Brief Intro
OS Hardening is the process of securing a system by implementing the latest OS patches, hotfixes and updates and following procedures and policies to reduce system and network attacks that are widespread today.
Thus, the idea of OS hardening is to minimize a computer's exposure to current and future threats by fully configuring the operating system and removing unnecessary applications.
Hardening your system will not cost you anything. However, you will need to spend some time changing your system's default values and adding adequate software.
This document is designed to implement sufficient security measures on PCs installed with the Windows XP operating system.
14 Steps for hardening Windows XP
1. Rename administrator account
The built-in Administrator account and the Administrators group have the greatest number of default permissions and privileges, as well as the ability to change those permissions and privileges. The object is to prevent an intruder from gaining control over the computer and administrator rights through the built-in Administrator account. To accomplish this, we will rename the Administrator account, change its description, and password-protect it.
Step by Step Procedure for renaming and password protecting in Windows XP Pro computers:
- Right click on "My Computer", then click on "Manage", which opens the Microsoft Management Console.
- Open the Users folder under Local Users and Groups, right click on "Administrator", click "Rename" and type in the new name for the account.
- Right click the newly named account, click "Properties" and change the description for the account so as not to reveal its true nature.
- Click on "OK".
- Right click on the renamed "Administrator" account, and click "Set Password".
- Click "Proceed" in the message box.
- Type in and confirm the new password for the account in the boxes and then click "OK".
2. Use strong passwords
Pick a password at least 8 characters long. I prefer 15 or more characters. Windows will accept a maximum of 127 characters.
Use both upper and lower case letters, numbers, and try to use special characters as well. If you have multiple computers, do not repeat the same password on each one. Never write down passwords and leave them in plain sight, or send them in email.
3. Use BOOT level BIOS password
Once you set a Boot level BIOS password, it will be required every time the system is started. The system is completely disabled until the password is entered. This is normally accomplished by selecting the password option in the BIOS setup. You may also want to consider an additional password for accessing the BIOS settings in order to prevent unauthorized changes in the BIOS settings.
4. Use screensaver
Proper use of the screensaver will help protect your computer while you are away from it for short periods of time. This is especially important in business environments. Just bring up the screensaver settings and enable password protection.
Remember to pick a time period for the screensaver to start, perhaps 10 minutes. If you are going to be away for an unknown time period, you can always start the screensaver manually when you are called away. Another quick way to secure things is to simply hit Ctrl-Alt-Delete, which brings up the Task Manager. You then select "Lock Computer" by left clicking the button.
- Right click an open area of the desktop
- Left click properties from the choices
- Left click the screensaver tab
- Check the box to "On resume, password protect"
5. Guest Account
Microsoft recommends against disabling the Guest account in Windows XP or removing it in either Win2k or XP.
Step by step Procedure for renaming and password protecting Guest Account in XP
- Right click on "My Computer", and then click "Manage", which opens the Microsoft Management Console.
- Open the Users folder under Local Users and Groups, right click on "Guest", click "Rename" and type in the new name for the account.
- Right click on the renamed "Guest" account, click "Properties" and edit the description for the account so its true nature will not be revealed.
6. Use NTFS file system
When Windows XP or Windows 2000 is installed, it should be installed on a separate partition formatted with the NTFS File system rather than the older FAT File system. The NTFS system allows you to configure which users have access to which data, who can perform what kinds of operations, and allows you to encrypt files and data.
7. Disable auto-logins
Do not use any automated logins and be sure all users are password protected.
Step by step Procedure to restrict auto-logins
- Go to the Control Panel and click on Administrative Tools.
- Click Local Security Policy. Make sure all users have a password set for their account.
8. Disable enumeration of SIDs
Even after renaming Guest and Administrator accounts, an intruder armed with the right software can still find the real account by enumerating the account SIDs (Security Identifiers) because renaming an account does not change its SID. Once an account name has been identified (an attacker is looking for an Administrator account here) a brute force attack on the password is usually the next step.
This can be avoided by not allowing the enumeration of Account SIDs.
Step by step Procedure for disabling enumeration of SIDs in XP pro
- Click Start, go to Control Panel, click Administrative Tools, and click Local Security Policy.
- Click the "Security Options" folder in the left pane.
- Double click "Network access: Do not allow anonymous enumeration of SAM accounts and shares" in the right pane.
- Choose "Enabled" and then click "Apply" and "OK" to save your settings.
9. Unhide File extensions
By default, Windows XP and Windows 2000 hide known file extensions to simplify displays. The problem with this is that a malware writer can hide a file's real extension type behind the displayed name and keep you from knowing what kind of file you are about to open. This is especially true for files hiding Trojans. Let's not let this happen for most file types.
On both Windows XP and Windows 2000, follow these steps:
- Click Start, go to Settings, open the Control Panel, and double click "Folder Options".
- Left click the "View" tab.
- Uncheck the box for "Hide extensions for known file types".
There are still three known file extensions that will remain hidden even after the above procedure. They are .shs, .pif, and .lnk so if in doubt, the rule should be not to open or run the file.
10. Disable Remote Desktop and Remote invitations
This applies to Windows XP machines only. Remote assistance allows you to invite another person to logon to your machine for remote troubleshooting. I recommend you leave it disabled. You can always re-enable it later if the service is ever needed. Remote desktop is available on XP Professional and allows you access to a Windows session on one computer while you are at another computer in another location, not only over a LAN, but over the Internet as well.
- Click Start, go to Settings, then Control Panel.
- Double click on the System icon.
- Click on the "Remote" tab, and uncheck the boxes "Allow Remote Assistance invitations to be sent from this computer" and "Allow users to connect remotely to this computer".
- Click "Apply" to save the settings, and close the windows.
11. Clear page file at system shutdown
Default settings allow process memory files to be paged to the hard disk in clear text form at shutdown. Although this allows more rapid recovery of this information the next time the system is started, it's a great place for an intruder to look for any sensitive information, and it is displayed in plain text form.
Step by step Procedure to clear page file at shutdown
- Click Start, go to Settings and open the Control Panel.
- Open "Administrative Tools", choose "Local Security Policy", followed by "Local Policies" in the left pane, and then "Security Options".
- In the right pane, right click on "Clear virtual memory pagefile when system shuts down", left click "Security", and choose "Enabled".
- Left click "OK" to save your settings, and close all open windows.
12. Disable Dump file creation
When Windows stops unexpectedly as the result of a Stop Error ("blue screen of death" or system crash), a Memory.dmp file is created and it can be helpful when using debugging tools and software. Like the page file above, it can contain sensitive information and passwords displayed in plain text form. An intruder can definitely make use of it.
Step by step Procedure to disable dump file creation
- Click on Start, go to Settings, and open the Control Panel.
- Double click the "System" icon and then click the "Advanced" tab.
- Click the "Startup and Recovery" button, and look for "Write Debugging Information" toward the bottom of the window (XP users will have to first click on "Settings").
- Click on the down arrow at the right of the top window. The default setting is Small Memory Dump (64 KB). Choose "(none)".
- Click "OK" to save your settings and close all open windows.
13. Disable Dr. Watson dump file creation
Another memory dump file similar to the ones above is created by Dr Watson. This is a program error debugger that gathers all kinds of information about your computer when a user error or user-mode fault occurs within a program.
Step by step Procedure to disable Dr. Watson dump file creation
- Go to Start, then Run, then type in "regedit.exe" and hit "Return".
- Browse to the following location in the left pane:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
- Left click on the value "Auto" in the right pane, and change the value from "1" to "0".
- Close the Registry Editor.
Procedure to delete dump files created by Dr. Watson on earlier occasions
- Open Windows Explorer.
- Browse to C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson and delete the files named User.dmp and Drwtsn32.log.
14. Unhide scrap file extensions
A scrap file is used by Windows machines to transfer data between programs, and it can contain just about anything from data to an executable program. Remember that in our discussion of file types, we chose to uncheck the box "Hide extensions for known file types" to show all file extensions, and that I told you three file types would still remain hidden, one of them being .shs.
A scrap file can be renamed with a different file extension to make it look benign. Windows assigns "RUNDLL32.EXE SHSCRAP.DLL, OPENSCRAP_RUNDLL %1" to the .SHS extension by default. When the file is opened, Windows will unpack the scrap file and open or execute whatever is in the file. Once the scrap file is opened, you have absolutely no control over it. The trick here is to get the file to show its true .shs extension.
Step by step procedure to unhide scrap files extensions
- Go to "Start", "Run" and then type in "regedit.exe".
- Left click "Edit", then "Find", type in HKEY_CLASSES_ROOT\ShellScrap and click "Find".
- Once found, in the right pane, right click on "NeverShowExt" and choose "Modify".
- Type in "AlwaysShowExt" and hit "Return".
- Close the Registry Editor.
- Do a complete shutdown and reboot.
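To check whether the settings changed in these steps are actually in place after working through the list, here is an added example that is not part of the original post: a read-only PowerShell 2.0 audit (PowerShell 2.0 runs on XP SP3). The registry paths and value names are the standard Windows locations behind the dialogs described in steps 4 and 7 to 14, and the RID-based account lookup covers steps 1, 5 and the point made in step 8 (a rename does not change the SID); they come from general Windows knowledge, not from the post, and the function names are my own. Nothing here writes to the registry.

```powershell
# Added example, not code from the original post: a read-only audit of the
# settings that the 14 steps change. Registry paths are the standard Windows
# locations behind the GUI dialogs (general Windows knowledge, not from the
# post). Written for PowerShell 2.0, which runs on Windows XP SP3.

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value is missing instead of throwing.
    # Registry:: paths also reach HKEY_CLASSES_ROOT, which has no drive by default.
    $item = Get-Item -Path ("Registry::" + $Key) -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GetValue($Name)
}

function New-Result {
    param([string]$Step, [string]$Setting, $Actual, [bool]$Ok)
    New-Object PSObject -Property @{ Step = $Step; Setting = $Setting; Actual = $Actual; Ok = $Ok }
}

function Test-RegSetting {
    param([string]$Step, [string]$Key, [string]$Name, $Expected, [bool]$AbsentIsOk = $false)
    # Compares as strings so a REG_SZ "0" and a REG_DWORD 0 are treated alike.
    $actual = Get-RegValue $Key $Name
    if ($null -eq $actual) { $ok = $AbsentIsOk } else { $ok = ([string]$actual -eq [string]$Expected) }
    New-Result $Step $Name $actual $ok
}

function Get-BuiltinAccounts {
    # Steps 1, 5 and 8: renaming does not change the SID, so the built-in
    # accounts are located by their well-known RIDs (500, 501), not by name.
    $local = Get-WmiObject Win32_UserAccount -Filter "LocalAccount = True"
    $admin = $local | Where-Object { $_.SID -like "*-500" }
    $guest = $local | Where-Object { $_.SID -like "*-501" }
    New-Object PSObject -Property @{ AdminName = $admin.Name; GuestName = $guest.Name }
}

function Invoke-XpHardeningAudit {
    $hklm = "HKEY_LOCAL_MACHINE"
    $hkcu = "HKEY_CURRENT_USER"
    $acct = Get-BuiltinAccounts
    $results = @()
    $results += New-Result "1 Rename Administrator" "RID-500 account name" $acct.AdminName ($acct.AdminName -ne "Administrator")
    $results += Test-RegSetting "4 Screensaver password" "$hkcu\Control Panel\Desktop" "ScreenSaverIsSecure" "1"
    $results += New-Result "5 Rename Guest" "RID-501 account name" $acct.GuestName ($acct.GuestName -ne "Guest")
    $results += Test-RegSetting "7 Disable auto-logins" "$hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "AutoAdminLogon" "0" $true
    $results += Test-RegSetting "8 No anonymous SAM enumeration" "$hklm\SYSTEM\CurrentControlSet\Control\Lsa" "RestrictAnonymous" 1
    $results += Test-RegSetting "9 Unhide file extensions" "$hkcu\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" "HideFileExt" 0
    $results += Test-RegSetting "10 Disable Remote Assistance" "$hklm\SYSTEM\CurrentControlSet\Control\Terminal Server" "fAllowToGetHelp" 0
    $results += Test-RegSetting "10 Disable Remote Desktop" "$hklm\SYSTEM\CurrentControlSet\Control\Terminal Server" "fDenyTSConnections" 1
    $results += Test-RegSetting "11 Clear page file at shutdown" "$hklm\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" "ClearPageFileAtShutdown" 1
    $results += Test-RegSetting "12 Disable crash dump" "$hklm\SYSTEM\CurrentControlSet\Control\CrashControl" "CrashDumpEnabled" 0
    $results += Test-RegSetting "13 Disable Dr. Watson" "$hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" "Auto" "0"
    # Step 13 also asks for old Dr. Watson files to be deleted; report any that remain.
    $drwDir = "$env:ALLUSERSPROFILE\Application Data\Microsoft\Dr Watson"
    $dumps = Get-ChildItem $drwDir -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq "User.dmp" -or $_.Name -eq "Drwtsn32.log" }
    $results += New-Result "13 Old Dr. Watson files" "User.dmp / Drwtsn32.log" ($dumps | ForEach-Object { $_.Name }) ($null -eq $dumps)
    # Step 14: .shs stays hidden as long as a NeverShowExt value exists under ShellScrap.
    # The value is an empty string, so test for presence rather than content.
    $hidden = $null -ne (Get-RegValue "HKEY_CLASSES_ROOT\ShellScrap" "NeverShowExt")
    $results += New-Result "14 Unhide .shs extension" "NeverShowExt present" $hidden (-not $hidden)
    return $results
}

# Usage: run from an administrative PowerShell prompt; every row with Ok = False
# points at a step that still needs to be done (or was undone by a later change).
Invoke-XpHardeningAudit | Format-Table Step, Setting, Actual, Ok -AutoSize
```

Steps 2, 3 and 6 are not covered because a BIOS password, password quality and the file system type are not readable from these registry values; the account rows deliberately report the current names of the RID-500 and RID-501 accounts so the reader sees that the built-in accounts remain identifiable by SID even after renaming, which is why step 8 matters on top of steps 1 and 5.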