Tweaking Optimizing Windows.pdf - GEGeek

More documents

Recommendations

Info

Downloads:- http://corporate.windowsupdate.microsoft.com/en/default.asp www.microsoft.com/windows2000/downloads/ http://support.microsoft.com/highlights/default.asp?pr=topsdn&cl=136&SD=TECH Also download the Windows Critical Update Notification tool and never miss a Critical Update again. Whenever a new Critical Fix is released, you will be notified. You can install or uninstall Windows Critical Update Notification by using either of the following methods: Click Start, point to Settings, and then click Control Panel. Double-click Add/Remove Programs. Click Microsoft Windows Critical Update Notification. Click Add/Remove. http://support.microsoft.com/support/kb/articles/Q224/4/20.ASP Also visit http://windowsupdate.microsoft.com/ and also see other Microsoft links in links further in this document. As new security fixes become available it is important to apply these new fixes. Microsoft has created the Qchain tool to chain hotfixes together in order for only one reboot to be required when installing several fixes. http://support.microsoft.com/support/kb/articles/Q296/8/61.asp HFNetChk One particularly important element of operating a secure system is staying up to date on security patches. It's critical to know which patches have been applied to your system and, more importantly, which haven't. Microsoft has released a tool called HFNetChk that will significantly aid system administrators in this task. HFNetChk is a command-line tool that enables an administrator to check the patch status of all the machines in a network from a central location. The tool does this by referring to an XML database that's constantly updated by Microsoft. HFNetChk can be run on Windows NT 4.0 or Windows 2000 systems, and will scan either the local system or remote ones for patches www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/hfnetchk.asp Windows NT 4.0, Windows 2000, All system services, including Internet Information Server 4.0 and 5.0, SQL Server 7.0 and 2000 (including Microsoft Data Engine), Internet Explorer 5.01 and later 7. Subscribe Subscribe to the Security Focus newsletters and check out there website at www.securityfocus.com/ Subscribe to the Security Admin newsletters and check out there website at www.secadministrator.com/ Subscribe to an email alert service that warns you about new, in-the-wild, viruses like the free service at www.sophos.com/virusinfo/notifications Subscribe to the Microsoft Security Notification Service. This is a free e-mail notification service that Microsoft uses to send information to subscribers about the security of Microsoft products. www.microsoft.com/technet/security/bulletin/notify.asp Also keep an eye on Microsoft's security bulletins at www.microsoft.com/security www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp Microsoft Personal Security Advisor Microsoft Personal Security Advisor (MPSA) is an easy to use web application that will help you secure your Windows NT 4.0 and Windows 2000 computer system. Simply navigate to the MPSA site and press the Scan Now button to receive a detailed report of your computer's security settings and recommendations for improvement. MPSA will scan your system and build a customized report on items such as: missing security patches, weak passwords, Internet Explorer and Outlook Express security settings, and Office macro protection settings. More details on the specific features performed by MPSA are available by selecting the Features option on the MPSA toolbar. For each weakness identified on your computer, MPSA provides easy to understand information on the security issue at hand, how to fix it, and links to additional information about the issue. Once you correct a reported deficiency, you can run the scan again and see the results of the change. Running MPSA on a regular basis will help ensure that your system stays up to date and secure. www.microsoft.com/technet/mpsa/start.asp 8. Disable NetBios, clean up network bindings, protocol optimisation and internet connection sharing If you are NOT connected to a local or wide area network and only use your dial up modem or cable modem for internet access then disable NetBios. Goto control panels, Network and examine every line beginning with "TCP/IP", click on properties and then remove all of the checkmarks from the services listed on the bindings tab! (Note that when you click "OK" after unbinding everything, Windows will think you're nuts and will warn you that you "have not selected any drivers to bind with." Just click "NO" to proceed.) It will quietly disappears from sight and your system's security skyrockets. You won't miss it at all, Windows will boot faster, and you'll have more memory for things you do need. And if you later decide to share your files with another computer (which is almost the only reason for Microsoft's networking) it's very easy to bring it back from the grave. Not only does unbinding TCP/IP from the Microsoft networking components prevent your computer's files from being accessed through abuses of Microsoft's networking. Unbind ALL network services from EVERY instance of the TCP/IP protocol! You can also do this by the following registry settings. Copy these next lines into notepad, save as Disable NetBios.reg (remembering to change save as type to all files), double click the file you have just created and jey presto you are a lot more secure on the Internet. Remember every time you enter a new dial up networking setting you will need to disable NetBios. The advantage of doing this is that you will get a better transfer speed and a lot