Securing Windows PART 1.pdf

Securing Microsoft
Windows
(2000/XP/2003)
by Guillaume Kaddouch, November 2006
 
INDEX TABLE
INTRODUCTION
I – KEEPING YOUR WINDOWS UP TO DATE
1.1. Enabling Automatic Windows Update
1.2. Checking Microsoft Office updates
II - CONFIGURING WINDOWS SERVICES
2.1. Disabling unneeded Windows services
2.2. Setting services startup to manual
III – REMOVING UNNEEDED PROGRAMS AT STARTUP
IV - RUNNING EXPOSED PROGRAMS WITH RESTRICTED RIGHTS
4.1. Identifying 'critical' or 'exposed' applications
4.2. Setting restricted rights for a given program (WinXP PRO/Win2K3)
4.3. Setting restricted rights for a given program (WinXP Home/Win2K)
V - CONFIGURING FILES AND EXTENSIONS DISPLAY
VI - SETTING UP STRONG PASSWORDS
6.1. Password complexity
6.2. Password diversity
CONCLUSION
Securing Microsoft Windows 2 / 18 Guillaume Kaddouch
INTRODUCTION
This guide is for the average user, or a new user who has just bought a computer and wants to
secure his Windows operating system. It does not contain complex tips meant for
advanced users, but rather the basics of Windows security for everyday use. There is nothing
incredible or previously unknown in this guide, so if that is what you are looking for, you can
skip it. The purpose of this paper is to help you configure your OS securely and disable some
dangerous default settings.
Lastly, I have come across badly infected computers, and some of them had at least one
antivirus, and even a firewall. Nowadays malware is more aggressive than ever, and
increasingly uses user-mode rootkits to hide its files and processes, while attacking your
main security applications to disable them. Some of these infected systems were not without
any security, but the users had randomly added some security software without
understanding what they were doing. Security is not a setup executable that you can install
and forget, but a global process, beginning with the OS (configuring it), and requiring
understanding and awareness from the one who is securing his system.
Usually, when you first get a computer and ask for advice on securing it, you are
told to install various security software, such as an antivirus. However, by doing so you
are adding security on top of something insecure by default: your operating system.
Windows is your security foundation; if it is weak, then everything on top of it can collapse.
For instance, malware could exploit a known Windows vulnerability in a service running by
default in order to execute, but if this vulnerability is patched and the service is disabled, then
the malware is stopped dead in its tracks. Thus, you must take care of Windows itself first; this
is as critical as laying the foundations of a building.
In what follows, we will see together how to decrease your exposure to various threats by
disabling unneeded Windows services, configuring a few Windows options, setting up updates,
controlling what starts up, setting strong passwords, and setting the rights and privileges of
some critical programs.
This guide applies to Windows XP Home Edition and Professional Edition, Windows 2000, and
Windows 2003. However, some of the general advice is true for all operating systems, so it is
still worth reading this guide even if you have Windows 98.
I – KEEPING YOUR WINDOWS UP TO DATE
Updating your OS, and keeping it updated at all times, is the most critical step to begin with.
You can have the most secure computer in the world, but if you have critical unpatched
vulnerabilities, they can be exploited against you and potentially bypass all of your security
measures. A vulnerability can be exploited either locally or remotely, and can be used to
disable some of your security software and/or to execute arbitrary code.
1.1. Enabling Automatic Windows Update
There are different possibilities; the easiest is to set Automatic Updates to check for
updates, download them, and install them without your intervention.
To do so, click on the Start button, launch the Configuration Panel, then click on the
“Automatic Updates” icon:
You can then select the first option, “Automatic (recommended)”:
However, I advise configuring the updates to notify you when new updates are available,
without downloading them. Thus, you will be able to choose when to download them, and to
uncheck updates you may not want, such as the Windows Genuine Advantage Notification
update, for instance:
Either way, the purpose is to apply updates as soon as they are available, to prevent
in-the-wild malware from exploiting these vulnerabilities against you. Most of the exploited
vulnerabilities are, surprisingly, already known ones for which a fix has been available for a
long time (sometimes more than a year!). Some trojans and spyware target patched flaws
because their authors know some people never update their Windows.
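To confirm which of the update modes described above is actually in effect, the following batch script reads the setting from the registry. It is an added example, not part of the original guide; it assumes Windows XP or Windows 2003, where reg.exe is built in, and relies on the AUOptions and NoAutoUpdate registry values that Automatic Updates uses.

```batch
@echo off
rem Added example, not from the original guide: report the Automatic Updates
rem mode by reading AUOptions from the registry.
rem Assumption: Windows XP / 2003, where reg.exe is part of the system.
setlocal

set "LOCAL_KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
set "POLICY_KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

rem A Group Policy value, when present, overrides the locally chosen option.
call :read "%POLICY_KEY%" NoAutoUpdate
if /i "%VAL%"=="0x1" goto off

call :read "%POLICY_KEY%" AUOptions
set "SRC=policy"
if defined VAL goto report

call :read "%LOCAL_KEY%" AUOptions
set "SRC=local setting"
if not defined VAL goto unknown

:report
echo AUOptions=%VAL% [%SRC%]
if /i "%VAL%"=="0x1" goto off
if /i "%VAL%"=="0x2" echo Notify only: nothing is downloaded or installed until you approve it.
if /i "%VAL%"=="0x3" echo Updates are downloaded automatically and you choose when to install.
if /i "%VAL%"=="0x4" echo Automatic: updates are downloaded and installed on a schedule.
exit /b 0

:off
echo WARNING: Automatic Updates is turned off, so patches must be applied by hand.
exit /b 1

:unknown
echo AUOptions was not found, so the update mode could not be determined.
exit /b 2

:read
rem %1 = registry key, %2 = value name. Sets VAL to the data (for example 0x4),
rem or leaves VAL undefined when the key or value does not exist.
set "VAL="
for /f "tokens=3" %%A in ('reg query "%~1" /v %2 2^>nul ^| find /i "%2"') do set "VAL=%%A"
goto :eof
```

With the notify-only mode, the script only confirms that you will be told about updates; installing them promptly is still up to you.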
If you prefer to manually check for updates, you can go to :
1.2. Checking Microsoft Office updates
If you have Microsoft Office installed, you should go there :
Critical flaws are often discovered in Microsoft Word or PowerPoint; consequently,
you should keep an eye on Microsoft Office updates as well.
This goes a little beyond “Securing Windows”, but since Microsoft Office is often part of the
default installation when you buy a new computer, I think it is as important to talk about as
Windows itself. Moreover, Microsoft Office, once installed, is integrated into the OS, and its
vulnerabilities can hurt your whole system (e.g. Word will be the default .doc file viewer and
can be automatically triggered from your Internet browser).
While we are at it, there is a free alternative to Microsoft Office: OpenOffice.org. It
includes components corresponding to Word/Excel/PowerPoint/Access and is
compatible with Microsoft Office. While Microsoft Office 2003 Professional has suffered 15
critical vulnerabilities so far in 2006, OpenOffice.org 2.x has had only 2 non-critical ones. Of
course, this could be explained by Microsoft Office being more targeted; anyone is free to
interpret these statistics.
You can grab OpenOffice.org here: http://www.openoffice.org/