
Windows XP Security Tweaking for the paranoid

Intro:
With the amount of spyware and malicious scripts floating around, anybody who keeps sensitive material on their system can never be too careful. I'd like to show you some tweaks you should be using to keep your data a bit safer than on a default machine. The other part I'll be looking into is pure paranoia! Everybody's out to get you, so don't let your computer transmit data ANYWHERE without you telling it to.

This guide is intended for all of the people who believe tinfoil hats are fashionable. 99.5% of the people out there won't need or want these tweaks. We're not geeks REALLY! I like the way my hat makes me feel.... It makes me feel sexy AND secure.

This is now the second posting of this article. I'm sure it'll continue to see revisions in the months to come as I come up with more things to add to both this guide and our application. If you have any suggestions, please select feedback from the dropdown below and post a message in the forum. I'm always looking for more things to include in this guide and also in our Security Tweaking Application.

Too Lazy to Tweak the Registry?

We've also built an application to help you change all of the settings talked about in this article: the IANAG Security Tweaking Program. It's an ongoing project to help you guys with all of your security and paranoid needs.

Additional Tips:
Media Player Spyware stoppage
Control The Start Menu/Taskbar Using Group Policies
Hiding Drive Letters In My Computer
New Level of Windows Security!

July 8 Updates:
* Included a bit about the security app
* Expanded the explanations of everything
* Added Additional Tips

Passwords:

I suggest doing a number of password related tweaks. It's very important to use alphanumeric passwords and NOT store your passwords anywhere on your system.

Disable Storage of Credentials and .NET Passwords
This store is primarily used for .NET passwords, but it also holds passwords for network drives, websites and other applications.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableDomainCreds"="1"

Prompt for Password when coming back from Standby
Every time you come back from hibernation or Suspend mode you'll have to enter a password to regain access to your computer. This is for all of those people that walk away from their computer for a while without logging off first.

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Power]
"PromptPasswordOnResume"="1"

Require Alphanumeric Windows Password
Alphanumeric passwords mean that you MUST use a combination of both letters and numbers in your passwords. This is a VERY good idea: passwords made of just letters or just numbers are very easy for things such as password crackers to figure out. If you combine 3l1t3-speak substitutions with long passwords you'll really make it hard on brute force crackers. Sure, it takes you longer to type in, but it's worth it on anything that is important.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"AlphanumPwds"="1"

Set the Minimum Password Length
The title says everything that needs to be said: it forces people to use a password beyond a certain length. A lot of people use a simple password such as dog, which would take a brute force cracker nearly no time at all to figure out. This should be used alongside the alphanumeric password setting.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"MinPwdLen"=hex:6

Disable Password Caching in Internet Explorer
I don't like IE storing passwords. I don't believe in trusting Microsoft with storing data like that anywhere on my system. This tweak disables the option to even allow IE to store your password.

Microsoft's documentation describes it like this:

"When you attempt to view a password-protected site, you are prompted to type your security credentials in the Enter Network Password dialog box. If you click the Save this password in your password list check box in this dialog box, your computer saves your password so you do not have to type the password again when you attempt to use the same document. This is known as password caching."

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"DisablePasswordCaching"="1"

Disable Password Caching
This is a HUGE issue in the Win 9x OS's that isn't nearly as bad in 2k/XP. It means the user's passwords are not cached locally. This setting also removes the second Windows password screen and removes the possibility of network passwords getting out of sync.

Warning!
Dialup users may not want to use this, since your dialup password will no longer be cached while this tweak is on.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"DisablePwdCaching"="1"

Password when returning from screensaver
(only in 1.0+) By default users can choose whether they want to enter their password to unlock the system after the screensaver has been running. We believe a password should always be entered to return to the system, and this will force one ;) This is really only for people who have other people around their systems.

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaverIsSecure"="1"


Networking:

Restrict Anonymous User Access
Anonymous users can list domain user names and enumerate share names by default. Let's stop this from happening!

MS Docs:
246261
296405
163846

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"RestrictAnonymous"="1"

A value of 2 can only be used in "pure" environments. You'd better read those MS docs if you need more information about that setting, because I don't want to explain it here ;)

Automatic Hidden Shares:
You'll find all these mysterious shares that look something like C$ which you can't simply delete. These are called administrative shares, and the only way I've found to remove them is through the registry.

They are created automatically on local disk drives in 2k and XP both.

MS Docs:
245117
288164

Let's disable this. 0 means disabled, 1 means enabled.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"="0"
"AutoShareWks"="0"

Hide Share Passwords with Asterisks
When you're accessing a password protected share, Windows shows the password in clear text as you type it. Let's replace this with asterisks.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"HideSharePwds"="1"


Hide your computer from people browsing network
Make it so that other people on your network can't see your computer while they browse the network!
If you have a system that doesn't have anything shared you may want to remove it from the list of computers on the network completely.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Hidden"="1"

More secure sharing
(only in 1.0+) By default, on computers running Windows XP Professional and not joined to a domain, all incoming network connections are forced to use the Guest account. This means that an incoming connection, even if a user name and password is provided, has only Guest-level access to the share. Because of this, either the Guest user account or the Everyone group (the only group to which the Guest account belongs) must have permissions on the share and on the directories and files that are shared. The MS docs cover this in more detail.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"ForceGuest"="0"

Covering your tracks:

Clear the Page File at System Shutdown
Your pagefile holds the memory pages Windows has swapped out to disk, which can include data from anything you have run recently. If you've been running some things that you don't want left behind in that file, you'll want to clear the pagefile.

The other big use for this is something sometimes referred to as "defragging" your pagefile: by deleting all of the old contents when you restart Windows, your pagefile gets recreated from scratch. If you're like most of us around here and very rarely reboot, turning this on will probably help your performance out a bit. It will make your shutdown take longer, since the file is often over 1 GB.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"="1"

Empty Temporary Internet Files
This will force IE to destroy temporary data stored like images. 0 will cause the destruction of these files while 1 allows it to leave everything behind!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
"Persistent"="0"

Clear Internet Explorer Typed URL History

(in v.4+ of our app) This is a bit of a privacy concern on shared computers. I personally prefer not to let other people know where I've been ;)

Delete this key if you'd like to erase your typed URL history completely:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]

Clear cached Run Commands

Click Start --> Run and you'll see a little dropdown that shows all of the commands you've issued. You'll want to clear this from time to time.

Delete this key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]

Disable Recent Documents History
Quit logging recently opened documents.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsHistory"="1"

Disable User Tracking
Make windows quit logging which applications you run and which files and documents are being accessed.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoInstrumentation"="1"

Shutdown batch file:

This also has been reported to shave some time off of boot times. It destroys your internet history and your temp directory on shutdown. You can of course run this .bat file more frequently if you'd like.

  1. Open Notepad and enter the following lines (replace USERNAME with your username and C:\Temp with your temp directory):
    REM Wipe IE history for your account and for the Default User profile, then the temp directory.
    REM /S removes the whole tree, /q skips the confirmation prompt so the script runs unattended.
    RD /S /q "C:\Documents and Settings\USERNAME\Local Settings\History"
    RD /S /q "C:\Documents and Settings\Default User\Local Settings\History"
    RD /S /q "C:\Temp"
  2. Save the file to your C: drive and name it something like deltemp.bat
  3. Click Start, Run and type gpedit.msc, then go to Computer Configuration ---> Windows Settings ---> Scripts, double-click Shutdown, click Add, browse to the batch file you created and press OK. You're now covering stuff up every time you shut down ;)

Misc:

Disable Active Desktop
(only in 1.0+) There's just something about using web elements on your desktop that I just don't like! Yeah, I'm paranoid, that's what this application is all about.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"="1"

Block Messenger Service SPAM
It's surprising how many people are still getting hit with this... Setting the service's Start value to 4 marks it Disabled, so it can't be started at all.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"="4"
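As an added example (not the article's own code, and not part of the IANAG app), here is a batch script that audits the registry tweaks from the Passwords, Networking, Covering your tracks and Misc sections with reg.exe, which ships with XP, and with /apply writes back any that differ. It assumes the value types given on each call line: REG_DWORD everywhere except ScreenSaverIsSecure, which is REG_SZ (writing "1" as a string where a DWORD is expected is a common way for these tweaks to silently do nothing); the Policies\Network values and MinPwdLen are left out because their types differ.

```batch
@echo off
REM Added example, not the article's or the IANAG app's code: audit the registry
REM tweaks from this guide with reg.exe (shipped with XP) and, when run as
REM "audit-tweaks.bat /apply", write back any that differ, using each value's real type.
setlocal
set APPLY=%1
set TODO=0
call :check "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" DisableDomainCreds 1 REG_DWORD
call :check "HKCU\Software\Policies\Microsoft\Windows\System\Power" PromptPasswordOnResume 1 REG_DWORD
call :check "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" DisablePasswordCaching 1 REG_DWORD
call :check "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ScreenSaverIsSecure 1 REG_SZ
call :check "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" RestrictAnonymous 1 REG_DWORD
call :check "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" AutoShareServer 0 REG_DWORD
call :check "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" AutoShareWks 0 REG_DWORD
call :check "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" Hidden 1 REG_DWORD
call :check "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" ForceGuest 0 REG_DWORD
call :check "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" ClearPageFileAtShutdown 1 REG_DWORD
call :check "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" Persistent 0 REG_DWORD
call :check "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoRecentDocsHistory 1 REG_DWORD
call :check "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoInstrumentation 1 REG_DWORD
call :check "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoActiveDesktop 1 REG_DWORD
call :check "HKLM\SYSTEM\CurrentControlSet\Services\Messenger" Start 4 REG_DWORD
echo Done: %TODO% setting(s) differ from the guide.
goto :eof

:check
REM %1 key   %2 value name   %3 wanted data, decimal   %4 value type
set FOUND=
for /f "tokens=3" %%A in ('reg query %1 /v %2 2^>nul ^| find /i "%2"') do set FOUND=%%A
if not defined FOUND (
    echo MISSING  %~1\%2 should be %3
    goto :fix
)
REM reg query prints REG_DWORD data in hex, e.g. 0x1; set /a reads both 0x1 and 1 as 1
set /a VAL=%FOUND%
if %VAL% EQU %3 (
    echo OK       %~1\%2 = %3
    goto :eof
)
echo DIFFERS  %~1\%2 = %VAL%, guide wants %3
:fix
set /a TODO+=1
if /i "%APPLY%"=="/apply" reg add %1 /v %2 /t %4 /d %3 /f >nul
goto :eof
```

Run it without arguments first to see what would change; the HKLM entries need an administrator account, and the HKCU ones only affect the account that runs the script.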

This will of course be something that I continue to add to as time goes on, so please check back frequently for updates. I apologize to everybody who read this while the key locations were messed up. This was an error in my article posting system that didn't like the \'s.