Advanced Security Tips for Windows XP Professional

Using the Security Configuration Manager and Templates

The Security Configuration Manager (SCM) set of tools allows you to define security templates that can be applied to individual machines or any number of machines via Group Policy. Security templates can contain the following policies: password, lockout, Kerberos, audit, event log settings, registry values, service startup modes, service permissions, user rights, group membership restrictions, registry and file system permissions.

Microsoft provides a number of predefined security templates to help you lock down your PC via Group Policy. These templates represent low, medium and high security configurations, which can be customized to meet your specific needs. The relevant registry values configurable by SCM appear under Local Policies\Security Options when using SCM tools such as the security templates snap-in, the security configuration and analysis snap-in, or the security settings extension to Group Policy. This feature is not available on the Windows XP Home Edition.

Password Security

Though it is often overlooked, a good password policy is essential to your network security. In large organizations it is tempting for poor administrators to create all local Administrator accounts, or worse, a common domain-level administrator account, that use a variation of the company name, computer name, or advertising logo line, for example %companyname%#1, winxp%companyname%, etc. Even worse are new user accounts with simple passwords such as "welcome", "letyouin", "new4you", with no requirement to change the password after the first logon.

Use complex passwords that are changed at least every two months. Use Group Policy or the local computer policy to set restrictions on password age, length, complexity, lockout duration, and the number of bad attempts. Click Start > Run > type GPEDIT.MSC > Go to Computer Configuration > Windows Settings > Security Settings > Local Policy > Security Options.

Passwords need to be at least eight characters, but nine or more are better. Many cracking programs use the eight-character standard as a starting point. Also, each password must follow the standards set for strong passwords. The basic goal is that the password be complex enough to thwart cracking attempts, but not so complex that users will have difficulty remembering their passwords and end up writing them on sticky notes stuck to the bottom of their keyboards.

Weak passwords are the order of the day for many people simply because the human memory works best by association. It's easy to *********** their passwords if you understand how people remember things, when they want to keep it simple. With a little imagination you can develop stronger passwords. One good technique is to take a phrase or the title of a book or movie, for example "Cheaper By The Dozen". Take the second letter of each word: "h-y-h-o". Arrange the result as "12h7y2h3o5". The "12" is the dozen of the title, then each second letter is matched to the number of letters in its word. There are unlimited variations you can create with this. Go ahead and have some fun with it. You will have stronger passwords. Try to get lengths of more than eight characters.

For those who are not into this kind of fun, rather than exhort you, ad nauseam, to use stronger passwords, whether in a network or simply online, get good-quality, third-party password management software and use it. It will generate and save the passwords you need in encrypted folders. Then you need to remember only one or two passwords to use the software. One such application is Any Password, which is freeware. Another is SPS, which is shareware.

Software Restriction Policies

With a properly used software restriction policy, you can prevent unwanted programs from running, including viruses, Trojan horses and other software that is known to cause conflicts when installed. Software restriction policies can be used on a stand-alone computer by configuring the local security policy with the Group Policy and the Active Directory. Click Start > Run > type GPEDIT.MSC > Go to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies.

Avoid Unnecessary Accounts

Remove any duplicate user accounts: test, shared or general ones, etc. Use group policies to assign permissions as needed and check your accounts regularly. General accounts are famous for having weak passwords with lots of access and are at the top of crackers' lists of accounts to break into first.

Rename the Administrator Account

Why make it easy for crackers to hack into your Admin account? Renaming the Administrator account will stop some amateur crackers dead, and will annoy the more determined ones. Remember that crackers don't know what the inherent or group permissions are for an account. They will try to hack any local account they find, then other accounts as they move to improve their access. If you rename the account, try not to use the word "Admin" in its name. Pick something that won't sound like it has rights to anything. Examples: Recliner, Puck, GreenSpoon, Bucket, etc.

Create a False Administrator Account

Another way to frustrate crackers is to create a local account named "Administrator," giving that account no privileges and an impossible-to-guess, 12+ digit complex password. This will keep the script kiddies busy for a while. If you create a false Administrator account, enable auditing so you will know if it is being messed with.

Replace the "Everyone" Group with "Authenticated Users" on File Shares and Printers

"Everyone," in the context of Windows XP security, means that anyone who gains access to your network can access the data. Never assign the "Everyone" Group to have access to a file share on your network. Use "Authenticated Users" instead. This is especially important for printers, which have the "Everyone" Group assigned by default.

Stop the Last Logged-in User Name From Being Displayed

When you press Ctrl-Alt-Delete, a login dialog box appears which displays the name of the last user who logged in to the computer. This makes it easy to discover a user name that can be used in a password cracking attack. The display can be disabled via the Group Policy snap-in. Click Start > Run > type GPEDIT.MSC > Computer Configuration > Windows Settings > Security Settings > Local Policy > Security Options.
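The password, Administrator-rename and last-user-name settings above can be verified from a policy export instead of by clicking through the editor. The following Python script is an added example, not part of the original article: it audits text in the format written by `secedit /export /cfg`, using a constructed sample, and it assumes 60 days as the reading of "two months".

```python
import configparser

# Constructed sample in the format written by `secedit /export /cfg policy.inf`
# (values chosen for illustration, not taken from a real machine).
# Real exports are UTF-16: read them with open(path, encoding="utf-16").
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
MaximumPasswordAge = 90
PasswordComplexity = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
"""

LAST_USER_KEY = (r"machine\software\microsoft\windows\currentversion"
                 r"\policies\system\dontdisplaylastusername")

def parse_inf(text):
    # Registry keys contain backslashes, so split on "=" only and keep values raw.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(text)
    return cp

def audit(text):
    """Return the settings that fall short of the article's recommendations."""
    cp, findings = parse_inf(text), []
    def num(key):
        return cp.getint("System Access", key, fallback=None)
    length, age = num("MinimumPasswordLength"), num("MaximumPasswordAge")
    if length is None or length < 8:            # article: at least eight characters
        findings.append("MinimumPasswordLength")
    if age is None or age == -1 or age > 60:    # -1 means passwords never expire
        findings.append("MaximumPasswordAge")
    if num("PasswordComplexity") != 1:          # 1 = complexity enforced
        findings.append("PasswordComplexity")
    if not num("LockoutBadCount"):              # 0 or missing = no lockout
        findings.append("LockoutBadCount")
    name = cp.get("System Access", "NewAdministratorName", fallback="").strip('"')
    if not name or "admin" in name.lower():     # article: avoid "Admin" in the name
        findings.append("NewAdministratorName")
    reg = cp.get("Registry Values", LAST_USER_KEY, fallback="4,0")
    if reg.split(",", 1)[-1].strip() != "1":    # "4,<data>": REG_DWORD, 1 = hide name
        findings.append("DontDisplayLastUserName")
    return findings

if __name__ == "__main__":
    for setting in audit(SAMPLE_INF):
        print("needs attention:", setting)
```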

Disabling Remote Desktop

Remote Desktop allows you to access your computer from a remote location. It is not enabled by default in Windows XP Pro. Using it can leave the computers in a network vulnerable to attack and infiltration.

Using the computer's local Group Policy to disable Remote Desktop:
Click Start, click Run, type gpedit.msc, and then click OK.
In the Group Policy editor, click to expand Computer Configuration, click to expand Administrative Templates, click to expand Windows Components, and then click to expand Terminal Services.
Double-click the "Do not allow new client connections" policy.
Set the policy to Enabled, and then click OK.

Disable Unnecessary Services

An unnecessary service is an unneeded cracker hole, as well as a drain on system resources. You can disable services via Control Panel > Administrative Tools > Services. The list of unneeded services on Windows XP is too long for this article.


Enable EFS (Encrypting File System)

Windows XP Professional comes with an encryption system that adds an extra layer of security for drives, folders, or files. This will help prevent a cracker from accessing your files by physically mounting the hard drive on another PC or taking ownership of files. Be sure to enable encryption on Folders, not just files. All files that are placed in that folder will then be encrypted. It is not available on Windows XP Home Edition, but you can use third-party encryption software to get the same result.

Encrypt the Client-side Cache

With Windows XP, you can mark any shared folder that is available on the network or on any Web page to be available offline. The contents of these shared folders or pages are copied to an Offline Files database that is known as the client-side cache, where you can access them when not connected to the network. To safeguard offline files against theft, you can specify that the client-side cache is encrypted. To encrypt the Offline Files database on a local computer: Click Start > Folder Options > select the Offline Files tab. If Offline Files are not already enabled, click the Enable Offline Files option > Click the Encrypt offline files to secure data option > Click OK. When encryption of offline files is enabled or disabled, the entire database is affected, it's "all or nothing," you cannot encrypt only some offline files. (Not a problem with third-party encryption software.) If you are using the Fast User Switching feature, you will not be able to use offline files, and none of the options on the Offline Files tab will be available. To disable Fast User Switching, use the User Accounts utility in the Control Panel.

Encrypting Temp Folders

Microsoft applications often use the temp folder to store copies of files while they are being updated or changed. They may not clean the folder when you close the program. Encrypting the temp folders provides an extra layer of security for your files. This feature is not available on the Windows XP Home Edition, unless you use third-party encryption software.

