
Help with security settings

#1
I got an email from a friend with some security tweak suggestions. Before I do any of them I'd like to know what they do. Can anyone help to clarify exactly what these tweaks do and what they protect against, please?

I asked my friend and he had no idea.

---
Registry Tweaks

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

EnableDCOM = N

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc

DCOM Protocols > Remove ncacn_ip_tcp


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\

Machine > Delete all value data INSIDE this key


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\

Create:
DWORD - MaxCachedSockets = 0


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\

Create:
DWORD - AutoShareServer = 0
DWORD - AutoShareWks = 0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes\

NullSessionPipes > Delete all value data INSIDE this key

NullSessionShares > Delete all value data INSIDE this key


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

TransportBindName = Delete all value data INSIDE this key

Create:
DWORD - SmbDeviceEnabled = 0

other
start > Run: telnet.exe
Type (and press enter): unset ntlm


Start > Connect to > right click account name > Properties > Networking

TCP/IP > Properties > Advanced > WINS

Enable LMhosts lookup = untick
Disable Netbios over TCP/IP = select
---

Thanks in advance :cool:

fitz

#2
sy64004 said:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = N
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/htm/reg_0w8d.asp
Basically prevents remote users from remotely launching servers or connecting to objects on your machine

sy64004 said:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
DCOM Protocols > Remove ncacn_ip_tcp
I believe this is preventing remote RPC connections.. not 100% sure on that though

sy64004 said:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\
Machine > Delete all value data INSIDE this key
Prevents remote access to the registry

sy64004 said:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
Create:
DWORD - MaxCachedSockets = 0
Other than some sites that tell people to create this with no explanation of what it does, I've never heard of this value. The best I can think of, looking at the location and key value, is that when making DNS queries, XP may keep the socket open to the DNS server in case the client makes another request. This value may close the connection when done, which would force the client to reopen a connection when it makes another request.

sy64004 said:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
Create:
DWORD - AutoShareServer = 0
DWORD - AutoShareWks = 0
This would disable the administrative shares (ie: the hidden c$ share). Note: For XP or Win2k Pro, I believe you only need the AutoShareWks value.. the AutoShareServer value is if you are running win2k3 or win2k Server

sy64004 said:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSession Pipes\
NullSessionPipes > Delete all value data INSIDE this key
NullSessionShares > Delete all value data INSIDE this key
This removes access from NullSessions.. among other things, removing access would prevent a remote user from enumerating user accounts and shares on your system.

sy64004 said:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
TransportBindName = Delete all value data INSIDE this key
umm... according to this article http://support.microsoft.com/default.aspx?scid=kb;en-us;314053 (at the bottom), this key was used for internal development and should not be changed...

sy64004 said:
Create:
DWORD - SmbDeviceEnabled = 0
This disables DirectHosting and forces incoming connections to use port 139 instead of port 445

sy64004 said:
start > Run: telnet.exe
Type (and press enter): unset ntlm
easy enough.. turns off NTLM authentication in a telnet session.. Honestly, who uses the built-in telnet client? You should be using a 3rd party telnet client anyway (preferably one that supports SSH).

sy64004 said:
Start > Connect to > right click account name > Properties > Networking
TCP/IP > Properties > Advanced > WINS
Enable LMhosts lookup = untick
Disable Netbios over TCP/IP = select
Unchecking the LMHosts lookup stops the computer from using a local LMHosts file (the NetBIOS equivalent of the hosts file). This could be useful if a trojan/worm/virus or other attack managed to copy an LMHosts file locally onto your system to redirect outbound requests from your machine to a different host.
Disabling NetBIOS is a good thing if you know what you are doing.

WARNING: Disabling NetBIOS may break your home network!

Disclaimer: I've done most of this off the top of my head.. I may be wrong on some issues.. and I'm sure someone else here will correct me if I am.

--fitz
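For anyone who wants to check a machine against this list before (or after) applying it, the following is an added, read-only audit script. It is not from the thread and is not fitz's or the original poster's code. It reads each registry value named in the first post and reports whether it already holds the hardened setting fitz describes, reads the per-adapter NetBIOS and LMHosts settings that the WINS dialog step changes, and reports whether TCP 135 (RPC endpoint mapper / DCOM), 139 (NetBIOS session) and 445 (SMB direct hosting) are currently listening. It assumes Windows PowerShell 5.x on a modern Windows client, run from an elevated prompt; it deliberately skips TransportBindName, which fitz says should not be changed, and the telnet `unset ntlm` step, which is a client-side command rather than a persistent setting. Nothing is written.

```powershell
# Added audit script (not part of the original thread). Read-only: it only
# reports, so it is safe to run before deciding which tweaks to apply.
# Assumes Windows PowerShell 5.x, run elevated.

$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$NetBT        = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# One entry per registry tweak from the first post.
#   Mode 'Equals'   : value must exist and equal Want
#   Mode 'Empty'    : "delete all value data inside" -> REG_MULTI_SZ with no entries
#   Mode 'Excludes' : REG_MULTI_SZ must not list the given entry
$checks = @(
    @{ Tweak='DCOM disabled';            Path='HKLM:\SOFTWARE\Microsoft\Ole'; Name='EnableDCOM';       Mode='Equals';   Want='N' }
    @{ Tweak='DCOM not over TCP';        Path='HKLM:\SOFTWARE\Microsoft\Rpc'; Name='DCOM Protocols';   Mode='Excludes'; Want='ncacn_ip_tcp' }
    @{ Tweak='Remote registry paths';    Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'; Name='Machine'; Mode='Empty' }
    @{ Tweak='DNS cached sockets';       Path='HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Name='MaxCachedSockets'; Mode='Equals'; Want=0 }
    @{ Tweak='Admin shares (server)';    Path=$LanmanServer; Name='AutoShareServer';   Mode='Equals'; Want=0 }
    @{ Tweak='Admin shares (wks)';       Path=$LanmanServer; Name='AutoShareWks';      Mode='Equals'; Want=0 }
    @{ Tweak='Null-session pipes';       Path=$LanmanServer; Name='NullSessionPipes';  Mode='Empty' }
    @{ Tweak='Null-session shares';      Path=$LanmanServer; Name='NullSessionShares'; Mode='Empty' }
    @{ Tweak='SMB direct hosting (445)'; Path=$NetBT;        Name='SmbDeviceEnabled';  Mode='Equals'; Want=0 }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value does not exist
}

function Test-Tweak {
    param([hashtable]$Check)
    $actual = Get-RegValue -Path $Check.Path -Name $Check.Name
    # An absent AutoShare* DWORD means the default (shares enabled), so
    # 'Equals' treats absence as a failure; 'Empty' treats absence as a pass.
    if ($Check.Mode -eq 'Empty') {
        $pass = @($actual | Where-Object { $_ -ne '' }).Count -eq 0
    } elseif ($Check.Mode -eq 'Excludes') {
        $pass = @($actual) -notcontains $Check.Want
    } else {
        $pass = ($null -ne $actual) -and ($actual -eq $Check.Want)
    }
    [pscustomobject]@{
        Tweak    = $Check.Tweak
        Value    = $Check.Name
        Actual   = if ($null -eq $actual) { '<absent>' } else { @($actual) -join ', ' }
        Expected = if ($Check.Mode -eq 'Empty') { '<empty>' } elseif ($Check.Mode -eq 'Excludes') { "not $($Check.Want)" } else { $Check.Want }
        Status   = if ($pass) { 'OK' } else { 'NOT SET' }
    }
}

# The WINS dialog step, read per adapter. TcpipNetbiosOptions: 0 = via DHCP,
# 1 = enabled, 2 = disabled. WINSEnableLMHostsLookup is the "Enable LMHosts lookup" box.
function Get-NetbiosState {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, TcpipNetbiosOptions, WINSEnableLMHostsLookup
}

# Which of the ports these tweaks concern are actually listening right now.
function Get-ListeningPorts {
    param([int[]]$Ports = @(135, 139, 445))
    $listening = netstat -ano |
        Where-Object { $_ -match '^\s*TCP\s' -and $_ -match 'LISTENING' } |
        ForEach-Object { [int](($_ -split '\s+')[2] -replace '.*:', '') }
    foreach ($p in $Ports) {
        [pscustomobject]@{ Port = $p; Listening = ($listening -contains $p) }
    }
}

$checks | ForEach-Object { Test-Tweak $_ } | Format-Table -AutoSize
Get-NetbiosState   | Format-Table -AutoSize
Get-ListeningPorts | Format-Table -AutoSize
```

Run it once before touching anything to see how far the machine already is from the list, then again after a reboot, since several of these (DCOM, SmbDeviceEnabled, the NetBIOS binding) only take effect on restart. A port that still shows as listening after the matching tweak is the quickest sign that a value landed in the wrong key or with the wrong type.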
#3
Thanks Fitz for the info. I have always disabled the NetBIOS service and I don't have a home network, so this setting should be ok, right?
#5
perris said:
I can't imagine why these values wouldn't be included in SP2 if they had merit
This is why I'm asking for people's help/opinions on these settings.

Are they going into Paranoidville or are they actually worth doing?

I'm not on a home network, I have a crappy dial-up connection with ZA Pro at default settings, so if anyone can give me some pointers I'd be very grateful :cool: