Client Management Suite

Securing That XP Desktop, Part 1 

01-22-2009 11:23 AM

The best kind of desktop is a secure desktop. As you all know, hackers are a tricky bunch. You have to go beyond Symantec Antivirus and actually lock Windows down if you want to make sure your computing environment is actually secure. A few weeks ago our network guy saw some suspicious traffic on our network. We all stopped what we were doing and tried to help him figure out what was going on. It looked like a virus, a trojan, and a worm all wrapped into one. After lots of hunting and troubleshooting he was able to figure out that it was normal traffic. We changed some settings on our servers and desktops to prevent the problem in the future and to make them more secure. I thought I would share some of our security settings with the Juice Community.

Here are some of the things that I wish I had done months before:

Disable Autorun

I had seen dozens of articles suggesting I turn off autorun, but I never did it. If you insert an infected USB key, CD or DVD, or ZIP disk (do you remember those?) into your machine, autorun can run the command named in the disk's Autorun.inf before you have opened a single file, and that is all the malware needs. I disabled autorun in two different ways:

  1. The first registry key:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoDriveTypeAutoRun"=dword:000000ff

  2. Here is a different registry key that I like to use as well:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"


In this case I like to have double security, because I really want to make sure that autorun is actually turned off. The first value is a bitmask: each bit stands for a drive type (0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD/DVD, and so on), and 0xff sets every bit, so autorun is disabled for all drive types; use a smaller value if you only want to cover, say, USB keys and CD-ROMs. One caveat for XP: until update KB950582 (re-released through Windows Update as KB967715) is installed, Windows still parses Autorun.inf and can run its command when the drive is opened in Explorer, whatever NoDriveTypeAutoRun says. The second key uses IniFileMapping to redirect every read of a file called Autorun.inf to a registry location that does not exist, so Windows sees every Autorun.inf as empty regardless of the first value. Between these two you will be mighty safe from autorun-based infection; the file is still on the disk, it just never gets executed automatically.
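The bitmask behind that dword, as an added example (my code, not the post's or Altiris' code): it turns drive-type names into a NoDriveTypeAutoRun value and back, so you can see exactly which drive types a value such as 0xff or 0x24 covers instead of trusting a magic number. The bit assignments are the ones Microsoft documents for this value; XP_DEFAULT assumes 0x91 as the value XP ships with.

```python
# Added example, not from the original post: build and read the
# NoDriveTypeAutoRun bitmask instead of memorising magic numbers.
# Bit values are the drive-type bits Microsoft documents for this DWORD;
# the .reg line format matches the one used in the post.

DRIVE_TYPE_BITS = {
    "unknown":     0x01,  # drive type could not be determined
    "no_root_dir": 0x02,  # drive letter with no mounted volume
    "removable":   0x04,  # USB keys, floppies, ZIP disks
    "fixed":       0x08,  # local hard disks
    "remote":      0x10,  # network drives
    "cdrom":       0x20,  # CD and DVD drives
    "ramdisk":     0x40,  # RAM disks
    "reserved":    0x80,  # "unspecified" drive types
}
ALL_DRIVES = 0xFF        # every bit set: the post's dword:000000ff
XP_DEFAULT = 0x91        # unknown + remote + reserved (assumed XP out-of-box value)


def autorun_mask(*disabled):
    """Return the NoDriveTypeAutoRun value that disables AutoRun on the
    named drive types; "all" gives 0xff as in the post."""
    if "all" in disabled:
        return ALL_DRIVES
    mask = 0
    for name in disabled:
        if name not in DRIVE_TYPE_BITS:
            raise ValueError(f"unknown drive type {name!r}")
        mask |= DRIVE_TYPE_BITS[name]
    return mask


def decode_autorun_mask(value):
    """Return the sorted drive types on which this value disables AutoRun."""
    return sorted(name for name, bit in DRIVE_TYPE_BITS.items() if value & bit)


def autorun_allowed(value, drive_type):
    """True if AutoRun is still allowed for drive_type under this value."""
    return not value & DRIVE_TYPE_BITS[drive_type]


def reg_line(value):
    """Render the value as the .reg file line used in the post."""
    return f'"NoDriveTypeAutoRun"=dword:{value:08x}'


if __name__ == "__main__":
    # USB keys and optical media are the usual infection vectors
    usb_and_cd = autorun_mask("removable", "cdrom")
    print(hex(usb_and_cd), decode_autorun_mask(usb_and_cd))
    print("XP default leaves removable drives open:",
          autorun_allowed(XP_DEFAULT, "removable"))
    print(reg_line(autorun_mask("all")))
```

The point of decoding the default is that 0x91 only covers unknown, network and "reserved" drive types: a USB key is a removable drive and is not covered, which is why the 0xff in the post (or at least 0x04 and 0x20) is needed.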

Registry

Did you know that you can edit the registry of a machine remotely? I found this out a few years back. It is great that a system administrator can do that, but we don't want a hacker doing it, do we? Setting Start to 4 marks the Remote Registry service as Disabled, so it will not start at the next boot; stop it as well (sc stop RemoteRegistry, or from services.msc), because changing Start does not stop a service that is already running. Anything that manages the machine through the remote registry API (some inventory and monitoring tools do) will stop working, so test that first. Use this registry key to turn off remote registry editing:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

I also like to take away the user's ability to edit the registry by hand. I do that in two ways; the first is this policy value:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

With this value set, the user cannot open the Registry Editor at all (regedit.exe refuses to start and says editing has been disabled by the administrator). It does not stop programs from writing to the registry: installers and the software itself still use the registry API, and anything the user can run under their own account, such as a script or a reg.exe copied from another machine, can still write to HKEY_CURRENT_USER. It is an HKCU policy value, so it applies only to the user hive it is written into; put it in the Default User profile, a logon script, or the NTUSER hive of the accounts you care about. You can also drop registry keys onto the machine using SVS layers, RIPs, and Wise Package Studio.

I also like to remove user access to the Windows programs that edit the registry. Each pair of commands first replaces the file's ACL with one that grants only the built-in Administrator account full control (cacls /p), then edits that ACL to add SYSTEM (/e /g); the "echo y|" answers the "Are you sure" prompt so the script runs unattended. Two things to know before you run it: /p grants "Administrator" the account, not "Administrators" the group, so your other local admins lose access to these files until someone takes ownership; and the ACLs only cover the copies on this machine, so a user who can run their own programs can still bring a reg.exe from elsewhere or write to HKEY_CURRENT_USER from a script. It is defence in depth on top of DisableRegistryTools, not a replacement for it. Here are the commands:

REM Registry editors: /p REPLACES the ACL with Administrator:F only,
REM /e /g then ADDS System:F. /t /c (recurse, keep going on errors) are
REM harmless on a single file. %SystemRoot% is C:\WINDOWS on a default XP install.

REM regedit.exe (XP ships a second copy in system32)...
echo y| cacls "%SystemRoot%\system32\regedit.exe" /t /c /p "Administrator":F
echo y| cacls "%SystemRoot%\system32\regedit.exe" /t /c /e /g "System":F


REM regedit.exe (the copy in the Windows folder)...
echo y| cacls "%SystemRoot%\regedit.exe" /t /c /p "Administrator":F
echo y| cacls "%SystemRoot%\regedit.exe" /t /c /e /g "System":F


REM reg.exe (the command-line registry tool)...
echo y| cacls "%SystemRoot%\system32\reg.exe" /t /c /p "Administrator":F
echo y| cacls "%SystemRoot%\system32\reg.exe" /t /c /e /g "System":F


REM regedt32.exe (on XP just a stub that starts regedit)...
echo y| cacls "%SystemRoot%\system32\regedt32.exe" /t /c /p "Administrator":F
echo y| cacls "%SystemRoot%\system32\regedt32.exe" /t /c /e /g "System":F

File Sharing

If users want to share a document, they can share it through a network drive or through something like Google Docs (for our domain, of course). Here is a registry key that removes the Shared Documents folder from My Computer (it hides the folder from the shell; it does not change the permissions on the folder itself):

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSharedDocuments"=dword:00000001

I also like to turn off Simple File Sharing with this value. ForceGuest=0 selects the classic security model, where remote users authenticate as themselves instead of all being mapped to the Guest account. It only applies to XP Professional (Home is always in the simple mode), and an XP Professional machine joined to a domain already uses the classic model, so this mostly matters on workgroup machines:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"forceguest"=dword:00000000

There are a few default (administrative) shares on every computer: ADMIN$, C$ and one for each further fixed drive (D$ and so on). After the scare I talked about above, we decided that we don't even want the default shares enabled. The value that does the work is AutoShareWks=0, which stops the Server service from recreating them when it starts (delete the existing ones with net share C$ /delete and so on, or restart the service, and check with net share afterwards). The rest of the block is simply an export of our whole LanmanServer\Parameters key, so read it before you import it: the comment lines explain the values that matter, and the two securitysignature values in particular should not be imported onto a machine where you had turned SMB signing on.

Windows Registry Editor Version 5.00

; Exported LanmanServer\Parameters key. Only AutoShareWks is needed to
; remove the administrative shares; the other values are this machine's
; existing settings and are included as exported.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Size"=dword:00000002
"DisableDos"=dword:00000000
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
; Both 0: SMB signing is neither offered nor required by this machine's
; server side (the XP workstation default, but a step backwards if you
; had enabled it).
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
; REG_MULTI_SZ: pipes reachable over a null session. Decoded: COMNAP,
; COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,\
 00,4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,51,00,4c,00,5c,00,51,00,55,00,\
 45,00,52,00,59,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,4c,\
 00,4c,00,53,00,52,00,50,00,43,00,00,00,62,00,72,00,6f,00,77,00,73,00,65,00,\
 72,00,00,00,00,00
; REG_MULTI_SZ: shares reachable over a null session. Decoded: COMCFG, DFS$
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
 00,53,00,24,00,00,00,00,00
; REG_EXPAND_SZ: %SystemRoot%\System32\srvsvc.dll, the Server service DLL
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
 00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
 73,00,72,00,76,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"Lmannounce"=dword:00000000
; A per-machine value; there is no reason to copy it to other computers
"Guid"=hex:22,3a,ba,ab,cd,bc,c3,43,9e,77,86,56,70,5a,39,55
"AdjustedNullSessionPipes"=dword:00000001
"CachedOpenLimit"=dword:00000000
; The value that matters: do not recreate C$, D$ and ADMIN$ at service start
"AutoShareWks"=dword:00000000

There is one more share that hangs around: IPC$. It is the named-pipe share the Server service itself creates, so the only way to get rid of it is to disable the Server service, which also means the machine will no longer serve any file or printer share at all. You can do that with this script at the command prompt (the stop is needed too; start= disabled only keeps the service from starting at the next boot):

ECHO Security...
sc config "lanmanserver" start= disabled
sc stop "lanmanserver"

Note: some things depend on this share being available, namely anything that reaches the machine over SMB: remote agent installers that copy files to ADMIN$, remote event log and remote registry access, and the net use / net view family of commands. From what I can tell, all of our Altiris and Symantec stuff is working just fine. It was worth the extra security for me, so I disabled this service. I actually prevent this service from installing when I install XP. If you are interested in that script, let me know...

Finally, I highly suggest that you disable null (anonymous) connections. EveryoneIncludesAnonymous=0 keeps anonymous logons out of the Everyone group, RestrictAnonymousSAM=1 blocks anonymous enumeration of SAM accounts, and RestrictAnonymous restricts anonymous enumeration of shares. One caveat on the last one: the value 2 is a Windows 2000 setting ("no access without explicit anonymous permissions"); on XP the documented values are 0 and 1, the "Do not allow anonymous enumeration of SAM accounts and shares" policy writes 1, and the extra protection that 2 used to give is what EveryoneIncludesAnonymous=0 now provides. Here are the values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"everyoneincludesanonymous"=dword:00000000
"restrictanonymous"=dword:00000002
"restrictanonymoussam"=dword:00000001

Desktop Security

There are a few places that I lock down on the desktop. These settings are meant for public machines only: some of them would drive a normal user crazy, others are reasonable anywhere, and you will have to decide how much you want to annoy your users. They are all HKEY_CURRENT_USER policy values, so they apply to whichever user hive you write them into (the Default User profile, a logon script, or Group Policy). Here are the "Display Properties" settings I like to tweak:

Disable Appearance Tab - I don't want users of a public machine messing with these settings. It is not their machine, so they don't get to customize it. [Screenshot: the Appearance tab of Display Properties]

Here is the registry key that I use to remove it:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000001

Disable Background (Desktop) Tab - [Screenshot: the Desktop tab of Display Properties]

And here is the registry key to disable it:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001

Disable Screen Saver Tab - [Screenshot: the Screen Saver tab of Display Properties] Hiding the tab only stops users from changing the screen saver; it does not turn one on or make it password-protected. On a public machine you want that too, which is set with the ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut values under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop.

And here is the key to disable it:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=dword:00000001

Disable Themes Tab - [Screenshot: the Themes tab of Display Properties]

And here is how to disable it. Note that this one is an Explorer policy, so it lives under Policies\Explorer rather than Policies\System like the three tabs above:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoThemesTab"=dword:00000001

This is a good place to stop. There are many more settings that I use to keep my desktops secure. In the next article we will talk about a number of topics, including how to lock down the Control Panel and how to push these settings out to the computers you manage. All of these keys have helped secure our desktops; the more settings we have implemented, the more problems we have prevented. I never thought about it until now, but if you take a few minutes to push these settings out to your computers you will save tons of time (and I mean weeks). Avoiding a virus is much better than getting infected (but I am preaching to the choir right now...).

Some of you are probably thinking that XP is way too old to worry about. I disagree. We have decided to use XP until we can get our arms around Windows 7. Also, you are probably supporting several OSes in your environment. A lot of these keys will probably work in Vista and in Windows 7; if they don't, at least you will know what to look for. Finally, some of you are probably thinking that these are all group policies that can be set from Active Directory. You are correct. To help users get logged in faster (especially on public machines) I push as many settings to the client as I can. If you have any questions about what we have discussed in this article, please drop me a line in the comment section. Until next time... I have attached all of the registry keys and scripts to this document for your securing pleasure.

License: AJSL
By clicking the download link below, you agree to the terms and conditions in the Altiris Juice Software License.
Support: User-contributed tools on the Juice are not supported by Altiris Technical Support. If you have questions about a tool, please communicate directly with the author by visiting their profile page and clicking the 'contact' tab.

Attachment(s)
Screenshots: 10.JPG, 12.JPG, 14.JPG, 17.JPG, 10471.jpg, 10471-10_3.jpg, 10471-10_3_0.jpg, 10471-12_2.jpg, 10471-12_2_0.jpg, 10471-14_2.jpg, 10471-14_2_0.jpg, 10471-17_2.jpg, 10471-17_2_0.jpg
Registry keys and scripts: Securing the Desktop-PartI.txt

Comments

03-08-2009 07:40 PM

Most of these tips were mostly common sense, but the registry keys are what helped me. I have been looking for a way to disable registry editing for a while, but wasn't quite sure if it was working or not. After trying the posted method, I can no longer edit the reg, so it must be in effect. Thanks for posting the information.

And just a quick question, is it possible to enable registry editing again in case of emergency?

02-13-2009 11:20 AM

Simple file sharing is not automatically disabled when XP is a member of the domain. Unless your domain has some group policy to do this, it is not disabled.
As for having it disabled, I think it causes problems with the NS more than the DS.

02-13-2009 10:55 AM

Yes, the KB950582 MS patch is required in order to disable the Autorun feature.
To discover if this patch is applied, check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4; if you don't see the KB950582 hive, you will have to download (see the download list below) and install this patch.
Later you can go ahead with the Autorun configuration as described in the article.
- Update for Windows XP (KB950582)
- Update for Windows Vista (KB950582)

- Update for Windows Server 2008 (KB950582)

01-28-2009 03:27 PM

Just wanted to add in order for 'NoDriveTypeAutoRun' to work, I think you need to make sure you install KB950582 (http://www.microsoft.com/downloads/details.aspx?FamilyId=CC4FB38C-579B-40F7-89C4-1721D7B8DAA5&displaylang=en). I guess this only gets added via Windows Update on Vista and Server 2008. Any other OS needs it applied manually.

01-28-2009 11:12 AM

If an XP machine is a member of a Domain then Simple File Sharing is disabled regardless of whether this is ticked or not.
The AClient needs this option to be disabled for Remote Agent Installer in the DS Console to deploy the agent.

01-22-2009 05:35 PM

Heya, yep, we disable Simple File Sharing here and the Aclient still works.

01-22-2009 04:25 PM

Would the Aclient still function properly with Simple File Sharing disabled?
