
Securing Microsoft Windows (2000/XP/2003)

by Guillaume Kaddouch, November 2006


TABLE OF CONTENTS

INTRODUCTION.................................................................................... 3

I – KEEPING YOUR WINDOWS UP TO DATE...........................................4


1.1. Enabling Automatic Windows Update........................................................ 4
1.2. Checking Microsoft Office updates............................................................. 5

II - CONFIGURING WINDOWS SERVICES..............................................6


2.1. Disabling unneeded Windows services...................................................... 6
2.2. Setting services startup to manual............................................................ 9

III – REMOVING UNNEEDED PROGRAMS AT STARTUP........................ 10

IV - RUNNING EXPOSED PROGRAMS WITH RESTRICTED RIGHTS....... 11


4.1. Identifying 'critical' or 'exposed' applications..........................................11
4.2. Setting restricted rights for a given program (WinXP PRO/Win2K3)....... 11
4.3. Setting restricted rights for a given program (WinXP Home/Win2K).......14

V - CONFIGURING FILES AND EXTENSIONS DISPLAY......................... 15

VI - SETTING UP STRONG PASSWORDS.............................................. 16


6.1. Password complexity............................................................................... 16
6.2. Password diversity.................................................................................. 16

CONCLUSION.......................................................................................18

Securing Microsoft Windows 2/18 Guillaume Kaddouch


INTRODUCTION

This guide is for the average user, or a new user who has just bought a computer, and who
wants to secure his Windows operating system. It does not contain complex tips meant for
advanced users, but rather the basics of Windows security for everyday use. There is nothing
incredible or previously unknown in this guide, so if that is what you are looking for, you can
skip it. The purpose of this paper is to help you configure your OS securely, and to disable
some dangerous default settings.

Lastly, I have come across badly infected computers, some of which had at least one
antivirus, and even a firewall. Nowadays malware is more aggressive than ever, and
increasingly uses user-mode rootkits to hide its files and processes, while attacking your
main security applications to disable them. Some of these infected systems were not without
any security, but their users had randomly added some security software without
understanding what they were doing. Security is not a setup executable that you can install
and forget; it is a global process, beginning with the OS (configuring it), and requiring
understanding and awareness from the one who is securing his system.

Usually, when you first get a computer and ask for advice on securing it, you are told to
install various security software, such as an antivirus. However, by following this way, you
are adding security on top of something that is insecure by default: your operating system.

Windows is your security foundation; if it is weak, then everything on top of it can collapse.
For instance, a malware could exploit a known Windows vulnerability in a service running by
default in order to execute, but if this vulnerability is patched, and this service is disabled,
then the malware is dead in its tracks. Thus, you must take care of Windows itself first; this
is as critical as laying the foundations of a building.

In what follows, we will see together how to decrease your exposure to various threats: by
disabling unneeded Windows services, configuring a few Windows options, setting up updates,
controlling what starts up, setting strong passwords, and restricting the rights and privileges
of some critical programs.

This guide applies to Windows XP Home Edition and Professional Edition, Windows 2000, and
Windows 2003. However, some of the general advice holds for all OS, so it is still worth
reading this guide even if you have Windows 98.



I – KEEPING YOUR WINDOWS UP TO DATE
Updating your OS and keeping it updated at all times is the most critical step to begin with.
You can have the most secure computer in the world, but if you have critical unpatched
vulnerabilities, they can be exploited against you and potentially bypass all of your security
measures. A vulnerability can be exploited either locally or remotely, and can be used to
disable some of your security software and/or to execute arbitrary code.

1.1. Enabling Automatic Windows Update


There are different possibilities; the easiest is to set Automatic Updates to automatically
check for updates, download them, and install them, without your intervention.
To do so, click on the Start button, open the Control Panel, then click on the
“Automatic Updates” icon:

You can then select the first option, “Automatic (recommended)”:

However, I advise configuring the updates to notify you when new updates are available,
without downloading them. Thus, you will be able to choose when to download them, and to
uncheck updates you may not want, such as the Windows Genuine Advantage Notification
update, for instance:



Either way, the purpose is to apply updates as soon as they are available, to prevent
in-the-wild malware from exploiting these vulnerabilities against you. Most of the exploited
vulnerabilities are, surprisingly, already known ones for which a fix has been available for a
long time (sometimes more than a year!). Some trojans and spyware target patched flaws
because they know some people never update their Windows.

If you prefer to manually check for updates, you can go to:

http://windowsupdate.microsoft.com/

1.2. Checking Microsoft Office updates


If you have Microsoft Office installed, you should go there:
http://office.microsoft.com

There are often critical flaws discovered in Microsoft Word or PowerPoint, consequently you
should keep an eye on Microsoft Office updates as well.
It goes a little beyond “Securing Windows”, but since Microsoft Office is often part of the
default installation when buying a new computer, I think it is as important to talk about it as
Windows itself. Moreover, Microsoft Office, once installed, is integrated into the OS, and its
vulnerabilities can hurt your whole system (e.g. Word will be the default .doc file viewer and
can be automatically triggered from your Internet browser).
While we are at it, there is a free alternative to Microsoft Office: OpenOffice.org. It
includes components corresponding to Word/Excel/PowerPoint/Access and is compatible with
Microsoft Office. While Microsoft Office 2003 Professional has suffered 15 critical
vulnerabilities so far in 2006, OpenOffice.org 2.x has only had 2 non-critical ones. Of course
this could be explained by Microsoft Office being more targeted; anyone is free to interpret
these statistics.

You can grab OpenOffice.org there: http://www.openoffice.org/



II - CONFIGURING WINDOWS SERVICES
This is one of the most overlooked steps for people buying a new computer.
A service is a component which brings a functionality to Windows and enables you to do a
particular task. For instance, if you want to print, the Spooler service must be enabled;
otherwise, Windows will refuse to print. The same goes for file sharing on a LAN: if the Server
service is disabled, you won't be able to share any files.
Regarding security, some services running by default are dangerous for your system. For
instance, some services open up your system to the network, making it directly attackable
remotely. Such services are RemoteRegistry, Messenger (not to be confused with MSN
Messenger, which is an external application), and Server. There are more; these ones are
just common open holes.
Generally, in security, you must close any service/feature you do not use, to reduce your
exposure surface (your entry points). A patched flaw in a service prevents it from being
abused through a known vulnerability (as explained in the first chapter), but the service is
still exposed to the Internet at large, and could be vulnerable to flaws yet to be discovered
(0-day exploits).

2.1. Disabling unneeded Windows services


Some of the services I describe below are sometimes necessary if you need a particular
feature (e.g. the WZCSVC service, which is labelled “Wireless Configuration Service”). You
should not disable a service if you need what it does. Consequently, for the list of services I
give below and advise to disable, you should be aware of your system and particular setup,
so as not to disable services your system needs.
To access the service manager, click on the Start menu, then click Run. Enter “services.msc”
without the quotes, and click OK.

The service names I will give are not the ones you can see under the “Name” column, but the
ones you can see when you double-click on a service line. A new window appears, and in the
first tab there is the “Service name” line. These names are the same for everyone, so it will
be easier for you to spot them no matter your Windows language.



You can see in this example that the service called “IMAPI CD-Burning COM” under the “Name”
column is internally named “ImapiService”. This is the difference between the “Display name”
and the “Service name”. Below, I'm using the latter.
Services to keep (16):
• RpcSs
• AudioSrv (unless you don't have a sound card)
• Dhcp (if you are on a network, LAN/WAN/Internet)
• Netman (if you are on a network, LAN/WAN/Internet)
• ShellHWDetection
• ProtectedStorage
• SamSs
• Winmgmt
• EventLog
• DcomLaunch
• wuauserv (unless you have disabled Windows automatic updates)
• BITS (unless you have disabled Windows automatic updates)
• Schedule
• PlugPlay
• CryptSvc
• Themes (unless you do not use any theme)

Services you may need to keep depending on your system:

• FastUserSwitchingCompatibility (if you are using the fast user switching feature)
• WZCSVC (if you are on a Wireless network)
• Browser (if you need to browse LAN computers)
• SharedAccess (if you are using the Windows XP firewall)
• srservice (if you are using the restore feature)
• Spooler (if you want to print)
• lanmanserver (if you want to share files on a LAN)



Also please note that some software, for instance security applications, installs services on
your system. It is impossible to write an exhaustive list, but if you see services related to
your antivirus or firewall, of course do not disable them.
All of the other services should be disabled. To disable a service, right-click on it, select
“Properties”, and in the new window change the startup type to “Disabled” (instead of
Automatic).
Tweaking services is tedious. For the best safety you should disable your services one by
one (except the aforementioned ones that you should keep) and check that you didn't lose any
functionality (e.g. network, USB peripherals). It is impossible to give a list of services that
you should disable, as everyone's system is unique (LAN/WAN/Internet/standalone, printer,
scanner, USB peripherals, some software services, etc.).

Be aware that some services not listed here may be vital for your system and that disabling
them may break some functionality. Do not disable services installed by your security
applications. As I said above, disable them one by one and not all at once, and check that
nothing is broken. If you can, make backups before applying this chapter.

A few services cannot be disabled using the services manager. For these, you can use the
Windows Worms Doors Cleaner tool that I have written. It is available there:
http://www.firewallleaktester.com/wwdc.htm

Disabling these services can also break a few applications that expect them to always be
enabled. If it causes any problem, WWDC allows you to revert your modification.



2.2. Setting services startup to manual
There are services you need only occasionally, not every day. Leaving them running is a waste
of resources if you use them rarely, and it is also against the security principle of disabling
anything you do not use.
However, you cannot disable them totally, as you do use them, even if not often. The solution
is to set their “Startup type” to “Manual”. This way, as soon as the software or the Windows
feature that uses this service needs it, it will automatically activate it. That is the best
trade-off between security and usability. Unfortunately, sometimes the software is not smart
enough to start its own service back, and you must go into the service manager and click on
the “Start” button. The choice is up to you, between giving priority to security, or to
usability.

Also, you can set a service to Manual if you are unsure whether you need it or not.
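Going through services.msc one line at a time is exactly the tedious part of sections 2.1 and 2.2. The script below is an added example, not from the guide: it compares every service set to start automatically against the two keep lists given in section 2.1 (using the internal service names, as the guide does) and tells you which ones are left to review, then gives a small helper to move one service at a time to Manual (section 2.2) or Disabled (section 2.1), printing the previous startup type so you can undo the change if a feature breaks. It assumes Windows PowerShell 2.0 or later run as an administrator; the service names in the comment are the guide's own examples (RemoteRegistry, Spooler).

```powershell
# Added example (not from the guide): review automatic services against the guide's keep
# lists, then change startup types one service at a time. Assumes PowerShell 2.0+, run as admin.

# The two lists from section 2.1, using the internal "Service name" (not the display name).
$keep = @('RpcSs','AudioSrv','Dhcp','Netman','ShellHWDetection','ProtectedStorage','SamSs',
          'Winmgmt','EventLog','DcomLaunch','wuauserv','BITS','Schedule','PlugPlay','CryptSvc','Themes')
$keepIfNeeded = @('FastUserSwitchingCompatibility','WZCSVC','Browser','SharedAccess',
                  'srservice','Spooler','lanmanserver')

function Get-ServiceReview {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service does not on old versions.
    Get-WmiObject -Class Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            $verdict = if ($keep -contains $_.Name)             { 'keep' }
                       elseif ($keepIfNeeded -contains $_.Name) { 'keep if you use the feature' }
                       else                                     { 'review: set to Manual or Disabled' }
            New-Object PSObject -Property @{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                Verdict     = $verdict
            }
        }
}

function Set-ServiceStartup {
    # Change one service at a time, as the guide recommends, so a lost feature is easy to trace back.
    param(
        [string]$Name,
        [ValidateSet('Automatic','Manual','Disabled')][string]$StartupType
    )
    $before = (Get-WmiObject -Class Win32_Service -Filter "Name='$Name'").StartMode
    Set-Service -Name $Name -StartupType $StartupType
    Write-Host ('{0}: {1} -> {2}' -f $Name, $before, $StartupType)
}

# Report first, decide per service, then apply, for example:
#   Set-ServiceStartup -Name 'RemoteRegistry' -StartupType 'Disabled'   # network-exposed, rarely needed
#   Set-ServiceStartup -Name 'Spooler'        -StartupType 'Manual'     # only when you print
Get-ServiceReview | Sort-Object Verdict, Name | Format-Table Name, DisplayName, State, Verdict -AutoSize
```

Services installed by your antivirus or firewall will show up as "review" because they are not in the guide's lists; as the chapter says, leave those alone. Reboot and retest network, printing and USB after each change rather than after a batch of them.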



III – REMOVING UNNEEDED PROGRAMS AT STARTUP
Services are not the only tasks launched at startup; some other programs and applications
are also launched (often too many). Following the same principle of disabling what we don't
need, this time we will disable what we don't need to start as soon as we log in (even if we
will need it later). This will save resources, speed up Windows boot, and reduce our exposure
while we start.
To see what is launched at startup, go to the Start button, click Run, then enter “msconfig”
without the quotes (not available on Windows 2000). You will be able to see, in the “Startup”
tab, all of your applications launched at startup. Ideally, you should disable everything except
your security software (antivirus, firewall, anti-spyware). Often there are “parasites” you can
uncheck, such as your CD or DVD burning software, Microsoft Office, Adobe Reader, etc.

Obviously do not disable your security applications; everything is unchecked on the screenshot
above, but this is just for the example. Of course the above startup item “kav” (Kaspersky
Antivirus) should stay checked.
If you do not have access to msconfig, there is a free tool called Autoruns from Sysinternals:
http://www.sysinternals.com/Utilities/Autoruns.html
Also check your startup folder, located at “Start -> All programs -> Startup”.
Having the bare minimum starting up, and only the needed services, decreases your exposure
to network and local threats dramatically, not to mention the advantage of having more
resources available (CPU and memory).



IV - RUNNING EXPOSED PROGRAMS WITH RESTRICTED RIGHTS
Ideally, we should all use a restricted user account, unlike the default administrator account
Windows gives us. Not having administrator privileges cuts off the vast majority of malware,
and prevents it from doing any harm.
Unfortunately, this is not always possible, due to some badly designed software which cannot
run without administrator privileges. There are also video games that refuse to let you play
online because their anti-cheat component requires admin rights. Some software setups do
not work properly when used with the “Run as” command and fail to install.
Also, some people find that running a restricted account is a real pain when they want to
constantly install/remove software. If you can afford it, having a restricted user account is a
very good point, and you can skip this chapter. If not, in the following you will see how to run
critical applications with restricted rights while being on an administrator account.

4.1. Identifying 'critical' or 'exposed' applications


Not all of your applications are concerned. Generally, exposed applications are the network-
enabled ones, because they can be reached and thus abused remotely.
Some easy ones are your browser, your email client, your instant messaging application, your
peer-to-peer client, or any other network-enabled application which may be either permanently
running or very often used.
You are the only one who can decide which applications are exposed on your side; I cannot
give an exhaustive list. For instance you may be running a server (e.g. FTP) which is
particularly exposed.
At the very least, you should restrict your browser and email client.

4.2. Setting restricted rights for a given program (WinXP PRO/Win2K3)


For Windows XP Professional and Windows 2003 (go to the next part for Windows XP Home
and Windows 2000):
Using the local policies manager, you can define restrictions so that any executable you wish
automatically runs with restricted privileges, as if you were in a restricted user account.
Before starting the local policies manager, there is a registry modification to do, in order to
have the “Basic User” (meaning “restricted user”) option available.
To start the registry editor, go to Start -> Run, enter “regedit” without the quotes, click OK,
then go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

and add a DWORD value named “Levels” (right-click on the right pane, select “New”, then
“DWORD”). Set its hexadecimal value to 20000 (it should appear as 0x20000).



Close the registry editor. Now go to Start -> Run, and enter “secpol.msc” without the quotes;
this will run the local policies manager.
Click on the left side on Software Restriction Policies. Normally, Windows should say “No
Software Restriction Policies Defined”. Right-click on “Software Restriction Policies”, and then
click on “Create New Policies”:

Finally click on the Additional Rules folder.



We are finally there: you can right-click on the right pane, and select “New Path Rule”. In the
Path text box, enter your application path (e.g. your browser). In the Security Level list,
select “Basic User”, then click OK; that's all. Create as many rules as there are applications
you want to restrict.

From now on, every time the restricted application runs, whether started manually or
automatically, it will not have administrator privileges.

Be aware that you may have to revert its rights to “Unrestricted” in order to update your
application.
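The registry step that unlocks the “Basic User” level, and a way to check the path rules you created afterwards, can both be scripted. The block below is an added example, not from the guide: it writes the Levels value exactly as described in section 4.2, then lists the Basic User path rules, which the Software Restriction Policies snap-in stores under a subkey named after the level (131072 is the decimal form of 0x20000) with the program path in each rule's ItemData value. It assumes Windows PowerShell 2.0 or later run as an administrator on XP Professional or 2003; the rules themselves are still created in secpol.msc as shown above.

```powershell
# Added example (not from the guide): add the "Levels" value from section 4.2 and list the
# Basic User path rules created in secpol.msc. Assumes PowerShell 2.0+, run as admin.

$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Enable-BasicUserLevel {
    # Levels = 0x20000 makes the "Basic User" security level visible in the snap-in
    # (the same DWORD the guide tells you to create with regedit).
    if (-not (Test-Path $saferKey)) { New-Item -Path $saferKey -Force | Out-Null }
    Set-ItemProperty -Path $saferKey -Name 'Levels' -Value 0x20000 -Type DWord
    $current = (Get-ItemProperty -Path $saferKey -Name 'Levels').Levels
    Write-Host ('Levels is now 0x{0:X}' -f $current)
}

function Get-BasicUserPathRules {
    # Path rules live under <level>\Paths\<GUID>; 131072 (0x20000) is the Basic User level.
    # Each rule key holds the path in ItemData and the optional Description you typed.
    $rulesKey = Join-Path $saferKey '131072\Paths'
    if (-not (Test-Path $rulesKey)) { return @() }
    Get-ChildItem -Path $rulesKey | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Rule        = $_.PSChildName
            Path        = $rule.ItemData
            Description = $rule.Description
        }
    }
}

Enable-BasicUserLevel
# After creating rules in secpol.msc (Additional Rules -> New Path Rule -> Basic User):
Get-BasicUserPathRules | Format-Table Path, Description, Rule -AutoSize
```

An empty rule list after you have clicked OK in the snap-in usually means the rule was created at another level (Unrestricted, stored under 262144, is the default choice in the list), which is also where a rule ends up when you temporarily revert an application to update it.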



4.3. Setting restricted rights for a given program (WinXP Home/Win2K)
For Windows XP Home and Windows 2000:
In Windows XP Home Edition and Windows 2000, as an alternative you can use the
DropMyRights tool from Michael Howard, available at this page:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

(original screenshot from Michael Howard)


As explained on the page, you have to create a shortcut which calls the DropMyRights
executable, passing it as a parameter the path of the executable you want to restrict.
It is a little less user-friendly, as you have to click this shortcut every time: if by mistake
you run the application directly, it will not be restricted, and the same goes if the application
is run automatically by a script, for instance.
Anyway, this great tool enables you to run critical programs with restricted privileges when
your OS does not provide such a feature.
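Creating that shortcut by hand for several programs is error-prone (a missing pair of quotes around a path with spaces is enough for it to do nothing). The function below is an added example, neither from the guide nor from Michael Howard's article: it builds the shortcut through the Windows Script Host shell object, with DropMyRights.exe as the target and the quoted program path as its only argument, which is the usage the section describes. All paths are placeholders; it assumes Windows PowerShell 2.0 or later and that you have already downloaded DropMyRights from the page above.

```powershell
# Added example (not from the guide or the DropMyRights article): create a desktop shortcut
# that launches a program through DropMyRights.exe. Paths are placeholders; assumes PowerShell 2.0+.

function New-DropMyRightsShortcut {
    param(
        [string]$DropMyRightsPath,   # where you unpacked the tool (placeholder below)
        [string]$ProgramPath,        # the exposed program, e.g. your browser
        [string]$ShortcutPath        # the .lnk file to create
    )
    foreach ($p in @($DropMyRightsPath, $ProgramPath)) {
        if (-not (Test-Path $p)) { throw "Not found: $p" }
    }
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath       = $DropMyRightsPath
    $lnk.Arguments        = '"' + $ProgramPath + '"'    # quoted, in case the path has spaces
    $lnk.WorkingDirectory = Split-Path -Parent $ProgramPath
    $lnk.IconLocation     = $ProgramPath + ',0'          # keep the program's own icon
    $lnk.Save()
    Write-Host "Created $ShortcutPath -> $DropMyRightsPath $($lnk.Arguments)"
}

# Placeholder paths: replace them with the real location of the tool and of your program.
$desktop = [Environment]::GetFolderPath('Desktop')
New-DropMyRightsShortcut -DropMyRightsPath 'C:\Tools\DropMyRights.exe' `
    -ProgramPath 'C:\Program Files\YourBrowser\browser.exe' `
    -ShortcutPath (Join-Path $desktop 'Browser (restricted).lnk')
```

Keeping the program's icon on the shortcut makes it the obvious thing to click, which matters here: as the section says, only launches that go through this shortcut are restricted.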



V - CONFIGURING FILES AND EXTENSIONS DISPLAY
For a long time, malware has tried to fool the user by making him believe he is running
something, whereas it is something else. For instance you can see many files with a double
extension, such as virus.txt.exe. The reason for this is that by default Windows hides known
file extensions, such as .exe, .txt, .dll, etc. By naming a malicious file “malware.txt.exe”,
Windows will hide the real extension, the “.exe”, and will display “malware.txt”. With the file
having a text icon (as if it was a text file), the illusion is perfect.
Also, some trojans will simply set the “hidden” attribute on their files. Since Windows does
not show hidden files by default either, a trojan can easily hide from the user and trick him
with no effort.
Granted, if hidden files are not shown by default, it's because critical system files are hidden,
so that the user cannot mistakenly delete what he cannot see or select. However, if you are
not a system file serial killer, this feature works against you in favour of malware.
There are also trojans using the super hidden file attribute, which corresponds to files having
the system attribute + hidden attribute (very critical files). In what follows, you will be able
to see them all.
Launch the explorer (Start -> Run -> explorer). In the Tools menu, select Folder Options. Go
to the second tab, View. Under “Files and folders”, check everything. Under “Hidden files and
folders”, check the first one, “Show hidden files and folders”. Then below, uncheck everything
(except, if you want, “remember folder settings”).
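Explorer keeps the three Folder Options that matter here as registry values under the current user, so they can be applied and verified without clicking through the dialog, and the double-extension trick can be searched for directly. The script below is an added example, not from the guide: the first function sets "show extensions", "show hidden files" and "show protected operating system files" (the super hidden ones) and reads them back; the second scans a folder, hidden and system files included, for names whose last extension is executable and whose previous extension looks like a document or image, the “malware.txt.exe” pattern described above. It assumes Windows PowerShell 2.0 or later; Explorer applies the new values after you log off and on again.

```powershell
# Added example (not from the guide): set the Folder Options from chapter V through the
# registry and scan for double-extension file names. Assumes PowerShell 2.0+.

$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-ExplorerShowEverything {
    # HideFileExt     0 = show extensions for known file types
    # Hidden          1 = show hidden files and folders (2 = do not show)
    # ShowSuperHidden 1 = also show protected operating system files (system + hidden)
    Set-ItemProperty -Path $advKey -Name 'HideFileExt'     -Value 0 -Type DWord
    Set-ItemProperty -Path $advKey -Name 'Hidden'          -Value 1 -Type DWord
    Set-ItemProperty -Path $advKey -Name 'ShowSuperHidden' -Value 1 -Type DWord
    Get-ItemProperty -Path $advKey | Select-Object HideFileExt, Hidden, ShowSuperHidden
}

function Find-DoubleExtensionFiles {
    # Flags names like "report.txt.exe": a harmless-looking extension followed by one
    # Windows will execute. -Force includes hidden and system files, as chapter V intends.
    param([string]$Folder)
    $executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')
    $decoy      = @('.txt', '.doc', '.xls', '.jpg', '.gif', '.pdf', '.htm', '.html', '.zip')
    Get-ChildItem -Path $Folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object {
            $last  = $_.Extension.ToLower()
            $inner = [System.IO.Path]::GetExtension($_.BaseName).ToLower()   # extension before the last one
            ($executable -contains $last) -and ($decoy -contains $inner)
        }
}

Set-ExplorerShowEverything
# Check the places downloads and attachments usually land; adapt the folder to your setup.
Find-DoubleExtensionFiles -Folder $env:USERPROFILE | Format-Table FullName, Attributes -AutoSize
```

A hit is not proof of infection (some installers are legitimately named setup.zip.exe), but every hit is a file Explorer would have shown you under a false name before the change.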



VI - SETTING UP STRONG PASSWORDS
Once you have reduced the number of doors, the remaining ones should be well locked. A
password may help prevent classical physical access (e.g. your child typing randomly on the
keyboard), it will restrict shared file access to authorised users only, and it will cause a
password prompt if administrator rights are needed from a restricted account. Having a blank
password for the default administrator account is absolutely not advised.
If we take a wider view, considering all of your installed software, you should set up a
password everywhere you can (e.g. antivirus, firewall), especially to open your email client
or browser settings. Once you have your security installed and configured, you should ensure
its integrity won't be compromised, by password-protecting it. If you cannot disable your
security without answering prompts, neither can a malware.

6.1. Password complexity


A good password should not mean anything. Do not use as a password words such as your kids'
names, your mother's name, your favourite song, or anything found in the dictionary.
Example: ypldsi
A password should be at least 8 characters long; the more characters there are, the stronger
your password is.
Example: apsldjsbch
A password should be composed of alphanumeric characters, in upper and lower case, as well
as special characters.
Example: 0)@fZ+”%KL5o
Passwords such as “admin”, “Donovan”, or “admin123”, etc. can be easily cracked.
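The three rules above are easy to turn into a check you can run on a candidate before using it. The function below is an added example, not from the guide: it reports which of the rules (nothing meaningful, at least 8 characters, upper and lower case plus digits and special characters) a candidate fails, treating a dictionary word with digits appended (the “admin123” case) as still based on that word. The word list is a small constructed sample, not a real dictionary; it assumes Windows PowerShell 2.0 or later. Run on the guide's own examples, only the third one passes every rule, since each of the first two was given to illustrate a single rule.

```powershell
# Added example (not from the guide): check a candidate password against the rules of
# section 6.1. The word list is a constructed sample. Assumes PowerShell 2.0+.

$weakWords = @('admin', 'password', 'donovan', 'letmein', 'qwerty', '123456')

function Test-PasswordStrength {
    param([string]$Password)
    $problems = @()
    $lower = $Password.ToLower()

    # Rule 1: nothing meaningful. Reject the word itself and the word with digits appended (admin123).
    foreach ($w in $weakWords) {
        if ($lower -match ('^' + [regex]::Escape($w) + '\d*$')) { $problems += "based on the word '$w'" }
    }
    # Rule 2: length
    if ($Password.Length -lt 8) { $problems += "only $($Password.Length) characters (minimum 8)" }
    # Rule 3: character classes (-cnotmatch is case-sensitive, so the two letter checks differ)
    if ($Password -cnotmatch '[a-z]')       { $problems += 'no lowercase letter' }
    if ($Password -cnotmatch '[A-Z]')       { $problems += 'no uppercase letter' }
    if ($Password -notmatch '\d')           { $problems += 'no digit' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $problems += 'no special character' }

    New-Object PSObject -Property @{
        Password = ('*' * $Password.Length)   # never echo the real password
        Strong   = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# The guide's own examples, plus two it calls easily cracked:
@('ypldsi', 'apsldjsbch', '0)@fZ+"%KL5o', 'admin123', 'Donovan') |
    ForEach-Object { Test-PasswordStrength -Password $_ } |
    Format-Table Password, Strong, Problems -AutoSize
```

The output deliberately masks the password; a checker that prints what you typed would end up in a console buffer or a log, which defeats the point of the chapter.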

6.2. Password diversity


Once you know how to create strong passwords, the last thing to (not) do is to use the same
password everywhere... If your password is leaked, no matter how, everything falls with it.
You should have as many different passwords as you have accesses. If for instance you need
10 passwords, create 10 different ones; do not use the same one ten times.
“Great in theory... but not very practical”, you might say, and you would be right. It's not
easy to remember 10 passwords (or more) which purposefully have no meaning and are hence
inherently difficult to remember.
One way to achieve it anyway is to use third-party software which will store your passwords
in an encrypted local database. Thus, you just need to remember one password to open your
encrypted password database, and then you can see them all.
You can use for instance “KeePass Password Safe”, which is free open source software:
http://keepass.sourceforge.net/



CONCLUSION
When you keep your Windows up to date, no known vulnerability can hurt you in any way or
be used against you. Thus all of these lame browser exploits using one-year-old patched
vulnerabilities won't affect you at all.
By closing unneeded Windows services, especially the network ones (DCOM RPC, Messenger,
etc.), you prevent them from being exploited by 0-day exploits using unknown or not yet
patched vulnerabilities.
By reducing the number of programs run at startup, you potentially reduce your exposure
(e.g. IM or P2P software not starting automatically).
Running critical applications with restricted rights cuts off most of the malware in the wild
(trojans, spyware, worms, etc.), as they cannot modify critical system files, nor alter your
security applications.
Displaying all files and extensions regardless of their attributes gives you slightly more
control over what is happening on your system, as some malware try to fool you by using
double extensions and super hidden files.
Having strong passwords to lock down all of your security applications and settings finishes
sealing your system.

Then, and only then, you may think about adding security software.

Too often, people load an incredible list of security software without knowing how it works or
how the pieces interact with each other, without configuring it, and keep getting infected.
Theoretically, if your computer is well configured and locked down, and you are practising safe
hex (safe habits), you should not need any applications to secure your system. That shows
how important it is to configure your system first. Nevertheless, I do not advise following this
way, as unknown exploits could get past your defences anyway. A layered approach is always
safer (securing Windows + adding security software). However, it's pointless to install an
incredible load of security software.

Security is not quantified by the number of security applications installed.

Security must be based on strong foundations: your OS, but also your knowledge of it and
your safe habits. Then, you can improve it by adding, for instance, one antivirus and one
personal firewall. If you wish to learn, or want more control, you may think about HIPS
software (Host Intrusion Prevention System). However, keep in mind that it comes afterwards.
Trying to build a building by beginning from the roof, without any foundations, will result in
the inevitable outcome of a collapse.

