System (Windows) settings are only one set
of the many settings that are important for
Internet security. Make sure you're using
the right browser and email client settings as well.
Windows is "too smart for its own good."
It trys to be all things to all people. There
are too many useless (for most people) processes
running in the background, and a few of them
create most of the serious security holes.
Windows 98 was bad enough, Bill went completely
overboard with XP.
Disable printer and file sharing
If you want to protect what's on your computer,
the most important thing you can do -- after
installing a firewall -- is make sure "Printer and File Sharing"
is disabled. That is, unless you need to
share printers or files over a local network. If that's the case, see below.
Windows XP: Most new computers will already have "Print
and File Sharing" "disabled".
To check yours: [Click Start
Panel > click "Switch
View" over in the left hand
you're not already there. (you
switch back later).
Right-click each Internet connection that
you use (you may only use one) in turn, and
select "Properties". Go to the
Networking tab in the properties dialog,
and check to see that File and Printer Sharing for Microsoft Networks is not checked (uncheck if it is). Most
users can also uncheck Client for Microsoft Networks.
Windows 98: Click Start > point at Settings >
click Control Panel > double-click the
Network icon. In the dialog box that opens,
scan the list of installed network components
for "File and Printer Sharing for Microsoft Networks." If this item is present, highlight
it and then click the Remove button.
Windows 95: Click Start > point at Settings >
click Control Panel > click (double-click?)
the "File and Print Sharing..." button. In the dialog box that opens,
make sure both boxes are not checked (if checked, click to uncheck).
http://www.usask.ca/its/help_desk/cpusecurity/nosharing.html -- alternate instructions for disabling
Print and File Sharing.
If you must share
If you must share files or printers in a
local network (don't even try it over the
Internet), read about what you can do about it at GRC.com. And if you want do a little
extra to make your network more secure, start here.
Disable Universal Plug & Play
This security hole is so big
that the FBI
issued a warning about closing
it. They later
reversed their opinion, but they
It's a big problem.
Method 1: Disable the service named "SSDP
Discovery Service". Click Start >
All Programs > Administrative Services
> Services. Go to "SSDP Discovery Service" > click "Stop the service" if it's running > right-click the
service > select Properties > set "Startup Type" to "Disabled".
Method 2: Go to Steve Gibson's site. Look around until you find "UnPlug
n' Pray". Download the file and run
it, following his instructions. Use Google and do a "domain search"
for the term if you can't find it any other
NetBIOS Null Sessions (Windows XP/2000 only
-- does not apply to 95, 98, Me.)
You've seen how they hack into computers
on TV and in the movies. Usually it's a hokie simulation, but the key step is getting
past the first layer of defense. NetBIOS
Null Sessions make this easy. The first step
is to identify the accounts on your computer.
For example, did you know that your computer
has a "guest" account? Once account
names are known, password guessing can begin.
Disabling those pesky null sessions
Method 1: If you have a good firewall this
method could be easy. If you're a belt and
suspenders kind of person you can combine
this method with one of the others below.
Just block the following ports with your firewall. That will prevent Null Sessions (and block
other attacks that use NetBIOS as well).
I've tried the built in firewall in Windows
XP (ICF) and it blocks all these ports just fine.
You should always test your firewall from time to time just to be sure, especially
after applying -- strangely enough -- any
Port -- Related Service
135 -- TCP DCE/RPC Portmapper
137 -- TCP/UDP NetBIOS Name Service
138 -- TCP/UDP NetBIOS Datagram Service
139 -- TCP NetBIOS Session Service
445 -- TCP Microsoft-DS (Windows 2000 CIFS/SMB)
Method 2: Read about the problem and use
the script (200 KB) from Brown University -- direct link to download the script.
Method 3: Edit the Registry: Set the following
Registry key (if you don't know how to edit
the Registry you'd best not mess with it):
Method 4: For Windows XP Professional Edition
only -- read about how to do it on the NetBIOS page at Brown University.
Disable Windows Scripting Host
Unless you use (unlikely) Windows Scripting
Host (WSH) you may want to disable it. (Some
antivirus programs and firewalls already
protect you from this hazard.) If you're
not sure, read this. There are many ways to do it. I recommend that you use Symantec's
"Noscript.exe" program, because you can easily re-enable
WSH if you need it temporarily. Put a shortcut on your Desktop or in your
Start > Programs folder to make it easier.
Bogus file extensions
The default Windows setting, "Hide extensions
for known file types..." , of course
makes it impossible to see what a file type
really is. Some extensions for exploitable
file type are still hidden even if you change
that setting. In addition, virus and Trojan-horse
writers commonly change the file icon so
that the file looks like a benign file type.
You can see that this situation makes opening
attachments much like Russian roulette. Unmask Exploitable File Extensions will tell you more about the problem and
how to fix it. [list of extensions]
Other Windows XP settings
Windows Services -- disable the Windows "services" that you are least likely to need,
but that compromise security and performance
Go to Steve Gibson's site. Read the articles,
download the files, and follow the instructions.
You'll do yourself and everyone else on the
Internet a big favor. In particular, even
though it doesn't pertain to settings exactly,
read about the XPdite tool there. Most of his recommendations have been covered
Browser and email client settings
Internet Explorer and Outlook Express settings are also important your security
on the Internet. You may have
program or even a firewall, but
settings aren't right you can
Windows XP Security Checklist -- a professional level guide to making
Windows XP secure.
Recommended updates that you should install if you have Windows
XP, 2000, Millennium Edition or 98 Second Edition. (Too bad there's not a list for plain old
98.) Good checklist if you want
the essential form the good to
Microsoft security notification service for notices on updates.