Keeping Windows Secure

Introduction
I am constantly looking for the best ways to keep Windows secure against potential attacks and exploits. I have used Windows XP since RC1 and because I also manage multiple Windows Server 2003 servers, security is always the first step I take after installing Windows XP/Server.

The steps described below are ones I practice at work and at home. Although they directly apply to Windows XP Pro and Windows Server 2003, these steps can also be applied to some extent to other versions of Windows. Since using these, I have never had a virus, and the servers that I manage have never been penetrated even though attempts have been made.

I will continue to add items to this page as I become aware of new practices and better ways to keep Windows secure. Please feel free to send me information on ways that you keep your systems secure.

Rename Default Administrator User
Rename the default Administrator user to something else. Setup a user with the username of ‘Administrator’ and add only to the Users group. Disable this account. This will help with quickly seeing what attempts have been made to login with the ‘Administrator’ username.

Now you need to add a user that is a member of the Users group and this will become your main login. The objective of this account is to run with the least amount of privileges that are needed for the majority of operations. I am a big advocate of running with least privileges and believe there is never a good reason to have your main login be a member of the Administrators group. You can always use “Run As…” when you need to run process that require higher privileges.

Enable Auditing & Hide Last Login Username
1. Execute the Administrator Tools Local Security Policy application.
2. Expand the Local Policy node.
3. Click on the Audit Policy node.
4. Double click, or right click and select Properties, on the
‘Audit account login events’ item.

5. Check both the ‘Success’ and ‘Failure’ checkboxes.
6. Click on the OK button.
7. Click on the ‘Security Options’ node.
8. Double click, or right click and select Properties, on the
‘Interactive login: Do not display last username’ item.

9. Click on the ‘Enabled’ radio button.
10. Click on the OK button.

Hide Administrator User From Interactive Login Screen (Windows XP)
Hide the real administrator user from login screen.
1. Click on Start->Run…
2. Type ‘regedit’ and then click on the OK button.
3. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Special Accounts\UserList\
4. Right click on the UserList key and select the‘New->DWORD Value’ menu option.
5. For the value’s name, enter the username of the user that is a member of the Administrators group.
6. Make sure the value is set to 0.

If you are using the Windows XP "Welcome screen" then you can press CTRL+ALT+DELETE twice to open the traditional login dialog box that will allow you to enter any username.

Windows Automatic Updates
Enable Windows Automatic Updates
1.Start->Control Panel->Automatic Updates

2. Select the ‘Automatic’ option and select ‘Every day’ at an off-peak time.

Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
This is an incredible tool that will analyze your system and give you a detailed report about your system’s security.

Use New Setup
Now you need to reboot and this time login with your newly created user that is a member of the Users and not Administrators group.

Visual Studio
If you are using a user that is a member of the Users group and want to use the Visual Studio .NET 2002/2003 debugger, you will need to make sure that your user is also a member of the ‘Debugger Users’ group. You will need to log off and then login. There are extra steps that need to be taken if you want to debug an ASP.NET site.