Harden XP Part1

There are lots of howtos , books dealing with security and hardening operating systems in general.However there's not a bunch off sites that cover a broader range off hardening / security settings.Personally i such as windows xp for its drivers and compattibillity , configurablility and looks.What i certainly do not such as is the gigantic quantity off build in features (flaws) such as remote desktop connection , etc making xp vulnerable in its default state. My goal is to display the quick security options and emphasizing what the side effects / advantages  are, as well as then let u see some additional security settings with the use off the build in mmc ( microsoft management console) and the default

security templates which is allready present at every XP box.

In my opinion, u do not need to read a whole security book with normal page lenght off 500 for some sec settings which would fit on one page.

1) disable netbios over tcp/ip  {no side effect unless u using netbios names}

  goto start--->control panel ---->network and net connections

  --->network connections

  right click on your (local , whatever u use) connection and goto properties

  right click tcp/ip goto options , click on advanced and select the tab WINS, clear the disable netbios over tcp/ip checkbox.

2) While being there you might ass well disable (better uninstall)

   client for microsoft networks and file and printer sharing.

  Really the only thing you need is tcp/ip ( the standard net protocol)

 this might affect sharing files with icq or msn, aim etc, which is bad anyway. Kazaa and overnet file sharing programs remain unaffected through this

procedure.

Â

3)Change your computer name to something less usual such as a underscore

4)goto start ---> run and press browse

 browse to C:WINDOWSsystem32ddeshare.exe

and press enter, disable all mentioned shares present, such as the hearts (port 135), blackjack etc, ever wondered where this port 135 comes from ?

6)Regedit part

 goto start--->run and enter "regedit"

before going further make a backup off the registry through exporting the current registry settings under file--->export etc

goto HKEY_LOCAL_MACHINESYSTEMCurrentControlsetControl
Lsarestrictanonymous

double click on this reg key and enter the the value 2

this disables totally null session enumeration (nobody can not enumerate

accounts etc)

restrictanonymoussam should be at value one , can not go to a higher value

7)goto

HKEY_LOCAL_MACHINESYSTEMCurrentControlsetControl
ServicesLanManServer

click on the + in front off LanManServer and click on Parameters

on the right half off the regeditor double click on NullSessionPipes

Delete everything whats there as value

Same goes for lanmanworkstation

8) goto

HKEY_LOCAL_MACHINESYSTEMCurrentControlsetControl
ServicesTcpipParameters

double click on EnableIcmpRedirect and enter the value zero ( disabled)

same goes for DeadGwDetect

double click on EnableSecurityFilters and enter the value one ( enabled)

Â

export ( save) your new registry settings to a floppy , for later use .

-------------------------------------------------------------

Windows XP Professional

9) goto start--->run and enter mmc

this will open the microsoft management console

goto File--->Add/Remove Snap-in..

goto Add and select the snap-ins 1) security templates

                                                     2) security  configuration and analysis

once done corect u should see two windows:

one named console one and one named Console RootSecurity Templates

right click on Security Configuration and Analysis and goto open database