System Hardening Tools

Discussion in 'other anti-malware software' started by G1111, Jan 12, 2006.

Thread Status:
Not open for further replies.
  1. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Currently have Harden-it and Windows Worms Doors Cleaner. I was thinking of adding Safe XP. Has anyone used this one for any length of time and are there any problems with the first two (compatibility)?
     
  2. trickyricky

    trickyricky Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    475
    Location:
    London, UK
    I currently have all three installed and also have Secure-IT and Samurai as well. I'm not aware of any problems due to too many tweaks, but I'm a compulsive tweaker so the more the merrier as far as I'm concerned. ;)

    That said, this PC is rock-solid and fast, so it can't be too unhappy.
     
  3. G1111

    Thanks - Does Safe XP use any system resources (monitors system)?
     
  4. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    safe xp is a very nice program. no issues at all with it.

    there is a newcomer on the way, I saw it at majorgeeks.
    Nlite - beta but the features are looking great ;)
    http://www.nliteos.com/

    xpy worked flawlessly too on my computer, the same program as safe xp
    http://xpy.whyeye.org/

    Nlite needs M$ Net framework so for a lot of users it will be a no-go but anyway I like the features.
     
    Last edited: Jan 12, 2006
  5. Infinity

    nope it disables/deletes unnecessary processes, it disables built in features and addons from xp that are hard to disable or uninstall.

    The idea is to minimise the leaking, making it more secure and your computer will be faster too cause of the disabling of unnecessary processes like windows time, Security Center and whatever other processes.
    You can undo the harm if you save/backup your config how you have it right now. If you aren't happy with the results you can go back to your primary backup.
    cheers
     
  6. G1111

    Thanks Infinity - I think I'll give it a try.
     
  7. srfwtgfd

    srfwtgfd Guest

    Hi... Could you tell us more about samurai? Never heard of it... Any link or tips?
    Thanks
     
  8. trickyricky

    Sure - there was a recent thread here on Wilders at https://www.wilderssecurity.com/showthread.php?t=105296 with much information including some download sources.

    It's a nice small yet effective hardening tool, with no resource-usage implications.
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I use Safexp. Noticed that if you untick "browse in new process" IE uses explorer to run and not Iexplore.

    This disables IE to run "Sandboxed" under Sandboxie or "Untrusted" under Defensewall.
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I would recommend taking things slow when you're first getting into hardening. Use one app at a time, not all at once. Use one and then wait a while to make sure that it hasn't disabled anything that you need. It's a lot easier to figure out which tool is potentially causing problems that way. It is a very good idea to set a System Restore point if you're running Windows XP, or backup your registry with something like ERUNT if you're using an earlier version of Windows, before making changes. You could also use something like the older freeware version of Total Uninstall that will let you undo just the changes made by the hardening tools, without affecting any changes made since by other software.

    Also keep in mind that the paid tools are going to have a lot more time devoted to the making of that program, along with the benefit of support. Paid programs are always going to be safer than freeware ones, and usually have better options for rolling back the changes that they have made.

    Personally I use WWDC and Harden-It, along with commercial tools. You can get a free copy of Computer Security Tool (current version, but no updates) at http://www.got-beta.com/ (if the forum page comes up blank, just do a forced reload by holding the left CTRL key while clicking Reload, or hold the SHIFT key while clicking Refresh in IE). The beta for the next version is also there (must be registered to view the forum), and free licenses are given to active and helpful testers. (Just be aware that beta means it's unfinished software.. you are given a free license in return for helping the developer find bugs and get them worked out. If you're looking to just evaluate the program, you should go with the current release version.)

    I will also note here that there is some question about the legitimacy and quality of the code for Samurai, I would recommend that non-techy users stick with Secure-It or the commercial tools. Secure-It does most of the things covered by Samurai anyway, and the rootkit protection is handled much better by a program like Prevx1, ProcessGuard, Safe'n'Sec, AppDefend, DefenseWall, UnHackMe/RegRun Platinum, or other similar programs.. these programs are also much more thorough, provide greater protection for a wider range of malware, have support, and have no question about their quality.

    SafeXP has been mostly fine for me, however it has proven to be a little buggier than the others. It's not so buggy that I wouldn't recommend it, but I would definitely recommend that you create a system restore point, or registry backup, before doing so.. but that goes with any of the tools.

    Hopefully these warnings don't sound too discouraging, that's not the intent :) I've just seen too many people download several tools and use them all at once, only to have something not work the way they need it to, and because they did everything all at once it becomes a nightmare to try to figure out what setting is causing the problem. If you take some basic precautions and take things slow, there shouldn't be any real problem. Just be sure that everything works the way you need it to before using another tool.

    Remember, you're making changes to the way your system is configured (disabling components), that means that some things are not going to work the way they did. There's a whole lot of things that you can possibly disable, the goal is to just disable the things you don't use/need.

    Lastly, I'll give a vote for nLite, and you actually don't have to download the full .NET framework anymore. If you go to the download page, you'll see that they have the .NET framework runtime 2.0 (23mb), or the alternative runtime which is only 6.63mb. I've been using it for some time now and it's truly awesome. Besides having the ability to remove unnecessary components, you can also apply tweaks, integrate service packs, patches, and drivers, and make a fully automated install so that all you have to do to format is put the disk in the drive and reboot.. come back 20-30 mins later and it's done! It can save a whole lot of time the next time you format.
     
    Last edited: Jan 12, 2006
  11. G1111

    Downloaded and ran Safe XP tonight. It reverted some of the disabled settings in WWDC. I just went with the recommended settings for now with Safe XP. Reset the WWDC settings, rebooted and everything running smooth (so far). I made a screenshot .JPG of my settings before I changed to the recommended settings so I know which were changed. Good point from Notok about setting a restore point for anything new you try.
     
  12. G1111

    Notok - Any advantages of Computer Security Tool over Safe XP?
     
  13. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    CST has more tweaks than safe xp like changing associations for dangerous file types like .reg, .wsf, etc. however i like the fact that safexp is free and u just need to run it once. for CST, if u trial it, u can't uninstall it otherwise the tweaks will be undone. and if i haven't already done so, i recommend u try it. it's a very nice tool.
     
  14. G1111

    Might give it a spin. Is the cost one time or yearly?
     
  15. Notok

    Just so you know I'm not ignoring your post, WSFuser beat me to it and said it perfectly :) SafeXP does have some options for specific programs, like IE, Outlook/OE, WMP, etc., that CST doesn't have, however, so it might be worth a look.. I would just do so after using CST since CST is going to make a backup of any of the changes it makes, etc.
     
  16. G1111

    Thanks Notok.
     
  17. spiff5000

    spiff5000 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    49
    Do any of these products indicate which vulnerabilities are being corrected?

    I'd like to see within the application a list of exploits that are being blocked. Preferably, the list should be cross-referenced to SANS or a reliable 3rd party, like the listing at Secunia.com. That way I know that every known, unpatched flaw has been addressed.

    Spiff5000
     
  18. Notok

    PreEmpt does that, but I think they're the only one.. part of their marketing campaign.
     
  19. spiff5000

    Indeed. I've spent the last few days surfing the web and cannot find anything like it. Computer Security Tool has similarities, many of the scanned items are intended to harden known exploits, but, unlike PreEmpt, it doesn't automatically update and protect new vulnerabilities nor does it control workstations from an admin console - both of which I need for my work environment.

    I read an SEC filing yesterday from Pivx that stated 3 Directors resigned. Their telephone line is still out of order. Damn. I hate to see good software ruined by bad management.

    Spiff5000
     
  20. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    What options do you have enabled on Samurai and do you have all recommended settings on Secure-It? I think there may be an overlap of certain things using these two programs.

    dja2k
     
  21. trickyricky

    Yes, there is overlap, but I'm selective when applying such applications' settings so that fact shouldn't cause me any problems. Since these apps are really meant for experienced tweakers, they shouldn't really get into the "wrong hands" to cause any trouble.
     
  22. dja2k

    Yes, I know that and I agree also. Like Notok said in another post, Samurai is for experienced users and Secure-it for beginners. With that said, all I wanted to know is what options did you setup in Samurai when you had already applied Secure-it with the recommended settings?

    dja2k
     
    Last edited: Jan 29, 2006
  23. spiff5000

    I tried Samurai a while ago. I'd like to give it a go again, but... alas... the web site seems to be offline. Is every maker of hardening software doomed to go out of business? o_O

    Spiff5000
     
  24. trickyricky

    I don't see Secure-It as a beginners tool, and the program itself warns you when you run it that it's for experienced and advanced users. Still, that's another issue.

    I applied virtually all of Samurai's settings, except for stopping the BITS service, as far as I recall. A lot of the settings can be duplicated without detriment since if two applications disable a service, no harm can result. The danger when there's an overlap is the toggling of a function or service status, which as far as I can tell, hasn't happened. All I can say for certain is that my PC runs very quickly and is extremely stable, which is a prerequisite. If any of the hardening had compromised that aspect, I'd have reversed it out straight away.

    Being sensible about all this, hardening is fine as long as it leaves the PC usable. Losing sight of this is probably easy, leaving you with such tight security in place that nothing can endanger it, yet no useful work can be done either. Somewhere in the middle ground is a sensible compromise which I always aim for.
     
  25. Notok

    The only thing you have to watch out for is that some of the tools will record the previous state before making a change.. so if you choose the option to disable a service that's already been disabled, then the "previous" state will still be disabled if you need to change it back. Secure-It (which I say is easier because it gives more information while you're actually making the changes, so a little more suitable for beginners.. plus the question as to the quality in the rootkit protection, etc., in Samurai doesn't really make it suitable for those that may not be able to recover from a disaster, IMO) is a little different in this regard because it can set things back to the system default if you go through it again. It's still a safer bet to go through the tools one at a time, if something gets disabled that you need, it's much easier to troubleshoot just one program than several.
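
Added example, not part of the original thread or of any tool discussed in it: one way to follow the "one tool at a time" advice and to keep an independent record of each service's original start mode, so a tool's own recorded "previous state" is not the only thing to fall back on. It assumes Windows PowerShell 5.1 in an elevated session; the function names, file names and tool labels are hypothetical.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1+;
# function names, file names and tool labels below are placeholders.

function Save-ServiceSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Record each service's configured start mode (Auto, Manual, Disabled, ...).
    Get-CimInstance -ClassName Win32_Service |
        Sort-Object Name |
        Select-Object Name, StartMode |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ServiceSnapshot {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $old = @{}
    Import-Csv -Path $Before | ForEach-Object { $old[$_.Name] = $_.StartMode }
    $seen = @{}
    foreach ($svc in Import-Csv -Path $After) {
        $seen[$svc.Name] = $true
        if ($old[$svc.Name] -ne $svc.StartMode) {
            [pscustomobject]@{
                Service = $svc.Name
                Before  = $old[$svc.Name]   # empty if the service is new
                After   = $svc.StartMode
            }
        }
    }
    # Services that disappeared entirely (deleted rather than disabled).
    foreach ($name in $old.Keys) {
        if (-not $seen.ContainsKey($name)) {
            [pscustomobject]@{ Service = $name; Before = $old[$name]; After = '(removed)' }
        }
    }
}

# Workflow, one tool at a time (run elevated):
#   Checkpoint-Computer -Description 'Before tool A' -RestorePointType MODIFY_SETTINGS
#   Save-ServiceSnapshot -Path .\00-baseline.csv
#   ...apply tool A, reboot, confirm everything works...
#   Save-ServiceSnapshot -Path .\01-after-tool-A.csv
#   Compare-ServiceSnapshot -Before .\00-baseline.csv -After .\01-after-tool-A.csv
# Services tool A already disabled: a later tool that records "previous state"
# would store Disabled for these, so only the baseline holds their original mode.
#   Compare-ServiceSnapshot -Before .\00-baseline.csv -After .\01-after-tool-A.csv |
#       Where-Object After -eq 'Disabled'
```

Take a new snapshot after each tool and diff it against the previous one; the baseline file stays untouched as the record of the original configuration.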
     