View Full Version : SecureIt 1.12 (Jan 11 2005)


Notok
January 11th, 2005, 05:44 PM
One of my new favorite hardening tools

http://www.sniff-em.com/secureit.shtml

-{ Quote: " System Hardening Details :

· Local Machine Zone (My Computer) Hardening : This option hardens the Local Zone for all the users on this machine. The gracious Local Zone settings are often exploited by worms and other malware. Important feature, hardens the system against future unknown exploits.

· Disable dangerous File handlers
- ms-its; ms-itss; its; mk; local; sysimage. Disables cross-domain attacks by malware downloading and executing code with local user privileges.

· Hide Administrative shares : Hides $ Administrative Shares.
· Automatic Logon : If you enable automatic logon, the password is stored in the registry in plain text.
· Safe DLL Search Order : Specifies where Windows should search for components first.

· Services : Disable Remote Registry Service
Disable Lanmanserver service
Disable Task Scheduler
Disable Machine Debugger Manager service
Disable NetDDE service
Disable Messenger service
Disable Universal Plug and Play Device Host

· Disable DCOM : The Distributed Component Object Model (DCOM/RPC) is a protocol that enables software components to communicate directly over a network. Some worms (MSBlaster..) exploit DCOM to propagate.

· Local LMHash Caching : The LM hash is relatively weak compared to the NT hash, and it is therefore prone to fast brute force attack. Therefore, you may want to prevent Windows from storing an LM hash of your password.

· Disable PCT 1.0 : Microsoft IIS Web servers that have SSL installed and PCT enabled but have not applied the patch from April of this year, Microsoft security bulletin MS04-011, are likely to be targeted for this exploit.

· Disable Shell.Explorer Active-X : Disabling the Shell.Explorer ActiveX object prevents IE exploits from referencing local directories in a window object. This is a proactive measure and it protects against any future break-in through this vector.

· Disable Active-X Image Control : Disabling the Active-X Image Control object prevents exploits through this control. Click More information for details about this.

· Disable Shell.Application : Several IE exploits are based on this interface, ADODB.Stream amongst others, disabling this feature also may disable some .HTA files using Shell.Application.

· Disable Shell URL protocol handler : Several IE exploits are based on this interface, ADODB.Stream amongst others, disabling this feature also may disable some .HTA files using Shell.Application.

· Disable HTA Shell : This setting prevents HTA files in web pages or HTML based e-mail from executing. HTA files are often used by malware authors.



How much does it cost ?
Nothing, it is free." }-
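The list above is SecureIt's own feature summary. As an added example, not SecureIt's code and not from anyone in this thread, the PowerShell script below audits and, with -Apply, sets the registry values and services behind most of those items, so you can see exactly what each option changes and verify it afterwards. It assumes PowerShell 5.1 or later, an elevated prompt, and an XP/2003-era feature set: service names such as Messenger and NetDDE do not exist on current builds and are skipped. The ITS/mk protocol handlers, the HTA item and the Active-X Image Control are not covered; the CLSIDs for the kill bits are resolved from HKCR at run time rather than hardcoded.

```powershell
# Added example (not SecureIt's code): audit, and with -Apply set, the registry
# values and services behind SecureIt's hardening list. Run elevated.
[CmdletBinding()]
param([switch]$Apply)

# Registry-backed settings: key, value name, desired data, type.
$settings = @(
    # No LM hash stored for passwords changed after this is set (existing hashes stay until the next change)
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='NoLMHash'; Value=1; Type='DWord' },
    # Restrict anonymous access, anonymous SAM enumeration, and Everyone-includes-Anonymous (added in 1.2)
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymous'; Value=1; Type='DWord' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymousSAM'; Value=1; Type='DWord' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='EveryoneIncludesAnonymous'; Value=0; Type='DWord' },
    # Safe DLL search order: system directories are searched before the current directory
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name='SafeDllSearchMode'; Value=1; Type='DWord' },
    # Do not create the C$/ADMIN$ administrative shares on a workstation (AutoShareServer on servers)
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='AutoShareWks'; Value=0; Type='DWord' },
    # Automatic logon off; the plain-text DefaultPassword is removed further down
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='AutoAdminLogon'; Value='0'; Type='String' },
    # DCOM off machine-wide
    @{ Path='HKLM:\SOFTWARE\Microsoft\Ole'; Name='EnableDCOM'; Value='N'; Type='String' },
    # PCT 1.0 server side off (the MS04-011 workaround)
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'; Name='Enabled'; Value=0; Type='DWord' }
)

# Services from SecureIt's list. Missing ones (newer Windows builds) are skipped.
$services = 'RemoteRegistry','lanmanserver','Schedule','MDM','NetDDE','Messenger','upnphost'

# COM classes to kill-bit in IE. Compatibility Flags 0x400 is the kill bit (KB 240797).
$progIds = 'Shell.Application','Shell.Explorer','ADODB.Stream'
$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Set-Value($Path, $Name, $Value, $Type) {
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    Write-Host ("{0}\{1}: current={2} desired={3}" -f $Path, $Name, $current, $Value)
    if ($Apply) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
    }
}

foreach ($s in $settings) { Set-Value $s.Path $s.Name $s.Value $s.Type }

# Autologon stores the password in clear text: remove it instead of leaving it behind.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ((Get-ItemProperty -Path $winlogon).PSObject.Properties['DefaultPassword']) {
    Write-Host 'DefaultPassword is present under Winlogon (plain text)'
    if ($Apply) { Remove-ItemProperty -Path $winlogon -Name 'DefaultPassword' }
}

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }
    Write-Host ("service {0}: {1}, startup={2}" -f $name, $svc.Status, $svc.StartType)
    if ($Apply) {
        Set-Service -Name $name -StartupType Disabled
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }
}

foreach ($progId in $progIds) {
    # Resolve ProgID -> CLSID from HKCR so only classes actually registered are touched.
    $clsid = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\CLSID" -ErrorAction SilentlyContinue).'(default)'
    if (-not $clsid) { Write-Host "$progId is not registered"; continue }
    Set-Value "$killBitRoot\$clsid" 'Compatibility Flags' 0x400 'DWord'
}
```

Run it once without -Apply to see the current state, then with -Apply. Three caveats a practitioner should keep in mind: a kill bit only stops Internet Explorer (and anything else that honours IE's ActiveX compatibility list) from instantiating the class, it does not stop a WSH script from calling CreateObject("Shell.Application"); kill-bitting Shell.Explorer also breaks other applications that host the WebBrowser control; and disabling lanmanserver removes all file and printer sharing, not just the administrative shares.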

kareldjag1
January 12th, 2005, 01:17 PM
Hi,

Good tool for hardening Windows.
I used it recently for a friend.

There are about 6 or 7 tools like SecureIt.
But the little problem is that some of them are available on "offensive" sites.

There are different methods to harden Windows (TCP/IP, Registry ...).
Interesting idea for a special thread.

One of these tools is Zigstack (new version recently released).
I only give a link for a screenshot.
I let moderators have a look at this site for getting their permission or not.

http://xaitax.de/bin/scr/zigstackv5.jpg

Harden your system before installing an army of protection tools.
So 100% agree with you NOTOK.

Regards

Ailric
January 13th, 2005, 11:01 PM
I'm trying out SecureIT now. I'll be honest, I don't know half of the things SecureIT protects. I mostly go for the recommended settings and see what happens. I would like to see this app with a checklist of protected items rather than its continuous menu. I would also like to have the option of restoring all the original settings with one click.

Notok
January 13th, 2005, 11:48 PM
I like that kind of UI better myself, SafeXP being a good example. SecureIt has some options that the others do not, however, that make it very much worth it, such as its IE & ActiveX hardening. One thing that it does have above the others is the ability to use it silently with command-line parameters.

Just one more goodie to throw in the toolbox :)

~*Nat*~
January 20th, 2005, 02:21 PM
Hi,

I hope I'm posting in the right thread.

But for all that are using Secure It, I would like you to advise me if it would be safe to run alongside all my other security apps.
I'm very interested in SI but want to get an idea first that it will not somehow interfere with my other programs.

Oki.

Here's what I've got.

ZA (free)
Avast (free)
Winpatrol
Prevx
SpywareBlaster
SpywareGuard
IE-Spyad
CWshredder
Ad-Aware
Spybot-SD/ w. Teatimer
~~~~~~~~~~~~~~~~
Also have Script Defender, but will uninstall as I think it isn't installed correctly.

Also would like to add a-squared one of these days.


What is your opinion ?

All feedback is very much appreciated.

Notok
January 20th, 2005, 02:40 PM
SecureIt just disables/configures insecure parts of Windows, so it shouldn't conflict with any other security apps.

~*Nat*~
January 20th, 2005, 02:44 PM
Yes, that makes sense. I just wanted to be sure.

Thanks Notok !

solarpowered candle
January 20th, 2005, 03:28 PM
Thanks Notok, just loaded up Secure-It 1.0 and Harden-It. Surfing on simplicity, I am quite happy with having the recommended settings available. Loads up easily and no conflicts with existing apps so far.

~*Nat*~
January 20th, 2005, 03:34 PM
I have another question please:


What exactly is the " Universal Plug and Play Device Host" and what is it for ?


I noticed it a long time ago on the GRC site, but dum-dum me didn't take the time to thoroughly read about it.

(ADD is haunting me at times.....::) )

Thanks.

nick s
January 20th, 2005, 04:35 PM
I have been using Secure-It without any problems, but chose not to apply the "Disable potential intrusion binaries" option since it requires disabling Windows File Protection (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/system_file_protection.mspx). A better solution would be to use Process Guard (free or full) to block the execution of wscript.exe, cscript.exe, ftp.exe, and tftp.exe.

Nick

~*Nat*~
January 20th, 2005, 06:12 PM
Ok. I just downloaded. So far so good.

I noticed though that all my sites in the "Trusted Zone" are gone, and "Internet Zone" is in my opinion down to "open doors".
Is this normal and intended, or would I just have to reset my own "higher" settings again ?

solarpowered candle
January 20th, 2005, 07:15 PM
I only use IE for Windows updates, but I checked and my Internet Zone is set at "medium". I have no sites in the "trusted" zone anyway. In my restricted zone is "http://related.msn.com" only. I'm using Firefox though.

solarpowered candle
January 20th, 2005, 08:20 PM
good sites there spanner
Not sure what you guys are running on, but with XP and IE 6 and the latest updates the settings are reasonably tidy by default. I recommend also http://www.blackviper.com/index.html for hardening up the system (XP). SafeXP is also useful http://www.theorica.tk/ and definitely have a play with Firefox just for the hell of it. (I highly recommend that you download, install and give Firefox a try. I have been using this browser with no problems. Spyware? Adware? Pop-Ups? Changing of your home page? Security problems? No issues with Firefox. Some people have spent lots of $ on getting rid of those same problems.)
Back to the topic of the thread .... you might email the developer Nat (Thierry Zoller) at ThierryZoller@Sniff-em.com with your issue and see what he says regarding this that you have found. I think he would appreciate any feedback.

zorro zorrito
January 20th, 2005, 09:02 PM
Update of the program:

New in version 1.2 (14/01/2005) :
· Bug Fix : EnableMulticastForwarding corrected.
· Feature added : Restrict Anonymous Access
· Feature added : Restrict Anonymous access to SAM
· Feature added : Disable Everyone Includes Anonymous
· Feature added : Show only new updates to this version.
· Feature added : Revert to default Windows settings option added.

http://www.sniff-em.com/harden-it.shtml

funny
January 21st, 2005, 02:24 AM
-{ Quote: "Ok. I just downloaded. So far so good.

I noticed though that all my sites in the "Trusted Zone" are gone..and "Internet Zone" is in my opinion down to "open doors".
Is this normal and intended or would I just have to reset my own "higher" settings again ?" }-

Heh you notice that too huh?

It actually conflicts with software such as spywareblaster and IEspyad that put sites into your restricted zone.

IE will now read from

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

instead of

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

So the restricted sites put into IE by IEspyad or spywareblaster aren't used now.


If you manually add sites you will see they appear in the above area.

If you have this problem, you can use IEspyad2. No work around for spywareblaster yet.
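The behaviour described in the post above comes from one registry value: when Security_HKLM_only (a DWORD under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings) is 1, IE takes its zone settings and ZoneMap from HKLM only and ignores the per-user copy in HKCU. As an added example, not code from anyone in the thread, the PowerShell below reads that value, walks both ZoneMap\Domains hives, and lists the per-user Restricted-sites entries (zone 4) that are currently not in effect. It assumes PowerShell 5.1 or later; IP ranges under ZoneMap\Ranges are not examined.

```powershell
# Added example (not from the thread): find Restricted-sites entries that IE no
# longer honours because Security_HKLM_only is set.
$inetRoot = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmOnly = (Get-ItemProperty -Path "HKLM:\$inetRoot" -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only

function Get-ZoneMapDomains([string]$Hive) {
    # Returns a hashtable scheme://host -> zone id (1 Intranet, 2 Trusted, 3 Internet, 4 Restricted).
    $result = @{}
    $base = "${Hive}:\$inetRoot\ZoneMap\Domains"
    if (-not (Test-Path $base)) { return $result }
    Get-ChildItem -Path $base -Recurse | ForEach-Object {
        # Keys nest host under domain (Domains\example.com\www), so reverse the path parts.
        $rel = $_.Name.Substring($_.Name.IndexOf('\Domains\') + 9)
        $parts = $rel -split '\\'
        [array]::Reverse($parts)
        $site = $parts -join '.'
        foreach ($scheme in $_.GetValueNames()) {
            # Value name is the scheme ('http', 'https' or '*'); data is the zone id.
            $result["$scheme://$site"] = $_.GetValue($scheme)
        }
    }
    return $result
}

$hkcu = Get-ZoneMapDomains 'HKCU'
$hklm = Get-ZoneMapDomains 'HKLM'

Write-Host "Security_HKLM_only = $hklmOnly  (1 means the HKCU ZoneMap is ignored)"
Write-Host ("Restricted entries: HKCU={0} HKLM={1}" -f
    @($hkcu.Values | Where-Object { $_ -eq 4 }).Count,
    @($hklm.Values | Where-Object { $_ -eq 4 }).Count)

if ($hklmOnly -eq 1) {
    # Per-user entries with no machine-wide counterpart are silently inactive.
    $inactive = @($hkcu.Keys | Where-Object { $hkcu[$_] -eq 4 -and -not $hklm.ContainsKey($_) })
    Write-Host ("{0} per-user Restricted-sites entries are not in effect, e.g.:" -f $inactive.Count)
    $inactive | Select-Object -First 10 | ForEach-Object { Write-Host "  $_" }
}
```

There are two ways out once the script confirms the cause: set Security_HKLM_only back to 0, which restores the per-user lists but also gives every user back control over their own zone settings, or keep it at 1 and install the block list into the HKLM ZoneMap instead, which is what a machine-wide list such as the IEspyad2 variant mentioned above does.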

iceni60
January 21st, 2005, 11:38 AM
what about Harden-It?
Features :
· Harden your server's TCP and IP stack
· Protect your servers from Denial of Service and other network based attacks
· Enable SYN flood protection when an attack is detected
· Set the threshold values that are used to determine what constitutes an attack



These first two are for servers.
· Harden your server's TCP and IP stack
· Protect your servers from Denial of Service and other network based attacks

It says it protects against SYN flood too, that's for a server too, isn't it? A client sends a server a SYN packet, then the server sends a SYN-ACK message back. I know Nmap has a SYN option, but I've never used it so I don't really know more than that.

What about "Set the threshold values that are used to determine what constitutes an attack", is that for a server too? Thanks.
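The "threshold values" in the Harden-It feature list are the Tcpip\Parameters values that the Windows 2000/XP/2003 stack uses to decide when SYN-flood protection kicks in. As an added example, not Harden-It's code, the PowerShell below prints each value with its meaning and, with -Apply, sets the recommendations from Microsoft KB 324270. The numeric thresholds are the workstation-class starting points from that article and should be tuned for the host; on Windows Vista and later the stack was rewritten and SynAttackProtect and the TcpMaxHalfOpen* thresholds are no longer honoured. Assumes PowerShell 5.1 or later and an elevated prompt.

```powershell
# Added example (not Harden-It's code): audit and optionally set the Tcpip
# SYN-flood and anti-DoS parameters. A reboot is needed for changes to apply.
[CmdletBinding()]
param([switch]$Apply)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# name -> @(recommended value, what it controls)
$params = [ordered]@{
    'SynAttackProtect'                     = @(1,   'once an attack is detected, retransmit SYN-ACKs less and drop half-open connections sooner')
    'TcpMaxHalfOpen'                       = @(100, 'threshold: half-open (SYN_RCVD) connections before protection engages')
    'TcpMaxHalfOpenRetried'                = @(80,  'threshold: half-open connections with at least one retransmitted SYN-ACK before protection engages')
    'TcpMaxPortsExhausted'                 = @(5,   'threshold: refused connection requests before protection engages')
    'TcpMaxConnectResponseRetransmissions' = @(2,   'SYN-ACK retransmissions before a half-open connection is dropped')
    'EnableDeadGWDetect'                   = @(0,   'do not switch gateway on attacker-induced failures')
    'EnableICMPRedirect'                   = @(0,   'ignore ICMP redirects that could rewrite the route table')
    'DisableIPSourceRouting'               = @(2,   'drop all source-routed packets')
    'EnablePMTUDiscovery'                  = @(0,   'fixed 576-byte MTU, cannot be forced down by forged ICMP (costs throughput)')
    'EnableMulticastForwarding'            = @(0,   'do not forward multicast between interfaces')
}

foreach ($name in $params.Keys) {
    $want, $why = $params[$name]
    $have = (Get-ItemProperty -Path $tcpip -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($null -eq $have) { 'absent (stack default)' } else { $have }
    Write-Host ("{0,-38} current={1,-22} recommended={2,-4} {3}" -f $name, $state, $want, $why)
    if ($Apply) { Set-ItemProperty -Path $tcpip -Name $name -Value $want -Type DWord }
}
if ($Apply) { Write-Host 'Reboot for the Tcpip parameters to take effect.' }
```

The thresholds only matter for ports that are listening, which is why the feature reads as server-oriented; a workstation that exposes anything (file sharing, an IRC DCC port) gets the same benefit for those ports, and the routing-related values (source routing, ICMP redirects, dead gateway detection) are worth setting on any host.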

Notok
January 22nd, 2005, 03:03 AM
Yikes, this thread kinda took off! :D

-{ Quote: "What exactly is the " Universal Plug and Play Device Host" and what is it for ?" }- This was made to make installing network devices easier. For instance if you got a new router, UPnP would pick it up and configure your system for it automatically. Unfortunately this would allow a hacker to do the same thing. "So you wanna join the network? Here, let me help!" Routers and such are easy enough to install on their own, I wouldn't think this would make things all that much easier, and the risk is just too great.

-{ Quote: "I have been using Secure-It without any problems, but chose not to apply the "Disable potential intrusion binaries" option since it requires disabling Windows File Protection. A better solution would be to use Process Guard (free or full) to block the execution of wscript.exe, cscript.exe, ftp.exe, and tftp.exe." }-That and/or a script blocker. Scriptrap, Script Defender, WormGuard, RegRun's runguard, etc, are all good options. For users that don't want to run such things, or don't know about them, it may not be a bad option, although you're right that disabling WFP isn't the best way to go. Hopefully the developer can get it to re-enable it again after making the change.

-{ Quote: "I noticed though that all my sites in the "Trusted Zone" are gone..and "Internet Zone" is in my opinion down to "open doors".
Is this normal and intended or would I just have to reset my own "higher" settings again ?" }-Good catch, I hadn't noticed that. Definitely worth mentioning to the developer. However if you already have a highly restricted Internet Zone, I don't know how much additional protection you would really get from such lists. If you already restrict your Internet Zone more than SecureIt does, there's no reason to leave it turned down. Of course using an alternate browser is always the best way to resolve these things ;D

-{ Quote: " I recommend also http://www.blackviper.com/index.html for hardening up the system (xp) . safe xp is also useful http://www.theorica.tk/ and definitely have a play with firefox just for the hell of it. ( I highly recommend that you download, install and give FireFox a try. I have been using this browser with no problems. Spyware? Adware? Pop-Ups? Changing of your home page? Security problems? No issues with FireFox. Some people have spent lots of $ on getting rid of those same problems.
back to the topic of the thread .... you might email the developer Nat (Thierry Zoller) at ThierryZoller@Sniff-em.com with your issue and see what he says regarding this that you have found. I think he would appreciate any feedback." }-Couldn't agree more on all points, worth a second mention IMO.

-{ Quote: "what about Harden-It?" }-I doubt it would hurt anything to run it, although I think the protection it offers is most relevant to servers as it would mainly cover attacks personally directed at you by hackers rather than automated attacks by things like worms. It may be a good idea if you use things like IRC, though.

I'm glad everyone likes this thing. It may not be a total solution, but it's a good way to start when securing your system.

wemakegreatpets
January 22nd, 2005, 04:00 AM
Wouldn't it be better for newbies just to run DSOstop, HTAstop, WMPscriptfix, WWDC, Bugoff and perhaps SafeXP? It seems like all these additional programs, like Secure-It, Harden-It, Zigstack and others, are unnecessary and rather confusing for beginners and can cause changes that may cause problems for them. Also, the apps I mentioned can be easily disabled with just one click, ok sometimes a couple of clicks.

kareldjag
January 22nd, 2005, 05:31 AM
Hi,

***Iceni60, Windows works like a "hidden" server.
So just a paper about hardening Windows against network attacks like SYN ones: http://www.secinf.net/windows_security/Hardening_Windows_NT_Against_Attack.html

Or this one: http://www.securityfocus.com/infocus/1729


***For hardening Windows, there's also the old manual method.

It's sometimes better for learning and knowledge.
From a french paper (but in english):

http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html.en


***There are also many other tools to harden Windows' security (like gkweb's one):

*Zigstack (a screenshot in my previous post):

http://www.securiteam.com/tools/5EP091FC0C.html

*Xpliser (I don't give the direct link because it's an offensive site):

What it changes:

http://www.securiteam.com/tools/5EP081FCKI.html

http://theinsider.deep-ice.com/readme.txt

*Xpy: http://xpy.whyeye.org/

*Xpanti-spy:
http://xp-antispy.org/content/view/17/47

Nice Week-End

Regards

solarpowered candle
January 23rd, 2005, 03:41 PM
From the Secure-it newsletter
Today a security vulnerability was published concerning the

Microsoft NetDDE Service, the vulnerability consists of a remotely exploitable Buffer Overflow. The systems affected are NT/2000/XP/2003 Server.



Secure-It 1.22 protected you from this exploit PRIOR to the exploit itself being found (if you set the recommended settings). Thierry Zoller recommends using the Secure-It EXPERT mode and disabling the NetDDE service until a patch is published.



More information about the vulnerability:

http://www.ngssoftware.com/advisories/netddefull.txt