Hardening Windows Security – Part 2
- Unhide the file extensions
- Disable Remote assistance
- Disable Remote Desktop
- Disable unnecessary services
- Encrypt vital folders
- Clear Page File at System Shutdown
- Disable Dump file creation
- Disable Dr.Watson dump file
- Neutralize the scrap file
By default, Windows hides the extensions of files when viewed in Windows Explorer and on the Windows desktop. Malware exploits this to hide itself by adding a hidden second extension in order to penetrate the victim's system. AnnaKournikova.jpg.vbs is an example where Windows shows only .jpg as the extension and the user is fooled into thinking that he is downloading a juicy image instead of a worm with the extension .vbs.
To unhide the file extensions, follow these steps:
- Click Start, Open Control Panel, Click Folder options
- Click on the View tab
- Uncheck Hide extensions for known file types
There are certain file extensions which will remain hidden even after the above procedure is followed: .shs, .pif and .lnk. These extensions are now being used by malware writers to let loose dangerous Trojans on unsuspecting victims. So, when in doubt, don't download or run the file.
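The following PowerShell is an added example, not code from the original article. It flags file names that use the hidden-extension trick described above and reads back the Explorer setting behind "Hide extensions for known file types". The list of risky last extensions is my own choice; HideFileExt is the registry value that option toggles (1 = hidden, 0 = shown).

```powershell
# Added example (not from the article): spot file names that rely on a
# hidden second extension, and check whether Explorer still hides extensions.

# Extensions that run code when opened (assumed list; extend as needed).
$RiskyExt = @('.exe','.com','.bat','.cmd','.scr','.vbs','.vbe','.js','.jse','.wsf','.pif','.lnk','.shs')
# Extensions Explorer hides even after "Hide extensions" is turned off (from the article).
$AlwaysHiddenExt = @('.shs','.pif','.lnk')

function Test-DeceptiveFileName {
    param([Parameter(Mandatory=$true)][string]$Name)
    $parts = $Name.ToLower().Split('.')
    if ($parts.Length -lt 2) { return $null }      # no extension at all
    $last = '.' + $parts[-1]
    $reasons = @()
    if ($AlwaysHiddenExt -contains $last) {
        $reasons += "$last stays hidden in Explorer even with extensions shown"
    }
    if ($parts.Length -ge 3 -and $RiskyExt -contains $last) {
        # A visible, harmless-looking extension sits in front of the real one.
        $reasons += "executable $last sits behind a visible .$($parts[-2])"
    }
    if ($reasons.Length -eq 0) { return $null }
    New-Object PSObject -Property @{ Name = $Name; Reason = ($reasons -join '; ') }
}

function Get-HideFileExtSetting {
    # Per-user Explorer setting; 1 means extensions of known types are hidden.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
}

# Constructed sample names: the first two should be flagged, the last two should not.
'AnnaKournikova.jpg.vbs', 'report.txt.shs', 'holiday.jpg', 'setup.exe' |
    ForEach-Object { Test-DeceptiveFileName $_ } | Where-Object { $_ } |
    Format-Table Name, Reason -AutoSize

# Scan a real folder the same way, for example where downloads and attachments land:
# Get-ChildItem "$env:USERPROFILE\Desktop" | Where-Object { -not $_.PSIsContainer } |
#     ForEach-Object { Test-DeceptiveFileName $_.Name } | Where-Object { $_ }

if ((Get-HideFileExtSetting) -eq 1) {
    Write-Warning 'Explorer is still hiding extensions for known file types (HideFileExt = 1).'
}
```

The name check is only a heuristic: it catches the double-extension pattern and the three extensions Explorer never shows, but a plain .exe with a convincing name passes, so treat it as a prompt to look closer, not as a verdict.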
Remote assistance is where you can invite another person to log on to your machine for remote troubleshooting. You can re-enable it whenever you require such assistance.
With Remote Desktop on Windows XP Professional, "you can have access to a Windows session that is running on your computer when you are at another computer. This means, for example, that you can connect to your work computer from home and have access to all of your applications, files, and network resources as though you were in front of your computer at work. You can leave programs running at work and when you get home, you can see your desktop at work displayed on your home computer, with the same programs running".
To disable both, open the System folder in Control Panel. Click on the Remote tab, uncheck both "Allow Remote Assistance invitations to be sent from this computer" and "Allow users to connect remotely to this computer", then click Apply to save the settings.
Default installations of Windows XP come with a number of services that are not necessary, and some of those unwanted services can be outright dangerous. Unless explicitly disabled, these services start during the boot process and reside in memory, wasting precious RAM.
To change the service settings, go to the services configuration screen in XP by the following steps:
Click Start, click Run, type 'Services.msc' and click OK.
In the services configuration screen, double click on the name of the service to change the startup type options for that particular service.
There are three possible settings:
- Automatic: the service is started while Windows loads.
- Manual: the service is not loaded during the boot process, but if needed it can be started automatically in the background without the user going into the services configuration to start it by hand.
- Disabled: the service is not started during the boot process and cannot be started until the startup type is changed in the services configuration, followed by either a reboot or clicking the 'Start' button manually.
I am not going to get into the nuances of each and every service that is enabled by default; there are whole sites devoted to that. Check out the following links for tips on tweaking the services to your needs.
The indicated settings are general in nature and may not suit everyone, as many services are required by individual preferences and operating environments. It is imperative that you back up your data and set a restore point before tweaking the services.
A note on the "Messenger" service – Why disable the Messenger service?
If advertisements are opening on your computer in a window titled Messenger Service, it may mean that the Messenger service is enabled and running on your system. Although the name is similar, the Messenger service in Windows XP is not related to instant messaging programs such as Windows Messenger and MSN Messenger, so disabling it will not affect the functioning of the IM programs.
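As an added example (my code, not the article's), the script below reads each service's startup type straight from the registry, lists everything set to Automatic so you can decide what to trim, and disables the Messenger service discussed above. It assumes the documented meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services (2 = Automatic, 3 = Manual, 4 = Disabled) and must be run from an administrative prompt.

```powershell
# Added example (not from the article): audit service startup types and
# disable the Messenger service. Run as Administrator.

# Documented Start values for services; 0 and 1 belong to drivers and are shown as "Other".
$StartTypeName = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartType {
    param([Parameter(Mandatory=$true)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $item = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
    if (-not $item) { return 'Unknown' }
    $start = [int]$item.Start
    if ($StartTypeName.ContainsKey($start)) { $StartTypeName[$start] } else { "Other($start)" }
}

function Get-AutomaticServices {
    # Every service that starts at boot, with its current state and friendly name.
    Get-Service | Where-Object { (Get-ServiceStartType $_.Name) -eq 'Automatic' } |
        Select-Object Name, Status, DisplayName
}

function Disable-MessengerService {
    $svc = Get-Service -Name Messenger -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host 'Messenger service not present on this system.'
        return
    }
    if ($svc.Status -eq 'Running') { Stop-Service -Name Messenger }
    Set-Service -Name Messenger -StartupType Disabled
    # Read the result back from the registry rather than trusting the call succeeded.
    Write-Host ("Messenger startup type is now: " + (Get-ServiceStartType Messenger))
}

Get-AutomaticServices | Format-Table -AutoSize
Disable-MessengerService
```

Reviewing the Automatic list before disabling anything keeps you within the article's advice: take a restore point first, and prefer Manual over Disabled for anything you are unsure about, since a Manual service can still be started on demand.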
The Encrypting File System available in Windows 2000 and Windows XP lets you encrypt selected NTFS files and folders using public key cryptography. Encrypting sensitive folders by means of EFS adds another layer of security. When folders are encrypted, their data is protected even if an attacker has full access to the computer's data storage. Read more on EFS here
Encrypting File System before attempting the following.
Encrypt the My Documents folder (%UserProfile%\My Documents) to ensure that the personal folder, in which most Microsoft Office documents are saved, is encrypted by default.
Encrypt the Temp folder (%TEMP%) to ensure that the temporary files that are created by various applications are encrypted.
To encrypt a selected folder:
Open Windows Explorer.
Right-click the folder that you want to encrypt, and then click Properties. On the General tab, click Advanced. Select the "Encrypt contents to secure data" check box.
Ensure that the system page file is cleared before shutdown. This ensures that sensitive information paged out of process memory is not left on disk in clear text after shutdown.
Start the Registry Editor (regedit.exe) and browse to the following key on the left pane:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Find the value ClearPageFileAtShutdown on the right pane, double-click it and:
- set it to 0 to turn the behaviour off
- set it to 1 to turn the behaviour on
Alternatively, use Local Security Policy: Start > Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options. Double-click the entry "Shutdown: Clear virtual memory pagefile" in the right pane and select Enabled.
When your computer stops unexpectedly as a result of a Stop error (also known as a "blue screen of death", system crash, or bug check), a Memory.dmp file is automatically created; it is helpful when diagnosing problems using debugging tools. Like the page file, this stored data can contain sensitive information and passwords.
To disable dump file creation: open the System folder in Control Panel, click on the Advanced tab and then click the Settings button under Startup and Recovery. Under "Write debugging information", open the drop-down menu, select (none) and OK your way out.
Note: Disabling dump file creation does not delete the dump file created on earlier occasions. To delete it, use Windows Explorer, browse to the default location, C:\Windows, and delete the Memory.dmp file.
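The article walks through Remote Assistance, Remote Desktop, the page file and the crash dump via Control Panel. The PowerShell below is an added example (mine, not the article's) that reads the same settings back from the registry so the hardening can be verified or applied in one pass. The ClearPageFileAtShutdown key is the one named in the article; the other three value names (fAllowToGetHelp, fDenyTSConnections, CrashDumpEnabled) are my assumptions about where those Control Panel options are stored, so confirm them on your own build before relying on the enforcement step.

```powershell
# Added example (not from the article): audit, and optionally enforce, the
# registry values behind the settings changed through Control Panel above.
# Value names other than ClearPageFileAtShutdown are assumptions (see lead-in).

$Checks = @(
    @{ Name = 'Remote Assistance disabled';    Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance';
       Value = 'fAllowToGetHelp';         Want = 0 },
    @{ Name = 'Remote Desktop disabled';       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';
       Value = 'fDenyTSConnections';      Want = 1 },
    @{ Name = 'Page file cleared at shutdown'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management';
       Value = 'ClearPageFileAtShutdown'; Want = 1 },
    @{ Name = 'Memory dump disabled';          Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl';
       Value = 'CrashDumpEnabled';        Want = 0 }
)

function Test-HardeningSetting {
    param([Parameter(Mandatory=$true)][hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Key -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Value) } else { $null }   # missing value reported as $null
    New-Object PSObject -Property @{
        Setting = $Check.Name
        Actual  = $actual
        Wanted  = $Check.Want
        Ok      = ($actual -ne $null -and [int]$actual -eq $Check.Want)
    }
}

function Set-HardeningSetting {
    param([Parameter(Mandatory=$true)][hashtable]$Check)
    if (-not (Test-Path $Check.Key)) { New-Item -Path $Check.Key -Force | Out-Null }
    Set-ItemProperty -Path $Check.Key -Name $Check.Value -Value $Check.Want -Type DWord
}

# Audit only (works without elevation for reading HKLM):
$Checks | ForEach-Object { Test-HardeningSetting $_ } | Format-Table Setting, Actual, Wanted, Ok -AutoSize

# Enforce: run as Administrator; ClearPageFileAtShutdown takes effect after a reboot.
# $Checks | Where-Object { -not (Test-HardeningSetting $_).Ok } | ForEach-Object { Set-HardeningSetting $_ }
```

Keeping the enforcement line commented out by default mirrors the article's caution: audit first, take a restore point, then apply only the settings that are actually out of line.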
A memory dump file similar to the above is created by Dr.Watson, a program error debugger that gathers information about your computer when an error (or user-mode fault) occurs in a program.
To disable Dr.Watson dump file: Start the Registry Editor (regedit.exe) and browse to the following key on the left pane:
Click on it, then double-click the value Auto in the right pane and change it to "0".
Note: Disabling Dr.Watson does not delete the dump files created on earlier occasions. To delete them, use Windows Explorer, browse to C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson and delete the files named User.dmp and Drwtsn32.log.
A scrap file is a type of file used to transfer objects between programs on Windows computers. A scrap file can contain just about anything from simple data, to a document or spreadsheet, to an executable program.
A scrap file can be named with almost any extension to make it look like a benign file (e.g. .GIF, .JPG, .TXT, etc.), and Windows then adds the .SHS extension to that. In most cases, even if you have Windows set to show all file extensions, the .SHS extension will not show up after you have saved the file to disk (it should be visible as an attachment to an e-mail message). This makes scrap files more dangerous, as they can easily appear to be something they are not simply by giving the file a benign name.
By default Windows assigns "RUNDLL32.EXE SHSCRAP.DLL, OPENSCRAP_RUNDLL %1" to the .SHS extension and, when the file is opened, Windows unpacks the scrap file and opens or executes whatever is inside it. You have no control over this once you attempt to open the scrap file.
The display of the .SHS extension is controlled by the following registry entry…
and "NeverShowExt" on the right pane.
To neutralize the scrap file you can either change "NeverShowExt" to "AlwaysShowExt" or simply delete the entry. Then, reboot and .SHS files should show their extension even when saved to disk.
Newer and more sinister malware is detected nearly every other day, making it imperative that anyone interested in better online security keeps informed about what is going on in the anti-malware field.
Check out this link to know about Keeping Yourself Informed.