Securing Windows

Introduction

There are two ways to reduce security issues when running Windows: either running it natively, or running it on top of a virtualizer.

Things to do when running Windows natively

Hardware

Software

  1. When pulling a new Windows PC out of the box, do not connect it to the Net, and clone its partitions to a DVD or external drive that will be put in a safe place in case you need to reinstall Windows to a pristine state
  2. In addition to the NAT router, Windows should have a software firewall to check outgoing connections
  3. Anti-malware software with automatic, daily updates of its virus dictionary and a daily system check
  4. A web proxy like Privoxy to remove suspicious content from web pages
  5. If not using online services like Gmail, a spam filter like POPFile
  6. Use two accounts: Administrative account to manage software, and regular account to use software
  7. Enable Windows Update
  8. Do not run programs that you don't know to be safe. Besides regular executable files like EXE, COM, or BAT, this also includes attachments that can contain executable code, like DOC, XLS, SCR, or PIF. Set up your antivirus to scan attachments before they are listed in your e-mail client, and set up your e-mail application so that it doesn't execute attachments unless you double-click on them
  9. Keep daily backups of your data (documents, e-mail addresses, etc.) on removable media like a USB key, and on a remote server. SyncBack is a recommended backup program for Windows
  10. Make regular restoration points
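
As an added illustration of item 8 (not part of the original page): a Python script that lists the attachments of a mail message whose file name ends in one of the extensions named there, and notes when that extension sits behind another one, since Windows Explorer hides known extensions by default. The function names and the sample message are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in item 8 of the list above.
RISKY_EXTENSIONS = {"exe", "com", "bat", "doc", "xls", "scr", "pif"}


def risky_attachments(raw_message: bytes) -> list:
    """Return (filename, extension, has_double_extension) for each risky attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces in file names, so drop them first.
        pieces = name.strip().rstrip(". ").lower().split(".")
        if len(pieces) < 2:
            continue  # no extension at all
        ext = pieces[-1]
        if ext in RISKY_EXTENSIONS:
            # More than one dot means the real extension may be hidden in Explorer.
            findings.append((name, ext, len(pieces) > 2))
    return findings


def build_sample() -> bytes:
    """Constructed sample message with four attachments (placeholder contents)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("notes.txt", "invoice.pdf.scr", "SETUP.EXE", "photo.jpg"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ext, double in risky_attachments(build_sample()):
        note = " (double extension)" if double else ""
        print(f"do not open without scanning: {name} [.{ext}]{note}")
```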

Running Windows through a virtualizer

Windows network ports

Resources