CastleCops, Internet Crime Fighters
Commentaries: Thirty steps to PC security
Security Hole
TurboTramp writes "Thirty steps to PC security:

This article describes the steps necessary to secure a Windows operating system against malicious exploits. The solutions listed below address the major classes of Windows vulnerability being exploited on the Internet at the time of writing (June 2005). If you would rather use tested software to apply these solutions, click http://www.geocities.com/turbotramp2/samurai.zip (above) to download the most recent version of Samurai, a host-based intrusion prevention system (HIPS) that secures your machine using the solutions listed below.


DISABLE INSECURE CONTROLS: Disable known insecure ActiveX controls.

This solution "kill-bits" ActiveX controls that are known to be insecure and that are not needed for normal operation. For each control's CLSID, a subkey is created under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility and its "Compatibility Flags" DWORD value is set to 0x400 (the kill bit), which stops Internet Explorer from loading that control regardless of zone settings. This is the same mechanism Microsoft's own advisories use (KB240797). The CLSIDs are:

// ADODB.Stream (the object disabled by KB870669)
{00000566-0000-0010-8000-00AA006D2EA4}
// Shell.Application
{13709620-C279-11CE-A49E-444553540000}
// AnchorClick DHTML Behavior
{8856F961-340A-11D0-A96B-00C04FD705A2}
// Image Control 1.0 (uses asycpict.dll)
{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}
// DHTML Editing Control
{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
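
The following PowerShell is an added example and is not code from the original post or from Samurai. It sets the kill bit for the five CLSIDs listed above by OR-ing 0x400 into "Compatibility Flags" (so any flags already present survive), then reads each key back and reports whether the bit is actually set. The script must run elevated because it writes to HKLM; the hashtable descriptions are copied from the list above.

```powershell
# Added example: kill-bit the ActiveX controls listed in the article, then audit.
# Requires an elevated PowerShell session (writes under HKLM).

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit     = 0x400   # "Compatibility Flags" bit that stops IE loading the control

# CLSIDs and descriptions exactly as given in the article.
$Controls = @{
    '{00000566-0000-0010-8000-00AA006D2EA4}' = 'ADODB.Stream'
    '{13709620-C279-11CE-A49E-444553540000}' = 'Shell.Application'
    '{8856F961-340A-11D0-A96B-00C04FD705A2}' = 'AnchorClick DHTML Behavior'
    '{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}' = 'Image Control 1.0 (asycpict.dll)'
    '{2D360201-FFF5-11D1-8D03-00A0C959BC0A}' = 'DHTML Editing Control'
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in rather than overwrite: other compatibility flags may already be set.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KillBit      # [int]$null is 0 when the value is absent
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

foreach ($clsid in $Controls.Keys) {
    Set-KillBit -Clsid $clsid
    $state = if (Test-KillBit -Clsid $clsid) { 'killed' } else { 'NOT SET' }
    '{0}  {1,-8} {2}' -f $clsid, $state, $Controls[$clsid]
}
```

The audit step matters: a kill bit written as a REG_SZ, or to HKCU instead of HKLM, is ignored by IE, and Test-KillBit would report NOT SET for it.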


PREVENT AIM EXPLOIT: Disable the AIM URL protocol handler.

This solution prevents the use of the aim: URL protocol by replacing the CLSID of its pluggable protocol handler with a harmless substitute, in this case the HTML Help handler's CLSID. The aim: URL protocol is not required for normal operation, and replacing it does not affect AOL Instant Messenger itself; only aim: links opened from a browser stop working.

The registry key is HKCR\PROTOCOLS\Handler\aim.
The registry value is CLSID.

PREVENT ANONYMOUS ACCOUNTS: Restrict anonymous sessions.

This solution restricts anonymous (null-session) enumeration of accounts and shares by setting the DWORD value HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1. (A value of 2 is stricter but breaks down-level clients and some domain operations, so it is not used here.) The setting does not take effect until the machine is rebooted; Samurai therefore displays "The new configuration will require a reboot." when it is changed.

DISABLE AUTO FILE OPEN: Disable automatic file open from Explorer.

This solution prevents Explorer from opening downloaded files without first prompting the user. This is accomplished by masking the auto-open bits in the EditFlags values of the file-type registry keys located under HKLM\Software\Classes, HKLM\Software\Classes\Shell\Open, HKLM\Software\Classes\CLSID, HKCU\Software\Classes, HKCU\Software\Classes\Shell\Open and HKCU\Software\Classes\CLSID.

STOP BITS SERVICE: Stop the Background Intelligent Transfer Service.

This solution stops the Background Intelligent Transfer Service (BITS). The service is not needed for day-to-day use and has been abused by malware to download payloads in the background. Note that Automatic Updates fetches patches through BITS, so it cannot download updates while the service is stopped.

DISABLE URL PROTOCOLS: Disable dangerous URL protocols.

This solution disables the insecure URL protocols ms-its:, ms-itss:, its:, mk: and local: by removing their entries from HKLM\Software\Classes\Protocols\Handler and HKCR\Protocols\Handler (HKCR is a merged view of the HKLM and HKCU Classes keys). Note that HTML Help loads the content of compiled help (.chm) files through the ms-its: protocol, so removing these handlers also stops .chm files from displaying.

DISABLE DYNAMIC ICONS: Disable insecure job icon handlers.

This solution disables the dynamic icon handler for Task Scheduler (.job) files by removing the IconHandler key from HKCR\JobObject\shellex and HKLM\SOFTWARE\Classes\JobObject\shellex. Explorer invokes this handler merely to draw the icon of a .job file in a folder listing, which is how the Task Scheduler buffer overrun (MS04-022) could be triggered without the user opening anything. The handler is not required for normal operation.

SECURE EXPLORER ZONE 0: Set and secure the "My Computer" zone.

This solution locks down the Local Machine ("My Computer") zone by resetting the action values under the registry key Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0. Internet Explorer reads the HKCU copy for each user; the HKLM copy only applies when the Security_HKLM_only value is set. Content that lands in this zone normally runs with the fewest restrictions, which is why so many cross-zone exploits aim to get there; these settings prevent many vulnerabilities, including MS05-001, MS05-008 and MS05-014, from getting anything useful out of it. Action values are 0 = Allow, 1 = Prompt, 3 = Disable. The settings are:

Action  Setting                                                     Value
1001    Download signed ActiveX controls                            Disable
1004    Download unsigned ActiveX controls                          Disable
1200    Run ActiveX controls and plug-ins                           Prompt
1201    Initialize and script ActiveX controls not marked as safe   Disable
1400    Active Scripting                                            Allow
1402    Scripting of Java applets                                   Disable
1405    Script ActiveX controls marked as safe for scripting        Allow
1406    Access data sources across domains                          Disable
1407    Allow paste operations via script                           Disable
1601    Submit non-encrypted form data                              Disable
1604    Font download                                               Disable
1605    Run Java                                                    Disable
1606    User Data persistence                                       Disable
1607    Navigate sub-frames across different domains                Disable
1608    Allow META REFRESH                                          Disable
1609    Display mixed content                                       Disable
1800    Installation of desktop items                               Disable
1802    Drag and drop or copy and paste of files                    Allow
1803    File Download                                               Disable
1804    Launching programs and files in an IFRAME                   Disable
1E05    Software channel permissions                                196608 (0x30000)
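
The following PowerShell is an added example, not code from the original post or from Samurai. It writes the zone 0 action values tabled above to the current user's Internet Settings key and then reports any value that does not match, which is the check you want after a group policy refresh or a browser update has touched the key. The 0/1/3 encoding is Internet Explorer's own; 1E05 is written with the article's literal value because it is not an Allow/Prompt/Disable action. IE hides zone 0 from its Security tab, so the registry is the only place these values can be seen.

```powershell
# Added example: apply the article's Local Machine zone (zone 0) settings for the
# current user and report drift. IE reads HKCU unless Security_HKLM_only is set.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$Allow = 0; $Prompt = 1; $Disable = 3     # IE's action-value encoding

# Action IDs and values exactly as in the article's table.
$Desired = [ordered]@{
    '1001' = $Disable   # Download signed ActiveX controls
    '1004' = $Disable   # Download unsigned ActiveX controls
    '1200' = $Prompt    # Run ActiveX controls and plug-ins
    '1201' = $Disable   # Initialize and script ActiveX controls not marked as safe
    '1400' = $Allow     # Active Scripting
    '1402' = $Disable   # Scripting of Java applets
    '1405' = $Allow     # Script ActiveX controls marked as safe for scripting
    '1406' = $Disable   # Access data sources across domains
    '1407' = $Disable   # Allow paste operations via script
    '1601' = $Disable   # Submit non-encrypted form data
    '1604' = $Disable   # Font download
    '1605' = $Disable   # Run Java
    '1606' = $Disable   # User Data persistence
    '1607' = $Disable   # Navigate sub-frames across different domains
    '1608' = $Disable   # Allow META REFRESH
    '1609' = $Disable   # Display mixed content
    '1800' = $Disable   # Installation of desktop items
    '1802' = $Allow     # Drag and drop or copy and paste of files
    '1803' = $Disable   # File Download
    '1804' = $Disable   # Launching programs and files in an IFRAME
    '1E05' = 196608     # Software channel permissions (0x30000, article's value)
}

function Set-Zone0Policy {
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        # DWord is required; a REG_SZ "3" is ignored by IE.
        New-ItemProperty -Path $ZoneKey -Name $name -PropertyType DWord -Value $Desired[$name] -Force | Out-Null
    }
}

function Get-Zone0Drift {
    # Returns one object per action whose stored value differs from the table.
    $actual = Get-ItemProperty -Path $ZoneKey
    foreach ($name in $Desired.Keys) {
        $have = $actual.$name           # $null when the value is missing
        if ($have -ne $Desired[$name]) {
            [pscustomobject]@{ Action = $name; Expected = $Desired[$name]; Actual = $have }
        }
    }
}

Set-Zone0Policy
$drift = @(Get-Zone0Drift)
if ($drift.Count -eq 0) { 'Zone 0 matches the table.' } else { $drift | Format-Table -AutoSize }
```

Get-Zone0Drift is useful on its own for auditing a machine without changing it: run it before Set-Zone0Policy to see what the current user's zone 0 actually allows.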

DISABLE GRP ASSOCIATION: Disable dangerous .grp file conversions.

This solution disables the insecure association between .grp (Program Manager group) files and the MSProgramGroup file type by deleting both registry keys from HKCR.

DISABLE GUEST ACCOUNT: Disable the Guest account.

This solution disables the Guest account by deleting the V and F values under SAM\SAM\Domains\Account\Users\000001F5 (RID 0x1F5 = 501, the built-in Guest account). The Guest account is not required for normal operation and is a common foothold for privilege-escalation exploits. Note that editing the SAM hive directly is unsupported; the supported way to get the same effect is to disable the account (net user guest /active:no).

DISABLE HTML APP TYPE: Disable the HTML Application MIME type.

This solution disables the HTML Application content type by removing the application/hta key from both HKCR\MIME\Database\Content Type and HKLM\SOFTWARE\Classes\MIME\Database\Content Type. This stops Internet Explorer from treating a served application/hta response as an HTA; files with a .hta extension are still mapped to mshta.exe through HKCR\.hta and HKCR\htafile, so a downloaded .hta will still run if the user opens it.

PREVENT HTML FRAME EXPLOIT: Check FRAME/IFRAME NAME attributes.

This solution registers an HTML filter that checks FRAME and IFRAME tags for overly long NAME attributes. The filter strips such names from the HTML stream to prevent the well-publicized Internet Explorer buffer overrun in FRAME/IFRAME handling (MS04-040). This can only be accomplished with the Samurai HIPS.

SECURE HTTP SETTINGS: Secure HTTP configuration parameters.

This solution adjusts registry values under HKLM\System\CurrentControlSet\Services\HTTP\Parameters, which configure the kernel-mode HTTP listener (http.sys) used by IIS 6 on Windows Server 2003 and by HTTP.sys-based services on XP SP2. They control request and URL size limits and how non-UTF-8 and percent-encoded URLs are accepted, which closes off many common request-parsing vulnerabilities. The settings are:

Value                 Setting
AllowRestrictedChars  0
EnableNonUTF8         1
FavorUTF8             1
MaxConnections        0x7fffffff
MaxEndpoints          0
MaxFieldLength        16384
MaxRequestBytes       16384
PercentUAllowed       1
UrlSegmentMaxCount    255
UriEnableCache        1
UriMaxUriBytes        262144
UriScavengerPeriod    120
UrlSegmentMaxLength   260

PREVENT IMAGE EXPLOITS: Check image files for correctness.

This solution hooks various system calls to block Animated Cursor (.ANI) and GDI+ (.JPG) files that carry buffer overflow exploits (the flaws addressed by MS05-002 and MS04-028 respectively). Only files containing an embedded buffer overflow are blocked from image processing; properly formatted ANI and JPG files are not affected. This can only be accomplished with the Samurai HIPS.

STOP INDEX SERVICE: Stop the Windows Indexing Service.

This solution stops the Windows Indexing Service (cisvc). The service is not required for normal operation and has a history of remotely exploitable flaws; its IIS ISAPI component was the vector used by the Code Red worm.

SECURE LICENSE LOGGING: Disable null-session License Logging.

This solution disables anonymous access to the License Logging service, the target of the MS05-010 buffer overrun, by removing "LLSRPC" from the NullSessionPipes multi-string value of the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters registry key.
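
The following PowerShell is an added example and not code from the original post or from Samurai; it covers this section and the PREVENT ANONYMOUS ACCOUNTS section above. NullSessionPipes is a REG_MULTI_SZ, and the common mistake is to overwrite it with a single string, which silently changes its type and drops every other pipe name. The script removes one pipe name while preserving the rest and the value type, then sets RestrictAnonymous to 1. It must run elevated.

```powershell
# Added example: remove LLSRPC from LanmanServer's NullSessionPipes (REG_MULTI_SZ)
# without disturbing the other entries, and set RestrictAnonymous = 1.
# Requires an elevated session (writes under HKLM).

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Remove-NullSessionPipe {
    param([Parameter(Mandatory)][string]$Pipe)
    $current = (Get-ItemProperty -Path $LanmanParams -Name 'NullSessionPipes' -ErrorAction SilentlyContinue).NullSessionPipes
    if (-not $current) { return @() }          # value absent or already empty
    # REG_MULTI_SZ arrives as string[]; filter it (PowerShell -ne is case-insensitive)
    # and write it back as MultiString so the type is not downgraded to REG_SZ.
    $remaining = @($current | Where-Object { $_ -and $_ -ne $Pipe })
    Set-ItemProperty -Path $LanmanParams -Name 'NullSessionPipes' -Value ([string[]]$remaining) -Type MultiString
    return $remaining
}

function Set-RestrictAnonymous {
    param([ValidateSet(0, 1, 2)][int]$Level = 1)
    # 1 = no anonymous enumeration of SAM accounts and shares (the article's setting);
    # 2 is stricter and breaks down-level clients, so it is not the default here.
    New-ItemProperty -Path $LsaKey -Name 'RestrictAnonymous' -PropertyType DWord -Value $Level -Force | Out-Null
    return (Get-ItemProperty -Path $LsaKey -Name 'RestrictAnonymous').RestrictAnonymous
}

$pipes = Remove-NullSessionPipe -Pipe 'LLSRPC'
"NullSessionPipes now: $($pipes -join ', ')"
"RestrictAnonymous = $(Set-RestrictAnonymous -Level 1)  (takes effect after reboot)"
```

Remove-NullSessionPipe returns the surviving list so the caller can confirm that pipes such as those the Server service needs are still present; an empty result after the call is a sign that the original value was not the expected multi-string.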

PREVENT LSASS EXPLOIT: Mitigate the LSASS (Sasser) exploit.

This solution mitigates the LSASS buffer overrun exploited by Sasser (MS04-011) by marking the dcpromo.log file read-only. The file lives in the debug directory under the system directory (%SystemRoot%\debug\dcpromo.log); the vulnerable function writes to that log, and the read-only attribute was a widely circulated workaround. It is a mitigation only: the actual fix is the MS04-011 update.

STOP MESSENGER SERVICE: Stop the Windows Messenger service.

This solution stops the Messenger service, the one behind "net send" pop-up messages. The service is not required for normal operation and had a remotely exploitable buffer overrun (MS03-043); it is also the usual channel for pop-up spam. Stopping it does not affect Windows Messenger or other instant messaging software.

STOP NET DDE SERVICE: Stop the Net DDE service.

This solution stops the Network Dynamic Data Exchange (NetDDE) service. The service is not required for normal operation and had a remotely exploitable buffer overrun (MS04-031).

DISABLE PCT PROTOCOL: Disable Private Communication Technology.

This solution disables the PCT 1.0 protocol by setting the Enabled value to 0 under both the Client and Server subkeys of HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0. PCT is an obsolete predecessor of TLS that is not required for normal operation, and its SChannel implementation had a remotely exploitable buffer overrun (fixed in MS04-011).

DISABLE UPNP SERVICE: Disable the Universal Plug and Play service.

This solution stops the SSDP Discovery Service (SSDPSRV), which also stops the dependent Universal Plug and Play Device Host (upnphost). The SSDP service is not required for normal operation and was the target of a remotely exploitable buffer overrun (MS01-059). This solution does not affect local Plug and Play hardware detection, which is unrelated.

DISABLE RDS: Disable the Remote Data Services DataFactory.

This solution disables three insecure RDS DataFactory objects, RDSServer.DataFactory, AdvancedDataFactory and VbBusObj.VbBusObjCls, by removing the corresponding registry keys from HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch. These objects are not used in normal operation, and removing them does not affect other Remote Data Services.

STOP REMOTE REGISTRY SERVICE: Stop the Remote Registry service.

This solution stops the Remote Registry service. The service is not required for normal operation and lets anyone with credentials on the machine reconfigure it from a remote computer.

DISABLE ROOTKITS: Clear existing rootkits and prevent future loading.

This solution hooks system calls to prevent rootkits from loading and restores the kernel's system call table to remove hooks installed by existing rootkits. It also provides a user interface that informs the operator whenever an attempt is made to load a device driver during normal operation. This can only be accomplished with the Samurai HIPS.

DISABLE RPC-DCOM: Disable RPC-based DCOM.

This solution disables DCOM by setting HKLM\Software\Microsoft\OLE\EnableDCOM to "N" and clearing the data in HKLM\Software\Microsoft\Rpc\DCOM Protocols. DCOM is not required on a typical workstation and was the attack surface for the RPC/DCOM overruns exploited by Blaster (MS03-026 and MS03-039); note that software which depends on DCOM, such as remote WMI management, will stop working. The setting does not take effect until the machine is rebooted; Samurai therefore displays "The new configuration will require a reboot." when it is changed.

DELETE SAM FILE: Delete the backup password file.

Many Windows versions keep a backup copy of the SAM hive in the repair directory under the system directory (%SystemRoot%\repair\sam). This file contains the local account names and LM/NTLM password hashes, which tools such as John the Ripper can crack to recover valid logins. This solution deletes the file. It exists only for emergency repair and is not required for normal operation.

DISABLE SHELL URL: Disable the shell: URL protocol handler.

This solution disables the shell: protocol handler by replacing the CLSID found at HKCR\PROTOCOLS\Handler\shell\CLSID with a harmless substitute, in this case the HTML Help handler's CLSID. The shell: URL protocol is not required for normal operation and has been abused from web pages to launch local programs.

BLOCK SYN ATTACKS: Prevent TCP/IP SYN attacks.

This solution helps prevent SYN flood attacks from exhausting TCP/IP by setting the SynAttackProtect value of the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key. The value is set to 2, which delays connection indications and lets half-open TCP connection requests time out quickly while a SYN attack is in progress. (This value is honoured by the Windows 2000/XP/2003 TCP/IP stack; Vista and later ignore it and apply SYN protection automatically.)

DISABLE WEBDAV: Disable Distributed Web Authoring.

This solution disables IIS WebDAV support by setting the DisableWebDAV value of the HKLM\System\CurrentControlSet\Services\W3SVC\Parameters registry key. WebDAV is not required for normal operation and was the vector for the ntdll.dll overrun (MS03-007); the setting only matters on machines running IIS.

DISABLE WINS SERVICE: Disable the Windows Internet Name Service.

This solution disables the Windows Internet Name Service (WINS), a server component found on server editions. It is not required on a workstation and had remotely exploitable flaws (MS04-045).
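
The following PowerShell is an added example and not code from the original post or from Samurai; it covers the service sections above (BITS, Indexing, Messenger, NetDDE, SSDP/UPnP, Remote Registry and WINS) in one pass. The article only stops the services; the example also sets them to Disabled so they do not come back at the next boot, which is my choice, not the article's. The short service names are my mapping of the article's descriptions to the XP/2003 service names. Run elevated, and remember that stopping BITS halts Automatic Updates downloads.

```powershell
# Added example: stop and disable the services the article names, reporting the result.
# Requires an elevated session.

$Services = [ordered]@{
    'BITS'           = 'Background Intelligent Transfer Service'
    'cisvc'          = 'Indexing Service'
    'Messenger'      = 'Messenger (net send pop-ups, not Windows Messenger)'
    'NetDDEdsdm'     = 'Network DDE DSDM (NetDDE depends on it)'
    'NetDDE'         = 'Network DDE'
    'SSDPSRV'        = 'SSDP Discovery Service'
    'upnphost'       = 'Universal Plug and Play Device Host'
    'RemoteRegistry' = 'Remote Registry'
    'WINS'           = 'Windows Internet Name Service (server editions only)'
}

function Disable-ListedService {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Service = $Name; Result = 'not installed' } }
    if ($svc.Status -ne 'Stopped') {
        # -Force also stops services that depend on this one
        # (e.g. upnphost when SSDPSRV is stopped, NetDDE when NetDDEdsdm is stopped).
        Stop-Service -Name $Name -Force -ErrorAction Stop
    }
    Set-Service -Name $Name -StartupType Disabled
    $after = Get-Service -Name $Name
    [pscustomobject]@{ Service = $Name; Result = "$($after.Status), startup Disabled" }
}

$Services.Keys | ForEach-Object { Disable-ListedService -Name $_ } | Format-Table -AutoSize
```

Get-Service on its own (without the Set-Service line) gives the audit view: run it after a reboot to confirm nothing has re-enabled a service, which malware that relies on BITS or the Messenger service will try to do.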

I hope this helps,
TurboTramp "
Posted on Friday, 17 June 2005 @ 13:04:10 UTC by Paul (3896 reads)
Re: Thirty steps to PC security (Score: 1)
by TurboTramp (turbotramp2@yahoo.com)  on Friday, 24 June 2005 @ 18:19:15 UTC
http://www.geocities.com/turbotramp2/samurai.html
You can get the latest and greatest version of Samurai from http://turbotramp.fre3.com/
I hope you enjoy the protection offered by Samurai,
TurboTramp