RebuildXP
     Recommended recourse:

       1) Make sure your hard drives are formatted as NTFS rather than FAT32.

          If rebuilding your system, choose the option to format all hard drives as NTFS rather
          than FAT32.

           If your machine is already built, you can check to see which file system is in use by
           opening up “Computer” and clicking with the right-hand mouse button on the icon for the
           local disk(s). Choose “Properties” and the type of file system will be displayed on the

           If the file system is listed as FAT32, you can change it to NTFS by opening the Start
           Menu and clicking on the “Run” button. Type in cmd and hit enter. A command prompt
           window will appear, where you should type the following command:
           convert c: /FS:NTFS

       2) All accounts on your system should be password-protected. Remember to follow "good
          password" conventions (i.e. at least seven characters long, a mixture of numbers and
          letters, no names, easily guessed words, dates, SSNs, etc.). DO NOT USE A BLANK
          PASSWORD, and do not use the same username and password or machine name and
          password.

          To set passwords for your accounts, open up the Start Menu and choose “Control
          Panel” from the right side of the menu. Click on the “User Accounts” icon in the
          Control Panel. Towards the bottom of the screen under “Pick an account to change”,
          click on a user account picture. Click on “Change my password” and repeat these steps
          to give each user account a “good” password. Note that by default, the Administrator
          account does not appear as an account under User Accounts. IT IS EXTREMELY
          IMPORTANT TO GIVE THE ADMINISTRATOR ACCOUNT A PASSWORD! To do so, open the
          Start Menu and click on “Log off”. When the welcome screen appears where you
          normally click on your icon to log in, instead simultaneously press the following keys:
          Ctrl, Alt, and Delete. A Log On to Windows dialog box will appear. Type the word
          Administrator in the User name: box and click on the OK button. Repeat the steps to
          open the User Accounts section of the Control Panel. The Administrator account should
          now appear at the bottom of the screen. Follow the steps as above to add a “good”
          password to this Administrator account.

          Note: If you are rebuilding your machine because it has been compromised,
          change all administrative passwords on your machine(s). This is especially
          important after a compromise because the password file may be retrieved and run
          against a "cracker". However, it is also important to change passwords relatively
          frequently for normal security measures.

       3) Use another (already secured) computer to download the most recent Service Pack to
          removable media such as a CD-ROM, Zip, or Jaz disk. Install this service pack on your
          computer before it is connected to the Internet for the first time to avoid a compromise.

          The current Service Pack is SP2, which is available after Labor Day, 2004 for Penn
          State users at the ITS or your local Penn State campus Helpdesks, or it can be
          downloaded from:


          Service Pack 2 installs a new feature for Windows XP: the Windows Security Center,
          which monitors three security “essentials”: firewall, updates, and antivirus. These
          three features are described in detail in the next three recommendations below.

      4) Service Pack 2 has a firewall built in to it that will protect your computer from some
         forms of incoming hostile attacks. By default, this is turned on in XP SP2. It is
         recommended that either you leave this built-in firewall turned on, or that you install a
         piece of software onto your computer known as a personal firewall.

          A personal firewall program will protect your computer from both incoming and
          outgoing attacks. If your computer is infected with a virus or worm, a personal firewall
          will also prevent your computer from attacking other computers on the Internet, whereas
          the Windows firewall will not. Some examples of personal firewalls include: ZoneAlarm,
          Symantec Internet Firewall, Tiny, and Network Ice. You can purchase a personal
          firewall either online or in computer or department stores, or you can download a free
          personal firewall from:

          Note that due to licensing terms, you cannot download the freeware version of
          ZoneAlarm to University-owned computers.

          If installing a personal firewall, you will need to disable the built-in Windows firewall.
          To do so, open the Control Panel and click on the “Security Center” icon. Scroll down
          to the bottom of the Security Center screen and click on the “Windows Firewall” icon.
          Click on the radio button to change the setting from “On (Recommended)” to “Off”.

      5) The second feature of the Windows Security Center is known as Automatic Updates.
         Automatic Updates is a program installed on your computer that automatically contacts
         the Microsoft site to determine if there are any essential patches, hotfixes, or service
         packs available to protect your machine from vulnerabilities. If any patches are
         available, they will be automatically downloaded to your computer. It is vital that your
         machine gets these patches in one of two ways: Automatic Updates or Windows Update.

          By default, Automatic Updates is turned on, and your computer will attempt to contact
          the Microsoft web site every night at 3:00am, download, and install any available
          patches. There are several options you can change under Automatic Updates
          configuration by clicking on the Automatic Updates icon in the Windows Security
          Center. You can change the time of this occurrence if your computer is not generally
          turned on overnight. You can also choose to download any updates but have the
          computer wait until you give approval to install them. A third option is to have your
          computer notify you if there are any available updates, but to not download the updates.
          The final option is to turn Automatic Updates off.

          If you use a modem to connect to the Internet rather than an “always-on” connection,
          you may wish to get your updates through “Windows Update” instead of Automatic
          Updates. Your computer will not download any patches automatically with Windows
          Update. After connecting to the Internet, you must open the Start Menu, click on
          “All Programs”, then choose Windows Update. You will be taken to a Microsoft
          webpage, where you should click on either “Express Install (Recommended)” to
          download all available patches or “Custom Install” to choose which updates to install.
          It is recommended that if you are using Windows Update to manually apply patches
          rather than Automatic Updates, you check for available Windows Update patches at
          least weekly.

      6) The third feature of the Windows Security Center is that it will check to see if an
         Antivirus program is installed on your computer. If you have not already done so, install
         an Antivirus program.

          To view information about how to obtain free Symantec Norton AntiVirus
          software as a member of the PSU community, please visit:

          After installing your antivirus program, you must update what are known as virus
          definition files to keep your computer protected against the latest virus threats.
          Virus definition files are cumulative and are usually available for you to
          download weekly. If you do not download these definition files, your computer is
          only protected against OLD viruses and it is possible that your computer will get
          infected with a newer virus.

          If your antivirus program is Norton AntiVirus, open the program either through
          the Start Menu or by double-clicking the yellow shield-like icon located near the
          clock in the system tray. After Norton AntiVirus opens, click on the “Live
          Update” button located on the bottom right-hand side of the screen. Follow the
          next prompts to download any available updates. You can either perform this
          step manually at least once a week or you can go to the “File” menu and click on
          “Schedule Updates”, where you can enter a time for your computer to
          automatically contact Symantec’s site to check for, download, and install any
          available definition files.

      7) Download freeware anti-spyware software such as Ad-Aware and Spybot Search and
         Destroy to protect your machine from certain malicious programs known as Spyware and
         Adware. Spyware is software that gets installed on your machine without your
         knowledge or consent and that may monitor your Internet usage and transmit it to another
         computer. Spyware can be bundled with other software that you install, or is often
         installed by clicking on a deceptive pop-up message.

          Lavasoft’s Ad-Aware can be downloaded from:

          Spybot Search and Destroy can be downloaded from:

          Remember to update your anti-spyware program by clicking on the “Update” button in
          the software after it is installed to make sure that your computer is aware of the latest
          Spyware threats.

      8) Turn all unnecessary services off (e.g. FTP, telnet, Remote Access, etc.).

          Go to the Start Menu and choose "Settings". Under Settings, select the Control Panel.
          Once the Control Panel opens, you should see a menu choice in the upper left-hand
          corner that will either say "Switch to Classic View" or "Switch to Category View". If
          you are in Classic View, choose “Administrative Tools” from the right-hand menu and
          then “Services”. If you are in Category View, choose "Performance and Maintenance"
          from the right-hand menu and then choose "Administrative Tools" towards the bottom.
          Under the Administrative Tools menu, choose “Services”.

          Specific XP services which should be stopped and disabled unless specifically needed:
             · Remote Desktop Help Session Manager (Remote Assistance)
             · Remote Access Auto Connection Manager
             · NetMeeting Remote Desktop Sharing
             · SSDP (Universal Plug and Play)
             · Remote Registry Access
                 · Remote Registry Access is a service that runs by default in Windows XP.
                   If you are not remotely administering your computer, this service should
                   be stopped and set from automatic startup to either manual or disabled.
                   It is dangerous to allow someone to edit your registry remotely.
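          The services listed above can also be stopped and disabled from an administrator
          command prompt. The batch file below is an added example, not part of the original
          guide; the short service names are the ones Windows XP uses for the services in the
          list, plus TlntSvr and MSFTPSVC for the Telnet and FTP services mentioned in step 8.

```batch
@echo off
rem Added example (not from the original guide): stop and disable the step 8
rem services. Short names map to the Services console display names:
rem   RDSessMgr      Remote Desktop Help Session Manager
rem   RasAuto        Remote Access Auto Connection Manager
rem   mnmsrvc        NetMeeting Remote Desktop Sharing
rem   SSDPSRV        SSDP Discovery Service
rem   upnphost       Universal Plug and Play Device Host
rem   RemoteRegistry Remote Registry
rem   TlntSvr        Telnet          (may not be installed)
rem   MSFTPSVC       FTP Publishing  (only present with IIS)
setlocal
set SERVICES=RDSessMgr RasAuto mnmsrvc SSDPSRV upnphost RemoteRegistry TlntSvr MSFTPSVC

for %%S in (%SERVICES%) do (
    rem sc returns a non-zero code such as 1060 when the service does not exist
    sc query %%S >nul 2>&1
    if errorlevel 1 (
        echo [skip]   %%S is not installed on this machine
    ) else (
        echo [harden] stopping and disabling %%S
        rem the space after "start=" is required by sc
        sc config %%S start= disabled >nul
        sc stop %%S >nul 2>&1
    )
)

rem Verify: every installed service in the list should now show START_TYPE : 4 DISABLED
for %%S in (%SERVICES%) do (
    sc qc %%S 2>nul | findstr /C:"SERVICE_NAME" /C:"START_TYPE"
)
endlocal
```

          Services that are already stopped make "sc stop" return an error, which the script
          ignores; the final loop is the check that matters.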

      9) Disable Remote Assistance until it is needed.

          Remote Assistance is designed to allow others to take control of your computer to assist
          in troubleshooting and fix problems.

          To turn this off, navigate to the Control Panel → Classic View → System → “Remote”
          tab → “Settings” button. Click on the Advanced button and uncheck “Allow this
          computer to be controlled remotely”.

      10) Delete any unused accounts on machine(s) and/or domain(s).

          As described in step 2 above, you can access the local accounts by navigating to the
          Control Panel, choosing "Category View" and selecting "User Accounts" from the right
          hand menu.

      11) Also apply patches to all other applicable programs (e.g. Cold Fusion, PC Anywhere,
          Oracle, SQL, Exchange, etc.). For example, if you have Microsoft Office installed, get
          patches for the software by navigating to:

      12) Turn off automatic searching for file and printer sharing unless absolutely required.
          Also uncheck “Use simple file sharing” if possible.

          Under the Start Menu, select “Run”. In the Run box, type “Explorer” and click OK or
          press the Enter key. An Explorer window displaying the contents of your computer should
          appear on the screen. On the “Tools” menu of Explorer, select “Folder Options”.
          The Folder Options dialog should display four tabs (General, View, File Types, and Offline
          Files). Click on the “View” tab. Under “Files and Folders”, uncheck the box that
          specifies “Automatically search for network folders and printers.” “Use simple file
          sharing” is the last item in the list and it should also be unchecked if possible.

      13) Do not install IIS (Web Server) unless absolutely necessary.

      14) Do not create any shares (folders) on your hard drive that do not require a password.

      15) By default in Windows XP, there are several administrative shares (e.g. C$, D$, IPC$,
          PRINT$). Do not take steps to grant additional access to these administrative shares to
          any users other than the default administrator.

      16) Set local machine account and password policies such as password length, complexity,
          lockout time and duration, etc. under “Account Policies” in Local Security Policies.

          You can access Account Policies from: Start → Control Panel → (Classic
          View) → Administrative Tools → Local Security Settings → Account Policies

          Under the “Password Policy” of Account Policies, you may wish to use the following
          recommended settings:

              ·   Password History = 5
              ·   Password Length = 7 or more
              ·   Complexity Requirements = Enabled

          Under the “Account Lockout Policy” of Account Policies, you may wish to use the
          following recommended settings:

              ·   Lockout Duration – 15 minutes or more
              ·   Lockout threshold – 5 or less
              ·   Lockout reset counter – 15 minutes or more

      17) Add success and failure auditing for policy change, account management, and logon
          events.

          You can access Auditing Policies from: Start → Control Panel → (Classic
          View) → Administrative Tools → Local Security Policy → Local Policies → Audit Policy.

          Once in this policy, click on the correct boxes to add the following auditing:

              ·   Account Logon Events – Success / Failure
              ·   Account Management – Success / Failure
              ·   Directory Service Access – Failure
              ·   Logon Events – Success / Failure
              ·   Object Access – Success / Failure, if you want to audit this
              ·   Policy Change – Success / Failure
              ·   Privilege Use – Failure
              ·   Process Tracking – Failure
              ·   System Events – Failure

      18) Set "User Rights" assignments in the local security policy to define the specific actions
          the machine’s users may perform.

          You can access User Rights Assignment policies from: Start → Control
          Panel → (Classic View) → Administrative Tools → Local Security Policy → Local
          Policies → User Rights Assignment.

          A suggested setting to check is "Access this computer from the network." If you do not
          want others to remotely access your machine, you can remove all non-applicable entries
          (e.g. remove “Everyone”). However, if your machine is a server, others may need
          access to the machine and you will need to assign this setting accordingly.

      19) Under Security Options of Local Security Settings are quite a few options to secure your
          machine. Two of these options are to rename the Guest and Administrator accounts. It is
          recommended that you do so, since these accounts exist on all Windows NT-based
          machines and are commonly used in attempts to compromise machines. This
          menu also contains other items you may wish to set, such as
          "Control-Alt-Delete" required before logon, and "Don't display last user" logged in.

          You can access Security Options policies from: Start → Control Panel → (Classic
          View) → Administrative Tools → Local Security Policy → Local Policies → Security
          Options.

          Suggested Local Security Settings:

              ·   Accounts: Guest Account Status – make sure that this is set to Disabled
              ·   Accounts: Rename Administrator account – please do this by typing in an
                  alternate name for the administrative account!
              ·   Accounts: Rename Guest account – please do this!
              ·   Accounts: Limit local use of blank passwords to console logon – DO NOT
                  change this to Disabled!
              ·   Devices: Restrict CD-ROM and Floppy to locally logged on user – Change to
              ·   Interactive Logon: Do not display last user name in logon screen – Set to
                  Enabled. If you enable this, you will have to type in both user name and
                  password upon logging in, rather than have the system remember the last
                  user name.
              ·   Interactive Logon: Message text and Message Title for users attempting to log
                  on – If you want a popup message before the Control-Alt-Delete screen, type
                  whatever you want this to say
              ·   Network Access: Do not allow anonymous enumeration of SAM Accounts – Set
                  this to Enabled
              ·   Network Access: Do not allow anonymous enumeration of SAM Accounts and
                  Shares – Set to Enabled
              ·   Network Access: Remotely accessible registry paths – remove all paths
              ·   Shutdown: Allow system to be shut down without having to log on – Set to
                  Disabled if you don’t want the “Shut Down” button in the Control-Alt-Delete
                  logon box.
              ·   Shutdown: Clear virtual memory pagefile when shutting down – Set to Enabled
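          The settings from steps 16, 17 and 19 can be applied in one pass with a security
          template and secedit instead of clicking through Local Security Settings. The batch
          file below is an added example, not taken from the guide; the template path under
          %TEMP%, the replacement account names and the logon-banner text are placeholders.

```batch
@echo off
rem Added example (not from the original guide): write a security template
rem carrying the step 16, 17 and 19 settings and apply it with secedit.
rem Run from an administrator command prompt; names marked PLACEHOLDER are yours to choose.
setlocal
set INF=%TEMP%\psu-harden.inf
set SDB=%TEMP%\psu-harden.sdb

(
echo [Version]
echo signature="$CHICAGO$"
echo Revision=1
echo [System Access]
echo ; step 16 - Password Policy and Account Lockout Policy, minutes for the lockout values
echo PasswordHistorySize = 5
echo MinimumPasswordLength = 7
echo PasswordComplexity = 1
echo LockoutDuration = 15
echo LockoutBadCount = 5
echo ResetLockoutCount = 15
echo ; step 19 - rename the built-in accounts and keep Guest disabled
echo NewAdministratorName = "SiteAdmin-PLACEHOLDER"
echo NewGuestName = "Visitor-PLACEHOLDER"
echo EnableGuestAccount = 0
echo [Event Audit]
echo ; step 17 - 0 = none, 1 = success, 2 = failure, 3 = success and failure
echo AuditAccountLogon = 3
echo AuditAccountManage = 3
echo AuditDSAccess = 2
echo AuditLogonEvents = 3
echo AuditPolicyChange = 3
echo AuditPrivilegeUse = 2
echo AuditProcessTracking = 2
echo AuditSystemEvents = 2
echo [Registry Values]
echo ; step 19 - Security Options; value types: 4 = REG_DWORD, 1 = REG_SZ, 7 = REG_MULTI_SZ
echo MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Notice"
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,"PLACEHOLDER logon message"
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
echo MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,
) > "%INF%"

rem Import the template into a fresh database and apply only the policy areas it covers
secedit /configure /db "%SDB%" /cfg "%INF%" /areas SECURITYPOLICY /log "%TEMP%\psu-harden.log"
if errorlevel 1 (
    echo secedit reported a problem - see %TEMP%\psu-harden.log
) else (
    echo Local security policy applied - review it in Local Security Settings, secpol.msc
)
endlocal
```

          The "Restrict CD-ROM and Floppy" option and "Object Access" auditing are left out
          because the guide leaves their values to you.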

      20) If you are running IIS, Extended Logging Properties should be enabled for your website
          and/or FTP server.

          To check your current logging configuration, open IIS Manager (usually located on the
          Start Menu under the NT4.0 Option Pack). Right click on the Name of your web site (if
          you have not named it, it will be called "Default Web Site"), choose "properties" and
          click on the "web site" tab. Towards the bottom of the page, you will see a check box for
          enable logging, which should be checked, and the format should be W3C Extended Log
          File Format, not Active Log Format. Click on the "properties" button located beside the
          format and choose the "extended logging properties" tab to make sure that it includes
          Date, Time, Server IP, Client IP, URI Stem, and URI Query so that you can fully log
          every access to your web site.

      21) Check your event logs (and web logs if you are running a web server) at least weekly to
          ensure awareness of any intrusions/problems.

          Event logs can be viewed by typing eventvwr in the box at "start->run". Three types of
          logs should be checked: application, security, and system.

          IIS logs, by default, are located at: C:\Winnt\System32\Logfiles\. A typical web log will
          be in the W3svc1 folder of Logfiles and will be named ex010801 (by date – in this case,
          August 01, 01).

      22) If rebuilding your system, restore your *data* from backups, if possible only after the
          operating system has been secured.

      23) Subscribe to the Microsoft Security Notification Service (for future vulnerability
          reports) at:

      24) If you suspect an intruder, check for any unusual connections to your machine using the
          windows command netstat -na
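          A weekly review script covering steps 20, 21 and 24, with the account and share
          checks from steps 10, 14 and 15, added here as an example rather than taken from
          the guide. LOGDIR follows the guide's default IIS log location and is an assumption;
          netstat's -o switch, present on Windows XP, adds the owning process ID to the -na output.

```batch
@echo off
rem Added example (not from the original guide): weekly review for steps 20, 21
rem and 24. LOGDIR is the guide's default IIS log folder and is an assumption.
setlocal
set LOGDIR=C:\Winnt\System32\Logfiles\W3svc1

rem Steps 20 and 21: find the newest exYYMMDD log and confirm its #Fields: header
rem carries the six fields the guide asks for (" time" also matches time-taken).
set NEWEST=
for /f "delims=" %%F in ('dir /b /o-d "%LOGDIR%\ex*.log" 2^>nul') do if not defined NEWEST set NEWEST=%LOGDIR%\%%F
if not defined NEWEST (
    echo No ex*.log files in %LOGDIR% - confirm logging is enabled, see step 20
    goto :connections
)
echo Newest IIS log: %NEWEST%
for %%W in (date time s-ip c-ip cs-uri-stem cs-uri-query) do (
    findstr /B /C:"#Fields:" "%NEWEST%" | findstr /C:" %%W" >nul || echo   MISSING field: %%W
)
rem Lines starting with # are header lines; everything else is one logged request
for /f %%N in ('findstr /V /B "#" "%NEWEST%" ^| find /C /V ""') do echo   %%N requests recorded in this file

:connections
rem Step 24: netstat -na as in the guide, plus -o so the owning PID appears in the
rem last column; match a PID to its process with: tasklist /FI "PID eq NNNN"
echo.
echo Listening ports and established connections:
netstat -nao | findstr /C:"LISTENING" /C:"ESTABLISHED"

rem Steps 10, 14 and 15: review local accounts and shares; anything beyond the
rem administrative shares such as C$, D$ and IPC$ must require a password
echo.
echo Local accounts:
net user
echo.
echo Shares:
net share
endlocal
```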

      25) Download and install Microsoft’s Baseline Security Analyzer to analyze the security of
          your system from:

      26) Please remember to report any future instances of compromise to Security Operations
          and Services at either (814) 863-9533 or
