The best kind of desktop is a secure desktop. As you all know, hackers are a tricky bunch. You have to go beyond Symantec Antivirus and actually lock Windows down if you want to make sure your computing environment is actually secure. A few weeks ago our network guy saw some suspicious traffic on our network. We all stopped what we were doing and tried to help him figure out what was going on. It looked like a virus, a trojan, and a worm all wrapped into one. After lots of hunting and troubleshooting he was able to figure out that it was normal traffic. We changed some settings on our servers and desktops to prevent the problem in the future and to make them more secure. I thought I would share some of our security settings with the Juice Community.
Here are some of the things that I wish I had done months before:
Disable Autorun
I had seen dozens of articles that suggested I turn off autorun, but I never did it. If you insert an infected USB key, CD or DVD, or ZIP disk (do you remember those?) into your machine, autorun will run whatever its Autorun.inf points at and infect the machine. I disabled autorun in two different ways:
- The first registry key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
- Here is a different registry key that I like to use as well:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
In this case I like to have double security. I really want to make sure that autorun is actually turned off. The first key disables autorun for all drive types: the DWORD is a bitmask with one bit per drive type, so with a different value you can disable autorun on removable drives such as USB keys only, for example. The second key remaps Autorun.inf, the file Windows reads to decide what to autorun, to a registry location that does not exist, so Windows never sees its contents. Between these two, you will be mighty safe.
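To make the bitmask concrete, here is an added PowerShell example (not code from the original article) that builds a NoDriveTypeAutoRun value for a chosen set of drive types and decodes any value back into the drive types that can still autorun. It assumes the documented bit assignments listed in the table and the XP default mask of 0x91.

```powershell
# Added example, not from the original article: build and decode NoDriveTypeAutoRun.
# Bit assignments are the documented drive-type flags for this value.
$DriveTypeBits = @{
    Unknown   = 0x01   # DRIVE_UNKNOWN
    Removable = 0x04   # USB keys, floppies, ZIP disks
    Fixed     = 0x08   # internal hard disks
    Remote    = 0x10   # network drives
    CDRom     = 0x20   # CD / DVD drives
    RamDisk   = 0x40
    Reserved  = 0x80   # drive types Windows does not recognise
}

function New-AutorunMask {
    # Returns a mask that disables autorun for the named drive types, OR-ed onto
    # $Base so the bits already set by default (XP ships with 0x91) are preserved.
    param([string[]]$DisableFor, [int]$Base = 0x91)
    $mask = $Base
    foreach ($name in $DisableFor) {
        if (-not $DriveTypeBits.ContainsKey($name)) { throw "Unknown drive type: $name" }
        $mask = $mask -bor $DriveTypeBits[$name]
    }
    return $mask
}

function Get-AutorunEnabledTypes {
    # Lists the drive types on which a given mask still allows autorun.
    param([int]$Mask)
    $DriveTypeBits.GetEnumerator() |
        Sort-Object Value |
        Where-Object { ($Mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

# Removable media (USB keys) only, on top of the XP default bits:
$usbOnly = New-AutorunMask -DisableFor 'Removable'
$still   = (Get-AutorunEnabledTypes -Mask $usbOnly) -join ', '
'"NoDriveTypeAutoRun"=dword:{0:x8}  still allows autorun on: {1}' -f $usbOnly, $still

# The article's value, 0xFF, leaves no drive type enabled:
$still   = (Get-AutorunEnabledTypes -Mask 0xFF) -join ', '
'"NoDriveTypeAutoRun"=dword:{0:x8}  still allows autorun on: {1}' -f 0xFF, $still
```

Paste the printed value into a .reg file under the same key the article uses; the decode function is also handy for reading back a value you find on a machine and seeing what it still permits.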
Registry
Did you know that you can remotely edit registries? I found this out a few years back. It is great that the system admin can do something like that, but we don't want a hacker doing that, do we? This registry key disables the Remote Registry service (Start=4 is the "Disabled" start type), which turns off remote registry editing:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
I also like to completely disable the ability to do anything with the registry. I do that in two ways; the first is here:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
After this key is set, the user can no longer open the registry tools to add or change a registry key; software they install can still write to the registry. You can also drop registry keys on the machine using SVS layers, RIPs, and using Wise Package Studio.
I also like to remove access to the various Windows programs that allow the user to edit the registry. Here are the commands:
REM "echo y|" answers the "Are you sure (Y/N)?" prompt that cacls asks.
REM /p replaces the whole ACL with Administrator:F only; the second command
REM then uses /e /g to add System:F without touching what is already there.
REM Regedit...
echo y| cacls "C:\WINDOWS\system32\regedit.exe" /t /c /p "Administrator":F
echo y| cacls "C:\WINDOWS\system32\regedit.exe" /t /c /e /g "System":F
REM Regedit (XP keeps a second copy in the Windows directory)...
echo y| cacls "C:\WINDOWS\regedit.exe" /t /c /p "Administrator":F
echo y| cacls "C:\WINDOWS\regedit.exe" /t /c /e /g "System":F
REM Reg.exe...
echo y| cacls "C:\WINDOWS\system32\reg.exe" /t /c /p "Administrator":F
echo y| cacls "C:\WINDOWS\system32\reg.exe" /t /c /e /g "System":F
REM regedt32.exe...
echo y| cacls "C:\WINDOWS\system32\regedt32.exe" /t /c /p "Administrator":F
echo y| cacls "C:\WINDOWS\system32\regedt32.exe" /t /c /e /g "System":F
File Sharing
If users want to share a document, they can share it through a network drive or through something like Google Docs (for our domain of course). Here is a registry key that disables shared documents:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSharedDocuments"=dword:00000001
I also like to disable simple file sharing with this key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"forceguest"=dword:00000000
There are a few default shares on every computer. After the scare I talked about above, we decided that we don't even want the default shares enabled. The AutoShareWks value under the following key disables these shares: ADMIN$, C$ and D$. The rest of the values are the full export of that key; note that enablesecuritysignature and requiresecuritysignature at 0 leave SMB signing off, so keep whatever your own environment already has for those two.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Size"=dword:00000002
"DisableDos"=dword:00000000
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,\
00,4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,51,00,4c,00,5c,00,51,00,55,00,\
45,00,52,00,59,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,4c,\
00,4c,00,53,00,52,00,50,00,43,00,00,00,62,00,72,00,6f,00,77,00,73,00,65,00,\
72,00,00,00,00,00
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
00,53,00,24,00,00,00,00,00
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
73,00,72,00,76,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"Lmannounce"=dword:00000000
"Guid"=hex:22,3a,ba,ab,cd,bc,c3,43,9e,77,86,56,70,5a,39,55
"AdjustedNullSessionPipes"=dword:00000001
"CachedOpenLimit"=dword:00000000
"AutoShareWks"=dword:00000000
There is one more share that is hanging around. It is called IPC$. To turn this one off, you have to disable the "Server Service" on your machine. You can do it by using this script at the command prompt (sc config only changes the start type, so the share stays up until the service is stopped or the machine reboots):
ECHO Security...
sc config "lanmanserver" start= disabled
Note: Some things may depend on this share being available. From what I can tell, all of our Altiris and Symantec stuff is working just fine. It was worth the extra security for me, so I disabled this share. I actually prevent this service from installing when I install XP. If you are interested in that script, let me know...
Finally, I highly suggest that you disable null (anonymous) connections. Here is the key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"everyoneincludesanonymous"=dword:00000000
"restrictanonymous"=dword:00000002
"restrictanonymoussam"=dword:00000001
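Once these keys are pushed out, the thing a practitioner wants is a way to confirm they actually landed on a given machine. The following is an added PowerShell example (not code from the original article): a read-only audit of the registry values and the Server service state set in the sections above. Paths and expected values are the article's; the HKCU checks report on the profile the script runs under.

```powershell
# Added example, not from the original article: read-only audit of a machine
# against the values this article sets. Nothing here writes to the registry.
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer';             Name = 'NoDriveTypeAutoRun';        Expected = 0xFF }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'; Name = '(default)';                 Expected = '@SYS:DoesNotExist' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry';                         Name = 'Start';                     Expected = 4 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';                Name = 'DisableRegistryTools';      Expected = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';              Name = 'NoSharedDocuments';         Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                     Name = 'forceguest';                Expected = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';                Name = 'AutoShareWks';              Expected = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                     Name = 'everyoneincludesanonymous'; Expected = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                     Name = 'restrictanonymous';         Expected = 2 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                     Name = 'restrictanonymoussam';      Expected = 1 }
)

function New-Finding($Setting, $Expected, $Actual) {
    # A missing key or value is a finding, not an error: the default is the open state.
    $state = if ($Actual -eq $null) { 'MISSING' }
             elseif ("$Actual" -eq "$Expected") { 'OK' }
             else { 'DRIFT' }
    New-Object PSObject -Property @{ Setting = $Setting; Expected = $Expected; Actual = $Actual; State = $state } |
        Select-Object Setting, Expected, Actual, State
}

function Test-DesktopBaseline {
    foreach ($item in $Baseline) {
        $props  = Get-ItemProperty -Path $item.Path -ErrorAction SilentlyContinue
        $actual = if ($props -ne $null) { $props.($item.Name) } else { $null }
        New-Finding $item.Name $item.Expected $actual
    }
    # "sc config lanmanserver start= disabled" only changes the start type, so the
    # IPC$ share is gone only when the service is also stopped; report both.
    $svc = Get-WmiObject Win32_Service -Filter "Name='lanmanserver'"
    New-Finding 'lanmanserver StartMode' 'Disabled' $svc.StartMode
    New-Finding 'lanmanserver State'     'Stopped'  $svc.State
}

Test-DesktopBaseline | Format-Table -AutoSize
```

Any row marked MISSING or DRIFT is a machine the .reg files did not reach, or one where something reset the value afterwards; the Display Properties policies from the next section can be added to the same table.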
Desktop Security
There are a few places that I lock down on the desktop. These security measures are meant for public machines only. Some of the settings would drive a normal user crazy, and some make sense. You will have to decide how much you want to annoy your users. Here are the "Display Properties" settings I like to tweak:
Disable Appearance Tab - I don't want users of a public machine messing with these settings. It is not their machine, they don't get to customize it. Here is the registry key that I use to remove it:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000001
Disable Background (Desktop) Tab - Here is the registry key to disable it:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
Disable Screen Saver Tab - Here is the key to disable it:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=dword:00000001
Disable Themes Tab - And here is how to disable it:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoThemesTab"=dword:00000001
This is a good place to stop. There are many more settings that I use to keep my desktop secure. In the next article we will talk about a number of topics, including how to lock down the control panel and how to push these settings out to the computers you manage. All of these keys have helped secure our desktops. The more settings we have implemented, the more problems we have prevented. I never thought about it until now, but if you take a few minutes to push these settings out to your computers you will be saving tons of time (and I mean weeks of time). Avoiding a virus is much better than getting infected (but, I am typing to the choir right now..).
Some of you are probably thinking that XP is way too old to worry about. I disagree. We have decided to use XP until we can get our arms around Windows 7. Also, you probably are supporting several OSes in your environment. A lot of these keys will probably work in Vista and in Windows 7. If they don't, at least you will know what to look for. Finally, some of you are probably thinking that these are all group policies that can be set from Active Directory. You are correct. To help users get logged in faster (especially on public machines) I push as many settings to the client as I can. If you have any questions about what we have discussed in this article please drop me a line in the comment section. Until next time...I have attached all of the registry keys and scripts to this document for your securing pleasure.
License: AJSL. By clicking the download link below, you agree to the terms and conditions in the Altiris Juice Software License.