Happy Trails Computer Club

home > security > level 1  2  3 > settings  
System Security Settings
Windows is "too smart for its own good." It trys to be all things to all people. There are too many useless (for most people) processes running in the background, and a few of them create most of the serious security holes. Windows 98 was bad enough, Bill went completely overboard with XP.

Disable printer and file sharing

If you want to protect what's on your computer, the most important thing you can do -- after installing a firewall -- is make sure "Printer and File Sharing" is disabled. That is, unless you need to share printers or files over a local network. If that's the case, see below.

Windows XP: Most new computers will already have "Print and File Sharing" "disabled". To check yours: [Click Start > Control Panel > click "Switch to Classic View" over in the left hand column if you're not already there. (you can always switch back later).

Right-click each Internet connection that you use (you may only use one) in turn, and select "Properties". Go to the Networking tab in the properties dialog, and check to see that File and Printer Sharing for Microsoft Networks is not checked (uncheck if it is). Most users can also uncheck Client for Microsoft Networks.

Windows 98: Click Start > point at Settings > click Control Panel > double-click the Network icon. In the dialog box that opens, scan the list of installed network components for "File and Printer Sharing for Microsoft Networks." If this item is present, highlight it and then click the Remove button.

Windows 95: Click Start > point at Settings > click Control Panel > click (double-click?) the "File and Print Sharing..." button. In the dialog box that opens, make sure both boxes are not checked (if checked, click to uncheck). Click OK.

http://www.usask.ca/its/help_desk/cpusecurity/nosharing.html -- alternate instructions for disabling Print and File Sharing.

If you must share

If you must share files or printers in a local network (don't even try it over the Internet), read about what you can do about it at GRC.com. And if you want do a little extra to make your network more secure, start here.

Disable Universal Plug & Play

This security hole is so big that the FBI issued a warning about closing it. They later reversed their opinion, but they are confused. It's a big problem.

Method 1: Disable the service named "SSDP Discovery Service". Click Start > All Programs > Administrative Services > Services. Go to "SSDP Discovery Service" > click "Stop the service" if it's running > right-click the service > select Properties > set "Startup Type" to "Disabled".

Method 2: Go to Steve Gibson's site. Look around until you find "UnPlug n' Pray". Download the file and run it, following his instructions. Use Google and do a "domain search" for the term if you can't find it any other way.

NetBIOS Null Sessions (Windows XP/2000 only -- does not apply to 95, 98, Me.)

You've seen how they hack into computers on TV and in the movies. Usually it's a hokie simulation, but the key step is getting past the first layer of defense. NetBIOS Null Sessions make this easy. The first step is to identify the accounts on your computer. For example, did you know that your computer has a "guest" account? Once account names are known, password guessing can begin.

Disabling those pesky null sessions

Method 1: If you have a good firewall this method could be easy. If you're a belt and suspenders kind of person you can combine this method with one of the others below. Just block the following ports with your firewall. That will prevent Null Sessions (and block other attacks that use NetBIOS as well). I've tried the built in firewall in Windows XP (ICF) and it blocks all these ports just fine. You should always test your firewall from time to time just to be sure, especially after applying -- strangely enough -- any security patches.

Port -- Related Service
135 -- TCP DCE/RPC Portmapper
137 -- TCP/UDP NetBIOS Name Service
138 -- TCP/UDP NetBIOS Datagram Service
139 -- TCP NetBIOS Session Service
445 -- TCP Microsoft-DS (Windows 2000 CIFS/SMB)

Method 2: Read about the problem and use the script (200 KB) from Brown University -- direct link to download the script.

Method 3: Edit the Registry: Set the following Registry key (if you don't know how to edit the Registry you'd best not mess with it): HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous=2

Method 4: For Windows XP Professional Edition only -- read about how to do it on the NetBIOS page at Brown University.

Disable Windows Scripting Host

Unless you use (unlikely) Windows Scripting Host (WSH) you may want to disable it. (Some antivirus programs and firewalls already protect you from this hazard.) If you're not sure, read this. There are many ways to do it. I recommend that you use Symantec's "Noscript.exe" program, because you can easily re-enable WSH if you need it temporarily. Put a shortcut on your Desktop or in your Start > Programs folder to make it easier.

Bogus file extensions

The default Windows setting, "Hide extensions for known file types..." , of course makes it impossible to see what a file type really is. Some extensions for exploitable file type are still hidden even if you change that setting. In addition, virus and Trojan-horse writers commonly change the file icon so that the file looks like a benign file type. You can see that this situation makes opening attachments much like Russian roulette. Unmask Exploitable File Extensions will tell you more about the problem and how to fix it. [list of extensions]

Other Windows XP settings

Windows Services -- disable the Windows "services" that you are least likely to need, but that compromise security and performance the most.

Go to Steve Gibson's site. Read the articles, download the files, and follow the instructions. You'll do yourself and everyone else on the Internet a big favor. In particular, even though it doesn't pertain to settings exactly, read about the XPdite tool there. Most of his recommendations have been covered above. [more]

Browser and email client settings

Internet Explorer and Outlook Express settings are also important your security on the Internet. You may have an antivirus program or even a firewall, but if these settings aren't right you can be vulnerable anyway.

Resources

Windows XP Security Checklist -- a professional level guide to making Windows XP secure.

Recommended updates that you should install if you have Windows XP, 2000, Millennium Edition or 98 Second Edition. (Too bad there's not a list for plain old 98.) Good checklist if you want to separate the essential form the good to have updates.

Microsoft security notification service for notices on updates.

"When you get to the end of your rope, tie a knot and hang on." -- FDR
club stuff
help
topics
computers
software
hardware
internet
security
overview
   lost? > index
attack vectors
   attachments
   deception
   email
   hackers
   web sites
   worms
defenses
   #  2  3
safe settings
   system
   browser
   email client
safe practices
   patching
   email
   attachments
   surfing
   file handling
defense tools
   malware
   antivirus
   anti-trojan
   firewalls
defense tests
privacy
resources