
Hardening Windows Security – Part 1

by Shanmuga


These spyware and other malware prevention tips are written for a home PC running Windows XP Professional; some may also apply to a small home network of XP Professional machines, and some of the recommendations may not work on other versions of Windows. As always, back up your data before making any changes to your computer.


Out of the box, Windows installs with certain dangerous defaults which, if left alone, become the biggest obstacle when you set out to secure your system against malware and hackers.


Use a Non-Admin Account


If there is one silver bullet against the installation of malware, it is using a non-admin account, also known as a LUA (least-privileged user account) or limited user account, for normal day-to-day tasks such as writing documents, browsing the Internet, reading e-mail and instant messaging, and using an account with administrator privileges only for the specific tasks that require them. This drastically limits your exposure to malware.



… If the exploit happens to be written so that it requires admin privileges (as many do), just running as User stops it dead. But if you are running as admin, an exploit can:


* install kernel-mode rootkits and/or keyloggers (which can be close to impossible to detect)


* install and start services


* install ActiveX controls, including IE and shell add-ins (common with spyware and adware)


* access data belonging to other users


* cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)


* replace OS and other program files with trojan horses


* access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts


* disable/uninstall anti-virus


* cover its tracks in the event log


* render your machine unbootable


* if your account is an administrator on other computers on the network, the malware gains admin control over those computers as well


* and lots more.


Aaron Margosis' WebLog: Why you shouldn't run as admin…



So why doesn't everybody run as a limited user?


The downside to running as a non-admin user is that not everything works the way it should. See the Microsoft Knowledge Base article Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account.


Why does least-privilege computing break applications?



Because of programmers who write everyday applications that require them. Why do they do this? Because using admin rights made it easier to write certain programs. It also didn't use to be a big deal. This type of development, however, encouraged all user accounts to be set up with admin privileges by default, opening the door for some of the malicious code we're fighting today.

'Least Privilege' Can Be the Best



Finally, a must-read if you decide to go the "limited user" way: Aaron Margosis' WebLog: Non-admin for home users


Use effective passwords


A weak password offers no protection against a determined attacker. So when you choose a password, don't pick one that is obvious, such as your name, your spouse's name or your pet's name.


  • Select a password that is at least 8 characters long. Windows accepts passwords up to 127 characters in length!

  • Use a mixture of uppercase and lowercase letters, numbers, and other characters such as *, ?, or $.

  • If you have multiple systems, do not use the same password on all of them.

  • Never, ever write your passwords down or send them in unencrypted e-mail messages.

More tips on selecting strong yet easy-to-remember passwords: Ten Windows Password Myths
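As an added example (not code from the original post), the following PowerShell function turns the four rules above into a check you can run against a candidate password before using it. It assumes Windows PowerShell 2.0 or later is installed (XP does not ship with it); the list of forbidden words and the sample candidates are constructed for the demonstration.

```powershell
# Added example, not from the original post. Checks a candidate password against
# the rules given above: at least 8 characters (Windows allows up to 127), mixed
# upper/lower case, digits and symbols, and nothing built from names an intruder
# could guess (your own name, spouse, pet).
function Test-PasswordStrength {
    param(
        [string]$Password,
        [string[]]$ForbiddenWords = @()   # names you consider guessable (constructed by you)
    )
    $problems = @()
    if ($Password.Length -lt 8)             { $problems += 'shorter than 8 characters' }
    if ($Password.Length -gt 127)           { $problems += 'longer than the 127 characters Windows accepts' }
    if ($Password -cnotmatch '[A-Z]')       { $problems += 'no uppercase letter' }
    if ($Password -cnotmatch '[a-z]')       { $problems += 'no lowercase letter' }
    if ($Password -notmatch '[0-9]')        { $problems += 'no digit' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $problems += 'no symbol such as *, ? or $' }
    foreach ($word in $ForbiddenWords) {
        # -match is case-insensitive, so "Fluffy" is caught as well as "fluffy".
        if ($word.Length -ge 3 -and $Password -match [regex]::Escape($word)) {
            $problems += "contains the guessable word '$word'"
        }
    }
    New-Object PSObject -Property @{
        Acceptable = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Constructed sample inputs; none of these are real passwords.
$guessable = @('alice', 'fluffy')
foreach ($candidate in @('fluffy123', 'Summer2008', 'Tr4il-M!x_rUn')) {
    $result = Test-PasswordStrength -Password $candidate -ForbiddenWords $guessable
    if ($result.Acceptable) {
        Write-Output "'$candidate': acceptable"
    } else {
        Write-Output "'$candidate': rejected ($($result.Problems -join '; '))"
    }
}
```

Of the three constructed candidates, only the last passes: the first is short, lacks uppercase and symbols and contains a pet name, and the second has no symbol. The function reports every failing rule at once rather than stopping at the first, which is more useful when you are picking a password by hand.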


Use a Bios/Bootlevel Password


Once set, the boot-level BIOS password is required every time your system is started; it protects your system by refusing to boot until the password is entered. Normally you set a boot-level password by selecting the option in your BIOS setup. While you are there, also consider setting a password for the BIOS setup itself, to prevent an unauthorized user from changing the BIOS settings.


Use the screensaver to secure your PC


This step secures your computer when you are away for a short period. Turn on the screensaver manually or set it to activate after a fixed interval, such as 10 minutes. In all versions of Windows the screensaver password is normally set from the Screen Saver tab of the Display Properties window.


Turn off/Rename/Password-protect the Guest account


A Guest account provides access to the computer for any user who does not have a user account on it. Although Microsoft recommends against disabling the Guest account in XP (see Description of the Guest account in Windows XP), it can be turned off, renamed and given a password to provide comparatively more security.


To turn off Guest account access, follow these steps:


  • Click Start, click Control Panel, and then double-click User Accounts.

  • Click the Guest account.

  • Click Turn off Guest access.

Rename and password-protect the Guest account: because the Guest account is known to exist on all Windows 2000 Server, Windows 2000 Professional and Windows XP computers, renaming it makes it slightly more difficult for an unauthorized person to guess the user name and password combination.


To rename the Guest account in XP Pro, follow these steps:



  • Right click on 'My computer' and click 'Manage', which opens the Microsoft Management console.

  • Open the Users folder under Local users and groups, right click on 'Guest' and click Rename and type in your preferred unique name.

  • Right click on 'Guest', click properties and edit the description for the account, so as not to reveal its true nature.


To password-protect the Guest account, follow these steps:


Right-click 'My Computer' and click 'Manage', which opens the Microsoft Management Console. Open the Users folder under Local Users and Groups, right-click 'Guest', click Set Password, proceed past the security warning and set the password for the Guest account.


As the Local Users and Groups option is not available in XP Home edition, follow these steps instead:


Click Start, click Run, type the command "net user guest *" (without the quotes), press Enter and you will be prompted for the password to use.


Rename/Password-protect the Administrator account


An administrator account has the largest set of default permissions and the ability to change its own permissions. To stop intruders from gaining administrative rights through the well-known built-in Administrator account, it is highly recommended to rename the Administrator account.


To rename the Administrator account in Windows XP Pro, follow these steps:


  • Right click on 'My computer' and click 'Manage', which opens the Microsoft Management console.

  • Open the Users folder under Local users and groups, right click on 'Administrator' and click Rename and type in your preferred unique name.

  • Right click on 'Administrator', click properties and edit the description for the account, so as not to reveal its true nature.

To password-protect the Administrator account, if you have not done so already, or to change its password, follow these steps:


  • Right click on 'My computer' and click 'Manage', which opens the Microsoft Management console.

  • Open the Users folder under Local users and groups, right click on 'Administrator' and click Set Password.

  • Click Proceed in the message box that appears.

  • Type and confirm the new password in the appropriate boxes, and then click OK.

Disable Enumeration of Account SIDs


Even if you rename the Guest and Administrator accounts, be aware that there are programs which let an intruder find the real account by enumerating account SIDs (Security Identifiers), since renaming an account does not change its SID. Once the administrator account name has been identified by its SID, brute-force password guessing begins and exploitation of accounts with weak passwords immediately follows.


To disable enumeration of Account SIDs follow these steps:


  • Click Start, go to Control Panel, click Administrative Tools and click Local Security Policy.

  • Click on the "Security Options" folder in the left pane.

  • Scroll down in the right pane and double-click Network access: Do not allow anonymous enumeration of SAM accounts and shares.

  • Choose Enabled and click Apply and OK to save the settings.
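The point of the SID warning above is that the built-in Administrator and Guest accounts can always be found by their well-known relative IDs (RID 500 and 501), whatever they are called. The following added PowerShell script (not from the original post) shows this from the defender's side: it locates both accounts by RID rather than by name, turns off Guest the same way the User Accounts applet does, and reports the state of each. It assumes Windows PowerShell 2.0 or later is installed on the XP machine and that it is run from the administrator account, since disabling an account needs admin rights.

```powershell
# Added example, not from the original post. Finds the built-in Administrator
# (RID 500) and Guest (RID 501) accounts by SID, so that a renamed account is
# still found, then disables Guest and shows the resulting state.
function Get-BuiltInAccount {
    param([int]$Rid)   # 500 = Administrator, 501 = Guest
    # LocalAccount=True restricts the query to this machine's own SAM.
    # The SID ends in "-<RID>", so match on that suffix regardless of the name.
    $suffix = '-' + $Rid + '$'
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match $suffix }
}

function Show-AccountState {
    param($Account)
    Write-Output ("{0,-16} SID={1}  Disabled={2}  PasswordRequired={3}  Lockout={4}" -f `
        $Account.Name, $Account.SID, $Account.Disabled, $Account.PasswordRequired, $Account.Lockout)
}

$admin = Get-BuiltInAccount -Rid 500
$guest = Get-BuiltInAccount -Rid 501
Write-Output "Before:"
Show-AccountState $admin
Show-AccountState $guest

# Turn off Guest access (same effect as 'Turn off Guest access' in User Accounts).
# The account is addressed by whatever name it currently has, quoted in case
# you renamed it to something containing spaces.
$guestName = $guest.Name
net user "$guestName" /active:no | Out-Null

# Re-query so the Disabled flag reflects the change just made.
Write-Output "After:"
Show-AccountState (Get-BuiltInAccount -Rid 501)

# Setting a password is deliberately left interactive: 'net user <name> *'
# prompts for it, so the password never ends up in a script or command history.
$adminName = $admin.Name
Write-Output "To set or change a password, run:  net user `"$adminName`" *   (and likewise for `"$guestName`")"
```

Running this after renaming Guest or Administrator makes the lesson concrete: the new name is printed next to the unchanged SID, which is exactly what an enumeration tool would see, so the rename must be paired with a strong password and with the anonymous-enumeration policy above.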

Use NTFS File system


Install Windows XP on a partition formatted with the NTFS file system. NTFS has built-in security features which older file systems such as FAT lack: it lets you configure which user can perform which operations on the available data, and it lets you encrypt files and folders to protect your sensitive data.


More on the NTFS file system: NTFS.com NTFS File System.


Disable Automated Logins – Make sure all user accounts are password protected


Click Start, go to Control Panel, click Administrative Tools and click Local Security Policy. Select the user names one by one and make sure a password is set for each account that is enabled.


Limit the number of unnecessary login accounts


Remove all unnecessary user accounts and prune the Administrators group. By limiting the number of user accounts and of members of the Administrators group, you limit the number of users who might choose weak passwords that could expose your system.
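The non-admin advice at the top of this post and the two pruning steps just above all come down to the same audit: which account am I working in, which local accounts exist, and who is in the Administrators group. The following added PowerShell script (not from the original post) answers those three questions in one run. It assumes Windows PowerShell 2.0 or later is installed on the XP machine; run it once from your everyday account to confirm it is a limited user, and once from the admin account to review the lists.

```powershell
# Added example, not from the original post. Reports whether this session holds
# admin rights, lists every local account, and lists the Administrators group
# so that stale accounts and surplus administrators stand out.

function Test-IsAdminSession {
    # True when the current token is a member of the local Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAccountReport {
    # One object per account in this machine's SAM (LocalAccount=True leaves out
    # domain accounts cached on a domain-joined machine).
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name             = $_.Name
                Disabled         = $_.Disabled
                PasswordRequired = $_.PasswordRequired
            }
        }
}

function Get-LocalAdministrators {
    # Each Win32_GroupUser row links a group (GroupComponent) to a member
    # (PartComponent); keep only rows for this computer's Administrators group.
    $computer = $env:COMPUTERNAME
    Get-WmiObject -Class Win32_GroupUser |
        Where-Object { $_.GroupComponent -like "*Domain=`"$computer`",Name=`"Administrators`"" } |
        ForEach-Object {
            # PartComponent ends in: Domain="PC",Name="alice"
            if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') {
                $Matches[1] + '\' + $Matches[2]
            }
        }
}

$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if (Test-IsAdminSession) {
    Write-Output "$me holds administrator rights: reserve this session for admin tasks only."
} else {
    Write-Output "$me is a limited user: a browser or e-mail exploit in this session cannot install drivers or services."
}

Write-Output ""
Write-Output "Local accounts (review each one; remove what you do not need):"
foreach ($acct in Get-LocalAccountReport) {
    $note = ''
    if (-not $acct.Disabled -and -not $acct.PasswordRequired) {
        $note = '  <- enabled and no password required: set one'
    }
    Write-Output ("  {0,-20} Disabled={1,-5} PasswordRequired={2,-5}{3}" -f `
        $acct.Name, $acct.Disabled, $acct.PasswordRequired, $note)
}

Write-Output ""
Write-Output "Members of the local Administrators group (prune to the minimum):"
Get-LocalAdministrators | ForEach-Object { Write-Output "  $_" }
```

The PasswordRequired flag only tells you whether the account is permitted to have an empty password, not whether its current password is strong; it is a quick way to spot accounts that were never given one, which is what the automatic-logon section above is about.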


Disable Simple File Sharing


If the computer is not joined to a domain, simple file sharing is enabled in Windows XP by default. This lets remote users access the system's shares freely without being prompted for a password. With simple file sharing enabled you can share folders with everyone on your network or workgroup, but you cannot prevent specific users from accessing those folders. It is recommended that you turn off simple file sharing, which lets you grant access to designated folders only to specific users, with the rights you choose. Note that simple file sharing cannot be turned off in Windows XP Home edition.


More on file sharing and how to disable simple file sharing in Windows XP: Windows XP Professional File Sharing


How to configure file sharing in Windows XP
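Three of the settings in this post (the anonymous SAM enumeration policy, automatic logon, and simple file sharing) are stored as registry values, so they can be audited in one pass rather than by clicking through Local Security Policy each time. The following added PowerShell script (not from the original post) reports each value against the setting recommended above and, only when run with -Fix from the admin account, writes the recommended value. It assumes Windows PowerShell 2.0 or later is installed on the XP machine; the value names and locations are the standard ones Windows XP uses for these policies.

```powershell
# Added example, not from the original post. Audits (and with -Fix, sets) the
# registry values behind the policies recommended in this post.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$checks = @(
    @{ Path = $lsa;      Name = 'RestrictAnonymous';    Wanted = 1;   Type = 'DWord'
       Purpose = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' },
    @{ Path = $lsa;      Name = 'RestrictAnonymousSAM'; Wanted = 1;   Type = 'DWord'
       Purpose = 'Network access: Do not allow anonymous enumeration of SAM accounts' },
    @{ Path = $lsa;      Name = 'ForceGuest';           Wanted = 0;   Type = 'DWord'
       Purpose = 'Simple file sharing off: remote users authenticate as themselves, not as Guest' },
    @{ Path = $winlogon; Name = 'AutoAdminLogon';       Wanted = '0'; Type = 'String'
       Purpose = 'Automatic logon disabled' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-HardeningPolicies {
    param([switch]$Fix)   # without -Fix the function only reports
    foreach ($c in $checks) {
        $current = Get-PolicyValue -Path $c.Path -Name $c.Name
        # Compare as strings so a REG_SZ "0" and a DWORD 0 are each judged correctly.
        $ok = ($current -ne $null) -and ("$current" -eq "$($c.Wanted)")
        $state = if ($ok) { 'OK ' } else { 'FIX' }
        Write-Output ("{0} {1}\{2} = {3} (want {4})  {5}" -f `
            $state, $c.Path, $c.Name, $current, $c.Wanted, $c.Purpose)
        if (-not $ok -and $Fix) {
            # Writing under HKLM needs an administrator session.
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Wanted -Type $c.Type
        }
    }

    # Automatic logon stores the password in clear text under DefaultPassword;
    # its presence is a problem on its own, whatever AutoAdminLogon says.
    if ((Get-PolicyValue -Path $winlogon -Name 'DefaultPassword') -ne $null) {
        Write-Output "FIX $winlogon\DefaultPassword is present: a logon password is stored in clear text"
        if ($Fix) { Remove-ItemProperty -Path $winlogon -Name 'DefaultPassword' }
    }
}

# Report only; run 'Test-HardeningPolicies -Fix' from the admin account to apply.
Test-HardeningPolicies
```

Two caveats follow from the text above: on XP Home edition simple file sharing cannot be turned off, so ForceGuest is reported there but should be left alone, and on a domain-joined machine these values may be managed by Group Policy and reverted at the next refresh.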


Disable File and print sharing

With an always-on connection, enabling file and print sharing is the equivalent of leaving your front door open while you are not at home. Unless it is absolutely necessary, disable file and print sharing.


To disable file and print sharing, follow these steps:


  • Click Start, point to Settings, and then click Control Panel.

  • Double-click Internet Options. On the Connections tab, select your connection, and then click Settings.

  • Click Properties, click the Networking tab and uncheck File and Printer Sharing for Microsoft Networks.

Malware Prevention – Hardening Windows Security – Part 2


