getting better score with belarc advisor

is there any utility that can help you better secure your PC without having to change all the settings manually?

CIS offers some security templates, but they warn that it could break functionality.

i was looking for a program that could prompt for each change and provide simple details or info. something like harden-it or secure-it but for windows xp pro security.

 

Would love one myself. I think MS has one, "Security Baseline Analyzer"......? (not sure if it will change settings as much as point out potential weaknesses.)How ever, just by the nature of the beast, Win XX thru XP, almost anything you do can break functionality. Many security related programs\settings are like that sorry to say.

 

I created security template myself many times, but it never did, what it had to.

I use mostly registry setting to set up about 95% settings after clean instal. Some of them are Belarc related like: Password Policies, Event Log Policies, Anonymous Account Restrictions, Security Options (all except renaming Admin & Guest), Additional Security Settings (most of them). I have to set up manually only Audit and Account Policies & User Rights, the rest is fine by default, although I do not set up things like File and Registry Permissions, because I consider it useless, I put all those aplications to blocked in firewall and to Service Permisssion, I have all bad services disabled (by registry of course). If you want to make a list, I will do it. By the way, all my reg settings are in this file (ods & xls in 7z), you can review it and use it at will.

 

thats a lot of changes thetom_sk.

if i wanted to make some of these changes, how could i have a registry file out of the some of the setting in the excel spreadsheet?

 

Create txt - open it and add anything you want - close - change its extension to ".reg" - run.

Windows Registry Editor Version 5.00 - this must be at the beginning, like this (Event Log set up):

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application]
"RestrictGuestAccess"=dword:00000001
"MaxSize"=dword:01400000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security]
"RestrictGuestAccess"=dword:00000001
"MaxSize"=dword:05000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System]
"RestrictGuestAccess"=dword:00000001
"MaxSize"=dword:01400000

Here is my reg file (DO NOT ADD TO REGISTRY), set it to open with Notepad and you can edit it.

 

i have to delete any comments after the numbers right?

and for teh changes in [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters], are these the same things that harden-it would change?

 

Yes, just copy, what you need, only from the line B.
Belarc should show, when the settings are properly set up.
I would sugest to backup whole registry before making any changes:
Start - Run - regedit - File - Export - Save (it will take a min or two).

 

good news. after picking and choosing what i needed and importing the registry entries, my cis benchamrk score went from 3.96 to 4.79.

 

Congrats and Good Luck (whatever happens).

 

another boost. a few other changes got me to 6.46. i need to figure the registry keys for them tho.

 

Yeah I know, they are not at one place and I did not write the best descriptions.

 

its not the descriptions. some of the changes i had to do manually but i dont know their registry keys.

 

Some things do not exists in registry, only in ini files or somewhere else.

Eg I can set up IE completelly via reg file (disable addons, cookies & trusted zone exceptions, etc), but I have to add/remove favorites manually, because they are stored on HDD like files.

 

most of the Local Security Settings are in teh registry tho, arent they?

 

Well, it is possible, registry denies Full Control permission to some keys by default.
So maybe it is hidden somewhere in the registry, but there is no helpfull guide online.

 

i did not know there was a hidden portion of the registry. thanks anyways.