RonTheCon Posted May 28, 2006 Share Posted May 28, 2006 Solve Security Issues in Windows XP by Ron Mods: Please sticky this and change description to: Manual tweaks you can do to improve Windows XP Security. My description got cut off and I can't edit the title nor the description for this thread. Thank you. Do you not believe me? Think I'm some crazy hacker? Think I'm weird? Well ok then lol. All these tweaks are from websites such as www.TweakXP.com, www.TweakHound.com, www.WinGuides.com/windowsxp/, and www.MarkusJansson.net/exp.html so I'm not just pulling these tweaks right out of my bum. All I have done is organized it, and put all the most efficient and compatable tweaks that will still keep your operating system very stable with very few problems. At the end of this tutorial you can scan your computer for open holes and such and I guarantee you that you will have about 20 or so holes fixed on XP. This tutorial is practically a nessecity if you don't have a firewallsuch as McAfee, Norton, or Zone Alarm. WARNING: Please Create a system restore before even thinking about doing this tutorial. To run a system restore click on Start > Program > Accessories > System Tools > System Restore > Create a Restore Point. Sorry for all the people that have XP Home and not the Pro version. Turns out if you give Microsoft more money they will include more security features in the Microsoft OS, but won't turn them on because they are a**holes. Anyways, all the Categories for each listing says if it's for XP Pro Only or XP Home/Pro which means for both. Now here's the tutorial. -> First Step is to Backup Registry - XP Home/Pro - Thank you Andavari Download ERUNT. This is freeware by the way. and look for Back Up registry or something. -> Network Connection Security - XP Home/Pro Go to Start > Settings > Control Panel > Network Connections > Right click on Local Area Connection 2 > Click on Properties. On the General Tab, uncheck every checkbox except for Internet Protocol (TCP/IP). Now click on Internet Protocol (TCP/IP) and click on Properties. On the General tab, click on Advanced at the bottom. Advanced TCP/IP Settings should pop up. Click on the Options tab, then click on TCP/IP Filtering and click on Properties. Uncheck Enable TCP/IP Filtering (All Adapters). -> Closing ICMP Protocol and a few others - XP Home/Pro Go to Start > Run > regedit > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Tcpip > Click on Parameters, but do not click on the +. Double click on EnableICMPRedirect, which is on the right hand pane when you have clicked on Parameters. Once you double click on EnableICMPRedirect, change its value to 0. Make sure to also change the values of EnableDeadGWDetect, EnablePMTUDiscovery, and PerformRouterDiscovery to 0. While you're in Parameters, make sure to change the values of EnableDeadGWDetect, EnableSecurityFilters, and NoNameReleaseOnDemand to 1. -> Closing DCOM Protocol - XP Home/Pro Go to Start > Run > regedit > HKEY_LOCAL_MACHINE > Software > Microsoft > Ole Double click on EnableDCOM and set it to N. If the key doesn't exist, then create it by right clicking and clicking on New > String Value. Click on the new one you just made and press F2 to rename it to EnableDCOM. Go to HKEY_LOCAL_MACHINE > Software > Microsoft > Rpc Double click on DCOM Protocols and remove ncacn_ip_tcp only! Go to HKEY_LOCAL_MACHINE > system > CurrentControlSet > Services > Dnscache > Parameters and double click on MaxCachedSockets and change its value to 0. If it doesn't exist, create one by right clicking and clicking on New > DWORD Value. Click on the new one you just made and press F2 to rename it to MaxCachedSockets. Go to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > NetBT > Parameters and click on SmbDeviceEnabled (REG_DWORD) and set its value to 0. If it doesn't exist, create one by right clicking and clicking on New > DWORD Value. Click on the new one you just made and press F2 to rename it to SmbDeviceEnabled. -> Tightening "Restrict Anonymous" Holes - XP Home/Pro Go to Start > Run > regedit > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Click on Lsa, but do not click on the +. Double click on restrictanonymous and change it to 2. Double click on restrictanonymoussam and change it to 1. -> LanMan - XP Home/Pro Go to Start > Run > regedit > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > lanmanserver > Parameters. Double click on NullSessionPipes and erase everything in it. Double click on NullSessionShares and erase everything in it. Click on lanmanworkstation and do the same if there is NullSessionPipes and NullSessionShares. Make 2 new keys in lanmanserver (not lanmanworkstation) by right clicking on Parameters > New > DWORD Value > Change its name to AutoShareServer and make the other one AutoShareWks. Before setting their values, please read this. "This source claims, that it affects only Win2000, which has only 2 keys for it and WinXP has 3 keys for it. According to it, in WinXP it doesnot matter, if it is 1 or 2, but Belarc Advisor does not like it, when it is set to 2, so it lowers my score (from 7,29 to 6,46)." - TheTOM_SK So if you do not have Belarc Advisor, then set the value to 0. If you do, set the value to 2. -> User Accounts - XP Pro Only By default, the Guest account password is blank. Make it something difficult, such as a combination of letters and numbers, preferably not based on dictionary words. Go to Start > Settings > Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Highlight User