indexing: Fastfind functionality. Improves text searches. For day to day performance, disable it.
   - Internet Connection Sharing: If you want to share an Internet connection for your home network, then set this to Automatic. If not, leave this set to Manual.
   - MSFTPSVC: FTP Service. Disable this if you see it and are not running an FTP server.
   - Messenger: This service can be used to send messages. You have email for that now. Disable.
   - Net Logon: Supports pass-through authentication of account logon events for computers in a domain. Logging onto a domain? Leave it. Otherwise set it to Manual.
   - Network DDE: Supports network transport of DDE (Dynamic Data Exchange) connections. Such connectivity is mostly a relic from the NT 3.x days.
   - QoS RSVP: Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets. A home user can set this to Manual.
   - Remote Access Connection Manager: Only needed if you are configuring a new network connection. Keep Disabled normally.
   - Remote Desktop Help Session Manager: Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable.
   - Remote Registry: Allows remote registry manipulation. A home user can set this to Manual.
   - Routing and Remote Access: Offers routing services to businesses in local area and wide area network environments. A home user can set this to Manual.
   - RPC: Manual.
   - Runas: Enables starting processes under alternate credentials. A home user can set this to Manual.
   - Secondary Logon: Manual.
   - Security Accounts Manager: Stores security information for local user accounts. A home user can set this to Manual unless you are using Local Security Policy Editor.
   - Server: Disable this service unless you are sharing files on your hard drive or your printer. Hackers will get nowhere if you do.
   - Simple Mail Transport Protocol (SMTP): Not available on Windows XP Home. Not installed by default on Windows XP Pro. Transports e-mail across the network. Disable if you see it.
   - SSDP: Part of UPnP. Disable.
   - TCP/IP NetBIOS Helper: Provides support for name resolution via a lookup of the LMHosts file. If you are not using LMHOSTS name resolution, you can set it to Manual.

   - Telephony: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Normally set to Manual on workstations. Leave it on Manual.
   - Telnet: Allows a remote user to log on to the system and run programs using the command line. Disable!
   - Terminal Services: Disable unless you need it.
   - Universal Plug and Play Device Host: Provides support to host Universal Plug and Play devices. Disable unless installing new hardware.
   - WebClient: Provides HTTP services for applications on the Windows platform. Required if you are running a web server. Most common entry point for hackers! Disable it.
   - Workstation: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Set this to Manual. May normally be left stopped.

   Reactivating Services
   If you want to run certain functions of Windows, you will have to turn some services back on:
   - Enable local workgroup networking: Workstation (set to auto)
   - To be visible on local network: Server (set to auto)
   - To see others on local network: Computer Browser (set to auto)
   - If you install software that needs telephony, like Skype, you may need to re-enable Telephony and perhaps Remote Access Connection Manager. Test this by trying the software first and then enabling first one, then the other.
   - Others?

26. Disable Dump File Creation
   A dump file can be a useful troubleshooting tool when either the system or an application crashes and causes the infamous "Blue Screen of Death". However, dump files can also provide a hacker with potentially sensitive information such as application passwords.
   - You can disable the dump file by going to My Computer (RC) > Properties, Advanced tab > Startup and Recovery > Settings
   - Change the option for "Write Debugging Information" (bottom 1/3 of the page) to None.

   - If you need to troubleshoot unexplained crashes at a later date, you can re-enable this option until the issue is resolved, but be sure to disable it again later and delete any stored dump files

27. Run GRC security tests. [5]
   http://www.grc.com/freepopular.htm
   - UnPlug n Pray
   - Shoot the Messenger
   - Leak Test
   - MouseTrap
   - SocketLock

28. Set up software restriction policies. [5]
   - Click Start > My Computer (RC) > Manage
   - Click Software Restriction Policies, click Action, click Create New Policy
   - Double click on Enforcement and set it to All software files (vs. not on libraries)
   - Double click on Trusted Publishers and set it to Local computer administrators

29. Set up a share folder if desired
   If you want to share files with other computers on your home network you will need to set up a shared folder.
   - Create a new folder for this purpose, then right click on it and click Properties.
   - On the Sharing tab, click Share this folder.
   - Provide the name of the share ("Share" below).
   - I recommend that you limit the number of computers that can connect to your computer to a realistic number for your network. I put 2 in the example below.
   - Once that is set, click the Permissions button.
   - On the Permissions for Share screen, remove the Everyone group and replace it with Authenticated Users.
   - Finally, add the ANONYMOUS LOGON group and set all permissions for it to Deny as shown.

30. Install and run Microsoft Baseline Security Analyzer. [10]
   https://www.microsoft.com/technet/security/tools/mbsahome.mspx
   - Take action on the results
   This step is incomplete: If the program won't download the update automatically, download it from http://go.microsoft.com/fwlink/?linkid=74689 and then place it in C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.1\Cache

31. Test your security. [4]
   - Run GRC ShieldsUP! found at http://www.grc.com/default.htm
   - If available, scan your system with a vulnerability scanner such as Nessus, ISS or NexPose

32. Change your boot sequence and set BIOS passwords. [6]
   - Refer to your system documentation for instructions on how to do this
   - Change the boot sequence to start with your hard drive
   - For the slightly more paranoid, you can set the BIOS password so that the computer cannot even be started without entering a password. This will require you to enter two passwords to start up your system (BIOS and Windows) and is normally not required.

33. Post Config Clean-up
   If desired, you may hide your hidden files again.
   - Open your My Documents folder, then select Tools and Folder Options
   - Under Hidden files and folders, set Do not show hidden files and folders
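
To confirm that the settings from steps 23 and 24 actually took effect, the local policy can be exported with secedit /export /cfg <file> and compared against the values given above. The Python script below is an added example, not part of the original guide; its function names, the BASELINE table and the sample export are constructed for illustration.

```python
"""Compare a `secedit /export /cfg <file>` dump with steps 23 and 24 of the guide.
Added example: the function names and the sample export are constructed."""
import codecs

LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"
SRV = "machine\\system\\currentcontrolset\\services\\lanmanserver\\parameters\\"
WKS = "machine\\system\\currentcontrolset\\services\\lanmanworkstation\\parameters\\"
SA, RV = "system access", "registry values"

# (section, lower-cased key, test on the value, setting as the guide words it)
BASELINE = [
    (SA, "minimumpasswordlength", lambda v: int(v) >= 10, "Minimum password length 10"),
    (SA, "passwordcomplexity", lambda v: v == "1", "Password complexity enabled"),
    (SA, "cleartextpassword", lambda v: v == "0", "Reversible encryption disabled"),
    (SA, "lockoutbadcount", lambda v: 0 < int(v) <= 5, "Lockout threshold 5 attempts"),
    (SA, "lockoutduration", lambda v: int(v) >= 60, "Lockout duration 60 minutes"),
    (SA, "resetlockoutcount", lambda v: int(v) >= 60, "Reset lockout counter 60 min"),
    (SA, "enableguestaccount", lambda v: v == "0", "Guest account disabled"),
    (SA, "lsaanonymousnamelookup", lambda v: v == "0", "Anonymous SID/Name translation disabled"),
    (SA, "newadministratorname", lambda v: v.lower() != "administrator", "Administrator account renamed"),
    (SA, "newguestname", lambda v: v.lower() != "guest", "Guest account renamed"),
    (RV, LSA + "lmcompatibilitylevel", lambda v: v == "5", "NTLMv2 only, refuse LM & NTLM"),
    (RV, LSA + "nolmhash", lambda v: v == "1", "Do not store LAN Manager hash"),
    (RV, LSA + "restrictanonymoussam", lambda v: v == "1", "No anonymous enumeration of SAM accounts"),
    (RV, LSA + "restrictanonymous", lambda v: v == "1", "No anonymous enumeration of SAM accounts and shares"),
    (RV, SRV + "requiresecuritysignature", lambda v: v == "1", "Server requires security signature"),
    (RV, WKS + "requiresecuritysignature", lambda v: v == "1", "Workstation requires security signature"),
    (RV, WKS + "enableplaintextpassword", lambda v: v == "0", "No unencrypted password to SMB servers"),
]

def decode_export(raw):
    """secedit writes UTF-16 with a BOM; copies re-saved from Notepad may be ANSI."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig" if raw.startswith(codecs.BOM_UTF8) else "cp1252")

def parse_export(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return [(setting, value found)] for each baseline item that is not met."""
    sections, findings = parse_export(text), []
    for section, key, ok, setting in BASELINE:
        value = sections.get(section, {}).get(key)
        if value is not None and section == RV:
            value = value.split(",", 1)[-1]   # "4,1" is type,data: keep the data
        if value is not None:
            value = value.strip().strip('"')
        try:
            passed = value is not None and ok(value)
        except ValueError:                    # non-numeric where a number is expected
            passed = False
        if not passed:
            findings.append((setting, "not set" if value is None else value))
    return findings

# Constructed sample: a partly hardened machine (not output from a real system).
SAMPLE_EXPORT = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
ClearTextPassword = 0
LockoutBadCount = 0
EnableGuestAccount = 0
LSAAnonymousNameLookup = 0
NewAdministratorName = "Administrator"
NewGuestName = "DoNotUse"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for setting, found in audit(decode_export(SAMPLE_EXPORT.encode("utf-16"))):
        print(f"FAIL  {setting:52} found: {found}")
```

A setting reported as "not set" is absent from the export; in the sample the lockout duration and reset counter are missing because the lockout threshold is 0.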

To reset security if something gets fouled up (Reference - http://support.microsoft.com/kb/313222)

To reset Security Policies:

    secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas securitypolicy /db secsetup.sdb /verbose

To reset Services:

    secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas services /db secsetup.sdb /verbose

To reset User Rights:

    secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas user_rights /db secsetup.sdb /verbose

To reset All:

    secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /db secsetup.sdb /verbose

References

General
- http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
- http://www.windowsitlibrary.com/content/121/18/1.html

Services
- http://www.tweakhound.com/xp/security/page_3.htm
- http://www.ntsvcfg.de/ntsvcfg_eng.html

Registry
- http://www.windowsitlibrary.com/content/121/18/1.html

Local Security Settings
- http://support.microsoft.com/kb/823659

Networking
- http://www.grc.com/su-bondage.htm & http://www.grc.com/su-rebindingnt.htm
- http://www.windowsnetworking.com/articles_tutorials/install-microsoft-loopback-adapter-windows-xp.html
- http://www.windowsnetworking.com/articles_tutorials/optimize-network-connections-windows-xp.html
- http://support.microsoft.com/default.aspx?scid=kb;en-us;894564

Folder and File Permissions
- http://www.windowsitlibrary.com/content/121/18/1.html