
Hardening Windows Security – Part 2

by Shanmuga

Unhide the file extensions

By default, Windows hides the extensions of files when they are viewed in Windows Explorer and on the Windows desktop. Malware exploits this to hide itself behind a second, hidden extension in order to penetrate the victim's system. AnnaKournikova.jpg.vbs is an example: Windows displays the name as AnnaKournikova.jpg, hiding the real .vbs extension, and the user is fooled into thinking that he is downloading a juicy image instead of a worm.

To unhide the file extensions, follow these steps:


  • Click Start, open Control Panel and click Folder Options
  • Click the View tab
  • Uncheck "Hide extensions for known file types"

Certain file extensions remain hidden even after the above procedure is followed: .shs, .pif and .lnk. These extensions are now being used by malware writers to let loose dangerous Trojans on unsuspecting victims. So, when in doubt, don't download or run the file.

Disable Remote assistance and Remote Desktop

Remote Assistance lets you invite another person to log on to your machine for remote troubleshooting. You can re-enable it whenever you require such assistance.

With Remote Desktop on Windows XP Professional, "you can have access to a Windows session that is running on your computer when you are at another computer. This means, for example, that you can connect to your work computer from home and have access to all of your applications, files, and network resources as though you were in front of your computer at work. You can leave programs running at work and when you get home, you can see your desktop at work displayed on your home computer, with the same programs running".


To disable both, open System in Control Panel, click the Remote tab, uncheck both "Allow Remote Assistance invitations to be sent from this computer" and "Allow users to connect remotely to this computer", and click Apply to save the settings.

Disable unnecessary and potentially dangerous services

Default installations of Windows XP come with a number of services that are not necessary, and some of these unwanted services can be outright dangerous. Unless explicitly disabled, these services start during the boot process and reside in memory, wasting precious RAM.

To change the service settings, open the Services configuration screen in XP as follows:

Click Start, click Run, type 'Services.msc' and click OK.

In the Services configuration screen, double-click the name of a service to change the startup type for that particular service.

There are three possible startup types:

Automatic: the service is started while Windows loads.

Manual: the service is not loaded during the boot process, but if it is needed it can be started automatically in the background, without the user opening the Services configuration to start it by hand.

Disabled: the service is not started during the boot process and cannot be started, not even with the Start button, until its startup type is changed in the Services configuration, followed by a reboot or a manual start.

I am not going to get into the nuances of each and every service that is enabled by default; there are whole sites devoted to that. Check out the following links for tips on tweaking the services to your needs.

Elder Geek – Services Guide for Windows XP

Snakefoot's Windows NT4/2000/XP Services

The indicated settings are general in nature and may not suit everyone, as many services are necessitated by individual preferences and operational environments. It is imperative that you back up your data and set a restore point before tweaking the services.

A note on the "Messenger" service – Why disable the Messenger service?


If advertisements are opening on your computer in a window titled Messenger Service, it may mean that the Messenger service is enabled and running on your system. Although the names are similar, the Messenger Service in Windows XP is not related to instant messaging programs such as Windows Messenger and MSN Messenger; disabling it will not affect the functioning of the IM programs.

Messenger Service window that contains an Internet advertisement appears

Shoot The Messenger

Use EFS (Encrypting File System) to encrypt My Documents folder and Temp folder

The Encrypting File System, available in Windows 2000 and Windows XP, lets you encrypt selected NTFS files and folders using public key cryptography. Encrypting sensitive folders by means of EFS adds another layer of security: when folders are encrypted, their data is protected even if an attacker has full access to the computer's data storage. Read more on EFS (Encrypting File System) before attempting the following.

Encrypt the My Documents folder (%UserProfile%\My Documents) to ensure that the personal folder, in which most Microsoft Office documents are saved, is encrypted by default.

Encrypt the Temp folder (%TEMP%) to ensure that the temporary files that are created by various applications are encrypted.

To encrypt a selected folder:


Open Windows Explorer.

Right-click the folder that you want to encrypt, and then click Properties. On the General tab, click Advanced. Select the Encrypt contents to secure data check box.
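As an added example (not the article's own code), the following PowerShell script reports the EFS state of the two folders the article recommends encrypting and lists any files below them that are still stored in clear text. It assumes the Windows XP profile layout, where the personal folder is named 'My Documents'.

```powershell
# Added example (not the article's own code): report which files under the two
# folders the article recommends encrypting are still stored in clear text.
# Assumes the Windows XP profile layout ('My Documents'); on Vista and later the
# folder is named 'Documents'.
$targets = @((Join-Path $env:USERPROFILE 'My Documents'), $env:TEMP)

function Test-Encrypted($item) {
  # EFS state is the Encrypted bit (0x4000) of the file attributes; compare as
  # integers so that a zero result is reliably treated as false.
  return (([int]$item.Attributes -band [int][IO.FileAttributes]::Encrypted) -ne 0)
}

foreach ($dir in $targets) {
  if (-not (Test-Path $dir)) { Write-Warning "Not found: $dir"; continue }
  $state = if (Test-Encrypted (Get-Item $dir)) { 'encrypted' } else { 'NOT encrypted' }
  $plain = @(Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer -and -not (Test-Encrypted $_) })
  '{0}: folder is {1}, {2} file(s) below it still in clear text' -f $dir, $state, $plain.Count
  $plain | Select-Object -First 10 | ForEach-Object { '    ' + $_.FullName }
}
# Command-line equivalent of the "Encrypt contents" check box, should you apply it:
#   cipher.exe /E /S:"<folder>" /A    (/A also encrypts the files already present)
```

A folder that is marked encrypted only protects files created after the mark was set, which is why the script counts pre-existing clear-text files separately.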

Related link: Error Message "Access Denied" When Starting a Recently Installed Program

Clear Page File at System Shutdown

Ensure that the system page file is cleared before shutdown. This will ensure that any sensitive information from process memory will not be paged to disk in clear text form at shutdown.


Start the Registry Editor (regedit.exe) and browse to the following key on the left pane:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Find the value ClearPageFileAtShutdown in the right pane, double-click it, and:

set to 0 to turn the behaviour off

set to 1 to turn the behaviour on

OR

Open Local Security Policy from the Administrative Tools folder in Control Panel (Start > Control Panel > Administrative Tools > Local Security Policy), expand Local Policies and click Security Options. Double-click the entry "Shutdown: Clear virtual memory pagefile" in the right pane and select Enabled.

Disable Dump file creation

When your computer stops unexpectedly as a result of a Stop error (also known as a "blue screen of death", system crash or bug check), a Memory.dmp file is automatically created; it is helpful when diagnosing problems with debugging tools. Like the page file, this stored data can contain sensitive information and passwords.

To disable dump file creation: open System in Control Panel, click the Advanced tab and then click the Settings button under Startup and Recovery. Under Write debugging information, open the drop-down menu, select (none) and OK your way out.


Note: Disabling dump file creation does not delete dump files created on earlier occasions. To delete them, use Windows Explorer to browse to the default location, C:\Windows, and delete the Memory.dmp file.

Disable Dr.Watson dump file creation

A memory dump file similar to the above is created by Dr.Watson, a program error debugger that gathers information about your computer when an error (or user-mode fault) occurs with a program.

To disable Dr.Watson dump file: Start the Registry Editor (regedit.exe) and browse to the following key on the left pane:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug

Select it, double-click the value Auto in the right pane and change the value to "0".

Note: Disabling Dr.Watson does not delete dump files created on earlier occasions. To delete them, use Windows Explorer to browse to C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson and delete the files named User.dmp and Drwtsn32.log.

Neutralize the scrap file

A scrap file is a type of file used to transfer objects between programs on Windows computers. A scrap file can contain just about anything from simple data, to a document or spreadsheet, to an executable program.

The scrap file can be named with most any extension to make it look like a benign file (e.g., .GIF, .JPG, .TXT, etc.) and then Windows adds the .SHS extension to that. In most cases, even if you have Windows set to show all file extensions, the .SHS extension will not show up after you've saved the file to disk (it should be visible as an attachment to an E-mail message). This can make scrap files more dangerous as they can easily appear to be something they are not just by giving the file a benign name.

Windows assigns "RUNDLL32.EXE SHSCRAP.DLL, OPENSCRAP_RUNDLL %1" to the .SHS extension by default and, when opened, Windows will unpack the scrap file and open or execute whatever is in the file. You will have no control over this once you attempt to open the scrap file.

The display of the .SHS extension is controlled by the following registry key:

HKEY_CLASSES_ROOT\ShellScrap

and the value "NeverShowExt" in its right pane.


To neutralize the scrap file you can either change "NeverShowExt" to "AlwaysShowExt" or simply delete the entry. Then, reboot and .SHS files should show their extension even when saved to disk.
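The registry and service changes described in this article (file extensions, Remote Assistance and Remote Desktop, the Messenger service, the page file, crash dumps, Dr.Watson and scrap files) can be verified from one place. The following read-only PowerShell audit is an added example, not the article's own code; the value names the article does not itself quote (HideFileExt, fAllowToGetHelp, fDenyTSConnections, CrashDumpEnabled) are standard Windows names supplied from general knowledge.

```powershell
# Added example (not the article's own code): read-only audit of the settings the
# article changes by hand. Value names the article does not quote (HideFileExt,
# fAllowToGetHelp, fDenyTSConnections, CrashDumpEnabled) are standard Windows
# names supplied here from general knowledge, not taken from the article.
$checks = @(
  @{ Label = 'Explorer shows extensions (HideFileExt = 0)'
     Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
     Name = 'HideFileExt'; Want = 0 },
  @{ Label = 'Remote Assistance off (fAllowToGetHelp = 0)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
     Name = 'fAllowToGetHelp'; Want = 0 },
  @{ Label = 'Remote Desktop off (fDenyTSConnections = 1)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
     Name = 'fDenyTSConnections'; Want = 1 },
  @{ Label = 'Page file cleared at shutdown'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
     Name = 'ClearPageFileAtShutdown'; Want = 1 },
  @{ Label = 'Kernel crash dump disabled (CrashDumpEnabled = 0)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
     Name = 'CrashDumpEnabled'; Want = 0 },
  @{ Label = 'Dr.Watson auto-debug off (AeDebug\Auto = "0")'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
     Name = 'Auto'; Want = '0' }
)
function Test-RegValue($path, $name, $want) {
  if (-not (Test-Path $path)) { return 'key missing' }
  $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
  if ($item -eq $null) { return 'value missing (Windows default applies)' }
  $have = $item.$name
  # Compare as strings: AeDebug\Auto is REG_SZ, the other values are REG_DWORD.
  if ("$have" -eq "$want") { 'OK' } else { "MISMATCH (current value: $have)" }
}
foreach ($c in $checks) {
  '{0,-50} {1}' -f $c.Label, (Test-RegValue $c.Path $c.Name $c.Want)
}
# Scrap files: the fix is the absence of NeverShowExt under HKCR\ShellScrap,
# so test for presence of the value rather than for its contents.
$scrap = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\ShellScrap' -ErrorAction SilentlyContinue
if ($scrap -and ($scrap.PSObject.Properties | Where-Object { $_.Name -eq 'NeverShowExt' })) {
  'Scrap (.SHS) extension still hidden: NeverShowExt is present'
} else {
  'Scrap (.SHS) extension will be shown (NeverShowExt absent or key missing)'
}
# Messenger service: WMI exposes StartMode, which Get-Service lacks on older PowerShell.
$svc = Get-WmiObject Win32_Service -Filter "Name='Messenger'"
if ($svc) { 'Messenger service: {0}, start mode {1}' -f $svc.State, $svc.StartMode }
else { 'Messenger service not installed (normal on Windows Vista and later)' }
```

Run it from an administrative prompt so the HKLM keys are readable; it changes nothing, so each MISMATCH line is a setting still to be applied by the steps above.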

Scrap Files Can Tear You Up

Keep Yourself Informed

Newer and more sinister malware is detected nearly every other day, making it imperative that anyone interested in better online security keeps informed about the goings-on in the anti-malware field.

Check out this link to learn about Keeping Yourself Informed.

Back to Malware Prevention – Hardening Windows Security -1




Sally Tudor March 25, 2011 at 1:30 AM

Excellent resource! Thank you so much for posting. This has helped me with my homework.
God bless you, Sally