Account > right-click and click on Set Password. Remove/Delete any unused accounts, especially any 'remote assistance' accounts. Disable the Guest account since you can't delete it. Go to Start > Settings > Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options Account > Rename Guest Account - Double click and rename the account to something weird like Fa98sasjd9as (this is where the weirdo leet language comes into play, but only here). -> Remote Machines - XP Pro Only If you do not need to connect to your computer from a remote machine, be sure to turn this off. Go to Control Panel > Administrative Tools > Local Security Policy > Local Policies > User rights Assessment > "Access this computer from the network" and then delete all users and groups. This should now be blank. Click on "Deny access to this computer from the network" - this should include all users and groups. Double click on the policy, click Add User or group, click Advanced, click Find Now, highlight all the accounts and click OK. Under System Properties > Remote > Turn off Remote Desktop and Remote invitations -> Change Remote Scheduled Tasks - XP Home/Pro Instead of having to wait for the remote scheduled tasks, which is useless information to anyone who is not a system administrator remotely configuring scheduled tasks, you can disable this feature. Go to Start > Run > regedit > HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Explorer > RemoteComputer > NameSpace In the NameSpace folder you will find two entries. One is "{2227A280-3AEA-1069-A2DE-08002B30309D}" which tells Explorer to show printers shared on the remote machine. The other, "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}", tells Explorer to show remote scheduled tasks. This is the one that you should delete. If you have no use for viewing remote shared printers and are really only interested in shared files, consider deleting the printers key, "{2227A280-3AEA-1069-A2DE-08002B30309D}", as well. This will also boost your browsing speed. -> Disable Posix and OS/2 - XP Home/Pro DO NOT USE REGEDIT! Go to Start > Run > regedt32 Find HKEY_local_machine\system\currentcontrolset\Control\Session Manager\SubSystems Click on SubSystems Folder, but don't click on the Plus button, just click on the folder. Double click on the multistring called Optional in the right-hand pane. By default, the multistring's value will be POSIX; Delete that value and leave the space empty, but don't delete the Optional multistring. -> Firefox, an alternative to Internet Explorer - XP Home/Pro This program is the best web browser on the internet and clears soooo many holes by using this browser instead. Plus it has many positives and few negatives, while Internet Explorer has many negatives and few positives. More info here on Mozilla Firefox vs. Internet Explorer. -> Disable Crappy Services we don't need - XP Home/Pro Open up services.msc by going to Start > Run > "services.msc" without the quotation marks. Disable the following services and click on the button Stop if they are running. Automatic Updates - Though, you still need to do windows updates, but you don't need a process running all the time, slowing down your computer. Just do it by hand by going here. Alerter Clipbook Computer Browser Error Reporting Service - If you want to report everyone of Microsoft's errors, don't turn this off. Have fun. FTP Publishing Help and Support - Put this on manual Human Interface Device Access - This is recommended for people with usb mouse or keyboard, without it, it wont work! Indexing Service Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Performance Logs and Alerts Protected Storage - This saves passwords. You should never save passwords, but leave this on incase you still do. Evenif it does leave secuirty holes and your passwords up for grabs... Remote Desktop Help Session Manager Remote Registry Routing and Remote Access Secondary Logon Security Accounts Manager SSDP Discovery Service Telnet Universal Plug and Play Device Host -> Reboot your Computer - XP Home/Pro Check to see if your internet works. Check to see if you can have other programs connect to the internet. If you can't, then post in this topic for help. I'll be able to figure your problem and help you find a solution. -> Windows Updates - XP Home/Pro I can't stress this enough. You NEED to do windows updates. Microsoft sucks so much, but everytime they issue out a patch or whatever, download it immediately. Every now and then just check for Windows Updates by clicking here or going to your Start Menu and clicking on Windows Updates right above Programs. If there are any updates to install, download and install them, and then reboot your computer. Don't be lazy. Don't be late. Keep your Computer, up to date. -> Run Online Security Checks - XP Home/Pro - Use IE for this only. Sorry Firefox fans. Hacker Whacker's Sweet Security Scans GRC - Shields Up Emsisoft's Security Checks Sygate Tech's Security Checks TrendMicro's Online Virus Scan Hacker Watch's Test Your Firewall - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Aftermath: YAY! Your computer should be much faster, much safer, and just much much better! Tell all those pesky hackers to **** off! Great job, and I hope to add more security tweaks in this topic. The changelog for this tutorial is in the next post. Once again. Great job! Want to Tweak your computer even more? Click Here. ~Ron Credits Me lol. TheTOM_SK Andavari Link to comment Share on other sites More sharing options...