better security. To verify these settings you can go onto shields up site (https://grc.com) and test before and after putting these settings into your registry. -----Begin cut & paste here----- REGEDIT4 [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETBIOS]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP] ------End cut & paste here------ Single NT computers can be effectively protected from many kind of attacks by Unbinding NETBIOS and TCP/IP protocols. Workstation that does not need to share any disk, printer or other resources can be protected by shutting down SERVER service. Clean up networking bindings The next step in securing your system from prying eyes is to ensure your bindings are set appropriately and should only be used on machines that do not connect to other Windows-based machines. The next step will disable Microsoft Networking connections to and from your machine. This will make it a lot harder for external computers to access your shares, printers and other Server Message Block services on your computer. This will not stop them from exploiting non-Microsoft Networking services such as IIS (FTP, Web, Web file sharing, and Web shared printers). If you don't know what shares are, and if you're not attaching to an NT file server, chances are that you can take this top. Note that in this sense, we're not talking about a home network that solely uses Internet connection sharing network via Microsoft's own Internet Connection Sharing, or some other program that lets this machine assign IP addresses to your other computers (WinGate). Right click on Network, select properties. Right click on the icon for your connection to the Internet and select Properties. Select the tab on the top named "Networking". In the box below that says, "Components used by this network connection" Uncheck everything but TCP/IP. Protocol Optimization The protocols should be ordered by the frequency that they are used. For example, the most used protocol should be first and the least used last. Using Internet Connection Sharing The Networking Wizard wants to use TCP as the main protocol for everything, both inside and outside the LAN. For example, with Internet Connection Sharing (ICS) set up on one PC, the Wizard will set up TCP, with Print and File sharing enabled, and with NetBIOS enabled (or actually in the default setting, which seems to be "enabled" in this case) on the ICS PC, and on each PC on which you run the Wizard. This sounds and can be dangerous, because TCP is the protocol or "language" of the internet: Using TCP for your local communications can make it easier for hackers to jump from the internet to your local network. So, on the PC that's doing the sharing, you need to open the connection settings and unbind (remove) everything but TCP from the outbound network card- the one that connects to your ISP and the internet at large. That connection should have just plain-vanilla TCP- no file/print share, no "Microsoft Network Client," etc. Nothing but TCP, period. You also need a compatible firewall: On the Win98/WinME versions of ICS, you'll need to add an ICS-compatible firewall, such as Sygate Personal or Pro, or Zone Alarm Pro. On XP, the ICS setup will offer to enable the built-in firewall, and that's an OK place to start (better than nothing), although you may wish to install a more robust firewall. With nothing but TCP going in or out, and with the connection firewalled, you should be pretty safe: Tests like ShieldsUp www.grc.com should show full stealthing of the ICS PC- all ports should be invisible to the outside world, and NetBIOS shouldn't be open to the internet. But it can operate on the safe side of the LAN, letting the PCs access each other, and share files locally. This is very different from the way things work with NATS and some proxies. The old Sygate NAT I used forever worked just fine with XP clients set up in the traditional safe way, for example, using NetBEUI or IPX for the internal, peer-to-peer communication. But that way wouldn't work for XP if Windows' own ICS was doing the connection-sharing; for that, I had to use the Wizard-style networking, adjusted as above. A final note: Each PC on the safe side--- the inside--- of a shared connection needs its own firewall, too, even if the externallyconnected PC is firewalled, and even if the firewalling is provided by a piece of hardware. Don't rely on a single line of defense against internet threats: See www.informationweek.com/840/langa.htm 9. Shares and Shared Resources After you have decided what drives and printers you want the outside world to see, you have to share them. Do this by going to the resource you want to share and opening its properties. Go to sharing (not security), and select "New Share" for folders or "Shared as" for printers and assign the object the share name you want it to be seen as on the network. If you append a dollar sign to the share, it will not be displayed as browseable to the network, but it is still there. This doesn't really add security, but is a nice trick to use so you can share out your quake mods to your friends at work with out having a \\computername\quake share showing up in everyone's browse window. Remove the everyone group Now here's the important part: remove the Everyone group. In some ways, since we have disabled the Guest account this is redundant, but it is better to do a little extra work so that if you missed something, you still are secure at a second point (and in the NT 4.0 days, there was more than one exploit involving the "Everyone" group, so let's err on the side of being cautious). Now add the people or groups that you want to