Linked by Eugenia Loli on Sun 13th Nov 2005 06:38 UTC, submitted by DKR
Windows This guide contains the practical security measures to secure your Windows desktop at home. This guide is not necessarily intended for business or enterprise use, but it might come in handy for some.
Permalink for comment 59686
To read all comments associated with this story, please click here.
Insufficient article
by netpython on Sun 13th Nov 2005 08:19 UTC
netpython
Member since:
2005-07-06

In princype any article regarding security tends to be in complete.But this article is really too short in my opinion.

1)First point to start with are the file permissions

A good tool to check those is AccessEnum from Sysinternals:http://www.sysinternals.com/SecurityUtilities.html

"This simple yet powerful security tool shows you who has what access to directories, files and Registry keys on your systems. Use it to find holes in your permissions."

You select any directory or registry hive and press scan.

In just a matter of seconds you get the overall file permissons picture.If you want to stay on the safe side but yet intend to secure the system more change at least all the "by everyone" accessible files and uncheck all their permissions.The last step is adding each time you remove the "everyone" group the local "users" instead with just the same permissions as each member of the "everyone" group had.

2)right click on My computer and go to properties
disable remote access

3)go to control panel ---> network connections
right click your network connection and go to properties and disable all unnecessary protocols such as: a)windows networks
b) file sharing
The only protocol needed to connect to the internet and lan is: TCP/IP

4)Disable unecessary services such as messenger,remote registry,upload manager,webclient,


5)download kafu from C't (www.heise.de)

Give any regular user-account you desire to protect temporarily admin rights.Open the cmd-prompt and run kafu

The result is every registry setting that's known to enable spyware to nest their loads is now access denied.runonce,startup,etc...

Take away admin rights.

-----------PS
If you have the professional edition you could enter mmc at the command prompt and load the high secure workstation policy.In addition to that it's wise to go to administrative settings ----> local security policy
and disable the support help desk from being ebable to launch a batch job,set deny access to this computer to at least everyone (better would be adding all groups avaible).

Edit the dcomserver settings by uncheck everything that's "remote".

Delete the everyone group from the permission to bypass traverse checking,

I could go on and on....


At last install a firewall and a virusscanner,and spyware scanner.

A good firewall would be visnetic (deerfield) or Tiny firewall.

Tiny firewall (for at least the amd64 version) has binairy (md5 checksum integrity) protection,monitors everything inbound/outbound,has a IDS,is a great tool but not very comfortable ( a lot of options!)

And this is only 5% of the overall XP security process.

Reply Score: 3