Moderators hazelnut Posted May 28, 2006 Moderators Share Posted May 28, 2006 never heard of you Ron the Con. Will not be using or recommending your advice. Try setting up your own website instead of using the resources of this one. Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com Link to comment Share on other sites More sharing options...
RonTheCon Posted May 28, 2006 Author Share Posted May 28, 2006 Thank you so much for welcoming me into this community. You are just so kind. Almost as kind as America is to communists. Link to comment Share on other sites More sharing options...
Moderators hazelnut Posted May 28, 2006 Moderators Share Posted May 28, 2006 Part of your advice is telling people to edit the registry, NOT a very good idea. Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com Link to comment Share on other sites More sharing options...
Eldmannen Posted May 28, 2006 Share Posted May 28, 2006 I guess many of these could be done with the tool 'SafeXP'. Also, some of above mentioned things maybe might break compatibility... Link to comment Share on other sites More sharing options...
Moderators Andavari Posted May 28, 2006 Moderators Share Posted May 28, 2006 Well at least you recommended using System Restore, that I can't fault you on. However I also won't be trying any of your so-called tweaks, hence they weren't asked for in the first place, e.g.; there was no request for them. It would've however been a different situation if someone had specifically asked how to tweak a particular thing and you supplied the information, other than that I surely don't welcome tweaks like these as some inexperienced users may use them. Anyways, welcome to the forums. Link to comment Share on other sites More sharing options...
RonTheCon Posted May 28, 2006 Author Share Posted May 28, 2006 I'm just trying to help. No one has to do this. They may choose to. These tweaks are from many different websites and have been proven to work fine. The only thing that can go wrong is that you will not be able to connect to the internet. If you can't, simply double click on the registry backup you made and reboot. If you still can't connect, then just go back to a previous restore point. So you're all set. Thank you for welcoming me Andavari. Link to comment Share on other sites More sharing options...
Humpty Posted May 29, 2006 Share Posted May 29, 2006 Welcome to the forum Ron the Con. Coupla queeries: Disable Dcom and Perfect Disk,which I use, will throw up errors. Check this services guide If you have disabled POSIX can you still bring up a command promt window? Link to comment Share on other sites More sharing options...
DjLizard Posted May 29, 2006 Share Posted May 29, 2006 Don't disable Error Reporting. Click here if CCleaner Issues are re-appearing DjLizard.net DjLizard.net wiki Dial-a-fix Dial-a-fix tips DjLizard.net software support forum Do you live in Bradenton, Sarasota, Tampa, or St. Petersburg, Florida? Visit Digital Doctors where I work Link to comment Share on other sites More sharing options...
RonTheCon Posted May 29, 2006 Author Share Posted May 29, 2006 DCOM protocol is different from the DCOM service. I said to disable the protocol, nothing there about the service. Yes Command prompt will still work. I have these twekas right here on this computer, no problems. Been using it with the tweaks for about 4 months. Thank you for the help though. Don't disable error reporting? Well If you want to send in every error windows brings up, you'll be on the computer forever man. I added a small description of the error reporting service though, incase anyone wants to use it, they shouldn't disable it. Link to comment Share on other sites More sharing options...
Glenn Posted May 29, 2006 Share Posted May 29, 2006 I have these twekas right here on this computer, no problems. ... Well If you want to send in every error windows brings up, you'll be on the computer forever man.Have you ever considered there's a connection? I don't get more than a handful of errors a year regularly using 4 PC's. Link to comment Share on other sites More sharing options...
