Configuring Windows
Configuring Windows properly (Windows 7, 8, 10 and Server editions) involves many facets: disabling unnecessary services, configuring the registry correctly, enabling the firewall, configuring the browser correctly, and more.
Accounts, Users, Groups and Passwords
Windows comes with many default user accounts and groups. Attackers launching an initial attack rely on these as a starting point, i.e. they crack the passwords for those accounts and gain easy access to a server or network. To improve your security posture, rename these default accounts, or disable them if they are not required.
Administrator Accounts
- The default administrator account has administrative privileges. Administrators should disable this account.
- An account with administrative privileges is still needed to maintain the server, so add a new account and give that account administrative privileges.
- Do not create the account with a self-explanatory admin name. The whole point of creating a new admin account is that a hacker should not be able to identify which username has administrative privileges.
Other Default Accounts
Identify the other default accounts and change them.
- IUSR_{{Machine name}}: A default user account created for IIS, named IUSR_ followed by the machine name.
- ASP.NET: A machine running ASP.NET has a default account created for web applications.
- Database accounts: Many relational database management systems, such as SQL Server, create default user accounts.
When a new account is created, always follow the principle of least privilege: assign only the privileges needed to perform the job.
Setting Security Policies
Setting appropriate security policies is the next step in hardening.
Password Security Policies
First, set secure password policies. The default settings are not secure (see the table below).
Policy | Default Setting |
Enforce password history | 1 password remembered |
Maximum password age | 42 days |
Minimum password age | 0 days |
Minimum password length | 0 characters |
Passwords must meet complexity requirements | Disabled |
Store password using reversible encryption for all users in the domain | Disabled |
The table below shows the recommendations of Microsoft and the National Security Agency.
Policy | Microsoft | NSA |
Enforce password history | 3 passwords | 5 passwords |
Maximum password age | 42 days | 42 days |
Minimum password age | 2 days | 2 days |
Minimum password length | 8 characters | 12 characters |
Passwords must meet complexity requirements | No recommendation | Yes |
Store password using reversible encryption for all users in the domain | No recommendation | No recommendation |
An appropriate password policy depends greatly on your requirements. If you are protecting high-value assets, you must aim for greater security.
Account Lockout Policies
These policies determine the number of failed login attempts allowed and the duration of the account lockout. The default Windows settings are:
Policy | Default Settings |
Account lockout duration | Not defined |
Account lockout threshold | 0 invalid logon attempts |
Reset account lockout counter after | Not defined |
These default policies are not secure. The recommendations from Microsoft and the National Security Agency are:
Policy | Microsoft | NSA |
Account lockout duration | 0, indefinite | 15 hours |
Account lockout threshold | 5 attempts | 3 attempts |
Reset account lockout counter after | 15 minutes | 30 minutes |
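The password and account lockout tables above can be checked mechanically against an exported policy. The following is an added example, not code from the original page: it audits the [System Access] section of a `secedit /export` file against the Microsoft and NSA columns. The setting names are the ones secedit writes, the sample export is constructed, and treating 0 or -1 as an indefinite lockout is an assumption noted in the code.

```python
import re

# Constructed sample: `secedit /export` excerpt from a machine on the defaults above.
SAMPLE_EXPORT = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
"""

def at_least(n):
    return lambda v: v >= n
def between(lo, hi):
    return lambda v: lo <= v <= hi
def indefinite_or(minutes):
    # Assumption: "indefinite" is 0 in the policy editor and -1 in an export.
    return lambda v: v in (0, -1) or (minutes is not None and v >= minutes)

# From the Microsoft and NSA columns above; ages in days, lockout timers in minutes.
BASELINES = {
    "Microsoft": {"PasswordHistorySize": at_least(3), "MaximumPasswordAge": between(1, 42),
                  "MinimumPasswordAge": at_least(2), "MinimumPasswordLength": at_least(8),
                  "LockoutBadCount": between(1, 5), "ResetLockoutCount": at_least(15),
                  "LockoutDuration": indefinite_or(None)},
    "NSA": {"PasswordHistorySize": at_least(5), "MaximumPasswordAge": between(1, 42),
            "MinimumPasswordAge": at_least(2), "MinimumPasswordLength": at_least(12),
            "PasswordComplexity": between(1, 1), "LockoutBadCount": between(1, 3),
            "ResetLockoutCount": at_least(30), "LockoutDuration": indefinite_or(900)},
}

def parse_system_access(text):
    """Return {setting: int} for the [System Access] section only."""
    m = re.search(r"^\[System Access\]\s*$(.*?)(?=^\[|\Z)", text, re.M | re.S)
    body = m.group(1) if m else ""
    return {k: int(v) for k, v in re.findall(r"^(\w+)\s*=\s*(-?\d+)\s*$", body, re.M)}

def audit(text, baseline):
    """Sorted names of settings that are absent or fail the chosen baseline."""
    found = parse_system_access(text)
    return sorted(name for name, ok in BASELINES[baseline].items()
                  if name not in found or not ok(found[name]))

if __name__ == "__main__":
    print({name: audit(SAMPLE_EXPORT, name) for name in BASELINES})
```

secedit writes its export as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing the text to `audit`.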
Registry Settings
The Windows Registry is a database used to store settings and options for Microsoft Windows operating systems. This database contains critical information and settings for all the hardware, software, users, and preferences on a particular computer. Whenever users are added, software is installed or any other change is made to the system (including security policies), that information is stored in the registry.
Registry Basics
Since XP, the physical files that make up the registry are stored in %SystemRoot%\System32\Config. Since Windows 8, the file has been named ntuser.dat. The registry cannot be edited directly; the regedit.exe tool (regedt32) must be used to edit it.
A system might have additional ones, but five primary folders contain the information necessary for your system to run. These are the core registry folders:
- HKEY_CLASSES_ROOT: This branch contains all of your file association types, OLE information, and shortcut data.
- HKEY_CURRENT_USER: This branch links to the section of HKEY_USERS appropriate for the user currently logged on to the PC.
- HKEY_LOCAL_MACHINE: This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC.
- HKEY_USERS: This branch contains individual preferences for each user of the computer.
- HKEY_CURRENT_CONFIG: This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
Restrict Null Session Access
A null session is Windows’ way of designating anonymous connections. Null sessions are a significant weakness that can be exploited through the various shares that are on the computer. This should be handled properly.
Modify null session access to shares on the computer by adding RestrictNullSessAccess, a registry value that toggles null session shares on or off to determine whether the Server service restricts access to clients logged on to the system account without username and password authentication. Setting the value to “1” restricts null session access for unauthenticated users to all server pipes and shares except those listed in the NullSessionPipes and NullSessionShares entries.
Key Path: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer
Action: Ensure that RestrictNullSessAccess is set to: Value = 1
Restrict Null Session Access Over Named Pipes
The null session access over named pipes registry setting should be changed. This helps to prevent unauthorized access over the network. To restrict null session access over named pipes and shared directories, edit the registry and delete the values, as shown below.
Key Path: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer
Action: Delete all values
Restrict Anonymous Access
The anonymous access registry setting allows anonymous users to list domain user names and enumerate share names. It should be shut off. The possible settings for this key are:
- 0—Allow anonymous users
- 1—Restrict anonymous users
- 2—Allow users with explicit anonymous permissions
Key Path: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Action: Set Value = 2
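The three registry actions above (RestrictNullSessAccess, the null session pipe and share lists, and anonymous access) can be verified from the [Registry Values] section of a `secedit /export` file or a security template. This is an added example, not code from the original page. It assumes the Server service values sit under the Parameters subkey of the LanmanServer key and that the Lsa value is named RestrictAnonymous; the sample lines and pipe names are constructed.

```python
# Constructed sample: [Registry Values] lines in secedit format (path=type,data;
# type 4 is REG_DWORD, type 7 is REG_MULTI_SZ with comma-separated entries).
SAMPLE = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,examplepipe1,examplepipe2
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
"""

# Assumed locations of the values (see lead-in).
LANMAN = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

# Expected data, following the "Action" lines of the three sections above.
EXPECTED = [
    (LANMAN, "RestrictNullSessAccess", ["1"]),
    (LANMAN, "NullSessionPipes", []),      # all values deleted
    (LANMAN, "NullSessionShares", []),     # all values deleted
    (LSA, "RestrictAnonymous", ["2"]),
]

def parse_registry_values(text):
    """Return {lower-cased path: [data items]} for every MACHINE\\... line."""
    values = {}
    for line in text.splitlines():
        path, sep, rest = line.strip().partition("=")
        if not sep or not path.upper().startswith("MACHINE\\"):
            continue  # section headers, blank lines, unrelated content
        _type, _, data = rest.partition(",")
        values[path.lower()] = [item for item in data.split(",") if item]
    return values

def audit_registry(text):
    """Return [(value name, current data or 'not set')] for each deviation."""
    found = parse_registry_values(text)
    findings = []
    for key, name, want in EXPECTED:
        got = found.get((key + "\\" + name).lower())  # registry paths ignore case
        if got is None:
            findings.append((name, "not set"))
        elif got != want:
            findings.append((name, ",".join(got)))
    return findings

if __name__ == "__main__":
    print(audit_registry(SAMPLE))
```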
Remote Access to the Registry
Remote access to the registry is another potential opening for hackers. Only administrators should have remote access to the registry. In the latest versions of Windows this is off by default, but still make sure it is. If possible, disallow remote access to the registry for everyone; completely blocking remote access to the registry is certainly more secure. To restrict network access to the registry:
1. Add the following key to the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg.
2. Select winreg, click the Security menu, and then click Permissions.
3. Set the Administrator’s permission to Full Control, make sure no other users or groups are listed, and then click OK.
4. Recommended Value = 0
Services
A service (a daemon in Linux/Unix) is a program that runs without direct intervention by the computer user, e.g. Internet Information Services, the FTP service, and many system services. If you are not using a service, disable it or shut it down.
Encrypting File System
Windows offers the Encrypting File System (EFS), which is based on public key encryption and takes advantage of the CryptoAPI architecture in Windows 2000. With this system, each file is encrypted using a randomly generated file encryption key. Make use of it.
Security Templates
To make all these steps easy, use security templates. A security template contains hundreds of possible settings that can control a single computer or multiple computers. Security templates can control areas such as user rights, permissions, and password policies, and they enable administrators to deploy these settings centrally by means of Group Policy Objects (GPOs).
The following is a partial list of the security templates that you will find in this folder:
- Hisecdc.inf: This template is designed to increase the security and communications with domain controllers.
- Hisecws.inf: This template is designed to increase security and communications for client computers and member servers.
- Securedc.inf: This template is designed to increase the security and communications with domain controllers, but not to the level of the High Security DC security template.
- Securews.inf: This template is designed to increase security and communications for client computers and member servers.
- Setup security.inf: This template is designed to reapply the default security settings of a freshly installed computer. It can also be used to return a system that has been misconfigured to the default configuration.