"Deep in the sea are riches beyond compare. But if you seek safety, it is on the shore."
How to secure Windows 2000 / XP: Part Three
Warnings!
Before you do ANY alterations to your system... As said earlier, these settings work like a dream for me and for most 2k/XP users too, but not for all of them. The best option would be to either make an "image" of your C-drive or write down your original settings before you start implementing these. The problems that might occur are mostly related to network connections / internet access. You can also troubleshoot the problems using Windows Help and Support while going through the settings to see what perhaps needs to be enabled.
And if the worst happens... and you just can't revert the changes you made, run a "repair install" using your Win2k/XP CD-ROM. It will keep all the programs etc. but restore the regular settings. Remember to update and patch your software after this "repair install".
Network - let's secure it first
This example is about using a LAN-based connection, but it pretty much applies to other connections as well. As you can see from the first picture, I have disabled Client for Microsoft Networks and other stuff as well... because I don't need them! Try out whether you need them or not, and if you don't... rip them off! The second picture is about disabling NetBIOS, which is something you should REALLY consider doing too, due to the security vulnerabilities that may arise from it. Again, if your connection doesn't work, restore it the way it was. There is no reason to keep anything in here you don't need. You may need to reboot to apply the changes.
Also, we can tweak your connection a bit to give it some protection against DoS attacks in Windows 2000. Open up your registry editor (regedit) and set the following values under HKLM/SYS/CCS/Services...
- Tcpip/Parameters/SynAttackProtect (value 2 gives the best protection but might cause some problems with connections)
- Tcpip/Parameters/EnableDeadGWDetect (value 0 makes sure an attacker cannot force you to move onto his chosen gateway)
- Tcpip/Parameters/EnablePMTUDiscovery (value 0 makes sure that 576-byte Maximum Transmission Units are always used, which makes it harder for an attacker to DoS the system)
- Tcpip/Parameters/KeepAliveTime (value 300000 is recommended)
- Tcpip/Parameters/Interfaces//NoNameReleaseOnDemand (value 0 protects against name release attacks)
- Tcpip/Parameters/Interfaces//PerformRouterDiscovery (value 0 prevents spoofing)
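The same values applied from a command prompt instead of by hand in regedit, as an added example that is not part of the original article. It uses reg.exe, which ships with Windows XP (on Windows 2000 it comes from the Support Tools), assumes the abbreviated path above expands to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, and assumes the two per-interface values are meant for every adapter listed under Interfaces, which the article leaves blank. One caveat: Microsoft documents NoNameReleaseOnDemand under Services\NetBT\Parameters rather than per interface; the block writes it where the article places it and additionally where Microsoft documents it. Run it from an Administrator prompt and reboot afterwards.

```batch
@echo off
rem Added example (not from the original article): TCP/IP DoS hardening
rem values from the list above, written with reg.exe and then read back.
setlocal
set TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
set NETBT=HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

rem Back up the keys first so the change can be undone (regedit /i or reg import)
reg export "%TCPIP%" "%USERPROFILE%\tcpip-before.reg"
reg export "%NETBT%" "%USERPROFILE%\netbt-before.reg"

rem Global TCP/IP values, names and numbers exactly as in the article
reg add "%TCPIP%" /v SynAttackProtect    /t REG_DWORD /d 2      /f
reg add "%TCPIP%" /v EnableDeadGWDetect  /t REG_DWORD /d 0      /f
reg add "%TCPIP%" /v EnablePMTUDiscovery /t REG_DWORD /d 0      /f
reg add "%TCPIP%" /v KeepAliveTime       /t REG_DWORD /d 300000 /f

rem Per-interface values: the article leaves the interface GUID blank,
rem so this loop (my assumption) applies them to every adapter subkey.
rem Subkey lines in "reg query" output are the only ones containing "{".
for /f "delims=" %%K in ('reg query "%TCPIP%\Interfaces" ^| findstr "{"') do (
    reg add "%%K" /v NoNameReleaseOnDemand  /t REG_DWORD /d 0 /f
    reg add "%%K" /v PerformRouterDiscovery /t REG_DWORD /d 0 /f
)

rem Where Microsoft documents the name-release protection (NetBT, not Tcpip)
reg add "%NETBT%" /v NoNameReleaseOnDemand /t REG_DWORD /d 0 /f

rem Read the values back before rebooting, so a typo shows up now
for %%V in (SynAttackProtect EnableDeadGWDetect EnablePMTUDiscovery KeepAliveTime) do (
    reg query "%TCPIP%" /v %%V
)
endlocal
```

If a connection breaks after the reboot, `reg import "%USERPROFILE%\tcpip-before.reg"` restores the exported key, which is the "write down your original settings" step from the warning section done for you.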
Security settings
Now, go to "Administrative Tools" and "Local Security Policy". These are the very heart of Windows 2k/XP security settings! Here you should enforce password security, enable strong crypto and so on. You can also disable the Guest account, which is recommended. Again, these security guidelines are based on the NSA security guidelines for Windows 2000, but I have added a few tweaks and made them a bit more compatible with Windows XP. If you are not running a server or anything, then these are just fine for you.
Please notice that if you have multiple user accounts, you might need to add those accounts to the security settings too in order to be able to use them. Be very careful, however, about what you allow others than administrators to do on your system.
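For the two policy items named above that have command-line equivalents, password policy and the Guest account, here is an added example that is not part of the original article. It uses the built-in `net accounts` and `net user` commands (the Local Security Policy console edits the same settings); the numbers are my example choices, since the article gives none, and the lockout switches are accepted by `net accounts` on the NT family even though `net help accounts` does not list them on every version. Run from an Administrator prompt.

```batch
@echo off
rem Added example (not from the original article): Account Policies from
rem the command line plus disabling Guest. All numbers are example values.

rem Record the current policy so it can be put back later
net accounts > "%USERPROFILE%\accounts-before.txt"
net user Guest >> "%USERPROFILE%\accounts-before.txt"

rem Password Policy: 8-char minimum, expire after 90 days, cannot be
rem changed again for 1 day, remember the last 5 so they cannot be reused
net accounts /minpwlen:8 /maxpwage:90 /minpwage:1 /uniquepw:5

rem Account Lockout Policy: 5 bad attempts within 30 minutes lock the
rem account for 30 minutes (slows down online password guessing)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

rem Disable the Guest account (the article's recommendation)
net user Guest /active:no

rem Show the result: the policy summary and the Guest "Account active" line
net accounts
net user Guest | find "Account active"
```

Password complexity ("must meet complexity requirements") has no `net accounts` switch on 2000/XP and stays a Local Security Policy setting.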
Services - what about them?
Then it's time to rip off some services: go to "Administrative Tools" / "Services". Please note that if you are using some "weird" network systems like ICS or similar, you should check the "dependencies" of each of the items you disable, or your internet connection might freeze. If that happens, you can also try to enable the services one by one to see what caused it. By default, Windows 2k/XP has DOZENS of services set to start. 80% of them are useless for normal users and usage, and not only can but also should be disabled for security and performance reasons. There is no reason to have "Remote Registry" or "Telnet" running! They are like invitations for hackers to test and perhaps breach your system. Then there are annoying services like "Indexing Service", which creates a log file of the files on your computer and stores it in the "\System Volume Information" directory.
Please notice that if you are using a DSL connection or similar, you might need to set services like "Remote Access Auto Connection Manager" and "Remote Access Connection Manager" to "Automatic".
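The dependency check the section recommends, done with sc.exe for the three services it names, as an added example that is not part of the original article. It assumes the internal service names RemoteRegistry (Remote Registry), TlntSvr (Telnet) and cisvc (Indexing Service), which is what 2000/XP use; `sc enumdepend` lists everything that needs a service, so if a service you rely on shows up there, answer "n" and leave it alone. Run from an Administrator prompt.

```batch
@echo off
rem Added example (not from the original article): show what depends on a
rem service, then disable it only after confirmation. Names are assumed.
setlocal
for %%S in (RemoteRegistry TlntSvr cisvc) do call :harden %%S
endlocal
goto :eof

:harden
echo === %1 ===
rem Current start type (AUTO_START / DEMAND_START / DISABLED)
sc qc %1 | find "START_TYPE"
rem Services that need %1; "entries = 0" means nothing depends on it
sc enumdepend %1
set ANSWER=
set /p ANSWER=Disable %1? [y/N]
if /i not "%ANSWER%"=="y" goto :eof
rem Stop it now and keep it from starting on the next boot
sc stop %1 >nul
sc config %1 start= disabled
goto :eof
```

To undo one of them later, `sc config TlntSvr start= demand` (or `start= auto`) restores the original start type; the `sc qc` line printed before the change tells you which one it was.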
EFS certificate
If something bad happens, like having to reformat your partition / reinstall Windows or similar, you can still decrypt your files (unless you formatted the partition where the files were, of course) if you have exported your EFS certificate to a safe place. The exported certificate can and should be passphrase protected, but honestly, I don't believe the passphrase protection in it is any good... I recommend that you instead use PGP to create a self-decrypting archive from it and protect that with a good passphrase. Then all you need to do is import that certificate and you can decrypt the files again.
Run "mmc.exe" and add the snap-in called "Certificates". Then select your certificate and export it. Remember to include the private key in the export, and DO NOT delete the private key if the export was successful!
Syskey etc.
Let's use Syskey to make it a bit more difficult for anyone else to start your computer [run "syskey.exe" and press "Update"]. Syskey encrypts the SAM database. Nobody can try to break your Windows passphrases if you have syskey set to diskette or password protected... but again, remember that this is not needed to boot the computer as administrator in Win2k. You might consider not using the floppy disk, but I recommend you do. On the floppy disk there is then a file called "StartKey.key"... you can copy it to any floppy you want. I suggest you make at least one backup copy of it. Then we should also disable remote connections / assistance [Control Panel / System]. If you need them, you can always turn them on later.
- Markus Jansson