Windows Vista
Securing & Safe Computing
Pre-Setup Notes
As of August 12, 2009, all of the following procedures to secure the Windows Vista operating system have been tested on a virtual environment using Sun VirtualBox to ensure that there are no critical exploits to the system. After properly securing the Windows Vista environment, the operating system was tested against SiteProtector, an IBM product that tests for vulnerable machines on a network. Windows Vista passed two scans by SiteProtector (1 with the firewall on and 1 with the firewall off) which in theory passed the setup procedures guidelines. For testing purposes, I recommend using VMware or Sun VirtualBox virtualization software. Feel free to test Windows Vista in these virtual environments to protect your host system from any unwanted damages.
Software tested on Windows Vista:
Internet Browser- Passed-Firefox is the recommended choice for safe computer browsing Most Major Firewalls (ZoneAlarm, Comodo) – Passed
- Vista passed vulnerability scan with IBM Internet Scanner with basic windows firewall. Antivirus-Passed
-McAfee VirusScan is Recommend (Free to UC community)
-Most major Anti-Virus software is compatible with Vista. Visit the windows website below for a full list of Anti-virus software that is supported.
http://www.microsoft.com/windows/antivirus-partners/windows-vista.aspx
Other Software That Passed:
MalwareBytes – Anti-Malware Software Eraser – Hard-Drive Erasing Software
TrueCrypt- Hard-Dive and Volume Encryption Software
IZARC- Free Unzip/Zip software with over 20 different file extensions
If any vulnerabilities or exploits are found during the testing of Windows Vista please report to: UCIT Office of Information Security Email:
HOW TO PROPERLY SET UP, AND SECURE YOUR WINDOWS VISTA PC
FOR SAFE COMPUTING
This is a work in progress. Version – 07/30/09
Billions of people buy Microsoft software. Microsoft has therefore made a quite understandable decision to set up its products so as to operate smoothly right out of the box for the majority of people. Many computer users don’t know a great deal about the inner workings of computers and operating systems, nor do they need to for the most part. However, there are a few things that should be done to secure Microsoft Windows prior to putting into use. This guide is designed to let the average computer user make a home PC or personal laptop much more protected against penetration by a hacker.
A few notes before we begin:
• Where you see (RC) it indicates that you should “Right Click” the indicated item vs. left clicking as usual.
• [#] The number in square brackets indicates the number of minutes this step took me in my trial. Your experience may differ based on a variety of factors.
• Windows Vista has gotten rid of the “ownership” factor of your own pc. Now, what used to be “My Computer and My Documents” is now called “Computer and Documents.”
• I do usually not give specific instruction steps for clicking “Apply”, “Save” or “OK”. These steps are implied by the instructions.
One last thing: Remember one immutable law of security. Physical access trumps almost any technical protections you may put in place. If you have a laptop, never leave it unattended. If it is stolen, a hacker will have unlimited time to break through your security. Buy a locking cable. Install a strong encryption package. None of the below will protect your system or data if a technically-minded thief has your computer.
That being said, let’s protect your machine from other types of attacks. All the steps from here on, including the clean install of Windows Vista, took less than 4 hours. On with the process…
1. Perform a Clean install of Windows Vista. [~40 minutes]
Go to Device Manager (Start > Computer (RC) > Properties > Click Device Manager link on the left)
…and make sure all your devices are working properly. Anything with a yellow exclamation point should be fixed. Consult your documentation or support if you need help to resolve these.
2. Customize Start Menu to add “System Administrative Tools”. You will need these to perform some of the following configurations. [1]
Right click Start > click Properties
Go to Start Menu tab > Customize
3. Go to Computer Management [3] (Only Vista Business and Vista Ultimate support the next step)
• Two ways to get to it:
1) Click Start > Computer (RC) > Manage
2) Click Start > All Programs > Administrative Tools > Computer Management
• Secure the user accounts:
1) Delete all unnecessary accounts (support, HelpAssistant, etc…) by right clicking each in turn and selecting Delete.
