Tweaking Optimizing Windows.pdf - GEGeek

More documents

Recommendations

Info

Clean-installed Windows 2000 systems have secure default ACLs on the registry. However, upgrades from previous versions (e.g., Windows NT 4) do not modify the previous security settings and should have the default Windows 2000 settings applied. Refer to to Default Access Control Settings in Windows 2000 document on the Microsoft TechNet Security Web site for details on the default Windows 2000 registry ACLs and how to make any necessary modifications. Restrict access to public Local Security Authority (LSA) information You need to be able to identify all users on your system, so you should restrict anonymous users so that the amount of public information they can obtain about the LSA component of the Windows NT Security Subsystem is reduced. The LSA handles aspects of security administration on the local computer, including access and permissions. To implement this restriction, create and set the following registry entry: Hive HKEY_LOCAL_MACHINE \SYSTEM Key CurrentControlSet\Control\LSA Value Name RestrictAnonymous Type REG_DWORD Value 1 Set stronger password policies Use the Domain Security Policy (or Local Security Policy) snap-in to strengthen the system policies for password acceptance. Microsoft suggests that you make the following changes: Set the minimum password length to at least 8 characters Set a minimum password age appropriate to your network (typically between 1 and 7 days) Set a maximum password age appropriate to your network (typically no more than 42 days) Set a password history maintenance (using the "Remember passwords" option) of at least 6 Set account lockout policy Windows 2000 includes an account lockout feature that will disable an account after an administrator-specified number of logon failures. For maximum security, enable lockout after 3 to 5 failed attempts, reset the count after not less than 30 minutes, and set the lockout duration to "Forever (until admin unlocks)." The Windows NT Server Resource Kit includes a tool that allows you to adjust some account properties that aren't accessible through the normal management tools. This tool, passprop.exe, allows you to lock out the administrator account: The /adminlockout switch allows the administrator account to be locked out Configure the Administrator account Because the Administrator account is built in to every copy of Windows 2000, it presents a well-known objective for attackers. To make it more difficult to attack the Administrator account, do the following both for the domain Administrator account and the local Administrator account on each server: Rename the account to a nonobvious name (e.g., not "admin," "root," etc.) Establish a decoy account named "Administrator" with no privileges. Scan the event log regularly looking for attempts to use this account. Enable account lockout on the real Administrator accounts by using the passprop utility Disable the local computer's Administrator account. Remove all unnecessary file shares All unnecessary file shares on the system should be removed to prevent possible information disclosure and to prevent malicious users from using the shares as an entry to the local system. Set appropriate ACLs on all necessary file shares By default all users have Full Control permissions on newly created file shares. All shares that are required on the system should be ACL'd such that users have the appropriate share-level access (e.g., Everyone = Read). Note The NTFS file system must be used to set ACLs on individual files in addition to share-level permissions. Install antivirus software and updates It is imperative to install antivirus software and keep up-to-date on the latest virus signatures on all Internet and intranet systems. More security antivirus information is available on the Microsoft TechNet Security Web site. Install the latest Service Pack Each Service Pack for Windows includes all security fixes from previous Service Packs. Microsoft recommends that you keep up-todate on Service Pack releases and install the correct Service Pack for your servers as soon as your operational circumstances allow. The current Service Pack for Windows 2000, SP2, is available on the Microsoft Web site. Service Packs are also available through Microsoft Product Support. Information about contacting Microsoft Product Support is available on the Microsoft Web site. Install the appropriate post-Service Pack security hotfixes Microsoft issues security bulletins through its Security Notification Service. When these bulletins recommend installation of a security hotfix, you should immediately download and install the hotfix on your member servers. Additional security settings There are additional security features not covered in this document that should be leveraged when securing servers running Windows 2000. Information about these security features such as Encrypting File System (EFS), Kerberos, IPSEC, PKI, and IE security is available on the Microsoft TechNet Security Web site. 61. Windows XP Baseline Security Checklist Important The purpose of these checklists is to give instructions for configuring a baseline level of security on Windows XP computers. This guide does not provide a complete list of all security features provided in Windows XP, or how to use them. These checklists contain information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, see online Help for Registry Editor.