access your computer. This can be as wide open as the "Domain Users" or "Authenticated users" or as restrictive as just your user ID. One thing to remember is that regardless who has rights to the file system, if they don't have rights to the share they cant get to it. The same thing works in reverse, too. If you are sharing your MP3 collection as: \\computername\mp3s$ ... and you set the share to allow full control to everyone in the Authenticated Users group, those settings will not override the filesystem settings. Therefore, if all of you MP3s are only readable by user 'frufruhead,' then your share security settings won't change that. Now you can see why shares default so that "Everyone" can read them: on the most basic level, "everyone" can try and browse the share, but the default permissions take over on the filesystem. Here's a rhetorical question: do you already have shares on your machine? Windows 2000 (and Windows NT) comes with Administrative shares already enabled. This means that every file on every hard drive on your computer is shared to the network by default. Only members of your Administrators Group can get to these shares, but it still can make it easier for someone outside to access things that they shouldn't. They are shared from the root of the drive, so to remove them go to the properties of the drive, the sharing tab, and remove the C$ by selecting "Do not share this folder". This is ok on a home machine, but may get your administrator at work a bit miffed. If you are this concerned about security, you should also remove the administrative share at
Page 1 and 2:
Mr.X.'s TWEAKING AND OPTIMIZING WIN
Page 3 and 4:
-Msdownld.tmp This one needs manual
Page 5 and 6:
If you have Windows 95/NT you can e
Page 7 and 8:
BootKeys=1 BootMenu=0 BootMenuDefau
Page 9 and 10:
Settings\Cache\History] "CachePath"
Page 11 and 12:
Similarly, open Internet Explorer,
Page 13 and 14:
g - Restart your computer once step
Page 15 and 16: 38. Keep IE crash free Here's a tip
Page 17 and 18: 44. Switch off Dos memory manager D
Page 19 and 20: Data: D:\WIN95 58. Clear Recent Doc
Page 21 and 22: Click on the property tab for this
Page 23 and 24: Right-click in the right hand pane
Page 25 and 26: By the use of this client software,
Page 27 and 28: 8. Want Real mode DOS back in Windo
Page 29 and 30: Recommendation: This service will f
Page 31 and 32: detect and/or recognize your hardwa
Page 33 and 34: It should almost certainly benefit
Page 35 and 36: Click start. click settings. click
Page 37 and 38: Click Analyze, click ok, click Acti
Page 39 and 40: Nonbrowser. A nonbrowser is configu
Page 41 and 42: Private IP Addressing (APIPA) for p
Page 43 and 44: provides protected storage for sens
Page 45 and 46: If the service is turned off, RIS i
Page 47 and 48: enables NetBIOS name resolution. Pr
Page 49 and 50: 11. Adaptive Menus Microsoft Office
Page 51 and 52: 3. Speed up Internet Explorer 6 Fav
Page 53 and 54: Note that in doing this, you are co
Page 55 and 56: claimed for a ‘fixed’ page file
Page 57 and 58: When a NTFS drive is formatted it b
Page 59 and 60: Goto above key in registry and you
Page 61 and 62: To get Admin account on the "Welcom
Page 63 and 64: • Security is not opening attachm
Page 65: is not acceptable, and that anythin
Page 69 and 70: exists on your NT machine (this key
Page 71 and 72: - Not found in a dictionary - Not d
Page 73 and 74: Alt - 119 = w Alt - 120 = x Alt - 1
Page 75 and 76: Alt - 0166 = ¦ Alt - 0167 = § Alt
Page 77 and 78: 11. Remove the default administrato
Page 79 and 80: These logs can contain sensitive da
Page 81 and 82: Right-click in the right hand pane,
Page 83 and 84: 57. Temporarily Assign Yourself Adm
Page 85 and 86: Install the appropriate post-Servic
Page 87 and 88: Windows XP Home Edition Configurati
Page 89 and 90: Caution If your computer is not in
Page 91 and 92: C:\inetpub\ftproot (FTP server) C:\
Page 93 and 94: MBR Work - www.terabyteunlimited.co
Page 95 and 96: Extreme Tech www.extremetech.com Fi
Page 97 and 98: IconFactory.com www.iconfactory.com
Page 99 and 100: Cable Modem Tips http://homepage.nt
Page 101 and 102: _Google _Google Image Search _Googl
Page 103 and 104: Boot other device This feature dete
Page 105 and 106: feature is a little different from
Page 107 and 108: ypass the compensation circuit and
Page 109 and 110: Therefore, using the latest video B
Page 111 and 112: So, for optimal performance, you sh
Page 113 and 114: second clock cycle before sending t
Page 115 and 116: SDRam RAS precharge time This featu
Page 117 and 118:
The shorter the delay, the earlier
Page 119 and 120:
CPU level 1 cache The modern proces
Page 121 and 122:
MPS 1.1 was the original specificat
Page 123 and 124:
Please note that even if you don't
Page 125 and 126:
Advanced Settings tab of the associ
Page 127 and 128:
However, this is not a surefire way
Page 129 and 130:
This feature allows you to manually
Page 131 and 132:
doubling the bandwidth of the proce
Page 133 and 134:
When this feature is enabled, the s
Page 135 and 136:
VLink 8X support V-Link refers to V
Page 137 and 138:
You will notice that the interrupts
Page 139 and 140:
AMD OVERCLOCKING - changing the mul
Page 141 and 142:
Examples of terminology used You wi
Page 143 and 144:
are much easier to use. No matter w
Page 145 and 146:
Hard drive limitations Overclocking
Page 147 and 148:
5.0x 500Mhz 560Mhz 620Mhz 665Mhz 5.
Page 149 and 150:
If you see copper, you've gone too
Page 151 and 152:
"PC" specification that SDRAM uses
Page 153 and 154:
Benchmarks allow you to measure you
show all

Tweaking Optimizing Windows.pdf - GEGeek

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?