Download Binaries | Source

DPAPI Setup

1. Create the directory C:\DPAPI and copy the contents from the DPAPI directory (found in DPAPIBinaries.zip) into the new directory.

2. Create a local Windows account that will be used to run the Enterprise Services Application and Windows Service with the username DPAPIAccount. Make sure to uncheck the User must change password at next logon check box and check the Password never expires check box. Use the Local Security Policy tool in the Administrative Tools programs group to give the account the Log on locally and Log on as a batch job privileges.

You must log off with your current account and login as the DPAPIAccount user to create the user profile. Once you have logged in as the DPAPIAccount user you can then log off and log back in as your normal account.

3. Open a command prompt and run the following command to register the serviced component.

regsvcs C:\DPAPI\DPAPIComp.dll

4. Open the Component Services management console and navigate to the Component Services->Computers->My Computer->COM+ Applications folder. Right-click on the DPAPI Helper Application application and select the Properties menu option.

6. Click on the Identity tab and select the This user radio button. Enter the MachineName\DPAPIAccount username and password and then click on the OK button.

7. Expand the DPAPI Helper Application->Roles folder. You will need to add the users to the Roles\Users nodes that will need access to encrypt and decrypt. All users that need access to encrypt and/or decrypt must also be added to the Marshaler\Users node.

Add the MachineName\ASPNET ("NETWORK SERVICE" in IIS 6.0) user to all three groups for this example since we will test encrypting and decrypting through an ASP.NET application.

8. Open a command prompt and run the following command to install the Windows service.

installutil C:\DPAPI\DPAPIService.exe

Enter the MachineName\DPAPIAccount ("NETWORK SERVICE" in IIS 6.0) username and password and click the "OK" button.

9. Open the Services management console and start the DPAPI Service service.

10. Open the IIS management console and add a new virtual directory named DPAPIWeb.

11. Copy the contents from the DPAPIWeb directory (found in DPAPIBinaries.zip) into the new virtual directory.

12. Open http://localhost/DPAPIWeb/WebForm1.aspx in a browser and test encrypting and decrypting. Obviously, you would want to make sure that this application was not accessible outside of the local server.

The steps described below are ones I practice at work and at home. Although they directly apply to Windows XP Pro and Windows Server 2003, these steps can also be applied to some extent to other versions of Windows. Since using these, I have never had a virus, and the servers that I manage have never been penetrated even though attempts have been made.

I will continue to add items to this page as I become aware of new practices and better ways to keep Windows secure. Please feel free to send me information on ways that you keep your systems secure.

Rename Default Administrator User
Rename the default Administrator user to something else. Setup a user with the username of ‘Administrator’ and add only to the Users group. Disable this account. This will help with quickly seeing what attempts have been made to login with the ‘Administrator’ username.

Now you need to add a user that is a member of the Users group and this will become your main login. The objective of this account is to run with the least amount of privileges that are needed for the majority of operations. I am a big advocate of running with least privileges and believe there is never a good reason to have your main login be a member of the Administrators group. You can always use “Run As…” when you need to run process that require higher privileges.

Enable Auditing & Hide Last Login Username
1. Execute the Administrator Tools Local Security Policy application.
2. Expand the Local Policy node.
3. Click on the Audit Policy node.
4. Double click, or right click and select Properties, on the
‘Audit account login events’ item.

5. Check both the ‘Success’ and ‘Failure’ checkboxes.
6. Click on the OK button.
7. Click on the ‘Security Options’ node.
8. Double click, or right click and select Properties, on the
‘Interactive login: Do not display last username’ item.

9. Click on the ‘Enabled’ radio button.
10. Click on the OK button.

Hide Administrator User From Interactive Login Screen (Windows XP)
Hide the real administrator user from login screen.
1. Click on Start->Run…
2. Type ‘regedit’ and then click on the OK button.
3. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Special Accounts\UserList\
4. Right click on the UserList key and select the‘New->DWORD Value’ menu option.
5. For the value’s name, enter the username of the user that is a member of the Administrators group.
6. Make sure the value is set to 0.

If you are using the Windows XP "Welcome screen" then you can press CTRL+ALT+DELETE twice to open the traditional login dialog box that will allow you to enter any username.

Windows Automatic Updates
Enable Windows Automatic Updates
1.Start->Control Panel->Automatic Updates

2. Select the ‘Automatic’ option and select ‘Every day’ at an off-peak time.

Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
This is an incredible tool that will analyze your system and give you a detailed report about your system’s security.

Use New Setup
Now you need to reboot and this time login with your newly created user that is a member of the Users and not Administrators group.

Visual Studio
If you are using a user that is a member of the Users group and want to use the Visual Studio .NET 2002/2003 debugger, you will need to make sure that your user is also a member of the ‘Debugger Users’ group. You will need to log off and then login. There are extra steps that need to be taken if you want to debug an ASP.NET site.