Tweaking Optimizing Windows.pdf - GEGeek

More documents

Recommendations

Info

Alt - 0254 = þ Alt - 0255 = ÿ Create a password reset disk If you’re running Windows XP Professional as a local user in a workgroup environment, you can create a password reset disk to log onto your computer when you forget your password. To create the disk: Click Start, click Control Panel, and then click User Accounts. Click your account name. Under Related Tasks, click Prevent a forgotten password. Follow the directions in the Forgotten Password Wizard to create a password reset disk. Store the disk in a secure location, because anyone using it can access your local user account 19. Ensure that you have disabled the Guest Account The 'Guest' account allows anonymous access to a machine. Making sure that this account is disabled will prevent people from using services you may have inadvertently left open. You can get to this from "Control Panel > Users and Passwords" Then, click on the "Advanced" tab, and choose "Advanced." You should know be able to modify the Guest account in the "Users" folder. There is a tendency to confuse the "Everyone" group with the guest account/group. "Everyone" represents people that are authenticated in any way the client can verify, be locally or to a domain. If you are anyone, you are "Everyone". If a user doesn't have any other method of authentication, then they are allowed to access whatever the guest group/account has rights to. This is why you should disable your guest account. But keep in mind: anyone is everyone, including your own valid user. It is a common mistake for new users to set the filesystem permissions at the root of their system to "deny" Everyone access. Doing so will keep everyone, including you out. We're be covering filesystem permissions more in depth at another time. 20. Rename Administrator Unlike other Accounts, the Administrator ID cannot be locked out. This means that people can try as many times as they like to crack this ID. To make this more difficult, rename your administrative account to something else. Make it very easy to remember, like "RealAdmin" or something similar. Next, I would recommend making a dummy Administrator account that has NO rights to anything, named "Administrator" with no privileges. Scan the event log regularly looking for attempts to use this account and giving it a log in script that writes the client machine's host name and IP address to a file whenever someone is able to log in using it, and then kicks the user off. To add a login script to the dummy administrators account, go to Console1 and the properties of the dummy account. Change it in the "Login Scripts" entry. A login script, in the most simple terms, is just a batch file that a user runs when they login. This can be as simple as connecting a few network drives to as complex as, well, let it suffice to say it can get really complex. If you want to make a login script that puts the IP address info of the person logging into your machine into a log file, you would use something like this. Let's name the file Login.CMD, and let's create it in notepad just like any other text file. rem Make it so the person logging in doesnt see the script run @echo off Rem get the ipaddress of the local machine along with some other settings, you can write another Rem script to parse out just the ip address, but if they are NAT'ed or PAT'ed then the whole thing is a Rem lot more useful ipconfig >> \\\\ipaddr.log rem Exit the command shell Exit Please note a few things here: You need to be very restirictive on the rights to the folder on your machine. Give authenticated users read/change permissions at the share level, then go to Security, Advanced, Permissions, select your dummy account, and click "Edit". Make all the options deny except the right to append to the file. - You may want to enable quotas on this account as well, so a malicious user can't fill up your harddrive by repeatedly logging in, over and over. - This will only catch people running Windows machines or other SMB clients that will run a login script. - This is by no means the best way to detect an intruder. Use a firewall or some dedicated intrusion detection software. - Enable auditing on the shared directory so you can tell what's happening. Now it is time to create the ID you will actually be logging in with everyday. If it's your home desktop, go ahead and add this to the administrator's group for your local machine. Use this ID to log in for most things, reserving your renamed Administrator account for emergencies. If you are a member of a NT 4.0 domain or a Windows 2000 Active Directory tree, it is also a good idea to audit Logon Failures. This is not an option in Windows 2000 professional in a standalone configuration. Next enable account lockout on the real Administrator accounts by using the passprop utility from resource kit and disable the local computer's Administrator account. 