
Content:
- Configuring NT services much more securely
- Advanced steps for configuration (2K/XP)
- Other contributions to security
Life goes on! We have recently launched our new Windows 7 security website, and this page is going to be discontinued.
So please visit our new website: Making Windows 7 more secure
Windows 2000 and XP belong to the same NT family as NT4 or Windows 2003 Server.
NT stands for "New Technology" and was introduced by Microsoft with the newly developed
32-bit server operating system Windows NT 3.1 back in 1993.
But Microsoft doesn't do a good job here: (unnecessary) network services are not disabled by default, which breaks
an important rule of networking: "Do not offer services you really don't need".
Services are programs that start while the operating system boots. They need no
interactive action or log-on by a user, and they provide features which may be used by other programs.
For instance: a stand-alone workstation doesn't need any network services, so it is smart to switch them off. As you see,
it is important to configure computer systems as securely as needed. That avoids or minimizes attacks on
your IT infrastructure and preserves the reliability of your enterprise or home workstation.
To follow up these security measures, the following manuals describe the safe and secure configuration of NT services in Windows 2000 and Windows XP environments. They also describe how to change the start-up type (auto, demand, disabled) of the services. After that you won't offer unnecessary services to the internet anymore, and you avoid or minimize the risk of damage.
The large number of different services makes it difficult to ensure a secure configuration when you have to manage many machines (e.g. in small businesses). To avoid mistakes, a script is available that uses the Windows NT command line interface to configure services as safely and comfortably as possible. The following actions are performed by this script:
Back in January 2004 we introduced a new and improved version v2.0, which unfortunately raised the code complexity
at the same time. For that reason Ansgar Wiechers started helping me to refactor
the complete script. In the end version v2.2 was released for download.
This new version offers much better compatibility with Windows XP SP2 and SP3 environments, a redesigned GUI, new features
(e.g. fingerprinting) and more security options. Depending on your personal preferences, you get more options
to get your workstation back into a safe and secure state. The following introduction briefly describes all new
features.
| Option | Effect |
|---|---|
| (1) LAN | Closes all open ports. Some services ("automatic updates", "scheduler") and SMB remain unchanged. Use this option if you still need network features (for instance shared drives or printers). |
| (2) Standard | Unlike option (1), SMB is disabled. On W2K systems all ports are closed. On Windows XP you must additionally disable the scheduler service to close all ports. Some services (for instance "automatic updates" or "scheduler") remain unchanged. |
| (3) ALL | Carries out all changes recommended by www.ntsvcfg.de. All services and SMB are disabled. This option is recommended, as it really hardens your workstation. |
| (4) Restore | Restores the changes you made last. A pop-up might appear warning you about writing to the registry; confirm this message by clicking OK. |
| "/reLAN" | Resets certain services needed for LAN operation to "auto" and restarts these services automatically afterwards. This option is available through the command line interface only. |
| "/fix" | Fixes a problem with the scheduler service ("wrong parameter") caused by older versions of the svc2kxp script. This option is available through the command line interface only. |
| /? | Displays a help screen listing the start parameters available for this script. |
Example:
    svc2kxp.cmd /std    (recommended for stand-alone computers using dial-up internet connections)
    svc2kxp.cmd /lan    (warning: retains basic (native) network support for computers connected to a LAN/WAN or via a DSL/cable modem)
Choosing one option only (e.g. LAN, Standard or All) is good enough. In order to run the script, the file SC.EXE is required. This file is part of Windows XP, the W2k/XP Resource Kit and also Visual Studio .NET. On an active internet connection the script may try to download the required file SC.EXE and copy it to the \SYSTEM32 directory. Alternate sources for this file are: ftp://ftp.microsoft.com/reskit/win2000/sc.zip or http://www.dynawell.com/reskit/microsoft/win2000/sc.zip. Unzip the file SC.EXE from the archive and copy it to Winnt\System32\ or Windows\System32\ respectively. Using this script is NOT recommended for LAN/network environments!
http://www.ntsvcfg.de/svc2kxp.zip (v2.2_build10 as of August 30th 2008; 19 kb; ZIP-MD5: 20F69073283D0F0663016CF3CB38C874)
( history (German) / v2.0build5 and later is published under the GNU General Public License. For more information visit www.gnu.org )
Please be aware that the offered script only carries out parts of the steps from the tutorial at ntsvcfg.de. Some are still left to be changed manually. To see what the script does and what needs to be done by the user, look at the following overview:
Index:
- user needs to perform changes or check for proper execution
- already done by the script

| Windows 2000 | Windows XP |
|---|---|
| 1. Release NetBIOS services (netbios-ssn, netbios-ns, netbios-dgm) from the dial-up/LAN adapter (your preferred internet connection) (more information, German) | 1. Release NetBIOS services (netbios-ssn, netbios-ns, netbios-dgm, ports 135, 137, 139) from the dial-up/LAN adapter (parts A+B+C) (more information, German) |
| 2. Termination of epmap, isakmp and microsoft-ds* | 2. Terminating epmap (closes port 135) |
| * Instead of disabling NetBT, the registry entry "SMBDeviceEnabled=0" is set, which closes port 445 while NetBIOS features remain untouched (more information, German) | 3. Terminating mtaskp (closes port 1026) |
| | 4. Terminating ssdp (closes ports 1900, 5000) |
| | 5. Terminating alg (closes ports >3000) |
| | 6. Terminating microsoft-ds* (closes port 445) |
Notice: There is no support for Windows NT4 and W2k3 (server) by the script.
To check whether all unnecessary services are terminated and all ports are in the state "closed", follow the instructions on this website: http://www.linux-sec.net/Audit/nmap.test.gwif.html. (Remember: not every internet service provider (ISP) allows you to test your computer for open ports. A remote scan tests whatever answers at your public address, so results may be incorrect if the ISP or your router puts a proxy or NAT device in front of your machine.)
Are ports still open out there? Check and find out more about the reasons:
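The manual steps from the overview above (changing a service's start-up type with SC.EXE, stopping it, and setting SMBDeviceEnabled=0 to close port 445) together with a local port check, written as an added example for this page; it is not the svc2kxp.cmd script from ntsvcfg.de. The service names SSDPSRV, ALG, Schedule and PolicyAgent (the services behind ssdp, alg, the scheduler and isakmp), the script name and the backup file name are assumptions of this example. It is written in batch because that is what the page's own script uses:

```batch
@echo off
:: harden-svc.cmd - added example for this page, NOT the svc2kxp.cmd script.
:: Needs SC.EXE (Windows XP; W2K Resource Kit) and REG.EXE (Windows XP;
:: W2K Support Tools). Run from an account with administrator rights.
::
::   harden-svc.cmd backup    record the current start type of each service
::   harden-svc.cmd disable   set start type "disabled", stop them, SMBDeviceEnabled=0
::   harden-svc.cmd restore   put the start types back from the backup, re-enable SMB
::   harden-svc.cmd check     list the TCP/UDP ports still bound on this machine
setlocal enabledelayedexpansion

:: Assumed internal service names behind the items in the overview:
:: SSDPSRV = ssdp (1900/5000), ALG = alg, Schedule = task scheduler (1026),
:: PolicyAgent = isakmp (UDP 500). Adjust the list to your own needs.
set SERVICES=SSDPSRV ALG Schedule PolicyAgent
set BACKUP=%SystemRoot%\svc-backup.txt
set NETBT=HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

if /i "%~1"=="backup"  goto backup
if /i "%~1"=="disable" goto disable
if /i "%~1"=="restore" goto restore
if /i "%~1"=="check"   goto check
echo usage: %~nx0 backup ^| disable ^| restore ^| check
exit /b 1

:backup
:: "sc qc" prints a line "  START_TYPE : 2 AUTO_START"; token 3 is the numeric
:: start type (2 = auto, 3 = demand, 4 = disabled).
if exist "%BACKUP%" del "%BACKUP%"
for %%s in (%SERVICES%) do (
    for /f "tokens=3" %%t in ('sc qc %%s ^| findstr /c:"START_TYPE"') do (
        rem redirection first: "echo x 2>>file" would redirect stderr instead
        >>"%BACKUP%" echo %%s %%t
    )
)
echo start types saved to %BACKUP%
exit /b 0

:disable
if not exist "%BACKUP%" call "%~f0" backup
for %%s in (%SERVICES%) do (
    rem sc.exe wants the space after "start=": "start=disabled" is a syntax error
    sc config %%s start= disabled >nul
    sc stop %%s >nul 2>&1
    echo %%s: start type disabled, service stopped
)
:: Closes TCP/UDP 445 after the next reboot but keeps NetBIOS over TCP/IP.
reg add %NETBT% /v SMBDeviceEnabled /t REG_DWORD /d 0 /f >nul
echo SMBDeviceEnabled=0 written, port 445 is closed after a reboot
exit /b 0

:restore
if not exist "%BACKUP%" (
    echo no backup file found, nothing to restore
    exit /b 1
)
for /f "usebackq tokens=1,2" %%s in ("%BACKUP%") do (
    set TYPE=demand
    if "%%t"=="2" set TYPE=auto
    if "%%t"=="4" set TYPE=disabled
    sc config %%s start= !TYPE! >nul
    echo %%s: start type !TYPE!
)
reg delete %NETBT% /v SMBDeviceEnabled /f >nul 2>&1
echo SMBDeviceEnabled removed, port 445 is open again after a reboot
exit /b 0

:check
:: Every line here is a socket reachable from the network side; after the
:: changes above 0.0.0.0:135, :139 and :445 are the usual leftovers to look at.
netstat -an | findstr "LISTENING UDP"
exit /b 0
```

Like the Restore option of svc2kxp.cmd, the restore mode only knows the state that was saved, so run backup once before the first disable. The SMBDeviceEnabled value is read by the NetBT driver at boot, which is why port 445 only closes (or reopens) after a reboot; the service changes take effect immediately.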
For daily use, working with user rights only
and not as administrator is one of the best and most effective ways
to protect your computer from getting compromised.
Also use NTFS as the file system, which allows you to set up permissions for extra security and protect
your PC against spyware, malware, trojans and more.
Every day new security holes in operating systems are disclosed, so it is necessary to keep your
Windows up to date. Simply visit the Windows Update
website and install all important updates and service packs. In addition, this script configures the NT services
properly. But it doesn't patch or update anything!
How to do this? Read the tutorial in the upper part of this website so
you don't offer unnecessary services anymore and minimize the risk of damage to your system.
To support your effort for a properly configured system, use the offered script "svc2kxp.cmd".
It is recommended to use a safe and secure browser. Internet Explorer and
Outlook Express aren't, because of mistakes in concept (e.g. ActiveX) and
too many critical failures allowing exploits to hijack your IE. The "zones model"
is also affected, so it isn't trustworthy anymore.
Browsers like the Mozilla suite (browser/email/news), Firebird/Firefox (browser) and Thunderbird (email/newsgroup) as stand-alone derivatives of Mozilla, and also Opera, are a good choice,
e.g. Mozilla + Sun JRE (Java).
Windows XP has a built-in firewall (also called Internet Connection Firewall, ICF)
which is integrated in the TCP/IP stack. Please note that this
firewall isn't globally activated by default (before Service Pack 2; SP2 renamed it Windows Firewall and enables it for all connections), so you have to turn it on for every
internet adapter (once for permanent connections and every time for non-persistent internet
connections). The advantage of this firewall is a very simple configuration and a low risk of
unauthorized changes to the configuration (i.e. parameters, rules).
At this point I want to say THANK YOU to all the people who are helping me create this website and the offered script and who make this project possible, especially:
Bernd Eckenfels, Wolfgang Ewert, Stephan Grossklass, Chris Haaser, Sybille Kahl, Stefan Kanthak, Besim Karadeniz, Rüdiger Lahl, Daniel Leidert, Johannes Lichtenberger, Joachim Meyer, Harald Mühlböck, Michael Paul, Jürgen Port, Manuel Reimer, Rüdiger Rösler, Björn Schliessmann, Alexander Skwar, Ralf Storm, Jörg Ulbrich, Karin Weber, Ansgar Wiechers, Thomas Winter.
Also to Christian D. Anderson from www.dupond.com for helping me translate parts of this site.
This website is free of any commercial intentions. It is understood as a private, complimentary website contributing to the de.comp.security.misc newsgroup. Any names or products used are brands and the property of their respective owners. Commercial use of this website is not allowed without approval, so please contact us upfront. Content on this website is provided without any guarantee or liability.
| www.ntsvcfg.de, © 2003-2010 Torsten Mann, Albert-Schweitzer-Str. 6, 01187 Dresden. More... | Last Update: February 7th, 2010, 08:39am PST |