2) User account controls are only available in Windows Vista Ultimate and Windows Vista Business. For anyone with other versions please move to the next step.
3) The Guest account cannot be deleted, but it should already be disabled. (This is shown by the circle with a down arrow over the account.) Leave this account disabled.
4) Set a strong password on all active accounts (including Administrator). For tips on how to select a strong password see: http://www.uc.edu/infosec/HowToChooseAPassword.htm
4. Click Disk Management in the left pane and verify that all disk partitions are formatted with NTFS. [1]
5. Set a Screen Saver and set the system to require a password upon resume. [1] Right Click anywhere on the desktop and select Personalize
Select the Screen Saver tab toward the bottom right of the window. Select your preferred Screen Saver. Be sure to check “On resume, display logon screen” as shown
6. Open your Documents folder, and then select Organize > Folder and Search Options… [1]
Click View tab. Under “Hidden files and folders”, set “Show hidden files and folders” for the time being (you can set this one back to hide after we are done)
7. Review and modify file permissions on your hard drives. [3]
Click Start > Computer. Right click on your main hard drive and select Properties
On the Sharing tab, remove the default share by clicking Advanced Sharing > uncheck Share This folder. By default, Windows Vista does not share this folder.
On the Security tab, remove the “Everyone” group from file permissions by selecting it and pressing the delete key. By default Windows Vista does not have an “Everyone” group.
Repeat this for any other hard drives that might be connected to your computer
More permission setting advice can be found here, but this may be more detail than most users need to worry about… http://www.windowsitlibrary.com/Content/121/18/1.html
8. Configure Windows Firewall. [3]
• Click Start > Control Panel > Classic View > Windows Firewall
• On the side panel click Turn firewall on or off
• Check On(recommended)
• Click the Ok button to return to Windows Firewall main screen. Close this window and open Windows
(Start > All Programs (RC) > Administrative Tools > Click Windows Firewall and Advanced Settings)
• Click Windows Firewall Properties
9. Change workgroup name if desired. [2]
• Click Start > Computer (RC) > Properties, Click Change Settings (Located under Computer name, domain and workgroup settings), under Computer Name Tab, Click Change.
• Change the computer and workgroup name to meet your needs.
NOTE – For computers on your local workgroup to properly communicate, they will all need to be set up to:
• Have the same workgroup name
10. Create a non-administrator user account for normal use. [3]
• Start > Control Panel > User Accounts and Family Safety > Add or remove user accounts
• Click Create a new account
• Enter the user name you desire and select Standard User
Add a strong password. See http://www.uc.edu/infosec/password/choosepassword.html for tips.
11. Disable Bluetooth if it is not being used. [1] 12. Disable Wireless if it is not being used. [1]
Note: The steps in this document will help protect your PC from attack, but understand that wireless
connectivity is currently not a secure technology. It is possible to break WEP encryption (the wireless encryption still used by most wireless access points if any is used at all) in less than 15 minutes using a tool that is freely available online. So, while wireless access is incredibly useful, it is not secure. Just something of which to be aware.
13. Connect your computer to your network via the network cable or wireless adapter. [1] 14. Install a reputable Anti-Virus package like McAfee, Panda or Avira. [5]
Currently, the University of Cincinnati offers free Anti-Virus/Spyware protection using the award winning McAfee antivirus software. The latest version of McAfee hosted on the University of Cincinnati’s website is fully compatible with Windows Vista and offers real-time scanning to prevent malicious content from access your pc. You can download McAfee by clicking the link below and following the directions for installation.
http://www.uc.edu/ucit/ware/software/mcafee.html
If you don’t want to use McAfee, Microsoft provides a list of both, free and pay, anti-virus software that are fully compatible with Windows Vista. Follow the link below to visit this site.
http://www.microsoft.com/windows/antivirus-partners/windows-vista.aspx
15. Install the latest version of Internet Explorer (IE 7 comes standard in Vista).
• Secure Internet Explorer. [5]
1) Go to Internet Options (located under tools dropdown box)
2) Go to the Privacy tab and set cookie security to High. Once you have done this, you will need to explicitly add any site that you want to have cookies. This requires a little extra work on you part, but it will virtually eliminate the incredible proliferation of cookies that infect most computers and dramatically compromise your privacy. There are a relatively low number of sites that absolutely require cookies.