21. Enable Auditing Use Auditing - heavily if Internet connected. Read your logs daily. Use them as a guide, however don't blindly trust that every action is in the logs, and every action reflected in the logs should not be taken at face value. INVESTIGATE ODD THINGS. Enable auditing and create a separate administrators account for auditing purposes only. For the highest security use separate administrator account for auditing this allows other administrators to be audited as well. Only enable auditing on the events you need because every item audited increases overhead. 1. Open User Manager or User Manager for Domains. 2. Create a new account. For example, auditor. 3. Make sure auditor is a members of the Administrators group and Domain Admins. 4. Click Policies. Click Audit. 5. Click Audit These Events 6. Select the events your wish to audit. 7. Click ok. 8. Click Policies. 9. Click User Rights. 10. Select Manage Auditing and security log.
11. Remove the default administrators group. 12. Add the account used for auditing. 13. Click ok. 22. Group Policy Editor On 2000 and XP you can use the group policy tool to restrict access. If you would like to limit or control just about every aspect of your computer you can use a great tool called the group policy editor. Click Start and select Run. Type gpedit.msc in the text box and click on OK. The group policy editor will load. Navigate through the folders and you will discover hundreds of items that you can limit access to and control. 23. Security Templates This applies to 2000 and XP. During installation, a set of standard security settings is applied to the system: these settings are known as a security template. To get a detailed analysis of the security settings on your machine, open the MMC and select Add/Remove Snap In from the Console Menu. Click on the Add button, and select the Security Configuration and Analysis, and Security Templates snap-ins. If you view the Security Templates option, you will see a list of the basic security templates that are available to your system. You can view the security settings that each individual template applies by clicking on the plus sign next to each template. The basicwk template is the default workstation security template, the hisecws template provides higher security workstation settings while the compatws template provides maximum compatibility for non-Windows 2000 certified applications. The template named Setup Security is the default setup template, by double-clicking on this you can see a list of the security settings that this template applies under each section of the system, i.e. Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry and File System. Double clicking on each individual item will give you more detailed information on that particular setting. For example under the default Setup Security template, if you look under Account Policies, then Password Policy you will see the security setting for the system passwords. To view the settings that are currently applied to your machine, right click on Security Configuration and Analysis and select Analyse Computer Now. To apply a different template, right-click on Security Configuration and Analysis and select Import Template. You can then choose from the selection of standard templates. You can also modify an existing template to your chosen settings, then choose Export Template and save it as a new template. 24. Disable or delete Unnecessary Accounts You should review the list of active accounts (for both users and applications) on the system in the Computer Management snap-in, and disable any non-active accounts, and delete accounts which are no longer required. 25. Set account lockout policy Windows 2000 and XP includes an account lockout feature that will disable an account after an administrator-specified number of logon failures. For maximum security, enable lockout after 3 to 5 failed attempts, reset the count after not less than 30 minutes, and set the lockout duration to Forever (until admin unlocks). The Windows NT Resource Kit includes a tool that allows you to adjust some account properties that aren't accessible through the normal management tools. This tool, passprop.exe, allows you to lock out the administrator account: The /adminlockout switch allows the administrator account to be locked out 26. Require CTRL-ALT-DEL before login In 2000 and XP under Control Panel/Users & Passwords ensure that the "Users must enter a user name and password" box is checked, and under the Advanced tab, that "Require users to press CTR-ALT-DEL before logging on" is checked. 