TechSapphire Saturday, 2024-10-12, 0:45 AM
Site menu
Login form
News
Play Games
  • Deep Freeze
  • Ice Slide
  • Gyroball
  • Fat Fish
  • Bush Royal Rampage
  • System

    1. Disable Storage of Credentials and .NET Passwords (Windows XP)

    This setting controls the storage of authentication credentials and .NET passwords on the local system. By disabling this feature, passwords will not be stored.

    Create a new DWORD value, or modify the existing value called 'DisableDomainCreds' using the settings below.

    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    Name: DisableDomainCreds
    Type: REG_DWORD (DWORD Value)
    Value: (0 = enable storage (default), 1 = disable storage)

    2. Disable System Restore Tools and Settings (Windows XP)

    System Restore allows users to revert Windows settings and configuration changes to an earlier point in time (called Restore Points). This tweak can be used to restrict user access to the System Restore tools and settings.

    Disable System Restore on Start Menu
    Create a new DWORD value called "DisableSR" and set it to "1" to disable the System Restore tools on the Start menu (Start > Programs > Accessories > System Tools > System Restore).

    Restrict Access to System Restore Settings
    Create a new DWORD value called "DisableConfig" and set it to "1" to disable System Restore Settings link in the System Restore interface and the Control Panel > System > System Restore page.

    Changes take effect immediately.

    Note: These settings will not stop Windows from making automatic System Checkpoints, but will disable access to restore them.


    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
    Name: DisableConfig, DisableSR
    Type: REG_DWORD (DWORD Value)
    Value: (1 = enable restriction)

    3. Configure Windows Software Update Services (Windows 2000/XP)

    These settings allow you to configure Windows client machines to use custom Microsoft Software Update Services (SUS) located on an internal corporate network instead of the Windows Update Internet site.

    Open your registry and find or create the key below.

    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]

    Create a new DWORD value called "UseWUServer" and set it to "1" to use custom update servers or delete the value to use the default Internet site.

    Then open the key

    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]

    and create two new string values called "WUServer" and "WUStatusServer", set these values to the names of the custom update servers (e.g. "http://intranetupdate").

    Note: Information in Microsoft Software Update Services (SUS) can be found online at http://www.microsoft.com/windows2000/windowsupdate/sus/

    Settings:
    System Key: [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
    Name: UseWUServer, WUServer, WUStatusServer

    4. Restrict Shortcut and WinHelp Commands (Windows NT/2000/XP)

    This restriction can be used to specify which directories contain Help files that can use the Shortcut and WinHelp commands. By clearing this setting you can also completely disable the help commands on the system.

    Create a new Expanded String value, or modify the existing value called 'HelpQualifiedRootDir' using the settings below.

    Note: With features in HTML Help, you can run executable programs from a help (.chm) file. The Shortcut command is used to run an executable program that is external to the Help file. The WinHelp command is used to run Winhlp32.exe to display a Winhelp (.hlp) file. This article describes how to restrict the Help files that are allowed to use the Shortcut and WinHelp commands.

    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    Name: HelpQualifiedRootDir
    Type: REG_EXPAND_SZ (Expanded String Value)
    Value: Allowed Help File Directories (semi-colon delimiter)

    5. Secure Access to Removable Drives (Windows NT/2000/XP)

    This setting determines whether the ability to access removable drives is available to other users.

    Create a new string value, or modify the existing value, called "AllocateDASD" and set it according to the table below.

    • 0 - Administrators only
    • 1 - Administrators and power users
    • 2 - Administrators and the interactive user

    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Name: AllocateDASD
    Type: REG_SZ (String Value)


    6. Restrict the Language and Locale Region (Windows 2000/XP)

    This restriction is used to set the language used in menus and dialog boxes in Windows and prevent users from changing it. When enabled the system disables the menus and dialog boxes in the Regional Options in Control Panel.

    Create a new DWORD value called "MultiUILanguageID" and set it to a value from the table below to restrict the system to that language.