3) Go to the Security Tab and set to High for the Internet zone as shown.
4) On the same tab, click the “Trusted Sites” (Green checkmark). Click the Sites button
On the resulting screen, uncheck “Require https” (at the bottom) and then enter the following URLs as shown above. These will be required to run Windows update in the next step.
update.microsoft.com *.update.microsoft.com download.windowsupdate.com windowsupdate.microsoft.com
(If you are using IE 8 or later, enable SmartScreen Filter. In IE8- SmartScreen Filter allows you to browse the
internet safely. SmartScreen Filter blocks malicious websites. To enable SmartScreen Filter, click Start > type in
the search bar Internet Options (hit enter)> click the Advanced Tab > under Security make sure the box is
16. Run Windows Update. [45]
Click Start > All Programs > Windows Update
Another window will open prompting you to update. Click the install updates button (if applicable).
Another method of updating your Windows OS is by going to www.windowsupdate.com on IE8 and following instructions from there.
17. Configure Local Security Policies. [15]
Click Start > All Programs > Administrative Tools > Local Security Policies
• In the Account Policies > Password Policy section, set: 1)Do Not Enforce Password History
2)Set Maximum Password Age – 42 days 3)Set Minimum Password Age – 0 days 4)Minimum password length – 10
5)Password must meet complexity requirements – Enabled 6)Store password in reversible encryption - Disable
• Set Account Lockout Policy
1) Threshold 5 attempts 2) Duration 60 minutes
• Set Local Policies > Audit Policy as shown
• Under Security Options do the following. 1) Accounts: Guest account – Disable
2) Accounts: Rename administrator account – Rename this to something else. I chose “HighLevel” 3) Accounts: Rename guest account – Rename this to something else. I chose “DoNotUse”
4) Domain member: Require strong (Windows 2000 or later) session key – Enabled 5) Interactive logon: Do not display last user name – Enabled
7) Set a logon message if desired
(Like “This computer is the property of company X. Authorized use only.” etc…) a) Interactive logon: Message text for users attempting to log on
b) Interactive logon: Message title for users attempting to log on
8) Microsoft network client: Send unencrypted password to third-party SMB servers – Disabled 9) Network access: Allow anonymous SID/Name translation – Disabled
10)Network access: Do not allow anonymous enumeration of SAM accounts – Enabled
11)Network access: Do not allow anonymous enumeration of SAM accounts and shares – Enabled 12)Network access: Do not allow storage of credentials or .NET Passports for network authentication
– Enabled
13)Network access: Let Everyone permissions apply to anonymous users – Enabled
14)These next three settings should have all their entries removed to prevent “Null Session” attacks: a) Network access: Named Pipes that can be accessed anonymously
b) Network access: Remotely accessible registry path
c) Network access: Remotely accessible registry paths and sub-paths d) Network access: Shares that can be accessed anonymously
• These are the default values for the above three keys. I am including them here in case you need them for future reference:
o Named Pipes
Do Not Enter Anything: by default there are no values in this setting
o Remotely accessible registry path
System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion
o Remotely accessible registry paths and sub-paths
System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog
o Shares that can be accessed anonymously
Do Not Enter Anything: by default there are no values in this setting 15)Network access: Sharing and security model for local accounts – Classic
16)Network security: Do not store LAN Manager hash value on next password change – Enabled 17)Network security: LAN Manager authentication level – Send NTLMv2 response only\refuse LM &
NTLM
18)Network security: Minimum session security for NTLM SSP based (including secure RPC) clients – Check “Require NTLMv2” and “Require 128-bit encryption”
19)Network security: Minimum session security for NTLM SSP based (including secure RPC) servers – Check “Require NTLMv2” and “Require 128-bit encryption”
20)Recovery console: Allow automatic administrative logon Disabled
• In User Rights Assignment, set the following. You will sometimes be removing groups (like “Everyone”)
and adding others (like “SYSTEM”).
