More March 2000 Windows Digest...
Part 1 of securing your Windows NT Server through the use of your
registry editor (applies to Windows NT 4.0 only)
I've received a number of e-mails from readers asking what steps
they can take to secure their Windows NT Server. Well then, this
section is devoted to you. I will provide some information on
registry keys that can be added, or existing registry values that
can be changed, to make a Windows NT Server more secure. This
section mentions a few critical registry keys that can be added or
changed to help secure the Windows NT Terminal Server we created
earlier in "Project Plan in a Box".
At this point you can either read on or reference the Microsoft
Knowledge Base Article Q198771. Below is a reprint of the relevant
sections from that knowledge base article. After it I mention a few
other registry keys you can change to further enhance security on
your Windows NT Server.
You can invoke your registry editor by running the command
"REGEDT32" from your "RUN" box under your
start bar. Always ensure you have a backup of your registry before
you go playing around in your registry.
It should be noted that if you used the ADM files from the Zero
Administration Kit many of the functions listed in the Knowledge
Base Article can be implemented through the Policy Editor.
*******************************Q198771*********************
SUMMARY
=======
Windows NT security makes it possible to lock down a desktop
so a given user has access to only one or a few specific programs.
On a public kiosk computer, it is often important that user access
be restricted. This article explains the steps that need to be
taken to implement this.
1. Create a text file named Lockout.reg. You can cut and paste
the following text:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoFind"=dword:00000001
"NoFolderOptions"=dword:00000001
"NoDesktopUpdate"=dword:00000001
"NoFavoritesMenu"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoSetActiveDesktop"=dword:00000001
"NoDesktop"=dword:00000001
"NoSetFolders"=dword:00000001
"NoSetTaskbar"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoClose"=dword:00000001
"NoNetHood"=dword:00000001
"NoRun"=dword:00000001
"NoDrives"=dword:00000000
"NoTrayContextMenu"=dword:00000001
"NoViewContextMenu"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableLockWorkstation"=dword:00000001
"DisableTaskMgr"=dword:00000001
"DisableChangePassword"=dword:00000001
2. Determine what drives you want the user to be able to access,
and then change the value of the "NoDrives" line accordingly.
For example:
To give access to only drive C -> "NoDrives"=dword:fbffff03
To give access to drives C and D -> "NoDrives"=dword:f3ffff03
To give access to drives A to F -> "NoDrives"=dword:c0ffff03
3. Determine if you want a compact disc to start automatically
when you place it in the CD-ROM drive. If you do not want this
to happen, change the
"NoDriveTypeAutoRun" to:
"NoDriveTypeAutoRun"=dword:b5000000
4. Determine if you want to enable the user to log off or to
shut down the computer. You can disable these by adding one or
both of these two lines:
"NoClose"=dword:00000001
"NoLogoff"=dword:00000001
5. Create a new user with User Manager. Set up the menu structure
that you want the user to see. This can be done by adding and
removing short cuts from the
<Windows NT>\Profiles\%USERNAME% and the <Windows
NT>\Profiles\All Users folders. For example:
C:\WINNT\Profiles\NewUser and C:\WINNT\Profiles\All Users.
6. Log on as the new user and set up the environment (screen
savers, background, and so on).
7. Find the file you created in the steps above and double-click
it.
8. Log back on as the user. You will notice that the desktop
is empty and the start menu only has the shortcuts that you configured
in step 4. As stated in article Q182439 "How to Disable
Start\Help," it is impossible to remove the help item from
the start menu. You can disable this by creating a text file
named Windows.hlp and copying it over the existing file in the
<WindowsNT>\System32 folder.
MORE INFORMATION
================
Here is a description of the items discussed above:
Item                 Description
----                 -----------
NoDriveTypeAutoRun   Prevents CD-ROM drive from running automatically.
NoFind               Removes Find command from Start menu.
NoFavoritesMenu      Removes the Favorites folder from the Start menu.
NoRecentDocsMenu     Removes the Documents command from the Start menu.
NoSetActiveDesktop   Removes the Active Desktop item from the Settings menu.
NoDesktop            Hides all items on desktop.
NoSetFolders         Removes folders from Settings/Start menu.
NoSetTaskbar         Removes Taskbar from Settings/Start menu.
NoSaveSettings       Does not save settings at exit.
NoClose              Disables Shut Down command.
NoNetHood            Hides Network Neighborhood.
NoRun                Removes Run command from Start menu.
NoDrives             Hides drives in My Computer.
NoTrayContextMenu    Removes context menus for tray including the Start
                     button, tab control, and clock.
NoViewContextMenu    Removes the context menu when you right-click the
                     desktop, or when you right-click Explorer in the
                     results pane.
************************************EOF****************************************
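Steps 1 through 4 of the article boil down to writing a .reg file whose two interesting values, NoDrives and NoDriveTypeAutoRun, are bitmasks. The Python script below is an added example, not code from Q198771 or from this digest: it builds the Lockout.reg text from a list of the drive letters the kiosk user may see plus a few yes/no choices, computing both masks from their bit layouts (NoDrives: bit 0 is A:, bit 25 is Z:, a set bit hides the drive; NoDriveTypeAutoRun: one bit per Win32 drive type, where the article's base value 0x95 covers unknown, removable and remote drives plus the reserved bit 7, and 0x20 is added to cover CD-ROM). The value names and key paths are the article's; the function names and the drive-type table are mine. One point of format worth knowing: a REGEDIT4 dword: literal is the number written most-significant byte first (dword:00000001 is the value 1), so the masks the article prints as fbffff03, f3ffff03 and c0ffff03 are the same bits with the bytes in reverse order; in a .reg file the "only drive C" mask is written dword:03fffffb, which is what the script emits.

```python
"""Generate an NT 4.0 kiosk Lockout.reg in REGEDIT4 format.

Added example (not from Q198771 or the digest): the NoDrives and
NoDriveTypeAutoRun values are derived from their documented bit layouts
instead of being pasted as magic numbers.
"""

from typing import Iterable

EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# NoDriveTypeAutoRun: one bit per Win32 drive type (GetDriveType result).
DRIVE_TYPE_BITS = {
    "unknown": 0x01,      # DRIVE_UNKNOWN
    "no_root_dir": 0x02,  # DRIVE_NO_ROOT_DIR
    "removable": 0x04,    # DRIVE_REMOVABLE
    "fixed": 0x08,        # DRIVE_FIXED
    "remote": 0x10,       # DRIVE_REMOTE
    "cdrom": 0x20,        # DRIVE_CDROM
    "ramdisk": 0x40,      # DRIVE_RAMDISK
    "reserved": 0x80,     # bit 7, reserved; set in the article's base value 0x95
}
# Drive types the article's base value 0x95 already disables AutoRun for.
BASE_AUTORUN_TYPES = ("unknown", "removable", "remote", "reserved")

# Explorer restrictions that are simply switched on (1) for a kiosk user.
EXPLORER_FLAGS = (
    "NoFind", "NoFolderOptions", "NoDesktopUpdate", "NoFavoritesMenu",
    "NoRecentDocsMenu", "NoSetActiveDesktop", "NoDesktop", "NoSetFolders",
    "NoSetTaskbar", "NoSaveSettings", "NoNetHood", "NoRun",
    "NoTrayContextMenu", "NoViewContextMenu",
)
SYSTEM_FLAGS = ("DisableLockWorkstation", "DisableTaskMgr", "DisableChangePassword")

ALL_DRIVES_MASK = (1 << 26) - 1  # bits 0..25 = A: .. Z:


def nodrives_mask(visible: Iterable[str]) -> int:
    """NoDrives hides every drive whose bit is set (bit 0 = A:, bit 25 = Z:).
    Return the mask that hides all drives except those listed in `visible`."""
    mask = ALL_DRIVES_MASK
    for letter in visible:
        letter = letter.upper()
        if not "A" <= letter <= "Z":
            raise ValueError(f"not a drive letter: {letter!r}")
        mask &= ~(1 << (ord(letter) - ord("A")))
    return mask


def autorun_mask(disabled_types: Iterable[str]) -> int:
    """NoDriveTypeAutoRun disables AutoRun for every drive type whose bit is set."""
    mask = 0
    for drive_type in disabled_types:
        mask |= DRIVE_TYPE_BITS[drive_type]
    return mask


def reg_dword(value: int) -> str:
    """REGEDIT4 writes a DWORD as its hex value, most significant digit first
    (1 -> dword:00000001).  The article's fbffff03 is 03fffffb with the bytes
    reversed; this function emits the .reg-file order."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("DWORD out of range")
    return f"dword:{value:08x}"


def build_lockout_reg(visible_drives: Iterable[str], disable_cd_autorun: bool = True,
                      allow_shutdown: bool = False, allow_logoff: bool = True) -> str:
    """Return the text of Lockout.reg for a kiosk user."""
    autorun_types = list(BASE_AUTORUN_TYPES)
    if disable_cd_autorun:
        autorun_types.append("cdrom")   # 0x95 | 0x20 = 0xb5, as in step 3
    explorer = {
        "NoDriveTypeAutoRun": autorun_mask(autorun_types),
        "NoDrives": nodrives_mask(visible_drives),
    }
    explorer.update({name: 1 for name in EXPLORER_FLAGS})
    if not allow_shutdown:
        explorer["NoClose"] = 1          # step 4
    if not allow_logoff:
        explorer["NoLogoff"] = 1         # step 4
    lines = ["REGEDIT4", "", f"[{EXPLORER_KEY}]"]
    lines += [f'"{name}"={reg_dword(value)}' for name, value in explorer.items()]
    lines += ["", f"[{SYSTEM_KEY}]"]
    lines += [f'"{name}"={reg_dword(1)}' for name in SYSTEM_FLAGS]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Kiosk user sees only C:, CD AutoRun is off, no shutdown, log off allowed.
    print(build_lockout_reg("C"), end="")
```

Run as-is it prints a Lockout.reg for a user who sees only C:, cannot shut down, can log off, and whose CDs do not AutoRun; save that text and double-click it as the article's step 7 describes. Pass the full set of letters to hide nothing, which matches the article's starting value of 0.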
One of the things that SP3 brought to Windows NT was an oversight
whereby unauthenticated remote users could gain access to a computer's
Registry under the "Everyone" group; that is, any unauthenticated
user could gain access to a remote machine's Registry. We can
restrict this "anonymous" access to our server's Registry
by modifying two values in the key:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
First, define a REG_DWORD named "RestrictNullSessionAccess" and
give it a decimal value of "1"; second, add the string
"WINREG" to the multistring value named "NullSessionPipes".
For more information about restricting who can access the
Registry remotely, see the following Knowledge Base articles:
Q143138, Q126645, and Q143474.
By default, guest and unauthenticated users can read the System
and Application logs. You can prevent this by creating a value
named "RestrictGuestAccess" with a REG_DWORD value
of 1 in each of the Registry keys:
HKLM\System\CurrentControlSet\Services\EventLog\Application
HKLM\System\CurrentControlSet\Services\EventLog\System
Applying the above registry change should have no adverse effect
on the machine's operation, but it should help prevent an intruder
from enumerating system information through the System and
Application logs.
By default, Windows NT displays the previous account name
on the logon window. You can prevent this by creating a value
named "DontDisplayLastUserName" with a REG_SZ value
of "1" in the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
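The three server-side changes above (the LanmanServer null-session values, RestrictGuestAccess on the two event logs, and DontDisplayLastUserName) are the kind of thing worth checking again after a service pack or a restore from backup. The Python script below is an added example and not the digest's own code: it reads a REGEDIT4-style export (a constructed sample is embedded, with HKLM spelled out as HKEY_LOCAL_MACHINE) and reports every value that is missing or weak; the function names and the sample export are mine. One caveat on the NullSessionPipes step: that multistring is the list of named pipes a null session is allowed to open once RestrictNullSessionAccess is 1, so an entry of WINREG there grants anonymous access to the remote registry pipe rather than removing it, and the script therefore reports WINREG in NullSessionPipes as a finding. The setting that actually controls who may reach the registry remotely on NT 4.0 is the ACL on the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg.

```python
"""Audit an NT 4.0 server's registry for the remote-access hardening values
discussed above: RestrictNullSessionAccess / NullSessionPipes, the event log
RestrictGuestAccess values, and DontDisplayLastUserName.

Added example, not the digest's own code.  The registry is read from a
REGEDIT4-style export (a constructed sample is embedded) rather than live,
and key paths use HKEY_LOCAL_MACHINE where the text abbreviates HKLM.
"""

import re
from typing import Dict, List

LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
EVENTLOG_APP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application"
EVENTLOG_SYS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export: RestrictNullSessionAccess is set, but WINREG has
# been appended to NullSessionPipes, the System log is still guest-readable
# and the last user name is still displayed at logon.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RestrictNullSessionAccess"=dword:00000001
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,57,49,\
  4e,52,45,47,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"RestrictGuestAccess"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
"""

Registry = Dict[str, Dict[str, object]]


def _decode_hex7(body: str) -> List[str]:
    """hex(7) is a REG_MULTI_SZ: NUL-separated strings ending in a double NUL."""
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\0") if s]


def parse_reg_export(text: str) -> Registry:
    """Minimal REGEDIT4 reader: [key] headers, dword:, "string" and hex(7)
    values (with backslash line continuation).  Key paths are lower-cased
    because registry key names are case-insensitive."""
    registry: Registry = {}
    current = None
    pending_name, pending_body = None, ""
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if pending_name is not None:          # continuation of a hex(7) value
            pending_body += line.rstrip("\\")
            if not line.endswith("\\"):
                registry[current][pending_name] = _decode_hex7(pending_body)
                pending_name = None
            continue
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            registry.setdefault(current, {})
            continue
        match = re.match(r'"([^"]+)"=(.*)$', line)
        if match is None or current is None:
            continue
        name, data = match.group(1), match.group(2)
        if data.startswith("dword:"):
            registry[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            registry[current][name] = data[1:-1]
        elif data.startswith("hex(7):"):
            body = data[len("hex(7):"):]
            if body.endswith("\\"):
                pending_name, pending_body = name, body.rstrip("\\")
            else:
                registry[current][name] = _decode_hex7(body)
    return registry


def audit_remote_access(registry: Registry) -> List[str]:
    """Return one finding per hardening value that is absent or weak."""
    def value(key: str, name: str):
        return registry.get(key.lower(), {}).get(name)

    findings = []
    if value(LANMAN, "RestrictNullSessionAccess") != 1:
        findings.append("LanmanServer: RestrictNullSessionAccess is not 1")
    # NullSessionPipes lists the pipes a null session MAY open, so the remote
    # registry pipe appearing in it is a finding, not a mitigation.
    pipes = value(LANMAN, "NullSessionPipes") or []
    if any(p.upper() == "WINREG" for p in pipes):
        findings.append("LanmanServer: WINREG is in NullSessionPipes (null sessions "
                        "may open the remote registry pipe)")
    for key in (EVENTLOG_APP, EVENTLOG_SYS):
        log = key.rsplit("\\", 1)[-1]
        if value(key, "RestrictGuestAccess") != 1:
            findings.append(f"{log} log: RestrictGuestAccess is not 1")
    if value(WINLOGON, "DontDisplayLastUserName") != "1":
        findings.append('Winlogon: DontDisplayLastUserName is not "1"')
    return findings


if __name__ == "__main__":
    for finding in audit_remote_access(parse_reg_export(SAMPLE_EXPORT)):
        print("FINDING:", finding)
```

On a real server, export the four keys from REGEDT32 to a .reg file and feed that file's text to parse_reg_export instead of the embedded sample; an empty findings list means all three changes are in place.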
For even more information regarding securing your Windows
NT Server you may want to look at the C2 Configuration Utility
that accompanies the NT Resource Kit. If you encounter problems
using the C2 Configuration Utility on Windows NT Terminal
Server Edition, then take a look at KB Article Q216081.
I also recommend reading KB Article Q186569, entitled "Security
Configuration in Terminal Server."
So now you're asking yourself, "Why all this fuss about
locking down the Terminal Server we created for kiosks?"
Simply put, you should be securing all your servers to begin
with; the fact that these kiosks will be placed in publicly
accessible areas and require no user authentication demands that
every measure be taken on the Terminal Server side to secure this
box. The kiosks interface with the Terminal Server, which resides
on our network. Because the kiosks are in a public area and use
autologon, if we did have a network penetration originating from
a kiosk, an audit of the security log would not give us a unique
user ID as a suspect. In addition to locking down the Terminal
Server you may consider placing surveillance cameras in and around
your kiosks as a physical deterrent.
Reader Submissions
To Happy Hacker,
I enjoy reading your articles and guides, but sometimes I get
confused and was wondering if you can explain it for me. Anyway,
I was wondering how would I get into my other PC, which is on
the second floor of my house? It would have to be like hacking
into it, but I don't know how. Would I have to get the IP number
and then telnet to it or something? With all due respect, I would
appreciate it very much if you can explain the steps and what I
would have to do to get into my other computer using my old one.
Thank you very much,
Fontero
[Editor's Note: Fontero, it really depends
on exactly what information you would be requiring from your
other computer. If you simply wanted access to the files and
folders on your other machine you may consider an Ethernet network
and enabling file sharing on your second PC upstairs. You could
then create drive mappings to folders on your second computer.
This would likely be the easiest way.]
Hello Ms. Meinel,
I was curious about two things, one pertaining to the other.
1) How can I view the contents of a DOS window that has scrolled
by? For instance, go to your command prompt and type "net
/?" (Windows platform, c:\windows is the working directory);
you get half of the syntax help....
2) What is the syntax of net?
Thanks,
EnPhorSeR
[Editor's Note: Well, I certainly am not
Ms. Meinel; however, I am your Windows digest editor, so let me
see if I can assist you. I will answer your question two
different ways. I understand that you are using either Windows
95 or 98, since you said your working directory is c:\Windows.
However, there might be some NT users out there with the same
issue. Regardless of the OS, one solution will work in both: you
can use a little tip that I actually didn't know about until
I began using Unix. Try the following syntax. If C:\Windows is
your working directory, type Net /? |more (that line is Shift
<backslash>; it's referred to as the "pipe symbol").
You will notice that it lists the syntax of the "net"
command, and where ordinarily the text would have scrolled off
your window or screen it simply says "-more-"; at this
point you can read the syntax.
If you press "space" it will
scroll down another page, or you can press "enter" to
move down one line at a time. If you're using Windows NT you can
use the preceding example or, as I prefer, try this. Start ->
Run -> type "cmd" in your Run box. You should
get a DOS prompt in a window on your desktop.
At this point right-click the upper left corner of the window,
about where the "X" would be if it were on the left
side of the top of the window. A menu should appear;
select "Properties".
You should now have a box with a title
similar to "C:\winnt\System32\cmd.exe" Properties.
In the Windows 2000 Server final release I have the following tabs:
Options, Font, Layout, and Colors. I would select the "Layout"
tab, where I can change the screen buffer size, window size
and window position. I leave my width at 80 and height at 35, then
I change my buffer height to 350 or so.
This being complete, I click OK and choose
to save these settings for all future windows with the same name.
I now have a scroll bar to the right of my window that I
can use to scroll up to view whatever scrolled off
my screen. The buffer height determines how many lines
of text you can scroll up.
To answer your second question, the exact
syntax of net differs depending on which net function you
want to invoke. At a high level it is "net <function>
<options>". For Net Use it would be:
Net USE [devicename | *] [\\computername\sharename[\volume]
[password | *]
[/USER:[domainname\]username]
[/USER:[dotted domain name\]username]
[/USER:[username@dotted domain name]
[[/DELETE] | [/PERSISTENT : {YES | NO}]
NET USE {devicename | *} [password | *] /HOME
NET USE [/PERSISTENT:{YES | NO}]
]
Closing Comments
In an effort to bring you as much unique content as possible
I've taken to writing as many articles myself as possible. This
takes a substantial amount of time; this digest alone represents
about 40+ man-hours. Please understand if I run a few days behind.
I try to get Digests out around the end of month, but being as
I volunteer my time to put these together I put them out as time
allows. After a quick post I made regarding much of my time being
consumed by the MMORPG EverQuest I was flooded with e-mails.
Interestingly I received more e-mails in one day regarding EverQuest
than I did in the 5 weeks between Windows Digests.
One popular question that I received more often than not was
"Does EverQuest run under Windows 2000?" The answer is
"YES"; I am running Windows 2000 Advanced Server and
EverQuest runs quite well. To my knowledge DirectX 7 is currently
supported by Windows 2000 and, unlike previous versions of NT,
DirectX updates will be available. I have encountered an "occasional"
glitch under Windows 2000 that was not present in Windows 95/98.
Every once in a great while (read: every 4 hours or more) EverQuest
will completely lock up, although background applications continue
to run fine. I'm not exactly sure what is causing this, but I
suspect it may simply be a heat issue.
I'm using Index Server to catalog my six 9 GB Cheetah drives
(these suckers run HOT!) and, coupled with other background processes
(Winamp, etc.), I think the disk swapping becomes a bit much and
the drive just shuts down. I can't confirm this yet, but that
is my guess at the moment. Until I can convince Verant to give me a DLL
that will spit out debugging information for me I won't know
the exact cause. If anybody else is running Windows 2000 Advanced
Server and runs EverQuest on this platform and does NOT experience
this issue, please drop me a line. So far EverQuest runs pretty
well using a TNT2 card under Win2K.
Those of you who caught my radio interview for "The Webmaster
Show", I hope it provided some insight. I learned a pretty
good lesson: be prepared for any question or surprise they may
throw at you. I had a list of questions I would answer, so I had
prepared to speak on those particular topics; in actuality
they brought a person in on the line from Trend Micro and had
me discuss viruses/Trojans and whether or not antivirus companies
place enough emphasis on detecting and cleaning Trojans. My answer,
of course, was "NO".
.... .- .--. .--. -.-- .... .- -.-. -.- . .-. -.. .. --. . ... -
This is a list devoted to *legal* hacking! If anyone plans
to use any information in this Digest or at our Web site to
commit crime, go away! We like to put computer criminals behind
bars where they belong!
Email addresses:
Windows Editor      Greggory Peck      wineditor@happyhacker.org
Networking Editor                      neteditor@techbroker.com
Unix Editor         Mike Miller        unixeditor@techbroker.com
Clown Princess      Carolyn Meinel
To Subscribe        computer program   antionline-subscribe@onelist.com
To Unsubscribe      computer program   antionline-unsubscribe@onelist.com
List owner          John Vranesevich   jp@antionline.com
Happy Hacker is part of a 501 (c) (3) tax deductible organization