    Language Decimal Hexadecimal
    Arabic 1025 0x401
    Brazilian 1046 0x416
    Chinese (Simplified) 2052 0x804
    Chinese (Traditional) 1028 0x404
    Czech 1029 0x405
    Danish 1030 0x406
    Dutch 1043 0x413
    English (Default) 1033 0x409
    Finnish 1035 0x40b
    French 1036 0x40c
    German 1031 0x407
    Greek 1032 0x408
    Hebrew 1037 0x40d
    Hungarian 1038 0x40e
    Italian 1040 0x410
    Japanese 1041 0x411
    Korean 1042 0x412
    Norwegian 1044 0x414
    Polish 1045 0x415
    Portuguese 2070 0x816
    Russian 1049 0x419
    Spanish 3082 0xc0a
    Swedish 1053 0x41D
    Turkish 1055 0x41f


    Settings:
    User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\Desktop]
    Name: MultiUILanguageID
    Type: REG_DWORD (DWORD Value)
    Value: Language Identifier

    7. Disable Group Policy Objects
    (Windows 2000/XP)

    This setting is used to disable the use of group policy objects on the local computer.

    Create a new DWORD value, or modify the existing value called 'DisableGPO' using the settings below.

    Settings:
    System Key: [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
    Name: DisableGPO
    Type: REG_DWORD (DWORD Value)
    Value: (0 = default, 1 = disable group policy)

    8. Change Default Administrator Ownership
    (Windows XP)

    Windows XP may assign the ownership of some file system objects to the Administrator account, instead of the Administrators group. This behaviour may not be desirable where there are multiple administrative users.

    Create a new DWORD value, or modify the existing value called 'NoDefaultAdminOwner' using the settings below.

    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    Name: NoDefaultAdminOwner
    Type: REG_DWORD (DWORD Value)
    Value: (0 = disabled, 1 = default)

    9. Reboot Windows After a Crash (Windows NT/2000/XP)

    This parameter controls whether Windows should automatically reboot after a system failure or if the blue crash screen should be displayed.

    Create a new DWORD value, or modify the existing value called 'AutoReboot' using the settings below.

    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
    Name: AutoReboot
    Type: REG_DWORD (DWORD Value)
    Value: (0 = disabled, 1 = auto reboot)
      
    10. Configure Windows Script Signature Security (All Windows)

    This setting is used to define whether trusted and untrusted scripts should be executed when using signature verification. By requiring a signature the system will only execute scripts from verified authors.

    Create a new DWORD value, or modify the existing value called 'TrustPolicy' using the settings below.


    Settings:
    User Key: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings]
    Name: TrustPolicy
    Type: REG_DWORD (DWORD Value)
    Value: "0" = all, "1" = prompt, "2" = only trusted

    11. Secure Access to Floppy Drives (Windows NT/2000/XP)

    This setting determines whether data in the floppy disk drive is accessible to other users.

    Because the floppy disk drive is a volume, by default it is shared as an administrative share on the network. If the value of this entry is 1, the floppy disk drive is allocated to the user as part of the interactive logon process and, therefore, only the current user can access it. This prevents administrators and remote users (and even the same user at a different workstation) from accessing the drive while the current user is logged on. The drive is shared again when the current user logs off.

    Value Meanings:

  • '0' = Floppy disks in the floppy disk drive can be accessed by all administrators in the domain.
  • '1' = Only the user logged on locally can access data on the floppy disks in the floppy disk drive.
  • Note: This value entry satisfies, in part, the C2 security requirement that you must be able to secure removable media.


    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Name: AllocateFloppies
    Type: REG_SZ (String Value)
    Value: (0 = enabled, 1 = disabled)

    12. Secure Access to CD-ROM Drives (Windows NT/2000/XP)

    This setting determines whether data in the CD-ROM drive is accessible to other users.

    Because the CD-ROM drive is a volume, by default, it is shared as an administrative share on the network. If the value of this entry is 1, the CD-ROM drive is allocated to the user as part of the interactive logon process and, therefore, only the current user can access it. This prevents administrators and remote users (and even the same user at a different workstation) from accessing the drive while the current user is logged on to the computer. The drive is shared again when the current user logs off the computer.