RonTheCon Posted May 29, 2006 Author Share Posted May 29, 2006 Well don't bother arguing with me man. Why bother? Just go and enable it. Problem solved. Link to comment Share on other sites More sharing options...
DjLizard Posted May 30, 2006 Share Posted May 30, 2006 Well if you're (not "you" literally; everyone) getting so many error reports that you'd consider disabling error reporting to thwart it, maybe you should consider having the erorrs checked out by a professional instead of cutting the arm off because of wrist pain You're not one of those "Microsoft/Windows sucks" people who constantly expect problems, or think all problems are because "Windows sucks", are you? Click here if CCleaner Issues are re-appearing DjLizard.net DjLizard.net wiki Dial-a-fix Dial-a-fix tips DjLizard.net software support forum Do you live in Bradenton, Sarasota, Tampa, or St. Petersburg, Florida? Visit Digital Doctors where I work Link to comment Share on other sites More sharing options...
RonTheCon Posted May 31, 2006 Author Share Posted May 31, 2006 Yeah I am lol but can you blame me? EVERYONE has problems with Microsoft! Did you know that the games on your microsoft XP computer try to connect ot the internet? I'm talking about the ones that are Single player like Freecell!!! WTF? Try deleting the directory where the games are stored: C:\Program Files\MSN Game Zone\Windows 3 seconds after you kill them, they suddenly reappear. They are impossible to get rid of... I think I can delete them with System Mechanic, but since I have a firewall, they can't connect to the internet anyways. So... kind of a side issue for now. Maybe if I become rich enough, I can dich Microsoft and get a Mac. They are too expensive though. Link to comment Share on other sites More sharing options...
Glenn Posted May 31, 2006 Share Posted May 31, 2006 Did you know that the games on your microsoft XP computer try to connect ot the internet? I'm talking about the ones that are Single player like Freecell!!! WTF? Try deleting the directory where the games are stored: C:\Program Files\MSN Game Zone\Windows Sorry to have to tell you this but you have problems ... 1. I've never had a legitimate Microsoft single player game try to connect to the internet. You may have malware. 2. Single player games like Freecell aren't in C:\Program Files\MSN Game Zone\Windows (at least they're not supposed to be). EDIT - From Microsft Support: SUMMARY This article describes how to manually remove and reinstall the MSN Gaming Zone software. MORE INFORMATION To remove and reinstall Zone.com software manually, follow these steps: 1. Click Start, point to Settings, and then click Control Panel. 2. Double-click Add/Remove Programs. 3. On the Install/Uninstall tab, click Zone.com, and then click Add/Remove. 4. Follow the instructions on the screen to remove Microsoft MSN Gaming Zone. 5. Remove Zone.com Heartbeat ActiveX control or plug-in. For additional information about how to do this, click the article number below to view the article in the Microsoft Knowledge Base: 225041 (http://support.microsoft.com/kb/225041/EN-US/) Zone: How to Remove the Heartbeat ActiveX Control 6. Empty the Temporary Internet Files folder. 7. Visit the following Zone.com Web site to reinstall the Zone software: http://classic.zone.msn.com/services/install.asp (http://classic.zone.msn.com/services/install.asp) Link to comment Share on other sites More sharing options...
krit86lr Posted May 31, 2006 Share Posted May 31, 2006 Sorry to have to tell you this but you have problems ... Agreed. Can this thread just be removed please? Windows Pro Media 8.1 x64 | 8GB Ram | 500G HDD 7200 RPM | All that I know about my graphics is that it's Intel Link to comment Share on other sites More sharing options...
DjLizard Posted May 31, 2006 Share Posted May 31, 2006 Yeah I am lol but can you blame me? EVERYONE has problems with Microsoft! Yeah, everyone has problems. People have hardware failures and third-party software conflicts and bugs. People have problems with Linux, Mac OS X, MS-DOS, OS/2, UNIX, and any other operating system out there. Welcome to computing. Click here if CCleaner Issues are re-appearing DjLizard.net DjLizard.net wiki Dial-a-fix Dial-a-fix tips DjLizard.net software support forum Do you live in Bradenton, Sarasota, Tampa, or St. Petersburg, Florida? Visit Digital Doctors where I work Link to comment Share on other sites More sharing options...
1984 Posted June 1, 2006 Share Posted June 1, 2006 wow, lots of hostility. welcome ronthecon. i dont really understand any of your tweaks, so they aint for me, but it doesnt bother me that you posted them. Link to comment Share on other sites More sharing options...
