32 Steps to PC Security

Taking the following steps will repair all of the major flaws known to exist in Microsoft Windows operating
systems. Unlike signature-based protection, these repairs will fix the problem, so that all attacks capitalizing
on a specific vulnerability are stopped, not just attacks with known signatures.

Today’s security solutions mix firewalls, anti-virus software, patches, detectors, host and network intrusion
prevention and all manner of encryption to achieve a high level of security. This layered approach has proven
to be the only viable solution to Internet-connected computing. Unfortunately, this approach creates a great
deal of complexity. Is your firewall configured properly? Is your anti-virus software up to date? Do you have
the latest service pack for your operating system? Taking the following steps will help to keep your computer
secure even if other security measures fail.

The last four steps listed below require the Samurai application, and all of the steps below can be
automatically performed by the Samurai application. If you want to avoid the possibility of corrupting your
registry, and want the ability to undo any security setting, I suggest using Samurai rather than performing
these steps manually.

Step 1
Disable known insecure ActiveX controls.

This step disables the use of insecure ActiveX controls. The registry key
“HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility” must be
updated with the GUIDs of known insecure controls that do not affect normal
operation when disabled. The GUIDs are:

// ADODB control
{00000566-0000-0010-8000-00AA006D2EA4}
// Shell.Application
{13709620-C279-11CE-A49E-444553540000}
// AnchorClick DHTML Behavior
{8856F961-340A-11D0-A96B-00C04FD705A2}
// Image Control 1.0 (uses asycpict.dll)
{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}
// DHTML Editing Control
{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
// JView Profiler
{03D9F3F2-B0E3-11D2-B081-006008039BF0}
// Microsoft preloader
{16E349E0-702C-11CF-A3A9-00A0C9034920}

REFERENCES:
How to stop an ActiveX control http://support.microsoft.com/kb/240797
ADODB Control http://support.microsoft.com/default.aspx?kbid=870669
Shell Application http://www.windowsitpro.com/Article/ArticleID/43261/43261.html
AnchorClick DHTML Behavior https://lists.aas.duke.edu/pipermail/ntgroup/2000-September/000013.html
Image Control http://cert.uni-stuttgart.de/archive/bugtraq/2004/10/msg00143.html
DHTML Edit Control http://www.kb.cert.org/vuls/id/39965
JView Profiler http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx
Microsoft Preloader http://support.microsoft.com/default.aspx?scid=kb;en-us;231452&sd=tech
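The following PowerShell is an added example, not part of the original post or of the Samurai application. It sets the kill bit for the Step 1 controls using the "Compatibility Flags" DWORD and the 0x400 flag documented in KB 240797 (cited above), and reports the current state of each control so the change can be verified; it assumes an elevated prompt.

```powershell
# Added example (not from the original post): kill-bit the Step 1 ActiveX controls.
# "Compatibility Flags" and the 0x400 kill bit are documented in KB 240797.
$KillBitBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit     = 0x400

# Description => CLSID, taken from the Step 1 list.
$InsecureControls = [ordered]@{
    'ADODB control'              = '{00000566-0000-0010-8000-00AA006D2EA4}'
    'Shell.Application'          = '{13709620-C279-11CE-A49E-444553540000}'
    'AnchorClick DHTML Behavior' = '{8856F961-340A-11D0-A96B-00C04FD705A2}'
    'Image Control 1.0'          = '{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}'
    'DHTML Editing Control'      = '{2D360201-FFF5-11D1-8D03-00A0C959BC0A}'
    'JView Profiler'             = '{03D9F3F2-B0E3-11D2-B081-006008039BF0}'
    'Microsoft preloader'        = '{16E349E0-702C-11CF-A3A9-00A0C9034920}'
}

function Get-KillBitState {
    # One object per control: current flags and whether the kill bit is set.
    foreach ($entry in $InsecureControls.GetEnumerator()) {
        $key   = Join-Path $KillBitBase $entry.Value
        $flags = 0
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            if ($null -ne $item.'Compatibility Flags') { $flags = [int]$item.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Control = $entry.Key
            Clsid   = $entry.Value
            Flags   = ('0x{0:X}' -f $flags)
            KillBit = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    # OR the kill bit into any existing flags rather than overwriting them.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($entry in $InsecureControls.GetEnumerator()) {
        $key = Join-Path $KillBitBase $entry.Value
        if (-not $PSCmdlet.ShouldProcess($entry.Key, "set kill bit on $($entry.Value)")) { continue }
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        $new = ([int]$current) -bor $KillBit
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

Get-KillBitState | Format-Table -AutoSize   # audit only; Set-KillBit -WhatIf previews the change
```

Clearing the DWORD (or running the Samurai undo) restores the control; re-run Get-KillBitState afterwards to confirm.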

Step 2
Disable the AIM URL protocol handler.

This step prevents the use of the AIM URL protocol by replacing the insecure
ActiveX GUID with a harmless substitute, in this case the HTML Help GUID is
used. The AIM URL protocol is not required for normal operation and does not
affect AOL Instant Messaging.

The registry key is “HKCR\PROTOCOLS\Handler\aim”.
The registry value is “CLSID”.
The registry data should be changed to 3050F406-98B5-11CF-BB82-00AA00BDCE0B.

REFERENCE:
AOL Instant Messenger Buffer Overflow
http://www.governmentsecurity.org/archive/t10639.html

Step 3
Prevent anonymous sessions.

This step prevents the use of anonymous sessions by setting the registry value
“HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous” to true. This
setting will not become active until the machine is rebooted.

REFERENCE:
Null Session Vulnerability http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xeconreducenullsessionvulnerability.asp

Step 4
Disable automatic file open from explorer.

This step prevents Explorer from opening files without first prompting the user.
This is accomplished by masking all auto open bits in EditFlags values of
registry keys located in:
HKLM\Software\Classes,
HKLM\Software\Classes\Shell\Open,
HKLM\Software\Classes\CLSID,
HKCU\Software\Classes,
HKCU\Software\Classes\Shell\Open
HKCU\Software\Classes\CLSID.

The Automatic Open bit is the first bit (0x01) so mask with 0xfe.

REFERENCE:
Microsoft Windows XP Registry Guide
http://www.microsoft.com/mspress/books/index/6232.asp

Step 5
Stop the Background Intelligent Transfer Service.

This step stops the Background Intelligent Transfer Service. This service is not
required for normal operation and can be abused to allow full control of a host
machine from a remote computer. If the service is stopped, features such as
Windows Update, and MSN Explorer will be unable to automatically download
programs and other information. If this service is disabled, any services that
explicitly depend on it may fail to transfer files if they do not have a fail
safe mechanism to transfer files directly through IE in case BITS has been
disabled.

This service must be running to perform Windows updates.

REFERENCE:
Background Intelligent Transfer Service
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/bits/bits/bits_start_page.asp

Step 6
Disable dangerous URL protocols.

This step disables the use of insecure URL types “ms-its”, “ms-itss”, “its”,
“mk” and “local” by removing the type entries from the
“HKLM\Software\Classes\Protocols\Handler” and “HKCR\Protocols\Handler” registry
keys. These URL types are used in Cross-Domain Scripting Exploits.

REFERENCES:
Outlook Express Vulnerability http://www.risksecure.com/bugarticle/12
HTML Help Vulnerability http://msmvps.com/donna/archive/2004/04/09/4818.aspx

Step 7
Prevent Denial of Service attacks.

This step helps to prevent “SYN Flood” and “Path MTU” Attacks from disabling
TCP/IP by setting the "SynAttackProtect" and “EnablePMTUDiscovery” values of the
"HKLM\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters" registry key. The
SynAttackProtect value is set to 2, which adds additional delays to connection
indications and allows TCP connection requests to timeout quickly when a SYN
attack is in progress. The EnablePMTUDiscovery value is set to 0 (disabled),
which prevents the Path Maximum Transmission Unit from being set low enough to
disrupt TCP/IP.

REFERENCE:
How to harden the TCP/IP stack http://support.microsoft.com/default.aspx?scid=kb;en-us;Q315669&sd=tech

Step 8
Disable insecure job icon handlers.

This step disables dynamic icon handlers for (.job) JobObject files by removing
the "IconHandler" keys from "HKCR\JobObject\shellex" and
"HKLM\SOFTWARE\Classes\JobObject\shellex". Dynamic job icon handlers are not
required for normal operation and can be abused to allow full control of a host
machine from a remote computer.

REFERENCE:
Microsoft Security Bulletin MS04-022
https://www.microsoft.com/technet/security/bulletin/MS04-022.mspx

Step 9
Set and secure "My Computer" zone.

This step secures “My Computer Zone” by resetting the values of the registry key
“SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0”. These
special settings prevent many vulnerabilities including MS05-001, MS05-008 and
MS05-014. The settings are:

Value  Setting                                                     Data
1001   Download signed ActiveX controls                            Disable
1004   Download unsigned ActiveX controls                          Disable
1200   Run ActiveX controls and plug-ins                           Allow
1201   Initialize and script ActiveX controls not marked as safe   Disable
1400   Active Scripting                                            Allow
1402   Scripting of Java applets                                   Disable
1405   Script ActiveX controls marked as safe for scripting        Allow
1406   Access data sources across domains                          Disable
1407   Allow paste operations via script                           Disable
1601   Submit non-encrypted form data                              Disable
1604   Font Download                                               Disable
1605   Run Java                                                    Disable
1606   User Data persistence                                       Disable
1607   Navigate sub-frames across different domains                Disable
1608   Allow META REFRESH                                          Disable
1609   Display mixed content                                       Disable
1800   Installation of desktop items                               Disable
1802   Drag and drop or copy and paste of files                    Allow
1803   File Download                                               Disable
1804   Launching programs and files in an IFRAME                   Disable
1E05   Software channel permissions                                196608

REFERENCES:
How to strengthen the Local Machine Zone
http://support.microsoft.com/kb/833633/EN-US/
Introduction to URL Security Zones http://msdn.net/library/default.asp?url=/workshop/security/szone/overview/overview.asp
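The script below is an added example, not part of the original post or of Samurai. It audits the zone 0 values against the Step 9 table and applies the missing ones, exporting the key first so the change can be undone with reg import. The page gives the key without a hive, so the per-user copy under HKCU is assumed; the numeric policy values (0 = Allow, 3 = Disable) are the ones Internet Explorer stores for URL actions.

```powershell
# Added example (not from the original post): audit and apply the Step 9 "My Computer"
# zone settings. HKCU is an assumption; the page does not name the hive.
$Zone0Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'

# URL action policy values as IE stores them: 0 = Allow, 1 = Prompt, 3 = Disable.
$Allow   = 0
$Disable = 3

# The Step 9 table: value name => required data (1E05 is a raw DWORD).
$Zone0Required = [ordered]@{
    '1001' = $Disable   # Download signed ActiveX controls
    '1004' = $Disable   # Download unsigned ActiveX controls
    '1200' = $Allow     # Run ActiveX controls and plug-ins
    '1201' = $Disable   # Initialize and script ActiveX controls not marked as safe
    '1400' = $Allow     # Active Scripting
    '1402' = $Disable   # Scripting of Java applets
    '1405' = $Allow     # Script ActiveX controls marked as safe for scripting
    '1406' = $Disable   # Access data sources across domains
    '1407' = $Disable   # Allow paste operations via script
    '1601' = $Disable   # Submit non-encrypted form data
    '1604' = $Disable   # Font Download
    '1605' = $Disable   # Run Java
    '1606' = $Disable   # User Data persistence
    '1607' = $Disable   # Navigate sub-frames across different domains
    '1608' = $Disable   # Allow META REFRESH
    '1609' = $Disable   # Display mixed content
    '1800' = $Disable   # Installation of desktop items
    '1802' = $Allow     # Drag and drop or copy and paste of files
    '1803' = $Disable   # File Download
    '1804' = $Disable   # Launching programs and files in an IFRAME
    '1E05' = 196608     # Software channel permissions
}

function Test-Zone0Settings {
    # Returns one object per value that is missing or differs from the table.
    $current = Get-ItemProperty -LiteralPath $Zone0Key -ErrorAction SilentlyContinue
    foreach ($name in $Zone0Required.Keys) {
        $actual = if ($null -ne $current) { $current.$name } else { $null }
        if ($null -eq $actual -or [int]$actual -ne $Zone0Required[$name]) {
            [pscustomobject]@{ Value = $name; Required = $Zone0Required[$name]; Actual = $actual }
        }
    }
}

function Set-Zone0Settings {
    # Exports the key before touching it so 'reg import <file>' undoes the change.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$BackupDir = $env:TEMP)
    $backup = Join-Path $BackupDir ('zone0-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    $regKey = $Zone0Key -replace '^HKCU:\\', 'HKCU\'
    if ($PSCmdlet.ShouldProcess($regKey, "export to $backup")) { reg.exe export $regKey $backup | Out-Null }
    if (-not (Test-Path -LiteralPath $Zone0Key) -and $PSCmdlet.ShouldProcess($regKey, 'create key')) {
        New-Item -Path $Zone0Key -Force | Out-Null
    }
    foreach ($drift in Test-Zone0Settings) {
        if ($PSCmdlet.ShouldProcess("$regKey\$($drift.Value)", "set to $($drift.Required)")) {
            Set-ItemProperty -LiteralPath $Zone0Key -Name $drift.Value -Value $drift.Required -Type DWord
        }
    }
}

Test-Zone0Settings | Format-Table -AutoSize   # drift report only; Set-Zone0Settings -WhatIf previews
```

The same functions serve the HKLM copy of the key (the machine-wide setting that KB 833633 above discusses) by changing $Zone0Key and the hive prefix in the -replace.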

Step 10
Disable dangerous .grp file conversions.

This step disables the insecure association between “.grp” files and
“MSProgramGroup” by deleting both registry keys from HKCR.

REFERENCES:
Vulnerability in Windows http://www.derkeiler.com/Mailing-Lists/Securiteam/2004-10/0041.html
Common File Extensions http://www.theoreticalreality.com/html/extensions.html

Step 11
Disable the Guest Account.

This step disables the guest account by removing account registry keys “V” and
“F” from “SAM\SAM\Domains\Account\Users\000001F5”. The guest account is not
required for normal operation and can be used by privilege escalation exploits
to gain full administrative control of a machine.

REFERENCES:
Delete Windows Guest Account http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2001-10/0215.html
Hide/Delete the Guest Account http://www.winguides.com/forums/showflat.php?Cat=&Board=brdNewTweaks&Number=70039&page=0&view=collapsed&sb=6&part=

Step 12
Disable the HTML Application MIME type.

This step disables the HTML application type by removing the “application/hta”
registry key from both “HKCR\MIME\Database\Content Type” and
“HKLM\SOFTWARE\Classes\MIME\Database\Content Type”.

REFERENCES:
Introduction to HTML Applications http://msdn.microsoft.com/library/default.asp?url=/workshop/author/hta/overview/htaoverview.asp
Application/HTA Vulnerability http://www.kb.cert.org/vuls/id/865940

Step 13
Secure HTTP configuration parameters.

This step adjusts registry values under the
“HKLM\System\CurrentControlSet\Services\HTTP\Parameters” key to secure HTTP from many
common vulnerabilities. The settings are:

"AllowRestrictedChars" 0
"EnableNonUTF8" 1
"FavorUTF8" 1
"MaxConnections" 0x7fffffff
"MaxEndpoints" 0
"MaxFieldLength" 16384
"MaxRequestBytes" 16384
"PercentUAllowed" 1
"UrlSegmentMaxCount" 255
"UriEnableCache" 1
"UriMaxUriBytes" 262144
"UriScavengerPeriod" 120
"UrlSegmentMaxLength" 260

REFERENCES:
Registry Settings for IIS http://support.microsoft.com/?kbid=820129
IIS 6.0 Security http://www.securityfocus.com/infocus/1765

Step 14
Stop the Windows Indexing Service.

This step stops the Windows Indexing Service. This service is not required for
normal operation and can be abused to allow full control of a host machine from
a remote computer.

REFERENCES:
Indexing Service http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prkc_fil_gglv.asp
Indexing Service Buffer Overflow http://secunia.com/advisories/13802/
Microsoft Security Bulletin MS05-003
http://www.microsoft.com/technet/security/bulletin/MS05-003.mspx

Step 15
Disable null session License Logging.

This step disables insecure null session license logging by removing "LLSRPC"
from the “NullSessionPipes” value of the
“HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” registry key.

REFERENCE:
Microsoft Security Bulletin MS05-010
http://www.microsoft.com/technet/security/bulletin/MS05-010.mspx

Step 16
Prevent LSASS (Sasser based) exploits.

This step repairs a well-known LSASS vulnerability by setting the LSASS
dcpromo.log file to “read only”. The dcpromo.log file can be found in the system
directory under the “debug” directory.

REFERENCES:
How to prevent a Sasser infection
http://www.microsoft.com/cze/security/incident/sasser_script_dcpromo.mspx
Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Step 17
Stop the Windows Messaging Service.

This step stops the Windows Messaging Service. This service is not required for
normal operation and can be abused to allow full control of a host machine from
a remote computer. This step does not affect Instant Messaging services.

REFERENCES:
Windows Messenger Service Exploit
http://www.more.net/security/advisories/2002/021025.html
Windows Messenger http://www.microsoft.com/windows/messenger/

Step 18
Stop the Net DDE Service.

This step stops the Network Dynamic Data Exchange Service. This service is not
required for normal operation and can be abused to allow full control of a host
machine from a remote computer.

REFERENCE:
Unchecked Buffer in NetDDE http://www.kb.cert.org/vuls/id/640488

Step 19
Disable the Private Communication Transport.

This step disables the PCT protocol by removing both the “Client” and “Server”
registry keys under
“HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT
1.0”. The PCT protocol is not required for normal operation and can be abused to
allow full control of a host machine from a remote computer.

REFERENCES:
Securing IIS http://www.networkworld.com/columnists/2004/0503internet.html
How to disable PCT http://support.microsoft.com/default.aspx?scid=kb;en-us;187498

Step 20
Disable the Remote Data Services Datafactory.

This step disables three insecure RDS datafactory objects: RDSServer.DataFactory,
AdvancedDataFactory and VbBusObj.VbBusObjCls by removing the corresponding
registry keys from
“HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch”. These
objects are not used in normal operation and will not affect other Remote Data
Services.

REFERENCES:
Security Implications of RDS http://support.microsoft.com/kb/q184375/
Unauthorized ODBC Data Access http://www.winguides.com/security/display.php/4/

Step 21
Stop the Remote Registry Service.

This step stops the Remote Registry Service. This service is not required for
normal operation and can be used to remotely reconfigure a host machine from a
remote computer. Some services need remote access to the registry to function
correctly. For example, the Directory Replicator service and the Spooler service
when connecting to a printer over the network require access to the remote
registry.

REFERENCE:
Glossary of Windows Services
http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp

Step 22
Disable RPC based DCOM.

This step disables the DCOM client protocol of the Remote Procedure Call
protocol by setting “HKLM\Software\Microsoft\OLE\EnableDCOM” to “N” and removing
any data in “HKLM\Software\Microsoft\Rpc\DCOM Protocols”. The Client DCOM
portion of RPC is not required for normal operation and can be abused to allow
full control of a host machine from a remote computer. This setting will not
become active until the machine is rebooted.

REFERENCES:
Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Microsoft Security Bulletin MS03-039
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Microsoft Security Bulletin MS04-012
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

Step 23
Delete the backup password file.

Many Windows operating systems save a backup copy of the SAM file in the repair
directory under the system directory. This file contains SMB username and
password data that can be decoded by utilities such as John the Ripper to retrieve
valid login information. The backup file is only used for emergency backup and
is not required for normal operation.

REFERENCE:
Protection of the Administrator Account http://support.microsoft.com/?kbid=223301

Step 24
Disable the Shell URL protocol handler.

This step disables the Shell protocol handler by replacing the insecure ActiveX
GUID found at “HKCR\PROTOCOLS\Handler\shell\CLSID” with a harmless substitute,
in this case the HTML Help GUID. The Shell URL protocol is not required for
normal operation and can be abused to allow full control of a host machine from
a remote computer.

The registry key is “HKCR\PROTOCOLS\Handler\shell”.
The registry value is “CLSID”.
The registry data should be changed to 3050F406-98B5-11CF-BB82-00AA00BDCE0B.

REFERENCE:
The Shell URL Protocol Problem
http://assert.uaf.edu/classes/pres/wheeler/Wheeler.htm

Step 25
Disable the Universal Plug and Play Service.

This step stops the Simple Service Discovery Protocol, which disables Universal
Plug and Play. The SSDP service is not required for normal operation and can be
abused to allow full control of a host machine from a remote computer. This step
does not affect local Plug and Play operation.

REFERENCES:
Microsoft Security Bulletin MS01-059
http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx
UnPlug n Pray http://grc.com/unpnp/unpnp.htm
UPnP Forum http://www.upnp.org/

Step 26
Block unsolicited inbound Internet traffic.

This step blocks incoming Internet traffic by enabling the registry value
“HKLM\System\CurrentControlSet\Services\TcpIp\Parameters\EnableSecurityFilters”.
This setting only affects inbound traffic. This setting will not become active
until the machine is rebooted.

REFERENCE:
EnableSecurityFilters http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/33568.asp

Step 27
Disable Distributed Web Authoring.

This step disables the Distributed Web Authoring service by setting the
"DisableWebDAV" value of the
"HKLM\System\CurrentControlSet\Services\W3SVC\Parameters" registry key. This
service is not required for normal operation and can be abused to allow full
control of a host machine from a remote computer.

REFERENCES:
How to disable WebDAV http://support.microsoft.com/default.aspx?scid=kb;en-us;241520
Microsoft Security Bulletin MS03-007
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

Step 28
Disable the Windows Internet Naming Service.

This step disables the Windows Internet Naming Service. This service is not
required for normal operation and can be abused to allow full control of a host
machine from a remote computer.

REFERENCES:
Windows Internet Naming Service http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/wins.asp
Microsoft Security Bulletin MS04-006
http://www.microsoft.com/technet/security/bulletin/MS04-006.mspx
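Steps 5, 14, 17, 18, 21, 25 and 28 each stop a Windows service, and Steps 5 and 21 warn that other services may depend on them. The PowerShell below is an added example, not from the original post or Samurai: it lists each service's dependents before anything is changed, then stops the service and sets it to Disabled. The short service names (BITS, cisvc, Messenger, NetDDE, RemoteRegistry, SSDPSRV, WINS) are assumptions based on the Windows 2000/XP names and should be confirmed with Get-Service on the target build.

```powershell
# Added example (not from the original post): stop and disable the services named in
# Steps 5, 14, 17, 18, 21, 25 and 28. Service short names are assumptions; verify them.
$ServicesToDisable = [ordered]@{
    'BITS'           = 'Step 5  - Background Intelligent Transfer Service (must run for Windows Update)'
    'cisvc'          = 'Step 14 - Indexing Service'
    'Messenger'      = 'Step 17 - Messenger Service (not Instant Messaging)'
    'NetDDE'         = 'Step 18 - Network DDE'
    'RemoteRegistry' = 'Step 21 - Remote Registry (Spooler may need it for network printers)'
    'SSDPSRV'        = 'Step 25 - SSDP Discovery (Universal Plug and Play)'
    'WINS'           = 'Step 28 - Windows Internet Name Service'
}

function Get-ServiceImpact {
    # One object per listed service: installed or not, current state, and the
    # services that declare a dependency on it (these break when it is stopped).
    foreach ($name in $ServicesToDisable.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service    = $name
            Purpose    = $ServicesToDisable[$name]
            Installed  = ($null -ne $svc)
            Status     = if ($svc) { $svc.Status } else { 'n/a' }
            StartType  = if ($svc) { $svc.StartType } else { 'n/a' }   # StartType needs PowerShell 5+
            Dependents = if ($svc) { ($svc.DependentServices | ForEach-Object Name) -join ', ' } else { '' }
        }
    }
}

function Disable-ListedService {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Force)   # -Force also stops running dependents (passed to Stop-Service)
    foreach ($item in Get-ServiceImpact) {
        if (-not $item.Installed) { continue }
        if (-not $PSCmdlet.ShouldProcess($item.Service, 'stop and set startup type to Disabled')) { continue }
        try {
            # Without -Force this fails loudly while a dependent is still running,
            # the safer default given the Step 5 and Step 21 caveats.
            Stop-Service -Name $item.Service -Force:$Force -ErrorAction Stop
            Set-Service -Name $item.Service -StartupType Disabled
        } catch {
            Write-Warning "$($item.Service): $($_.Exception.Message)"
        }
    }
}

Get-ServiceImpact | Format-Table -AutoSize   # review first; then Disable-ListedService -WhatIf
```

Re-enable BITS (Set-Service -StartupType Manual, then Start-Service) before running Windows Update, as Step 5 notes it must be running for that.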

The last four security solutions are best implemented using the Samurai
application due to functional component requirements. These components must be
registered and loaded using stringent Windows guidelines and as such are not
well suited to the manual application of security settings.

Step 29
Check FRAME/IFRAME NAME field.

This solution registers an HTML filter that checks for FRAME and IFRAME tags
with overly long NAMEs. The filter removes overly long names from the HTML
stream to prevent a well-publicized buffer overflow. This can only be
accomplished with the Samurai HIPS.

REFERENCES:
Microsoft Security Bulletin MS04-040
http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx
FRAME/IFRAME Buffer Overflow http://www.kb.cert.org/vuls/id/842160

Step 30
Check image files for correctness.

This solution hooks various system calls to block Animated Cursor (.ANI) and
GDI+ (.JPG) files containing buffer overflow exploits. Only files with embedded
buffer overflows will be blocked from image processing. Properly formatted ANI
and JPG files will not be affected by this solution. This can only be
accomplished with the Samurai HIPS.

REFERENCES:
Microsoft Security Bulletin MS05-002
http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
Microsoft Security Bulletin MS04-028
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Step 31
Block Internet Explorer Popups.

This solution adds a popup-blocking feature to Internet Explorer. When enabled,
a “Popup Blocker” selection is added to the Internet Explorer context menu
(right click anywhere in IE). The initial setting blocks popups and sounds an
alarm when popups are blocked. Either option can be modified from the context
menu. When popups are blocked, links to popups are also blocked; you must hold
down the Ctrl key to temporarily bypass popup blocking. This can only be
accomplished with the Samurai HIPS.

Popups can be more than just annoying; they can lead to security breaches. To
prevent vulnerability you should accustom yourself to using a popup blocker. All
popup blockers indicate when they are blocking a popup and give you the
opportunity to temporarily bypass blocking. The predominant convention to bypass
blocking is to hold down the Ctrl key while clicking on a link to a popup. This
bypass feature is required for many Internet based applications and is often
required to follow links while navigating the Internet. Though keeping your
speaker on and listening for the popup blocker may seem intrusive at first, you
will quickly become accustomed to this necessary precaution.

REFERENCES:
Popup attacks http://www.theregister.co.uk/2004/06/30/ie_malware_attack/
Hijacking Popups http://www.pcworld.com/news/article/0,aid,118878,00.asp

Step 32
Clear existing rootkits and prevent future loading.

This solution hooks system calls to prevent the loading of rootkits and
refreshes the kernel’s system call table to clear existing rootkits. This
solution also contains a user interface that informs the operator when attempts
are made to load device drivers during normal operation. This can only be
accomplished with the Samurai HIPS.

REFERENCES:
Rootkit.com http://www.rootkit.com/index.php

I hope this helps,


TurboTramp