1) Access this computer from the network – Administrators (remove “everyone” and other groups) 2) Bypass traverse checking – Administrators, SERVICE, power users, users
3) Deny access to this computer from the network – ANONYMOUS LOGON 4) Deny logon locally – Guest
5) Deny logon through terminal services – Everyone 6) Log on as a batch job – <remove all>
7) Log on as a service – <remove all>
18. Shutdown and disable Services that are not required. [15]
• Start Services manager in one of two ways:
1) Click Start > All Programs > Administrative Tools > Services
2) OR
3) Click Start > Type in the search bar at the bottom Services > click Services
• To stop a service:
1) Select the service you want to modify (green arrow) 2) Click the Stop button (red arrow)
• To set a service to Manual or Disable it:
4) Double click the service you want to modify
5) Stop the service (there are a few that will not stop until you reboot) 6) Select Disabled or Manual under Startup Type
7) Click Apply and OK
• Go through the Services manager and set the following services like this:
1) Application Experience - Set to Manual
2) Application Layer Gateway – Provides support for 3rd party plug-ins for Internet Connection
Sharing/Internet Connection Firewall. Required if using Internet Connection Sharing/Internet Connection Firewall to connect to the internet. Automatic if using ICS, Disabled if not.
3) Com + System… – Disable.
4) Computer Browser – The browser service is used to maintain the list of PCs you see in Network
Neighborhood. This is normally a server function. A home user can set this to Manual.
5) Desktop Window Management Session Manager – Set to Manual
6) Diagnostic Policy Service – Set to Manual
7) Distributed Link Tracking Client – Distributed Link Tracking Client sends notifications of files
moving between NTFS volumes in a network domain. Disable on a home computer.
8) Distributed Transaction Coordinator – Coordinates transactions that are distributed across two or
more databases, message queues, file systems, or other transaction-protected resource managers. Manual.
9) DNS Client – Resolves and caches Domain Name System (DNS) names. This is normally provided
by your ISP. Disable and if you have name resolution problems, return it to Automatic. 10)Fax – Set to Manual if you don't need fax services.
11)Internet Connection Sharing – If you are want to share an Internet connection for your home
network, then set this to Automatic. If not, leave this set to Manual.
12)IP Helper – Set to Manual
13)Net Logon – Supports pass-through authentication of account logon events for computers in a
domain. Logging onto a domain? Leave it. Otherwise set it to Manual.
15)Portable Device Enumerator Service- Set to Manual
16)Print Spooler – Set to Manual
17)Protected Storage – Set to Manual
18)Remote Access Connection Manager – Only needed if you are configuring a new network
connection. Keep Disabled normally.
19)Remote Registry – Allows remote registry manipulation. A home user can set this to Manual.
20)Routing and Remote Access – Offers routing services to businesses in local area and wide area
network environments. A home user can set this to Manual.
21)Secondary Logon – Set to Manual.
22)Security Accounts Manager – Stores security information for local user accounts. A home user can
set this to Manual unless you are using Local Security Policy Editor.
23)Server – Disable this service unless you are sharing files on your hard drive or your printer.
Hackers will get nowhere if you do.
24)SSDP Discovery – Part of UpnP. Disable.
25)Tablet PC Input Service – Set to Manual
26)TCP/IP NetBIOS Helper – Provides support for name resolution via a lookup of the LMHosts file. If
you are not using LMHOSTS name resolution, you can set it to Manual.
