Help with security settings

sy64004

I got an email from a friend with some security tweak suggestions. Before I do any of them I'd like to know what they do. Can anyone help to clarify exactly what these tweaks do and what they protect against please???

I asked my friend and he had no idea.

---
Registry Tweaks

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

EnableDCOM = N

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc

DCOM Protocols > Remove ncacn_ip_tcp


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\

Machine > Delete all value data INSIDE this key


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\

Create:
DWORD - MaxCachedSockets = 0


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\

Create:
DWORD - AutoShareServer = 0
DWORD - AutoShareWks = 0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes\

NullSessionPipes > Delete all value data INSIDE this key

NullSessionShares > Delete all value data INSIDE this key


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

TransportBindName = Delete all value data INSIDE this key

Create:
DWORD - SmbDeviceEnabled = 0

Other
Start > Run: telnet.exe
Type (and press enter): unset ntlm


Start > Connect to > right click account name > Properties > Networking

TCP/IP > Properties > Advanced > WINS

Enable LMhosts lookup = untick
Disable Netbios over TCP/IP = select
---

Thanks in advance :cool:
 
sy64004 said:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = N
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/htm/reg_0w8d.asp
Basically prevents remote users from remotely launching servers or connecting to objects on your machine

sy64004 said:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
DCOM Protocols > Remove ncacn_ip_tcp
I believe this is preventing remote RPC connections.. not 100% sure on that though

sy64004 said:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\
Machine > Delete all value data INSIDE this key
Prevents remote access to the registry

sy64004 said:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
Create:
DWORD - MaxCachedSockets = 0
Other than some sites that tell people to create this with no explanation of what it does, I've never heard of this value. The best I can think of looking at the location and key value is when making DNS queries, XP may keep the socket open to the DNS server in case the client makes another request. This value may close the connection when done which would force the client to reopen a connection when it makes another request.

sy64004 said:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
Create:
DWORD - AutoShareServer = 0
DWORD - AutoShareWks = 0
This would disable the administrative shares (ie: the hidden c$ share). Note: For XP or Win2k Pro, I believe you only need the AutoShareWks value.. the AutoShareServer value is if you are running win2k3 or win2k Server

sy64004 said:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes\
NullSessionPipes > Delete all value data INSIDE this key
NullSessionShares > Delete all value data INSIDE this key
This removes access from NullSessions.. among other things, removing access would prevent a remote user from enumerating user accounts and shares on your system.

sy64004 said:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
TransportBindName = Delete all value data INSIDE this key
umm... according to this article http://support.microsoft.com/default.aspx?scid=kb;en-us;314053 (at the bottom), this key was used for internal development and should not be changed...

sy64004 said:
Create:
DWORD - SmbDeviceEnabled = 0
This disables DirectHosting and forces incoming connections to use port 139 instead of port 445

sy64004 said:
start > Run: telnet.exe
Type (and press enter): unset ntlm
easy enough.. turns off NTLM authentication in a telnet session.. Honestly, who uses the built-in telnet client? You should be using a 3rd party telnet client anyway (preferably one that supports SSH).

sy64004 said:
Start > Connect to > right click account name > Properties > Networking
TCP/IP > Properties > Advanced > WINS
Enable LMhosts lookup = untick
Disable Netbios over TCP/IP = select
Unchecking the LMHosts lookup stops the computer from using a local LMHosts file (the NetBIOS equivalent of the hosts file). This could be useful if a trojan/worm/virus or other attack managed to copy an lmhosts file locally onto your system to redirect outbound requests from your machine to a different host.
Disabling NetBIOS is a good thing if you know what you are doing.

WARNING: Disabling NetBIOS may break your home network!

Disclaimer: I've done most of this off the top of my head.. I may be wrong on some issues.. and I'm sure someone else here will correct me if I am.

--fitz
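Added example, not from the thread or from fitz: a read-only PowerShell audit that reads each registry setting fitz walks through above and reports whether the suggested hardened value is in place, so you can see what a box is doing before deciding whether any of it is worth changing. It assumes a Windows host with PowerShell 2.0 or later (XP/2003 need it installed separately) and read access to HKLM. The ProductOptions\ProductType lookup used to pick between AutoShareWks and AutoShareServer is the standard Windows value, not something from the thread, and the script only reports TransportBindName without judging it, since the KB article fitz cites says to leave that value alone. Nothing here writes to the registry.

```powershell
# Added example (not from the original thread): audit the registry tweaks
# discussed above. Read-only: it reports current values, changes nothing.
# Assumes Windows with PowerShell 2.0+ and read access to HKLM.

function Get-RegValue {
    # Returns the value, or $null if the key or the value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-EmptyMultiString {
    # "Delete all value data" on a REG_MULTI_SZ means: value absent, or no non-empty entries.
    param($Value)
    return ($null -eq $Value) -or (@($Value | Where-Object { $_ -ne '' }).Count -eq 0)
}

function Test-HardeningState {
    # fitz's note: AutoShareWks is the one that matters on XP / 2000 Pro,
    # AutoShareServer on server SKUs. ProductType is 'WinNT' on workstations.
    $productType = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions' 'ProductType'
    $autoShare = if ($productType -eq 'WinNT') { 'AutoShareWks' } else { 'AutoShareServer' }
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $netbt  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

    $checks = @(
        @{ Setting = 'Ole\EnableDCOM = N (no remote DCOM activation)'
           Path = 'HKLM:\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOM'
           Ok = { param($v) $v -eq 'N' } },
        @{ Setting = 'Rpc\DCOM Protocols without ncacn_ip_tcp'
           Path = 'HKLM:\SOFTWARE\Microsoft\Rpc'; Name = 'DCOM Protocols'
           Ok = { param($v) -not (@($v) -contains 'ncacn_ip_tcp') } },
        @{ Setting = 'winreg\AllowedPaths\Machine emptied (remote registry paths)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'; Name = 'Machine'
           Ok = { param($v) Test-EmptyMultiString $v } },
        @{ Setting = 'Dnscache\MaxCachedSockets = 0'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Name = 'MaxCachedSockets'
           Ok = { param($v) $v -eq 0 } },
        @{ Setting = "LanmanServer\$autoShare = 0 (no admin shares such as C`$)"
           Path = $lanman; Name = $autoShare
           Ok = { param($v) $v -eq 0 } },
        @{ Setting = 'LanmanServer\NullSessionPipes emptied'
           Path = $lanman; Name = 'NullSessionPipes'
           Ok = { param($v) Test-EmptyMultiString $v } },
        @{ Setting = 'LanmanServer\NullSessionShares emptied'
           Path = $lanman; Name = 'NullSessionShares'
           Ok = { param($v) Test-EmptyMultiString $v } },
        @{ Setting = 'NetBT\SmbDeviceEnabled = 0 (SMB on 139 only, no direct-host 445)'
           Path = $netbt; Name = 'SmbDeviceEnabled'
           Ok = { param($v) $v -eq 0 } }
    )

    foreach ($c in $checks) {
        $current = Get-RegValue $c.Path $c.Name
        New-Object PSObject -Property @{
            Setting = $c.Setting
            Current = if ($null -eq $current) { '<absent>' } else { (@($current) -join ', ') }
            Applied = [bool](& $c.Ok $current)
        }
    }

    # Reported only, never evaluated: KB314053 (cited in the thread) says this
    # value is for internal development use and should not be changed.
    $tbn = Get-RegValue $netbt 'TransportBindName'
    New-Object PSObject -Property @{
        Setting = 'NetBT\TransportBindName (leave as-is per KB314053)'
        Current = if ($null -eq $tbn) { '<absent>' } else { $tbn }
        Applied = 'n/a'
    }
}

Test-HardeningState | Format-Table -AutoSize Setting, Current, Applied
```

Run it as an administrator to be sure every key is readable. A row with Applied = False just means the box is at the default; whether to change it is the question the rest of the thread is arguing about, and fitz's warning about NetBIOS and home networks applies equally to turning off DCOM or the admin shares on a machine that other software or other people depend on.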
 
Thanks Fitz for the info. I have always disabled the netbios service and I don't have a home network so this setting should be ok, right???
 
I can't imagine why these values wouldn't be included in sp2 if they had merit
 
perris said:
I can't imagine why these values wouldn't be included in sp2 if they had merit

This is why I'm asking for people's help/opinions on these settings.

Are they going into Paranoidville or are they actually worth doing???

I'm not on a home network, I have a crappy dial up connection with ZA pro at default settings so if anyone can give me some pointers I'd be very grateful :cool:
 
on dialup you have no worries...your za pro and antivirus are plenty

if you want to batten down your box, have a look here
 
spotted that last night mate. downloaded but only had a quick glance through. Thanks for the heads up
 