    Value Meanings:

  • '0' = Compact discs in the CD-ROM drive can be accessed by all administrators in the domain.
  • '1' = Only the user logged on locally can access data on the compact discs in the CD-ROM drive.
  • Note: This value entry satisfies, in part, the C2 security requirement that you must be able to secure removable media.


    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Name: AllocateCDRoms
    Type: REG_SZ (String Value)
    Value: (0 = enabled, 1 = disabled)

    13. Specify Executable Files to be Lauched by Winlogon (Windows NT/2000/XP)

    This setting specifies a list of executable files to be run by Winlogon in the system context when Windows starts.

    Create a new String value, or modify the existing value called 'System' using the settings below.


    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Name: System
    Type: REG_SZ (String Value)
    Value: (default = lsass.exe)

    14. Secure Network Access to the Windows Registry (Windows NT/2000/XP)

    Windows supports accessing a remote registry via the Registry Editor across a network. The default setting allows for users to connect and modify data within the remote registry.

    By creating the new key listed below, or modifying the existing key if it already exits, it is possible to control access to the registry remotely.

    Use REGEDT32 to modify the permissions on the key below to suit your security requirements, the permissions on this key represent the remote access permissions to the registry.


    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]

    15. Restrict Access to Base System Objects (Windows NT/2000/XP)

    In Windows the core operating system libraries are kept in virtual memory and shared between the programs running on the system. This has exposed a vulnerability that could allow a user to gain administrative privileges on the computer the user is interactively logged onto.

    To enable stronger protection on system base objects such as the KnownDLLs list, change the value of 'ProtectionMode' to equal '1' in the registry key below.


    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    Name: ProtectionMode
    Type: REG_DWORD (DWORD Value)
    Value: (0 = disabled, 1 = enabled)

    16. Specify a Replacement GINA Authentication DLL (Windows NT/2000/XP)

    Windows is shipped to load and execute the standard Microsoft GINA DLL (Graphical Identification and Authentication dynamic-link library) called MSGina.dll. You can specify a replacement GINA DLL using this setting.

    Create a new String value, or modify the existing value called 'GinaDLL' using the settings below. 


    Settings:
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Name: GinaDLL
    Type: REG_SZ (String Value)

    17. Restart the Shell Automatically (Windows NT/2000/XP)

    By default if the Windows user interface or one of its components fails, the interface is restarted automatically, the can be changed so that you must restart the interface by logging off and logging on again manually.

    Create a new DWORD value, or modify the existing value called 'AutoRestartShell' using the settings below.

    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Name: AutoRestartShell
    Type: REG_DWORD (DWORD Value)
    Value: (0 = disable, 1 = enabled)

    18. Prompt for Password on Resume (Windows XP)

    This setting allows you to configure the computer to always lock and require a password after resuming from hibernate or suspend mode.

    Create a new DWORD value, or modify the existing value called 'PromptPasswordOnResume' using the settings below.

    Settings:
    User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Power]
    System Key: [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Power]
    Name: PromptPasswordOnResume
    Type: REG_DWORD (DWORD Value)
    Value: (0 = no prompt, 1 = prompt)


    19. Restrict Access to the Event Logs (Windows NT/2000/XP)

    The Windows event log contains records documenting application, security and system events taking place on the machine. As these logs can contain sensitive data this tweak allows you to restrict access to administrators and system accounts only.

    Under this key are three sub-keys: Application, Security and System. These subkeys represent each section of the event log. To restrict access to each section create a new DWORD value of 'RestrictGuestAccess' under each sub-key and set it to equal '1'. To restrict access to only certain sections, then only add the value to that specific key.


    Settings:
    System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog]
    Name: RestrictGuestAccess
    Type: REG_DWORD (DWORD Value)
    Value: (0 = guest access, 1 = restricted access)


    Categories
    Programming [27]
    Tips for programming
    Security [2]
    Security Tips
    Google [1]
    Use google faster then ever you use
    Project [14]
    HTML [2]
    Electronics [0]
    Data Structure [0]
    Database [16]
    SQL SERVER
    SSRS [1]
    Sql Server Reporting Services
    Copyright MyCorp © 2024