securing wireless networks
clark@hushmail.com | updates as needed
introduction

wireless networks are on the rise. wireless allows freedom of movement of computers(laptops) while retaining(within range) the network connection. wireless is "quick & easy" to set up as no wiring is required. however wireless is currently expensive relative to wired (~4x the price), vulnerable to (strong)frequency saturation interference, data transmissions are accessible off-site and wireless is currently slower than 100/1000 wired networking

like it or not, wireless will continue to rise. i take the stance that if it's wireless, it's like hanging your hub and cables out of the window for anybody to access. thus i have worked on securing a network as if somebody(unauthorized) has a machine connected. wep will not stop somebody for that long - thus assume the traffic is readable

this guide is intended for small networks, some methods can be used in larger situations, perhaps in slightly different ways. some methods may not be suited to your setup also, so adapt as needed. for increased security, much/all remote management is disabled, for larger networks(20+) this may not be an option. remember if you do not explain to your users in their language and possibly demonstrate the risks, they will not understand the why -> no why = whynot something else = possible insecurities. in this guide a certain level of trust is assumed between users

small typical setup: netbios file sharing is used to exchange files around. an internet connection is provided by a modem/isdn in one of the machines and proxied to the network - supplying http, https, pop, smtp, ssh and ftp (more services could be added, but these are the basics)

what follows are a series of suggestions that interlock with each other to create a secure system, they are not in any order so read all and understand before attempting

due to the width of this layout and the length of some command/registry keys there may be some <br>'s or wrapping in place where something should be one long string. if a registry key: keyname\...<br>...\subkeyname format will be used.

any mention of commercial products is done freely and only from current experience, there may be much better/more suited products available

disable drive$ and winnt$ shares

(2k/xp)start -> run -> regedit -> browse to: hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\ -> (rightclick)-> new -> dword -> name: autosharewks -> leave data as: 0

these shares are not required and could be a network entry point if an administrator level password is compromised

rename the builtin administrator and guest account

(2k/xp)start -> run -> lusrmgr.msc -> f2/rename
or:
(2k)start -> run -> secpol.msc -> \local policies\security options\rename x account
(xp)start -> run -> secpol.msc -> \local policies\security options\accounts: rename x account
suggest appending an extended character to the name, to stop a linux boot disk used in the usual way from resetting the password

these are two known default usernames - testing for weak account passwords requires a username to start with

use ntlm for network authentication

(2k)start -> run -> secpol.msc -> \local policies\security options\lan manager authentication level = send ntlm response only
(xp)start -> run -> secpol.msc -> \local policies\security options\network security: lan manager authentication level = send ntlm response only

lm is a little weak if hashes are captured and ntlm2 appears to have some problems 2k<->xp

use tcp/ip filtering

(2k/xp)start -> settings -> control panel -> network connections -> (rightclick)wireless network/local area connection -> properties -> (select) internet protocol (tcp/ip) -> properties -> advanced -> options -> (select) tcp/ip filtering -> properties. check enable tcp/ip filtering (all adaptors) settings as follows:

client machines = (permit only)tcp_ports=139 (permit only)udp_ports=500 (permit only)ip_protocols=50
equals: (some)netbios traffic, ipsec key exchange and ipsec traffic respectively

server(with the proxied internet connection) = (permit all)tcp_ports (permit only)udp_ports=500 (permit only)ip_protocols=50
the reason for permit all is ftp needing to connect to temp range ports after connection. if ftp is not used then ports allowed would probably be: 22(ssh) 25(smtp) 80(http/https) 110(pop) and 139(netbios)

firewalls tend to filter low down where ipsec traffic has not been decrypted

use full disk encryption

product suggestion: safe guard easy by utimaco(.com)

when setting up a new system on a machine some people use one large partition that fills the entire disk and store the system files and their data files within. backup to another storage medium is a good idea in case the disk is damaged physically or at a software level or if the machine is stolen/lost. as most people know, newly installed systems tend to run fairly well, but over time they can sometimes become a little slow with various updates/breaks etc, thus it is a good idea to create a full backup or image of the new system so it can be quickly restored. product suggestion: norton ghost from symantec.com - due to compression it is advisable to ghost before applying the encryption. ghosting to a cd is a good idea, however keeping a copy of the ghosted system on the disk is perhaps better in some situations - this requires that you create two partitions. two partitions has always seemed sensible to me: c:=os d:=data. if the system goes down, you can ghost from the data partition and access all your user data from d: on restore and not have to refer to the last backups, which could potentially lose a small amount of data. this is where the two different full disk encryption setups occur:

(a)one/two partitions fully encrypted
system is ghosted to another disk in another machine or to a dos/ghost supported mass storage device locally, the image is then (possibly)copied to cd.
all user data is backed up to another device, either removable or network
-> all system is restored from cd or another disk's hdd and the last user data backup is copied back. full disk encryption is applied again.

(b)two partitions; c:os encrypted only
system is ghosted to d: and perhaps copied to another location
all user data is stored on d:data and copied to another storage device or network.
-> the system partition is reformatted and ghosted from d:data - all user data is still accessible on d:data. full disk encryption is applied to c:os again.

one problem with (b) is that the data on d: will be unprotected by the encryption. however a virtually encrypted volume will be stored on d:data and the ghost could be created before sensitive data is added, this may be annoying on restore, thus the .gho file could be encrypted with a dos command line encryption program. product suggestion: tiny idea - from http://www.cypherspace.org/adam/rsa/idea.html a very simple program to use - to encrypt: idea3c + 2kpro.gho enter/verify password - to decrypt: idea3c - 2kpro.gho enter/verify password. encryption overwrites the existing file, keeping it secure, but vulnerable to corruption if the power is lost while de/encrypting. the encryption process is very fast, in one test 300mb of data were en/decrypted in ~11minutes - it is highly advisable to load smartdrv before running idea3c, since in an identical test as before, but without smartdrv the time was ~38minutes

setting up safe guard easy:
firstly disable any bios antivirus such as trend chipawayvirus - it will complain. this setup was done for v3.10.2 service release 1, there may be some differences with the current version.

installation type = complete system
secure auto logon (uncheck)
configuration file wizard (uncheck)
response code wizard (uncheck)
define system setting interactively

select encryption mode:
the 'standard' mode encrypts complete hard disks
the 'partitioned' mode encrypts hard disk partitions
the 'boot protection' encrypts special areas of hard disk partition

if (a) choose either standard or partitioned(encrypt all partitions)
if (b) choose partitioned

workstation settings: review all settings, the defaults are quite sensible though

setup user configuration: pay close attention here - these are the user accounts required at bootup and for configuration later in the windows gui. unfortunately the user system cannot be renamed or removed -> system\password settings\password definition\ - set a decent password (<=16char)

delete the existing default user account and create a new one for the regular windows user. set a decent password or temp password for the user to change later

setup encryption: expand hard disk drives
-> algorithm -> select a suitable one eg: aes-256
-> key -> random key/or type a key(<=32char) -> set key -> ok
-> drives -> double click on the system drive c: - a key should appear next to the partition

setup master boot record: review all settings, the defaults are quite sensible though
install - yes, i want to reboot the computer now

the computer will reboot normally and then reboot again at bootexecute - at logon another dialog will appear indicating the disk encryption process - logon and the encryption process will begin. this may take a while depending on the partition/disk size - though it's pretty quick considering. once finished and when you reboot next, the sge logon will appear, after the bios post. at next windows logon a dialog will appear asking if you want to backup the kernel and copy the safeguard easy emergency tools - this is highly recommended - backup to a bootable floppy. administration of the user account and other settings can be done via the start menu - login as system

when something goes wrong or you want to restore the ghost image - boot from a fd/cd -> fdisk/mbr -> use fdisk or part241 to recreate the c:os partition, format and reboot from fd/cd - decrypt the gho file and ghost from d: to c: reboot into the os. perhaps add any updates that you would like to keep when you next ghost again - reghost and encrypt the gho file. reapply full disk encryption

prevents system compromises when the machine is powered down

setup an internet proxy

if you have a couple of users it is practical to use a proxy so that all can access the internet. although xp has some internet sharing features they do not seem to work on 2k. product suggestion: winroute lite by kerio technologies is a good nat(proxy), unfortunately nat doesn't seem to work over an ipseced network so a proper proxy is needed for now. product suggestion: ccproxy by youngzsoft(.net) very simple program to use - though a little resource editing improves appearances. one thing to note is that even with auto disconnect some very messed up connections can keep the connection open, so check for this when first using

-> options ->
mail = checked
dns = checked
remote dial-up = checked
auto hide = checked
port map = i added the ip of my hosting company, tcp and local/remote port 22 for ssh
http/rtsp = checked = 80
secure = checked = 80
ftp(web) = checked = 80 (unsure if this really works, or is it just me here?)
ftp = checked = 21
autodetect = checked
nt service = checked
advanced = isp setup in network connections - add the username and password here also
idle disconnect minutes = 5
enable autodial = checked - also for web/mail/ftp (the custom ssh port map will not start a connection so you will need to trigger it)
miscellaneous -> web sites for online checking = .
-> account -> new -> add all machines with names, ips and macs here -> permit category: permit only - auth type: ip+mac

the client settings:

internet explorer and outlook(express) are considered insecure to me. if you must use them, configure them to the most secure possible settings and use av and keep them constantly up-to-date. not that they are "bad" browsers/email clients, it's just that there seem to be a worrying number of exploits/slowpatches for these pieces of software.

product suggestion: opera(.com) a small, fast browser with integrated email client. opera has always been a favourite - since it started out there have been very few security risks and those that were discovered were acknowledged and very quickly patched. spend some time configuring the layout as there are a lot of options. visit http://my.opera.com/customize/skins/ for a better look also, personally phoenity 2.8 is very nice. opera -> file -> preferences -> proxy servers -> enter in the http and https settings. opera -> mail -> new account -> (select) regular e-mail (pop) -> next -> enter your name and email address -> next -> login name = username#remotepopserver eg: foo#66.113.130.212 - password = whatever -> next -> incoming and outgoing mail server = the ip of the proxy -> finish. opera -> email -> manage accounts -> select your account -> edit -> check the settings -> servers - outgoing smtp server: enter username: #remotesmtpserver and the logon password.

since ftp does not seem to work too well in the browser a stand alone ftp client is required. this is a little annoying, the fact that one would need to switch programs to access a ftp download, however many downloads are provided via http and connecting to some ftp servers is quite interesting - there are normally other files and folders accessible that may be of use. product suggestion: ws_ftp from ipswitch(.com) -> wsftp -> enter in the general information as standard, anonymous if no logon details -> firewall -> check use firewall -> enter the ip of the proxy here and the port number 21 -> firewall type = user with no logon.

ssh - for securely accessing servers to run commands and do secureftp. product suggestion: securefx from vandyke(.com) simply enter in the ip of the proxy and the port mapping will forward on the request.

one thing about having an internet connection is keeping it clean - ie no unwanted traffic triggering the dialup or leaking information and wasting time. though the machines are considered secure there are some very annoying windows components that like to gossip online, particularly xp. this should only be a problem if you configured internet options in control panel/internet explorer to point to the proxy or dial a connection.

a few such items:
xp: start -> search -> for files or folders -> change preference -> change internet search behaviour -> check classic internet search (&google)
xp: hkey_local_machine\software\microsoft\windows\currentversion\policies\...
    ...\system\nointernetopenwith=1
xpsp1: hkey_local_machine\system\currentcontrolset\services\mrxdav\start=4
xp: simply pressing f1 on the desktop/within windows explorer - "the did you know?" section
2k/xp: due to the "integration" of windows explorer with internet explorer and the lack of dns due to disabled netbios broadcast, all local machines that are going to be accessed for netbios shares will need their ips entered here: -> start -> run -> inetcpl.cpl -> connections -> lan settings -> advanced -> exceptions - do not use proxy server for addresses beginning with: - strangely ie does not use the proxy if on the local machine if connected, causing the proxy to drop the connection.
2k/xp: start -> run -> sysdm.cpl -> automatic updates = disabled - disable the service also.
xp: timedate.cpl -> internet time -> uncheck automatically synchronize with an internet time server
xp: shut down and disable the windows messenger program

use wep encryption

i chose netgear(ma401/ma311) 802.11b wireless cards, included with the drivers is a wep configuration program - though xp has some wep configuration builtin. select 128bit for the keylength/encryption. use a secure "random" key, such as: 8E,0D,79,05,6C,26,D9,D1,72,8C,AA,23,DA. the key is stored here hkey_local_machine\system\currentcontrolset\control\class\...
...\{4d36e972-e325-11ce-bfc1-08002be10318}\0000(+1dec)\ and here: hkey_local_machine\software\netgear\wlan\profiles\ - pci=plaintext(in class) pcmcia=encryption(strength unknown) - setup auditing for failed access and allow only administrator/system access to these (sub)keys. in the configuration set a custom/network wide network name(ssid) and set the network mode to ad-hoc (or peer-to-peer)

wep is considered a little insecure, but it's a good idea to implement it and update the keys regularly since they are static and network wide trust is assumed.

do not display last username

(2k)start -> run -> secpol.msc -> \local policies\security options\do not display last user name in logon screen = enabled
(xp)start -> run -> secpol.msc -> \local policies\security options\interactive logon: do not display last user name in logon screen = enabled

previous logon usernames could be viewed

use 128 bit encryption

apply the high encryption floppy disk, download the standalone update, install sp4 or update ie browser to version 6.

40/56bit is a little weak for efs/ssl - if used in ie.

update syskey to mode 2

(2k/xp)start -> run -> syskey -> update -> (check)password startup.

some bypass methods exist if syskey is stored locally and not all laptops have floppy drives

use fixed ip addresses

(2k/xp)start -> settings -> control panel -> network connections -> (rightclick)wireless network/local area connection -> properties -> (select) internet protocol (tcp/ip) -> properties -> (select) use the following ip address. internal network ip can be in the following ranges: 10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
set subnet mask: 255.255.255.0

there are weaknesses in dhcp and it keeps machines independent

require ctrl+alt+del to logon

(2k)start -> run -> secpol.msc -> \local policies\security options\disable ctrl+alt+del requirement for logon = disabled
(xp)start -> run -> secpol.msc -> \local policies\security options\interactive logon: do not require ctrl+alt+del = disabled

keeps password more secure

keep two accounts: user account for real use and an administrator to administer settings/updates only

(2k/xp)start -> run -> lusrmgr.msc

if unwanted code is run by the logged on user eg, via browser it will run with restricted privileges

setup a passworded screen saver

(2k/xp)start -> run -> desk.cpl -> screen saver -> (select)one and (check)password protected/on resume, password protect. set the wait to an appropriate length of time eg, 5mins. n.b: the lock does not activate until approx 5 seconds after the screensaver begins.

unattended machines that have not been ctrl+alt+del->lockcomputer or win+l are a risk from passers-by

use a firewall

product suggestion: visnetic by deerfield(.com)
the new version 2 has some slight problems(imo), suggest using the previous version 1.2 available here: ftp://ftp.deerfield.com/pub/visnetic/firewall/download/setup-vf1.2-rc8.exe

view -> settings
startup -> (check) start visnetic firewall automatically
shutdown -> (uncheck) confirm firewall shutdown
when running -> filter
when not running -> block all traffic (this feature is a major reason why this product was chosen - most firewalls do not load quick enough)

wireless network/local area connection -> configuration -> (check)filter traffic on this adaptor -> advanced:
common protocols = (check)block and log
all other ip protocols = (uncheck)block and do not log (you may want to log here, but ipsec traffic will fill the logs)
other protocols = (check)block and do not log (you may want to log here)

rules -> udp -> new -> description: ipsec key exchange - protocol this rule applies to: udp - filter data going: in&out - disabled = unchecked
local address must match: my address (or address/mask= your ip/255.255.255.255) - local port must be: one number: 500
remote address must match: address range (enter the range of your network) - remote port must be: one number: 500
block incoming fragments: checked
when a packet matches: allow - logging: log

additional rules for the machine with the internet proxy on:
dial-up adaptor -> configuration -> (check)filter traffic on this adaptor -> advanced:
common protocols = (check)block and log
all other ip protocols = (check)block and log
other protocols = (check)block and log

rules -> arp -> new -> description: arp - protocol this rule applies to: arp - filter data going: in&out - disabled = unchecked
local address must match: my address
remote address must match: all addresses
rule applies always
when a packet matches: allow - logging: log

rules -> udp -> new -> description: dns - protocol this rule applies to: udp - filter data going: in&out - disabled = unchecked
service = dns (options are automatically selected - review) change address must match to address range and enter your isps dns range.
block incoming fragments: check
when a packet matches: allow - logging: log

rules -> tcp -> new -> description: ftp temp range - protocol this rule applies to: tcp - filter data going: in&out - disabled = unchecked
local address must match: my address - local port must be: 1024-65535
remote address must match: all addresses - remote port must be: 1024-65535
block incoming fragments: check - block incoming connections: check
when a packet matches: allow - logging: log

rules -> tcp -> new -> description: ftp & ssh - protocol this rule applies to: tcp - filter data going: in&out - disabled = unchecked
service = ftp client (options are automatically selected) change remote port to: in the range: 21 to 22
block incoming fragments: check - block incoming connections: check
when a packet matches: allow - logging: log

rules -> tcp -> new -> description: smtp - protocol this rule applies to: tcp - filter data going: in&out - disabled = unchecked
service = email(smtp) (options are automatically selected - review)
block incoming fragments: check - block incoming connections: check
when a packet matches: allow - logging: log

rules -> tcp -> new -> description: http - protocol this rule applies to: tcp - filter data going: in&out - disabled = unchecked
service = web browsing (http) (options are automatically selected - review)
block incoming fragments: check - block incoming connections: check
when a packet matches: allow - logging: log

rules -> tcp -> new -> description: pop3 - protocol this rule applies to: tcp - filter data going: in&out - disabled = unchecked
service = email (pop3) (options are automatically selected - review)
block incoming fragments: check - block incoming connections: check
when a packet matches: allow - logging: log

rules -> tcp -> new -> description: https - protocol this rule applies to: tcp - filter data going: in&out - disabled = unchecked
service = secure http (options are automatically selected - review)
block incoming fragments: check - block incoming connections: check
when a packet matches: allow - logging: log

filters the connection online and safeguards the local network connection while starting up and running, stopping arp/netbios spoofed traffic. these counter measures need to be worked around

importing arp tables

make a list of the mac addresses and their respective ips of all the machines that you want to communicate with on the local network. create a batch file like this:

arp -s 192.168.0.1 00-09-5b-40-9f-2f
arp -s 192.168.0.2 00-09-5b-54-cc-56
arp -s 192.168.0.3 00-09-5b-54-cc-6e

save to c:\windows\system32\grouppolicy\machine\scripts\startup\
(2k/xp)start -> run -> gpedit.msc -> \computer configuration\windows settings\scripts(startup/shutdown)\ -> (doubleclick)startup -> add -> browse -> select the batch file -> ok.

spoofed arp packets can disable networking at startup and/or stop a connection when running, plus be the start of other compromise
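
an added example, not part of the original guide: a python helper that checks the ip/mac list before it is turned into the startup batch file, since a single mistyped entry pins the wrong address at every boot. the inventory format (one "ip mac" pair per line), the function names and the rule that a mac may appear only once are assumptions of this example.

```python
import ipaddress
import re

# constructed inventory: the three ip/mac pairs from the batch file above,
# one "ip mac" pair per line (format assumed for this example)
INVENTORY = """\
192.168.0.1 00-09-5b-40-9f-2f
192.168.0.2 00-09-5b-54-cc-56
192.168.0.3 00-09-5b-54-cc-6e
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$")

# the internal ranges listed under "use fixed ip addresses"
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_inventory(text):
    """return [(ip, mac), ...]; raise ValueError naming the first bad line."""
    entries, seen_ip, seen_mac = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # allow comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'ip mac'")
        # accept 00:09:5b:.. as well and normalise to the form arp -s takes
        ip_text, mac = parts[0], parts[1].lower().replace(":", "-")
        try:
            ip = ipaddress.IPv4Address(ip_text)
        except ValueError:
            raise ValueError(f"line {lineno}: bad ip {ip_text!r}") from None
        if not any(ip in net for net in INTERNAL):
            raise ValueError(f"line {lineno}: {ip} is not an internal address")
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad mac {mac!r}")
        if int(mac[:2], 16) & 1:
            # lowest bit of the first octet set = broadcast/multicast address,
            # which can never belong to a single machine
            raise ValueError(f"line {lineno}: {mac} is a group address")
        if str(ip) in seen_ip or mac in seen_mac:
            # assumption: one fixed ip per card, so a repeat is a typing error
            raise ValueError(f"line {lineno}: duplicate ip or mac")
        seen_ip.add(str(ip))
        seen_mac.add(mac)
        entries.append((str(ip), mac))
    return entries


def build_batch(entries):
    """return the text of the startup batch file, with dos line endings."""
    lines = ["@echo off"] + [f"arp -s {ip} {mac}" for ip, mac in entries]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_batch(parse_inventory(INVENTORY)), end="")
```
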

netbios file sharing

due to the restrictions set by the firewall, local network access will be a little different. access will be direct via mapped drives (this is because of the freezes when folder-upping a \\machine\ via explorer to a workgroup that doesn't really exist). mapped drives can be accessed via command line, though they can freeze for a short time on remote loss of connection. work out which machines need to communicate for shared files with each other. for each one create a batch file as follows - customize:

<!-- begin join tosh (host os is xp) -->
@echo off
if exist z: goto connected
echo Connecting to Tosh...
net use /persistent:no Z: \\192.168.0.3\sharename /user:tosh\administrator pass >nul
if not exist z: goto failed
if exist z: echo Successfully Connected.
:connected
explorer.exe z:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\...
...\##192.168.0.3#one /v _LabelFromReg /t REG_SZ /d Tosh /f >nul
goto exit
:failed
echo Connection to Tosh failed
pause
:exit
<!-- end join tosh (host os is xp) -->


for 2k, copy reg.exe from c:\windows\system32\ on xp and place in c:\winnt\system32\
<!-- begin join gigahertz (host os is 2k) -->
@echo off
if exist z: goto connected
echo Connecting to Gigahertz...
net use /persistent:no z: \\192.168.0.1\sharename /user:gigahertz\administrator pass >nul
if not exist z: goto failed
if exist z: echo Successfully Connected.
:connected
explorer.exe z:
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\...
...\MountPoints\Z\_LabelFromReg /v Cache /t REG_BINARY /d 470069006700610068006500720074007a00 /f >nul
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\...
...\MountPoints\Z\_LabelFromReg /v Version /t REG_DWORD /d 3 /f >nul
goto exit
:failed
echo Connection to Gigahertz failed
pause
:exit
<!-- end join gigahertz (host os is 2k) -->

if you do not want to include the password, replace line4 like so: net use Z: \\192.168.0.3\one /user:libretto\administrator * (remember that local logon credentials will be attempted first, adding to unwanted failures in the audit logs). the batch files are to be stored in an encrypted volume with/without efs, so including the password should not be a problem. create a favorites shortcut in windows explorer to this batch file for quick access, giving the shortcut the name of the remote machine. also change the icon to something nice ie mstsc.exe - or customize: example 470069006700610068006500720074007a00 = the name of the machine, that will be the drive label in explorer - text is in unicode(hex)

do not use the same password to logon locally as to logon remotely - if the other machine is compromised, your machine will remain secure.

spoofed packets could be sent to netbios broadcast. broadcast packets are not secured with ipsec

deny enumeration of accounts and shares

(2k)start -> run -> secpol.msc
-> \local policies\security options\additional restrictions for anonymous connections = do not allow enumeration of sam accounts and shares

(xp)start -> run -> secpol.msc
-> \local policies\security options\network access: do not allow anonymous enumeration of sam accounts and shares = enabled

usernames and share names can be retrieved remotely without authenticating this way

additional auditing and registry permissions

(2k/xp)start -> run -> secpol.msc
-> \local policies\audit policy\audit account logon events = success=checked - failure=checked
-> \local policies\audit policy\audit account management = success=checked - failure=checked
-> \local policies\audit policy\audit object access = success=unchecked failure=checked

(2k)start -> run -> regedt32 -> browse to the following keys:
(xp)start -> run -> regedit -> browse to the following keys:
-> hkey_local_machine\software\policies\microsoft\windows\ipsec\policy\local\
-> hkey_local_machine\software\netgear\
-> hkey_local_machine\system\currentcontrolset\control\class\{4d36e972-e325-11ce-bfc1-08002be10318}\xxxx\

the first registry key holds the ipsec keys. the second and third hold the wep keys. the location will vary - check. xxxx will be something like 0010 (incrementing by 1 decimally) check the string value driverdesc within for your wireless card.

(2k)for each respective key -> security -> permissions -> advanced -> (uncheck)allow inheritable permissions from parent to propagate to this object -> remove -> add -> select(separately) the builtin administrator and system accounts -> ok -> apply onto: this key and subkeys - permissions: (check all under)allow -> ok.
auditing -> add -> select: everyone -> ok -> apply onto: this key and subkeys - auditing: (check all under)failed -> ok/ok

(xp)for each respective key (rightclick) -> permissions -> advanced -> (uncheck)inherit from parent the permissions entries that apply to child objects. include these entries explicitly defined here -> remove -> add -> advanced -> find now -> select(separately) the builtin administrator and system accounts -> ok -> apply onto: this key and subkeys - permissions: full control: allow -> ok.
auditing -> add -> advanced -> find now -> select: everyone -> ok/ok -> apply onto: this key and subkeys - auditing: full control: failed -> ok/ok.

setup an auditlog/permissions on sensitive objects for during/post(possible) compromises. using full object access produces way too many entries(file/regmon style) in event log thus only very specific things can be logged effectively which is a major disappointment

(use) antivirus(av) software

i have never really been a fan of av. stop viruses running in the first place was my stance and i have never had a problem, most av are not good enough anyhow as they rely on software signatures via numerous updates. if you chose to run dodgy/untrusted programs then strongly consider running av. product suggestion: avp from kaspersky(.com)

rogue programs could compromise system security

disable infrared ports(laptops)

(2k/xp)start -> run -> devmgmt.msc -> infrared devices\%modelname%\ -> (rightclick)disable -> yes.

ir is not considered a major risk, but if it's not going to be used: disable it

enforce decent passwords

(xp/xp)start -> run -> secpol.msc -> \account policies\password policy\
-> minimum password length = passwords must be at least: 8 characters
-> passwords must meet complexity requirements = enabled

weak passwords are a major risk - as are strong ones that are written down(insecurely) so choose carefully

restrict which programs can run

(2k)allowed programs are set on a user basis. since users do not have permission to set the values themselves you will need to load their personal registry hive or the default user hive(if restricted profiles are to be created after - it would be advisable to do both, since a new (insecure)profile may be created if there was a problem with the original one). start -> regedt32 -> switch to the hkey_users on local machine window -> (select)the hkey_users key -> registry -> load hive -> browse to the user profile in c:\documents and settings\%username%\ or browse to the default user profile in c:\documents and settings\default user\ -> select and open ntuser.dat -> for the key name use the username/default(orwhatever) -> the hive should load as a subkey of hkey_users

browse to hkey_users\%whatever%\software\microsoft\windows\currentversion\...
...\policies\explorer\ -> edit -> add value -> value name: restrictrun - data type: reg_dword - ok -> data: 1 - ok. this is the on/off switch for this setting, 1=enabled 0=disabled. edit -> add key -> keyname: restrictrun - leave class blank - ok.

browse to hkey_users\%whatever%\software\microsoft\windows\currentversion\...
...\policies\explorer\restrictrun\ -> edit -> add value -> the value name can be whatever you want, suggest using decimally incrementing numbers - data type: reg_sz - ok -> the string value should be the name of the executable file that you want to allow to run eg: notepad.exe - ok. repeat this paragraph step adding all allowed programs. when finished select the key hkey_users\%whatever% -> registry -> unload hive -> yes.

explorer.exe and userinit.exe do not have to be added. this is because explorer.exe is stated as the shell, and userinit.exe is launched through it - thus setting the shell to cmd.exe makes the restriction obsolete. the shell setting is located here: hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\shell=explorer.exe(probably) taskmgr.exe is allowed to override setting restrictrun and run. on running programs the system will check the filename with the restrictrun key list - this means that other files can easily be renamed to match a file in the allowed list(the shell name cannot be used). this setting is not that secure at all, but it may stop some. creative use of ntfs permissions may be the way to go

(xp)the previously mentioned restrictrun can also be applied to xp, however xp adds a more secure method
start -> run -> secpol.msc -> \software restriction policies\ -> if: no software restriction policies defined -> rightclick on the key - create new policies. doubleclick enforcement -> probably a good idea to change the lower option so that the restrictions do not apply to local administrators, since these policies cannot(possible, though not intended perhaps) be applied to individual users. ok -> \software restriction policies\security levels\ -> rightclick disallowed -> set as default -> yes. \software restriction policies\additional rules\ -> rightclick the key or right side -> new hash rule.. -> browse -> browseto/select the allowed exe file -> open -> security level: unrestricted - good idea to set a description as the program path and name for reference later - ok. repeat this last step to include all programs allowed to run by the user. note very carefully that in this case you must add the shell program here, if you are sticking to explorer.exe then remember to add it and userinit.exe - if you are denied logon and/or access to change the policy, reboot into safemode and login as administrator. some services may need to be added also, check the event log after applying this policy. with service pack 1 the .lnk extension needs to be removed for shortcuts to function: \software restriction policies\ -> doubleclick designated file types -> select the lnk entry -> delete -> yes -> ok. taskmgr.exe also needs to be added as it cannot function via shortcut keys but can if run directly in explorer. probably a good idea to run process explorer from sysinternals(.com) before setting up this policy to determine all exe files requiring to be added

stops unwanted programs from running, like viruses or backdoors etc
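
the difference between the two methods above, as an added example (not part of the original guide): a name-only check in the style of restrictrun next to a content-hash check in the style of an xp hash rule, including the case where an allowed program is updated and its hash rule has to be re-created. the file contents are constructed stand-ins and sha-256 is this example's own choice of digest.

```python
import hashlib
import ntpath

# constructed stand-ins for executables on disk: path -> file contents
FILES = {
    r"c:\winnt\system32\notepad.exe": b"notepad build 1 (constructed)",
    r"c:\temp\unwanted.exe": b"unwanted program (constructed)",
    r"c:\temp\notepad.exe": b"unwanted program (constructed)",  # same bytes, renamed
}
GENUINE = r"c:\winnt\system32\notepad.exe"

def digest(data):
    # sha-256 is an assumption of this example, not what windows stores for a hash rule
    return hashlib.sha256(data).hexdigest()

def name_rule_allows(path, allowed_names):
    """restrictrun-style decision: only the file name is compared."""
    return ntpath.basename(path).lower() in {n.lower() for n in allowed_names}

def hash_rule_allows(path, allowed_hashes, files=FILES):
    """hash-rule-style decision: the file contents must match an approved digest."""
    return digest(files[path]) in allowed_hashes

def compare(files=FILES):
    """return {path: (name rule result, hash rule result)} for every sample file."""
    allowed_names = ["notepad.exe"]
    allowed_hashes = {digest(files[GENUINE])}
    return {p: (name_rule_allows(p, allowed_names),
                hash_rule_allows(p, allowed_hashes, files))
            for p in files}

def after_update():
    """a patched notepad.exe keeps its name but not its digest."""
    approved = {digest(FILES[GENUINE])}      # rule created before the update
    patched = dict(FILES)
    patched[GENUINE] = b"notepad build 2 (constructed)"
    return (name_rule_allows(GENUINE, ["notepad.exe"]),
            hash_rule_allows(GENUINE, approved, patched))

if __name__ == "__main__":
    for path, (by_name, by_hash) in compare().items():
        print(f"{path:32} name rule: {by_name!s:5}  hash rule: {by_hash}")
    print("after update (name, hash):", after_update())
```
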

use ipsec

(2k/xp)this can be configured via gui -> start -> run -> secpol.msc -> \ip security policies on local computer\ though i find it quicker via cmd. 2k download ipsecpol_setup.exe from microsoft: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp - xp on the oem cd \support\tools\support.cab:ipseccmd.exe (good idea to copy/install them to the system32 folder) -> read through the entire help files(ipsecpol-d.htm and/or ipseccmd/ipsecpol /? >ipsec.txt) to understand all the settings. first remove all the preset ipsec policies etc, this can be done via the gui, but some entries remain, thus use the registry -> start -> run -> regedit -> browse to: hkey_local_machine\software\policies\microsoft\windows\ipsec\policy\local\ delete the string value activepolicy if present and then delete all the subkeys (appended by a guid: ipsecpolicy, ipsecnfa, ipsecnegotiationpolicy, ipsecisakmppolicy, ipsecfilter) -> start -> run -> cmd. ipsec can be made secure in one of 3 ways. 1. active directory default (kerberos v5 protocol) 2. use a certificate from this certification authority (ca) 3. use this string (preshared key) - since this is for small networks, preshared key is preferable. the length and complexity you set is up to you, but i use 16 bytes(128bit) of random hex data(much can be used: 60,000 bytes). this shared key can be set network wide, but for security reasons, i prefer to set, along with an ip filter, a different key for each machine that one machine will communicate with. if one machine is compromised, the remaining network traffic will remain secure, even though the wep keys will be known(which they probably will anyhow)

machine 1. gigahertz running xp with ip of 192.168.0.100
machine 2. libretto  running 2k with ip of 192.168.0.110

(run on gigahertz machine) ipseccmd -w REG -r "libretto" -p "securenet" -f 192.168.0.100+192.168.0.110 -n ESP[3DES,SHA]300S/20480KPFS -a PRESHARE:"BCDF5F434956FA182E5C1B4FDDBC89B7" -lan -1s 3DES-SHA-2 -1p -1k 300S -x

(run on libretto machine) ipsecpol -w REG -r "gigahertz" -p "securenet" -f 192.168.0.110+192.168.0.100 -n ESP[3DES,SHA]300S/20480KPFS -a PRESHARE:"BCDF5F434956FA182E5C1B4FDDBC89B7" -lan -1s 3DES-SHA-2 -1p -1k 300S -x

this will setup/assign a secure channel between the two computers. to add other computers simply vary the machine names, ip address and preshared key and run on both. probably a good idea to update these keys, to narrow the window of ipsec decodable transmissions from a rogue computer that has matched the key and is running netcocoon analyzer http://www.nais-netcocoon.com/eng/analyzer/overview/top/index.html - review the policy via gui. (delete the dynamic entry via registry)
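
one way to produce the per-pair commands when there are more than two machines, as an added example (not part of the original guide): it draws a fresh 16 byte key for every pair of machines and prints the mirrored command line for each side, using the same switches as the two commands above. the third machine "thirdbox" and its address are hypothetical.

```python
import itertools
import secrets

# name -> (ip address, os). gigahertz and libretto are the guide's two machines;
# "thirdbox" and its address are hypothetical, added to show more than one pair
MACHINES = {
    "gigahertz": ("192.168.0.100", "xp"),
    "libretto": ("192.168.0.110", "2k"),
    "thirdbox": ("192.168.0.120", "xp"),
}
TOOL = {"xp": "ipseccmd", "2k": "ipsecpol"}  # tool per os, as in the guide

def new_psk(nbytes=16):
    """16 random bytes (128 bit) from the os csprng, as upper-case hex."""
    return secrets.token_hex(nbytes).upper()

def command(local, peer, psk, machines=MACHINES):
    """the guide's command line, from the point of view of `local`."""
    local_ip, local_os = machines[local]
    peer_ip, _ = machines[peer]
    return (f'{TOOL[local_os]} -w REG -r "{peer}" -p "securenet" '
            f'-f {local_ip}+{peer_ip} -n ESP[3DES,SHA]300S/20480KPFS '
            f'-a PRESHARE:"{psk}" -lan -1s 3DES-SHA-2 -1p -1k 300S -x')

def build_plan(machines=MACHINES):
    """one fresh key per unordered pair; each side gets the mirrored command."""
    plan = {name: [] for name in machines}
    keys = {}
    for a, b in itertools.combinations(sorted(machines), 2):
        psk = keys[(a, b)] = new_psk()
        plan[a].append(command(a, b, psk, machines))
        plan[b].append(command(b, a, psk, machines))
    return plan, keys

if __name__ == "__main__":
    plan, _ = build_plan()
    for name, commands in plan.items():
        print(f"(run on {name} machine)")
        for line in commands:
            print("  " + line)
```
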

wep will be broken at some point, ipsec encrypts and signs *most* (all(not key exchange) allowed traffic on this network setup) packets so that an unauthorized third party cannot read or modify them. software developers: make an ipsec plugin for 9x - it will do well

use file encryption

2k and xp have file encryption builtin to the file system, it enables file contents to be secured via certificate and the users logon password. users simply start using encryption and the keys are automatically created. unfortunately there are some draw backs to efs, particularly in cross 2k/xp computers. examples: extra users cannot be added easily in 2k that are allowed to decrypt a file. even if users are added in xp, and the certificate installed on another machine the files cannot be opened via the network in xp, files have to be backed up and copied across and then decrypted - a major draw back to the ease in 2k. 2k has a weakness in the authentication in that the encryption relies on the syskey not the password, thus it could be changed and access to the files granted, the counter is to set syskey in mode 2, though this maynot be practical if more than one person is using the computer. fyi: cached domain logins are *believed* to be securer though recently todd sabin made a program called hashpipe (not publicly released) to dump domain credentials - we are dealing with small, non-domain networks here though. in 2k there has to be a recovery agent setup for efs to function, (by default this is the builtin administrator) which could be a security problem though a new recovery agent could be setup only via a public key .cer file and the pfx destroyed. xp uses a different encryption algorithm with sp1 by default which 2k cannot understand, there are settings to keep the older one though. another drawback is you cannot setup a folder within which efs is automatically(prompt ok?) removed, thus if you want to share some files in a different folder you have to manually unencrypt them on copying them to the shared folder. if you do decide to use efs make sure that you backup your cer/pfx files to a secure third party media - make sure you check that they work before trying to restore later

because of the slight drawbacks in efs i would recommend a different form of encryption. product suggestion: pgpdesktop from pgp(.com) - pgp provides good tried and tested encryption. files can be encrypted separately, or in archives, text can be encrypted and signed for email etc - and for securing files locally, a virtual volume can be created, which is an encrypted file, that holds a file system within, that can be mounted as a drive or folder. the file system handles just like an ordinary drive, thus shares can be added to folders. like efs, remember to backup your secure keyrings - suggest backup/store on virtual drive(use conventional encryption on the drive). another advantage with encrypted volumes is backup, simply unmount the drive while logged on and copy one large file to another location. one large file is much quicker than many small ones, due to file system handling. pgp really is very simple to setup(thus no step-by step) and is an exceedingly good program

if full disk encryption or ipsec is compromised or you want to communicate content securely with users outside of the network, file/text encryption/signing will keep what needs to be secure, secure

update the remaining user rights assignment

just some extra updates to security that are preferred -> start -> run -> secpol.msc or regedit

\local policies\user rights assignment\access this computer from the network = list only specific users
\local policies\user rights assignment\backup files and folders = nobody
\local policies\user rights assignment\change system time = specific administrator
\local policies\user rights assignment\deny access to this computer from the network = guest
\local policies\user rights assignment\deny logon locally = guest
\local policies\user rights assignment\log on locally = specific users
\local policies\user rights assignment\shutdown the system = specific users

\local policies\security options\(devices:) prevent users from installing printer drivers = enabled
\local policies\security options\(devices:) restrict cd-rom access to locally logged-on user only
\local policies\security options\(devices:) restrict floppy access to locally logged-on user only
\local policies\security options\network access: named pipes that can be accessed anonymously = remove all
if 2k delete this value: hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\...
...\nullsessionpipes
\local policies\security options\network access: remotely accessible registry paths = remove all
if 2k delete this value: hkey_local_machine\system\currentcontrolset\control\...
...\securepipeservers\winreg\allowedpaths\machine
\local policies\security options\network access: shares that can be accessed anonymously = remove all
if 2k delete this value: hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\...
...\nullsessionshares
\local policies\security options\(shutdown:) clear virtual memory pagefile (when system shuts down) = enabled

\local policies\security options\network security: do not store lan manager hash value on next password change = enabled
if 2ksp2+ add a key here called nolmhash, eg: hkey_local_machine\system\currentcontrolset\control\lsa\nolmhash\
as with xp, change the user accounts password for effect

start -> run -> lusrmgr.msc -> delete all the unnecessary accounts and groups, disable the builtin guest account

start -> run -> services.msc -> disable and stop any unneeded services. which ones are up to you as some maybe required

makes the system more secure

simple pictorial overview




_possible_ unauthorised entry points

(fast) firewall is set to allow all other ip protocols - once past wep encryption, it _maybe_ possible to send unauthorized packets that may or maynot be ipsec but affect the system in some way - ip filtering helps here. watch for ms updates in this area

(fast) firewall is set to allow udp on port 500 - once past wep encryption, the system is relying on the security of the key exchange, cannot really be secured by ip range as traffic can be captured and packets modified to match ruleset, possible audit trail via logging - file encryption/software policy may help here. watch for ms updates in this area

(slow) ipsec, though 3des/sha1 secured it is still breakable as plain text is known for some packets. ipsec just secures the packets, the same packets get sent and received as before, only their size is slightly increased to hold the ipsec header. using pattern matching of packet flows, it is possible to work out what is happening on the network, eg a netbios share authentication, some of these packets have constant hex values within, thus an attempt could be made to match the key and when found apply it to the rest of the packets - a fast changing key and file encryption help here

(slow) fulldisk encryption - if the computer is stolen the encryption could be bypassed via testing all possibilities. decent passwords on the full disk encryption, windows logon and pgpdisk help here

and of course there is still social engineering, shoulder surfing and tempest(little documentation) compromises. to counter strong rogue frequency interference, keep a couple of wired network cards and a piece of crossed linked network cable so that any critical networking can continue while you find and stop the source of the interference

if you can spot a workable/theoretical security weakness in this setup, let me know -> clark@hushmail.com

total cost of ownership(tco) (some business/home user differences in price)

throughout this guide some products have been mentioned - this highlights the possible expense of this secure setup
currency worked out at: 1.00 gbp = 1.66225 usd and rounded

product type | product name | price | demo/trial
2kpro/xppro os - probably already installed, however | 2kpro / xppro | £269.08 (per machine) / £237.35 (per machine) | no demo
wireless network cards - possibly already installed - though probably not | pcmcia netgear 802.11b / pci netgear 802.11b | £28.99 (per machine) / £34.99 (per machine) | no trial
full disk encryption | safe guard easy | £128.08 (per machine) | no demo
firewall | visnetic | £42.08 (per machine) | demo
proxy | ccproxy | £41.51 (unlimited users) | demo
ftp client | ws_ftp pro/le | £24.03 (per machine) or free | demo
browser | opera | £23.46 (per machine) | demo
file encryption/signing | pgp personal | £30.08 (per machine) | lite demo
system backup restore | norton ghost | £42.08 (per machine) | no demo
ssh client | securefx | £36.07 (per machine) | demo

quite expensive when you do the sums - it would be very interesting to see similar secure setups for mac & linux and their respective tco

rant section

throughout researching/testing this guide i have tried to work around various problems, however some things have really annoyed me, in fact "i'm mad as hell and i'm not going to take it any longer!!" - microsoft software developers listen up good

xp software restriction policies needs work!! feels a bit rushed - possible integration with ntfspermission (traverse folder/execute file)? in fact they could have stuck with ntfs completely on this one and had greater flexibility and speed as well

solve ipsec over nat or make it simpler - i believe this is being worked on

optional disable the http in 2k/xp windows explorer address bar - if i type a folder, just goto it, don't check for a website as well

enable better support for efs files over networks, encryption type used stated and changeable, in fact better efs support all round, public/private keys work great with pgp(though it is not transparent), so why did you have to mess things up?

better, simpler auditing for object access - no massive filemon style logs thanks

tweakui to cover nointernetopenwith and the systemfileassociations illogicals etc - in fact include tweakui as standard because its _needed_

disable all the non-user initiated i-want-to-connect-to-the-internet and no-i-really-want-to-connect-to-the-internet programs by default - make optional with user prompt if so before attempting to connect. this is one thing that _really_ annoys me - microsoft you're doing yourself no favours here, i will simply disable/reconfigure all pieces of software that do this and use something sensible

custom drive icons for mapped drives - would be nice yes, since other drives can have custom icons. pc manufacturers should create custom icons for their machines also

a local network windows update feature - sp are great because ms provides a network install that you can use on multiple machines - why oh why is this not as simple on windows update?(apart from windows 95) - there are ways around this, but it would be much better if ms sorted this out - like some av products do

conclusions

wireless is quite nice, freedom a little limited by battery lifetime, a little expensive, a wakeup call for pc/network security, perhaps not yet.
you must get permission from the respective author before reproduction