Windows XP Home Edition Configuration Checklist Details - Verify that all disk partitions are formatted with NTFS - Protect file shares - Use Internet Connection Sharing for shared Internet connections - Enable Internet Connection Firewall - Use account passwords - Use the "Make Private" feature - Install anti-virus software and updates - Keep up-to-date on the latest security updates Windows XP Professional Configuration Checklist Details - Verify that all disk partitions are formatted with NTFS - Protect file shares - Use Internet Connection Sharing for shared Internet connections - Enable Internet Connection Firewall - Use software restriction policies - Use account passwords - Disable unnecessary services - Disable or delete unnecessary accounts - Make sure the Guest account is disabled - Set stronger password policies - Set account lockout policy - Install anti-virus software and updates - Keep up-to-date on the latest security updates XP HOME EDITION CHECKLIST Verify that all disk partitions are formatted with NTFS NTFS partitions offer access controls and protections that aren't available with the FAT, FAT32, or FAT32x file systems. Make sure that all partitions on your computer are formatted using NTFS. If necessary, use the Convert utility to non-destructively convert your FAT partitions to NTFS. Protect file shares Windows XP Home Edition uses a network access model called "Simple File Sharing," where all attempts to log on to the computer from across the network will be forced to use the Guest account. This means that network access through Server Message Block (SMB, used for file and print access), as well as Remote Procedure Call (RPC, used by most remote management tools and remote registry access) will only be available to the Guest account. In the Simple File Sharing model, file shares can be created so that access from the network is read-only, or access from the network is able to read, create, change, and delete files. Simple File Sharing is intended for use on a home network and behind a firewall, such as the one provided by Windows XP. If you are connected to the Internet, and are not operating behind a firewall, you should remember that any file shares you create might be accessible to any user on the Internet. Use Internet Connection Sharing (ICS) for shared Internet connections Windows XP provides the ability to share a single Internet connection with multiple computers on a home or small business network through the ICS feature. One computer, called the ICS host, connects directly to the Internet and shares its connection with the rest of the computers on the network. The client computers rely on the ICS host computer to provide access to the Internet. Security is enhanced when ICS is enabled because only the ICS host computer is visible to the Internet. To enable ICS, right-click an Internet connection in Network Connections, click Properties, click the Advanced tab, and then select the appropriate check box. You can also configure ICS by using the Home Networking Wizard. For more information about ICS, see Help and Support Center in Windows XP. Enable Internet Connection Firewall (ICF) Designed for use in the home or small business, Internet Connection Firewall (ICF) provides protection for Windows XP computers that are directly connected to the Internet, or for the computers or devices connected to the Internet Connection Sharing host computer that is running ICF. The Windows XP ICF makes use of active packet filtering, which means that ports on the firewall are dynamically opened only for as long as necessary to enable you to access the services you're interested in. To enable ICF, right-click an Internet connection in Network Connections, click Properties, click the Advanced tab, and then select the appropriate check box. You can also configure ICF by using the Home Networking Wizard. For more information about ICF, see Help and Support Center in Windows XP. Use account passwords Passwords should be assigned to individual accounts on Windows XP Home Edition computers that are accessed by multiple people who want to protect their data from each other. Windows XP home users get separate but accessible file storage by default, with optional password protection. When you create a password for