Windows XP Security Tweaking for the paranoid
With the amount of spyware and malicious scripts floating around, anybody who keeps sensitive materials on their system can never be too careful. I'd like to show you some tweaks that you should be using to help keep your data a bit safer than on default machines. The other part that I'll be looking into is pure paranoia! Everybody's out to get you; don't let your computer transmit data ANYWHERE without you telling it to.
This guide is intended for all of the people who believe tinfoil hats are fashionable. 99.5% of the people out there won't need or want these tweaks. We're not geeks REALLY! I like the way my hat makes me feel.... It makes me feel sexy AND secure.
This is now the second posting of this article. I'm sure it'll continue to see revisions in the months to come as I come up with more things to add to both this guide and our application. If you have any suggestions, please select feedback from the dropdown below and post a message in the forum. I'm always looking for more things to include in this guide and also our Security Tweaking Application.
Too Lazy to Tweak the Registry?
We've also built an application to help you change all of the settings talked about in this article: the IANAG Security Tweaking Program. It's an ongoing project to help you guys with all of your security and paranoid needs.
July 8 Updates:
* Included a bit about the security app
* Expanded the explanations of everything
* Added Additional Tips
I suggest doing a number of password related tweaks. It's very important to use alphanumeric passwords and NOT store your passwords anywhere on your system.
Disable Storage of Credentials and .NET Passwords
This store holds primarily .NET passwords, but it also holds passwords for network drives, websites and other applications.
Prompt for Password when coming back from Standby
Every time you come back from hibernation or Suspend mode you'll have to enter a password to regain access to your computer. This is for all of those people that walk away from their computer for a while without logging off first.
Require Alphanumeric Windows Password
Alphanumeric passwords mean that you MUST use a combination of both letters and numbers for your passwords. This is a VERY good idea. Passwords with just letters or just numbers are very easy for things such as password crackers to figure out. If you combine 3l1t3 speak passwords with passwords that are long, you'll really make it hard on brute force crackers. Sure, it takes you longer to type in, but it's worth it on anything that is important.
Set the Minimum Password Length
For this one, the title says everything that needs to be said. It will force people to use a password that is beyond a certain length. A lot of people use simple passwords such as dog, which would take a brute force cracker nearly no time at all to figure out. This should be used alongside the alphanumeric passwords.
Disable Password Caching in Internet Explorer
I don't like IE storing passwords. I don't believe in trusting Microsoft with storing data like that anywhere on my system. This tweak disables the option to even allow IE to store your password.
Microsoft Doc can be found here. Quote:
"When you attempt to view a password-protected site, you are prompted to type your security credentials in the Enter Network Password dialog box. If you click the Save this password in your password list check box in this dialog box, your computer saves your password so you do not have to type the password again when you attempt to use the same document. This is known as password caching."
Disable Password Caching
This is a HUGE issue in the Win 9x OSes that isn't nearly as bad in 2k/XP. This means the user's passwords are not cached locally. This setting also removes the second Windows password screen and removes the possibility of network passwords getting out of sync.
Warning! Dialup users may not want to use this, since your dialup password will no longer be cached while using this tweak.
Password when returning from screensaver
(Only in 1.0+.) By default, users can change whether they want to enter their password to unlock the system after a screensaver has been running. We believe a password should always be entered to return to the system. This will force a password ;) This is really only for people who have other people around their systems.
Restrict Anonymous User Access
Anonymous users can list domain user names and enumerate share names by default. Let's stop this from happening!
The value 2 can only be used in "pure" environments. You'd better read those MS docs if you need more information about that setting, because I don't want to explain it here ;)
Automatic Hidden Shares:
You'll find all these mysterious shares that look something like C$ which you can't simply delete. These are called administrative shares, and the only way that I've found to remove them is through the registry.
They are created automatically on local disk drives in both 2k and XP.
Let's disable this. 0 means disabled, 1 means enabled.
Hide Share Passwords with Asterisks
When you're accessing a password protected share, Windows shows the password in clear text when you're entering it. Let's replace this with asterisks.
More secure sharing
(Only in 1.0+.) By default, on computers running Windows XP Professional and not joined to a domain, all incoming network connections are forced to use the Guest account. This means that an incoming connection, even if a user name and password is provided, has only Guest-level access to the share. Because of this, either the Guest user account or the Everyone group (the only group to which the Guest account belongs) must have permissions on the share and on the directories and files that are shared. Read the MS docs here.
Covering your tracks:
Clear the Page File at System Shutdown
Your pagefile basically caches all of the stuff that you have run recently. If you've been running some things that you don't want in that cached copy then you'll want to clear that pagefile.
The other big use for this is something sometimes referred to as "defragging" your pagefile. By deleting all of the old contents, when you restart Windows all of your pagefile will be recreated. If you're like most of us around here and very rarely reboot, then turning this on will probably help your performance out a bit. This will make your shutdown process take longer, since it is oftentimes over 1Gb of data.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
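As an added example (not from the original article or the IANAG application), this Python script audits a regedit export for three of the tweaks above: pagefile clearing, anonymous access restriction and administrative shares. Only the Memory Management key appears in the article; the other key paths and all value names (`ClearPageFileAtShutdown`, `restrictanonymous`, `AutoShareWks`) are the standard Windows names, assumed here, and the sample export is constructed.

```python
import re

# (key, value name) -> acceptable DWORD values. The Memory Management key is
# from the article; the other keys and all value names are the standard
# Windows names (assumption: the article does not list them).
CCS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
BASELINE = {
    (CCS + r"\Control\Session Manager\Memory Management",
     "ClearPageFileAtShutdown"): {1},                      # wipe pagefile
    (CCS + r"\Control\Lsa", "restrictanonymous"): {1, 2},  # 2 = "pure" only
    (CCS + r"\Services\LanmanServer\Parameters",
     "AutoShareWks"): {0},                                 # 0 = no C$ shares
}

# Constructed sample of a regedit export, not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000
"PagingFiles"=hex(7):43,00,3a,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
'''

def parse_dwords(text):
    """Return {(key, name): int} (both lower-cased) for each DWORD value."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return sorted (value name, found, acceptable) for each failing tweak."""
    found = parse_dwords(text)
    failures = []
    for (key, name), ok in BASELINE.items():
        actual = found.get((key.lower(), name.lower()))  # None = not set
        if actual not in ok:
            failures.append((name, actual, sorted(ok)))
    return sorted(failures)

if __name__ == "__main__":
    for name, actual, ok in audit(SAMPLE_EXPORT):
        print(f"{name}: found {actual}, expected one of {ok}")
```

A value that is absent from the export is reported as `None`, which matters for the administrative shares setting because Windows creates the shares when the value is not set.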
Empty Temporary Internet Files
This will force IE to destroy stored temporary data such as images. 0 will cause the destruction of these files, while 1 allows it to leave everything behind!
Clear Internet Explorer Typed URL History
(in v.4+ of our app) This is a bit of a privacy concern on shared computers. I personally prefer not to let other people know where I've been ;) Delete this key if you'd like to erase your typed URL history completely:
Clear cached Run Commands
Click Start --> Run and you'll see a little dropdown that shows all of the commands you've issued. You'll want to clear this from time to time.
Delete this key:
Disable Recent Documents History
Quit logging recently opened documents.
Disable User Tracking
Make Windows quit logging which applications you run and which files and documents are being accessed.
Shutdown batch file:
This also has been reported to shave some time off of boot times. It destroys your internet history and your temp directory on shutdown. You can of course run this .bat file more frequently if you'd like.
Disable Active Desktop
There's just something about using web elements on your desktop that I just don't like! Yeah, I'm paranoid; that's what this application is all about.... (Only in 1.0+.)
Block Messenger Service SPAM
It's surprising how many people are still getting hit with this...
This will of course be something that I continue to add to as time goes on so please check back frequently for updates. I apologize to everybody who read this while the Key locations were messed up. This was an error in my article posting system that didn't like the \'s