os hardening
DESCRIPTION
VIA REGEDIT GPEDIT CMD SHELL TRANSCRIPT
WINDOWS 7 – DISABLE SIMPLE FILE SHARING
By default, Windows 7 uses a wizard to assist in sharing folders with other users on the local network. However, the wizard does not assign the correct permissions, which makes the shared folder difficult to work with.
Open My Computer.
Click on the “Organise” toolbar
Choose the “Folder and Search Options” menu
On the Folder Options dialog box, click the View tab.
Scroll to the bottom of the Advanced Settings list
Remove the tick from “Use Sharing Wizard”
DISABLE NETWORK SHARING VIA GPEDIT.MSC
In the navigation pane, open the following folders: Local Computer Policy, User Configuration, Administrative Templates, Windows Components, and Network Sharing.
In the details pane, double-click Prevent users from sharing files within their profile
Do one of the following:
o To enable the Group Policy setting, and disable the user's ability to share files, click Enabled.
o To disable the Group Policy setting, and enable the user's ability to share files, click Disabled.
TO DISPLAY HIDDEN FILES AND FOLDERS
For Windows Vista, Windows 7, and Windows Server 2008
1. Start Windows Explorer; you can do this by opening any folder.
2. Click Organize.
3. Click Folder and search options.
4. Click the View tab.
5. Scroll down until you see Hide extensions for known file types, then uncheck this line by clicking the check box.
Note: To hide file name extensions, check this line.
6.
7. Click OK
ADDING MESSAGES TO WINDOWS 7'S LOGON SCREEN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Add text to legalnoticecaption and legalnoticetext
OR
Type secpol.msc in Start Search and hit Enter to open the Local Security Policy
Expand Local Policies
Select Security Options
In the RHS pane, double click Interactive logon: Message text for users attempting to log on.
In the provided box, type the message you want to appear.
TRACKING LOGONS
Right-click anywhere inside the System key and select New | DWORD (32-bit) Value.
When the new value appears, type DisplayLastLogonInfo and press Enter twice. When
the Edit DWORD dialog box appears, type 1 in the Value Data text box.
CHANGE THE LAUNCH DIRECTORY TO SHOW ALL DRIVES IN WINDOWS EXPLORER
To change the launch folder default in Windows Explorer, modify the target path to be
this command:
%SystemRoot%\explorer.exe /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
CHANGE THE NAME OF THE ADMINISTRATOR
wmic UserAccount where Name="Administrator" call Rename Name="new-name"
DISABLE FIREWALL
netsh firewall set opmode disable
RENAME ADMINISTRATOR ACCOUNT
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
DISABLE WELCOME SCREEN
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Select Interactive logon: Do not display last user name and click on Properties.
PASSWORD POLICY
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ : Enforce password history
ACCOUNT LOCKOUT POLICY
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\
HOW TO ENABLE ACCOUNT AUDITING SETTINGS
Click Start, type secpol.msc, and press Enter. The Local Security Policy window is displayed. Navigate to Local Policies > Audit Policy, right-click the Audit account logon events policy, and choose Properties.
CLEAR VIRTUAL MEMORY PAGE FILE
COOKIE HANDLING IN IE 8
Open Internet Options | Privacy, click on the Advanced button.
Place a check in "Override automatic cookie handling". Uncheck "Always allow session cookies".
Set "First Party Cookies" to Block, set "Third Party Cookies" to Block.
Note: You will need to manually allow certain cookies. Add "*.microsoft.com" (no quotes) to the "Always Allow" list to avoid problems with Windows Update and the many other Microsoft sites, including the MSKB, which requires cookies to be accepted. I would recommend adding any sites that you frequent, such as banking, and any sites that require you to log in (social networking, etc.).
You'll find that after a while this only requires a very short list.
DELETE COOKIES IN INTERNET EXPLORER 8
1. Open Internet Explorer by clicking the Start button, and then clicking Internet Explorer.
2. Click the Safety button, and then click Delete Browsing History.
3. Select the check box next to Cookies.
4. Select the Preserve Favorites website data check box if you do not want to delete the cookies associated with websites in your Favorites list.
5. Click Delete.
NTLM HASH ETC
Under Local Policies → Security, set "Network security: Do not store LAN Manager hash" to
"Disabled". Optionally, adjust "Network security: LAN Manager authentication level" to accept and/or send LM in addition to NTLM. (Note that this is very insecure and must be reverted after tests.)
CLEAR DOCUMENT HISTORY
ACTION CENTRE MESSAGES
Open the Action Center and select Change Action Center Settings in the left pane.
Deselect all the items and click OK. The Action Center will no longer have any
problems to report.
PORT OPEN
C:\WINDOWS>netstat -an |find /i "listening"
C:\WINDOWS>netstat -an |find /i "ESTABLISHED"
CREATE AN ADMIN ACCOUNT FROM COMMAND LINE
net user kaalu test_123 /add
net localgroup administrators kaalu /add
HOW TO MAKE YOUR PC SLIGHTLY MORE SAFE?
Go to http://winhelp2002.mvps.org/hosts.htm, download the hosts file, and replace your existing
hosts file with it.
HOW TO FLUSH DNS FROM CMD?
View the DNS resolver cache by entering "ipconfig /displaydns" at the command prompt and pressing the Enter key.
Enter "net stop dnscache" or "sc \\servername stop dnscache" at the command prompt and press the Enter key. DNS caching will be disabled until the next time the computer is restarted. To make the change permanent, the DNS Client service must be set to Disabled using the Microsoft Service Controller or the Services tool.
DISABLE AUTOPLAY
HIDING TEXT INSIDE A TEXT FILE
more anupam.txt
echo kela hai zindagi>anupam.txt:secret
more<anupam.txt:secret
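Files that carry a named stream like the one created above can be found by enumerating streams. The following is an added example, not part of the original notes; it needs PowerShell 3.0 or later, and the function name Find-AlternateStream and the scratch folder it builds are assumptions made for the demonstration.

```powershell
# Added example: list alternate data streams (ADS) on files under a folder.
# Requires PowerShell 3.0+ (the -Stream parameter) and an NTFS volume.
# Find-AlternateStream is an illustrative name, not a built-in cmdlet.

function Find-AlternateStream {
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        # Zone.Identifier is the stream Windows attaches to downloaded files.
        [string[]]$IgnoreStream = @('Zone.Identifier')
    )
    # Only files are inspected here; streams attached to directories are not covered.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        # ':$DATA' is the normal, unnamed content stream every file has.
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

# Constructed sample: a scratch folder with one clean file and one file
# that carries a named stream, mirroring the anupam.txt:secret case.
$demo = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'clean.txt') -Value 'visible text'
Set-Content -LiteralPath (Join-Path $demo 'notes.txt') -Value 'visible text'
Set-Content -LiteralPath (Join-Path $demo 'notes.txt') -Stream 'secret' -Value 'hidden text'

# Only notes.txt with its "secret" stream should be reported.
Find-AlternateStream -Root $demo | Format-Table -AutoSize

# A reported stream can be reviewed with:
#   Get-Content -LiteralPath <FileName> -Stream <Stream>
Remove-Item -LiteralPath $demo -Recurse -Force
```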
CIPHER COMMAND
C:\anupamtemp>cipher /e anupamtemp
C:\anupamtemp>cipher /w:anupamtemp
CONVERT COMMAND
C:\>CONVERT C: /FS:NTFS
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In the right-side pane, create a DWORD value NoViewOnDrive and set its value according to your requirements, as given in the following list:
A: 1
B: 2
C: 4
D: 8
E: 16
F: 32
G: 64
H: 128
I: 256
J: 512
K: 1024
L: 2048
M: 4096
N: 8192
O: 16384
P: 32768
Q: 65536
R: 131072
S: 262144
T: 524288
U: 1048576
V: 2097152
W: 4194304
X: 8388608
Y: 16777216
Z: 33554432
ALL: 67108863
DISABLE USB/CD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Steps:
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
4. In the right pane, double-click Start.
5. In the Value data box, type 4, click Hexadecimal (if it is not already
selected), and then click OK.
You can disable the CD drive and USB in the BIOS, or go to regedit:
Hkey_Local_machine\system\CurrentControlSet\services\cdrom\start
1=enable, 0=disable
hkey_local_machine\system\CurrentControlSet\devices\usbstor\start
3=enable, 4=disable
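To check which of the registry settings described on this page (logon banner, DisplayLastLogonInfo, NoViewOnDrive, UsbStor) are actually in place on a machine, the values can be read back. This is an added example, not part of the original notes; the helper names are illustrative, and the UsbStor path used is the Services one given in the numbered steps above.

```powershell
# Added example: read-only audit of registry values described on this page.
# Helper names (Get-RegValue, ConvertFrom-DriveMask, New-Finding) are illustrative.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function ConvertFrom-DriveMask([int]$Mask) {
    # Bit 0 = A:, bit 1 = B:, ... bit 25 = Z:, matching the NoViewOnDrive list.
    foreach ($bit in 0..25) {
        if ($Mask -band [int][math]::Pow(2, $bit)) { '{0}:' -f [char](65 + $bit) }
    }
}

function New-Finding([string]$Setting, $Value, [bool]$Configured) {
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Configured = $Configured }
}

$system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# NoViewOnDrive is per user: this reads the hive of the account running the script.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbStor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'

$caption   = Get-RegValue $system 'legalnoticecaption'
$text      = Get-RegValue $system 'legalnoticetext'
$lastLogon = Get-RegValue $system 'DisplayLastLogonInfo'
$driveMask = Get-RegValue $explorer 'NoViewOnDrive'
$usbStart  = Get-RegValue $usbStor 'Start'

$findings = @(
    New-Finding 'Logon banner caption' $caption (-not [string]::IsNullOrEmpty($caption))
    New-Finding 'Logon banner text' $text (-not [string]::IsNullOrEmpty($text))
    New-Finding 'DisplayLastLogonInfo' $lastLogon ($lastLogon -eq 1)
    New-Finding 'NoViewOnDrive' ((ConvertFrom-DriveMask $driveMask) -join ' ') ($driveMask -gt 0)
    New-Finding 'UsbStor Start (4 = disabled)' $usbStart ($usbStart -eq 4)
)

$findings | Select-Object Setting, Value, Configured | Format-Table -AutoSize
```

The script only reads values, so it can be run without elevation; the Configured column is True when the value matches what the corresponding section of these notes sets.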