27)Telephony – Provides Telephony API (TAPI) support for programs that control telephony devices
and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Normally set to Manual on workstations. Leave it on Manual.
28)UPnP Device Host - Universal Plug and Play Device Host – Provides support to host Universal Plug
and Play devices. Disable unless installing new hardware.
29)WebClient – Provides HTTP services for applications on the Windows platform. Required if you are
running a web server. Most common entry point for hackers! Disable it.
30)Workstation – Creates and maintains client network connections to remote servers. If this service
is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Set this to Manual. May normally be left stopped.
• Reactivating Services
If you want to run certain functions of Windows, you will have to turn some services back on: 1) Enable local workgroup networking – Workstation (set to auto)
to be visible on local network – Server (set to auto)
to see others on local network – Computer Browser (set to auto)
2) If you install software that needs telephony, like Skype, you may need to re-enable Telephony and perhaps Remote Access Connection Manager. Test this by trying the software first and then enabling first one then the other.
19. Disable Dump File Creation
• A dump file can be a useful troubleshooting tool when either the system or application crashes and causes the infamous "Blue Screen of Death". However, they also can provide a hacker with potentially sensitive information such as application passwords. You can disable the dump file by going to Start > Computer
(RC) > Properties, click Advanced System Settings > Startup and Recovery section under Advanced Tab> click Settings
• Change the options for “Write Debugging Information" to None.
If you need to troubleshoot unexplained crashes at a later date, you can re-enable this option until the issue is resolved but be sure to disable it again later and delete any stored dump files
20. Run GRC security tests. [5]
http://www.grc.com/freepopular.htm
• UnPlug n’ Pray
• Shoot the Messenger
• Leak Test
21. Set up software restriction policies. [5]
• Click Start > in search bar at bottom type > Local Security Policy
Click Software Restriction Policies, click Action, click New Software Restriction Policy
• Double click on Enforcement and set it to “All” (vs. not on libraries)
• Double click on Trusted Publishers and set it to “Allow only all administrators to manage Trusted Publishers”
22. Set up a share folder if desired
• If you want to share files with other computers on your home network you will need to set up a shared folder. Create a new folder for this purpose, then right click on it and click Properties. On the Sharing
tab, click “Advanced Sharing”. Provide the name of the share (“Share” below). I recommend that you limit the number of computers that can connect to your computer to a realistic number for you network. I put “2” in the example below. Once that is set, click the Permissions button. On the “Permissions for Share” screen, remove the “Everyone” group and replace it with “Authenticated Users”. Finally, add the
“ANONYMOUS LOGON” group and set all permissions for it to Deny as shown.
23. Test your security. [4]
• Run GRC “Sheilds-Up!” found at http://www.grc.com/default.htm
24. Change your boot sequence and set bios passwords. [6]
• Refer to your system documentation for instructions on how to do this
• Change the boot sequence to start with your hard drive
• For the slightly more paranoid, you can set the bios password so that the computer cannot be even started without entering a password. This will require you to enter two passwords to start up your system (bios and windows) and is normally not required.
25. Post Configuration Clean-up
• If desired, you may hide your Hidden files again. Open your Documents folder, and then select Organize>
click Folder and Search Options > click the View tab > Under “Hidden files and folders”, set “Do not show hidden files and folders”
26. Remember to always backup your data. It is important to back up your data in the event of your computer crashing, catching a virus and etc. Always back up your important data on an external drive.
To reset security if something gets fouled up… (Reference - http://support.microsoft.com/kb/313222) Be very
cautious when tampering with your OS settings.
• To reset Security Policies secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas securitypolicy /db secsetup.sdb /verbose
• To reset Services secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas services /db secsetup.sdb /verbose
• To reset User Rights secedit /configure /cfg C:\WINDOWS\repair\secsetup.inf /areas user_rights /db secsetup.sdb /verbose
Other Security Applications
There are a wide variety of security products that you can use on your Vista machine. While we do make recommendations as to what security products work best, it is solely your decision as to what products you want to use.
