WINDOWS 7 RC build:7100 Securing & Safe Computing

PROTECTING YOUR PERSONAL COMPUTER FROM MALICIOUS THREATS


Pre-Setup Notes

As of August 12, 2009, all of the following procedures to secure the Windows 7 operating system have been tested in a virtual environment using VMware to ensure that there are no critical exploits to the system. After properly securing the Windows 7 environment, the operating system was tested against SiteProtector, a product of IBM that tests for vulnerable machines on a network. Windows 7 passed two scans by SiteProtector (one with the firewall on and one with the firewall off), which in theory validates the guidelines in these setup procedures. For testing purposes, I recommend using VMware or VirtualBox virtualization software. Feel free to test Windows 7 in these virtual environments to protect your host system from any unwanted damage.

Software tested on Windows 7:

Internet Browser – Passed

- Firefox is the recommended choice for safe computer browsing.

Most Major Firewalls (ZoneAlarm, Comodo) – Failed

- Outpost and PC Tools firewalls work, but they are not recommended for use during the early stages of Windows 7.

- Use the standard Windows firewall until vendors create a Windows 7 compliant firewall.

Antivirus – Passed

- Use Avira Free (recommended) or AVG Free.

Other Software That Passed:

MalwareBytes – Anti-Malware Software

Eraser – Hard-Drive Erasing Software

TrueCrypt – Hard-Drive and Volume Encryption Software

IZArc – Free Unzip/Zip software with over 20 different file extensions

CamStudio – Free Desktop Screen Recording Software

If any vulnerabilities or exploits are found during the testing of Windows 7 please contact and report to:

UCIT Office of Information Security Email:

[email protected]


HOW TO PROPERLY SET UP AND SECURE YOUR WINDOWS 7 PC FOR SAFE COMPUTING

This is a work in progress. Version – 07/30/09

Billions of people buy Microsoft software. Microsoft has therefore made a quite understandable decision to set up its products so as to operate smoothly right out of the box for the majority of people. Many computer users don’t know a great deal about the inner workings of computers and operating systems, nor do they need to for the most part. However, there are a few things that should be done to secure Microsoft Windows prior to putting it into use. This guide is designed to let the average computer user make a home PC or personal laptop much more protected against penetration by a hacker.

I have tried to make these instructions fairly comprehensive, but there is room for improvement in anything. If you have any suggestions, clarifications or corrections, please contact me at: [email protected]

A few notes before we begin:

• Where you see (RC), it indicates that you should “Right Click” the indicated item vs. left clicking as usual.

• [#] The number in square brackets indicates the number of minutes this step took me in my trial. Your experience may differ based on a variety of factors.

• Windows 7 and Windows Vista have gotten rid of the “ownership” factor of your own PC. What used to be “My Computer” and “My Documents” is now called “Computer” and “Documents”. When you see open “Computer” or open “Documents”, it means open “My Computer” or open “My Documents”.

• I usually do not give specific instruction steps for clicking “Apply”, “Save” or “OK”. These steps are implied by the instructions.

One last thing: Remember one immutable law of security. Physical access trumps almost any technical protections you may put in place. If you have a laptop, never leave it unattended. If it is stolen, a hacker will have unlimited time to break through your security. Buy a locking cable. Install a strong encryption package. None of the below will protect your system or data if a technically-minded thief has your computer.

That being said, let’s protect your machine from other types of attacks. All the steps below, including the clean install of Windows 7 Release Candidate, took less than 4 hours. On with the process…


1. Perform a Clean install of Windows 7 RC (release candidate). This copy of Windows is a pre-release beta of the final version of Windows 7. [~70 minutes]

Go to Device Manager (Start > Computer (RC) > Properties > Click Device Manager link on the left) and make sure all your devices are working properly. Anything with a yellow exclamation point should be fixed. Consult your documentation or support if you need help to resolve these.


2. Customize Start Menu to add “System Administrative Tools”. You will need these to perform some of the following configurations. [1]

Right click Start > click Properties

Go to Start Menu tab > Customize

Configure Start Menu Items to paste and add “System Administrative Tools” to your menu as shown:

3. Create a non-administrator user account for normal use. [3]


• Start > Control Panel > User Accounts and Family Safety > Add or remove user accounts

• Click Create a new account

• Enter the user name you desire and select Standard User

• Click on the new account


• Add a strong password. See http://www.uc.edu/infosec/password/choosepassword.html for tips.

4. Go to Computer Management [3]

• Two ways to get to it:

• Click Start > Computer (RC) > Manage

• Click Start > All Programs > Administrative Tools > Computer Management

• Secure the user accounts:

• Delete all unnecessary accounts (support, HelpAssistant, etc…) by right clicking each in turn and selecting Delete.

• In Windows 7 RC, these accounts (Support, HelpAssistant, etc…) are not pre-installed on the system. However, they might be present on a machine that has been factory loaded with the Windows 7 OS.

• The Guest account cannot be deleted, but it should already be disabled. (This is shown by the circle with a down arrow over the account.) Leave this account disabled.

• Set a strong password on all active accounts (including Administrator). For tips on how to select a strong password see: http://www.uc.edu/infosec/password/choosepassword.html

• Click Disk Management in the left pane and verify that all disk partitions are formatted with NTFS

5. Set a screen saver and set the system to require a password upon resume. [1]

Right Click anywhere on the desktop and select Personalize

Select the Screen Saver tab toward the bottom right of the window. Select your preferred Screen Saver.

Be sure to check “On resume, display logon screen” as shown


6. Open your Documents folder, and then select Organize > Folder and Search Options… [1]

Click View tab. Under “Hidden files and folders”, set “Show hidden files and folders” for the time being (you can set this one back to hide after we are done)

Scroll to the bottom and uncheck “Use Sharing Wizard” (this one you will want to keep this way)


7. Review and modify file permissions on your hard drives. [3]

Click Start > Computer. Right click on your main hard drive and select Properties

On the Sharing tab, remove the default share by clicking Advanced Sharing > uncheck Share This folder.

By default, Windows 7 does not share this folder.

On the Security tab, remove the “Everyone” group from file permissions by selecting it and pressing the delete key. By default Windows 7 does not have an “Everyone” group.

Repeat this for any other hard drives that might be connected to your computer

More permission setting advice can be found here, but this may be more detail than most users need to worry about… http://www.windowsitlibrary.com/Content/121/18/1.html

8. Configure Windows Firewall. [3]


• Click Start > Control Panel > System and Security > Windows Firewall

• On the side panel (left) click Turn firewall on or off

• Turn the firewall on for public and private networks. (You can either be notified of blocks or have Windows block all incoming connections, including those in the list of allowed programs.)

• Click the back button to return to the Windows Firewall main screen. Click Advanced Settings (panel to the left).

• Click Properties (panel to the right). Click Customize (located under Logging) and allow logging for dropped packets and successful connections

9. Raise the UAC slide bar – Yes, this is the same annoying pop-up box from Vista that asks you if you want to do the things you want to do. Put the slider all the way up to high. This is a very good defense tool, especially when it notifies you of things that you do not want to happen on your PC.

To access this, click Start > type UAC in the search bar (User Account Control Settings) > hit Enter on your keyboard

10. Change workgroup name if desired. [2]

• Click Start > Computer (RC) > Properties, click Change Settings (located under Computer name, domain and workgroup settings), under the Computer Name tab, click Change.

• Change the computer and workgroup name to meet your needs.

11. NOTE – For computers on your local workgroup to properly communicate, they will all need to be set up to:

• Have the same workgroup name

• Have different computer names

12. Disable Bluetooth if it is not being used. [1]

13. Disable Wireless if it is not being used. [1]

Note: The steps in this document will help protect your PC from attack, but understand that wireless connectivity is currently not a secure technology. It is possible to break WEP encryption (the wireless encryption still used by most wireless access points, if any is used at all) in less than 15 minutes using a tool that is freely available online. So, while wireless access is incredibly useful, it is not secure. This is just something to be aware of.

14. Connect your computer to your network via the network cable or wireless adapter. [1]

15. Install a reputable Anti-Virus package like McAfee, Panda or Avira. [5]

Currently, the University of Cincinnati offers free Anti-Virus/Spyware protection using the award winning McAfee antivirus software. The latest version of McAfee hosted on the University of Cincinnati’s website is fully compatible with Windows 7 and offers real-time scanning to prevent malicious content from accessing your PC. You can download McAfee by clicking the link below and following the directions for installation.

http://www.uc.edu/ucit/ware/software/mcafee.html

An alternative is to download Avira Free Anti-Vir Personal anti-virus. This is an award winning anti-virus program that offers real-time protection for your PC and catches threats almost instantaneously. Click the link below to download Avira Anti-Vir.

http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914

Update your Anti-Virus package. [7]

16. Install Internet Explorer 8 (Comes standard with Windows 7).

• For better security and safer browsing, install Google Chrome or Mozilla Firefox web browsers [15]

17. Secure Internet Explorer 8 on Windows 7. [5]

• Go to Internet Options (located under tools dropdown box)

• Go to the Privacy tab and set cookie security to High. Once you have done this, you will need to explicitly add any site that you want to have cookies. This requires a little extra work on your part, but it will virtually eliminate the incredible proliferation of cookies that infect most computers and dramatically compromise your privacy. There are a relatively low number of sites that absolutely require cookies.

• Go to the Security Tab and set to High for the Internet zone as shown.

• On the same tab, click “Trusted sites” (green checkmark). Click the Sites button

• On the resulting screen, uncheck “Require https” (at the bottom) and then enter the following URLs as shown above. These will be required to run Windows Update in the next step.

update.microsoft.com

*.update.microsoft.com

download.windowsupdate.com

windowsupdate.microsoft.com

18. Enable SmartScreen Filter on IE8 – SmartScreen Filter allows you to browse the internet safely by blocking malicious websites. To enable SmartScreen Filter, click Start > type Internet Options in the search bar (hit Enter) > click the Advanced tab > under Security make sure the box is checked next to “Enable SmartScreen Filter”.

19. Run Windows Update. [45]

Click Start > All Programs > Windows Update

Another window will open prompting you to update. Click the install updates button (if applicable).

Another method of updating your Windows OS is by going to www.windowsupdate.com on IE8 and following instructions from there.

20. Install any utilities that you may wish. [variable] Almost all programs can be run on Windows 7, even older programs that are not yet compatible with Windows 7!

• Unless otherwise stated in this manual, all software can be run on Windows 7. When you see (Not compatible with Windows 7), that particular software cannot be used with Windows 7. Testing of these non-compatible programs has been done so that you do not have to waste your time. These compatibility issues can either be permanent, or the software manufacturers have not yet developed new versions of their software to run on the Windows 7 environment.

• When you download and save an executable program (.exe) to your desktop, you can change its installation settings so that it can be compatible with Windows 7.

• After saving the executable file to your desktop, (RC) the saved (.exe) icon > click Properties > click the Compatibility tab on top > click “Run this program in compatibility mode for:” > then choose the legacy Windows OS of your choice in which to install the program.

21. Install ZoneAlarm. [4] Not Yet Compatible with Windows 7.

ZoneAlarm is a free bi-directional firewall that is consistently one of the best reviewed and secure personal firewalls on the market. http://download.cnet.com/ZoneAlarm/3000-10435_4-10039884.html

Windows has a built-in firewall, but third-party software such as ZoneAlarm offers better protection for your Windows OS. Once ZoneAlarm is compatible with Windows 7, it is recommended to uninstall any third-party firewall and download ZoneAlarm.

22. Windows 7 compatible Firewall. For the time being, companies that develop firewalls are taking part in the Windows 7 beta/RC testing. These companies are offering free firewall protection for the Beta/RC copies of Windows 7 to further develop their firewalls until the release of the Windows 7 OS. Explore your options online by doing a little research. Since very few firewall products are compatible with Windows 7 at the moment, using the standard Windows 7 firewall should be more than enough protection for your PC.

23. Feel as though your computer is infected with spyware/malware? Install Malwarebytes Anti-Malware, FREE spyware/malware removing software, and scan your PC. This program is a top rated contender among anti-spyware/malware programs. Reviews state that Malwarebytes is better than most non-open source Anti-spyware/malware programs. Click the link below to be redirected to the download page.

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

24. Some of my favorites are:

• Eraser - http://www.heidi.ie/eraser/download.php - this utility wipes your hard-drive clean, or can be used to wipe unnecessary data off of your drive for better performance and extra storage.

• TrueCrypt - http://www.truecrypt.org/ - run under Windows Vista Compatibility

Another utility Windows 7 offers that is just like TrueCrypt is Windows BitLocker. BitLocker is a hard-drive/USB/volume encryption utility that offers you security for your data storage media in the case of theft.

• WinRAR - http://www.rarlab.com/download.htm - not free

• IZArc – free open source archive utility (better alternative to WinRAR) that compresses and uncompresses files in over 20 different formats. http://www.izarc.org

• CurrPorts - http://www.nirsoft.net/utils/cports.html

25. Install & Configure Firefox. [10].

This is a preferred browser from a security perspective. Firefox offers better security than its rival browsers.

26. Configure Local Security Policies. [15]

Click Start > All Programs > Administrative Tools > Local Security Policies

• In the Account Policies > Password Policy section, set:

• Do Not Enforce Password History

• Set Maximum Password Age – 42 days

• Set Minimum Password Age – 0 days

• Minimum password length - 10

• Password must meet complexity requirements – Enabled

• Store password in reversible encryption - Disable

• Set Account Lockout Policy

• Duration 60 minutes

• Threshold 5 attempts

• Reset lockout counter 60 min

• Set Local Policies > Audit Policy as shown

• Under Security Options do the following.

• Accounts: Guest account – Disable

• Accounts: Rename administrator account – Rename this to something else. I chose “HighLevel”


• Accounts: Rename guest account – Rename this to something else. I chose “DoNotUse”

• Domain member: Require strong (Windows 2000 or later) session key – Enabled

• Interactive logon: Do not display last user name – Enabled

• Interactive logon: Do not require CTRL+ALT+DEL – Disabled

• Set a logon message if desired

(Like “This computer is the property of company X. Authorized use only.” etc…)

1. Interactive logon: Message text for users attempting to log on

2. Interactive logon: Message title for users attempting to log on

• Microsoft network client: Send unencrypted password to third-party SMB servers – Disabled

• Network access: Allow anonymous SID/Name translation – Disabled

• Network access: Do not allow anonymous enumeration of SAM accounts – Enabled

• Network access: Do not allow anonymous enumeration of SAM accounts and shares – Enabled

• Network access: Do not allow storage of credentials or .NET Passports for network authentication – Enabled

• Network access: Let Everyone permissions apply to anonymous users – Enabled

• These next three settings should have all their entries removed to prevent “Null Session” attacks:

1. Network access: Named Pipes that can be accessed anonymously

2. Network access: Remotely accessible registry path

3. Network access: Remotely accessible registry paths and sub-paths

4. Network access: Shares that can be accessed anonymously

• These are the default values for the above three keys. I am including them here in case you need them for future reference:

o Named Pipes – Do Not Enter Anything: by default there are no values in this setting

o Remotely accessible registry path:

System\CurrentControlSet\Control\ProductOptions

System\CurrentControlSet\Control\Server Applications

Software\Microsoft\Windows NT\CurrentVersion

o Remotely accessible registry paths and sub-paths:

System\CurrentControlSet\Control\Print\Printers

System\CurrentControlSet\Services\Eventlog

Software\Microsoft\OLAP Server

Software\Microsoft\Windows NT\CurrentVersion\Print

Software\Microsoft\Windows NT\CurrentVersion\Windows

System\CurrentControlSet\Control\ContentIndex

System\CurrentControlSet\Control\Terminal Server

System\CurrentControlSet\Control\Terminal Server\UserConfig

System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration

Software\Microsoft\Windows NT\CurrentVersion\Perflib

System\CurrentControlSet\Services\SysmonLog

o Shares that can be accessed anonymously – Do Not Enter Anything: by default there are no values in this setting

• Network access: Sharing and security model for local accounts – Classic

• Network security: Do not store LAN Manager hash value on next password change – Enabled

• Network security: LAN Manager authentication level – Send NTLMv2 response only\refuse LM & NTLM

• Network security: Minimum session security for NTLM SSP based (including secure RPC) clients – Check “Require NTLMv2” and “Require 128-bit encryption”

• Network security: Minimum session security for NTLM SSP based (including secure RPC) servers – Check “Require NTLMv2” and “Require 128-bit encryption”

• Recovery console: Allow automatic administrative logon – Disabled

• In User Rights Assignment, set the following. You will sometimes be removing groups (like “Everyone”) and adding others (like “SYSTEM”).

• Access this computer from the network – Administrators (remove “everyone” and other groups)

• Bypass traverse checking – Administrators, SERVICE, power users, users

• Deny access to this computer from the network – ANONYMOUS LOGON

• Deny logon locally – Guest

• Deny logon through terminal services – Everyone

• Log on as a batch job – <remove all>

• Log on as a service – <remove all>

• Log on locally – <remove Guest>
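
One way to confirm that the step 26 settings actually took effect is to export the local policy with secedit and compare it with the values listed above. The script below is an added example, not part of the original guide; the INF key names are the ones secedit writes to its export file, and the embedded policy text is a constructed sample so the script runs as-is.

```powershell
# Added example, not part of the original guide. Runs on PowerShell 2.0 (Windows 7).
# Constructed sample of an exported policy. On a real machine, export from an
# elevated prompt:  secedit /export /cfg "$env:TEMP\policy.inf" /areas SECURITYPOLICY
# and load it with: $policyText = [IO.File]::ReadAllText("$env:TEMP\policy.inf")
$policyText = @'
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 60
ClearTextPassword = 0
EnableGuestAccount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
'@

# Expected values taken from step 26. S = INF section, K = key, E = expected, L = label.
$lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa'
$sys = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Step26Checks = @(
    @{ S='System Access';   K='PasswordHistorySize';         E='0';  L='Password history not enforced' },
    @{ S='System Access';   K='MaximumPasswordAge';          E='42'; L='Maximum password age (days)' },
    @{ S='System Access';   K='MinimumPasswordAge';          E='0';  L='Minimum password age (days)' },
    @{ S='System Access';   K='MinimumPasswordLength';       E='10'; L='Minimum password length' },
    @{ S='System Access';   K='PasswordComplexity';          E='1';  L='Complexity requirements enabled' },
    @{ S='System Access';   K='ClearTextPassword';           E='0';  L='Reversible encryption disabled' },
    @{ S='System Access';   K='LockoutDuration';             E='60'; L='Lockout duration (minutes)' },
    @{ S='System Access';   K='LockoutBadCount';             E='5';  L='Lockout threshold (attempts)' },
    @{ S='System Access';   K='ResetLockoutCount';           E='60'; L='Reset lockout counter (minutes)' },
    @{ S='System Access';   K='EnableGuestAccount';          E='0';  L='Guest account disabled' },
    @{ S='Registry Values'; K="$lsa\NoLMHash";               E='1';  L='Do not store LAN Manager hash' },
    @{ S='Registry Values'; K="$lsa\LmCompatibilityLevel";   E='5';  L='NTLMv2 only, refuse LM and NTLM' },
    @{ S='Registry Values'; K="$lsa\RestrictAnonymousSAM";   E='1';  L='No anonymous SAM enumeration' },
    @{ S='Registry Values'; K="$lsa\RestrictAnonymous";      E='1';  L='No anonymous SAM/share enumeration' },
    @{ S='Registry Values'; K="$sys\DontDisplayLastUserName"; E='1'; L='Do not display last user name' }
)

# Parse "[Section]" / "key = value" text into a hashtable of hashtables.
function ConvertFrom-SecEditInf {
    param([string]$Text)
    $sections = @{}
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
            continue
        }
        if ($current -and $line -match '^(.+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $sections
}

# Emit one result row per check. A key that is absent from the export (policy
# never defined, or lockout keys omitted while the threshold is 0) is a failure.
function Test-Step26Policy {
    param([string]$Text)
    $inf = ConvertFrom-SecEditInf $Text
    foreach ($c in $Step26Checks) {
        $actual = $null
        if ($inf.ContainsKey($c.S) -and $inf[$c.S].ContainsKey($c.K)) {
            $actual = $inf[$c.S][$c.K]
            # Registry values are stored as "<type>,<data>"; keep only the data.
            if ($c.S -eq 'Registry Values') { $actual = ($actual -split ',', 2)[1] }
        }
        New-Object PSObject -Property @{
            Setting  = $c.L
            Expected = $c.E
            Actual   = $(if ($null -eq $actual) { '<not set>' } else { $actual })
            Pass     = ($actual -eq $c.E)
        } | Select-Object Setting, Expected, Actual, Pass
    }
}

Test-Step26Policy $policyText | Format-Table -AutoSize
```

Rows with Pass = False are the settings that still differ from this guide, including any that were never defined and so do not appear in the export at all.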

27. Shutdown and disable Services that are not required. [15]

• Start Services manager in one of two ways:

• Click Start > All Programs > Administrative Tools > Services

• OR

• Click Start > Type in the search bar at the bottom Services > click Services

• To stop a service:

• Select the service you want to modify (green arrow)

• Click the Stop button (red arrow)


• To set a service to Manual or Disable it:

• Double click the service you want to modify

• Stop the service (there are a few that will not stop until you reboot)

• Select Disabled or Manual under Startup Type

• Click Apply and OK

• Go through the Services manager and set the following services like this:

• Application Experience - Set to Manual

• Application Layer Gateway – Provides support for 3rd party plug-ins for Internet Connection Sharing/Internet Connection Firewall. Required if using Internet Connection Sharing/Internet Connection Firewall to connect to the internet. Automatic if using ICS, Disabled if not.

• Com + System… – Disable.

• Computer Browser – The browser service is used to maintain the list of PCs you see in Network Neighborhood. This is normally a server function. A home user can set this to Manual.

• Desktop Window Management Session Manager – Set to Manual

• Diagnostic Policy Service – Set to Manual

• Distributed Link Tracking Client – Distributed Link Tracking Client sends notifications of files moving between NTFS volumes in a network domain. Disable on a home computer.

• Distributed Transaction Coordinator – Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction-protected resource managers. Manual.

• DNS Client – Resolves and caches Domain Name System (DNS) names. This is normally provided by your ISP. Disable and if you have name resolution problems, return it to Automatic.

• Fax Service – Set to Manual if you don't need fax services.

• Internet Connection Sharing – If you want to share an Internet connection for your home network, then set this to Automatic. If not, leave this set to Manual.

• IP Helper – Set to Manual

• Net Logon – Supports pass-through authentication of account logon events for computers in a domain. Logging onto a domain? Leave it. Otherwise set it to Manual.

• Offline Files – Set to Manual

• Portable Device Enumerator Service – Set to Manual

• Print Spooler – Set to Manual

• Protected Storage – Set to Manual

• Remote Access Connection Manager – Only needed if you are configuring a new network connection. Keep Disabled normally.

• Remote Registry – Allows remote registry manipulation. A home user can set this to Manual.

• Routing and Remote Access – Offers routing services to businesses in local area and wide area network environments. A home user can set this to Manual.

• RPC – Manual. Cannot change in Windows 7

• Secondary Logon – Set to Manual.

• Security Accounts Manager – Stores security information for local user accounts. A home user can set this to Manual unless you are using Local Security Policy Editor.

• Server – Disable this service unless you are sharing files on your hard drive or your printer. Hackers will get nowhere if you do.

• SSDP – Part of UPnP. Disable.

• Tablet PC Input Service – Set to Manual

• TCP/IP NetBIOS Helper – Provides support for name resolution via a lookup of the LMHosts file. If you are not using LMHOSTS name resolution, you can set it to Manual.

• Telephony – Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Normally set to Manual on workstations. Leave it on Manual.

• Telnet – Allows a remote user to log on to the system and run programs using the command line. Disable!

• Universal Plug and Play Device Host – Provides support to host Universal Plug and Play devices. Disable unless installing new hardware.

• WebClient – Provides HTTP services for applications on the Windows platform. Required if you are running a web server. Most common entry point for hackers! Disable it.

• Workstation – Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Set this to Manual. May normally be left stopped.

• Reactivating Services

If you want to run certain functions of Windows, you will have to turn some services back on:

• To enable local workgroup networking – Workstation (set to auto)

• To be visible on local network – Server (set to auto)

• To see others on local network – Computer Browser (set to auto)

• If you install software that needs telephony, like Skype, you may need to re-enable Telephony and perhaps Remote Access Connection Manager. Test this by trying the software first and then enabling first one then the other.
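
The service settings from step 27 can be checked in one pass instead of opening each entry in the Services manager. The script below is an added example, not part of the original guide; the service short names are my mapping of the display names used above, and the service list it runs against is a constructed sample.

```powershell
# Added example, not part of the original guide. Runs on PowerShell 2.0 (Windows 7).
# Startup types from step 27 for the network-facing services, keyed by service
# short name. Services whose setting depends on your situation (ICS, Fax,
# Net Logon, TCP/IP NetBIOS Helper) are left out.
$Step27Baseline = @{
    'TlntSvr'           = 'Disabled'   # Telnet
    'WebClient'         = 'Disabled'   # WebClient
    'SSDPSRV'           = 'Disabled'   # SSDP Discovery
    'upnphost'          = 'Disabled'   # Universal Plug and Play Device Host
    'LanmanServer'      = 'Disabled'   # Server
    'RasMan'            = 'Disabled'   # Remote Access Connection Manager
    'TrkWks'            = 'Disabled'   # Distributed Link Tracking Client
    'RemoteRegistry'    = 'Manual'     # Remote Registry
    'RemoteAccess'      = 'Manual'     # Routing and Remote Access
    'Browser'           = 'Manual'     # Computer Browser
    'LanmanWorkstation' = 'Manual'     # Workstation
    'Spooler'           = 'Manual'     # Print Spooler
}

# Higher rank = starts more readily. A service set stricter than the guide asks
# (Disabled where Manual is listed) is not reported as a problem.
$StartRank = @{ 'Disabled' = 0; 'Manual' = 1; 'Auto' = 2 }

# $Services: objects with Name, StartMode and State, as returned by
#   Get-WmiObject Win32_Service | Select-Object Name, StartMode, State
function Compare-ServiceBaseline {
    param([object[]]$Services)
    foreach ($name in ($Step27Baseline.Keys | Sort-Object)) {
        $want  = $Step27Baseline[$name]
        $svc   = $Services | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        $mode  = '<not installed>'
        $state = ''
        $finding = 'OK'
        if ($svc) {
            $mode  = $svc.StartMode
            $state = $svc.State
            if ($StartRank[$mode] -gt $StartRank[$want]) {
                $finding = 'CHANGE STARTUP TYPE'
            } elseif ($want -eq 'Disabled' -and $state -eq 'Running') {
                # Disabled only takes effect at next start; some services
                # keep running until they are stopped or the PC reboots.
                $finding = 'STOP OR REBOOT'
            }
        }
        New-Object PSObject -Property @{
            Service = $name; Wanted = $want; StartMode = $mode
            State   = $state; Finding = $finding
        } | Select-Object Service, Wanted, StartMode, State, Finding
    }
}

# Constructed sample standing in for the Get-WmiObject output shown above.
function New-SampleService($Name, $StartMode, $State) {
    New-Object PSObject -Property @{ Name = $Name; StartMode = $StartMode; State = $State }
}
$sample = @(
    (New-SampleService 'WebClient'         'Manual'   'Stopped'),
    (New-SampleService 'SSDPSRV'           'Disabled' 'Running'),
    (New-SampleService 'upnphost'          'Disabled' 'Stopped'),
    (New-SampleService 'LanmanServer'      'Auto'     'Running'),
    (New-SampleService 'RasMan'            'Disabled' 'Stopped'),
    (New-SampleService 'TrkWks'            'Auto'     'Running'),
    (New-SampleService 'RemoteRegistry'    'Disabled' 'Stopped'),
    (New-SampleService 'RemoteAccess'      'Disabled' 'Stopped'),
    (New-SampleService 'Browser'           'Manual'   'Stopped'),
    (New-SampleService 'LanmanWorkstation' 'Auto'     'Running'),
    (New-SampleService 'Spooler'           'Auto'     'Running')
)

Compare-ServiceBaseline $sample | Format-Table -AutoSize
```

To audit the live machine, pass the Get-WmiObject output from the comment to Compare-ServiceBaseline in place of $sample.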

28. Disable Dump File Creation

• A dump file can be a useful troubleshooting tool when either the system or application crashes and causes the infamous "Blue Screen of Death". However, they also can provide a hacker with potentially sensitive information such as application passwords. You can disable the dump file by going to Start > Computer (RC) > Properties, click Advanced System Settings > Startup and Recovery section under Advanced tab > click Settings

Change the options for “Write Debugging Information" to None.

If you need to troubleshoot unexplained crashes at a later date, you can re-enable this option until the issue is resolved, but be sure to disable it again later and delete any stored dump files

29. Run GRC security tests. [5]

http://www.grc.com/freepopular.htm

• UnPlug n’ Pray

• Shoot the Messenger


• Leak Test

• MouseTrap

• SocketLock – doesn’t exist anymore

30. Set up software restriction policies. [5]

• Click Start > in the search bar at the bottom type Local Security Policy

• Click Software Restriction Policies, click Action, click New Software Restriction Policy

• Double click on Enforcement and set it to “All” (vs. not on libraries)

• Double click on Trusted Publishers and set it to “Allow only all administrators to manage Trusted Publishers”

31. Set up a share folder if desired

• If you want to share files with other computers on your home network, you will need to set up a shared folder. Create a new folder for this purpose, then right click on it and click Properties. On the Sharing tab, click “Advanced Sharing”. Provide the name of the share (“Share” below). I recommend that you limit the number of computers that can connect to your computer to a realistic number for your network. I put “2” in the example below. Once that is set, click the Permissions button. On the “Permissions for Share” screen, remove the “Everyone” group and replace it with “Authenticated Users”. Finally, add the “ANONYMOUS LOGON” group and set all permissions for it to Deny as shown.

32. Test your security. [4]

• Run GRC “ShieldsUP!” found at http://www.grc.com/default.htm

• If available, scan your system with a vulnerability scanner such as Nessus, ISS or NexPose

33. Change your boot sequence and set BIOS passwords. [6]

• Refer to your system documentation for instructions on how to do this

• Change the boot sequence to start with your hard drive

• For the slightly more paranoid, you can set the BIOS password so that the computer cannot even be started without entering a password. This will require you to enter two passwords to start up your system (BIOS and Windows) and is normally not required.

34. Post Configuration Clean-up

• If desired, you may hide your Hidden files again. Open your Documents folder, and then select Organize > click Folder and Search Options > click the View tab > Under “Hidden files and folders”, set “Do not show hidden files and folders”

To reset security if something gets fouled up… (Reference - http://support.microsoft.com/kb/313222) Even though Microsoft Fix it works for XP/Vista, this does not mean it works for Windows 7. Be very cautious when tampering with your OS settings.

• To reset Security Policies:

secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas securitypolicy /db secsetup.sdb /verbose

• To reset Services:

secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas services /db secsetup.sdb /verbose

• To reset User Rights:

secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas user_rights /db secsetup.sdb /verbose

• To reset All:

secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /db secsetup.sdb /verbose

35. Remember to always back up your data. It is important to back up your data in the event of your computer crashing, catching a virus, etc. Always back up your important data on an external drive.

References

• General

http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

http://www.windowsitlibrary.com/Content/121/18/1.html

http://www.pcworld.com/article/168535/seven_ways_to_secure_windows_7.html

• Services

http://www.tweakhound.com/xp/security/page_3.htm

http://www.ntsvcfg.de/ntsvcfg_eng.html

http://www.techknowl.com/2009/03/disable-unwanted-services-and-speed-up.html

• Registry

http://www.windowsitlibrary.com/Content/121/18/1.html

• Local Security Settings

http://support.microsoft.com/kb/823659

• Networking

http://www.grc.com/su-bondage.htm & http://www.grc.com/su-rebindingnt.htm

http://www.windowsnetworking.com/articles_tutorials/Install-Microsoft-Loopback-adapter-Windows-XP.html

http://www.windowsnetworking.com/articles_tutorials/Optimize-Network-Connections-Windows-XP.html

http://support.microsoft.com/default.aspx?scid=kb;EN-US;894564

• Folder and File Permissions

http://www.windowsitlibrary.com/Content/121/18/1.html

http://technet.microsoft.com/en-us/library/bb727037.aspx