1) Make sure your hard drives are formatted as NTFS rather than FAT32.
If rebuilding your system, choose the option to format all hard drives as NTFS rather
If your machine is already built, you can check to see which file system is in use by
opening up “Computer” and right-clicking on the icon for the local disk(s). Choose
“Properties” and the type of file system will be displayed on the
If the file system is listed as FAT32, you can change it to NTFS by opening the Start
Menu and clicking on the “Run” button. Type in cmd and hit Enter. A command prompt
window will appear, where you should type the following command:
convert c: /FS:NTFS
2) All accounts on your system should be password-protected. Remember to follow “good
password” conventions (i.e. at least seven characters long, a mixture of numbers and
letters, and no names, easily guessed words, dates, SSNs, etc.). DO NOT USE A BLANK
ADMINISTRATIVE PASSWORD UNDER ANY CIRCUMSTANCES. Also, do not
use the same username and password, or machine name and password.
To set passwords for your accounts, open up the Start Menu and choose “Control
Panel” from the right side of the menu. Click on the “User Accounts” icon in the
Control Panel. Towards the bottom of the screen under “Pick an account to change”,
click on a user account picture. Click on “Change my password” and repeat these steps
to give each user account a “good” password. Note that by default, the Administrator
account does not appear as an account under User Accounts. EXTREMELY
IMPORTANT: YOU MUST GIVE YOUR ADMINISTRATOR
ACCOUNT A PASSWORD! To do so, open the Start Menu and click on “Log
off”. When the welcome screen appears where you normally click on your icon to log in,
instead simultaneously press the following keys: Ctrl, Alt, and Delete. A Log On to
Windows dialog box will appear. Type the word Administrator in the User name: box
and click on the OK button. Repeat the steps to open the User Accounts section of the
Control Panel. The Administrator account should now appear at the bottom of the
screen. Follow the steps as above to add a “good” password to this Administrator
Note: If you are rebuilding your machine because it has been compromised,
change all administrative passwords on your machine(s). This is especially
important after a compromise because the password file may be retrieved and run
against a "cracker". However, it is also important to change passwords relatively
frequently for normal security measures.
3) Use another (already secured) computer to download the most recent Service Pack to
removable media such as a CD-ROM, Zip, or Jaz disk. Install this service pack on your
computer before it is connected to the Internet for the first time to avoid a compromise.
The current Service Pack is SP2, which is available after Labor Day, 2004 for Penn
State users at the ITS or your local Penn State campus Helpdesks or it can be
Service Pack 2 installs a new feature for Windows XP: the Windows Security Center,
which monitors three security “essentials”: firewall, updates, and antivirus. These
three features are described in detail in the next three recommendations below.
4) Service Pack 2 has a firewall built in to it that will protect your computer from some
forms of incoming hostile attacks. By default, this is turned on in XP SP2. It is
recommended that either you leave this built-in firewall turned on, or that you install a
piece of software onto your computer known as a personal firewall.
A personal firewall program will protect your computer from both incoming attacks and
outgoing attacks. If your computer is infected with a virus or worm, a personal firewall
will also prevent your computer from attacking other computers on the Internet, whereas
the Windows firewall will not. Some examples of personal firewalls include: ZoneAlarm,
Symantec Internet Firewall, Tiny, and Network Ice. You can purchase a personal
firewall either online or in a computer or department store, or you can download a free
personal firewall from http://www.zonealarm.com. Note that due to licensing terms, you
cannot download the freeware version of ZoneAlarm to University-owned computers.
If installing a personal firewall, you will need to disable the built-in Windows firewall.
To do so, open the Control Panel and click on the “Security Center” icon. Scroll down
to the bottom of the Security Center screen and click on the “Windows Firewall” icon.
Click on the radio button to change the setting from “(Recommended)” to “Off”.
5) The second feature of the Windows Security Center is known as Automatic Updates.
Automatic Updates is a program installed on your computer that automatically contacts
the Microsoft site to determine if there are any essential patches, hotfixes, or service
packs available to protect your machine from vulnerabilities. If any patches are
available, they will be automatically downloaded to your computer. It is vital that your
machine gets these patches in one of two ways: Automatic Updates or Windows Update.
By default, Automatic Updates is turned on, and your computer will attempt to contact
the Microsoft web site every night at 3:00am, download, and install any available
patches. There are several options you can change under Automatic Updates
configuration by clicking on the Automatic Updates icon in the Windows Security
Center. You can change the time of this occurrence if your computer is not generally
turned on overnight. You can also choose to download any updates but have the
computer wait until you give approval to install them. A third option is to have your
computer notify you if there are any available updates, but to not download the updates.
The final option is to turn Automatic Updates off.
If you use a modem to connect to the Internet rather than an “always-on” connection,
you may wish to get your updates through “Windows Update” instead of Automatic
Updates. Your computer will not download any patches automatically with Windows
Update. After connecting to the Internet, you must open the Start Menu, and click on
“Programs”, then choose Windows Update. You will be taken to a Microsoft
webpage, where you should click on either “Express Install (Recommended)” to
download all available patches or “Custom Install” to choose which updates to install.
It is recommended that if you are using Windows Update to manually apply patches
rather than Automatic Updates, you check for available Windows Update patches at
6) The third feature of the Windows Security Center is that it will check to see if an
Antivirus program is installed on your computer. If you have not already done so, install
an Antivirus program.
To view information about how to obtain free Symantec Norton AntiVirus
software as a member of the PSU community, please visit:
After installing your antivirus program, you must update what are known as virus
definition files to keep your computer protected against the latest virus threats.
Virus definition files are cumulative and are usually available for you to
download weekly. If you do not download these definition files, your computer is
only protected against OLD viruses and it is possible that your computer will get
infected with a newer virus.
If your antivirus program is Norton AntiVirus, open the program either through
the Start Menu or by double-clicking the yellow shield-like icon located near the
clock in the system tray. After Norton AntiVirus opens, click on the “Live
Update” button located on the bottom right-hand side of the screen. Follow the
next prompts to download any available updates. You can either perform this
step manually at least once a week or you can go to the “File” menu and click on
“Schedule Updates”, where you can enter a time for your computer to
automatically contact Symantec’s site to check for, download, and install any
available definition files.
7) Download freeware anti-spyware software such as Ad-Aware and Spybot Search and
Destroy to protect your machine from certain malicious programs such as spyware and
adware. Spyware is software that gets installed on your machine without your
knowledge or consent that may monitor your Internet usage and transmit it to another
computer. Spyware can be bundled with other software that you install or is often
installed by clicking on a deceptive pop-up message.
Lavasoft’s Ad-Aware can be downloaded from:
Spybot Search and Destroy can be downloaded from:
Remember to update your anti-spyware program by clicking on the “Update” button in
the software after it is installed to make sure that your computer is aware of the latest
8) Turn all unnecessary services off (e.g. FTP, telnet, Remote Access, etc.).
Go to the Start Menu and choose “Settings”. Under Settings, select the Control Panel.
Once the Control Panel opens, you should see a menu choice in the upper left hand
corner that will either say “Switch to Classic View” or “Switch to Category View”. If
you are in Classic View, choose “Administrative Tools” from the right hand menu and
then “Services”. If you are in Category View, choose “Performance and Maintenance”
from the right hand menu and then choose “Administrative Tools” towards the bottom.
Under the Administrative Tools menu, choose “Services”.
Specific XP Services which should be stopped and disabled unless specifically needed:
· Remote Desktop Help Session Manager (Remote Assistance)
· Remote Access Auto Connection Manager
· Netmeeting Remote Desktop Sharing
· SSDP (Universal Plug and Play)
· Remote Registry Access
· Remote Registry Access is a service that runs by default in Windows XP.
If you are not remotely administering your computer, this service should
be stopped and set from automatic startup to either manual or disabled.
It is dangerous to remotely allow someone to edit your registry.
9) Disable Remote Assistance until it is needed.
Remote Assistance is designed to allow others to take control of your computer to assist
in troubleshooting and fixing problems.
To turn this off, navigate to the Control Panel → Classic View → System → “Remote”
tab → “Settings” button. Click on the Advanced button and uncheck “Allow this
computer to be controlled remotely”.
10) Delete any unused accounts on machine(s) and/or domain(s).
As described in step 2 above, you can access the local accounts by navigating to the
Control Panel, choosing "Category View" and selecting "User Accounts" from the right
11) Also apply patches to all other applicable programs (e.g. Cold Fusion, PC Anywhere,
Oracle, SQL, Exchange, etc.). For example, if you have Microsoft Office installed, get
patches for the software by navigating to: http://officeupdate.microsoft.com/
12) Turn off automatic searching for file and printer sharing unless absolutely required.
Also uncheck “simple file sharing” if possible.
Under the Start Menu, select “Run”. In the Run box, type “Explorer” and click OK or
press the Enter key. An Explorer window displaying the contents of your computer should
appear on the screen. On the “Tools” menu of Explorer, select “Folder Options”.
The Folder Options dialog should display four tabs (General, View, File Types, and Offline
Files). Click on the “View” tab. Under “Files and Folders”, uncheck the box that
specifies “Automatically search for network folders and printers.” “Use simple file
sharing” is the last item in the menu and it should also be unchecked if possible.
13) Do not install IIS (Web Server) unless absolutely necessary.
14) Do not create any shares (folders) on your hard drive that do not require a password.
15) By default in Windows XP, there are several administrative shares (e.g. C$, D$, IPC$,
PRINT$). Do not take steps to grant additional access to these administrative shares to
other users than the default administrator.
16) Set local machine account and password policies such as password length, complexity,
lockout time and duration, etc. under “Account Policies” in Local Security Policies.
You can access Account Policies from: Start → Control Panel → (Classic
View) → Administrative Tools → Local Security Settings → Account Policies
Under the “Password Policy” of Account Policies, you may wish to use the following
· Password History = 5
· Password Length = 7 or more
· Complexity Requirements = Enabled
Under the “Account Lockout Policy” of Account Policies, you may wish to use the
following recommended settings:
· Lockout Duration – 15 minutes or more
· Lockout threshold – 5 or less
· Lockout reset counter – 15 minutes or more
17) Add success and failure auditing for policy change, account management, and logon
You can access Auditing Policies from: Start → Control Panel → (Classic
View) → Administrative Tools → Local Security Policy → Local Policies → Audit Policy.
Once in this policy, click on the correct boxes to add the following auditing:
· Account Logon Events – Success / Failure
· Account Management – Success / Failure
· Directory Service Access – Failure
· Logon Events – Success / Failure
· Object Access – If you want to audit this, S/F
· Policy Change – Success / Failure
· Privilege Use – Failure
· Process Tracking – Failure
· System Events – Failure
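Steps 16 and 17 can be verified without clicking through the snap-in: `secedit /export /cfg policy.inf` writes the effective local policy to an INI-style file, and the Python below (an added example, not part of the original checklist) parses such an export and reports which of the checklist's password, lockout and audit settings are not met. Assumptions: the key names are the ones secedit itself writes, the embedded excerpt is constructed sample data, and a real export must be opened with encoding="utf-16".

```python
import re

# Constructed excerpt of a `secedit /export /cfg policy.inf` file from an unhardened
# XP box (assumption: secedit's own key names; a real export is UTF-16 and longer).
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 1
AuditAccountManage = 3
AuditSystemEvents = 2
"""

SUCCESS, FAILURE, BOTH = 1, 2, 3   # secedit audit bitmask: 1 = success, 2 = failure
# Step 16: key -> (is the exported value acceptable?, what the checklist asks for)
ACCOUNT_RULES = {
    "PasswordHistorySize": (lambda v: v >= 5, "history of 5"),
    "MinimumPasswordLength": (lambda v: v >= 7, "length 7 or more"),
    "PasswordComplexity": (lambda v: v == 1, "complexity enabled"),
    "LockoutDuration": (lambda v: v >= 15, "lockout 15 min or more"),
    "LockoutBadCount": (lambda v: 1 <= v <= 5, "threshold 5 or less (0 = never)"),
    "ResetLockoutCount": (lambda v: v >= 15, "reset counter 15 min or more"),
}
# Step 17: key -> audit bits that must be set
AUDIT_RULES = {"AuditAccountLogon": BOTH, "AuditAccountManage": BOTH,
               "AuditLogonEvents": BOTH, "AuditPolicyChange": BOTH,
               "AuditDSAccess": FAILURE, "AuditPrivilegeUse": FAILURE,
               "AuditProcessTracking": FAILURE, "AuditSystemEvents": FAILURE}

def parse_inf(text):
    """Return {section: {key: value}} from secedit's INI-style export."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def find_gaps(text):
    """List checklist items the exported policy fails; absent keys count as 0."""
    policy = parse_inf(text)
    access, audit = policy.get("System Access", {}), policy.get("Event Audit", {})
    gaps = [f"{k}={access.get(k, 0)}: want {why}"
            for k, (ok, why) in ACCOUNT_RULES.items() if not ok(int(access.get(k, 0)))]
    gaps += [f"{k}={audit.get(k, 0)}: need audit mask {need}"
             for k, need in AUDIT_RULES.items() if (int(audit.get(k, 0)) & need) != need]
    return gaps
```

Run find_gaps on the text of your own export; an empty list means every step 16 and 17 recommendation is in place.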
18) Set “User Rights” assignment in the local security policy to define specific actions of the
You can access User Rights Assignment Policies from: Start → Control
Panel → (Classic View) → Administrative Tools → Local Security Policy → Local
Policies → User Rights Assignment.
A suggested setting to check is “Access this machine from the network.” If you do not
want others to remotely access your machine, you can uncheck all non-applicable boxes
(e.g. remove “Everyone”). However, if your machine is a server, others may need
access to the machine and you will need to assign this setting accordingly.
19) Under Security Options of Local Security Settings are quite a few options to secure your
machine. Two of these options are to rename the Guest and Administrator accounts. It is
recommended that you do so since these accounts exist on all Windows NT-based
machines and are commonly used in attempts to compromise machines. This
menu also contains other items you may wish to set, such as
“Control-Alt-Delete” required before logon, and “Don’t display last user” logged in.
You can access Security Options Policies from: Start → Control Panel → (Classic
View) → Administrative Tools → Local Security Policy → Local Policies → Security
Suggested Local Security Settings:
· Accounts: Guest Account Status – make sure that this is set to Disabled
· Accounts: Rename Administrator account – please do this by typing in an
alternate name for the administrative account!
· Accounts: Rename Guest account – please do this!
· Accounts: Limit local use of blank passwords to console logon – DO NOT
change this to Disabled!
· Devices: Restrict CD-ROM and Floppy to locally logged on user – Change to
· Interactive Logon: Do not display last user name in logon screen – Set to
Enabled. If you enable this, you will have to type in both user name and
password upon logging in, rather than have the system remember the last
· Interactive Logon: Message text and Message Title for users attempting to log
on – If you want a popup message before the Control-Alt-Delete screen, type
whatever you want this to say
· Network Access: Do not allow anonymous enumeration of SAM Accounts – Set
this to Enabled
· Network Access: Do not allow anonymous enumeration of SAM Accounts and
Shares – Set to Enabled
· Network Access: Remotely accessible registry paths: remove all paths
· Shutdown: Allow system to be shut down without having to log on – Set to
Disabled if you don’t want the “Shut down” button in the Control-Alt-Delete
· Shutdown: Clear virtual memory pagefile when shutting down – Set to Enabled
20) If you are running IIS, Extended Logging Properties should be enabled for your website
and/or FTP server.
To check your current logging configuration, open IIS Manager (usually located on the
Start Menu under the NT4.0 Option Pack). Right click on the Name of your web site (if
you have not named it, it will be called "Default Web Site"), choose "properties" and
click on the "web site" tab. Towards the bottom of the page, you will see a check box for
enable logging, which should be checked, and the format should be W3C Extended Log
File Format, not Active Log Format. Click on the "properties" button located beside the
format and choose the "extended logging properties" tab to make sure that it includes
Date, Time, Server IP, Client IP, URI Stem, and URI Query so that you can fully log
every access to your web site.
21) Check your event logs (and web logs if you are running a web server) at least weekly to
ensure awareness of any intrusions/problems.
Event logs can be viewed by typing eventvwr in the box at Start → Run. Three types of
logs should be checked: Application, Security, and System.
IIS logs, by default, are located at C:\Winnt\System32\Logfiles\. A typical web log will
be in the W3svc1 folder of Logfiles and will be named ex010801 (by date; in this case,
August 01, 2001).
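The following Python is an added example, not part of the original checklist: it reads a W3C Extended log such as the ex010801 file above, verifies that the fields step 20 asks for are present in the #Fields directive, and tallies hits and 4xx/5xx responses per client address for the weekly review. The embedded log excerpt is constructed sample data; the field names are the standard W3C names IIS writes.

```python
from collections import Counter

# Fields step 20 asks for, under their W3C Extended names as IIS writes them.
REQUIRED_FIELDS = ("date", "time", "s-ip", "c-ip", "cs-uri-stem", "cs-uri-query")

# Constructed excerpt of an ex010801.log file (sample data, not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2001-08-01 00:00:00
#Fields: date time c-ip s-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-01 00:01:12 198.51.100.7 192.168.1.50 GET /index.htm - 200
2001-08-01 00:01:13 198.51.100.7 192.168.1.50 GET /images/logo.gif - 200
2001-08-01 00:02:40 203.0.113.5 192.168.1.50 GET /missing.htm - 404
2001-08-01 00:02:41 203.0.113.5 192.168.1.50 GET /search.asp q=test 200
"""

def parse_w3c(text):
    """Return (field names, entries as dicts) from a W3C Extended log."""
    fields, entries = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]         # IIS repeats this when it rolls the log
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        else:
            values = line.split()
            if len(values) == len(fields):     # skip truncated lines rather than crash
                entries.append(dict(zip(fields, values)))
    return fields, entries

def missing_required(fields):
    """Checklist fields absent from the #Fields directive."""
    return [f for f in REQUIRED_FIELDS if f not in fields]

def review(text):
    """Weekly-review summary: hits and 4xx/5xx responses per client address."""
    fields, entries = parse_w3c(text)
    hits, errors = Counter(), Counter()
    for e in entries:
        client = e.get("c-ip", "?")
        hits[client] += 1
        if e.get("sc-status", "").startswith(("4", "5")):
            errors[client] += 1
    return {"missing": missing_required(fields), "hits": hits, "errors": errors}
```

A non-empty "missing" list means the extended logging properties from step 20 were not all ticked when that log was written.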
22) If rebuilding your system, restore your *data* from backups, if possible only after the
operating system has been secured.
23) Subscribe to the Microsoft Security Notification Service (for future vulnerability
24) If you suspect an intruder, check for any unusual connections to your machine using the
Windows command netstat -na
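As an added example (not from the original checklist), this Python parses saved `netstat -na` output and flags the two things a reviewer looks for: TCP ports in LISTENING state that are not on an expected list, and ESTABLISHED connections whose peer lies outside the local network. The embedded output, the expected-port set and the local address ranges are constructed assumptions for a workstation that keeps file sharing but has Remote Desktop disabled.

```python
import ipaddress

# Constructed `netstat -na` output from an XP workstation (sample data, not a capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       192.168.1.3:1027       ESTABLISHED
  TCP    192.168.1.50:3389      203.0.113.5:4112       ESTABLISHED
  TCP    192.168.1.50:1045      198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.50:137       *:*
"""

# Assumed baseline: file sharing stays on, Remote Desktop (3389) is disabled per step 9.
EXPECTED_TCP_LISTENERS = {135, 139, 445}
# Assumed local ranges (RFC 1918 plus loopback); any other peer counts as remote.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) for each socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # banner, blank line or column header
        local_ip, _, local_port = parts[1].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        rows.append((parts[0], local_ip, int(local_port), parts[2], state))
    return rows

def unexpected_listeners(text, expected=EXPECTED_TCP_LISTENERS):
    """TCP ports in LISTENING state that the baseline does not account for."""
    return sorted({port for proto, _, port, _, state in parse_netstat(text)
                   if proto == "TCP" and state == "LISTENING" and port not in expected})

def remote_peers(text):
    """ESTABLISHED connections whose peer lies outside LOCAL_NETS."""
    peers = []
    for _, _, port, foreign, state in parse_netstat(text):
        if state != "ESTABLISHED":
            continue
        ip, _, fport = foreign.rpartition(":")
        if not any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
            peers.append((port, ip, int(fport)))
    return peers
```

Redirect the live command to a file (netstat -na > netstat.txt) and feed that text to the two functions; each unexpected listener should map to a service you can name, or it is worth investigating.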
25) Download and install Microsoft’s Baseline Security Analyzer to analyze the security of
your system from:
26) Please remember to report any future instances of compromise to Security Operations
and Services at either (814) 863-9533 or email@example.com.