KezNews.com
Hardening Windows XP Professional



Windows XP has considerably more functionality than Windows 2000. With this functionality come more services and more potential security holes. Some of the measures undertaken by IST to reduce the risk are outlined in the extracts below. These are the security-related sections IST follows when building a Windows XP image for distribution within Academic Support.

NOTE: Most of these changes require you to sign on as an administrator. The first and most important change to be applied is to set a password on all user accounts. Next, it is very strongly advised that you do not log on with an administrative account but rather a "User" or "Power User" account.




To do this:
Right-Mouse click "My Computer"
- Select "Manage"
- Select "Local Users and Groups"
- Right-Mouse select "Users" and create a New User
This new user will automatically be a member of the "Users" group. Make sure it is not also an administrator in the same "Manage" window. To do so:

Left-Mouse click on "Local Users and Groups/Groups"
- Right-mouse click on "Administrators" and remove all users that do not belong, including this new user.
Use this new account for everything from now on, except installing and removing software.
NOTE: When you join a Windows domain at UW, the logon GINA (as it's called) changes from listing all the userids on the computer on the startup screen to a login prompt asking for userid, password and domain. Joining a domain may also introduce new users, along with the changes outlined below.

Security Policy Changes

Policies are usually applied in Academic Support in Active Directory. In some cases workstations in these departments do not fall into our domain and are therefore left more open than desired. For this reason these policies are applied locally. If the workstation does join the ADS domain, the policies there will take precedence. This might mean some of the policies below get applied twice, but that's better than not at all.
Go to Start Menu\Settings\Control Panel\Administrative Tools\Local Security Policy

1. Position the window so it is fully visible.

2. Under Account Policies\Password Policy, change the following options:
- Maximum Password Age: 0
- Minimum Password Length: 7
- Passwords must meet complexity requirements: Enabled

3. Under Account Policies\Account Lockout Policy, change the following options:
- Account Lockout Threshold: 15
- Account Lockout Duration: 5

4. Under Local Policies\Audit Policy, change the following options:
- Audit Account Logon Events: Check the Success and Failure options
- Audit Logon Events: Check the Success and Failure options

5. Under Local Policies\User Rights Assignment, change the following options:
- Access this computer from the Network: Uncheck (or remove) all entries
- Change system time: Add Everyone
- Log on locally: Remove (or uncheck) the xxx/Guest account

6. Under Local Policies\Security Options, change the following options:
- Devices: Allowed to format & eject removable media: Administrators & Power Users
- Interactive Login: Do Not Require CTRL+ALT+DEL for logon: Disabled
- Microsoft Network Client: Send unencrypted password to connect to third-party SMB servers: Enabled
- Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts: Enabled
- Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts And Shares: Enabled
- Shutdown: Clear virtual memory pagefile when System shuts down: Enabled
(SAM accounts are Anonymous connections from the Windows 2000 days)

7. Check the following web links for more information:
a. http://ist.uwaterloo.ca/cs/w2kclient/GroupPolicies.html
b. http://ist.uwaterloo.ca/cs/w2kclient/GroupPoliciesUW.html
8. Close the Local Security Settings window.
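
To confirm on a finished image that steps 2 to 4 were actually applied, the local policy can be exported with `secedit /export /cfg <file>` and compared against the values above. The following is an added example, not part of the original IST procedure; the sample export is constructed, and the handling of Maximum Password Age is an assumption noted in the code.

```python
import configparser

# Values from steps 2-4 above, keyed by the names secedit writes in its export.
# Audit values: 0 none, 1 success, 2 failure, 3 success and failure.
BASELINE = {
    "System Access": {
        # Assumption: the GUI value 0 (never expires) is exported as -1.
        "MaximumPasswordAge": {"0", "-1"},
        "MinimumPasswordLength": {"7"},
        "PasswordComplexity": {"1"},
        "LockoutBadCount": {"15"},
        "LockoutDuration": {"5"},
    },
    "Event Audit": {"AuditAccountLogon": {"3"}, "AuditLogonEvents": {"3"}},
}

# Constructed sample, shaped like an export from an unhardened machine.
SAMPLE = """\
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 1
"""

def audit_template(text):
    """Return (section, key, found) for every setting off the baseline."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str  # keep the exported key case
    cp.read_string(text.lstrip("\ufeff"))
    findings = []
    for section, keys in BASELINE.items():
        for key, allowed in keys.items():
            found = cp.get(section, key, fallback=None)
            if found is None or found.strip() not in allowed:
                findings.append((section, key, found))
    return findings

if __name__ == "__main__":
    # Real exports are UTF-16: open("policy.inf", encoding="utf-16").read()
    # ("policy.inf" is a hypothetical file name).
    for section, key, found in audit_template(SAMPLE):
        print(f"[{section}] {key}: found {found!r}")
```

A missing key (such as LockoutDuration when no lockout threshold is set) is reported with a found value of None.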

Changes to Services

Some services take up unnecessary resources. Others are not required by most and can be disabled en masse. Cases can always be made to enable certain services if required. Windows XP supplies reasonable explanations of what most services do in the Extended view when a service is selected.

1. Right-click My Computer/Manage

2. Expand and reposition the window

3. Expand the Services & Applications tab

4. Select Services

5. Double-click the following services listed (if they are there). Under Startup Type select Manual and click the Stop button to stop the service if it is running. If the service is already listed as Manual, don't worry about it.
a. Computer Browser (installed & on automatic by default)
b. IMAPI CD Burning COM Service (installed, but already on manual by default)
c. Indexing Service (installed but manual by default)
d. FAX Service (not installed by default)
e. FTP Publishing Service (not installed by default)
f. Volume Shadow Copy
g. Windows Image Acquisition
h. World Wide Web Publishing Service (not installed by default)
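
The startup types set in step 5 can be verified afterwards from saved `sc qc <service>` output. The following is an added example, not part of the original IST procedure; it checks the startup type only, not whether the service is currently running. The short service names are assumed to be the usual Windows XP ones, and the sample output is constructed.

```python
import re

# Short names for the services in step 5. Assumption: these are the usual XP
# names; confirm on the image with: sc getkeyname "<display name>"
TARGETS = ["Browser", "ImapiService", "cisvc", "Fax",
           "MSFTPSVC", "VSS", "stisvc", "W3SVC"]

# Constructed sample: `sc qc` run for Browser, cisvc and W3SVC in turn.
SAMPLE = """\
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Browser
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        DISPLAY_NAME       : Computer Browser
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: cisvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : Indexing Service
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

def parse_sc_qc(output):
    """Map lower-cased service name to its START_TYPE keyword."""
    start, name = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*SERVICE_NAME\s*:\s*(\S+)", line)
        if m:
            name = m.group(1).lower()
            continue
        m = re.match(r"\s*START_TYPE\s*:\s*\d+\s+(\w+)", line)
        if m and name:
            start[name] = m.group(1)
    return start

def services_to_fix(output):
    """Installed target services whose startup type is not manual or disabled."""
    start = parse_sc_qc(output)
    # Services missing from the output are not installed; nothing to change.
    # DISABLED is accepted as well, since it is stricter than Manual.
    return [(svc, start[svc.lower()]) for svc in TARGETS
            if start.get(svc.lower(), "DEMAND_START")
            not in ("DEMAND_START", "DISABLED")]
```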

Add UW/IST Security Certificate

This is more of a convenience than a hardening issue. Having the certificate present saves the client having to do it later.

Install the IST security certificate:

1. Go to http://ist.uwaterloo.ca/security/IST-CA/
2. Click on click here
3. Click Open to execute the certificate
4. Click the Install Certificate button
5. Click Next, Next, Finish
6. Click Yes to the Root Certificate Store window.
7. Click OK to the Certificate Import wizard
8. Click OK & exit Internet Explorer

MBSA Patch Check & Security Tests

Microsoft only shows the critical patches when using Windows Update and there could still be possible security holes you don't know about. All images must be checked for security flaws before they are deployed.

Using the MBSA (Microsoft Baseline Security Analyzer) tool, you will probably see many more patches for specific problems which are not considered critical. Review the documents referred to and patch the security holes accordingly. Always reboot after patch installations or HFNetChk might not know that the patch was applied.

Installing MBSA

1. Go to http://www.microsoft.com and search for HFNETCHK (this is part of MBSA)

a) Download the HFNETCHK application to the desktop
b) Execute it and install it to c:\hfnetchk
c) Launch a cmd window, and go to the c:\hfnetchk folder
d) Enter hfnetchk -z -v (This will connect to Microsoft, download a security update & patch database)
e) It will scan the PC for non-critical patches which have not been installed, and tell you which ones are missing via a Qxxxxxx document number.
f) Check the document # (Q######) on http://www.microsoft.com/technet to see if it really is necessary to install it.
g) Delete the HfNetChk folder when done

Security Tests

1. Go to http://ist.uwaterloo.ca/security/howto

a. Go to the Windows NT/2000/XP Hardening section and choose the Penetration Test option
b. From this page you can choose either the Free On-Line Virus & Security Check, or the Gibson Research Corporation shields test. Do both of them.
c. If anything comes back as bad, consult with Reg Quinton regarding how to fix it, if necessary.
d. Ports like 135 (RPC), 139 (NetBios) & 445 (Windows SMB) will likely come back as exposed.

2. Call Reg Quinton and have him do a remote security scan of the machine. He will report if anything unusual or bad comes back.

Set Start Menu Security
This changes the permissions on all the elements under the Start Menu to be accessible to all, but changeable only by Administrators. The good reason for this is that it prevents a user from completely messing up the Start Menu, but does still allow some customization.

1. Go to C:\Documents and Settings\All Users

2. Right-click on the Start Menu icon, select Properties and go to the Security tab

3. Click on the Power Users entry under the Group or User Names field

4. Click Advanced button

5. Unselect "Inherit from Parent the Permission Entries..."

6. Click Copy in the window that pops up and OK

7. Click OK to the Advanced window

8. Unselect the Allow checkmark on Modify and Write. Read & Execute, List Folder Contents & Read should be checked.

9. Click Apply

10. Check that the User and Power User settings are now the same

11. Select Power User again

12. Click the Advanced tab

13. Remove any entry that starts with "Deny - Power Users (TLAB)..."

14. Select the "Allow Power Users..." entry

15. Click Edit button

16. Uncheck Delete Subfolders & Files & Delete under the Allow column

17. Click OK

18. Click Apply, OK, OK

19. Check that the power user permissions for an object inside a folder in the Start Menu only have Read & Execute and Read checked under the Allow column.

20. Close all windows.

source: winxp.uwaterloo.ca