27. Don't Display Last User Name at logon Either use TweakUI and clear the checkmark next to Clear Last User at logon in the Paranoia tab or utilise a registry entry. Enabling this will blank the username box on the logon screen. Preventing people that are logging on from knowing the last user on the system and also from preventing account lockouts for the wrong person. Win9x Settings Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon] Value Name: DontDisplayLastUserName Data Type: REG_SZ Data: (1=enable, 0=disable) NT Settings Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Value Name: DontDisplayLastUserName Data Type: REG_SZ Data: (1=enable, 0=disable) If that doesn't fix it, follow this solution (make sure you have a note of all your ISP usernames and passwords) First, delete your .PWL file from the C:\WINDOWS folder. Next, delete the equivalent entry from C:\WINDOWS\SYSTEM.INI's [Password Lists] section. Next, open Control Panel > Network and ensure Windows Logon is installed and that it is the Primary Network. Reboot. When asked for a username and password, enter your usual username and hit Return. Do NOT enter a password- leave it blank. Hit Return to confirm the blank password. That's the last time you'll be asked to logon to Windows. When you logon to your ISP, you'll have to enter your username and password, but once connection is established, these will be remembered for future logons, provided you checkmark the appropriate box, of course. If you're on a LAN, use Client for Microsoft Networks, instead. You will need to use Tweak UI's Logon instead. If you WANT to logon, but can't, remove the following registry value:
Page 1 and 2:
Mr.X.'s TWEAKING AND OPTIMIZING WIN
Page 3 and 4:
-Msdownld.tmp This one needs manual
Page 5 and 6:
If you have Windows 95/NT you can e
Page 7 and 8:
BootKeys=1 BootMenu=0 BootMenuDefau
Page 9 and 10:
Settings\Cache\History] "CachePath"
Page 11 and 12:
Similarly, open Internet Explorer,
Page 13 and 14:
g - Restart your computer once step
Page 15 and 16:
38. Keep IE crash free Here's a tip
Page 17 and 18:
44. Switch off Dos memory manager D
Page 19 and 20:
Data: D:\WIN95 58. Clear Recent Doc
Page 21 and 22:
Click on the property tab for this
Page 23 and 24:
Right-click in the right hand pane
Page 25 and 26: By the use of this client software,
Page 27 and 28: 8. Want Real mode DOS back in Windo
Page 29 and 30: Recommendation: This service will f
Page 31 and 32: detect and/or recognize your hardwa
Page 33 and 34: It should almost certainly benefit
Page 35 and 36: Click start. click settings. click
Page 37 and 38: Click Analyze, click ok, click Acti
Page 39 and 40: Nonbrowser. A nonbrowser is configu
Page 41 and 42: Private IP Addressing (APIPA) for p
Page 43 and 44: provides protected storage for sens
Page 45 and 46: If the service is turned off, RIS i
Page 47 and 48: enables NetBIOS name resolution. Pr
Page 49 and 50: 11. Adaptive Menus Microsoft Office
Page 51 and 52: 3. Speed up Internet Explorer 6 Fav
Page 53 and 54: Note that in doing this, you are co
Page 55 and 56: claimed for a ‘fixed’ page file
Page 57 and 58: When a NTFS drive is formatted it b
Page 59 and 60: Goto above key in registry and you
Page 61 and 62: To get Admin account on the "Welcom
Page 63 and 64: • Security is not opening attachm
Page 65 and 66: is not acceptable, and that anythin
Page 67 and 68: [-HKEY_LOCAL_MACHINE\System\Current
Page 69 and 70: exists on your NT machine (this key
Page 71 and 72: - Not found in a dictionary - Not d
Page 73 and 74: Alt - 119 = w Alt - 120 = x Alt - 1
Page 75: Alt - 0166 = ¦ Alt - 0167 = § Alt
Page 79 and 80: These logs can contain sensitive da
Page 81 and 82: Right-click in the right hand pane,
Page 83 and 84: 57. Temporarily Assign Yourself Adm
Page 85 and 86: Install the appropriate post-Servic
Page 87 and 88: Windows XP Home Edition Configurati
Page 89 and 90: Caution If your computer is not in
Page 91 and 92: C:\inetpub\ftproot (FTP server) C:\
Page 93 and 94: MBR Work - www.terabyteunlimited.co
Page 95 and 96: Extreme Tech www.extremetech.com Fi
Page 97 and 98: IconFactory.com www.iconfactory.com
Page 99 and 100: Cable Modem Tips http://homepage.nt
Page 101 and 102: _Google _Google Image Search _Googl
Page 103 and 104: Boot other device This feature dete
Page 105 and 106: feature is a little different from
Page 107 and 108: ypass the compensation circuit and
Page 109 and 110: Therefore, using the latest video B
Page 111 and 112: So, for optimal performance, you sh
Page 113 and 114: second clock cycle before sending t
Page 115 and 116: SDRam RAS precharge time This featu
Page 117 and 118: The shorter the delay, the earlier
Page 119 and 120: CPU level 1 cache The modern proces
Page 121 and 122: MPS 1.1 was the original specificat
Page 123 and 124: Please note that even if you don't
Page 125 and 126: Advanced Settings tab of the associ
Page 127 and 128:
However, this is not a surefire way
Page 129 and 130:
This feature allows you to manually
Page 131 and 132:
doubling the bandwidth of the proce
Page 133 and 134:
When this feature is enabled, the s
Page 135 and 136:
VLink 8X support V-Link refers to V
Page 137 and 138:
You will notice that the interrupts
Page 139 and 140:
AMD OVERCLOCKING - changing the mul
Page 141 and 142:
Examples of terminology used You wi
Page 143 and 144:
are much easier to use. No matter w
Page 145 and 146:
Hard drive limitations Overclocking
Page 147 and 148:
5.0x 500Mhz 560Mhz 620Mhz 665Mhz 5.
Page 149 and 150:
If you see copper, you've gone too
Page 151 and 152:
"PC" specification that SDRAM uses
Page 153 and 154:
Benchmarks allow you to measure you
show all

Tweaking Optimizing Windows.pdf - GEGeek

Create successful ePaper yourself

Delete template?

Save as template?