Yes, this is spam, and a bit long.  My only defense is that one of the
MSUNAG members at Friday's meeting suggested I post this, so here it is.

These are my notes on setting up Windows XP machines.  They are a mess, as
they are written just to prompt my own memory and I have done nothing to
fix them up for others to understand -- after all, this stuff is all in
flux, and by the time I got these cleaned up they would be obsolete.

Anyway, comments are welcome.

-- David McFarlane, Research Technology Specialist
    Dept. Psychology, Michigan State University
    www.msu.edu/~mcfarla9
    Voice: (517) 353-0799    Fax: (517) 353-1652

------------------------
File:  #tech\sysopXP.txt
Date:  13 Aug 2004  DKM

- computer name, workgroup
- User Accounts:  Administrator, Lab, DKM
- ICF / Tiny PFW
     - IE, NAV, ICMP Echo, Trusted
     - ports:  x135 (DCOM), UDP 137 (Name), x UDP 138 (Datagram),
       TCP 139 (Session), 445 (SMB over IP)
- Language Bar
   Context > Settings... > Settings tab > Language Bar... >
       [] Show the Language bar on the desktop
- remove Microsoft Java Virtual Machine (JVM) (CoolWebSearch exploit)
     - rundll32 advpack.dll,launchinfsection java.inf,uninstall
     - delete \win\java, etc...
     - delete registry keys...
- Display Settings:
     - screen resolution, color quality
     - Appearance > Effect... > [] Hide underline
- Start/Taskbar properties:
     - Taskbar:
         [] Group similar taskbar buttons
         [?] Hide inactive icons
     - Start Menu:
         Advanced... > Customize > General > Show on Start Menu:
             [] E-mail: Outlook
- Windows Explorer:  Tools > Folder Options... > View tab
     - [] Automatically search for network folders and printers
     - [x] Show Control Panel in My Computer
- simple file sharing
- turn off default file sharing of C$?
- disable Null sessions?
- banish Outlook
- services.msc
- grc.com utilities:  XPDite, UnPnP, Shoot The Messenger, DCOMBob
- TweakUI (system vs. user settings?):
     - General:  [x] Show Windows version on desktop  (user)
     - Explorer:
         [] Prefix "Shortcut to" on new shortcuts  (user)
         [x] Use Classic Search in Explorer  (user)
     - Taskbar & Start Menu
         Start Menu:  [] Tiny PFW, Spybot, TweakUI  (user)
     - Desktop:  [x] Internet Explorer, [x] My Computer, [x] My Network,
         [x] Recycle  (user)
     - My Computer:  [x] Control Panel  (user)
     - Logon:  [] Show 'DKM' on Welcome screen  (system)
         - Autologon:  ...  (enter [blank] pw!)  (system)
- regedit
     - "Browse with PaintShop Pro"
- NAV
- SpyBot, AdAware, etc.  (system vs. user settings?)
- HiJackThis
- System Restore
- dhcp.msu.edu
- remove IE, replace w/ Firefox
- browser settings
     - Firefox (by user)
         - bookmark pages ...
         - View > Toolbars ...
         - Bookmarks > Manage Bookmarks ...
         - Tools > Options...
             - General:  Home Page
             - Privacy:  [] Remember Passwords
     - IE (by user)
         - Security "Zones" (security levels, sets of security settings
           that can be applied to sites) (what does "local intranet" zone
           mean?)
             - disable *all* ActiveX
             - disable Active scripting, Scripting of Java applets
             - User Authentication/Logon?
             - local machine zone (in registry)?
             - for Windows Updates:  Trusted Sites =
               http://*.windowsupdate.microsoft.com,
               http://*.windowsupdate.com
         - favorites, home page
- Shields Up test
- Windows [Auto] Updates
     - My Computer > Properties > Automatic Updates
- policy editor (gpedit.msc)?
- disable Windows Scripting Host?


Fixing malware:  Things to do, places to look, tools to use
- send to someone who's supposed to know this stuff (i.e., not me)!
- netstat -a ...
- net view ?
- System Restore
- turn off/on System Restore
- Add/Remove Programs
- remove/replace IE
- hosts file
- NAV
- HijackThis
- Sysinternals:  Autoruns, Process Explorer, PsKill
- Spybot (instead of msinfo32), AdAware, etc.
- sysedit
- regedit
    - ...\Run*
    - ...open/shellex
    - svchost (view with tasklist /svc)
        - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost
        - HKLM\System\CurrentControlSet\Services\...
    - ShellServiceObjectDelayLoad
    - InProcServer32
    - IE settings?
        - security zones/settings
        - ActiveX
    - Browser Helper Objects (BHOs)?
- services.msc
- regsvr32 /u /s known-bad.dll
Places for malware to launch/hide:
- config.sys
- autoexec.bat
- win.ini
- StartUp Folders
- registry
    - ... Run...
    - ...open/shellex
    - svchost
    - ShellServiceObjectDelayLoad
    - InProcServer32
    - IE settings?
    - Browser Helper Objects (BHOs)?
- services.msc
- hosts file
- *.hta, *.js, *.jse, *.vbs, *.vbe, *.shs
Places to keep up w/ info:
- www.cert.com
- isc.incidents.org  (Internet Storm Center of SANS)
- www.cexx.com (CounterExploitation)
- securityfocus.com
- research.pestpatrol.com
- scumware.com
- www.grc.com  (Gibson Research Corporation)
- 2600
- www.phrack.com


services.msc
x Alerter
   Application Layer Gateway Service
   Application Manager
   Automatic Updates
   Background Intelligent Transfer Service
x Clipbook
   COM+ Event System
   COM+ System Application
   Computer Browser
   Cryptographic Services
   DHCP Client
   Distributed Link Tracking Client
   Distributed Transaction Coordinator
   DNS Client
x Error Reporting Service
   Event Log
   Fast User Switching Compatibility
x Fax Service
? Help and Support
   Human Interface Device Access  [disabled by default]
   IMAPI CD-Burning COM Service
x Indexing Service
   Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)
? IPSEC Services
   IPv6 Internet Connection Firewall
   Logical Disk Manager
   Logical Disk Manager Administrative Service
x Machine Debug Manager
x Messenger
   MS Software Shadow Copy Provider
x Net Logon
x NetMeeting Remote Desktop Sharing
   Network Connections
x Network DDE
x Network DDE DSDM
   Network Location Awareness (NLA)
   NT LM Security Support Provider
x Performance Logs and Alerts
   Plug and Play
? Portable Media Serial Number Service
   Print Spooler
   Protected Storage  [used by auto-complete]
x QoS RSVP
   Remote Access Auto Connection Manager
   Remote Access Connection Manager
? Remote Administrator Service
x Remote Desktop Help Session Manager
   Remote Procedure Call (RPC)
   Remote Procedure Call (RPC) Locator
x Remote Registry
? Remote Task Manager Service
   Removable Storage
x Routing and Remote Access  [disabled by default]
? RunAs Service
   Secondary Logon
   Security Accounts Manager
   Server
   Shell Hardware Detection
x Smart Card
x Smart Card Helper
x SSDP Discovery Service
   System Event Notification
   System Restore Service
   Task Scheduler
x TCP/IP NetBIOS Helper  [? was auto]
? Telephony
x Telnet
? Terminal Services  [need for fast user switching?]
   Themes
x Uninterruptible Power Supply
x Universal Plug and Play Device Host
x Upload Manager
   Volume Shadow Copy
   WebClient
   Windows Audio
   Windows Image Acquisition (WIA)
   Windows Installer
   Windows Management Instrumentation
   Windows Management Instrumentation Driver Extensions
? Windows Time
x Wireless Zero Configuration
x WMI Performance Adapter
   Workstation
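Added example, not part of David's notes: a script that stops and disables the
services marked "x" in the services.msc list above, then shows what is still
bound to the NetBIOS/SMB ports the firewall section names. It is written for
PowerShell 2.0 on XP SP3 (a stock 2004 XP box has no PowerShell; use sc.exe
there), and must run as Administrator. The short service names are my own
mapping from the display names in the list, and the -Apply switch is my own
convention; without it the script only prints what it would do.

```powershell
# Added example (not from the original post). Disable the "x" services from
# the notes, then list what still listens on 135/137/138/139/445.
# PowerShell 2.0 on XP SP3, run as Administrator. Without -Apply: dry run.
param([switch]$Apply)

# Short names are my mapping from the display names; confirm on your box with:
#   Get-Service | Select-Object Name, DisplayName
$ToDisable = @(
    'Alerter',         # Alerter
    'ClipSrv',         # ClipBook
    'ERSvc',           # Error Reporting Service
    'Fax',             # Fax Service
    'CiSvc',           # Indexing Service
    'MDM',             # Machine Debug Manager
    'Messenger',       # Messenger (net send pop-up spam)
    'Netlogon',        # Net Logon (leave enabled on a domain-joined machine)
    'mnmsrvc',         # NetMeeting Remote Desktop Sharing
    'NetDDE',          # Network DDE
    'NetDDEdsdm',      # Network DDE DSDM
    'SysmonLog',       # Performance Logs and Alerts
    'RSVP',            # QoS RSVP
    'RDSessMgr',       # Remote Desktop Help Session Manager
    'RemoteRegistry',  # Remote Registry
    'RemoteAccess',    # Routing and Remote Access
    'SCardSvr',        # Smart Card
    'SCardDrv',        # Smart Card Helper
    'SSDPSRV',         # SSDP Discovery Service
    'LmHosts',         # TCP/IP NetBIOS Helper
    'TlntSvr',         # Telnet
    'UPS',             # Uninterruptible Power Supply
    'upnphost',        # Universal Plug and Play Device Host
    'uploadmgr',       # Upload Manager
    'WZCSVC',          # Wireless Zero Configuration (keep on laptops with Wi-Fi)
    'WmiApSrv'         # WMI Performance Adapter
)

foreach ($name in $ToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { Write-Host ("absent    {0}" -f $name); continue }
    Write-Host ("{0,-9} {1} [{2}] -> Disabled" -f $svc.Status, $svc.DisplayName, $name)
    if ($Apply) {
        if ($svc.Status -eq 'Running') {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        }
        Set-Service -Name $name -StartupType Disabled
    }
}

# Post-check: what is still bound to the ports the notes want ICF to cover.
# 135 (RPC endpoint mapper), 139/445 (Server service, kept in the list) and
# UDP 137/138 (the NetBT driver) are bound by the system, not by the services
# above, so expect to still see them: that is exactly what the firewall is for.
$watch = @(135, 137, 138, 139, 445)
netstat -ano | ForEach-Object {
    # TCP lines carry a state column (only LISTENING is of interest); UDP lines do not.
    if ($_ -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$') {
        $port  = [int]$matches[2]
        $owner = [int]$matches[3]   # not $pid: that is a read-only automatic variable
        if ($watch -contains $port) {
            $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
            Write-Host ("still open: {0}/{1,-5} pid {2} {3}" -f $matches[1], $port, $owner, $proc.ProcessName)
        }
    }
}
```

Run it once without -Apply, read the list, then run with -Apply and compare the
"still open" lines with a Shields Up scan from outside: the services script
removes listeners owned by optional services, but the SMB/NetBT ports stay
open until ICF (or the third-party firewall) blocks them.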
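Added example, not part of David's notes: a read-only triage dump of the
"places for malware to launch/hide" listed in the fixing-malware section
(Run/RunOnce keys, ShellServiceObjectDelayLoad, the .exe open/command handler,
svchost groups with the ServiceDll each member loads, which svchost PID hosts
which service as tasklist /svc shows, Browser Helper Objects resolved through
InProcServer32, and the hosts file). Again PowerShell 2.0 on XP SP3; the
script changes nothing, so the intended use is to diff its output against a
known-clean machine.

```powershell
# Added example (not from the original post). Read-only dump of the autorun
# and hijack points from the notes. PowerShell 2.0 on XP SP3.

# Provider metadata properties that Get-ItemProperty adds to every result.
$meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Show-RegValues($key) {
    if (-not (Test-Path $key)) { return }
    Write-Host "== $key"
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -notcontains $p.Name) { Write-Host ("   {0} = {1}" -f $p.Name, $p.Value) }
    }
}

# 1. Run / RunOnce for machine and current user, plus ShellServiceObjectDelayLoad
$cv = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
foreach ($hive in 'HKLM', 'HKCU') {
    Show-RegValues "${hive}:\$cv\Run"
    Show-RegValues "${hive}:\$cv\RunOnce"
}
Show-RegValues "HKLM:\$cv\ShellServiceObjectDelayLoad"

# 2. How .exe files are launched. The stock value is "%1" %*; anything else
#    means every program you run goes through something else first.
$exeCmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
Write-Host "== exefile open command: $exeCmd"
if ($exeCmd -ne '"%1" %*') { Write-Host '   !! exefile handler is not the default' }

# 3. svchost groups -> member services -> the DLL each one actually loads.
#    A ServiceDll outside %SystemRoot%\System32 deserves a close look.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($g in (Get-ItemProperty $svchostKey).PSObject.Properties) {
    if ($meta -contains $g.Name) { continue }
    Write-Host "== svchost group $($g.Name)"
    foreach ($svc in $g.Value) {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $dll = ''
        if (Test-Path $params) { $dll = (Get-ItemProperty $params).ServiceDll }
        Write-Host ("   {0,-20} {1}" -f $svc, $dll)
    }
}

# 4. Which running svchost.exe PID hosts which services (what tasklist /svc shows)
Get-WmiObject Win32_Service -Filter "PathName LIKE '%svchost.exe%' AND State='Running'" |
    Group-Object ProcessId | ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        Write-Host ("== svchost pid {0}: {1}" -f $_.Name, $names)
    }

# 5. Browser Helper Objects: each CLSID resolved to its InprocServer32 DLL
$bhoKey = "HKLM:\$cv\Explorer\Browser Helper Objects"
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey | ForEach-Object { $_.PSChildName })) {
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = ''
        if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)' }
        Write-Host ("== BHO {0}  {1}" -f $clsid, $dll)
    }
}

# 6. hosts file: print every line that is not a comment and not the loopback entry
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Host "== $hosts"
Get-Content $hosts |
    Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { Write-Host "   $_" }
```

Save the output to a file on a machine you trust, then run the same script on
the suspect box and compare the two: a new Run value, a ServiceDll or BHO
pointing outside System32, a rewritten exefile handler, or extra hosts entries
for antivirus and update sites are the things the notes' regedit/HijackThis
steps are looking for, and this puts them in one place.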