
How to secure (harden) Windows XP SP3 OS?


9 replies to this topic

#1 Engineering

Engineering

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 16 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 14 August 2009 - 02:57 PM

What do you do to secure your Windows XP OS?


What can you comment or contribute to the following checklist:


*Only crucial system services running (less exploitable processes + performance improvement),

*Hardened Hosts files (blacklists),

*Uninstalling Telnet/Net meeting/Messenger/WMP/DCOM vulnerabilities, what else?, etc (generic Windows bloatware),

*Disabling UPnP, Administrative shares (IPC$,etc), LMHash, Null sessions, epmap (port 135), SMB (port 445), SSDP (port 1900), etc

*Disabling DCOM, paging from executives, remote desktop, remote registry, TCP/IP NetBIOS Helper (NetBT), etc

*Secure file deletion (DOD 5222.20-M),

*Any server based network hosting capabilities unavailable,

*Group Policy Enforcement in place (based on NSA checklists)

*Latest Windows Patches,

*Firewall + AV + Peerguardian (ipblock lists) + IDS app, etc

*Web browser with javascript security policies and cookie management, (Firefox w/ Noscript)

*Registry tweaks (which?),

*HDD encryption (which?),

*User without Admin rights,

*etc etc... What else can you think of?


HTTP + SSL + HTTPS + Nothing else.

(And yes I have read multiple pages of Google query results. I'd like to hear your personal practices and security habits)


See where I'm getting to?

What else crosses your mind?
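An added example (not from any poster in this thread): a Python audit that reads regedit export text and reports where a machine differs from a baseline for a few of the checklist's registry-backed items (LM hash storage, null sessions, administrative shares, DCOM, remote registry, SSDP). The baseline values and the sample export are constructed for illustration; regedit writes exports as UTF-16, so decode the file before passing its text in.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE"
LSA = HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa"
SVC = HKLM + r"\SYSTEM\CurrentControlSet\Services"
# Assumed baseline for this example: (key, value name) -> expected data.
BASELINE = {
    (LSA, "NoLMHash"): 1,                 # do not store LM hashes
    (LSA, "RestrictAnonymous"): 1,        # limit null-session enumeration
    (SVC + r"\LanmanServer\Parameters", "AutoShareWks"): 0,  # no C$/ADMIN$
    (HKLM + r"\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "N",  # DCOM off
    (SVC + r"\RemoteRegistry", "Start"): 4,  # 4 = service disabled
    (SVC + r"\SSDPSRV", "Start"): 4,         # SSDP discovery (UPnP)
}
VALUE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Read REG_DWORD and REG_SZ values from .reg export text."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()      # registry paths ignore case
        elif key and (m := VALUE.match(line)):
            name, dword, string = m.groups()
            data = int(dword, 16) if dword is not None else string
            values[(key, name.lower())] = data
    return values

def audit(text):
    """Return (key, name, found, expected) per deviation; None = absent."""
    found = parse_reg(text)
    return [(k, n, found.get((k.lower(), n.lower())), want)
            for (k, n), want in BASELINE.items()
            if found.get((k.lower(), n.lower())) != want]

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000000
"RestrictAnonymous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]
"Start"=dword:00000004
'''
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A value missing from the export is reported with `None` as the found data, which matters for settings such as `AutoShareWks` that do not exist until someone creates them.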


#2 Colonel Panic

Colonel Panic

    Hakker addict

  • Members
  • 607 posts
  • Gender:Male
  • Location:IN YR BROWSER, SAYIN SUM SHIT

Posted 14 August 2009 - 03:30 PM

Simpler solution: install Windows 7.

Done.

#3 phasma

phasma

    Hakker addict

  • Members
  • 527 posts
  • Country:
  • Gender:Male
  • Location:Pennsylvania

Posted 14 August 2009 - 03:32 PM

What Colonel Panic said, and just be extra careful on what you download and install! Most Windows vulnerabilities lie with the user's carelessness!

#4 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 14 August 2009 - 04:13 PM

Don't forget your screen emits radiation too. Perhaps, enclosing it in cement would circumvent one from spying on your desktop from emitted radiation.

#5 Engineering


Posted 15 August 2009 - 03:01 PM

> Simpler solution: install Windows 7.
>
> Done.


How is Windows 7 superior to Windows XP?

#6 Engineering


Posted 15 August 2009 - 03:10 PM

> Don't forget your screen emits radiation too. Perhaps, enclosing it in cement would circumvent one from spying on your desktop from emitted radiation.


Cement? How about some kind of metal mesh? Is there an inexpensive way to build a Faraday cage?

#7 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 15 August 2009 - 07:07 PM


> > Simpler solution: install Windows 7.
> >
> > Done.
>
> How is Windows 7 superior to Windows XP?


Many ways. UAC being a big part of it.

#8 Colonel Panic


Posted 16 August 2009 - 05:32 PM

UAC is actually a very well-conceived security model. It is extremely robust, allows for very granular permissions management, and provides excellent protection against the installation of dangerous or unwanted software.

Its main drawback is one of practicality and marketing. To the average tech-tarded user, Windows is supposed to be "easy" and to "just work." So when UAC throws up warnings and confirmation dialogs whenever something happens that might compromise security, it is often perceived as an annoyance. When the typical Windows users see all these warnings popping up, they tend to react in one of 3 ways: they either freak out because it's something they don't understand; they just ignore it and click through (like how people often deal with EULAs and SSL certificate warnings); or worst of all, they disable UAC altogether.

The problem is that average schmoes don't really understand their computers, and don't care to understand them. They just want the machines to work for their purposes with a minimum of hassle and trouble. As I see it, there's no way to provide adequate security without educating the end-user about security. The only workable solution I can see is for the manufacturers to meet the users halfway. After all, they are manufacturing extremely complex high-tech products, not dinnerware, rag-mops or toilet paper. Their customers need to be informed about how the products work. If the users aren't going to RTFM (as most of them obviously don't), then the company ought to make the effort to provide tech support or else build some kind of education into their products' UIs.

Edited by Colonel Panic, 16 August 2009 - 07:11 PM.


#9 Colonel Panic


Posted 16 August 2009 - 05:34 PM


> > Don't forget your screen emits radiation too. Perhaps, enclosing it in cement would circumvent one from spying on your desktop from emitted radiation.
>
> Cement? How about some kind of metal mesh? Is there an inexpensive way to build a Faraday cage?

A Faraday cage must be extremely strong and made of a tough material to withstand assaults from formidable claws and razor-sharp fangs. For safety, you should always attach a sign that reads, "DANGER: DO NOT FEED THE FARADAY." (cheers, RTF!)

Seriously, the cage needs to be made of a highly conductive wire mesh, with a spacing of a very small fraction of the wavelength of EM radiation you want to block. The cage must be extremely well-grounded. The best way to accomplish this would be to weld a thick strip of woven conductor, and then weld the other end of that to a highly-conductive solid metal stake driven several feet deep into the ground.

The actual spacing of the mesh is important though. Here's a thread on the Anandtech forums that describes Faraday cage construction: http://forums.anandt...hreadid=2151509

Edited by Colonel Panic, 16 August 2009 - 07:14 PM.


#10 dinscurge

dinscurge

    "I Hack, therefore, I am"

  • Members
  • 935 posts
  • Country:
  • Gender:Male
  • Location:the bunker

Posted 16 August 2009 - 06:26 PM

You could always get/make a hardware router that can't be configured remotely. Besides that, you just need a firewall and antivirus, as most routers will make the computer fairly secure. I mean, say your NetBIOS port is open (forget the number, but it is by default on XP at least): they can't do anything with it because you're not port forwarding. I can open telnet and can't do anything, as the port isn't on the internet; they actually have to be on your network. So if you can, use a wired router; otherwise WPA2. <jk> idk, put a lock on your computer so they can't open the box, put a switch on the inside of the box for the power so they can't turn it. Encase it in a rugged carbon nanotube cage? And bolt it to the wall with 2in bolts.</jk>

edit: apparently people can't tell so </jk>

Edited by dinscurge, 16 August 2009 - 06:27 PM.




