Friday, June 27, 2008

5 top Security Registry tweaks


1. Disable hidden administrative shares

Even if you haven’t shared any of your files or folders, an administrator (or anyone who knows a valid username and password for an account you’ve given administrative privileges) can remotely access your data by using the hidden administrative shares that XP creates by default. There is an administrative share for every drive on your system, but it doesn’t show up in the network browse list (My Network Places) because it has been marked as hidden by appending a dollar sign ($) to the end of the drive letter. You can delete these shares, but XP will just grow them back the next time you reboot. To prevent this, disable administrative shares by performing the following registry edit:
1. In your registry editor, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters.
2. In an empty portion of the right details pane, right-click and select New | DWORD Value.
3. Rename the new value AutoShareWks.
4. Double-click the new value and enter 0 in the Value Data field.

2. Don’t show the last logon name
If you’ve elected to use the standard logon dialog box instead of the Welcome screen, or if the XP computer is joined to a domain, XP tries to be helpful by displaying the account name of the last user who logged onto the computer; you only have to type in the password. However, this is a security issue because it gives a hacker half of the information needed to log on. Why make it easier? Of course, you should already have renamed the administrator account and disabled the guest account so a hacker won’t have those account names to use. The next step is to disable the display of the last logged-on user. Here’s how:
1. In your registry editor, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
2. In an empty portion of the right details pane, right-click and select New | DWORD Value.
3. Rename the new value dontdisplaylastusername.
4. Double-click the new value and enter 1 in the Value Data field.

3. Control what applications a user can run
If you’re sharing an XP computer with someone else and you’re the administrator, you can restrict the other user(s) to running only applications you specify. This can be particularly useful when sharing the computer with a young family member or if your computer must be used by guests. Here’s the procedure:
1. In your registry editor, logged on with the account you want to restrict, navigate to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
2. In an empty portion of the right details pane, right-click and select New | DWORD Value.
3. Rename the new value to RestrictRun.
4. Double-click the new value and enter 1 in the Value Data field. (You can modify this to allow all applications to run by changing the value to 0).
5. Create a new subkey named RestrictRun.
6. Create a new string value for each application you want to allow. Name each string value as a consecutive number.
7. Set the Value Data for each string value as the name of an application you want to allow (this should be the executable program name, such as explorer.exe for Windows Explorer).
8. Reboot the computer to apply the change.
Warning
Don’t apply this policy to yourself or you may not be able to run the programs you need to in order to administer the computer—and if you can’t run the registry editor, you won’t be able to change the policy.
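
A read-only check of the result of the procedure above, run in the restricted account's session. This is an added example, not part of the original post; it assumes Windows PowerShell is installed, and the function name Get-RestrictRunState is hypothetical.

```powershell
# Added example: read-only check of the RestrictRun policy for the current user.
$policyKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'RestrictRun'

function Get-RestrictRunState {
    # Step 4: the DWORD that switches the restriction on (1) or off (0).
    $flag    = Get-ItemProperty -Path $policyKey -Name RestrictRun -ErrorAction SilentlyContinue
    $enabled = ($flag -ne $null) -and ($flag.RestrictRun -eq 1)

    # Steps 5-7: string values named 1, 2, 3, ... under the RestrictRun subkey.
    $allowed = @()
    if (Test-Path $listKey) {
        $key     = Get-Item -Path $listKey
        $allowed = @($key.GetValueNames() |
            Where-Object { $_ -match '^\d+$' } |
            Sort-Object { [int]$_ } |
            ForEach-Object { [string]$key.GetValue($_) })
    }

    $warnings = @()
    if ($enabled -and $allowed.Count -eq 0) {
        $warnings += 'Restriction is on but the allow list is empty.'
    }
    if ($enabled -and ($allowed -notcontains 'regedit.exe')) {
        $warnings += 'regedit.exe is not on the list: this account cannot change the policy itself.'
    }
    if (-not $enabled -and $allowed.Count -gt 0) {
        $warnings += 'An allow list exists but RestrictRun is not 1, so it is not enforced.'
    }

    New-Object PSObject -Property @{ Enabled = $enabled; Allowed = $allowed; Warnings = $warnings }
}

$state = Get-RestrictRunState
'RestrictRun enabled: {0}' -f $state.Enabled
'Allowed applications: {0}' -f ($state.Allowed -join ', ')
$state.Warnings | ForEach-Object { "WARNING: $_" }
```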

4. Disable saved password for dialup networking

It’s handy for users not to have to enter their passwords each time they start a dialup networking session, but it can also be a security risk to have Windows save the password, since anyone else can start a session, too. To disable the saved password function for DUN, do the following:
1. In your registry editor, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters.
2. If the entry DisableSavePassword doesn’t already exist, right-click in an empty portion of the right details pane and select New | DWORD Value.
3. Rename the new value to DisableSavePassword.
4. Double-click the new value (or if it already existed, just double-click it now) and enter 1 in the Value Data field to prevent Windows from saving the DUN password. If you want to enable saving of passwords later, you can do so by setting the value to 0.

5. Prevent access to specific drives
You can prevent users from viewing and accessing the files and folders on specific drives using Windows Explorer, My Computer, or the Run command. They will not be able to map a network drive or use the DIR command to get a list of directories on the drive. This is a good way to add a layer of protection to a drive on which you store sensitive data. (You should also use access controls/permissions and encrypt the data if it’s extremely sensitive.)
1. In your registry editor, logged on with the user account you want to restrict, navigate to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
2. Right-click in an empty portion of the right details pane and select New | DWORD Value.
3. Rename the new value NoViewOnDrive.
4. Double-click the value and set the view to Decimal. In the Value Data field, add the following number(s) to hide the corresponding drive(s): A: 1, B: 2, C: 4, D: 8, E: 16, F: 32, G: 64, H: 128, I: 256, J: 512, K: 1024, L: 2048, and so on, multiplying by 2 to get the next numbers for the rest of the alphabet.
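
A read-only audit of the DWORD values from the five tweaks, which also converts the NoViewOnDrive number to and from drive letters. This is an added example, not part of the original post; it assumes Windows PowerShell is installed, and ConvertFrom-DriveMask and ConvertTo-DriveMask are hypothetical helper names.

```powershell
# Added example: read-only audit of the DWORD values from the five tweaks.
# Expected = $null means "no fixed target, just report and decode the value".
$explorer = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    # AutoShareWks is read from the LanmanServer service key.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareWks'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'dontdisplaylastusername'; Expected = 1 },
    @{ Path = $explorer; Name = 'RestrictRun'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'; Name = 'DisableSavePassword'; Expected = 1 },
    @{ Path = $explorer; Name = 'NoViewOnDrive'; Expected = $null }
)

function ConvertFrom-DriveMask([int]$Mask) {
    # Bit 0 is A:, bit 1 is B:, ... bit 25 is Z: (A = 1, B = 2, C = 4, ...).
    0..25 | Where-Object { $Mask -band [int][math]::Pow(2, $_) } |
        ForEach-Object { '{0}:' -f [char](65 + $_) }
}

function ConvertTo-DriveMask([string[]]$Letters) {
    # Combine the per-drive values into the decimal number for step 4.
    $mask = 0
    foreach ($l in $Letters) {
        $u = $l.ToUpper()
        if ($u -notmatch '^[A-Z]$') { throw "Not a drive letter: $l" }
        $mask = $mask -bor [int][math]::Pow(2, [int][char]$u - 65)
    }
    $mask
}

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { $status = 'not set' }
    else {
        $value = $item.($c.Name)
        if ($c.Expected -eq $null) { $status = 'hides ' + ((ConvertFrom-DriveMask $value) -join ' ') }
        elseif ($value -eq $c.Expected) { $status = "$value (as recommended)" }
        else { $status = "$value (article recommends $($c.Expected))" }
    }
    '{0,-26} {1}' -f $c.Name, $status
}

# Constructed sample: hiding D: and E: means 8 + 16.
'D,E -> {0}' -f (ConvertTo-DriveMask 'D','E')
```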
