Secure Windows Configuration

Update: I know very little about configuring Windows Vista for security. You can get the basics from Paul Thurrott's review of Vista security though.

Not all of the suggested changes in Windows are easy to make unless you have some experience with the kind of work they entail. For that reason, I've used [basic/strong/robust], [strong/robust] or [robust] here, and in the pages that follow, to indicate which changes apply to the particular track of the "7-step Plan" that you're on.

Create a new System Restore point [Start > All Programs > Accessories > System Tools > System Restore] before you make these configuration changes.

Disable Universal Plug & Play
[basic/strong/robust]

This security hole is so big that the FBI issued a warning about it. They later reversed their opinion, but they are confused. It really is a big problem.

Method 1: Disable the service named "SSDP Discovery Service". Click Start > Control Panel > Administrative Services > Services. Go to "SSDP Discovery Service" > click "Stop the service" if it's running > right-click the service > select Properties > set "Startup Type" to "Disabled".

Method 2: Use Steve Gibson's "UnPlug n' Pray". Try this search if you can't find it. Download the file and run it, following his instructions.
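Method 1 scripted, as an added example that is not part of the original page: it stops the SSDP Discovery service, sets its startup type to Disabled, and then reads the state back through WMI so you can confirm the change took. It assumes an elevated PowerShell prompt and the standard service short name SSDPSRV; the restore point from the top of the page is included as an optional first step.

```powershell
# Added example (not from the original page): disable "SSDP Discovery Service"
# and confirm the change. Assumes an elevated PowerShell prompt; SSDPSRV is the
# service's short name.

$serviceName = 'SSDPSRV'

# Optional: the restore point the page tells you to create before changing anything.
# Client editions of Windows only, and System Restore must be enabled on the system drive.
Checkpoint-Computer -Description 'Before disabling SSDP' -RestorePointType 'MODIFY_SETTINGS'

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Service '$serviceName' is not present on this machine; nothing to do."
    return
}

# -Force also stops services that depend on SSDPSRV (for example "UPnP Device Host"),
# which would otherwise refuse the stop.
if ($svc.Status -eq 'Running') {
    Stop-Service -Name $serviceName -Force
}

# Disabled rather than Manual, so nothing can start it again on demand
Set-Service -Name $serviceName -StartupType Disabled

# Read back through WMI: works on PowerShell 2.0 through 5.1, which covers
# older machines where Get-Service does not expose the start type.
# Expect State = Stopped and StartMode = Disabled.
Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, State, StartMode
```

If the last line shows StartMode still set to Auto or Manual, the Set-Service call was most likely refused for lack of elevation; re-run from an Administrator prompt.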

Disable dangerous but unused network services
[strong/robust]

Make these changes first. Then, if you do need to share printers and files over a local network, see below.

Windows XP: Most newer computers come with "File and Printer Sharing" disabled. Many older ones did not. To check yours:
Click Start > Control Panel > click "Switch to Classic View" in the left-hand column if you're not already there (you can always switch back later).

Right-click each Internet connection that you have -- you may have just one -- and select "Properties". Go to the Networking tab in the properties dialog, and check to see that File and Printer Sharing for Microsoft Networks is not checked (uncheck if it is). Also uncheck Client for Microsoft Networks.

Windows 98: Click Start > point at Settings > click Control Panel > double-click the Network icon. In the dialog box that opens, scan the list of installed network components for "File and Printer Sharing for Microsoft Networks." If this item is present, highlight it and then click the Remove button.

Windows 95: Click Start > point at Settings > click Control Panel > click (double-click?) the "File and Print Sharing..." button. In the dialog box that opens, make sure both boxes are not checked (if checked, click to uncheck). Click OK.
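The same two check boxes handled from the command line, as an added example that is not from the original page. The GUI steps above are for XP/98/95; this script assumes Windows 8 / Server 2012 or later, where the NetAdapter module exists, and an elevated prompt. The component IDs ms_server and ms_msclient are the binding names Windows uses for "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks"; everything else is my own naming.

```powershell
# Added example (not from the original page): list, then disable, the two adapter
# bindings the page tells you to uncheck. Needs the NetAdapter module (Windows 8 /
# Server 2012 and later) and an elevated PowerShell prompt.
# ms_server   = File and Printer Sharing for Microsoft Networks
# ms_msclient = Client for Microsoft Networks

$components = @{
    'ms_server'   = 'File and Printer Sharing for Microsoft Networks'
    'ms_msclient' = 'Client for Microsoft Networks'
}
[string[]]$ids = $components.Keys

# 1. Report the current state on every adapter before touching anything
Get-NetAdapterBinding -Name '*' -ComponentID $ids |
    Select-Object Name, DisplayName, ComponentID, Enabled |
    Format-Table -AutoSize

# 2. Disable each binding wherever it is still enabled.
#    Add -WhatIf to Disable-NetAdapterBinding for a dry run.
foreach ($id in $ids) {
    Get-NetAdapterBinding -Name '*' -ComponentID $id |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Write-Output "Disabling '$($components[$id])' on adapter '$($_.Name)'"
            Disable-NetAdapterBinding -Name $_.Name -ComponentID $id
        }
}

# 3. Verify: Enabled should now read False for both components on every adapter
Get-NetAdapterBinding -Name '*' -ComponentID $ids |
    Select-Object Name, ComponentID, Enabled
```

Note that ms_msclient is what lets this machine reach other machines' shares, so on a domain-joined PC or one that uses a file server you will want to keep that binding on the LAN adapter and disable it only on the connection that faces the Internet.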

If you must share

If you must share files or printers on a local network, read about what you can do about it at GRC.com. And if you want to do a little extra to make your network more secure, start here.

Disable NetBIOS Null Sessions (Windows XP/2000 only)
[strong/robust]

Method 1: If you have a good firewall, this method could be easy. If you're a belt-and-suspenders kind of person, you can combine this method with one of the others below. Just block the following ports with your firewall. That will prevent Null Sessions (and block other attacks that use NetBIOS as well). I've tried the built-in firewall in Windows XP (ICF) and it blocks all these ports just fine.

Port   Protocol   Related Service
135    TCP        DCE/RPC Portmapper
137    TCP/UDP    NetBIOS Name Service
138    TCP/UDP    NetBIOS Datagram Service
139    TCP        NetBIOS Session Service
445    TCP        Microsoft-DS (Windows 2000 CIFS/SMB)

Method 2: Read about the problem and use the script (200 KB) from Brown University -- direct link to download the script.

Method 3: Edit the Registry. Set the following value under the Lsa key (if you don't know how to edit the Registry, you'd best not mess with it):

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 2 (REG_DWORD)

Method 4: For Windows XP Professional Edition only -- read about how to do it on the NetBIOS page at Brown University.
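Methods 1 and 3 from this section as one script, added here as an example and not part of the original page. It creates inbound block rules for the five ports in the table above, sets the RestrictAnonymous value the page gives, and then verifies both. It assumes an elevated prompt and, for the firewall part, the NetSecurity module (Windows 8 / Server 2012 and later); the rule display names are my own labels.

```powershell
# Added example (not from the original page): block NetBIOS/SMB ports at the host
# firewall (Method 1) and set RestrictAnonymous (Method 3), then verify. Run elevated.
# Firewall cmdlets need Windows 8 / Server 2012 or later; the registry part runs anywhere.

# --- Method 1: inbound block rules for the ports in the page's table ---
$rules = @(
    @{ Name = 'Block DCE/RPC endpoint mapper (TCP 135)'; Protocol = 'TCP'; Port = 135 },
    @{ Name = 'Block NetBIOS Name Service (TCP 137)';     Protocol = 'TCP'; Port = 137 },
    @{ Name = 'Block NetBIOS Name Service (UDP 137)';     Protocol = 'UDP'; Port = 137 },
    @{ Name = 'Block NetBIOS Datagram (TCP 138)';         Protocol = 'TCP'; Port = 138 },
    @{ Name = 'Block NetBIOS Datagram (UDP 138)';         Protocol = 'UDP'; Port = 138 },
    @{ Name = 'Block NetBIOS Session (TCP 139)';          Protocol = 'TCP'; Port = 139 },
    @{ Name = 'Block Microsoft-DS / SMB (TCP 445)';       Protocol = 'TCP'; Port = 445 }
)

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist so re-running does not duplicate them
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Port -Profile Any | Out-Null
    }
}

# --- Method 3: RestrictAnonymous under the Lsa key, value 2 as the page states ---
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$before = (Get-ItemProperty -Path $lsaPath -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
Write-Output "RestrictAnonymous before: $before"
Set-ItemProperty -Path $lsaPath -Name RestrictAnonymous -Value 2 -Type DWord

# --- Verify: rules present and enabled, value set, and see what is still listening ---
Get-NetFirewallRule -DisplayName 'Block *' | Select-Object DisplayName, Enabled, Action
Write-Output ("RestrictAnonymous after: " + (Get-ItemProperty -Path $lsaPath -Name RestrictAnonymous).RestrictAnonymous)
# Listeners on these ports are expected (Windows keeps them open); the firewall rules
# are what stops the outside from reaching them.
netstat -an | Select-String ':(135|13[789]|445)\s'
```

One caveat worth knowing before you apply Method 3 on anything but a stand-alone machine: value 2 is the Windows 2000 meaning of RestrictAnonymous, and on a domain member or domain controller it is known to break trust relationships and network browsing. Windows XP and later expose the same control through Local Security Policy instead, so on those versions set it there and check what the policy wrote rather than forcing the value by hand.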

Other security measures
[strong/robust]

Disable the Windows "services" that you are least likely to need, but that compromise security and performance the most.

The default Windows setting, "Hide extensions for known file types", makes it impossible to see what the "type" of a file really is. Worse, some extensions for exploitable file types stay hidden even after you change that setting. In addition, virus and Trojan-horse writers commonly change the file icon so that the file looks like a benign file type.

You can see that this situation makes opening attachments much like Russian roulette. Unmask Exploitable File Extensions will tell you more about the problem and how to fix it. [list of extensions]
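A script that does both halves of the fix, added as an example and not part of the original page or the "Unmask Exploitable File Extensions" article: it switches off "Hide extensions for known file types" for the current user, then audits the per-type NeverShowExt registry value, which is the mechanism that keeps certain extensions hidden regardless of that setting, and lists which extensions each one masks. The -Unmask switch, which removes those values, is my own addition and needs an elevated prompt; without it the HKCR part only reads.

```powershell
# Added example (not from the original page): show all extensions in Explorer and
# audit (optionally remove) the per-file-type NeverShowExt values that keep some
# extensions hidden anyway. Read-only unless -Unmask is given (then run elevated).
param([switch]$Unmask)

# 1. Turn off "Hide extensions for known file types" for the current user
$advPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advPath -Name HideFileExt -Value 0 -Type DWord

# 2. Map HKEY_CLASSES_ROOT as a drive so the provider cmdlets can walk it
if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# 3. Every ProgID (e.g. lnkfile, piffile) that carries a NeverShowExt value
$progIds = Get-ChildItem -Path 'HKCR:\' -ErrorAction SilentlyContinue |
    Where-Object { $null -ne $_.GetValue('NeverShowExt', $null) } |
    Select-Object -ExpandProperty PSChildName

# 4. Map each of those ProgIDs back to the extension keys (".lnk", ".pif", ...) whose
#    default value points at it, so the report says which extensions are masked
$extMap = @{}
Get-ChildItem -Path 'HKCR:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' } |
    ForEach-Object {
        $default = $_.GetValue('', $null)
        if ($default -and ($progIds -contains $default)) {
            if (-not $extMap.ContainsKey($default)) { $extMap[$default] = @() }
            $extMap[$default] += $_.PSChildName
        }
    }

foreach ($id in $progIds) {
    $exts = if ($extMap.ContainsKey($id)) { $extMap[$id] -join ', ' } else { '(no extension maps to it)' }
    Write-Output ("{0,-24} hides the extension for: {1}" -f $id, $exts)
    if ($Unmask) {
        Remove-ItemProperty -Path "HKCR:\$id" -Name NeverShowExt
    }
}

# Explorer reads these settings at start-up: log off, or restart explorer.exe, to see the change.
```

Expect lnkfile (.lnk) to be on the list on every system; removing NeverShowExt from it makes every desktop shortcut show ".lnk", which is exactly the point but takes some getting used to, so run the audit first and decide per type.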

If you're interested in fully battening down Windows, I also suggest that you do NOT run as admin.