Tweaking Optimizing Windows.pdf - GEGeek

More documents

Recommendations

Info

To configure security zone settings: - On the Tools menu of Internet Explorer, click Internet Options, and then click the Security tab. - Click a security zone to select it and view its current settings. - Change the following settings as necessary: - Security Level. To change the security level for the selected zone to High, Medium, Medium-low, or Low, move the slider. The onscreen description for each level can help you decide which level to select. Sites. To add or remove Web sites from the zone, click the Sites button, and then click the Add or Remove button to customize your list of sites for the selected zone. Custom Level. For more precise control of your security settings, click the Custom Level button, and then select the options you want. For more detailed instructions, please see Setting up Security Zones. 63. Be Paranoid Don't panic, but be paranoid all the time. Take every security concern or oddball alert seriously. SECURING INTERNET INFORMATION SERVER (IIS) 1. Get these tools MS IIS lockdown tool Microsoft has released a new security tool that makes it simple to secure an IIS 4.0 or 5.0 web server. The tool, known as the IIS Lockdown Tool, allows web servers to quickly and easily be put into the right configuration - in which the server provides all of the services the administrator wants to provide, and no others. Customers can use this tool to instantly protect their systems against security threats that target web servers. The tool offers two operating modes. The default is Express Lockdown which, with a single mouse click, configures the server in a highly secure way that is appropriate for most basic web servers. For administrators who want to pick and choose the technologies that will be enabled on the server, the tool offers an Advanced Lockdown mode. A comprehensive help system provides information and recommendations for selecting the best configuration, and an undo facility allows the most recent lockdown to be reversed. Wondering whether it’s worth the time to use the tool? Consider this: a web server configured using the Express Lockdown would be completely protected against Code Red and virtually all known security vulnerabilities affecting IIS 4.0 and 5.0 - even without the patches for these vulnerabilities. I do, of course, recommend that all customers, even those running locked-down servers, continue to stay current on all security patches, but this vividly illustrates the value of the tool. http://search.microsoft.com/ Urlscan Security Tool Urlscan is a powerful security tool that works in conjunction with the IIS Lockdown Tool to give IIS Web site administrators the ability to turn off unneeded features and restrict the kind of HTTP requests that the server will process. By blocking specific HTTP requests, the Urlscan security tool prevents potentially harmful requests from reaching the server and causing damage. www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp 2. Set appropriate ACLs on virtual directories Although this procedure is somewhat application-dependent, some rules of thumb apply: File Type CGI (.exe, .dll, .cmd, .pl) Script files (.asp) Include files (.inc, .shtm, .shtml) Access Control Lists Everyone (X) Administrators (Full Control) System (Full Control) Everyone (X) Administrators (Full Control) System (Full Control) Everyone (X) Administrators (Full Control) System (Full Control) Static content (.txt, .gif, .jpg, .html) Everyone (R) Administrators (Full Control) System (Full Control) 3. Recommended default ACLs by file type Rather than setting ACLs on each file, you are better off creating new directories for each file type, setting ACLs on the directory, and allowing the ACLs to inherit to the files. For example, a directory structure might look like this: C:\inetpub\wwwroot\myserver\static (.html) C:\inetpub\wwwroot\myserver\include (.inc) C:\inetpub\wwwroot\myserver\script (.asp) C:\inetpub\wwwroot\myserver\executable (.dll) C:\inetpub\wwwroot\myserver\images (.gif, .jpeg) Also, be aware that two directories need special attention:
C:\inetpub\ftproot (FTP server) C:\inetpub\mailroot (SMTP server) The ACLs on both these directories are Everyone (Full Control) and should be overridden with something tighter, depending on your level of functionality. Place the folder on a different volume than the IIS server if you're going to support Everyone (Write), or use Windows 2000 disk quotas to limit the amount data that can be written to these directories. 4. Set appropriate IIS Log file ACLs Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are: Administrators (Full Control) System (Full Control) Everyone (RWC) This is to help prevent malicious users from deleting the files to cover their tracks. 5. Enable logging Logging is paramount when you want to determine whether your server is being attacked. You should use W3C Extended Logging format by following this procedure: Load the Internet Information Services tool. Right-click the site in question, and choose Properties from the context menu. Click the Web Site tab. Check the Enable Logging check box. Choose W3C Extended Log File Format from the Active Log Format drop-down list. Click Properties. Click the Extended Properties tab, and set the following properties: Client IP Address User Name Method URI Stem HTTP Status Win32 Status User Agent Server IP Address Server Port The latter two properties are useful only if you host multiple Web servers on a single computer. The Win32 Status property is useful for debugging purposes. When you examine the log, look out for error 5, which means access denied. You can find out what other Win32 errors mean by entering net helpmsg err on the command line, where err is the error number you are interested in. 6. Disable or Remove All Sample Applications