Xtreme PC Central Tech Forums  

Old 12-09-2007, 5:34 PM   #1
APK
Member
 
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
HOW TO SECURE Windows 2000/XP/Server 2003, & VISTA + make it "fun" to do

INTRODUCTION:

(Afterwards, the actual steps to perform beyond CIS Tool suggestions (which will need you to use tools like secpol.msc, gpedit.msc, services.msc, regedit.exe, explorer.exe + more, yet, all native tools to your OS) will be listed for your reference, each in their own post reply, to avoid "clutter"):

Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - new holes/vulnerabilities appear in the OS & its libs + apps, but this gets you closer, if not as close as a body needs to be!).

THIS IS GEARED TO "stand-alone" systems online on the internet (However - it can be adapted for LAN/WAN office or home networked environs, BUT, pay attention to step #2's 'warnings' about pulling Client For Microsoft Networks, &/or File & printer sharing - most networks require/need this)

--------------------------------------------------------------------------------------------------------------
BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:
--------------------------------------------------------------------------------------------------------------


Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):

http://www.microsoft.com/downloads/B...der=descending

It is a personally 'security-hardened' model I have been working on for many years, using principles I learned & used since the NT 3.5x days onward to this version of the OS: As is now?

I score an 85.760 on the CIS Tool 1.x currently as of 10/10/2007!



This is up from my past score here of 76.xxx on it (default score I had prior to this security hardening via CIS TOOL & its advisements & past the 84.735 I initially hardened it up to, & later 85.185 as well), & here is how to do it!

Currently, I can go NO higher than this score of 85.760 (of 100 total) on CIS Tool 1.x for Windows, pictured here (photo proof/pictures DO say, a 1,000 words (like this post, lol)) & even IF I could get past the few areas I know are wrong (the test errs, as it does on some areas in LINUX as well), I cannot get past 88% or so, period!

============================================================================
HERE ARE LINUX SCORES FROM CIS TOOL (SuSE Enterprise Linux under VMWare):
============================================================================

HARDENED LINUX:



DEFAULT LINUX:



(It appears that LINUX has FAR LESS TESTED, when compared to the SIZE of the Windows tests, & Linux CAN reach 90++ scores (but there is an error in CIS TOOL preventing myself from going to a higher than 85.760 score & I have submitted the data to CIS TOOL's authors on that account WITH PROOFS, and even if I could get the few areas I am scored down on still, it would not add to past 88% or so... bug, bigtime, do the math from my score & see))

============================================================================

That is a DECENT ENOUGH score (especially considering the default score of VISTA even, is FAR BELOW THAT! Nice part is? The techniques noted here can LARGELY APPLY TO VISTA AS WELL, but afaik there is no CIS Tool version for VISTA (yet)! Still, read on...)

(For CIS Tool - There are Linux, Solaris, BSD variants, & other OS models ports (some only in .pdf security guide form though, not programmatically automated yet, like MacOS X) of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)

-------------------------------------------------------------------------------------------------------------------
DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:
-------------------------------------------------------------------------------------------------------------------


http://www.cisecurity.org/bench.html

IMPORTANT: This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!

It actually makes it "FUN", in a techie/geeky/nerdy (whatever) kind of way, in that you really find out WHAT it is you know, vs. the CIS Tool results, as far as securing a Windows NT-based system. E.G./I.E,-> I've been @ this field in a professional capacity since 1994, & it taught me a "trick-or-two", let's put it THAT way.

CIS Tool = Great stuff, that makes much of this easier (what I add ontop of it is in the next steps)!

APK

P.S.=> Now that the "introductory material" (tools to use, how/why, results possible, etc. et al) has been put down? Now, here we go to the actual "meat" of the subject in my next post(s).

Also - IF you have more to add to this, OR critique of my points? Please - have @ it & let 'em rip (as we ALL can gain by for security & peace-of-mind online hopefully)

HOWEVER, please - hold off on the "English Grammar" critiques + "writing style" stuff (I did my best + refine it as I go & add more)

I would try to have made it shorter too, but it's complex material @ times, & definitely a lot of it (CIS Tool helps though)!


(So please, as to critiques - I only ask that you keep it computer security technically oriented, adding points I may have missed or supplementing those I suggest with alternates to things I Have).

Thanks! apk

Last edited by APK; 05-17-2008 at 11:27 PM.
Old 12-09-2007, 5:35 PM   #2
APK
Member
 
STEP #1 of 12 - SECURING SERVICES @ THE ACL/Security SID + POLICIES LEVELS

SECURING SERVICES (ala MacOS X style, for its daemons, via privilege levels)

IMPORTANT - IF you're not sure what to do here? DON'T, & just skip it until later

(As this is probably the most "touchy" of the lot (I can field questions on this, pm or email me if need be))

===============================================================================
APK 12 STEPS TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):
===============================================================================

1.) HARDENING & SECURING SERVICES HOW-TO (longest one of the lot but, one well worth pursuing... read on):

Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE).

I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privilege user too for this on 2000 if needed)...

(The reason I mention this, is, this "technique" IS a superiority of MORE MODERN Windows NT-based OS over their ancestors (especially NT 3.x-4.0) & on par w/ how this makes your Win32 NT-based OS' like 2000 (with more work), XP, Server 2003 (VISTA too if needed), very much like how MacOS X treats its daemon processes via privilege levels, which uses the same general principles)

It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

This is for SERVICES YOU ACTUALLY NEED TO RUN (many, you really don't - this has always astounded me, & MS can put out "home versions" more this way imo, for gamers especially (auto-service "lean tuned turbocharged" for performance/speed/less resources consumption)).

ON THAT NOTE (for performance AND security)? CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED - AGAIN, SIMPLY SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this!

Please, if you don't do this already? Hey - do consider it, when possible! It works like NO TOMORROW...

Many guides online exist for this, & I authored one of the first "back in the day" for NTCompatible.com as "Article #1" back in 1997/1998 - 2002 (early model is in URL below, much detail on registry hacks too for speed & security in it, cited in 2002 @ NeoWin):

http://www.neowin.net/news/main/01/1...-security-text

The latest ones are even BETTER/MORE CURRENT, as there are ones that DO EXIST FOR VISTA ONLINE ALSO!

Anyhow - on the note of 3rd party services, & many native ones (for 2000/XP/Server 2003, but not fully on VISTA as I do not run it @ home or on the job)?

I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

===============================================================================

LOCAL SERVICE startable list (vs. LocalSystem Logon Default):

Acronis Scheduler 2 Service
Alerter (needs Workstation Service Running)
COM+ System Application
GHOST
Indexing Service
NVIDIA Display Driver Service
Office Source Engine
O&O Clever Cache
Remote Registry
Sandra Service
Sandra Data Service
SmartCard
Tcp/IP NetBIOS Helper
Telnet
UserProfile Hive Cleanup Service
Volume Shadowing Service
Windows UserMode Drivers
Windows Image Acquisition
WinHTTP Proxy AutoDiscovery Service

----------

NETWORK SERVICE startable list (vs. LocalSystem Logon Default):

ASP.NET State Service
Application Layer Gateway
Clipbook (needs Network DDE & Network DDE DSDM)
Microsoft Shadow Copy Provider
Executive Software Undelete
DNS Client
DHCP Client
Error Reporting
FileZilla Server
Machine Debug Manager
Merger
NetMeeting Remote Desktop Sharing Service
Network DDE
Network DDE DSDM
PDEngine (Raxco PerfectDisk)
Performance Logs & Alerts
RPC
Remote Desktop Help Session Manager Service
Remote Packet Capture Protocol v.0 (experimental MS service)
Resultant Set of Policies Provider
SAV Roam
Symantec LiveUpdate
Visual Studio 2005 Remote Debug

===============================================================================

PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.

WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

*****************************************************************************

If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

If that fails (shouldn't, but IF it does)? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

ListSvc (shows services & drivers states of stopped or started)

Enable (starts up a service &/or driver)

Disable (stops a service &/or driver)

Which can turn them back on if/when needed

(ON Virtual Disk Service being removed, specifically (because it used to be in this list)): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

===============================================================================

SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

http://forums.techpowerup.com/showthread.php?t=16097

"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use its File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

(It's easy, & it works, & is necessary for the actual steps to do this, below)

Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

------------------------------------------------------------

STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

(To define a new security template, follow these steps)

1. In the console tree, expand Security Templates
2. Right-click %SystemRoot%\Security\Templates, and then click New Template
3. In the Template name box, type a name for the new template.

(If you want, you can type a description in the Description box, and then click OK)

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

1. To define a System Services policy, follow these steps:
a. Expand System Services
b. In the right pane, double-click the service that you want to configure
c. Specify the options that you want, and then click OK.

DONE!

APK

P.S.=> Again, this is probably the MOST lengthy & hardest of the lot, so DO NOT LET IT DISCOURAGE YOU, the rest of this article is far simpler/shorter to do, & yields benefits that are as good as THIS long step, especially in combination with it (for security) & are much shorter/simpler to do... & IF you need help? Ask experience networkers, here on this site, or myself (via "pm" or right in this thread, or if need be, email me here -> apk4776239@hotmail.com ... apk

Last edited by APK; 05-24-2008 at 4:06 PM.
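An added example, not code from APK's post: a PowerShell script that makes the Step #1 logon-entity change for a list of services, but first records each service's current account to a CSV so it can be put back if the service then refuses to start (the Safe Mode case above). It assumes an elevated prompt, the display-name patterns below (taken from the post's two lists; edit them to what services.msc shows on your box), and uses the WMI Win32_Service.Change() method with the blank password the post describes.

```powershell
# Added example, not part of APK's post. Reassigns service logon accounts per Step #1.
# Assumptions: run elevated; display-name patterns come from the post's LOCAL SERVICE /
# NETWORK SERVICE lists and are only acted on if Get-Service finds a matching service.
param(
    [switch]$Apply,                                            # omit -Apply for a dry run
    [string]$RollbackFile = "$env:TEMP\service-logon-rollback.csv"
)

# Target account -> display-name patterns (wildcards allowed by Get-Service -DisplayName).
$Plan = @{
    'NT AUTHORITY\LocalService'   = @('Remote Registry', 'TCP/IP NetBIOS Helper',
                                      'Smart Card*', 'Windows Image Acquisition*')
    'NT AUTHORITY\NetworkService' = @('DNS Client', 'DHCP Client',
                                      'Application Layer Gateway*', 'Error Reporting*')
}

$rollback = @()
foreach ($account in $Plan.Keys) {
    foreach ($pattern in $Plan[$account]) {
        $svc = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $svc) { Write-Host "skip: no service matches '$pattern' here"; continue }

        # Win32_Service exposes the account a service currently logs on with as StartName.
        $wmi = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
        if ($wmi.StartName -eq $account) {
            Write-Host "ok:   $($svc.DisplayName) already runs as $account"; continue
        }

        # Keep the original account so the change can be reverted later.
        $rollback += New-Object PSObject -Property @{
            Name = $svc.Name; DisplayName = $svc.DisplayName; StartName = $wmi.StartName
        }
        Write-Host "plan: $($svc.DisplayName)  $($wmi.StartName) -> $account"
        if (-not $Apply) { continue }

        # Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract,
        #        StartName, StartPassword, ...): $null leaves a field as it is.
        # The built-in service accounts take a blank password, as the post notes.
        $rc = $wmi.Change($null, $null, $null, $null, $null, $null, $account, '')
        if ($rc.ReturnValue -ne 0) {
            Write-Warning "$($svc.DisplayName): Change() returned $($rc.ReturnValue); not changed"
            continue
        }
        # A running service keeps its old token until restarted, so restart it to test now.
        if ($svc.Status -eq 'Running') {
            try { Restart-Service -Name $svc.Name -ErrorAction Stop }
            catch { Write-Warning "$($svc.DisplayName) will not restart as $account; revert it from $RollbackFile" }
        }
    }
}
if ($rollback) { $rollback | Export-Csv -NoTypeInformation -Path $RollbackFile }
```

Run it once without -Apply to see the planned changes, then with -Apply; a service that then misbehaves is reverted by setting its StartName from the CSV back with the same Change() call.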
Old 12-09-2007, 5:37 PM   #3
APK
Member
 
STEP #2 - Removing unnecessary Network Client & Protocols in your Connection ONLINE

IF you have a HOME LAN/network? You skip this/leave this alone!

(... & do not disable the SERVER service (it creates the hidden default C$ administrative share for example) in services.msc & keep 127.0.0.1 (the default lone entry it has) in your %windir%\system32\drivers\etc HOSTS file as well).

2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)!

E.G.-> Here? I pull ANY Networking clients (Client for MS Networks/File & Printer Sharing)) &/or Protocols (QoS = just 1 example) in the Local Area Connection! You can either UNCHECK THEIR CHECKBOXES (if say, you do decide to bind this machine to a network of some kind one day, OR have to occasionally (with family/friends' PC's or LAN parties for example))... OR, wholesale uninstall them.

NOTE - sometimes, even TROJANS/SPYWARES/MALWARES HIDE HERE ALSO - the std. set is:
  • Client For Microsoft Networks (removable via uninstall OR uncheck of checkbox if you have no LAN connectivity needs)
  • File and Printer Sharing (removable via uninstall OR uncheck of checkbox if you have no LAN connectivity needs)
  • QoS (removable via uninstall OR uncheck of checkbox if you have no LAN connectivity needs)
  • Tcp/IP Internet Protocol (need it to get online AND for Active Directory Networks too)
(That is, unless it's for an antivirus & their Layered Service Provider hacks, such as Trend Micro use here, or more "hidden ones" like NOD32 or NAV use - sometimes, they're OK! So... look up others you MAY see here & decide if you need them or not, or if programs you do use that are LEGITIMATE need the others I do not list that are not std. w/ Microsoft OS', as those are above)

So, other than Tcp/IP typically, it gets removed here if I have no LAN (via either uninstall OR uncheck).

(I also disable NetBIOS over Tcp/IP in the WINS section of Tcp/IP Properties ADVANCED button section also - see, if you don't have a HOME or WORK LAN you can & go faster + be potentially more secure also. Again, for my single machine setup currently here, I certainly don't need anything more than Tcp/IP running, as I am currently @ home on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN).

Stopping the SERVER service helps here as well (no shares possible, not even the default C$ administrative share, iirc)

Also regarding the HOSTS file (which I also mention in this article as it yields HUGE security and speed benefits, more than this does by far imo)?

IF you have a LAN/WAN you use (or not), you will have to have the mandatory entry of:

127.0.0.1 localhost

In the HOSTS file, more on it below (needed for networking with a LAN/WAN - you could technically, dispense with it otherwise, but, as you can see above? It has practical uses... even SpyBot utilizes it & that is one HELL of a program, for this purpose:SECURITY!).

APK

Last edited by APK; 04-07-2008 at 3:40 AM.
Old 12-09-2007, 5:38 PM   #4
APK
Member
 
STEP #3 - IP Security Policies usage

3.) Use IP security policies (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:

http://www.analogx.com/contents/articles/ipsec.htm

(Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)

NOTE: This can be 'troublesome' though, for folks that run filesharing clients though.

An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.

(HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it & when done? TURN THEM ON, AGAIN! These work WITH software & hardware router firewalls, IP port filtering, and security IP policies, simultaneously/concurrently, for "layered security", no hassles!).

APK

Last edited by APK; 04-07-2008 at 3:41 AM.
Old 12-09-2007, 5:38 PM   #5
APK
Member
 
STEP #4 - IP Ports Filtrations

Port Filtering (HOW TO & WHY)

4.) Another thing I do for securing a Windows NT-based OS: IP Port Filtrations (like ip security policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IPSecurity policies, hardware AND software firewalls, all in combination/simultaneously running)!

DIRECTIONS ON HOW TO IMPLEMENT THEM (very easy):

Start Menu ->

Connect To Item (on the right hand side) ->

Local Area Connection (whatever you called it, this is the default, iirc) open it via double click OR, right-click popup menu PROPERTIES item ->

Properties button on left-hand side bottom, press/click it ->

NEXT SCREEN (Local Area Connection PROPERTIES) ->
"This connection uses the following items" (go down the list, to Tcp/IP & select it & click the PROPERTIES button there) ->

Press/Click the Advanced Button @ the bottom Right-Hand Side (shows Advanced Tcp/IP Settings screen) ->

OPTIONS tab, use it & Tcp IP Filtering is in the list, highlight/select it ->

Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side ->

Check the "Enable Tcp/IP Filtering (on all adapters)" selection ->

In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp) ->

In the far left "tcp ports" list - check off the radio button above the list titled "PERMIT ONLY", & then add ports you want to have open (all others will be filtered out, & for example, I leave ports 80, 8080, & 443 here open, only on my standalone, non-networked home machine!)

(For a HOME or WORK LAN, you may need to open up ports 135/137/139/445 for a Windows based network for file & print sharing PLUS enable NetBIOS over Tcp/IP in your network connection properties & ENABLE Client for Microsoft Networks & File and Print sharing too)

NOTE - you may need more if you run mail servers, & what-have-you (this varies by application))

I leave the UDP section "PERMIT ALL" because of ephemeral/short-lived ports usage that Windows does (I have never successfully filtered this properly but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)) ->

DONE!

You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA? This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

----

http://www.microsoft.com/technet/com...uy/cg0605.mspx

(In THAT url above? Trust me - Enjoy the read, it is VERY informative: That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

----

Also, these URL's will be helpful as well, bigtime (for understanding (e.g. - knowing which IP ports you need to leave open & why (or, why not)):

IANA PROTOCOL NUMBERS LIST:

http://www.isi.edu/in-notes/iana/***...otocol-numbers

IANA PORTS LIST (well-known, registered, & dynamic/private ports):

http://www.isi.edu/in-notes/iana/***...s/port-numbers

APK

Last edited by APK; 05-24-2008 at 3:54 PM. Reason: Added IANA ports #'s & IP ports references for readers
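An added example, not code from APK's post: a PowerShell script that reports what TCP/IP Filtering is currently set to on every interface, and with -Apply writes the stand-alone configuration the post walks through (TCP permit only 80/8080/443, UDP permit all, IP protocols 6 and 17). It assumes, from memory of Microsoft's documentation rather than from the post, that the Advanced TCP/IP Settings dialog stores its choices in the registry values EnableSecurityFilters (under Tcpip\Parameters) and the per-interface REG_MULTI_SZ lists TcpAllowedPorts, UdpAllowedPorts and RawIpAllowedProtocols, where a lone "0" means "Permit All".

```powershell
# Added example, not part of APK's post. Audits (and with -Apply, sets) the TCP/IP
# Filtering that Step #4 configures through the Advanced TCP/IP Settings dialog.
# Assumption (from memory of Microsoft docs, not from the post): the dialog writes
# EnableSecurityFilters under Tcpip\Parameters and, per interface, the REG_MULTI_SZ
# values TcpAllowedPorts / UdpAllowedPorts / RawIpAllowedProtocols ("0" = Permit All).
param([switch]$Apply)   # without -Apply nothing is written; run elevated to apply

$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# The post's stand-alone machine example. For a home/work LAN the post instead opens
# 135/137/139/445 as well; add them to TcpAllowedPorts if that is your case.
$Wanted = @{
    TcpAllowedPorts       = @('80', '8080', '443')   # PERMIT ONLY these
    UdpAllowedPorts       = @('0')                   # PERMIT ALL (ephemeral ports)
    RawIpAllowedProtocols = @('6', '17')             # 6 = TCP, 17 = UDP
}

# Render a REG_MULTI_SZ filter list the way the dialog shows it.
function Describe($list) {
    if (-not $list -or (@($list).Count -eq 1 -and @($list)[0] -eq '0')) { return 'Permit All' }
    return 'Permit Only ' + (@($list) -join ', ')
}

$enabled = (Get-ItemProperty -Path $Params -ErrorAction SilentlyContinue).EnableSecurityFilters
$state = if ($enabled) { $enabled } else { 'not set (filtering off)' }
Write-Host "EnableSecurityFilters = $state"

foreach ($iface in Get-ChildItem "$Params\Interfaces") {
    $p = Get-ItemProperty -Path $iface.PSPath
    Write-Host "`n$($iface.PSChildName)"
    foreach ($name in 'TcpAllowedPorts', 'UdpAllowedPorts', 'RawIpAllowedProtocols') {
        Write-Host ("  {0,-22} {1}" -f $name, (Describe $p.$name))
    }
    if ($Apply) {
        foreach ($name in $Wanted.Keys) {
            Set-ItemProperty -Path $iface.PSPath -Name $name -Value $Wanted[$name] -Type MultiString
        }
    }
}

if ($Apply) {
    Set-ItemProperty -Path $Params -Name EnableSecurityFilters -Value 1 -Type DWord
    # As the post says: this lives in tcpip.sys, not ipsec.sys, so a reboot is needed.
    Write-Host "`nFilter written on all interfaces; reboot for tcpip.sys to load it."
}
```

Run it without -Apply after configuring through the dialog to confirm the GUI and the registry agree, and again after the reboot to confirm the filter is active.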
Old 12-09-2007, 5:39 PM   #6
APK
Member
 
STEP #5 - CUSTOM HOSTS FILES, & their SPEED and SECURITY benefits

CUSTOM HOSTS FILE USAGE (for speed, AND SECURITY)

5.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE (my personal one houses, as of this date, 823,891 known adbanner servers, OR sites known to bear malicious code & exploits)

Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filtering files + cascading style sheets for this purpose.

(As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))

For a copy of mine, write me, here -> apk4776239@hotmail.com

And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)

RESULTS USERS WHO HAVE USED MY HOSTS FILE ARE SEEING? OK - THIS TESTIMONIAL SHOULD SERVE THE PURPOSE AS A "NUFF SAID":

----

http://forums.theplanet.com/index.ph......60&start=60

"the use of the hosts file has worked for me in many ways. for one it stops ad banners, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i do not get 200++ viruses and spy ware a month as i use to. now i am lucky if i get 1 or 2 viruses a month. if you want my opinion if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spy ware, but if you do get hit with viruses and spy ware then it will your own fault. keep up the good fight APK."

- Kings Joker, user of my guide @ THE PLANET

----

So, as you can see?

Someone who used to get HUNDREDS of malware infestations a month, by stumbling into bad malscripted websites or those that serve up malware executable downloads, etc./et al, is now FAR BETTER PROTECTED by the version of my HOSTS file I use, & NO LONGER SEES THAT LEVEL OF INFESTATION, no less!

(He gets it each day from me, via email, because I keep up on it everyday via the lists below (And, via a program I wrote to integrate the entries, alphabetize them (helps with DNS client cache loads, or B-Tree populations in diskcache), & lastly, to "normalize it" via duplicated entries removal (so file is smaller & faster to load/read too)))

It just works!

Additionally, it works SO WELL, that Kings Joker above runs Windows 2000, no service packs, no hotfixes, no antivirus, no antispyware programs (he just installed them recently to check his infestation levels in fact, but for 1/2 a year++ or more, he did not, to test this, acting as my "Lab Rat #1" in fact)... And, his results? NO SPYWARE/MALWARE/TROJANS/VIRUSES/WORMS (NO malware-in-general):

For direct reply on his findings & results? Write him here ->
walbergerj@yahoo.com

He can "fill you in" on the rest, as to his results &/or findings (which basically state that all you need, is to run a protective custom HOSTS file that's kept current, & be judicious about your usage of javascript (both points are covered in this article/guide, extensively, AND THEY WORK!)

----

An example of WHY you'd want to use one of these for security's sake? Read here:

Why block out adbanners, for security then (not just for added speed)? Well, because they have been found as bearing malware in them, per these articles:

HACKERS USE ADBANNERS ON MAJOR SITES TO HIJACK YOUR SYSTEM -> http://www.wired.com/techbiz/media/n...11/doubleclick

THE NEXT AD YOU CLICK MAY BE A VIRUS -> http://it.slashdot.org/story/09/06/1...May-Be-a-Virus

NY TIMES INFECTED WITH MALWARE ADBANNER -> http://news.slashdot.org/article.pl?.../09/13/2346229

MICROSOFT HIT BY MALWARES IN ADBANNERS -> http://apcmag.com/microsoft_apologis...ng_malware.htm

Additionally, there IS the FACT that downloading adbanner content takes up bandwidth you pay for, and CPU time (& thus, electricity) + RAM in processing adbanner code (for animations & the like) within your webbrowser programs also... HOSTS files stop all of these happening, per this list of adbanner "downsides"...

ADBANNERS SLOW DOWN THE WEB -> http://tech.slashdot.org/article.pl?sid=09/11/30/166218

ADDITIONALLY, WATCH IT USING JAVASCRIPT "EVERYWHERE/INDISCRIMINATELY", per this article:

http://news.cnet.com/JavaScript-open...9891&subj=news

(OPERA offers native 'site-by-site' preferences for this & other things like cookies, FireFox has NoScript & Adblock addons)

----

ADDITIONALLY, because on Windows Server 2003 (however, no others I have seen @ least so far), sometimes, the HOSTS file precedence vs. say, local DNS servers on a LAN, gets overridden by them? You MAY have to implement this:

How to change name resolution order on Windows 95 and Windows NT -> http://support.microsoft.com/kb/139270/EN-US

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"LocalPriority"=dword:00000005
"HostsPriority"=dword:00000006
"DnsPriority"=dword:00000007
"NetbtPriority"=dword:00000008

(LOWER NUMBERS HERE = GREATER PRIORITY)

As you can see, I give my LOCAL DNS Cache the greatest priority (because it has my HOSTS file loaded into it @ system startup (IP stack startup, actually)), & THEN, my custom adbanner blocking/speedup fav sites (which this post is showing folks how to do, & yes, it works) is next, & then my ISP/BSP's DNS servers, & lastly NetBios/WINS stuff (which I just plain do NOT use, because I have no LanManager style network running here, ONLY Tcp/IP)

----

IMPORTANT NOTE: IF your system seems to "lag" while the HOSTS file is in use (this typically does not occur with 1mb or less sized HOSTS files in my experience), especially IF it is a relatively LARGER SIZED one (in the case I saw where this happened, it was a 12mb sized one I use, & it was applied on a Windows XP Home Edition system w/ 256mb of RAM on an AMD Athlon64 3200mhz system), YOU MAY HAVE TO DISABLE YOUR DNS Client Service!

* This is achieved via going to the START button, RUN command, type in SERVICES.MSC & once it comes to the screen, find the DNS Client Service in the list of services & right-click on it (or, doubleclick) & use the PROPERTIES screen, & use the STOP button (to stop the service) & then set its startup type to DISABLED, & this 'lagging' goes away (reboot is recommended, especially on Windows 2000 systems, for the HOSTS file to reload... otherwise, changes may take up to 5 minutes to take, so reboots make that quicker & assured on ANY Ms Windows-NT based OS (2000/XP/Server 2003 & VISTA)).

----
DIRECTIONS FOR USE (also in my downloadable CUSTOM HOSTS file above, with MORE on how to really use them to get even more speed than blocking adbanners mind you is in its internal documentation):

You replace your:

%windir%\system32\drivers\etc

Original version of HOSTS with this one (overwrite it, but, first copy your original OR rename it to keep it around IF ever needed), & have @ it (HBO internet, no commercials + thus MORE SPEED (and, you WILL notice it) by not calling out to ad servers, loading their data, & running it... & certainly NO possibility of being infected by adbanners that bear RBN (Russian Business Network) malware javascripted/FLASH bearing adbanners that infect you as has been seen lately/very currently in fact - between this, and stalling out Java/JavaScript + ActiveX/ActiveScripting globally in your browsers as noted in the last step & why? You are "proof" against MOST attacks today (& consider disabling IFrames too, an oft used attack today as well!)).

Now, like I do? It IS possible to alter the default location of the HOSTS file, & to take away I/O from your main disk to load it by using another one... like a 2nd HDD you may have IF you have one for example!

(E.G.-> I move mine to my CENATEK RocketDrive SSD (solid state RamDisk), for F A S T access since seek times on it are 1000's of times faster than on std. mechanical disks, & doesn't matter WHAT kind - & here I also place my pagefile.sys on its own partition (first) & then webpage caches, %temp% environmental variable ops, logging (even eventlogs, which like HOSTS file, can be moved in the registry to another disk, & applications often have the ability to move their logs in their configuration screens as well)) via this registry key, should you elect to do the same:

In regedit.exe's right-hand-side pane, follow this path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

& in the left-hand-side pane of regedit.exe, you change the DataBasePath path value there to the disk & folder you wish to place your HOSTS file in (which makes for faster OS & IP stack initialization since it is on another drive, in my case an SSD so it is THAT MUCH QUICKER since seeks on them are so fast, to load the HOSTS data into your RAM (local DNS cache)).

----

ADVANTAGES OF HOSTS FILES OVER BROWSER ADDONS ALONE, & EVEN DNS SERVERS:

1.) HOSTS files eat A LOT LESS CPU cycles than browser addons do no less (since browser addons have to parse each HTML page & tag content in them)!

2.) HOSTS files are also NOT severely LIMITED TO 1 BROWSER FAMILY ONLY... browser addons, are. HOSTS files cover & protect (for security) and speed up (all apps that are webbound) any app you have that goes to the internet (specifically the web).

3.) HOSTS files allow you to bypass DNS Server requests logs (via hardcoding your favorite sites into them to avoid not only the TIME taken roundtrip to an external DNS server, but also for avoiding those logs OR a DNS server that has been compromised (see Dan Kaminsky online, on that note)).

4.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).

5.) HOSTS files also allow you to not worry about a DNS server being compromised, or downed (if either occurs, you STILL get to sites you hardcode in a HOSTS file anyhow in EITHER case).

6.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://en.wikipedia.org/wiki/Hosts_file ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

7.) HOSTS files aren't as vulnerable to "bugs" either like programs/libs/extensions of that nature are, OR even DNS servers, as they are NOT code, & because of what's next too

8.) HOSTS files are also EASILY secured well, via write-protection "read-only" attributes set on them, or more radically, via ACL's even.

9.) HOSTS files are a solution which also globally extends to EVERY WEBBOUND APP YOU HAVE - Not just a single webbrowser type (e.g. FireFox/Mozilla & its addons exemplify this, such as ADBLOCK)

10.) HOSTS files are NOT BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked, proving HOSTS files are a better solution for this because they cannot be blocked & detected for, in that manner), to that websites' users' dismay:

----

http://arstechnica.com/business/news...s-you-love.ars

An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM

"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."

and

"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"

Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!

----

This is NOT possible for websites to pull on you, IF you use a HOSTS file (vs. other adblocking technologies, such as ADBLOCK)

11.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own, & this? This stops that cold, too! Bonus...




(It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock, &/or NoScript (especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security")

APK

P.S.=> To keep "on top of the latest known malicious sites" online? See these sites (1 I mentioned here already, this is the rest of the list I use, & others too):

START OF WEBSITES & SOURCES + TOOLS I USED TO POPULATE THIS LIST + MY ORIGINAL LIST OF BLOCKED ADBANNERS SERVERS

http://ddanchev.blogspot.com/
http://www.malwareurl.com/listing-urls.php
https://zeustracker.abuse.ch/monitor.php?filter=online
http://www.malware.com.br/lists.shtml
http://securitylabs.websense.com/content/alerts.aspx
http://www.stopbadware.org
http://blog.fireeye.com/
http://mtc.sri.com/
http://www.scansafe.com/threat_center/threat_alerts
http://news.netcraft.com
http://www.shadowserver.org/
http://en.wikipedia.org/wiki/Hosts_file
http://www.mvps.org/
http://someonewhocares.org/
http://hostsfile.mine.nu/hosts0
http://hosts-file.net/?s=Download
http://www.stopbadware.org/home

Between they, & SpyBot "Search & Destroy"? You have most of, if not ALL of what a "body needs" for these purposes. If you know of others? Please list them, & thanks! apk

Last edited by APK; 04-24-2010 at 10:24 AM.
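Added example (not code from the original post): a small Python auditor for the HOSTS file usage described above. It parses the file, counts blackholed ad/C&C names, lists favourites you pinned on purpose, flags names redirected to a real address that are NOT on your pin list (the pattern a hosts-file hijack leaves), warns when the file is past the size the post associates with lag, locates the file via the DataBasePath registry value when run on Windows, and sets the read-only attribute recommended in point 8. The sample file, every name in it and the function names are constructed for illustration.

```python
"""Audit a Windows HOSTS file as used in the post: blackholed names, pinned
favourites, suspicious redirects, size/lag risk, and write protection.
Added example; the sample file and all names in it are constructed."""
import os
import stat
from dataclasses import dataclass, field
from ipaddress import ip_address

# Addresses that blackhole a name instead of redirecting it.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LOOPBACK_NAMES = {"localhost"}
# The post saw lag with a 12 MB file on a 256 MB XP box and none at 1 MB or less.
LAG_WARN_BYTES = 1 * 1024 * 1024
TCPIP_PARAMS = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

@dataclass
class HostsReport:
    size_bytes: int = 0
    lag_risk: bool = False                 # over LAG_WARN_BYTES: consider stopping DNS Client
    blocked: int = 0                       # distinct names sent to a blackhole address
    pinned: dict = field(default_factory=dict)       # name -> real address (hardcoded favourites)
    suspicious: list = field(default_factory=list)   # pinned names you did not declare as known
    duplicates: list = field(default_factory=list)   # same name, same address, repeated
    conflicts: list = field(default_factory=list)    # same name, different address (first line wins)
    bad_lines: list = field(default_factory=list)    # (line number, reason) for unparsable lines

def hosts_path():
    """Locate HOSTS via the DataBasePath value (REG_EXPAND_SZ, so %SystemRoot% is
    expanded); off Windows or without the value, fall back to the default folder."""
    folder = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "system32", "drivers", "etc")
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_PARAMS) as key:
            folder = os.path.expandvars(winreg.QueryValueEx(key, "DataBasePath")[0])
    except (ImportError, OSError):
        pass
    return os.path.join(folder, "hosts")

def parse_hosts(text):
    """Return ([(line_no, address, [names])], [(line_no, reason)]).
    A '#' starts a comment; whitespace separates the address from one or more names."""
    entries, bad = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            if len(parts) < 2:
                raise ValueError("expected '<address> <name> [<name> ...]'")
            address = str(ip_address(parts[0]))   # normalises e.g. '::0001' to '::1'
        except ValueError as exc:
            bad.append((no, f"{raw.strip()}: {exc}"))
            continue
        entries.append((no, address, [n.lower() for n in parts[1:]]))
    return entries, bad

def audit_hosts(text, known_pins=frozenset()):
    """Classify every entry; known_pins are the favourites you hardcoded on purpose."""
    report = HostsReport(size_bytes=len(text.encode("utf-8")))
    entries, report.bad_lines = parse_hosts(text)
    seen = {}   # name -> first address; Windows resolves with the FIRST matching line
    for _no, address, names in entries:
        for name in names:
            if name in LOOPBACK_NAMES:
                continue
            if name in seen:
                (report.duplicates if seen[name] == address else report.conflicts).append(name)
                continue
            seen[name] = address
            if address in BLACKHOLE:
                report.blocked += 1
            else:
                report.pinned[name] = address
                if name not in known_pins:
                    report.suspicious.append((name, address))
    report.lag_risk = report.size_bytes > LAG_WARN_BYTES
    return report

def make_read_only(path):
    """Set the read-only attribute the post recommends; returns True if it took."""
    os.chmod(path, stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
    return not (os.stat(path).st_mode & stat.S_IWRITE)

# Constructed sample, not a real blocklist: .test names and documentation addresses only.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1       localhost
0.0.0.0         ads.example-adserver.test     # blocked ad banner host
0.0.0.0         cnc.example-botnet.test       # blocked C&C name
192.0.2.10      www.example-favourite.test    # favourite pinned on purpose
198.51.100.7    update.example-antivirus.test # NOT on the pin list: looks like a hijack
0.0.0.0 tracker.example.test pixel.example.test
not-an-address  broken.example.test
0.0.0.0         cnc.example-botnet.test       # repeated line, same address
"""
```

Run `audit_hosts(open(hosts_path()).read(), known_pins={...})` against your own file; anything in `suspicious` deserves a look before you trust the machine's name resolution.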
Old 12-09-2007, 5:40 PM   #7
APK
STEP #6 - Registry "hacks" for SPEED, & SECURITY!

6.) USE Tons of security & speed oriented registry hacks (reconfiguring the OS basically - stuff like you might do in /etc conf files in UNIX/LINUX I suppose)

WARNING: DO NOT USE THESE ON VISTA, Windows Server 2008, or Windows 7 (unless you KNOW exactly what you're doing on them though, & know which are safe there (they ARE safe on Windows 2000/XP/Server 2003 though & VERY "generic" - I recommend you get my 'latest set' directly from MYSELF though, & my email for that is below, thank you))

Download them from here @ SOFTPEDIA (where they are rated 4/5, but, the HOSTS file here is way outdated, use the one I suggest in steps below this present one instead):

http://www.softpedia.com/get/Tweak/System-...up-Guides.shtml

OR

Read many of them here online:

=================================
APK "A to Z" Internet Speedup & Security Text!
=================================

http://www.neowin.net/news/main/01/11/29/a...--security-text

=================================

OR, just email me here for them -> apk4776239@hotmail.com

(The email option's the best, because I also have these PREBUILT, in .reg files, mind you, available by email, BUT, the ones I can mail ARE FULLY INTERNALLY DOCUMENTED!)

They are FULLY documented internally, with link url's to the Microsoft pages they came from, inside the .reg files, so YOU can look at what the hack does inside them, verify this @ MS, & know what the valid parameters are as well!

(This? It took me FOREVER a year or so ago to do this, but worth it!)

The URLs, or downloadable .mht files, outline it all (as do my prebuilt .reg files, probably the BEST choice of the lot imo), as to what you can ".reg file hack" for better SPEED, and SECURITY online, in a modern Windows 2000/XP/Server 2003 OS & has references from Microsoft in it for each setting plus their definitions & parameters possible!

APK

Last edited by APK; 11-02-2009 at 2:20 PM. Reason: Adding detail & options
Old 12-09-2007, 5:40 PM   #8
APK
STEP #7 - Local Security Policies tools, & FileSystem + Registry ACL security

7.) USE General LOCAL security policies (in gpedit.msc/secpol.msc - afaik though, these are NOT in XP "Home" edition, sorry)), these are VALUABLE tools (and will be needed & suggestions for it will be told to you by the CIS Tool noted above - great stuff!) and regedit.exe!

(Newly added - regedit.exe use is for registry ACL permissions, via its EDIT menu, PERMISSIONS submenu item (to add/remove users that have rights to registry hives/values, & to establish their rights levels therein))

ALSO NEWLY ADDED - Explorer.exe "right-click" on drive letters/folders/files (for file access ACL permissions hardening) using its popup menu selection of "PROPERTIES", & in the next screen, the SECURITY tab (to add/remove users that have rights to said items, & to establish their rights levels therein), also - this is another requirement of CIS Tool 1.x & its suggestions for better security.

HOWEVER: Here, you may not be able to see the SECURITY TAB mentioned above. This is why (AND, HOW TO FIX THAT & straight from the horse's mouth @ MS):

http://support.microsoft.com/kb/304040

==========

Turning on and turning off Simple File Sharing

Simple File Sharing is always turned on in Windows XP Home Edition-based computers. By default, the Simple File Sharing UI is turned on in Windows XP Professional-based computers that are joined to a workgroup. Windows XP Professional-based computers that are joined to a domain use only the classic file sharing and security interface. When you use the Simple File Sharing UI (that is located in the folder's properties), both share and file permissions are configured.

If you turn off Simple File Sharing, you have more control over the permissions to individual users. However, you must have advanced knowledge of NTFS and share permissions to help keep your folders and files more secure. If you turn off Simple File Sharing, the Shared Documents feature is not turned off.

To turn Simple File Sharing on or off in Windows XP Professional, follow these steps:

1. Double-click My Computer on the desktop.
2. On the Tools menu, click Folder Options.
3. Click the View tab, and then select the Use Simple File Sharing (Recommended) check box to turn on Simple File Sharing. (Clear this check box to turn off this feature.)

==========



* That turns the ability to see the NTFS ACL SECURITY TAB, back on in Explorer.exe, for YOUR usage here, in the capacity of security-hardening your machine!

APK

Last edited by APK; 04-07-2008 at 3:44 AM. Reason: Making it more concise
Old 12-09-2007, 5:41 PM   #9
APK
STEP #8 - AntiVirus/AntiSpyware/AntiRootkit tools, & OS + APPS patching

8.) KEEP UP ON PATCHES FROM MICROSOFT, for your OS & Microsoft Office Apps, & IE, etc., HERE (ordered by release date) and run AntiVirus/AntiSpyware/AntiRootkit tools (& yes, keep them updated/current)!

http://www.microsoft.com/downloads/B...der=descending

Again, keep up on antivirus/antispyware/antirootkit AND Java runtimes updates!

(Done either automatically via their services, or manually)

Download them manually & install them yourself (OR just let "Windows Automatic Updates" run)

ALSO - do the use of the "std. security stuff", like:

AntiVirus Programs
(NOD32 latest 2.7x - "best" one there is, all-around (best speed/efficiency, less "moving parts" in drivers (kernelmode-RPL0-Ring 0 portion) & services/gui usermode-RPL2-Ring3 sections + great consistent showings in detect rates, especially heuristics), & that is not only MY opinion after testing it vs. my former fav. NAV Corporate 10.2 (it is lighter in RAM & resource uses than NAV Corporate even, finds more viruses than others, & uses less "moving parts" (in the way of services componentry, than most do, & certainly less than NAV))

Proof? See here -> http://www.eset.com/products/compare.php

(That's a single source, there are others, such as av-comparatives.org, which also test & compare AntiVirus products out there as well on many levels (mostly detection rates). The URL above goes into more than that, such as program speed/efficiency/throughput, & the fact NOD32 is written almost TOTALLY in pure Assembler language (when, if coupled with a solid fast algorithm/engine, is untouchable even by C/C++ or Delphi even for that)).

+

SpyBot (Ad-Aware is another option) as my resident antispyware tool running in the background!

This tool in SPYBOT also installs & runs PERFECTLY in safemode (combined with ComboFix &/or SmitfraudFix, you can "burn out" just about ANY spyware/malware infestation in 30-60 minutes, depending on level of infection, speed of your disks/CPU/RAM, & amount of files on your disks - A good antivirus (See NOD32 above, best there is on speed/efficiency, resource consumption, & accuracy) alongside it plus vendor specialized "removal tools" is all a body needs (mostly) when infected.

AntiRootkit tools are another one to be conscious of nowadays, now that such machinations are available for Windows (they originated, afaik, in the UNIX world though).

The "best ones" (AntiRootkit scanners) & their download URL links are:

AVG AntiRootkit (NO LONGER UPDATED, credits to NightHawk, a forums member @ xtremepccentral.com)
BitDefender AntiRootkit
GMER
Rootkit Revealer
PrevX AntiRootkit
Rootkit Hook Analyzer
Sophos AntiRootkit
F-Secure Blacklight
Gromozon Rootkit Removal Tool
KLister
McAfee Rootkit Detective
PatchFinder
RogueRemover
VICE
System Virginity Verifier for Windows 2000/XP/2003

That is a list for you all to choose from, look them up on GOOGLE to download them from their homepages, as they all do a decent enough job though, & are 100% FREE - SO, DO use them!

APK

Last edited by APK; 02-25-2009 at 8:20 PM.
Old 12-09-2007, 5:42 PM   #10
APK
STEP #9 - Web Browser choices (for security), Browser 'isolation' tools & techniques

9.) It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE IE 7 Protected Mode"-like type scenario, isolating them into their own spaces in memory, here are 2 methods, how (not needed on VISTA though, afaik):

IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":

http://it.slashdot.org/comments.pl?s...7&cid=19310513

MY METHOD for RUNNING IE in a "runas limited user class" sandbox effect:

"It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.

Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd" on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batchfile c:\windows\ie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from your normal desktop and only run it from the restricted account. This way you can use IE without worry about any IE exploits"

---------

ANOTHER, VERY QUITE POSSIBLY SUPERIOR METHOD:

http://theinvisiblethings.blogspot.c...every-day.html

See section: Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root avoiding being a child process.

Note - The "invisible thing"? She's "Yuriko DeathStrike" as far as I am concerned... Joanna Rutkowska, my fellow "Polish Person" & she's a regular "wonder" in the security/hacking/cracking world!

This is my runopera.bat which runs opera as user internet:
psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"

PLUS, Windows Server 2003 has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)

---------

ANOTHER ALTERNATIVE THAT A USER SUGGESTED ADDON TO AUTOMATE THIS STUFF ON ISOLATION OF IE:

(Per "OILY 17" (TPU forums user) suggestion, to aid in automating this (a tool)):


http://forums.techpowerup.com/showth...284#post500284

"For running IE,Firefox etc as a throw away account has anyone tried this app out yet.Recently came across it, but have not tried it out yet.
Anyone any views?

http://www.sandboxie.com/

As the name suggests runs IE etc in a sand box effect."

Thanks oily (apk) - RECENT UPDATE: I've tried "sandboxie" & understand the layered filtering driver it employs for writes (ignores reads from main HDD) & it IS a great idea, + it works!

---------

ALSO - Microsoft puts out a tool for users for 2000/XP/Server 2003 called "DropMyRights" which also works, albeit on a diff. principle than SANDBOXIE DOES (via running like VISTA UAC does, dropping user privileges to various areas of your system). It is downloadable here:

DROPMYRIGHTS DOWNLOAD URL:

http://msdn2.microsoft.com/en-us/library/ms972827.aspx

DropMyRights commandline (for shortcuts/icons on desktop properties menu via rightclick usage on them etc.) usage is in a nutshell, structured like this, using IE as an example:

"C:\Documents and Settings\Administrator\My Documents\MSDN\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet Explorer\iexplore.exe" -extoff

---------

AND, keep in mind: even XP webbrowsers have a "safemode option" (like the default one of Windows Server 2003) that doesn't allow bad plugins/addons (or any) to run. Common commandlines for your shortcuts for that are:

INTERNET EXPLORER SAFEMODE COMMANDLINE SWITCH:

"C:\Program Files\Internet Explorer\iexplore.exe" -extoff

NETSCAPE NAVIGATOR/FIREFOX SAFEMODE COMMANDLINE SWITCH:

"C:\Program Files\Netscape\Navigator 9\navigator.exe" -safe-mode

APK

Last edited by APK; 05-17-2008 at 11:29 PM.
Old 12-09-2007, 5:43 PM   #11
APK
STEP #10 - Email practices, & COMMON-SENSE!

10.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person & even THEN, scan it with an antivirus (still gets email scanned though by your resident antivirus email scan component (use AntiVirus programs with these, OR, manually scan ANY attachments before opening them (if you get Microsoft Office .doc, .xls, .ppt etc. files uncompressed? HOLD DOWN THE SHIFT KEY AS YOU OPEN THEM - this stops macros from running & macros are the avenue utilized using VBA script to infect you))

APK

Last edited by APK; 04-07-2008 at 3:46 AM.
Old 12-09-2007, 5:44 PM   #12
APK
STEP #11 - NAT "firewalling" subnetting true stateful packet inspecting routers

11.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router (with cookie & scripting filtering built-in @ the hardware level), these are excellent investments for security.

BY THE WAY, IF YOU OWN A ROUTER? TURN OFF THE UPNP FEATURES IN IT!

Why?

Take a read:

Most Home Routers Vulnerable to Flash UPnP Attack:

http://it.slashdot.org/it/08/01/14/1319256.shtml

* Just to be safe...



APK

Last edited by APK; 01-22-2008 at 10:22 PM.
Old 12-09-2007, 5:45 PM   #13
APK
STEP #12 - Windows Server 2003's "SCW" (FOR Win2k3, ONLY!)

12.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP or VISTA (you have to install this, it does NOT install by default) first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as a starting point))...

Directions for its installation are as follows:

Start the Add or Remove Programs Control Panel applet.

Click Add/Remove Windows Components.

On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

DONE! Now, run it...

It is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

ALSO, per TPU forums user (username "xvi") @ techpowerup.com forums (software section): Use Microsoft Baseline Security Advisor, a free download from Microsoft as well to check your system for security holes, patch updates, etc. (be wary of the fact it does require various services running though, iirc, Terminal Server Services Client - I do NOT keep that running here anymore, & this program failed on me because of that (would not initialize @ all))

APK
Old 12-09-2007, 5:45 PM   #14
APK
IMPORTANT LAST POINTS: Browser safety ratings, + Scripting & addons safety, today

AN IMPORTANT SET OF POINTS TO SECURE YOUR WEBBROWSER, EMAIL PROGRAMS, & MORE:

STOP JAVASCRIPT USAGE IN YOUR BROWSERS (along with ActiveX & JAVA) On the PUBLIC internet, PERIOD (well, with SOME exceptions on sites that demand you use it, OR those that cannot function properly without it, some examples below)!


Why? Well, read on:

Fact is, that today? Well... Javascript's dangerous & can be used AGAINST you, as well as help you... it truly is, or can be, a 'double-edged sword'...

(For example - if you follow security related news, you will see that JavaScript is the key avenue being used against you in today's attacks (even thru adbanners!)). Some examples:

http://www.wired.com/techbiz/media/n...11/doubleclick

&

http://apcmag.com/5382/microsoft_apo...e_to_customers

If you MUST use Javascript (for instance, on a particular site like banking or shopping oriented ones)?

Try "NoScript" (the .xpi addon for FireFox/Mozilla/NetScape 9 etc.) & let it let YOU decide sites to use it on, & then DISABLE JAVA/JAVASCRIPT globally...

(& if you use IE, trying to do the same can be a nightmare (as IE will "nag you to death" if you turn off javascript on sites that use it)).

Opera has similar functionality, ALBEIT, built into it by default as a NATIVE tool!

I.E.-> The ability to GLOBALLY block scripting tools like Javascript, BUT... to also allow it for sites you MUST use it on as exceptions to the GLOBAL rule set in Tools, Preferences menus it has on its menubar.

Opera has the NATIVE BUILT IN ABILITY to allow you to use it on sites you visit IF you must, via rightclicks on the page & "EDIT SITE PREFERENCES" popup menu submenu item that appears.

Either way? It works, & I STRONGLY recommend this.

----

DISABLE INDISCRIMINATE USE OF ADOBE FLASH:

From Mike567 (giving credit, where credit's due):

http://forums.windowsforum.org/index...ic=33716&st=20

Quote:
Originally Posted by Mike567 (Jun 12 2008, 11:28)
You need to disable the plugins, where flash is located.

&, he's right... I "overlooked/omitted" that much!

Why is this important?? Well, take a peek here (very recent, 05/28/2008, as of the date of this posting):

Adobe Flash Zero-Day Attack Underway:

http://it.slashdot.org/article.pl?si...38247&from=rss

----

I also recommend Opera for these reasons (less security holes period, & the 1 it had yesterday? Patched yesterday too... fast!)

=====
SECUNIA DATA ON BROWSER SECURITY (dated 06/26/2008):
=====

Opera 9.27-9.50 (new release) security advisories @ SECUNIA (0% unpatched):

http://secunia.com/product/10615/?task=advisories

----

FireFox 3.x security advisories @ SECUNIA (100% unpatched):

http://secunia.com/product/19089/

----

IE 7 (latest cumulative update from MS) security advisories @ SECUNIA (37% unpatched):

http://secunia.com/product/12366/

----

Those %'s are the latest for FireFox 2.0.0.14, Netscape 9.0.0.6, IE7 after last "patch Tuesday" from MS with the "CUMULATIVE IE UPDATES" they have (see the security downloads URL I post in the 12 steps above to secure yourself), & Opera 9.27... all latest/greatest models.

So, as you can see?

Well, NOT ONLY IS OPERA MORE SECURE/BEARING LESS SECURITY VULNERABILITIES?

It's faster too, on just about ANYTHING a browser does, & is probably the MOST standards compliant browser under the sun (not counting HTML dev tools). This is borne out in these tests:

http://www.howtocreate.co.uk/browserSpeed.html

AND, yes others (most recently in Javascript parsing speeds, oddly enough, lol... given the topic of my post here that is), right here:

http://nontroppo.org/timer/kestrel_tests/

NEW NEWS/NEWSFLASH: FF3 is "king of the heap" here now, in javascript parsing speeds, but of what gain is this? Security risks abound in running javascript on "every site under the sun"... limiting it to sites you absolutely NEED it for is the way, IF you wish to stay safer online that is.

Opera's just more std.'s compliant - for example, having passed all the ACID (2/3 before anyone on the latter & one of the first for the former no less), plus it's faster + MULTIPLATFORM, & more secure than the others out there - thus, it's an "all-around" overall best solution!

QUESTION - So, "where do you want to go today?"...

ANSWER = Opera (if you're into speed, security, & std.'s compliance + using a webbrowser that runs on most any platform out there for computing is where).

----

ALSO - HOW TO SET THE "KILL BIT" ON ACTIVEX CONTROLS:

(I.E.-> This is how to stop an ActiveX control from running in Internet Explorer)

http://support.microsoft.com/kb/240797

In case you have "problematic" or security vulnerable ActiveX controls, per this RealPlayer example thereof:

http://service.real.com/realplayer/s...007_player/en/

APK

Last edited by APK; 06-26-2008 at 11:36 AM.
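Added example (not code from the original post) for the kill-bit pointer above: the KB article linked there describes setting "Compatibility Flags" to 0x00000400 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. This Python snippet builds a .reg file that sets that bit for a list of CLSIDs (the kind of documented .reg hack step 6 talks about) and parses an exported .reg to verify which controls are actually kill-bitted. The CLSID used is an obvious placeholder, not a real control.

```python
"""Build and verify ActiveX kill-bit .reg files (mechanism per KB240797).
Added example; the CLSID below is a placeholder, not a real control."""
import re

KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400          # bit in "Compatibility Flags" that blocks the control in IE
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{1,8})$', re.I)

def killbit_reg(clsids):
    """Return .reg text that sets the kill bit for each CLSID (merge with regedit /s)."""
    bad = [c for c in clsids if not CLSID_RE.match(c)]
    if bad:
        raise ValueError(f"not a CLSID: {bad}")
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines += [f"[{KILLBIT_KEY}\\{clsid.upper()}]",
                  f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\r\n".join(lines)

def killbitted(reg_text):
    """Parse exported .reg text (e.g. from 'reg export' of the key above) and
    return the set of CLSIDs whose Compatibility Flags include the kill bit."""
    found, current = set(), None
    prefix = KILLBIT_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):      # new key section
            key = line[1:-1]
            current = key.rsplit("\\", 1)[1].upper() if key.lower().startswith(prefix) else None
            continue
        m = FLAGS_RE.match(line)
        if m and current and int(m.group(1), 16) & KILL_BIT:
            found.add(current)
    return found

# Constructed export: one control kill-bitted, one with the bit clear,
# and a same-named value under an unrelated key that must be ignored.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Unrelated]
"Compatibility Flags"=dword:00000400
"""
```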
Old 12-09-2007, 7:37 PM   #15
Ski52
If I gotta go thru all this - I'll just throw it away and get another one................

Who you kiddin'?? A little much don't ya think??
Old 12-09-2007, 8:03 PM   #16
APK
On length of it: NOT AS BAD AS YOU THINK BECAUSE OF CIS TOOL making it FUN

Quote:
Originally Posted by Ski52
If I gotta go thru all this - I'll just throw it away and get another one................

Who you kiddin'?? A little much don't ya think??
Heh, yes, it is long to do & test it, as I stated @ the end... but, the rewards are YEARS of uptime, safe & SECURE uptime.

Faster too, oddly enough. Though it's often said, layers of security (even 1) slow you down. Layered security IS where it is @, & that guide above gives it to you. In essence: Bust thru one locked door, to encounter yet another, & layers of that is what it shows you.

Also - The stuff above, in some of it? I personally GUARANTEE you speed increases online, noticeable ones (faster bigtime)... just in using CUSTOM HOSTS FILES ALONE from step #5, especially today (in the era of hijacked adbanners no less & javascript gone wrong (IFrames too)).

E.G.-> Plus, I have had this SAME setup on Windows Server 2003 SP #2 fully hotfix patched after every "patch tuesday" from MS, keep "up & running" 24x7 since late 2002/early 2003 iirc (that's about when I first set it up) & on this rig, my newest? Since 2005... & because of the steps noted above mainly. No virus/spyware/trojans/malware etc. @ all.

(You can too!)

* I guess the "best part" of this whole thing, while using CIS Tool, is that it makes it ALMOST FUN to do, like a game, testing what you THINK you may know about how your OS is setup for security, vs. what the CIS tool result is in large part.

APK

P.S.=> I'll tell you 1 thing: I've been @ this field for 15 yrs.++ professionally, & I learned there is always MORE TO LEARN from using this tool for security of a PC in CIS Tool... it taught me a "trick-or-two", this is certain.

Now - Does it account for ALL of the things I put into the 12 steps above? No, it does not, for every one of them, which is why they are listed too... apk

Last edited by APK; 05-17-2008 at 11:32 PM. Reason: Putting in "salient points"...
Old 01-08-2008, 5:36 PM   #17
APK
A GREAT NEW DNS SERVER (with a "special security twist") - BUT, NOT FOR AD LANS/WANS!

Better, Safer, & F A S T E R DNS Servers

DO NOT USE THIS WITH A HOME or BUSINESS LAN THAT HAS ActiveDirectory going (because, for example - it will mess up things like FULL Outlook binding to EXCHANGE SERVER for instance, because of INTERNAL DNS SERVER dependencies AD has (ActiveDirectory is HEAVILY dependent on DNS resolutions is why))

That said & aside?

I found something VERY cool, as regards online security, that I stumbled onto during my meanderings online today!

ScrubItDNS:

http://www.scrubit.com



* GREAT IDEA, & it WORKS, painlessly... AND F A S T, too!

(OpenDNS is another GOOD one, but it is NOT as easy to setup for filtering things like "Pr0n" from kids eyes, so thus, I give the "nod" to ScrubIT DNS for that purpose, by ALL means!)

APK

P.S.=> Take a read of what it does, how EASY it is to implement (lol, they even give a GUI to do the job for you, because digging into your network connection MIGHT be a "bit much" for some folks, to make it easy for anyone really... 2 clicks!) & YOU DECIDE...

I have tried it, & it DOES work, by filtering off sites thru it that are 'dangerous' OR 'offensive' (like ones you might find that are involved with the above exploit, or others like GOOGLE + SPYBOT Search & Destroy help you with) - PLUS, Pr0n sites (some of you, lol, may NOT like that "feature" though).

Still, bottom-line - For layered security? This is a GOOD idea, this "scrubit" DNS server... imo, so far @ least... apk

Last edited by APK; 05-17-2008 at 11:33 PM. Reason: To warn users with HOME or BUSINESS ActiveDirectory LANS/WANS to avoid this one... apk
Old 01-08-2008, 9:20 PM   #18
ThRoNkA
Registered User
 
ThRoNkA's Avatar
 
Join Date: May 2003
Location: Plano, TX
Posts: 7,148
iTrader: (0)

ThRoNkA's System Info

If you DON'T like ScrubIt, try OpenDNS. Same technology and same stuff. Free for personal use.
__________________
iPhone 4 CDMA Verizon
16GB Version
iOS 5.0.1 Jailbroken
RedSn0w 0.9b6b

Motto: Why stick to default when it is yours?
Old 01-09-2008, 4:38 AM   #19
APK
Quote:
Originally Posted by ThRoNkA View Post
If you DON'T like ScrubIt, try OpenDNS. Same technology and same stuff. Free for personal use.
I mention OpenDNS above in fact (good point on your part also though)...

However:

I do NOT think OpenDNS does QUITE the same thing...

What I mean, specifically, is this - I do not believe that OpenDNS performs "scrubbing" out of any sites that say, do pornography, as their main theme... whereas, ScrubIT DNS servers, do.

(& I am not even sure if the folks @ OpenDNS perform "scrubs" of sites that are known to be hosters of malware (of varying forms such as virus/spyware/trojans/rootkits OR even poisoned adbanners via Javascript/Flash + Shockware Object/Java/ActiveX payloads, etc. et al)).

Correct me if I am wrong here though, & thanks in advance!

See - I used OpenDNS for a GOOD YEAR (or, more actually) prior to switching over to this one, yesterday, & I never noticed they doing as thorough of a job as this new server does & for the areas I note above.

NOT saying they are not "good stuff", because I do state literally above, that OpenDNS are (good stuff)...

I guess, my bottom-line here, so far in NOW using this new & FREE filtering DNS Server service?

I think based on what I've seen SO FAR @ least? They do not "cover as much ground" in filtering as say, ScrubIT DNS Servers do is all...

APK

P.S.=> Then again, as I stated in my last post?

The "porno/Pr9b" (whatever) scrubbing MIGHT not be a feature some folks would like (& that's not sarcasm, or any kind of putdown etc. because "to each his own" (as long as it does not bother OR harm others) is my motto, personally!))... apk

Last edited by APK; 01-09-2008 at 4:42 AM.
Old 01-09-2008, 6:20 AM   #20
ThRoNkA

That was added about May of 2007 - you have to tell it to do that.
I do agree with most of your information. Honestly, I have never heard of ScrubIt, but with my research after you posted it and comparison, OpenDNS is another option if you choose to choose it. That's all. BUT I would use ScrubIt because of your comparison and try it.

Last edited by ThRoNkA; 01-09-2008 at 6:25 AM.
Old 01-09-2008, 11:17 PM   #21
APK
Quote:
Originally Posted by ThRoNkA View Post
That was added about May of 2007 - you have to tell it to do that.
Heh, I used it for an entire year past (prior to 1-2 days ago, instead opting for ScrubIT DNS servers because of the default filtering), & I did NOT know that it did that!

Hey, don't get me wrong - I truly liked OpenDNS server, & mainly because of good speeds results were there using them!

Also - I had NO idea you had a way to "tell it to do that"... as you stated, lol!

Mainly, I say this, because I just entered their DNS Servers into my Network Connections LOCAL AREA CONNECTION is all, as the DNS servers I used...

So, where to tell them to perform filtering there, based on some DNS server's IP addresses, I guess is my question!

Cool to know you CAN, per what you state, but... HOW TO DO IT??


Doing DNS IP-to-URL resolutions with OpenDNS servers (getting them to do a "scrub filtered" net, proofing you more vs. various malware servers out there on "bad sites lists" etc. et al)?

Quote:
Originally Posted by ThRoNkA View Post
I do agree with most of your information.
Oh, that list of mine works... no questions asked. IF you can obey a few simple rules + restrictions from it (mainly JavaScript/ActiveX Controls/IFrames-Frames usages)? I'd wager one can stay virus/spyware/malware/trojan-free... I do!

Quote:
Originally Posted by ThRoNkA View Post
Honestly, I have never heard of ScrubIt, but with my research after you posted it and comparison, OpenDNS is another option if you choose to choose it. That's all. BUT I would use ScrubIt because of your comparison and try it.
Can you tell me though, HOW did you "tell OpenDNS" to do filtering/scrubbing of BOGUS sites & such, if all you really get from them is IP addresses of their DNS servers that you insert into your NETWORK Connection properties as your DNS Servers?

Thanks for that info.! Live & learn...

APK
Old 01-10-2008, 11:25 PM   #22
ThRoNkA

Quote:
Originally Posted by APK View Post
Oh, that list of mine works... no questions asked. IF you can obey a few simple rules + restrictions from it (mainly JavaScript/ActiveX Controls/IFrames-Frames usages)? I'd wager one can stay virus/spyware/malware/trojan-free... I do!
Trust me, I followed it to a "T" - I like it! It's part of our business PCs now.


Quote:
Can you tell me though, HOW did you "tell OpenDNS" to do filtering/scrubbing of BOGUS sites & such, if all you really get from them is IP addresses of their DNS servers that you insert into your NETWORK Connection properties as your DNS Servers?

No problem! Look at the feature list here:
http://www.opendns.com/features/overview/

1) Phishing Protection
2) Domain Blocking (you choose)
3) Adult Site Blocking (you choose)
4) Web Proxy Blocking (you choose)

To do this, you install the DNS in your Router, or PC. That's the easy part, like you described. BUT now you log in, after signing up for an account, add your PC to the list, aka your IP on the account setting, or even use a program to update your IP in their records via your OpenDNS login. Enabling of the features listed above is available on the fly.
Old 01-11-2008, 10:42 AM   #23
APK
Quote:
Originally Posted by ThRoNkA View Post
Quote:
Oh, that list of mine works... no questions asked. IF you can obey a few simple rules + restrictions from it (mainly JavaScript/ActiveX Controls/IFrames-Frames usages)? I'd wager one can stay virus/spyware/malware/trojan-free... I do!
Trust me, I followed it to a "T" - I like it! It's part of our business PCs now.
That's GREAT NEWS, & great for you - you're following the "recommended trend" by MOST of the 'security gurus' out here today: & that's to use LAYERED SECURITY & down to the 'endpoint nodes', such as PC workstations on a work OR home LAN/WAN!

ALSO?

* It truly IS good to see that it functions fine in a business environs (other than the one I apply it to on the job here daily, lol!) too, simply by following point #2's points/restrictions!

(MOSTLY, & watching it on PORT FILTERING too... & JUST AS WELL AS IT DOES ON HOME SYSTEMS (standalone with no home LAN) CONNECTED TO THE INTERNET via DSL/CABLEMODEM/FIOS, etc. et al!

Cool... good news!

Quote:
Originally Posted by ThRoNkA View Post
No problem! Look at the feature list here:
http://www.opendns.com/features/overview/

1) Phishing Protection
2) Domain Blocking (you choose)
3) Adult Site Blocking (you choose)
4) Web Proxy Blocking (you choose)

To do this, you install the DNS in your Router, or PC. That's the easy part, like you described. BUT now you log in, after signing up for an account, add your PC to the list, aka your IP on the account setting, or even use a program to update your IP in their records via your OpenDNS login. Enabling of the features listed above is available on the fly.
First off:

THANKS for that info.!



I say that, again, & mainly because OpenDNS is decent stuff (& as I stated here earlier, I had been using it for around 1 yr. now, prior to my trying this NEW filtering DNS server in ScrubIt DNS).

Now - It sounds ALMOST like it adds you to their DOMAIN via DNS Suffixes, based on your explanation here... but... I have not gotten to that page, but I will to learn more, once I get done posting this.

SO... that all said?

I will hold off on committing myself to THAT particular speculation of mine, as to how it works!

I.E.-> Once I try it out here I can make a better informed statement via observation of the network connection settings once this is in place to test it out!

(I say that, because, right now? Well - I am only guessing @ the mechanics used by your explanation @ this point)

HOWEVER - I do know that scrubitdns doesn't use DNS suffix registrations!

(BUT AGAIN: I will find out tonite, once I get home from work, HOW OpenDNS is implementing this... & see how "accurate" my guess here, really is).

APK

Last edited by APK; 01-11-2008 at 10:48 AM.
Old 01-13-2008, 7:15 AM   #24
APK
CIS Tool 90.112 score on Windows XP SP#2 fully hotfix patched, up from 46.x default

http://img297.imageshack.us/img297/2240/52041100vo6.png



That's an example of where your score (for users on Windows XP SP #2 no less fully hotfix patched as of this date) can be @ scoring-wise, on the CIS Tool benchmark test gauge of Windows Security, after following its suggestions for security-hardening your systems.

A 90.112 score... & that was AlexStarFire's score from the 3dguru.com forums, once he applied it to his home system ("stand-alone", non-HOME or WORK-LAN system, online on the public internet), which is way, Way, WAY up from its initial default score of 46.xxx/100...



* Thronka here, is an example (by way of contrast) who employed it to security-harden the endpoints on his LAN/WAN setup @ work, who is also enjoying it successfully as well, albeit this time, in a BUSINESS environs (as I have it as well, for both HOME standalone machine online today, & also on the job)

This is doable (if NOT advisable) to do, thus, in ANY type of concern... be it home, OR business.

APK

P.S.=> I hope you guys also employ it thus as well - it starts with reaching just 1 person, & then, by example? Others start to apply it also, & then things start to change "for the better", because by securing yourself, & maybe even setting up your pals' & families' machines this way? You lessen the possibility of "spreading the diseases" out there online today... apk

Last edited by APK; 01-13-2008 at 7:31 AM.
Old 01-13-2008, 2:26 PM   #25
ThRoNkA

Quote:
Originally Posted by APK View Post
http://img297.imageshack.us/img297/2240/52041100vo6.png



That's an example of where your score (for users on Windows XP SP #2 no less fully hotfix patched as of this date) can be @ scoring-wise, on the CIS Tool benchmark test gauge of Windows Security, after following its suggestions for security-hardening your systems.

A 90.112 score... & that was AlexStarFire's score from the 3dguru.com forums, once he applied it to his home system ("stand-alone", non-HOME or WORK-LAN system, online on the public internet), which is way, Way, WAY up from its initial default score of 46.xxx/100...



* Thronka here, is an example (by way of contrast) who employed it to security-harden the endpoints on his LAN/WAN setup @ work, who is also enjoying it successfully as well, albeit this time, in a BUSINESS environs (as I have it as well, for both HOME standalone machine online today, & also on the job)

This is doable (if NOT advisable) to do, thus, in ANY type of concern... be it home, OR business.

APK

P.S.=> I hope you guys also employ it thus as well - it starts with reaching just 1 person, & then, by example? Others start to apply it also, & then things start to change "for the better", because by securing yourself, & maybe even setting up your pals' & families' machines this way? You lessen the possibility of "spreading the diseases" out there online today... apk

If you are wary about getting into this, guys, do this instead.
The number one thing you can do is create a limited account for everyday use, along with an antivirus and anti-spyware program. Password protect that account and the admin account. Only use the admin account to make changes.
Thats the start - THEN USE HIS LIST!
Old 01-13-2008, 8:19 PM   #26
APK
Quote:
Originally Posted by ThRoNkA View Post
The number one thing you can do is create a limited account for everyday use, along with an antivirus and anti-spyware program. Password protect that account and the admin account. Only use the admin account to make changes.
Thats the start - THEN USE HIS LIST!
In a corporate environs, especially, this is absolutely the thing to do.



* Personally, & you guys MIGHT not believe this? I have had this setup "security-hardened" steadily more over time & running solid since early 2003!

(It all came from experiences starting FIRST in the NT 3.5x days, into NT 4.0, & into more "modern" variants like 2000/XP & now, Server 2003... this stuff, in principle, also works for VISTA too)

Setup like the above (well, not THAT well initially, because it gets better all the time really, patches & what-not PLUS increasing my "know-how" etc. from places like this & other sources too)??

I have had it running 110% "bulletproof & bugfree" (yes, there is ways to tell + tools & logs etc. et al, even against "hidden stuff")... in that entire timeframe.

4th yr. straight on THIS very setup I am typing from here to you now on, no less, better than ever (mostly per the above material) & surprisingly enough??

RUNNING AS THE ADMINISTRATOR USER HERE, the entire 4 yrs.! No hassles...

APK
Old 01-14-2008, 6:37 PM   #27
APK
IMPORTANT POINT - STRESSING DO NOT USE AD LANS/WANS with external DNS servers again

ONE THING THAT I HAVE TO NOTE, THAT IS RATHER IMPORTANT:

Using an external DNS server (like OpenDNS &/or ScrubIT DNS, which I mention last page - but, omitted this little critical factoid) in a business settings that utilizes Active Directory, is NOT a good idea:

SURE, ones like OpenDNS & ScrubIT DNS are excellent, fast, & more secured than std. ones your typical ISP/BSP gives you, no doubt...

HOWEVER:

There IS a catch-22, because they won't FULLY "mesh" with your internal LAN AD (active directory) setup, mainly because AD is SO DNS dependent, it's not funny.

Makes sense though - & I omitted this in my earlier posts about ScrubIT DNS in fact:

I mean, how on EARTH could an external DNS server be able to serve up IP addresses that are privatized behind a router & a subnet (unless LMHOSTS could work around it, that is)...

Systems under your LAN/WAN subnet with privatized non-internet broadcastable IP Addresses especially, like 169.254 (not that you'd usually see THAT, lol), 10.x.x.x, 172.x.x.x, & 192.168.1.xxx DHCP assigned ones... so, be wary of using them with LANS/WANS.

SO, anyone with a LAN/WAN (be it HOME, or BUSINESS)? Beware of using OpenDNS or ScrubIT DNS servers, even though I "extolled their virtues" on the pages preceding this one.

OpenDNS &/or ScrubIT DNS are GREAT for home users that have "stand-alone" (meaning not networked to other computers' drives + printers, etc. et al) setups, that are hooked up to the internet... they WILL "mess some stuff up" in ActiveDirectory/AD networks though.

Found that out myself in the past: For example - Things like Outlook (FULL) when setup to hitch up with EXCHANGE SERVER (instead of a POP or IMAP or even HTML mail account) will "flake out" for instance, IF you use external 3rd party DNS servers that are external to your network (LAN/WAN & home OR business).



* Sorry about that, I will have to edit that post for this too...

APK
Old 01-15-2008, 6:36 AM   #28
ThRoNkA

In regards to AD, make sure you use one DNS FOR ScrubIT and the other for your Business DNS. That's what I am doing at my office.
Old 01-15-2008, 7:27 AM   #29
APK
Quote:
Originally Posted by ThRoNkA View Post
In regards to AD, make sure you use one DNS FOR ScrubIT and the other for your Business DNS. Thats what I am doing at my office.
Hey Thronka: Glad you showed up... & that is one point I was considering doing, myself, also - BUT, question (since you have implemented it successfully apparently):

Do you put the OpenDNS &/or ScrubIT DNS in as the PRIMARY DNS server, OR Alternate DNS server?

ON A GUESS?

I would say, put your INTERNAL AD DNS Server as the PRIMARY DNS

&

OpenDNS or ScrubIT DNS as the SECONDARY DNS...

In your LOCAL AREA CONNECTION, right?

APK

P.S.=> Thanks for participating in this, first of all, & secondly?

For showing up & commenting again on THIS note (external DNS server usage)

All in all - you've been a GREAT help to me by the way, so... thanks for that, in case I forgot to state it earlier! apk

Last edited by APK; 01-15-2008 at 7:37 AM.
Old 01-15-2008, 3:48 PM   #30
ThRoNkA

I got around that using a VPN. I used the ScrubIT DNS on the Alternate on my VPN and used the Full blown ones on my LAN. Works great
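The ordering question in the last few posts (internal AD DNS server preferred, the filtering resolver only as the alternate), as an added example that is not from the thread: a batch script for the XP/Server 2003-era netsh that sets the order on one adapter and then checks that the adapter can still locate a domain controller. The adapter name, both server addresses and the domain name are placeholders. The alternate server is only consulted when the preferred one fails to answer, so the order is what decides whether AD names keep resolving.

```batch
@echo off
REM Added example, not from the thread: order the DNS servers on a domain-joined
REM client so the internal AD DNS server is preferred and the filtering resolver
REM is only the alternate, then verify that a domain controller is still found.
REM All four values below are placeholders (assumptions), replace with your own.
set "ADAPTER=Local Area Connection"
set "AD_DNS=192.168.1.10"
set "FILTER=203.0.113.53"
set "DOMAIN=corp.example"

REM 'set dns ... static' replaces the whole list with one preferred server;
REM 'add dns ... index=2' appends the alternate behind it.
netsh interface ip set dns name="%ADAPTER%" source=static addr=%AD_DNS%
if errorlevel 1 (
    echo FAIL: could not set the preferred DNS server on "%ADAPTER%"
    exit /b 1
)
netsh interface ip add dns name="%ADAPTER%" addr=%FILTER% index=2

REM Clear cached answers so the checks below really ask the servers just set.
ipconfig /flushdns >nul

REM Check 1: the preferred server must return the SRV record AD clients use
REM to locate a domain controller; without it logons and Exchange binding break.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %AD_DNS% | findstr /i /c:"svr hostname" >nul
if errorlevel 1 (
    echo FAIL: %AD_DNS% did not return a DC SRV record for %DOMAIN%
    exit /b 1
)

REM Check 2: an external filtering resolver should NOT know the AD zone. If it
REM answers, the address is not really external or the zone is exposed.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %FILTER% | findstr /i /c:"svr hostname" >nul
if not errorlevel 1 (
    echo WARN: %FILTER% answered for the internal zone %DOMAIN%; review the setup
)

echo OK: "%ADAPTER%" prefers %AD_DNS% for %DOMAIN%, %FILTER% is the fallback
netsh interface ip show dns name="%ADAPTER%"
```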
Copyright © 2001-2013 by Xtreme PC Central.com. All rights reserved.