DJpailo Posted June 1, 2006 Share Posted June 1, 2006 wow, lots of hostility. welcome ronthecon. i dont really understand any of your tweaks, so they aint for me, but it doesnt bother me that you posted them. same for me as well http://www.lavasoftusa.com http://wiki.lunarsof.../PC_Maintenance Link to comment Share on other sites More sharing options...
TheTOM_SK Posted June 2, 2006 Share Posted June 2, 2006 -> Tightening "Restrict Anonymous" Holes - XP Home/Pro[*] Go to Start > Run > regedit > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Click on Lsa, but do not click on the +. [*] Double click on restrictanonymous and change it to 2. Wouldnot be better to set it to 1? [*] Go to Start > Run > regedit > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > lanmanserver > Parameters. [*] Make 2 new keys in lanmanserver (not lanmanworkstation) by right clicking on Parameters > New > DWORD Value > Change its name to AutoShareServer and make the other one AutoShareWks. Both their values should be set to 2. Why to set AutoShareServer & AutoShareWks to 2? Only 0 & 1 are availabe, no? By the way, if you would create reg file, it would be easier for some people. Link to comment Share on other sites More sharing options...
RonTheCon Posted June 8, 2006 Author Share Posted June 8, 2006 Glenn. I'm sorry, but it's true. If you have Norton, you can see that freecell and other games are trying to connect to the internet trying to send out information from your computer to microsoft leaving a huge hole open. krit86lr I'm sorry you feel that way. Seems like all the girls have turned into horrible mangy cats that won't give chances. Lordoftheweb and DJpailo you are good people. Thank you for welcoming me. I wish there were more warm people like you on forums. Also, yesterday I had my computer tested by 3 or 4 hackers and the only way they could get in at first by Ddosing, but all the other holes were blocked. Then I used System Mechanic 6 professional and turned off Ddosing on my computer, and then checked it again. Finally a stable very hard to hack operating system. TheTOMsk Value 1 will just restrict anonymous people, but value 2 will restrict enumerating accounts also. Source and holy s**t. Thank you for pointing that out. That value should be 0! Thank you thank you! Editted and fixed. ~Ron Yeah, everyone has problems. People have hardware failures and third-party software conflicts and bugs. People have problems with Linux, Mac OS X, MS-DOS, OS/2, UNIX, and any other operating system out there. Welcome to computing. Microsoft is known to have problems. You sir are very oblivious to your surroundings. Please talk to someone who is in the engineering field and over the age of 30 so they can tell you about reality on computers. Linux OS has a lot less problems. Don't be oblivious man... It just gets under my skin and makes me insane lol. ~Ron Link to comment Share on other sites More sharing options...
1984 Posted June 9, 2006 Share Posted June 9, 2006 gentlemen, lets not disrespect the forum by disrespecting eachother. if you need to debate an issue and escalate any perceived/real animosity, why not take it to pm? if you just want to debate computing issues, then im sure those of us that are just grasshoppers when it comes to computers, would be interested in learning from whatever you both post. because honestly, sometimes i feel like a dummy while some of you are talking about this and that, and i cant even find the button on the keyboard. such is life. Link to comment Share on other sites More sharing options...
Capman Posted June 9, 2006 Share Posted June 9, 2006 gentlemen, lets not disrespect the forum by disrespecting eachother. if you need to debate an issue and escalate any perceived/real animosity, why not take it to pm? if you just want to debate computing issues, then im sure those of us that are just grasshoppers when it comes to computers, would be interested in learning from whatever you both post. because honestly, sometimes i feel like a dummy while some of you are talking about this and that, and i cant even find the button on the keyboard. such is life. If RonTheCon had took his time to read through any of Dj's previous 1,239 posts, then he would know that Dj is a much respected and very knowledgable member of this forum. Just my opinion though. Link to comment Share on other sites More sharing options...
1984 Posted June 9, 2006 Share Posted June 9, 2006 thats a fair statement Capman. i was just kind of hoping that a pissing match would not ensue. Link to comment Share on other sites More sharing options...
krit86lr Posted June 9, 2006 Share Posted June 9, 2006 thats a fair statement Capman. i was just kind of hoping that a pissing match would not ensue. I'm kind of thinking that it will. Windows Pro Media 8.1 x64 | 8GB Ram | 500G HDD 7200 RPM | All that I know about my graphics is that it's Intel Link to comment Share on other sites More sharing options...
Recommended Posts