Samples are just that, samples; they are not installed by default and should never be installed on a production server. Note that some samples install so that they can be accessed only from http://localhost, or 127.0.0.1; however, they should still be removed. The following lists the default locations for some of the samples. Sample Virtual Directory Location IIS Samples \IISSamples c:\inetpub\iissamples IIS Documentation \IISHelp c:\winnt\help\iishelp Data Access \MSADC c:\program files\common files\system\msadc - Remove the IISADMPWD Virtual Directory This directory allows you to reset Windows NT and Windows 2000 passwords. It is designed primarily for intranet scenarios and is not installed as part of IIS 5, but it is not removed when an IIS 4 server is upgraded to IIS 5. It should be removed if you don't use an intranet or if you connect the server to the Web. Refer to Microsoft Knowledge Base article Q184619 for more information about this functionality. - Remove Unused Script Mappings IIS is preconfigured to support common filename extensions such as .asp and .shtm files. When IIS receives a request for a file of one of these types, the call is handled by a DLL. If you don't use some of these extensions or functionality, you should remove the mappings by following this procedure: - Open Internet Services Manager. - Right-click the Web server, and choose Properties. - Click Master Properties - Select WWW Service, click Edit, click HomeDirectory, and then click Configuration - Remove these references: If you don't use... Web-based password reset Internet Database Connector (all IIS 5 Web sites should use ADO or similar technology) Server-side Includes Internet Printing Index Server Remove this entry: .htr .idc .stm, .shtm, and .shtml .printer .htw, .ida and .idq
Page 1 and 2:
Mr.X.'s TWEAKING AND OPTIMIZING WIN
Page 3 and 4:
-Msdownld.tmp This one needs manual
Page 5 and 6:
If you have Windows 95/NT you can e
Page 7 and 8:
BootKeys=1 BootMenu=0 BootMenuDefau
Page 9 and 10:
Settings\Cache\History] "CachePath"
Page 11 and 12:
Similarly, open Internet Explorer,
Page 13 and 14:
g - Restart your computer once step
Page 15 and 16:
38. Keep IE crash free Here's a tip
Page 17 and 18:
44. Switch off Dos memory manager D
Page 19 and 20:
Data: D:\WIN95 58. Clear Recent Doc
Page 21 and 22:
Click on the property tab for this
Page 23 and 24:
Right-click in the right hand pane
Page 25 and 26:
By the use of this client software,
Page 27 and 28:
8. Want Real mode DOS back in Windo
Page 29 and 30:
Recommendation: This service will f
Page 31 and 32:
detect and/or recognize your hardwa
Page 33 and 34:
It should almost certainly benefit
Page 35 and 36:
Click start. click settings. click
Page 37 and 38:
Click Analyze, click ok, click Acti
Page 39 and 40: Nonbrowser. A nonbrowser is configu
Page 41 and 42: Private IP Addressing (APIPA) for p
Page 43 and 44: provides protected storage for sens
Page 45 and 46: If the service is turned off, RIS i
Page 47 and 48: enables NetBIOS name resolution. Pr
Page 49 and 50: 11. Adaptive Menus Microsoft Office
Page 51 and 52: 3. Speed up Internet Explorer 6 Fav
Page 53 and 54: Note that in doing this, you are co
Page 55 and 56: claimed for a ‘fixed’ page file
Page 57 and 58: When a NTFS drive is formatted it b
Page 59 and 60: Goto above key in registry and you
Page 61 and 62: To get Admin account on the "Welcom
Page 63 and 64: • Security is not opening attachm
Page 65 and 66: is not acceptable, and that anythin
Page 67 and 68: [-HKEY_LOCAL_MACHINE\System\Current
Page 69 and 70: exists on your NT machine (this key
Page 71 and 72: - Not found in a dictionary - Not d
Page 73 and 74: Alt - 119 = w Alt - 120 = x Alt - 1
Page 75 and 76: Alt - 0166 = ¦ Alt - 0167 = § Alt
Page 77 and 78: 11. Remove the default administrato
Page 79 and 80: These logs can contain sensitive da
Page 81 and 82: Right-click in the right hand pane,
Page 83 and 84: 57. Temporarily Assign Yourself Adm
Page 85 and 86: Install the appropriate post-Servic
Page 87 and 88: Windows XP Home Edition Configurati
Page 89: Caution If your computer is not in
Page 93 and 94: MBR Work - www.terabyteunlimited.co
Page 95 and 96: Extreme Tech www.extremetech.com Fi
Page 97 and 98: IconFactory.com www.iconfactory.com
Page 99 and 100: Cable Modem Tips http://homepage.nt
Page 101 and 102: _Google _Google Image Search _Googl
Page 103 and 104: Boot other device This feature dete
Page 105 and 106: feature is a little different from
Page 107 and 108: ypass the compensation circuit and
Page 109 and 110: Therefore, using the latest video B
Page 111 and 112: So, for optimal performance, you sh
Page 113 and 114: second clock cycle before sending t
Page 115 and 116: SDRam RAS precharge time This featu
Page 117 and 118: The shorter the delay, the earlier
Page 119 and 120: CPU level 1 cache The modern proces
Page 121 and 122: MPS 1.1 was the original specificat
Page 123 and 124: Please note that even if you don't
Page 125 and 126: Advanced Settings tab of the associ
Page 127 and 128: However, this is not a surefire way
Page 129 and 130: This feature allows you to manually
Page 131 and 132: doubling the bandwidth of the proce
Page 133 and 134: When this feature is enabled, the s
Page 135 and 136: VLink 8X support V-Link refers to V
Page 137 and 138: You will notice that the interrupts
Page 139 and 140: AMD OVERCLOCKING - changing the mul
Page 141 and 142:
Examples of terminology used You wi
Page 143 and 144:
are much easier to use. No matter w
Page 145 and 146:
Hard drive limitations Overclocking
Page 147 and 148:
5.0x 500Mhz 560Mhz 620Mhz 665Mhz 5.
Page 149 and 150:
If you see copper, you've gone too
Page 151 and 152:
"PC" specification that SDRAM uses
Page 153 and 154:
Benchmarks allow you to measure you
show all

Tweaking Optimizing Windows.pdf - GEGeek

Create successful ePaper yourself

Delete template?

Save as template?