New XP Pro- bare minimum configs b4 going online?

Discussion in 'other security issues & news' started by Galcoolest, Dec 1, 2004.

Thread Status:
Not open for further replies.
  1. Galcoolest (Registered Member; joined Jun 18, 2004; 229 posts; San Francisco)
    New XP Pro- bare minimum user configs b4 going online?

    I took part of this post out because I will just slipstream SP2 and hope for the best...

    Some of you probably recall what I went thru last month with HOME and why I am installing Pro after I got just plain fed up and quit HOME --- never figured it out, not really----

    https://www.wilderssecurity.com/showthread.php?t=53281


    But I still would like opinions on how to configure the various users just to get safe to go online in Pro - what kind of user should I create to do surfing right away? And others I should create? And permissions for them? I'm asking just the bare minimum set-up users-wise that I should do before attempting to get online. (I have firewall, router, AV, and tons of other software - much of which I got here, and I know what to do with services..)

    But somehow I cannot get straight on the basic user(s) I'll need with Pro to surf safely until I flesh out the users overall later on......
     
    Last edited: Dec 2, 2004
  2. nod32_9 (Guest)

    I'm running WXP Pro SP1 (logged in as ADMINISTRATOR) without any other patches. ZA and Avast Home are the only two security proggies in this PC. This partition was created on 11/2001. No infection or security breakdown.

    Even the most proficient PC user will encounter 2-3 minor windows glitches per year. No need to waste my time repairing the problem because I already have a good image file in the HD. It takes less than 5 min to restore a good image file back to the C partition. Imaging the data is the ultimate form of security backup.

    The secret to a stable OS is to keep the number of installed applications to an absolute minimum.

    Go into IE's security screen and set all options to HIGH or PROMPT. DO NOT allow anything to AUTO load/run. The same with unsigned/un-authenticated data.

    If a malicious application gets into your PC, then a LIMITED user account will minimize the damage to the OS. Still the goal is not to let craps bypass your FW. Next to the user, the FW is the MOST important piece of security software. If it is properly configured, then the OS should be well-protected. I do not grant SERVER right to any application.

    People place too much emphasis on the AV and other malware detectors. I only scan my incoming emails. No full-time AV protection. Folks walk down a dark alley at midnight and wonder why they got mugged!

    It's best not to use IE. If you must use IE, then make sure that you apply the critical MS security patches.

    Finally, avoid P2P programs.
     
  3. Galcoolest (Registered Member; joined Jun 18, 2004; 229 posts; San Francisco)
    https://www.wilderssecurity.com/showthread.php?t=53281

    Thank you for your advice. The link above is my very first and completely freaked out thread here- I came desperate for help I couldn't find in my other regular forums. Right after I loaded SP2 on my computer running HOME XP, it (coincidentally? i dunno...) got hacked, and then destroyed from the inside out, then nothing including several low level reformats could stop the craziness. So in the thread I'm convinced I had a mythical super trojan beyond a rootkit deal-

    to make a long story short, I friggen removed HOME , installed Me again (and am on that now) bid on and won XP Pro on eBay- it got lost in the mail- got it yesterday.. and I am ready to install!

    thank you for taking the time to send your advice- you reiterated what I know to be true, except the part about your logging on normally as admin- that's what did me in with HOME, had to be part of it...

    anyway I have saved your post, and have in text form literally scores of help stuff on pro- but now I'm a tad confused about what I thought I knew cus you say you run in Admin and I thought that was a no no with all XP OS unless absolutely necessary.... and that in Pro a yo surf as a mid-privileged character. (not available in HOME which is one of the big reasons it sucks) It's precisely this issue that your post made even more unclear, lol.

    If you want a laugh- go see just my first post and you'll see why I am 100% committed to not making a config error in Pro, getting online, and having another NIGHTMARE LIKE THAT HAPPEN AGAIN! (It never was truly ascertained what was happening despite all my efforts- but I had just had it with HOME by then anyway, and finally yanked it off my PC forever.)

    Me has been a quiet, smooth sail since- I kept threatening myself to just stay with it ....
    https://www.wilderssecurity.com/showthread.php?t=53281
     
  4. nod32_9 (Guest)

    Please elaborate>>>"in Pro a yo surf as a mid-privileged character. (not available in HOME which is one of the big reasons it sucks) It's precisely this issue that your post made even more unclear".

    We know that you are safe from the hacker if you use WME, correct? But if you format the same HD and replace WME with WXP Home, then the creep will be able to re-infect your PC, correct? Sounds to me like the creep is using some type of security hole in WXP (and there are many holes) to infect your system.

    1. Are you using the same type of ISP connectivity in both cases?

    2. Are you the only person that has physical access to this PC?

    3. Do you have to load ANY software before you can connect to the internet?

    Do you have a zip version of FF? If not, then you need to download it from the Mozilla website.

    If you download the latest WXP BIOS flash from the DELL website and use this software to flash the BIOS, then the BIOS is clean.

    If you do a "low-level" format of the HD, and then create one large FAT32 primary C partition, then the HD is clean.

    If you remove the nickel-sized battery on the motherboard for one day, then you will reset the CMOS.

    Remove all USB and Zip drives. The creep cannot store data in the floppy drive, video card, sound card, modem card, mouse and keyboard.

    We now have a clean PC. Connect only the mouse, monitor, and keyboard to the PC. Install WXP (Home or Pro). Download WXP drivers only from the DELL website. WXP should auto load the appropriate drivers for your DELL 4100. Now is the time to image your operating system if you have access to an imaging software. Reboot and install the ZA FW. Proper configuration is CRITICAL. You also need to tweak the security settings in windows, IE, and Outlook Express.

    Extract the Firefox zip file, go to the Mozilla folder and click on Firefox.exe to launch the browser. You don't need to install FF. Tweak the security settings in FF.

    Create a Dial Up Networking account which will permit you to connect to the internet via the 56K modem. Do not launch IE or OE yet. We're not going to install the broad band modem at this stage.

    Note that we have only added the FW and the FF browser to this PC. Verify that you can connect to Wilders with FF. Reboot and take a second image file of this OS.

    Try this setup for a few days. If all is well, then I'd add the AV and start using the email program. Avoid the use of P2P proggies. I'm not a big fan of instant messaging, either. Some newer AVs will also include IM scanning as part of the protection.

    I will be happy to provide phone support over the weekend (free long distance). We should be able to block this hacker from your PC if we systematically eliminate each mode of infection with the aid of the imaging software. Create the image file of your OS and then make the change. The image file will allow you to restore the PC to a time when it was not infected with the bug. This is much more efficient than reloading windows.
     
  5. Galcoolest (Registered Member; joined Jun 18, 2004; 229 posts; San Francisco)
    Thanks Nod for taking the time to respond like that . However, I am on top of a lot of that already. Please read the original posting stuff linked to in the above post of mine. Nod- I did all I could do at the time - and the issue is now different. I flashed BIOS, etc etc. And I do use FF. And will continue to do so.

    And while in Me all is hunky dory. Hardly a hit on the firewall thanks to the router, clean sweeps of all spyware infiltration , viruses, etc. It's been quiet and wonderful. I appreciate the drastic steps you have told me about, but I think I should give a clean install of PRO a chance to see what happens before I freak out and go to those extremes. I mean, it should be pretty clear right away if something is amiss, and then I can simply undo it, and follow your "way,way extreme to the bones cleanup" Right?

    What I want to know is when I install Pro (and that sentence you had questions about got mangled-sorry) don't I want to create a non-admin, non-limited middle-privileged "power-user" or whatever they call it in Pro (still haven't loaded it, so unsure of the moniker- too busy today)-- meaning a user that is not available in HOME- cus there you have admin or limited users, period. A user in between the 2 extremes?
    PS- NOD- please PM with the phone number- I would appreciate talking with you about this-- and actually, PM me, I'll PM back right away with email also. Thanks again- your help is terrific!
     
    Last edited: Dec 3, 2004
  6. Notok (Registered Member; joined May 28, 2004; 2,969 posts; Portland, OR (USA))
    The default 'user accounts' control panel item in XP Pro is the same way as in Home. You can go into the Administrative Tools and start "computer management", open "local users and groups", highlight "users" and change the group your user account is a part of (ie "power user"), however you have to do this before you change your services settings, as the console needs the Workstation service (I don't think black viper mentions this, but it can, and should, be turned off unless something you use needs it) and a couple others running to access the group membership settings.

    Alternately you can paste the following into notepad, save it as "useraccounts2.reg" and run it to have a better "user accounts 2" in your control panel that gives you better control of these things:
     
    Last edited: Dec 3, 2004
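    As an added example (not Notok's, and not from the thread), the same group change done from a command prompt instead of the Computer Management console, with the Workstation service check Notok mentions done up front; `surfuser` is a placeholder for the everyday surfing account, and the script is meant to be run while logged on as a different administrator account:

```batch
@echo off
REM Added example, not from the thread: move the everyday account out of
REM Administrators into Power Users on XP Pro. Run from a cmd prompt while
REM logged on as a DIFFERENT administrator, so at least one admin survives.
setlocal
set TARGET=surfuser

REM 1. Local Users and Groups depends on the Workstation service
REM    (service name LanmanWorkstation); start it for this session if stopped.
sc query LanmanWorkstation | find "RUNNING" >nul
if errorlevel 1 (
    echo Workstation service is not running; starting it for this session...
    net start LanmanWorkstation || (echo Could not start it. & exit /b 1)
)

REM 2. Never strip rights from the account running the script.
if /i "%TARGET%"=="%USERNAME%" (
    echo Refusing to change the current account; log on as another admin.
    exit /b 1
)

REM 3. Add to Power Users first, then drop from Administrators.
net localgroup "Power Users" %TARGET% /add
net localgroup Administrators %TARGET% /delete

REM 4. Verify: the account should appear under Power Users only.
echo --- Power Users ---
net localgroup "Power Users"
echo --- Administrators ---
net localgroup Administrators
endlocal
```

    If the Workstation service is later disabled as part of a services tweak, the console and `net localgroup` will stop working until it is re-enabled, which is the ordering point Notok makes above.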
  7. Galcoolest (Registered Member; joined Jun 18, 2004; 229 posts; San Francisco)
    Thanks so much Notok for that fabulous clarification and advice. I have saved everyone's great input into permanent files that are coming off of here before I wipe the baby, so that I can re-read everything BEFORE I jump on the net. And I archived all the great stuff you folks taught me earlier in a recent thread about how to set up Pro to be able to review the advice offline before I dare hook up to the world!

    Thanks again all of you! (Notok- bless ya buddy!)
     
  8. nod32_9 (Guest)

    Perhaps I'm placing too much faith in my image files. To this date, I have yet to encounter a major security breakdown with W2K and WXP (SP1 and no additional patch). That's approximately 21,000 hours of internet connection.

    The use of a limited WXP account will only provide you with a false sense of security. If this person is as good as you make him to be, then a LIMITED account isn't going to prevent him from wrecking your PC. You're running as an "administrator" in WME, yet you're immune from this hacker. Again, I believe the root cause of these problems can be linked directly to how you configure WXP (home or pro) and the FW's security settings.



    I'm posting the "User account types" guide from WXP Pro SP1 (haven't checked SP2 but I suspect it's going to be the same as SP1):

    There are two user account types. Computer administrator accounts allow the user to change all computer settings. Limited accounts allow the user to change only a few settings, as shown in the table below.

    Limited:
    -Change your own picture
    -Create, change or remove your own password.

    Perhaps you could provide a link that will illustrate the use of a 3rd account type in WXP Pro.


    I concur with you that my recommendation is a little extreme. However, it's best to do it right the first time. You should, at minimum, image the OS prior to internet access. No need to work hard when you can work smart! I would trade 3 hours vs. 5 minutes any day of the week.
     
  9. Notok (Registered Member; joined May 28, 2004; 2,969 posts; Portland, OR (USA))
    Here is User Accounts 2 along with the MMC interface for user settings:
     

    [Attached files: screenshots of User Accounts 2 and the MMC user settings]

    Last edited: Dec 3, 2004
  10. Notok (Registered Member; joined May 28, 2004; 2,969 posts; Portland, OR (USA))
    And here's a small peek at a few of the more granular changes that can be made in gpedit.msc (in the right pane, to the right of the settings, is where you put in what user groups have rights to perform the specified actions; cut out in this pic)
     

    [Attached files: gpedit.msc screenshot]

  11. nod32_9 (Guest)

    I don't think I will want to get too cute with this level of detailed adjustment because I don't know the method of attack used by this hacker. If you want to split hairs, there are Administrators, Backup Operators, Guests, Network Configuration Operators, Power Users, Remote Desktop Users, Replicator, Users, HelpServicesGroups and a bunch of tweakable options for some configurations.

    We didn't have this problem with WME. Therefore, the proper course of action is to prevent this creep from entering your PC. Restricting what you can do in windows is NOT a permanent solution.
     
  12. Galcoolest (Registered Member; joined Jun 18, 2004; 229 posts; San Francisco)
    Nod 32-
    Many folks here feel that I was imagining things after I eradicated the "live hacker"- I dunno- if you read that whole thread then you can decide what you think- but subsequently i posted this:

    https://www.wilderssecurity.com/showthread.php?t=54759

    in which I tried to convince myself that some of the guys here were right- it was a config problem. You're the only one who believes it could be a true bas**rd that will get right on me again when I re-enter the net on XP Pro. Believe me, I'm saving your opinion and tactics in case an obvious strangeness starts happening again.
    Surely I won't load ANYTHING but the OS and the DSL and router software (which I must have to get online)- and this after I do all the pre-accessing stuff that's been advised. And I'll sit back and watch the kinds of places that all the craziness was going on in HOME- weird users and permissions, drivers and programs being loaded, et al.
    I do know that one of the primary tricks used was to tweak ZA and NAV to read to me, the naive user, that all was well- when in fact, both were completely non-functional. I have bought Outpost and am good buddies with an admin over there (he laughs-told ya so) so that will be good, and I'm on the fence about NAV vs. AVG, etc. Using AVG free v.7 right now and like it- I'd get the paid version though...
    Anyway- rather than hyperventilate before a crisis, and considering my load-on will be minimal, I think I'll wait on doing all the stuff you mentioned until I have reason to freak again! But thank you so much for your thorough plan of attack should I get to the point that I need it!

    Notok-

    those screenshots were VERY helpful --- gosh you can rig up SO much more in Pro than HOME! Again, I bagged HOME finally (after threatening to do so long before my infiltration) because of its usage and security config limitations. Alas, I'm so happy on Me- so simple and quiet- I keep putting off going thru the hassles of wiping and installing again. I will, for sure, but probably not today! Thanks for the fab info and assistance!!!!! :-*
     
  13. nod32_9 (Guest)

    Spent 13 years working with the brightest group of people in the world, so I never discount a customer's complaint. If you are not the only individual with access to this PC, then you may consider locking out the PC when it is not in use. Yes, a removable quick-release internal HD bracket would do the trick. I know...conspiracy theory. Husband/BF/roommates...they're all suspects.

    Make sure the router software is clean (factory label) before you load it to the OS. I applaud your move to AVG or any well-known FREE AV solution. I prefer Avast Home over AVG. Again, it's a personal thing, plus I like the lightning fast Avast virus definition updates. NAV is bad news.

    I think Outpost is more suited for the tweakers. It's much easier to get it right with ZA Pro 4.0 or 4.5. These earlier versions of ZA are lighter than the current release of Outpost.
     