Suggested Best Practices for Securing Windows
Introduction
Take the following measures in order to secure your Windows Vista, XP, 2000, and NT systems. For basic security tips visit the Windows Security Checklist. More resources can be found at the end of this article.
Windows
Secure Windows Accounts
Rename the Administrator account. Many automated attacks simply try the username "Administrator" with a guessed or brute-forced password, so renaming it defeats those outright; an attacker who already knows the account name has half of the credential pair. Be aware that the built-in account keeps its well-known relative identifier (RID 500) whatever it is called, so anyone able to look up account SIDs on the machine can still find it; the rename is a speed bump, not a hiding place. You can also create a decoy account named "Administrator" with no privileges and a long (10+ character) complex password, which wastes an attacker's time and, with auditing enabled, produces failed-logon events that reveal the attempt. If you create a decoy account, enable auditing and watch for signs of tampering. To access auditing options in XP or Vista open the Control Panel (in Classic View) > Administrative Tools > Local Security Policy. In the left pane expand Local Policies and select Audit Policy, then enable failure auditing for logon events.
If possible, use an account with limited privileges for day-to-day work so that a compromise of that account does not hand the attacker access to system files. The Guest account should be disabled and, if you use Windows XP Home Edition, given a password to stop outsiders reaching your shared files. Selecting "Turn Off the Guest Account" in XP Home only prevents Guest from logging on interactively; the account is still used for network access to shared files and folders.
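The account changes above, scripted as an added example (this is not code from the original article; run it from an elevated PowerShell prompt on XP or Vista). The new name for the real administrator account and the decoy password are placeholders to replace with your own, and the final query shows why renaming alone does not hide the account:

```powershell
# Added example (not from the original article): harden the local accounts
# described above. Run from an elevated PowerShell prompt on XP/Vista.
# The new name and the decoy password are placeholders; choose your own.

$realAdminNewName = 'svc-maint'            # assumed new name for the RID-500 account
$decoyPassword    = 'Xq7!vL2#pR9mW4zT'     # placeholder; use a long random one

# 1. Rename the built-in Administrator. It keeps RID 500 after the rename.
$admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'" |
         Where-Object { $_.SID -like '*-500' }
if ($admin.Name -eq 'Administrator') {
    $admin.Rename($realAdminNewName) | Out-Null
}

# 2. Create the decoy: a plain user named "Administrator" in no group at all.
net user Administrator $decoyPassword /add /comment:"decoy - no privileges" | Out-Null
net localgroup Users Administrator /delete | Out-Null   # net user /add puts it in Users

# 3. Disable Guest.
net user Guest /active:no | Out-Null

# 4. Audit failed logons so attempts against the decoy are recorded.
#    auditpol exists on Vista and later; on XP use Local Security Policy as above.
if (Get-Command auditpol -ErrorAction SilentlyContinue) {
    auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
}

# 5. Caveat check: renaming does not hide the real account. This finds it by
#    RID regardless of its name, exactly as an attacker with SID lookup could.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'" |
    Where-Object { $_.SID -like '*-500' } |
    Select-Object Name, SID, Disabled
```

The last query is the check to keep: if it returns the renamed account, so will any tool that walks local SIDs, which is why the decoy and the audit trail matter more than the new name.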
For information on creating accounts and login passwords refer to the following articles:
- Windows XP: Initial Setup of Users and Passwords
- Windows 2000: Initial Setup of Users and Passwords
- How do I change my Windows Password on my CCI laptop?
Pick strong passwords
Use a Windows password of at least fourteen characters; fifteen or more is better. The legacy LAN Manager (LM) hash, still stored by default on XP and earlier, splits a password into two seven-character halves and cannot store a password longer than fourteen characters at all, which is why seven and fourteen are the thresholds usually quoted. Mix upper- and lower-case letters, digits and symbols, and avoid dictionary words. See our document on Choosing Passwords for more information.
Every user should have a logon password. It is a good idea to set your computer to require a password when the computer comes back from sleep or hibernate so that no one can locally access your computer while you are away.
Use Windows Security Tools
Use Windows Update to update your system on a regular basis. You can use Automatic Updates to monitor this process for you.
Microsoft Baseline Security Analyzer (MBSA) scans local and remote systems for missing security updates and common misconfigurations (weak passwords, unnecessary services, file-system and account settings) and is suited to small and medium-sized networks.
Use Antivirus and Firewall Software
Keep antivirus software updated and functioning. As new virus definitions come out, they provide protection from the latest trojans, viruses, and other attacks. Symantec AntiVirus is available for free for UNC-Chapel Hill faculty, staff, and students.
It is also important to obtain and install a personal firewall to protect the system from any unauthorized or unwanted network activity. Windows Firewall comes on every Windows XP (Service Pack 2), Server 2003, and Vista machine.
Use Spybot and Ad-Aware
Download and install Spybot and Ad-Aware to detect and remove spyware and adware from your computer. After installation download and install all available updates. Be sure to download updates and run a full system scan at least once per month.
Permissions
Setting permissions on files and folders adds a further layer of protection. The standard permissions you can grant a user or group are Full Control, Modify, Read & Execute, List Folder Contents, Read and Write; the Advanced button exposes finer-grained rights such as Read Permissions, Change Permissions, Take Ownership and Delete. To set, view, change, or remove permissions of files or folders, right-click on that file or folder, choose Properties, then click Security. Permissions only exist on NTFS volumes; a FAT volume has none.
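The same thing from PowerShell, as an added example that is not part of the original article: restrict a folder so that only Administrators, SYSTEM and one named user can reach it, and verify that no broad group remains. The folder path and the user name are placeholders.

```powershell
# Added example (not from the original article): lock a folder down to
# Administrators, SYSTEM and one user. Path and user name are placeholders.

$folder = 'C:\Data\Payroll'                 # assumed folder
$user   = "$env:COMPUTERNAME\alice"          # assumed local user
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

$acl = Get-Acl $folder
# Stop inheriting the permissive entries from C:\ (second argument: discard them
# rather than copying them as explicit entries).
$acl.SetAccessRuleProtection($true, $false)

# Apply to the folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$rules = @(
    (New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow'),
    (New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, 'Allow'),
    (New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $user, 'ReadAndExecute', $inherit, $prop, 'Allow')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $folder -AclObject $acl

# Verify: "Users", "Everyone" and "Authenticated Users" must not appear.
(Get-Acl $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Breaking inheritance is the step people forget: adding an Allow entry for one user does nothing useful while the inherited entry for Users still grants read access to everyone.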
Set an Account Lockout Policy
Windows can disable a user account for a period after a set number of failed logons. To turn this on and choose the number of attempts allowed, go to Control Panel (in Classic View) > Administrative Tools > Local Security Policy > Account Policies > Account Lockout Policy. A threshold of 5 to 10 attempts with a 30-minute lockout blunts password guessing; a very low threshold lets an attacker deliberately lock legitimate users out, so audit the lockout events as well. The built-in Administrator account is not locked out by this policy for console logons, which is one more reason to rename it and not use it for day-to-day work.
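The password-length and lockout settings from this section and the "Pick strong passwords" section, applied and verified from the command line as an added example (not code from the original article). The numbers are suggested placeholders; adjust them to your site's policy.

```powershell
# Added example (not from the original article): apply the password and
# lockout policy described above and show the result. Run elevated.

# Password policy: 14-character minimum, 90-day maximum age, remember 10 old passwords.
net accounts /minpwlen:14 /maxpwage:90 /uniquepw:10 | Out-Null

# Lockout policy: 5 failures within 30 minutes lock the account for 30 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Stop storing the weak LM hash (XP, 2003, Vista: DWORD NoLMHash = 1). This only
# affects passwords set after the change, so have users change theirs afterwards.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -PropertyType DWord -Force | Out-Null

# Record the policy now in force.
net accounts
Get-ItemProperty -Path $lsa -Name NoLMHash | Select-Object NoLMHash
```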
Set up Event Logging
Event logging is a Windows service that records operating system, application and security events in log files on the local disk.
Make sure auditing is enabled in the security policy; without it the Security log stays nearly empty. Your log files are your main evidence about what an attacker did, whether or not the system was actually compromised. Consider moving the logs from their default location to a partition devoted only to logs, and enlarge them so that a burst of events does not overwrite the oldest entries. Ensure that only administrators can read the logs and that no other users have read permission. Keep in mind that an attacker who gains administrative rights on the machine can clear or alter local logs, so where you can, copy them regularly to another system.
- For Windows Vista users: read Microsoft's article About Windows Event Log for more information.
- For Windows XP and 2000 users: visit Microsoft's topic on Event Logging
- For Windows 2000 and 2003 versions: refer to Microsoft's article for more information on logs and instructions on how to move them.
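An added example, not from the original article, that carries out the steps above: enlarge and relocate the Security log (wevtutil on Vista, the Eventlog service's registry values on XP/2003) and then query it for failed logons against the decoy "Administrator" account described earlier. The log directory is a placeholder; restrict it with the Security tab as described under Permissions.

```powershell
# Added example (not from the original article): move and enlarge the Security
# log, then summarise failed logons against the decoy account. Run elevated.

$logDir = 'D:\Logs'   # assumed dedicated partition; restrict it to Administrators/SYSTEM
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

$vista = [Environment]::OSVersion.Version.Major -ge 6
if ($vista) {
    # Vista: configure the channel directly (100 MB, new file location).
    wevtutil sl Security /ms:104857600 /lf:"$logDir\Security.evtx" | Out-Null
} else {
    # XP/2003: the Eventlog service reads these values when it next starts.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
    New-ItemProperty -Path $key -Name File    -Value "$logDir\SecEvent.Evt" -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name MaxSize -Value 104857600 -PropertyType DWord -Force | Out-Null
}

# Failed logon: event 529 on XP/2000, 4625 on Vista.
$failId = if ($vista) { 4625 } else { 529 }

function Get-DecoyLogonFailures {
    param([string]$Account = 'Administrator', [int]$Newest = 1000)
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq $failId -and $_.Message -match "Account Name:\s+$Account\b" } |
        ForEach-Object {
            $src = 'unknown'
            if ($_.Message -match 'Source Network Address:\s+(\S+)') { $src = $matches[1] }
            New-Object PSObject -Property @{ Time = $_.TimeGenerated; Source = $src }
        } |
        Group-Object Source |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

Get-DecoyLogonFailures
```

A single source address with dozens of failures against the decoy is the signature the decoy exists to produce; the same query with the real (renamed) account name tells you whether the attacker has found it.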
Turn Off Shares
If nothing depends on the default Windows shares, stop and disable the Server service (service name LanmanServer) and turn off "File and Printer Sharing for Microsoft Networks". This prevents all inbound SMB connections to the machine, including connections to the administrative shares (C$, ADMIN$, IPC$), but it also stops the Computer Browser service and some remote administration tools that rely on those shares. It does not affect the machine's own ability to log on to a domain or to use shares on other servers.
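An added example, not from the original article, for the two choices this section leaves you with: disable the Server service entirely, or keep user shares but stop Windows recreating the hidden administrative shares at every boot. Run it elevated; the choice at the top is an assumption to set for your machine.

```powershell
# Added example (not from the original article): turn off SMB serving, or
# keep shares but drop the administrative ones. Run elevated.

$disableServer = $true   # assumed choice; $false keeps file sharing

# What is exposed now: shares, and listeners on the SMB ports.
net share
netstat -an | findstr ':445 :139'

if ($disableServer) {
    # sc.exe is spelled out because 'sc' in PowerShell is an alias for Set-Content.
    sc.exe stop   lanmanserver                   | Out-Null
    sc.exe config lanmanserver start= disabled   | Out-Null   # the space after '=' is required
    sc.exe config browser      start= disabled   | Out-Null   # Computer Browser needs Server
} else {
    # Stop C$ and ADMIN$ being recreated at boot (AutoShareWks on workstations,
    # AutoShareServer on servers). IPC$ stays; authenticated SMB needs it.
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    New-ItemProperty -Path $p -Name AutoShareWks -Value 0 -PropertyType DWord -Force | Out-Null
    foreach ($s in 'C$', 'ADMIN$') { net share $s /delete 2>$null }
}

# Verify: service state and whatever shares remain.
Get-Service lanmanserver | Select-Object Name, Status
net share
```

Disabling the service is the only option that closes port 445 itself; removing the administrative shares still leaves the listener up for any share you keep.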
Disable Hidden Filename Extensions
Viruses and Trojans often use a filename that looks like a harmless document but carries a second, executable extension (for example, puppies.jpg.exe). If "Hide extensions for known file types" is selected (under Folder Options > View) Windows shows only puppies.jpg, so the file looks like an image and a double-click runs it. Turn the option off so the full name is visible; subtle differences like this are easy to miss among genuine files in the same folder, and if your system is ever compromised, with or without your knowledge, showing extensions makes the planted file far more likely to be noticed.
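An added example, not part of the original article: set the Explorer option from the registry for the current user, then scan a folder for double-extension files that would look harmless with extensions hidden. The sample directory and the files in it are constructed for the demonstration.

```powershell
# Added example (not from the original article): show extensions in Explorer
# and find files disguised with a second, executable extension.

$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
New-ItemProperty -Path $adv -Name HideFileExt -Value 0 -PropertyType DWord -Force | Out-Null
# Explorer re-reads this at next logon; restarting explorer.exe applies it at once.

# Extensions Windows will execute on double-click.
$runnable = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.lnk'

function Find-DoubleExtension {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object {
            # Real extension is runnable AND the remaining name ends in another
            # short extension: "puppies.jpg" + ".exe".
            $inner = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
            ($runnable -contains $_.Extension.ToLower()) -and
            ($inner -match '\.[A-Za-z0-9]{1,4}$')
        } |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed sample data for the demonstration.
$sample = Join-Path $env:TEMP 'ext-demo'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
'MZ' | Set-Content (Join-Path $sample 'puppies.jpg.exe')
'x'  | Set-Content (Join-Path $sample 'puppies.jpg')
'x'  | Set-Content (Join-Path $sample 'report.pdf.scr')

Find-DoubleExtension $sample
```

Run the scan over the Desktop, My Documents and the Temporary Internet Files folders, which is where such attachments and downloads usually land.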
Take Measures to Protect Your Data
Encryption of single files or of your entire hard drive is an excellent method of guarding your data - and yourself - against exploitation. Ways in which you can secure your data and instructions on how to use encryption can be found in this HelpDoc article.
Windows Vista
User Account Control
With User Account Control on, even accounts in the Administrators group run with a standard-user token, and each action that needs administrative rights produces a prompt asking for consent (or, for standard users, for an administrator's password). This stops malware that runs as the logged-on user from silently gaining administrative privileges. Some users turn UAC off because of the number of prompts; keep it on, and treat an unexpected prompt as a warning sign rather than something to click through.
Windows Firewall
Vista's firewall is a clear improvement over XP's. It can filter outbound connections as well as inbound, although outbound filtering is off by default and everything is allowed out until you enable it. It also includes Windows Service Hardening: each Windows service is restricted to the network behaviour it is expected to have, and a service that tries to do something else, which is typical of a compromised service, is blocked. The profile-wide outbound policy and per-program outbound rules are not exposed in the Control Panel applet; go to Run and type wf.msc to open Windows Firewall with Advanced Security.
Read Microsoft's article on configuring Windows Firewall. If you wish to use another firewall be sure to research whether it will work with Windows Vista.
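The outbound configuration described above, done with netsh as an added example (not code from the original article). It blocks all outbound traffic by default and allows only named programs; the program paths are placeholders for what your machine actually needs, and the Symantec updater path in particular is an assumption. Run it elevated.

```powershell
# Added example (not from the original article): enable outbound filtering
# in the Vista firewall and allow only specific programs out. Run elevated.

# Default policy for every profile: block unsolicited inbound, block outbound
# unless a rule allows it.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# svchost hosts DNS, DHCP and Windows Update among many others; this rule is
# therefore broad. The service= parameter narrows a rule to one service.
netsh advfirewall firewall add rule name="Out: svchost (DNS/DHCP/Update)" `
    dir=out action=allow program="$env:SystemRoot\system32\svchost.exe"
netsh advfirewall firewall add rule name="Out: Internet Explorer" `
    dir=out action=allow program="$env:ProgramFiles\Internet Explorer\iexplore.exe"
netsh advfirewall firewall add rule name="Out: Symantec LiveUpdate" `
    dir=out action=allow program="C:\Program Files\Symantec\LiveUpdate\LUALL.EXE"   # assumed path

# Log what gets dropped so you can see which program to allow next.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# Review the policy and the outbound rules.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out
```

Expect a few days of consulting pfirewall.log and adding rules before the machine is quiet; that log is also where a program phoning home shows up as repeated DROP lines from an executable you did not expect.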
Windows Defender
Use Windows Defender to protect against malware. It is pre-installed on Vista machines but can be downloaded for XP and Windows Server 2003.
Internet Explorer 7
IE7 is the default browser in Vista and offers a Phishing Filter, Protected Mode (the browser runs at low integrity, so a page that exploits it cannot write to most of your profile or to the system), and support for Data Execution Prevention; Vista's Parental Controls can also be applied to it. DEP helps stop exploits from running code in memory that should hold only data, but it is not turned on for IE7 by default. To enable it, open IE7 with administrative privileges, then go to Tools > Internet Options. On the Advanced tab, scroll down and select Enable memory protection to help mitigate online attacks.
BitLocker Drive Encryption
Vista Enterprise and Ultimate include a new feature known as BitLocker Drive Encryption which guards against physical threats to your data. For more information see Protecting Your Sensitive Data.
Windows XP
Windows Updates
Be sure that your system has Service Pack 2 and is fully updated. If you're on Service Pack 1 or before, be sure to back up all of your data before updating to SP2; some computers don't handle the transition very well.
Windows Firewall
XP's firewall (from Service Pack 2) is a stateful packet filter: it drops unsolicited inbound connections unless a program or port has been added to the exceptions list, which blocks network worms and intrusion attempts against listening services. It does not inspect traffic for malware and does not filter outbound connections. It is important to have this or another firewall enabled. Review the Campus Requirements for Windows XP Firewall in SP2 to make sure your computer's firewall meets UNC standards.
Upgrade to Internet Explorer 7
Internet Explorer 7 is Microsoft's most secure browser to date. It attempts to correct some of the earlier versions' security vulnerabilities and incorporates new security features such as a Phishing Filter and visual security tips. Enable Data Execution Prevention to help prevent malware attacks. Open IE7 with administrative privileges, then go to Tools > Internet Options . On the Advanced tab, scroll down and select Enable memory protection to help mitigate online attacks.
Disable Simple File Sharing
Microsoft tried to make file sharing easier for everyone in XP by introducing Simple File Sharing, which is on by default in workgroup installations. Unfortunately it is all or nothing: every network connection to the machine is treated as the Guest account, so a share is either closed or open to everyone who can reach it. Disable Simple File Sharing to return to the classic Windows 2000-style model, where you control who accesses what and at what level. Do this by going to the Control Panel, opening Folder Options, and choosing View; uncheck Use Simple File Sharing (Recommended) at the bottom of the list. Windows XP Home Edition always uses Simple File Sharing and does not offer this option, which is why the Guest account on XP Home must be given a password.
Format Your Hard Drive to NTFS
Make sure that all partitions of your hard drive are formatted using the NTFS file system, rather than FAT16 or FAT32. NTFS systems offer access control and protections that are unavailable in the FAT systems. If done carefully conversion may be completed without erasing all of your data, but it is recommended to back everything up anyway. Refer to Microsoft's article for more information.
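An added example, not from the original article, for the two XP settings above: turn off Simple File Sharing (the ForceGuest LSA setting) where the edition allows it, and report any fixed volume still formatted FAT. Run it elevated.

```powershell
# Added example (not from the original article): disable Simple File Sharing
# on XP Professional and check that every fixed volume is NTFS. Run elevated.

# Simple File Sharing is the ForceGuest value: 1 = all network logons become
# Guest, 0 = classic per-user authentication.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$os  = Get-WmiObject Win32_OperatingSystem
$isHome = ($os.OSProductSuite -band 0x200) -ne 0   # VER_SUITE_PERSONAL = Home Edition

if ($isHome) {
    Write-Warning 'XP Home Edition always uses Simple File Sharing; ForceGuest cannot be turned off here.'
} else {
    New-ItemProperty -Path $lsa -Name forceguest -Value 0 -PropertyType DWord -Force | Out-Null
}
Get-ItemProperty -Path $lsa -Name forceguest | Select-Object forceguest

# File systems: a FAT volume has no permissions at all, so every ACL you set
# elsewhere is irrelevant for data stored on it.
function Get-NonNtfsVolumes {
    Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
        Where-Object { $_.FileSystem -ne 'NTFS' } |
        Select-Object DeviceID, FileSystem, @{n='FreeGB'; e={ [math]::Round($_.FreeSpace / 1GB, 1) }}
}

foreach ($v in Get-NonNtfsVolumes) {
    # convert is one-way and cannot be undone without reformatting: back up first.
    Write-Warning ("{0} is {1}; after a full backup run:  convert {0} /fs:ntfs" -f $v.DeviceID, $v.FileSystem)
}
```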
Previous Windows Versions
Restrict or prevent anonymous access and account enumeration on your Windows NT and 2000 systems
Windows NT and 2000 have, in addition to ordinary user accounts, an anonymous or "null" logon that carries no username or password. This logon (called 'Null Credentials Logon' in NT and 'Anonymous Access' in 2000) can read certain information over the network, such as account names, services, shares, permissions and policies, and in most settings it is an unnecessary risk: it is the first thing an attacker enumerates before guessing passwords. Unless your domain administrator has told you to keep it available, restrict it using the following steps.
This is done with the Registry Editor; back up the key first. Click on the Start Menu, choose Run, type regedt32 and click OK. In the HKEY_LOCAL_MACHINE window navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. On the Edit menu, click Add Value and use the following entry:
- Value Name: RestrictAnonymous
- Data Type: REG_DWORD
- Value: 1
For NT and mixed environments, use a data value of 1, which on Windows 2000 is the same as choosing Do not allow enumeration of SAM accounts and shares under Local Security Policy > Local Policies > Security Options > Additional restrictions for anonymous connections. For pure Windows 2000 environments, or if you want the strictest setting, use a data value of 2 (No access without explicit anonymous permissions); be aware that 2 also breaks things that legitimately rely on anonymous access, such as domain trusts to NT 4 domains and browse lists on servers, so test it before rolling it out. Either value prevents the common null-session attacks, though with 1 the null session itself may still connect while the enumeration it attempts is denied. For more information on null sessions and their vulnerabilities, please see this SANS document and Microsoft Knowledgebase articles on restricting information available to anonymous logon users and using the 'RestrictAnonymous' registry value.
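The registry change and a check that it worked, as an added example (not code from the original article): the first part sets RestrictAnonymous on the machine being hardened, the second part is run from another machine and tries to open a null session against it. The target host name is a placeholder.

```powershell
# Added example (not from the original article): set RestrictAnonymous, then
# test from a second machine whether a null session still yields anything.

# --- On the system being hardened (run elevated) ---
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = 1   # 1 for NT/mixed environments; 2 only on pure Windows 2000 networks
New-ItemProperty -Path $lsa -Name RestrictAnonymous -Value $level -PropertyType DWord -Force | Out-Null
Get-ItemProperty -Path $lsa | Select-Object RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous
# The last two values exist on XP/2003 and later, where they take over part of
# RestrictAnonymous's job: RestrictAnonymousSAM=1 blocks account enumeration and
# EveryoneIncludesAnonymous=0 keeps anonymous out of the Everyone group.

# --- From a second machine ---
function Test-NullSession {
    param([string]$Target)
    # Null session: empty password, empty user name, against the IPC$ share.
    $out = cmd /c "net use \\$Target\IPC$ `"`" /user:`"`" 2>&1"
    if ($LASTEXITCODE -eq 0) {
        "$Target accepted a null session; checking what it can enumerate:"
        # With RestrictAnonymous=1 the session opens but this is denied; with 0
        # it lists the shares. Judge by this result, not by the connect alone.
        net view "\\$Target" 2>&1
        net use "\\$Target\IPC$" /delete | Out-Null
    } else {
        "$Target rejected the null session: $out"
    }
}

Test-NullSession 'ws-lab-01'   # assumed host name
```

The enumeration attempt is the part worth repeating after every change, since a setting can be present in the registry and still not apply until the machine has been restarted.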
Use Security Tools
HFNetChk for Windows NT and 2000 creates a way for an administrator of a network to scan local and remote systems for available patches.
More Information
Visit the following resources for more information on securing Windows:
- Windows Security Checklist
- Securing Windows 2000
- Windows File Sharing: to Share or Not to Share
- What is Windows Update and Why Should I Run It?
- Protecting Your Sensitive Data
- Securing Your Computer on the UNC Network
Please call 962-HELP or contact ITS Security at security@unc.edu if you have any questions.