yourself, Windows offers to lock down your "My Documents" folder, as well as any subfolders. That way, if you have a password and want privacy, you will be protected from other non-administrator users of the computer. Assigning account passwords will also prevent anyone from simply walking up to the computer and using it. Use the "Make Private" feature In the simple file sharing model, Windows does not directly expose the complexity of managing file access control lists to the user. Instead, the user interface features an option called "make private" which, when selected for a folder, will modify the underlying access control for that folder so that other non-administrative users cannot access it. This feature only works if the file system is NTFS. Install anti-virus software and updates
Page 1 and 2:
Mr.X.'s TWEAKING AND OPTIMIZING WIN
Page 3 and 4:
-Msdownld.tmp This one needs manual
Page 5 and 6:
If you have Windows 95/NT you can e
Page 7 and 8:
BootKeys=1 BootMenu=0 BootMenuDefau
Page 9 and 10:
Settings\Cache\History] "CachePath"
Page 11 and 12:
Similarly, open Internet Explorer,
Page 13 and 14:
g - Restart your computer once step
Page 15 and 16:
38. Keep IE crash free Here's a tip
Page 17 and 18:
44. Switch off Dos memory manager D
Page 19 and 20:
Data: D:\WIN95 58. Clear Recent Doc
Page 21 and 22:
Click on the property tab for this
Page 23 and 24:
Right-click in the right hand pane
Page 25 and 26:
By the use of this client software,
Page 27 and 28:
8. Want Real mode DOS back in Windo
Page 29 and 30:
Recommendation: This service will f
Page 31 and 32:
detect and/or recognize your hardwa
Page 33 and 34:
It should almost certainly benefit
Page 35 and 36: Click start. click settings. click
Page 37 and 38: Click Analyze, click ok, click Acti
Page 39 and 40: Nonbrowser. A nonbrowser is configu
Page 41 and 42: Private IP Addressing (APIPA) for p
Page 43 and 44: provides protected storage for sens
Page 45 and 46: If the service is turned off, RIS i
Page 47 and 48: enables NetBIOS name resolution. Pr
Page 49 and 50: 11. Adaptive Menus Microsoft Office
Page 51 and 52: 3. Speed up Internet Explorer 6 Fav
Page 53 and 54: Note that in doing this, you are co
Page 55 and 56: claimed for a ‘fixed’ page file
Page 57 and 58: When a NTFS drive is formatted it b
Page 59 and 60: Goto above key in registry and you
Page 61 and 62: To get Admin account on the "Welcom
Page 63 and 64: • Security is not opening attachm
Page 65 and 66: is not acceptable, and that anythin
Page 67 and 68: [-HKEY_LOCAL_MACHINE\System\Current
Page 69 and 70: exists on your NT machine (this key
Page 71 and 72: - Not found in a dictionary - Not d
Page 73 and 74: Alt - 119 = w Alt - 120 = x Alt - 1
Page 75 and 76: Alt - 0166 = ¦ Alt - 0167 = § Alt
Page 77 and 78: 11. Remove the default administrato
Page 79 and 80: These logs can contain sensitive da
Page 81 and 82: Right-click in the right hand pane,
Page 83 and 84: 57. Temporarily Assign Yourself Adm
Page 85: Install the appropriate post-Servic
Page 89 and 90: Caution If your computer is not in
Page 91 and 92: C:\inetpub\ftproot (FTP server) C:\
Page 93 and 94: MBR Work - www.terabyteunlimited.co
Page 95 and 96: Extreme Tech www.extremetech.com Fi
Page 97 and 98: IconFactory.com www.iconfactory.com
Page 99 and 100: Cable Modem Tips http://homepage.nt
Page 101 and 102: _Google _Google Image Search _Googl
Page 103 and 104: Boot other device This feature dete
Page 105 and 106: feature is a little different from
Page 107 and 108: ypass the compensation circuit and
Page 109 and 110: Therefore, using the latest video B
Page 111 and 112: So, for optimal performance, you sh
Page 113 and 114: second clock cycle before sending t
Page 115 and 116: SDRam RAS precharge time This featu
Page 117 and 118: The shorter the delay, the earlier
Page 119 and 120: CPU level 1 cache The modern proces
Page 121 and 122: MPS 1.1 was the original specificat
Page 123 and 124: Please note that even if you don't
Page 125 and 126: Advanced Settings tab of the associ
Page 127 and 128: However, this is not a surefire way
Page 129 and 130: This feature allows you to manually
Page 131 and 132: doubling the bandwidth of the proce
Page 133 and 134: When this feature is enabled, the s
Page 135 and 136: VLink 8X support V-Link refers to V
Page 137 and 138:
You will notice that the interrupts
Page 139 and 140:
AMD OVERCLOCKING - changing the mul
Page 141 and 142:
Examples of terminology used You wi
Page 143 and 144:
are much easier to use. No matter w
Page 145 and 146:
Hard drive limitations Overclocking
Page 147 and 148:
5.0x 500Mhz 560Mhz 620Mhz 665Mhz 5.
Page 149 and 150:
If you see copper, you've gone too
Page 151 and 152:
"PC" specification that SDRAM uses
Page 153 and 154:
Benchmarks allow you to measure you
show all

Tweaking Optimizing Windows.pdf - GEGeek

Create successful ePaper yourself

Delete template?

Save as template?