Harden XP Part1

By Super Admin | Published 02/25/2005 | Security

Personally I like Windows XP for its drivers and compatibility, configurability and looks. What I certainly don't like is the huge amount of built-in features (flaws) like Remote Desktop Connection, etc., making XP vulnerable in its default state. My goal is to show the fast security options, emphasizing what the side effects and advantages are, and then show you some additional security settings using the built-in MMC (Microsoft Management Console) and the default security templates, which are already present on every XP box.

In my opinion, you don't have to read a whole security book with an average length of 500 pages for some security settings which would fit on 1 page.

1) Disable NetBIOS over TCP/IP   {no side effect unless you are using NetBIOS names}

   Go to Start ---> Control Panel ---> Network and Internet Connections ---> Network Connections

   Right-click on your connection (Local, or whatever you use) and go to Properties

   Right-click TCP/IP, go to options, click on Advanced and select the WINS tab, clear the Disable NetBIOS over TCP/IP checkbox.

2) While you are there you might as well disable (better: uninstall) Client for Microsoft Networks and File and Printer Sharing.

   Really the only thing you need is TCP/IP (the standard internet protocol).

   This might affect sharing files with ICQ, MSN, AIM etc., which is bad anyway. The Kazaa and Overnet file sharing programs remain unaffected by this.



3) Change your computer name to something less usual, like an underscore.

4) Go to Start ---> Run and press Browse

   Browse to C:\WINDOWS\system32\ddeshare.exe

   and press Enter. Disable all the shares listed there, like Hearts (port 135), Blackjack etc. Ever wondered where this port 135 comes from?

6) Regedit part

   Go to Start ---> Run and enter "regedit"

   Before going any further, make a backup of the registry by exporting the current registry settings under File ---> Export.

   Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control\Lsa\restrictanonymous

   Double-click on this registry entry and enter the value 2.

   This totally disables null session enumeration (nobody can enumerate accounts etc.).

   restrictanonymoussam should be at value 1; it can't go to a higher value.



   Click on the + in front of LanManServer and click on Parameters.

   On the right half of the registry editor, double-click on NullSessionPipes.

   Delete everything that's there as value.

   The same goes for lanmanworkstation.

8) goto


   Double-click on EnableIcmpRedirect and enter the value 0 (disabled).

   The same goes for DeadGwDetect.

   Double-click on EnableSecurityFilters and enter the value 1 (enabled).


   Export (save) your new registry settings to a floppy, for later use.
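
The registry targets from the steps above, checked against a .reg export such as the backup made before editing. This is an added example, not part of the original article: the Services key paths for LanmanServer and Tcpip are assumed to be the standard Windows locations, the sample export is constructed, and `parse_reg` and `audit` are hypothetical helper names.

```python
import re

# Targets from the article's registry steps; the Services path is assumed.
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
BASELINE = {
    (LSA, "restrictanonymous"): 2,
    (LSA, "restrictanonymoussam"): 1,
    (SVC + r"\LanmanServer\Parameters", "NullSessionPipes"): [],
    (SVC + r"\Tcpip\Parameters", "EnableICMPRedirect"): 0,
    (SVC + r"\Tcpip\Parameters", "DeadGWDetect"): 0,
    (SVC + r"\Tcpip\Parameters", "EnableSecurityFilters"): 1,
}

# Constructed sample export (not from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,\
  53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000001
"EnableSecurityFilters"=dword:00000001
"""

def parse_reg(text):
    """Map (key, value name), lowercased, to an int (dword) or list (hex(7))."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        if not (m := re.match(r'"([^"]+)"=(dword|hex\(7\)):(.*)$', line)):
            continue
        if m.group(2) == "dword":
            data = int(m.group(3), 16)
        else:  # REG_MULTI_SZ: NUL-terminated UTF-16LE strings
            raw = bytes.fromhex(m.group(3).replace(",", ""))
            data = [s for s in raw.decode("utf-16-le").split("\0") if s]
        values[(key, m.group(1).lower())] = data
    return values

def audit(text):
    """Return (value name, found, wanted) for every setting off the baseline."""
    found = parse_reg(text)
    got = {k: found.get((k[0].lower(), k[1].lower()), "missing") for k in BASELINE}
    return [(k[1], got[k], want) for k, want in BASELINE.items() if got[k] != want]
```

Regedit writes version 5.00 exports as UTF-16, so read a real file with `encoding="utf-16"` before passing its text to `audit()`.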


Windows XP Professional

9) Go to Start ---> Run and enter mmc

   This will open the Microsoft Management Console.

   Go to File ---> Add/Remove Snap-in..

   Go to Add and select the snap-ins:

      1) Security Templates

      2) Security Configuration and Analysis

   Once done correctly you should see 2 windows:

   one named console 1 and one named Console Root\Security Templates

   Right-click on Security Configuration and Analysis and go to Open Database.

   In the new window just enter a nonexistent name and you will see a new screen coming up with the standard security templates, like securews (secure workstation), hisecws, etc. Click on securews and open it.

   Right-click on Security Configuration and Analysis and go to Analyze Computer Now.

   After the PC has finished analysing the local security policy you will see a similar tree structure as in regedit.

   Click on the + in front of Sec... Confi... And Analy...

   and go to Local Policies\User Rights Assignment

   Double-click on the right side on: Deny access to this computer from ...

   Check: Define this policy

   Click on "Add user group"

   Click Advanced ---> Find Now

   and select Everyone

   After this, right-click on Security Configuration and Analysis

   and go to Configure Computer Now.

   Exit the program and save the newly made console under whatever name you like best.

(This is the whole procedure, as far as security templates are concerned.)

There are a lot more settings, user rights assignments etc.

That will all be in part 2 (I hope to finish an automated script that does all of the above automatically with less user interaction).


  • Comment #1 (Posted by an unknown user)
    Good tut, thanks :) but if you rename your computer name you will have to re-activate M$ Office, so you better have the key!
  • Comment #2 (Posted by an unknown user)
    KEWEL, I appreciate this!
  • Comment #3 (Posted by an unknown user)
    Thanks for the info, I am waiting for completion of Harden XP
  • Comment #4 (Posted by an unknown user)
    I can't access my shared drives / NAS after changing user rights assignment.... WTF!
  • Comment #5 (Posted by an unknown user)
    Full of spelling mistakes and the paths indicated for registry entry are outright erroneous! You might want to at least validate and correct plagiarized work before you publish it! Bunch of morons. It's not HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control\Services\Tcpip\Parameters but HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\Tcpip\Parameters Amongst other things....