Yes, this is spam, and a bit long. My only defense is that one of the MSUNAG members at Friday's meeting suggested I post this, so here it is. These are my notes on setting up Windows XP machines. They are a mess, as they are written just to prompt my own memory and I have done nothing to fix them up for others to understand -- after all, this stuff is all in flux, and by the time I got these cleaned up they would be obsolete. Anyway, comments are welcome.

-- David McFarlane, Research Technology Specialist
Dept. Psychology, Michigan State University
www.msu.edu/~mcfarla9
Voice: (517) 353-0799  Fax: (517) 353-1652

------------------------
File: #tech\sysopXP.txt
Date: 13 Aug 2004 DKM

- computer name, workgroup
- User Accounts: Administrator, Lab, DKM
- ICF / Tiny PFW
  - IE, NAV, ICMP Echo, Trusted
  - ports: x135 (DCOM), UDP 137 (Name), x UDP 138 (Datagram), TCP 139 (Session), 445 (SMB over IP)
- Language Bar
  - Context > Settings... > Settings tab > Language Bar... > [] Show the Language bar on the desktop
- remove Microsoft Java Virtual Machine (JVM) (CoolWebSearch exploit)
  - rundll32 advpack.dll,launchinfsection java.inf,uninstall
  - delete \win\java, etc...
  - delete registry keys...
- Display Settings:
  - screen resolution, color quality
  - Appearance > Effect... > [] Hide underline
- Start/Taskbar properties:
  - Taskbar: [] Group similar taskbar buttons  [?] Hide inactive icons
  - Start Menu: Advanced... > Customize > General > Show on Start Menu: [] E-mail: Outlook
- Windows Explorer: Tools > Folder Options... > View tab
  - [] Automatically search for network folders and printers
  - [x] Show Control Panel in My Computer
  - simple file sharing
- turn off default file sharing of C$?
- disable Null sessions?
- banish Outlook
- services.msc
- grc.com utilities: XPDite, UnPnP, Shoot The Messenger, DCOMBob
- TweakUI (system vs. user settings?):
  - General: [x] Show Windows version on desktop (user)
  - Explorer: [] Prefix "Shortcut to" on new shortcuts (user)
              [x] Use Classic Search in Explorer (user)
  - Taskbar & Start Menu
    - Start Menu: [] Tiny PFW, Spybot, TweakUI (user)
  - Desktop: [x] Internet Explorer, [x] My Computer, [x] My Network, [x] Recycle (user)
  - My Computer: [x] Control Panel (user)
  - Logon: [] Show 'DKM' on Welcome screen (system)
    - Autologon: ... (enter [blank] pw!) (system)
- regedit
  - "Browse with PaintShop Pro"
- NAV
- SpyBot, AdAware, etc. (system vs. user settings?)
- HiJackThis
- System Restore
- dhcp.msu.edu
- remove IE, replace w/ Firefox
- browser settings
  - Firefox (by user)
    - bookmark pages ...
    - View > Toolbars ...
    - Bookmarks > Manage Bookmarks ...
    - Tools > Options...
      - General: Home Page
      - Privacy: [] Remember Passwords
  - IE (by user)
    - Security "Zones" (security levels, sets of security settings that can be applied to sites) (what does "local intranet" zone mean?)
      - disable *all* ActiveX
      - disable Active scripting, Scripting of Java applets
      - User Authentication/Logon?
      - local machine zone (in registry)?
      - for Windows Updates: Trusted Sites = http://*.windowsupdate.microsoft.com, http://*.windowsupdate.com
    - favorites, home page
- Shields Up test
- Windows [Auto] Updates
  - My Computer > Properties > Automatic Updates
- policy editor (gpedit.msc)?
- disable Windows Scripting Host?

Fixing malware: Things to do, places to look, tools to use
- send to someone who's supposed to know this stuff (i.e., not me)!
- netstat -a ...
- net view ?
- System Restore
  - turn off/on System Restore
- Add/Remove Programs
- remove/replace IE
- hosts file
- NAV
- HijackThis
- Sysinternals: Autoruns, Process Explorer, PsKill
- Spybot (instead of msinfo32), AdAware, etc.
- sysedit
- regedit
  - ...\Run*
  - ...open/shellex
  - svchost (view with tasklist /svc)
    - HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Svchost
    - HKLM\System\CurrentControlSet\Services\...
  - ShellServiceObjectDelayLoad
  - InProcServer32
  - IE settings?
    - security zones/settings
    - ActiveX
    - Browser Helper Objects (BHOs)?
- services.msc
- regsvr32 /u /s known-bad.dll

Places for malware to launch/hide:
- config.sys
- autoexec.bat
- win.ini
- StartUp Folders
- registry
  - ... Run...
  - ...open/shellex
  - svchost
  - ShellServiceObjectDelayLoad
  - InProcServer32
  - IE settings?
  - Browser Helper Objects (BHOs)?
- services.msc
- hosts file
- *.hta, *.js, *.jse, *.vbs, *.vbe, *.shs

Places to keep up w/ info:
- www.cert.com
- isc.incidents.org (Internet Storm Center of SANS)
- www.cexx.com (CounterExploitation)
- securityfocus.com
- research.pestpatrol.com
- scumware.com
- www.grc.com (Gibson Research Corporation)
- 2600
- www.phrack.com

services.msc
x Alerter
  Application Layer Gateway Service
  Application Manager
  Automatic Updates
  Background Intelligent Transfer Service
x Clipbook
  COM+ Event System
  COM+ System Application
  Computer Browser
  Cryptographic Services
  DHCP Client
  Distributed Link Tracking Client
  Distributed Transaction Coordinator
  DNS Client
x Error Reporting Service
  Event Log
  Fast User Switching Compatibility
x Fax Service
? Help and Support
  Human Interface Device Access [disabled by default]
  IMAPI CD-Burning COM Service
x Indexing Service
  Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)
? IPSEC Services
  IPv6 Internet Connection Firewall
  Logical Disk Manager
  Logical Disk Manager Administrative Service
x Machine Debug Manager
x Messenger
  MS Software Shadow Copy Provider
x Net Logon
x NetMeeting Remote Desktop Sharing
  Network Connections
x Network DDE
x Network DDE DSDM
  Network Location Awareness (NLA)
  NT LM Security Support Provider
x Performance Logs and Alerts
  Plug and Play
? Portable Media Serial Number Service
  Print Spooler
  Protected Storage [used by auto-complete]
x QoS RSVP
  Remote Access Auto Connection Manager
  Remote Access Connection Manager
? Remote Administrator Service
x Remote Desktop Help Session Manager
  Remote Procedure Call (RPC)
  Remote Procedure Call (RPC) Locator
x Remote Registry
? Remote Task Manager Service
  Removable Storage
x Routing and Remote Access [disabled by default]
? RunAs Service
  Secondary Logon
  Security Accounts Manager
  Server
  Shell Hardware Detection
x Smart Card
x Smart Card Helper
x SSDP Discovery Service
  System Event Notification
  System Restore Service
  Task Scheduler
x TCP/IP NetBIOS Helper [? was auto]
? Telephony
x Telnet
? Terminal Services [need for fast user switching?]
  Themes
x Uninterruptible Power Supply
x Universal Plug and Play Device Host
x Upload Manager
  Volume Shadow Copy
  WebClient
  Windows Audio
  Windows Image Acquisition (WIA)
  Windows Installer
  Windows Management Instrumentation
  Windows Management Instrumentation Driver Extensions
? Windows Time
x Wireless Zero Configuration
x WMI Performance Adapter
  Workstation
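The port list under the ICF / Tiny PFW item (135, 137, 138, 139, 445) and the "netstat -a" / "tasklist /svc" items under "Fixing malware" can be combined into one check that shows which of those ports are actually bound and which process or svchost service group owns each. This is an added example, not part of the original notes; it assumes a current Windows host and uses only `netstat -ano` and `tasklist /svc`.

```powershell
# Added example: report which of the DCOM/NetBIOS/SMB ports listed in the notes are bound on
# this host and which process (for svchost, which service group) owns each one.
# Assumes a current Windows host; relies only on netstat -ano and tasklist /svc.
$watched = @{ 135 = 'DCOM / RPC endpoint mapper'; 137 = 'NetBIOS Name'
              138 = 'NetBIOS Datagram';           139 = 'NetBIOS Session'
              445 = 'SMB over IP' }

# PID -> "image [services]" from tasklist /svc (CSV columns: Image Name, PID, Services).
$ownerByPid = @{}
tasklist /svc /fo csv | ConvertFrom-Csv | ForEach-Object {
    $ownerByPid[[int]$_.PID] = "$($_.'Image Name') [$($_.Services)]"
}

# netstat -ano rows: Proto, Local Address, Foreign Address, [State], PID (UDP rows have no State).
function Get-WatchedPortBindings {
    netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        $proto = $f[0]; $local = $f[1]; $ownerPid = [int]$f[-1]
        $state = if ($proto -eq 'TCP') { $f[3] } else { 'n/a' }
        $port  = [int]($local -replace '^.*:', '')      # handles 0.0.0.0:445 and [::]:445 forms
        if ($watched.ContainsKey($port) -and ($proto -eq 'UDP' -or $state -eq 'LISTENING')) {
            $owner = if ($ownerByPid.ContainsKey($ownerPid)) { $ownerByPid[$ownerPid] } else { "PID $ownerPid" }
            [pscustomobject]@{ Proto = $proto; Port = $port; Role = $watched[$port]
                               Local = $local; Owner = $owner }
        }
    }
}

$bound = @(Get-WatchedPortBindings)
if ($bound.Count) { $bound | Sort-Object Port, Proto | Format-Table -AutoSize }
else { 'None of the watched ports (135/137/138/139/445) are bound on this host.' }
```

Run it before and after changing the firewall or service settings above to confirm the ports the notes worry about are no longer reachable on any interface.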
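The "Places for malware to launch/hide" list can be turned into a read-only inventory that is easy to save on a clean machine and diff later. This is an added example, not part of the original notes; it assumes a current Windows host and reads only the Run/RunOnce keys, ShellServiceObjectDelayLoad, the BHO list (resolved through each CLSID's InProcServer32), the svchost groups, the StartUp folders and the hosts file.

```powershell
# Added example: inventory the autorun locations named in the notes so the output can be
# saved and diffed against a known-good baseline. Read-only; assumes a current Windows host.
$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    "${hive}:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
$delayLoad  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$bhoKey     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$svchostKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Svchost'

# Emit every value under a key (skipping the PS* provider properties) as Source/Name/Value.
function Get-ValuesAt([string]$Key) {
    if (-not (Test-Path $Key)) { return }
    $props = (Get-ItemProperty -Path $Key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) { [pscustomobject]@{ Source = $Key; Name = $p.Name; Value = "$($p.Value)" } }
}

# Run/RunOnce entries, ShellServiceObjectDelayLoad CLSIDs, and the svchost service groups
# (the groups are what tasklist /svc shows under each svchost.exe).
$inventory = @($runKeys + $delayLoad + $svchostKey | ForEach-Object { Get-ValuesAt $_ })

# BHOs are CLSID subkeys; resolve each to the DLL registered in its InProcServer32 key.
if (Test-Path $bhoKey) {
    $inventory += @(Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = Get-ItemProperty "HKLM:\Software\Classes\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Value = "$($srv.'(default)')" }
    })
}

# StartUp folders for all users and for the current user.
foreach ($dir in [Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup')) {
    $inventory += @(Get-ChildItem $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Value = $_.FullName } })
}

# Active hosts file lines (a redirected update or AV site would show up here).
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$inventory += @(Get-Content $hostsFile | Where-Object { $_ -match '^\s*[^#\s]' } | ForEach-Object {
    $parts = $_.Trim() -split '\s+'
    [pscustomobject]@{ Source = 'hosts'; Name = $parts[1]; Value = $parts[0] } })

$inventory | Sort-Object Source, Name | Format-Table -AutoSize
# On a known-clean machine: $inventory | Export-Csv baseline.csv -NoTypeInformation
# Later runs: Compare-Object (Import-Csv baseline.csv) $inventory -Property Source, Name, Value
```

Sysinternals Autoruns covers far more locations; this script is the minimal version of the same idea, limited to the spots the notes call out, so a new Run value, BHO or hosts entry stands out as a diff line.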