Firewalls
In the case of firewalls, the windows firewall that comes pre-installed on the OS is much better than past versions. Windows Firewall and a good Anti-virus product are effective in keeping your computer running at optimal performance. For those of you that want more protection, we recommend using ZoneAlarm or Comodo.
ZoneAlarm [4] is a free bi-directional firewall that is consistently one of the best reviewed and
secure personal firewalls on the market. http://download.cnet.com/ZoneAlarm/3000-10435_4- 10039884.html
Comodo [4] combines both a firewall and anti-virus software for optimum security on personal
computers. CNET editors have given it 5 Stars. http://download.cnet.com/Comodo-Internet- Security/3000-10435_4-10460704.html?tag=mncol
Anti-virus, Anti-spyware, and Anti-malware
McAfee Anti-virus & Anti-spyware
As mentioned earlier in this article, UC is proud to offer McAfee Anti-virus and Anti-spyware software FREE to the UC community. McAfee has been ranked #1 in Anti-virus software for 7 years straight. We recommend that everyone in the UC community take advantage of this great offer. We do realize that you may prefer a different Anti-virus program or may be paying for another Anti-virus program, and that is why we do not require you to use McAfee.
Other Anti-virus & Anti-spyware
As mentioned at the beginning of this document, there are other alternatives to using McAfee. 2 good free Anti-virus suites are AVG and Comodo. If you prefer to use a different one there is a complete list of supported software at the link below.
http://www.microsoft.com/windows/antivirus-partners/windows-vista.aspx
Malware Remover
Feel as though your computer is infected with spyware/malware? Install Malwarebytes Anti- Malware- FREE spyware/malware removing software and scan your pc. This program is a top rated contender among anti-spyware/malware programs. Reviews state that Malwarebytes is better than most non-open source Anti-spyware/malware programs. Click the link below to be redirected to the download page.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl- 10804572&subj=dl&tag=button
Utilities
Disk Erasers
Eraser - http://www.heidi.ie/eraser/download.php - this utility wipes your hard-drive clean, or can be used to wipe unnecessary data off of your drive for better performance and extra storage. Encryption
TrueCrypt - http://www.truecrypt.org/ - TrueCrypt is an open source encryption tool that allows for single file and whole disk encryption.
Bitlocker – Vista provides its own whole disk encryption solution that comes free with the installation of vista. is a hard-drive/usb/volume encryption utility that offers you security for you data storage media in the case of theft.
File Management
WinRAR - http://www.rarlab.com/download.htm - Comprehensive archive utility that can compress and decompress RAR and WIN files along with many others - not free
Izarc – free open source archive utility (better alternative to winrar) that compresses and decompresses files in over 20 different formats. http://www.izarc.org
Network
CurrPorts - http://www.nirsoft.net/utils/cports.html - CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. Browsers
Firefox - http://www.mozilla.com/en-US/firefox/personal.html - Firefox is a secure open source browser that is free of charge. This is the preferred browser for security.
References • General http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm http://www.windowsitlibrary.com/Content/121/18/1.html • Services http://www.tweakhound.com/xp/security/page_3.htm http://www.ntsvcfg.de/ntsvcfg_eng.html • http://www.techknowl.com/2009/03/disable-unwanted-services-and-speed-up.html • Registry http://www.windowsitlibrary.com/Content/121/18/1.html
• Local Security Settings
http://support.microsoft.com/kb/823659
• Networking
http://www.grc.com/su-bondage.htm & http://www.grc.com/su-rebindingnt.htm)
http://www.windowsnetworking.com/articles_tutorials/Install-Microsoft-Loopback-adapter-Windows-XP.html
http://www.windowsnetworking.com/articles_tutorials/Optimize-Network-Connections-Windows-XP.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;894564
• Folder and File Permissions
http://www.windowsitlibrary.com/Content/121/18/1.html http://technet.microsoft.com/en-us/library/bb727037.aspx
