UofW Computing Best Practices
In Support of University Policy
Common Threats to Computer Security
Operating Systems
Viruses, Worms and Trojans
Recommended General Best Practices
Spyware and Adware
Recommended General Best Practices
Phishing Scams
Recommended General Best Practices
Network Scans and Attacks
Recommended General Best Practices
Social Engineering
Recommended General Best Practices
Computer Theft
Recommended General Best Practices
Eavesdropping and Shoulder Checking
Recommended General Best Practices
UWin Project Systems
Password Adjustments
Password Protected Screensaver
Non UWin Project Systems
Determining Risk
General Security Settings
Local Security Settings
Account Policies
Auditing
Rights Assignments and Security Options
Services
Registry Settings
Files and Utilities
Windows 2003 Systems
Suse Linux Systems
Accounts and Passwords
Recommended Best Practices
Recommended Best Practices
Identifying Forged or ‘Spoofed’ Mail
Examples
E-Mail Encryption
Personal E-Mail Certificates
PGP
E-Mail Hoaxes
Mail Disclaimers
Web Browser Security
Cookies
Scripting Languages
Recommended Best Practices
University Anti-Virus Software
Other Malware Support
Recommended Best Practices
Personal Firewalls
False Sense of Security
Recommended Best Practices
Information Confidentiality and Privacy
Recommended Best Practices
Copyrights and Governmental Laws
Reporting UofW Security Incidents
Types of Incidents to Report
Reference Information
Introduction
In recent years, and especially after 9/11, the requirement for securing electronic data and computer systems has increased dramatically. This is rightfully so, and long overdue: threats to personal information now blend new and improved techniques with different delivery methods in combined attacks.
The University and its respective IT-related departments continue to take a more proactive posture to improve computer, network and data security. The implementation of a campus firewall and campus-wide desktop Anti virus software are good examples of this. Still, much more can and will be done to improve security here on campus.
While the University continues to forge ahead with such critical security initiatives, it is up to all individuals who use the available resources to understand that security goes beyond the system administrator; it is everyone’s responsibility.
This set of documents was created to assist employees and students associated with the University to protect the computer systems they use and to be aware of some common threats that jeopardize the safety of the data stored on them. There are both technical and non-technical references on increasing a computer security posture and maintaining it, with emphasis on some services and programs specific to the University.
These documents should not be considered an all-inclusive “geek” manual on security, but rather a good stepping-stone to a heightened level of awareness. References to further (technical) security reading can be found in the appendix.
Questions or comments regarding these documents or their content are welcome. Please note that these documents, like security, are continually changing. It is therefore recommended that the content be reviewed periodically.
Mark Rogowski
In Support of University Policy
The UofW Acceptable Computing Use Policy contains a list of simple to understand statements that help to govern general computer use on campus. They define what is “acceptable” to the University as they relate to the needs and requirements of the University community.
There are fundamental and conceptual differences between “acceptable” and “unacceptable” computing use, and opinion often swings from one extreme to the other. Statements describing unacceptable use can be straightforward, like “don’t break equipment”, but can also be subtle enough to cause users some confusion. For example, what you find to be acceptable web browsing or E-Mail attachments may be construed as unacceptable or offensive by others. The same goes for computing equipment, applications and facilities.
The following list clarifies the term “unacceptable use” of University computing resources:
- Unauthorized access, modification, destruction, copying or disclosure of data not owned by you.
- Physical abuse, removal, or modification of computing equipment owned by the University.
- Attempts to obtain access to someone else's accounts or data.
- The sharing of your personal account or disclosure of your, or someone else's passwords.
- Unauthorized copying of copyrighted materials, data or software.
- Use of University computing resources for personal financial gain.
- Harassment, including sexual harassment, of others through the use of University resources.
- Knowingly releasing, or attempting to release malicious code such as a virus, Trojan horse, or worm into any part of the University's computing facilities.
- Propagation of hate literature, junk mail, chain letters or undue use of profanity through electronic means.
- Use of applications that consume high amounts of network bandwidth such as network gaming and peer-to-peer file sharing.
- Use of Internet Relay Chat (IRC) as a communication method.
Common Threats to Computer Security
Viruses, Worms and Trojans
At one time, viruses were extremely limited in the functions they could perform and in the scope in which they operated. They spread mostly through the sharing of disk media, which meant their impact was limited to small pockets of systems. The growth of the Internet and the expansion of services like E-Mail and peer-to-peer file sharing have brought rapid change and growth in the virus-like code being released. Virus sophistication has grown exponentially over the last 3-4 years, and replication across entire networks and the Internet now occurs within hours or even minutes.
Many viruses attack users through “social engineering” techniques, like disguising themselves as cute or useful programs. Others take advantage of specific vulnerabilities identified in operating systems and programs. Some are released before the software makers are able to write and distribute patches; many more target systems where an available patch has simply not been applied.
Thanks to advanced programming techniques, viruses today are capable of performing one or more of the following functions on the systems they infect:
- Monitor system functions, execute commands, open “back doors” to the system
- Hide themselves from the average computer user and shut down services running on the system including Anti virus software
- Delete operating system files or other personal data files
- Consume system resources, disk space, CPU cycles, slowing the performance
- Expose and steal private and confidential data, log user credentials such as passwords and credit card information
- Spy on network traffic, and record private communications
- Spread themselves using advanced network scanning techniques and built-in mail engines
Recommended General Best Practices
- Obtain a licensed copy of Anti-virus software and make sure that the software is always up to date.
- Make sure that your Anti-virus software is always running and that it is set up to automatically start on system boot-up.
- Before clicking on any E-mail attachment, make sure that the attachment is something you were expecting. Do not blindly click on any attachment.
- Scan all files you receive as e-mail attachments before opening them.
- Before using any media given to you by someone else, scan it for viruses. Viruses can be, and still are, transmitted on removable media including diskettes, CDs, USB memory keys, and other memory cards such as SmartMedia.
- As a general rule, you should only download files from trusted sites.
- Back up important files regularly.
- Make sure that your Operating System and any software you use is up-to-date. Install patches made available from vendors of your software.
- If you receive an E-Mail about a virus from a friend or colleague, do not forward it to anyone. More often than not, these messages turn out to be a virus hoax. Forwarding hoaxes on to friends and colleagues causes unnecessary stress on both recipients and support resources combating virus infections.
Spyware and Adware
Although related to viruses, Spyware and Adware have taken on identities of their own because of the increasing number of reports about them and their widespread use as monitoring and content delivery tools. This is something the typical Anti-virus vendors had largely ignored until now, and they are currently playing catch-up in the effort to fight this next-generation threat.
Adware is typically delivered through web sites, either as part of a site’s built-in scripting code or as a downloadable component. It appears as pop-ups in Internet browsers selling wares or pointing users to download “helpful plug-ins”.
Spyware (much more threatening) consists of software components that may be delivered to a user’s system through Adware scripts, bundled with peer-to-peer applications like Kazaa and Grokster, or installed as Trojans through some other delivery method.
Spyware and Adware are generally designed to push content such as banner ads and services to the end user. Many are also designed to perform other duties such as:
- Running as background services, and logging information about the user’s browsing habits
- Overwriting the Internet browser’s home page settings with sites leading to advertising or pornographic web sites (also known as browser hijacking)
- Acting as Trojans to monitor network communication and the user’s keystrokes
- Recording personal information such as credit card and bank account information, and sending it to the Spyware writer
Currently, the main focus of Spyware is on pornographic web sites, where the owners garner revenue from banner ads and from delivering back-end programs. This trend is changing, however, and increasing numbers of legitimate web sites are making use of Spyware and Adware to help generate profits (AOL, for example).
Spyware usage is increasing, and careful attention must be paid to identifying it and combating its effects.
Recommended General Best Practices
- Many newer Anti-virus packages come with Anti-Spyware components built in. Obtain a licensed copy of Anti-virus software and make sure that the software is always up to date.
- Obtain a licensed (or freeware) copy of Anti-Spyware software, and make sure this package remains updated. Scan for Spyware regularly.
- If your browser doesn’t already have one, obtain a licensed (or freeware) copy of a browser pop-up killer. Using this program will minimize the amount of banner ads you will see, and thus minimize the chances of accidentally clicking on them.
- Consider using an alternate web browser besides Internet Explorer. IE is tightly integrated with the operating system, runs ActiveX controls with the full privileges of the logged-in user, and is prone to many of the scripting attacks Spyware and Adware use.
- Customize your web browser to restrict the use of Java, JavaScript, ActiveX controls and cookies.
- Refrain from using peer-to-peer applications like Kazaa and Grokster. These packages come with Spyware built in (Bonzi Buddy, etc.). The peer-to-peer network nowadays is loaded with Trojans and other virus-like code. It’s just not worth the risk anymore.
- Watch E-Mail attachments – Spyware is known to propagate through mail. Scan all attachments before opening them.
- Adware and Spyware can be launched through automated scripts, even in E-Mail. Avoid opening SPAM and other mail from untrusted sites.
- Watch browsing habits. A majority of Spyware comes from pornography sites and sites that allude to shareware, software piracy and software crack sites.
- Keep your operating system and browser patched and up to date. Download and install new browser versions as they become available. Many times the new version fixes issues not addressed through patching.
Phishing Scams
Sometimes lumped together with “carding” (credit card fraud), Phishing is a form of social engineering whereby unsuspecting computer users are tricked into providing personal information to parties who claim to be legitimate. Personal information Phishers find useful can be basic, like the contents of a resume where full name, address and social insurance number are provided. The more popular Phishing scams are monetary-based, where credit card and bank account numbers are requested.
Phishing goes back a long way, but early scams, limited by the technology of the time, targeted only small or select groups of computer users. Today they are widespread, and with the Internet driving computer technology, the methods of delivering a Phishing scam are numerous. The large majority of scams arrive by E-Mail, taking on the identity of a legitimate company or banking institution. Other attack methods, or "vectors", becoming more popular include Instant Messaging and IRC.
In the case of a Phishing scam delivered through E-Mail for example, an unsuspecting user would receive a specially crafted E-Mail (usually html-based) from what appears to be like a bank or some other on-line service. There are usually statements made in the mail referring to some technical issues with the computer user's account. The mail instructs the user to go to the company’s web site to clear up the issue, and provides a web link for "quick" access.
Once there, the user sees what looks like the company's web site, complete with company banners, logos, contact information, etc. There are usually forms made available for the user to input personal information such as name and address, a credit card number, and other financial information. Unbeknownst to the user, the web site they just visited is likely a hacked web server somewhere halfway around the world, and the web pages are carefully crafted duplicates of the legitimate organization.
Phishing scams are on the rise, and are becoming more sophisticated. They are also becoming more difficult to detect. Some of the best (or more successful) Phishing scams created to date have been crafted to look like such companies as:
- Ebay
- Microsoft
- PayPal
- AOL
- Hotmail
- CitiBank
- Amazon
Recommended General Best Practices
- Companies like banks and on-line shopping sites normally don’t ask you for financial information through E-Mail. If you deal with companies that do, ensure that the E-Mail is personalized (addressed to you by name), and bear in mind that personalization alone does not prove a message is genuine.
- If links are provided in E-Mail, do not click on them. Instead, manually log into the web service by typing the web site url directly into your web browser.
- Do not fill out any forms embedded in E-Mail.
- Ensure that you are using a secure web site (HTTPS) when entering financial information, such as credit card numbers. Verify the security certificate provided by the site, and make sure the certificate matches the site name or url.
- Log into your on-line accounts regularly to make sure nothing out of the ordinary has happened.
- Always log out of on-line accounts when finished.
- Consider installing a web browser tool bar that protects you from known Phishing sites.
- Ensure your web browser has all updated security patches.
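Several of the checks above (links that don’t go where they claim, links to raw IP addresses, non-HTTPS links, forms embedded in the message) can be run mechanically against the HTML body of a suspicious message. The following is an added example and not code from the original guide: it extracts every link and form from a constructed sample message and reports each indicator that fires. The sample message, the 203.0.113.45 address (from a documentation range) and the look-alike domain are all made up for the example.

```python
"""Flag common e-mail phishing indicators in an HTML message body.

Added example for this guide (not part of the original). Standard library
only, so it runs offline against the constructed sample message below.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and <form> actions from HTML."""

    def __init__(self):
        super().__init__()
        self.links = []          # each entry is [href, visible text]
        self.forms = []          # form action URLs
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append([attrs["href"], ""])
            self._in_anchor = True
        elif tag == "form":
            self.forms.append(attrs.get("action") or "")

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.example.com/login'."""
    value = url_or_text.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text itself names a site (simple heuristic)."""
    t = text.strip().lower()
    return "://" in t or t.startswith("www.") or t.endswith((".com", ".net", ".org", ".ca"))


def is_ip_literal(host):
    """True for hosts such as 203.0.113.45 rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_message(html_body):
    """Return a list of (target, reason) findings; empty means no indicator fired."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlsplit(href)
        host = (target.hostname or "").lower()
        if target.scheme != "https":
            findings.append((href, "link does not use HTTPS"))
        if is_ip_literal(host):
            findings.append((href, "link points at a raw IP address instead of a hostname"))
        # Visible text says one site, the href goes to another: the classic lure.
        if looks_like_url(text) and host_of(text) != host:
            findings.append((href, f"visible text names {host_of(text)} but the link goes to {host}"))
    for action in collector.forms:
        findings.append((action, "message contains an embedded form asking for input"))
    return findings


# Constructed sample: the IP is from the 203.0.113.0/24 documentation range and
# the look-alike domain is invented. Only the "Help Center" link is clean.
SAMPLE_MESSAGE = """\
<html><body>
<p>Dear valued customer, we have detected a technical issue with your account.</p>
<p>Please <a href="http://203.0.113.45/paypal/login.htm">click here</a> to restore access.</p>
<p>Or sign in at <a href="http://www.paypa1-secure.example/login">https://www.paypal.com/</a></p>
<p>Questions? See the <a href="https://www.paypal.com/help">PayPal Help Center</a>.</p>
<form action="http://203.0.113.45/collect.php" method="post">
  Card number: <input name="cc"> <input type="submit" value="Verify">
</form>
</body></html>
"""

if __name__ == "__main__":
    for target, reason in analyze_message(SAMPLE_MESSAGE):
        print(f"{reason}: {target}")
```

Feed it the HTML part of the message (not the rendered view) so that the real href, not the text the sender wants you to see, is what gets checked. The heuristics are deliberately simple; a clean result does not make a message safe, it only means none of the obvious lures are present.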
Network Scans and Attacks
Scans of network and Internet connected computer systems are usually considered a precursor to a network-based attack. Scans are performed to determine which services, or “ports”, are open on a machine. The more ports open on a computer, the higher the chance that a vulnerability can be found in the service behind one of them. If an exploit used against a vulnerable service or port succeeds, the system falls victim to whatever that exploit does.
A vulnerable system can be exploited to perform any of the following actions:
- Crash the running service leaving it inoperable
- Open up a “back door” with administrative rights for the attacker to remotely connect to
- Launch programs or scripts as part of its “payload” to perform certain functions
- Turn the victim computer into a “zombie”, where the system becomes part of a large group of other exploited systems – normally used in a “distributed denial of service” (DDOS) attack on web site of the attacker’s choice
- Record and report back private or critical information as part of an espionage mission
Many network scans are scripted, and may be the result of a virus or worm trying to replicate itself. Other scans come from actual attackers trying to find out more about computer systems. These scans may be more selective in nature, targeting only specific systems and services, and may be run slowly to avoid detection by Intrusion Detection Systems.
Network scans are almost a daily routine on the Internet these days, but they are no less threatening than anything else in computing.
Recommended General Best Practices
- Obtain a personal firewall product (hardware or software-based) for your computer.
- Make sure your operating system and programs are up to date and have all security patches applied.
- Make sure you have disabled all unnecessary services on your system.
Social Engineering
Social Engineering is more art than science, and deals specifically with the manipulation of one’s trust in what another person is saying or doing. The intention is to obtain some type of personal, private or corporate information, such as user accounts, financials, or even corporate trade secrets as part of an espionage mission.
This is more an internal company threat than it is external. Attackers using Social Engineering techniques can trick assistants, the technical Help Desk, or other coworkers into believing they are someone they aren’t. For example, an attacker can phone the Help Desk and disguise herself as a professor who has just come off a sabbatical and has forgotten her computer account password.
By feeding the Help Desk assistant some basic information like a legitimate name, phone number and office location (usually very easily obtainable) the Help Desk assistant believes or ‘trusts’ that the person he is speaking to is in fact, the professor. The assistant then generates a new account password and provides it to the attacker.
Some information gathering is normally performed prior to a Social Engineering attack. Necessary information for a successful attack can be gathered from papers in a wastebasket (dumpster diving), a phone book, personal or corporate websites – anywhere there is content to be acquired. Attack delivery is usually over the phone where voices can be disguised, but successful engineering can be performed through E-Mail messages and actual physical appearances made by the attacker.
It is difficult to identify a Social Engineering attacker because these people are very good at it (ever hear of Kevin Mitnick?). Falling victim to engineering doesn’t happen often, but when it does there are usually serious repercussions.
Recommended General Best Practices
- Always ask for additional verification from anyone you don’t personally know who makes a request for private information.
- Ask for a return phone number and phone the person back to verify identity. If possible, verify the name to the number in a phone book or other sources as well.
- Never divulge a password over the phone.
- If acts of intimidation are used (forceful voice over the phone, threats, etc.), deny all requests until further proof or verification can be obtained.
- Insist that the individual come to you in person to get the information requested.
- Ask for identification if someone you don’t recognize shows up at your office door.
- Keep confidential papers in a secured area, free of prying eyes.
- Shred paper with confidential information.
- Erase magnetic media when not required. Physically destroy old media that cannot be erased.
Computer Theft
Advances in technology have seen computers getting smaller and more portable. Desktop PCs are less than half the size they were five years ago; laptops are smaller and lighter; PDAs and cell phones store more personal information and perform more functions. The result has been an increase in the exposure of personal information through computer theft: since these devices are more powerful and hold more data than a few years ago, users store more personal information on them. It’s logical to do so.
Private information can, and often does get stored in various locations on a computer. This could include web browser cache files, E-Mail Inboxes, and custom ‘preference’ settings within third party programs. Many times, the average user may not be aware this information actually exists on the system, let alone knowing where it is stored.
If a computer was ever stolen and the thief turned out to be computer savvy, she may have access to a treasure house of confidential data – not only the company reports generated that day, but possibly even credit card information from an on-line web transaction that was done a week before.
Recommended General Best Practices
- If a laptop or small footprint computer is used, consider getting a security cable and secure it to the desk. This will not completely protect the system from theft, but it will slow a thief down considerably.
- Keep the computer out of direct sight from doorways and windows. The fewer people who know it’s there, the safer the computer will be.
- Make certain to lock the office doors and windows when leaving for the day.
- Consider using a boot-level password for the computer.
- Back up data on the local system periodically (every week, for example). Use network server storage to save confidential documents and work-related data.
- Store any backup media in a secure place, such as a locked cabinet.
- Periodically clean the local system of any confidential information. Clean the browser cache of all residual files and cookies. Ensure that no personal information is stored in E-Mail Inboxes and empty the Recycle Bin.
- If dealing with very private or confidential information, consider obtaining software that encrypts computer data saved on the system hard disk.
Eavesdropping and Shoulder Checking
Much less obvious but very effective is eavesdropping on others when they are inputting data on their computer. As more people take advantage of on-line services like banking and shopping, personal information entered into web transactions could potentially be viewed by others.
Computers more susceptible to eavesdropping are those found in common or public areas. People can fall prey to shoulder checking because these areas are normally wide open with systems crammed together in long rows. When people sit at these systems, there is often another row of public systems behind them so they don't know who is there without constantly turning around. Computer screens are larger these days and provide a much greater viewing area than they did before. For the average sized computer user, it may be difficult to completely block a screen with one’s shoulders.
Advances in cell phone, PDA and camera technology have made extremely small monitoring devices affordable for those who wish to use them maliciously. These devices can be concealed anywhere on a person’s body, and are capable of high resolutions and powerful zooms. They can record what is on a computer screen and what is being typed at a keyboard.
There are many other forms of eavesdropping, but it is usually the most blatant mistakes people subconsciously make that others just cannot ignore. A prime example would be something like: “…Jane, I can’t log into your computer, what’s your password again?” as John yells from across the room.
Recommended General Best Practices
- Refrain from doing personal computing in open or public areas or where human traffic is high.
- Shield your keystrokes with your body. Lean into the keyboard when typing in passwords.
- Use a password-enabled screensaver.
- If connected to the network, always log out when leaving the system for a period of time.
- Consider getting a privacy screen for the monitor. These block the view of the screen from angles of about 30 degrees or more.
- Avoid speaking about personal information like passwords, especially in public areas. If you have to share something private, write it down.
- Never leave paperwork with personal or confidential information lying around. Always use a paper shredder when disposing of such paperwork.
Operating Systems
UWin Project Systems
Client operating systems currently supported by TSC are Microsoft Windows 2000 and, to a much lesser extent, Windows 98. All University owned systems deployed as part of the UWin Project have been configured with Windows 2000 Professional in a way that provides a balance between functionality and security. Much of the baseline configuration of Windows has already been performed, leaving very little client customization required.
Users who work with UWin systems where the base image has not been overwritten can make general administrative adjustments that will increase its secure posture.
Password Adjustments
Passwords are often the only line of defense into a system or application. UWin users can change network and system passwords as often as they like:
Press the <Ctrl> + <Alt> + <Del> buttons simultaneously and select “Change Password”:
In the Novell Change Password box you can select the resource you wish to make the change to. The computer icon in the box refers to the local system; the tree refers to the Novell network account (some users may only see the tree icon – any changes made in this case would apply to both the local and network account):
Good security practice is to have separate passwords for the local system and for network authentication. If either account is compromised, the attacker is limited to that resource only.
Password Protected Screensavers
To ensure systems are not tampered with when left for short periods, screensavers can be enabled and passwords applied to them. If enabled, the password would be that of the local system account.
To apply a password-enabled screensaver:
- Select Start => Settings => Control Panel => Display
- Choose the Screen Saver tab at the top of the box. Choose a screensaver from the drop-down list and put a check mark in the box named “Password protected”
- Adjust the wait time before the screensaver engages. If you deal with sensitive information on your computer and want to ensure it is not accessed, a good wait time is 5 minutes. Otherwise, 10 – 15 minutes is sufficient.
Non UWin Project Systems
Individuals who do not have UWin Project systems or who overwrite the UWin standard image with their own customized version of Windows 2000 Pro face the responsibility of making sure the system is configured and secured properly. This rule also applies to system administrators of Windows 2000 network servers.
This section provides both the end user and system administrator (herein called “administrator”) a set of procedures on how to harden the security posture of a Windows 2000 operating system. Security controls listed will apply to both servers and workstations based on their “risk” levels.
Determining Risk
Prior to any proposed Windows 2000 deployment, a quick system risk evaluation can be performed. This is where three key components that define the protection of data stored or accessed on the system (confidentiality, integrity, and availability requirements), are weighed against threats to the system (internal, external, natural, and malicious), vulnerabilities of the system (including current and potential future vulnerability), and the exposure to the threat (Internet facing, other security controls).
Overall risk to a system can be calculated using the following equation:
Risk = Vulnerabilities x Exposure
Threats are not normally factored into the risk total because they never cease; some threat is always present. As vulnerabilities and exposure increase, so does the risk.
Risk can be classified at three levels with varying impacts:
High Risk – Where the exploitation of a vulnerability will adversely affect the system, resources around the system and/or cause significant damage or harm to other assets and impacts the reputation of the department or University.
Medium Risk – Where the exploitation of a vulnerability will moderately impact the system and resources around it causing some loss or damage to assets, and may affect the reputation of the department or University.
Low Risk – Where exploitation of a vulnerability is unlikely or, if it succeeds, causes little or no direct damage to the system. The administrator and/or management should be made aware of the issue and correct it through standard procedures.
The following chart shows good examples of risk classifications of systems based on their function and sensitivity (type of information stored on them):
Purpose (function and sensitivity of the system): General Risk Rating
- Internet mail server, web server, DNS server (sensitive and Internet facing): HIGH
- HR database, financials, classified research server: HIGH
- Firewall, proxy server: HIGH
- DHCP server, internal mail server (behind firewalls or other security controls), mobile laptops: MODERATE
- Development server (internal, behind firewalls and other security controls), file and print servers: MODERATE
- General use desktop (behind firewalls and other security controls): MODERATE
- Isolated systems where network access controls allow no incoming service requests: LOW
- Systems protected by a comprehensive security suite that includes workstation firewalls, intrusion detection, and constant monitoring with quick response time to incidents: LOW
- Open access “public” systems protected by a security suite that includes fully customized application hardening, snapshot system protection and constant monitoring with quick response time to incidents: LOW
General Security Configurations
R = Recommended / Required
O = Optional
Install Anti Virus software
Should be installed on all systems.
Workstation: High Risk - R, Med Risk - R, Low Risk - R
Server: High Risk - R, Med Risk - R, Low Risk - R

Format or convert all drives to NTFS
Using NTFS increases the security of the file system through ACLs and special permissions.
Workstation: High Risk - R, Med Risk - R, Low Risk - O
Server: High Risk - R, Med Risk - R, Low Risk - R

Configure the system for Windows Update
All systems should be configured to receive patches. Workstations can be set to install updates automatically; servers should be configured to prompt the administrator before installing them.
Workstation: High Risk - R, Med Risk - R, Low Risk - R
Server: High Risk - R, Med Risk - R, Low Risk - R

Do not allow automatic logon for the Administrator account
Automatic logon is an option for stand-alone or home systems only. It should never be used on servers or higher risk workstations.
Workstation: High Risk - R, Med Risk - R, Low Risk - O
Server: High Risk - R, Med Risk - R, Low Risk - R

Rename the Administrator account and create a dummy “Administrator” account with no privileges
This minimizes the risk of scripted brute force attacks on the real Administrator account, and logon attempts against the decoy provide a good way to track attacks against the system.
Workstation: High Risk - R, Med Risk - R, Low Risk - O
Server: High Risk - R, Med Risk - R, Low Risk - R

Create separate accounts for each user of the system and assign them to the Users or Power Users group
Administrative privileges are not required for daily or general use. Separate accounts also maintain accountability between users.
Workstation: High Risk - R, Med Risk - R, Low Risk - O
Server: High Risk - R, Med Risk - R, Low Risk - R
Local Security Settings
Account Policies
Control Panel => Administrative Tools => Security Policy => Account Policies => Password Policies

| Action | Description | Workstation (High / Med / Low risk) | Server (High / Med / Low risk) |
|---|---|---|---|
| Set password length to 6 characters (minimum) | The longer the password, the more difficult it is to guess. | R / R / R | R / R / R |
| Set a maximum password age on all accounts | This enforces the periodic changing of passwords on local accounts. Suggested maximum ages: 60 days for high risk systems, 120 days for medium risk systems and 180 days for low risk systems. | R / R / O | R / R / R |
Control Panel => Administrative Tools => Security Policy => Account Policies => Account Lockout Policy

| Action | Description | Workstation (High / Med / Low risk) | Server (High / Med / Low risk) |
|---|---|---|---|
| Enable account lockout threshold | Enable this to stop "brute force" password attacks on accounts. The recommended threshold for all risk levels is 5 failed logon attempts. | R / R / O | R / R / R |
| Enable account lockout duration | The account lockout duration sets how long the account remains locked. Recommended settings are 30 minutes for low risk systems and 60 minutes for medium and high risk systems. | R / R / O | R / R / R |
Auditing
Control Panel => Administrative Tools => Security Policy => Local Policies => Audit Policy

| Action | Description | Workstation (High / Med / Low risk) | Server (High / Med / Low risk) |
|---|---|---|---|
| Set audit account logon events to Success and Failure | This tracks account login and logout activity. | R / R / O | R / R / R |
| Set audit account management to Success and Failure | This tracks general administrative functions such as account creation. | R / O / O | R / R / O |
| Set audit logon events to Success and Failure | This tracks logon events and is a good reference for forensic analysis in the event of a system compromise. | R / R / R | R / R / R |
| Set audit policy change to Success and Failure | This acts as an early warning that logging has been changed or has stopped. | O / O / O | R / R / O |
| Set audit system events to Success and Failure | This tracks the starting and stopping of services. It provides a good reference for troubleshooting and aids forensic analysis. | R / O / O | R / R / R |
Rights Assignments and Security Options
Control Panel => Administrative Tools => Security Policy => Local Policies => User Rights Assignment

| Action | Description | Workstation (High / Med / Low risk) | Server (High / Med / Low risk) |
|---|---|---|---|
| Restrict ability to shut down the system to Administrators and Backup Operators | Only higher level accounts should have this ability. | O / O / O | R / R / R |
Control Panel => Administrative Tools => Security Policy => Local Policies => Security Options

| Action | Description | Workstation (High / Med / Low risk) | Server (High / Med / Low risk) |
|---|---|---|---|
| Set additional restrictions for anonymous connections to not allow enumeration of SAM accounts and shares | By default, Windows allows anonymous users to query account and group information. Attackers use this to learn more about the system. This setting controls that behaviour. | R / R / R | R / R / R |
| Set allow system to be shut down without having to log on to Disabled | This prevents the system from being shut down by unauthorized parties. | O / O / O | R / R / R |
| Set amount of idle time before disconnect to 15 minutes | On Windows servers, idle connections are disconnected, reducing the potential for a denial of service attack. | O / O / O | R / R / R |
| Set automatically log off users to Enabled | In a Windows server environment where policy dictates, this enforces the disconnection of users at certain times. | O / O / O | R / O / O |
| Set clear virtual memory pagefile when system shuts down to Enabled | Pagefiles can contain sensitive information such as passwords and private data. | R / O / O | R / R / O |
| Set disable Ctrl+Alt+Del requirement for logon to Disabled | Requiring the Ctrl+Alt+Del sequence ensures that automated scripts cannot be used to log on, whether by users or by attackers. | R / R / O | R / R / R |
| Set do not display last username on logon to Enabled | Showing the last username hands an attacker a valid account name to target. | R / R / O | R / R / R |
| Set message text for users attempting to log on to a customized departmental message | This makes clear that unauthorized access to the system is considered trespassing. | R / O / O | R / R / O |
| Set message title for users attempting to log on to a customized departmental title | This makes clear that unauthorized access to the system is considered trespassing. | R / O / O | R / R / O |
| Set number of previous logons to cache to 0 | Only applicable in a domain environment; this ensures that logon credentials are not cached in the system registry. | O / O / O | R / O / O |
| Set prevent users from installing printer drivers to Enabled | In a high risk environment, this should be a task reserved for Administrators. | R / O / O | R / O / O |
| Set prompt user to change password before expiration to 14 days | Where policy dictates a password change, this reminds users that they will need to change their password. | R / O / O | R / O / O |
| Set Recovery Console: allow automatic administrative logon to Disabled | The Recovery Console is used in troubleshooting when systems cannot restart. | R / O / O | R / R / O |
| Set rename Administrator account to a custom name | This stops automated or manual brute force attacks on the Administrator account. Create a dummy Administrator account and assign it no privileges. | R / R / R | R / R / R |
| Set rename Guest account to a custom name | The Guest account is disabled by default; however, should it become enabled, unauthorized users will not know the real name of the account. | R / R / R | R / R / R |
| Set restrict CDROM and Floppy access to locally logged-on users to Enabled | In Windows networking environments, this prevents any remote access to removable media devices. | R / O / O | R / R / R |
| Set Secure Channel: digitally encrypt secure channel data (when possible) to Enabled | In high risk domain environments, this is used when negotiating for a domain account. | R / O / O | R / O / O |
| Set Secure Channel: digitally sign secure channel data (when possible) to Enabled | In high risk domain environments, this is used when negotiating for a domain account. | R / O / O | R / O / O |
| Set send unencrypted passwords to connect to third-party SMB servers to Disabled | In a Windows networking environment, clear text passwords sent over the network run the risk of being read by attackers. | R / R / R | R / R / R |
| Set strengthen default permissions of global system objects to Enabled | Any discretionary controls placed on shares, semaphores and devices will be available read-only to administrators who did not create the object. | R / R / R | R / R / R |
Services
Increase security by disabling as many services as possible. The following is a list of common services found on Windows systems that can be customized.
Control Panel => Administrative Tools => Services

| Service Name | Description | Workstation | Server |
|---|---|---|---|
| Clipbook | Allows clipbook viewing from remote systems. | Disable | Disable |
| Computer Browser | Used to display shares and services in a Windows network environment. | Disable | Manual, or Disable for high security risk systems |
| DHCP Client | Obtains a network IP address from a server providing a range of addresses. | Automatic for most general purpose systems | Disable; a static IP address should be used |
| Fax Service | Built-in faxing capabilities. | Disable | Disable |
| Indexing Service | Provides fast file access through indexes. Exploits exist for this service. | Manual | Disable unless absolutely necessary |
| Internet Connection Sharing | Provides the ability to share a modem or network connection with multiple computers. | Disable | Disable |
| Messenger | Controls network messages sent by Administrators or other users on the network. | Disable | Disable |
| NetMeeting Remote Desktop Sharing | Allows remote NetMeeting users to take control of the desktop. | Disable | Disable |
| NT LM Security Support Provider | Provides backward compatibility for legacy RPC-based applications. | Disable if not absolutely necessary | Disable if not absolutely necessary |
| Remote Registry Service | Allows administrative control of the local system registry from remote systems. | Disable if not absolutely necessary | Manual, or Disable for high security risk systems |
| Routing and Remote Access | Provides routing for networks. | Disable | Disable |
| Server | Provides network-based services like file and remote printing. | Disable if present | Automatic (disable if not absolutely necessary) |
| Telephony | Supports telephone-based applications and VOIP. | Disable if present | Disable if present |
| Telnet | A legacy service that allows remote connection and command-line shell services. | Disable | Disable |
| Simple TCP/IP Helper Service | Legacy services that are vulnerable to a variety of attacks. | * | Disable |
| TCP/IP Print Server | Provides remote print sharing. | Disable if present | Disable if not absolutely necessary |
| FTP Service | Usually installed with IIS Server. Provides remote connection file transfers. | * | Disable or remove if present |
| Trivial FTPD | A service that is widely used by attackers to spread code. | * | Remove if present |
Registry Settings
The following settings can be applied to the system registry to harden its security posture. Registry entries will have to be created where none exist.

| Location | Registry Entry | Format | Value | Comments | Apply This To |
|---|---|---|---|---|---|
| HKLM\System\CurrentControlSet\Services\Tcpip\Parameters | EnableICMPRedirect | DWORD | 0 | These settings harden the TCP/IP stack, making the system resilient to Denial of Service attacks. | All Windows servers facing the Internet |
| | SynAttackProtect | DWORD | 2 | | |
| | EnableDeadGWDetect | DWORD | 0 | | |
| | EnablePMTUDiscovery | DWORD | 0 | | |
| | KeepAliveTime | DWORD | 300,000 | | |
| | DisableIPSourceRouting | DWORD | 2 | | |
| | TcpMaxConnectResponseRetransmissions | DWORD | 2 | | |
| | TcpMaxDataRetransmissions | DWORD | 3 | | |
| | PerformRouterDiscovery | DWORD | 0 | | |
| | TCPMaxPortsExhausted | DWORD | 5 | | |
| HKLM\System\CurrentControlSet\Services\AFD\Parameters | DynamicBacklogGrowthDelta | DWORD | 10 | For web servers, these settings help the server handle half-open HTTP and FTP requests. | All Web and FTP servers |
| | EnableDynamicBacklog | DWORD | 1 | | |
| | MinimumDynamicBacklog | DWORD | 20 | | |
| | MaximumDynamicBacklog | DWORD | 20000 | | |
| HKLM\System\CurrentControlSet\Services\Netbt\Parameters | NoNameReleaseOnDemand | DWORD | 1 | This setting protects against NetBIOS attacks in which an attacker forces the system to release its NetBIOS name. Administrators of WINS services should be careful with this setting. | All servers and High Risk workstations |
| HKLM\System\CurrentControlSet\Control\FileSystem | NtfsDisable8dot3NameCreation | DWORD | 1 | This disables the creation of 8.3 filenames, so an attacker cannot access long filenames using the short naming convention. | High Risk servers |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoDriveTypeAutoRun | DWORD | 0xFF | This disables the Autorun feature on CDROM drives to prevent any malicious code from launching automatically. | High Risk servers |
| HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems | Remove 'Optional', 'OS2' and 'Posix' keys | * | * | This removes the OS2 and POSIX subsystems. | High Risk servers and workstations |
| HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters | RestrictNullSessAccess | DWORD | 1 | This setting restricts null session access to any shares on the system. | All servers and workstations |
| HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters | Remove 'NullSessionPipes' and 'NullSessionShares' keys | * | * | This setting restricts null session access to any shares on the system. | All servers and workstations |
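As an added example (not part of the University's guide), the following Python audits a `reg export` of the keys above against the table's values and writes a .reg fragment for whatever is missing or different. It assumes the table's HKLM paths expand to HKEY_LOCAL_MACHINE as `reg export` writes them; the export text embedded below is constructed for the demonstration, not taken from a real system.

```python
r"""Audit a registry export against the hardening values in the table above.
Added example, not part of the University's guide: BASELINE carries the
table's Tcpip, AFD and lanmanserver values (HKLM = HKEY_LOCAL_MACHINE, as
`reg export` writes it); SAMPLE_EXPORT is a constructed export, not a real
system's. `reg export` writes UTF-16, so decode a real file with 'utf-16'."""
import re

# Expected values from the table above: key path -> {entry: DWORD value}.
BASELINE = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters": {
        "EnableICMPRedirect": 0, "SynAttackProtect": 2, "EnableDeadGWDetect": 0,
        "EnablePMTUDiscovery": 0, "KeepAliveTime": 300000,
        "DisableIPSourceRouting": 2, "TcpMaxConnectResponseRetransmissions": 2,
        "TcpMaxDataRetransmissions": 3, "PerformRouterDiscovery": 0,
        "TCPMaxPortsExhausted": 5,
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters": {
        "DynamicBacklogGrowthDelta": 10, "EnableDynamicBacklog": 1,
        "MinimumDynamicBacklog": 20, "MaximumDynamicBacklog": 20000,
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters": {
        "RestrictNullSessAccess": 1,
    },
}

# Constructed `reg export` output: EnableICMPRedirect is wrong,
# TCPMaxPortsExhausted is missing, and the lanmanserver key is absent.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000001
"SynAttackProtect"=dword:00000002
"EnableDeadGWDetect"=dword:00000000
"EnablePMTUDiscovery"=dword:00000000
"KeepAliveTime"=dword:000493e0
"DisableIPSourceRouting"=dword:00000002
"TcpMaxConnectResponseRetransmissions"=dword:00000002
"TcpMaxDataRetransmissions"=dword:00000003
"PerformRouterDiscovery"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"DynamicBacklogGrowthDelta"=dword:0000000a
"EnableDynamicBacklog"=dword:00000001
"MinimumDynamicBacklog"=dword:00000014
"MaximumDynamicBacklog"=dword:00004e20
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_export(text):
    """Return {key_path: {entry: int}} for the DWORD values in a .reg export.
    Keys and entry names are lower-cased because the registry ignores case;
    string, binary and default (@=) values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif (m := DWORD_RE.match(line)) and current is not None:
            keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def audit(export_text, baseline=BASELINE):
    """Compare an export with the baseline. Each finding is
    (key, entry, expected, actual); actual is None when the entry is absent,
    which the table treats as a gap to fill, not as a default to trust."""
    present = parse_reg_export(export_text)
    findings = []
    for key, entries in baseline.items():
        values = present.get(key.lower(), {})
        for name, expected in entries.items():
            actual = values.get(name.lower())
            if actual != expected:
                findings.append((key, name, expected, actual))
    return findings


def remediation_reg(findings):
    """Build a .reg fragment that sets every deviating or missing entry to
    its baseline value, grouped by key, suitable for `reg import`."""
    by_key = {}
    for key, name, expected, _actual in findings:
        by_key.setdefault(key, []).append(f'"{name}"=dword:{expected:08x}')
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, entries in by_key.items():
        lines += [f"[{key}]", *entries, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    findings = audit(SAMPLE_EXPORT)
    for key, name, expected, actual in findings:
        state = "missing" if actual is None else f"is {actual}"
        print(f"{key}\\{name}: {state}, expected {expected}")
    print(remediation_reg(findings))
```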
Files and Utilities
The following files are included in the system environment path and are often used by hackers to circumvent system security. If they are not required, they should be moved to a directory that is only accessible by the Administrator:
- CMD.EXE
- FINGER.EXE
- NBTSTAT.EXE
- NETSTAT.EXE
- RSH.EXE
- RCP.EXE
- ROUTE.EXE
- TELNET.EXE
- TFTP.EXE
- TRACERT.EXE
- COMMAND.COM
- NET.EXE
- IPCONFIG.EXE
- PING.EXE
- REGEDIT32.EXE

The following files and directories pertain to the OS2, POSIX and DOS subsystems. They can be deleted on High Risk systems and servers:
- DOS directory and files (if they exist)
- OS2 directory and files (if they exist)
- OS2.EXE
- OS2SRV.EXE
- OS2SS.EXE
- NETAPI.OS2
- POSIX.EXE
- PSXDLL.DLL
- PSXSS.EXE
Windows 2003 Systems
Coming soon.
Suse Linux
Coming soon.
Accounts and Passwords
Trust plays a very important role when accounts are created on servers and the information is handed out to account holders. The administrator providing access to the server or service “trusts” that the person authenticating to the system is the true account owner. This trust must exist for the simple fact that the administrator is not and cannot be present to witness the user logging in. It is part of the Identity Management model that the user’s account credentials (username and password) are not shared with others.
Many systems become compromised as a result of account sharing. It is the sole responsibility of the account holder to ensure this does not happen.
Recommended Best Practices
- Never share your account or password with anyone else, including relatives, friends, colleagues, supervisors or even the system administrators.
- When you are assigned a temporary password, make sure you change it immediately.
- Never use passwords that are easy to guess or that can be somehow associated with you.
- Do not use obvious, trivial or predictable passwords. Prime examples of these are simple dictionary words (such as “password”, “secret”, “computer”), names of people, places, pets, your login ID, birth date, etc.
- Do not write down or store passwords on your computer or computer media. If you have to log your password, make sure that the paper it is written on is stored in a secure and safe place, like a sealed envelope in a locked filing cabinet.
- Never use the same password twice. When you are selecting a new password, choose one that is quite different from your previous password.
- Passwords should be changed frequently. The shorter the life of a password, the better it is. Some systems force users to change their password at predetermined intervals.
- Password length should be at least five characters. The longer a password is, the harder it is to guess.
- Passwords should contain a combination of alphabetic, numeric and special characters.
E-Mail is a double-edged sword. It has become a standard method of communication and the number one choice for network and Internet users alike. E-Mail has gained standing in that many organizations and government bodies acknowledge digitally signed E-Mail to be as valid as a hand-written signature on a document. In some circumstances, E-Mail is also admissible in a court of law. Yet the protocol has changed very little as technology has advanced, and as a result E-Mail is used as a delivery mechanism for malicious activity.
As with everything, there are associated risks when dealing with computers - E-Mail even more so. Here are a few examples users should remember when using E-Mail for communications:
- E-Mail does not guarantee end-to-end transfer of content. What could be sent via E-Mail may never reach the intended recipient.
- E-Mail does not guarantee privacy. It can be intercepted in transit, be sent to the wrong recipient by accident, or be disclosed inadvertently. If intercepted, E-Mail can be forged or manipulated so that the recipient is misled by its content.
- E-Mail content can easily be misinterpreted. A joking statement passed through E-Mail may be construed as hostile because emotions cannot be conveyed accurately enough.
- E-Mail is often stored permanently or archived by many organizations for any future legal use.
- E-Mail can be easily forwarded to others, or printed and left where others may view its content.
- E-Mail is often used by hackers to transfer malicious code like viruses and worms.
- E-Mail has become a major tool for spreading unwanted bulk mail like SPAM.
Recommended Best Practices
- Understand the risks associated with using electronic mail to discuss personal, confidential or sensitive information.
- Double-check the recipient's address before sending a message.
- Communicate via E-Mail only those things you're comfortable having forwarded.
- Avoid using E-Mail for particularly sensitive matters.
- Avoid using e-mail for time sensitive messages.
- Take time to make sure the message is clear and concise, and cannot be misconstrued.
- Be careful about leaving programs operational and/or documents visible when your computer is unattended.
- Make use of screen savers with private passwords or automatic sign-off.
- Empty your Inbox regularly to avoid exceeding your quota. Transfer messages you want to keep from your Inbox to other folders, or to your computer's hard drive.
- Unsubscribe from any mailing lists that no longer interest you. Lists generate a huge amount of mail traffic.
- Don’t attach very large files to e-mail messages. Generally, attachments should be less than one megabyte. Explore alternatives like SSH to send files larger than this.
- Do not participate in chain letters. It's not only illegal but it’s also not a good idea as it ties up valuable network resources.
- Learn to recognize virus hoaxes that circulate via e-mail, and don't pass them on.
- Make sure your computer is protected from e-mail viruses.
- Never click on an attachment unless your Anti-virus software has scanned the message.
- If you were not expecting an attachment, it’s best to just delete the message and the attachment. Some virus programs change the extension of the attachment to disguise its real purpose, so you also need to be careful about attachments such as GIFs and JPEGs.
- If you receive advertising and other SPAM messages asking you to reply to the message to unsubscribe, be careful before replying. If the message is from a company that you are aware of, for example a software vendor or a department store, unsubscribing will usually work. Otherwise, simply delete or filter the SPAM.
- Set up your e-mail program to filter SPAM directly to your trash can.
Identifying Forged or ‘Spoofed’ Mail
E-Mail arriving as SPAM or generated by virus-infected systems is most often forged in an attempt to hide the systems generating it. What normally gets changed are the ‘From’ and ‘To’ fields of the mail itself, which are usually replaced by some bogus name. In many cases, both of these fields carry the recipient’s name. This leaves the victim wondering whether her computer actually generated the mail or not.
A relatively easy way to determine the true sender of forged mail is to look at the headers. Headers are small bits of information appended to mail that list the path the mail takes to its destination. This would include the sending system (by IP address, hostname or both) and all mail servers used to forward the mail.
For example, the University GroupWise E-Mail system appends header information as a separate attachment named ‘Mime.822’. Mime.822 lists the full mail content including the message body, sending host and date stamps. You can view the Mime.822 information by selecting File => Attachments => View in the opened mail.
Selecting the Mime.822 file reveals the header information and the mail content in text only.
E-Mail Header Example 1
The following example is the header of a simple SPAM mail:

```
Return-path: <igbreieo@pdiusa.com>
Received: from io.uwinnipeg.ca [142.132.1.12]
    by ds1.uwinnipeg.ca; Tue, 22 Jun 2004 00:13:23 -0500
Received: from pdiusa.com (ool-18baf696.dyn.optonline.net [24.186.246.150])
    by io.uwinnipeg.ca (8.12.10/8.12.10) with SMTP id i5M5DNAG009875
    for <m.rogowski@uwinnipeg.ca>; Tue, 22 Jun 2004 00:13:24 -0500 (CDT)
Message-Id: 200406220513.i5M5DNAG009875@io.uwinnipeg.ca
```

The recipient (m.rogowski@uwinnipeg.ca) received this message at 12:13 AM from the sender (igbreieo@pdiusa.com). The sender used the host ‘ool-18baf696.dyn.optonline.net’ with an IP address of 24.186.246.150.

This example does not provide evidence of forgery. It is possible that the system listed (24.186.246.150) did indeed send the mail. This system could be the actual spammer’s system, or it could be a zombie system that has fallen prey to a worm designed to act as a mail relay.
E-Mail Header Example 2
This next example shows clear-cut evidence of forgery:

```
Return-path: <kotsinga@singnet.com.sg>
Received: from io.uwinnipeg.ca [142.132.1.12]
    by ds1.uwinnipeg.ca; Fri, 11 Jun 2004 22:33:18 -0500
Received: from smtp25.singnet.com.sg (smtp25.singnet.com.sg [165.21.101.224])
    by io.uwinnipeg.ca (8.12.10/8.12.10) with ESMTP id i5C3XDAG014292
    for <m.rogowski@uwinnipeg.ca>; Fri, 11 Jun 2004 22:33:14 -0500 (CDT)
Received: from boalxeiw (hs1180.singnet.com.sg [165.21.202.204])
    by smtp25.singnet.com.sg (8.12.11/8.12.11) with SMTP id i5C3OPG4027200;
    Sat, 12 Jun 2004 11:24:26 +0800
Date: Sat, 12 Jun 2004 11:24:25 +0800
Message-Id: <200406120324.i5C3OPG4027200@smtp25.singnet.com.sg>
FROM: "MS Corporation Customer Services" <qrgiwnqlqygzry@updates_ms.net>
TO: "Microsoft Client" <anvttd@updates_ms.net>
SUBJECT: Current Net Patch
```

This example shows that the recipient (m.rogowski@uwinnipeg.ca) received mail from a sender at "MS Corporation Customer Services" about an important security patch. The list of ‘Received: from’ entries traces the path back to the original host (usually the last entry is the offending one):
- Received: from io.uwinnipeg.ca [142.132.1.12] – University mail server
- Received: from smtp25.singnet.com.sg (smtp25.singnet.com.sg [165.21.101.224]) – an intermediate mail server
- Received: from boalxeiw (hs1180.singnet.com.sg [165.21.202.204]) – the originator of the mail

This is clearly not Microsoft, yet the sender of the mail, likely a worm on an infected computer, was able to modify the ‘From’ field to try to hide itself. This mail came with an attachment, and was automatically filtered by the University mail server for fear that it could be a virus – and it definitely was.
Forged mail can be tricky to identify and track down. Here are some simple checks to weed it out:
- If the mail has your name in its ‘From’ field and you receive it, or if your name shows up in both the ‘To’ and ‘From’ fields, there’s a high probability it is forged.
- If your friends receive strange mail from you and you did not send them mail, it is most probably forged and can be deleted.
- If you have reservations or doubts about sent or received mail, look through the headers to track down the sending system. Make certain that your Anti virus software is up to date and scan all mail attachments.
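As an added example (not part of the University's guide or of GroupWise), the following Python walks the Received: chain of Example 2 above and applies the checks just listed: it reads the originating host from the bottom Received: line and compares the From, To and Return-path fields against the envelope recipient recorded in the ‘for <...>’ clause. The header text embedded is the one shown above; the check names and logic are illustrative.

```python
"""Trace the Received: chain of an E-Mail and flag the forgery signs the
section above describes. Added example, not part of the University's guide
or of GroupWise: SAMPLE_HEADERS is the second header example above; the
checks are an illustrative implementation and yield indicators, not proof."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

SAMPLE_HEADERS = """\
Return-path: <kotsinga@singnet.com.sg>
Received: from io.uwinnipeg.ca [142.132.1.12]
    by ds1.uwinnipeg.ca; Fri, 11 Jun 2004 22:33:18 -0500
Received: from smtp25.singnet.com.sg (smtp25.singnet.com.sg [165.21.101.224])
    by io.uwinnipeg.ca (8.12.10/8.12.10) with ESMTP id i5C3XDAG014292
    for <m.rogowski@uwinnipeg.ca>; Fri, 11 Jun 2004 22:33:14 -0500 (CDT)
Received: from boalxeiw (hs1180.singnet.com.sg [165.21.202.204])
    by smtp25.singnet.com.sg (8.12.11/8.12.11) with SMTP id i5C3OPG4027200;
    Sat, 12 Jun 2004 11:24:26 +0800
Date: Sat, 12 Jun 2004 11:24:25 +0800
Message-Id: <200406120324.i5C3OPG4027200@smtp25.singnet.com.sg>
FROM: "MS Corporation Customer Services" <qrgiwnqlqygzry@updates_ms.net>
TO: "Microsoft Client" <anvttd@updates_ms.net>
SUBJECT: Current Net Patch
"""

# "from <name the sender announced> (<host [ip] the receiver saw>) ... by <receiver>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)(?:\s+\((?P<resolved>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FOR_RE = re.compile(r"\bfor\s+<([^>]+)>")


def parse_hops(raw_headers):
    """Return the Received: chain, top (nearest the recipient) first. Each hop
    records the name the sending system announced, the hostname and IP the
    receiving server actually saw, and the receiving server itself."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        text = " ".join(value.split())                # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue                                  # unusual format: skip the hop
        ip = IP_RE.search(text.split(" by ", 1)[0])   # only the sending side's [ip]
        seen = (m.group("resolved") or "").split()
        hops.append({
            "claimed": m.group("claimed"),
            "resolved": seen[0] if seen and not seen[0].startswith("[") else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
        })
    return hops


def originating_hop(hops):
    """The bottom Received: line was added first, by the server that accepted
    the mail from the sending system, so it points at the originator."""
    return hops[-1] if hops else None


def envelope_recipient(raw_headers):
    """The 'for <...>' clause records who the mail was really delivered to,
    regardless of what the To: field claims."""
    for value in message_from_string(raw_headers).get_all("Received", []):
        if m := FOR_RE.search(" ".join(value.split())):
            return m.group(1).lower()
    return None


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def forgery_indicators(raw_headers):
    """Return (code, detail) pairs for the signs described in the text."""
    msg = message_from_string(raw_headers)
    origin = originating_hop(parse_hops(raw_headers))
    recipient = envelope_recipient(raw_headers)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    return_path = parseaddr(msg.get("Return-path", ""))[1].lower()
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    found = []
    if origin and origin["resolved"] and from_domain and not in_domain(origin["resolved"], from_domain):
        found.append(("from-domain-vs-origin",
                      f"From is {from_domain} but the mail originated at {origin['resolved']} [{origin['ip']}]"))
    if return_path and return_path.rpartition("@")[2] != from_domain:
        found.append(("return-path-vs-from", f"Return-path {return_path} is not in the From domain"))
    if recipient and recipient not in to_addrs:
        found.append(("recipient-not-in-to", f"delivered to {recipient}, which is not in To/Cc"))
    if recipient and (from_addr == recipient or from_addr in to_addrs):
        found.append(("from-is-recipient", "From matches the recipient or the To field"))
    return found


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_HEADERS), 1):
        print(f"hop {i}: {hop['claimed']} seen as {hop['resolved']} [{hop['ip']}] -> {hop['by']}")
    for code, detail in forgery_indicators(SAMPLE_HEADERS):
        print(f"indicator {code}: {detail}")
```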
E-Mail Encryption
Inter-office mail sent using the campus GroupWise system is encrypted and protects from external modification and prying eyes. This encryption is removed when an E-Mail message is sent from GroupWise to other mail servers on campus and across the Internet. To help increase end-to-end privacy of E-Mail through encryption, such as to external mail servers or Internet recipients, third party encryption applications and certificates can be used.
Sending encrypted E-Mail can be a confusing and daunting task to manage. To successfully send encrypted mail, both the sender and recipient must share cryptographic codes such as certificates or keys in order to encrypt and decrypt the mail content. This is normally done prior to actually encrypting and sending the mail. This means that both sides must have encryption software installed on their systems – something not everyone has.
For reasons of complexity, there is no direct technical support for E-Mail encryption other than what is currently provided by the standard GroupWise setup at the University. However, this should not deter those who wish to obtain third party certificates or incorporate cryptography when sending E-Mail – especially when mail content is confidential.
Personal E-Mail Certificates
Personal encryption certificates that plug into the native GroupWise client software can be obtained from a variety of companies, including Thawte, Verisign and Comodo (some are free, others are not). E-Mail certificates can be imported into the system through Internet Explorer and are accessible through the Tools Menu => Internet Options => Content => Certificates.
GroupWise will automatically pick these certificates up and offer them for use through the native GroupWise client software. Under Tools => Options => Certificates in GroupWise, the third party certificate can be selected as the default.
The option to send digitally signed or encrypted mail using the third party certificate is available through the standard GroupWise “Mail To” box. As stated previously, the recipient’s encryption certificate has to be stored before an encrypted mail can be sent.
PGP
Another method of encrypting E-Mail is through a software standard called PGP (Pretty Good Privacy). This third party encryption software, when purchased, plugs directly into the native GroupWise client software, encrypting and decrypting E-Mail on the fly.
There is currently no technical support for PGP on campus. Users of PGP software are urged to get familiar with the techniques of using PGP with mail applications like GroupWise before using the package.
E-Mail Hoaxes
Hoaxes are usually forms of social engineering that prey on wary computer users by telling them their systems are in jeopardy if they don’t do what is outlined in the mail. Hoaxes periodically make their rounds, claiming to be from a trustworthy source such as an Anti virus company, or simply forwarded by a friend who has fallen victim to the hoax itself.
As convincing as they may sound, E-Mail hoaxes have some tell-tale signs that make them fairly easy to identify:
- Many hoaxes are written in caps, which depicts the sender yelling (e.g. “PLEASE READ THIS!”).
- The hoax speaks of some tragic event that just happened to the sender of the mail (e.g. “ALL MY FILES WERE DELETED!”).
- In sheer panic, the hoax tells you to forward it on to warn others.
- You may see a pile of E-Mail addresses in the “To” field, suggesting that this is an issue everyone should be made aware of.
- The hoax may talk about a virus that no Anti virus software can detect, but yet the sender of the mail happened to identify it.
Best practices for dealing with hoaxes are:
- Always treat mail from unknown senders that warns of detrimental effects to computer systems as a potential hoax.
- Periodically check Internet hoax lists for newly identified hoaxes. All major Anti virus software companies post them.
- After checking hoax lists if you are still unsure whether the mail is fake, delete it. If it was legitimate, you will find out from a more trusted source.
Mail Disclaimers
Disclaimers attached to E-Mail messages are normally introduced by management to ensure good governance of corporate services. Often, companies view disclaimers as being legally binding, and thus tend to fill the disclaimer with threatening legal statements and other mumbo-jumbo. To date however, E-Mail disclaimers have never been tested in court, so there is no way to determine if these statements are in fact binding on the recipient.
Until there’s such a precedent set, disclaimers can be little more than suggestions to the recipient not to disclose or disseminate the mail content if she received it by accident, or to notify the sender about the mishap in sending the mail.
There is currently no University policy on the use (or non use) of E-Mail disclaimers. The University community can use disclaimers provided their content does not imply that the University will automatically enforce any misuse of mail content.
Some helpful suggestions for creating and using E-Mail disclaimers are:
- Place the disclaimer at the beginning of the mail and not the end. The disclaimer is useless if the recipient has already read the contents of the mail.
- Focus the disclaimer content on requests rather than demands. Terms like “strictly prohibited” imply that the recipient falls under your policy domain and must comply or else, when in fact they don’t.
- Include a request to notify you if the mail they receive is in error. This is a sign of proper netiquette and good faith.
- If you must send confidential information in E-Mail, encrypt it using a third party encryption utility to ensure the recipient you are sending it to is the right one.
Web Browser Security
Next to E-Mail, the web browser is likely the most widely used application on a computer these days. Unfortunately, it has also become one of the biggest threats to personal privacy. Viruses, Spyware and malicious web sites make up only a few of these threats to browser security. Other methods of compromising privacy are Cookies and complex scripting technology offered through Java applets, JavaScript and ActiveX controls.
Cookies
Cookies are small text files that are sent to your system from web sites you visit. The contents and usage of these files vary, and can contain reference information such as dates and times you visited the site. Other usages for cookies include holding customized settings you create when visiting web sites that are adjustable, such as web portals.
For example, major sites like MSN, Yahoo and Netscape have portal-like qualities allowing you to customize what it is you want to see every time you visit that site. By customizing the ‘look and feel’ of the portal, the style and layout of the page will remain the same. These settings are saved as cookies on your system, and will tell the web site what your content preferences are.
Cookies are sometimes used to track your browsing habits in an attempt to deliver web content that you might find appealing, such as banner ads. If you frequent a web site, a customized cookie could report all other sites you visited beforehand. The originating web site would then read the content from this cookie and deliver relevant banner ads based on your browsing habits.
Other examples would include financial institutions or pay sites where you provide personal information such as credit card or account numbers. Sometimes, the site will ‘customize’ the settings by delivering cookies to your system with this information contained within it. In many cases, they warn you ahead of time regarding the usage of cookies to store this type of information.
Cookie management can be configured within your web browser to allow all, block all, or prompt you each time a cookie is being sent to you. For Internet Explorer, this setting can be adjusted through Tools Menu => Privacy => Advanced. A safe rule to follow is to allow first party cookies and block third party cookies. Note that this setting may break some web site functions.
For Mozilla, these adjustments can be done through Edit Menu => Preferences => Privacy & Security => Cookies. A safe setting would be to enable cookies from the originating web site only. Note that this setting may break some web site functions.
Managing cookies by prompting can become a problem, as nearly all sites now deliver at least one cookie through the browser; being prompted for each one quickly becomes tedious.
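As an added example, not part of the original document, the following Python script models the decision a browser makes under each of the three cookie settings described above (allow all, first party only, block all). The page URL, host names and Set-Cookie headers are constructed, and the parent-domain test is a simplification of what real browsers do.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

ALLOW_ALL, FIRST_PARTY_ONLY, BLOCK_ALL = "allow all", "first party only", "block all"


def host_matches(host: str, domain: str) -> bool:
    """True if host is domain itself or lies beneath it (a.b.edu under b.edu).

    Simplification (assumption): real browsers also consult the public suffix
    list so that a bare suffix such as 'co.uk' can never count as a parent.
    """
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookie_decisions(policy: str, page_url: str, responses):
    """Decide, per cookie, whether a browser set to `policy` keeps it.

    responses: (responding_host, Set-Cookie header value) pairs collected
    while loading page_url. Returns {cookie_name: kept?}.
    """
    page_host = urlsplit(page_url).hostname
    kept = {}
    for host, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = morsel["domain"] or host
            # A host may only set cookies for itself or a parent domain;
            # anything else is dropped before any policy is consulted.
            if not host_matches(host, domain):
                kept[name] = False
                continue
            if policy == ALLOW_ALL:
                kept[name] = True
            elif policy == BLOCK_ALL:
                kept[name] = False
            else:  # first party only: the cookie must belong to the page's own site
                kept[name] = host_matches(page_host, domain)
    return kept


# Constructed sample: a customized portal page that also pulls in a banner ad
# and a script from other hosts; every response tries to set a cookie.
PAGE = "https://portal.example.edu/home"
RESPONSES = [
    ("portal.example.edu", "layout=twocol; Path=/"),                       # the site itself
    ("portal.example.edu", "sso=abc; Domain=.example.edu"),                # the site's parent domain
    ("ads.tracker-example.net", "uid=7f3a; Domain=.tracker-example.net"),  # banner ad network
    ("cdn.example-scripts.com", "visits=12"),                              # third-party script host
    ("ads.tracker-example.net", "spoof=1; Domain=example.edu"),            # claims a domain it is not in
]

if __name__ == "__main__":
    for policy in (ALLOW_ALL, FIRST_PARTY_ONLY, BLOCK_ALL):
        print(f"{policy:16s}: {cookie_decisions(policy, PAGE, RESPONSES)}")
```

Under "first party only" the tracker and script-host cookies are dropped while the portal's own layout and sign-on cookies survive, which is why that setting can break functions on sites that rely on third-party cookies.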
Scripting Languages
Java, JavaScript and ActiveX controls are used to enhance one’s web experience. They provide automation, helper controls and functions for web-based programs, etc. What many don’t realize is that code written using these technologies is executed on the local system. This means that malicious scripts written in Java or ActiveX can be automatically downloaded and run on the local machine – many times without the user knowing it.
ActiveX is a Microsoft technology, designed to work with Microsoft products (Internet Explorer - IE). Since IE operates at system level with full administrative privileges, ActiveX has the capability to create, modify and delete local files and perform other actions that an administrator can. This threat makes hostile ActiveX controls extremely damaging, and is one method of how Spyware, Adware and other forms of malware get loaded on systems.
Java and JavaScript are less dangerous than ActiveX, but not totally immune to exploit. Java code launched on systems normally does not have the same access rights to the local system as ActiveX has. Versions of Java are freely downloadable (from Sun Microsystems) and will run independently from the browser software, reducing the threat even further.
Customizing your browser can minimize the threat of hostile code reaching your system. Java and ActiveX can be either fully enabled, disabled, or you can be prompted when a Java or ActiveX control gets downloaded. Each of the three settings trades off security against functionality. If they were fully disabled, many web sites may not work properly, or at all.
Scripting Customization – Internet Explorer
For Internet Explorer, go under the Tools Menu => Internet Options => Security. Select the Internet Zone and choose the Custom Level button at the bottom. Security settings for ActiveX and Java can be adjusted according to your preference.
Adjusting these settings will stop or restrict the use of scripting languages within IE. However, another option is to completely disable all scripting from the Internet Zone and populate the list of trusted web sites you normally access under the Trusted Sites zone.
Customize the Internet Zone and disable all scripting.
Select the Trusted Zone and add the sites you trust.
It’s important to note that many sites rely on scripting for proper functionality (such as Windows Update). Users must be prepared to add sites they trust to the IE Trusted Zone regularly. This could become a task that is performed every time IE is used to browse the Internet.
Scripting Customization – Mozilla
Mozilla cannot interpret ActiveX controls – only Java and JavaScript. To adjust these settings, go under the Edit Menu => Preferences => Advanced. You can enable or disable Java here.
For JavaScript, select the Scripts and Plugins section to tailor the settings.
Recommended Best Practices
- Ensure you are running the latest version of browser and keep the patches up to date.
- Ensure your operating system is patched and up to date.
- Obtain Anti virus software and make sure it is loaded and running at all times. Keep the software updated with pattern files and patches.
- Consider using a third party Anti Spyware program if your Anti virus does not have a Spyware engine. Keep it updated and periodically scan the system for malware.
- If your browser doesn’t already have one, obtain a licensed (or freeware) copy of a browser pop-up blocker. Using this program will minimize the amount of banner ads you will see, and thus minimize the chances of accidentally clicking on them.
- Watch browsing habits. A majority of Spyware comes from pornography sites and sites that allude to shareware, software piracy and crack sites.
- Never trust web links in E-Mail from unknown sources. Rather than clicking on the link, manually type the web site URL in your browser and navigate through the web site to the destination.
- When performing on-line transactions, or providing personal information, make certain the web site is using encryption (HTTPS). Check the validity of the encryption certificate to make sure it belongs to the web site you are visiting.
- Clear your browser cache periodically.
University Anti-Virus Software
The University has acquired a site license of Trend Micro OfficeScan for campus workstations using Microsoft Windows. This package is centrally managed to help ensure that all connected systems receive necessary pattern file updates. When running, users of University owned computers should see the following icon in the taskbar of the computer:
If the system is not configured with OfficeScan, users can perform a remote installation by following the instructions outlined at this link (if using a UWin system, ensure you have administrative rights before attempting to do this):
http://zeus.uwinnipeg.ca
New viruses are constantly being released. Trend Micro OfficeScan updates their pattern files to compensate. Through central management, these updates are automatically "pushed" down to client systems running OfficeScan.
There is, however, the odd time when an OfficeScan client may not receive these updates, either due to network congestion or other technical issues. To correct this, OfficeScan has a manual update feature called ‘Update Now!’ that can be selected by right-clicking the taskbar icon.
By performing a manual update periodically, users will be assured they will be running the latest pattern file from Trend.
In an upcoming version of OfficeScan, Trend will include a module that scans for Spyware and other malicious programs that may come from web sites. OfficeScan will identify the program and notify the user immediately. If the virus or malware cannot be cleaned, OfficeScan may attempt to delete it.
There may be times when OfficeScan cannot delete the file because it is in use by another program or is sitting in memory (like a worm). If this happens, it is good practice to close down all applications and perform a manual scan of the system to get rid of the malware. The main OfficeScan screen is easy to navigate through to do this procedure. Launch the OfficeScan main program, select the drive you wish to scan, then press ‘Scan Drives’.
Other Malware Support
Ridding systems of Spyware and other malware may take more than one application. Trend OfficeScan provides protection against some Spyware and Adware, but this should not be considered inclusive. Other applications specifically designed to scan for malware can and should be used. One such product that is free of charge and very effective is Spybot S&D, available at the following web link:
http://www.safer-networking.org/
SpyBot S&D will clean systems that fall victim to known malware exploits through system registry changes and file execution. SpyBot is just like any Anti virus software - it relies on signature files to help identify malware. Periodic scans of the system should be performed and the package signature files updated.
SpyBot S&D on Campus
Spybot S&D has been set up on the main authentication server (AS) for computers connected to the Novell network. It is available for use by employees with a valid account and can be run directly from the server. Users can scan their system at any time by doing the following (for Windows 2000 you must have administrative privileges for SpyBot to make any major changes to the system):
- Launch Windows Explorer and select Drive S:
- Go to the UTILITIES\Spybot directory
- Double-click on the file named "Spybot-Run.Bat"
Spybot will launch, scan the system and attempt to clean any malware found. You may receive a confirmation message. Select "Don't show this message again" and then press OK.
Scanning may take some time to complete and is dependent on the speed of the computer and the amount of Spyware it finds. It may also pause for brief periods as it is scanning. Once done it will post the number of problems it fixed.
Another widely used package is LavaSoft Adaware (http://www.lavasoftusa.com/). This is a manual scan only program that is quite accurate at detecting and removing malware from computers. It is licensed as freeware for personal use only, and cannot be distributed to University computers unless a separate corporate license is obtained. For home use, it is an excellent choice.
Recommended Best Practices
- Ensure that Trend Micro OfficeScan software (or whatever Anti virus software you have chosen) is running and up to date with the latest pattern files.
- Periodically check the taskbar for the Anti virus icon. Some malware has the capability of unloading or disabling it.
- Ensure your operating system and major applications receive the latest security patches.
- If using a third party Spyware scanning utility, ensure that it is updated prior to performing any manual scans.
- Perform Anti virus and malware scans periodically to ensure your system is clean.
- Don’t download files from untrusted web sites.
- Scan incoming E-Mail file attachments.
- Do not install any third party programs or “helpful plugins” that you may be prompted to install, especially if you are not familiar with the web site you are visiting. For example, third party screensavers that are "free" are often riddled with embedded Spyware.
Personal Firewalls
When laptop owners jump from one network to another, like from the University campus network to a wireless environment at a coffee shop, they have no idea what threats could be lingering there. The same goes for home systems plugged into high-speed connections. ISPs generally do not filter network communications like private organizations do. This means that plugging a computer into a cable modem or DSL line not only gives the end user high-speed access, it also exposes the system to network attacks.
Personal firewalls came on the scene a few years ago, and have ballooned as a result of high-speed Internet access like cable and DSL. The general concept behind a firewall is to effectively block all network communication coming into and going out of a system or network. Using this ‘deny all’ rule, provisions can then be set up to allow only the communications from certain services that are normally used. This may include a web browser, FTP client, mail, and network authentication to name a few.
Many Anti virus vendors are now incorporating features like personal firewall technology into their consumer-based packages to help provide computer users increased security without installing a multitude of applications. Out of the box, these packages usually require some configuring, but are fairly intuitive.
A good example of Anti virus / personal firewall software is the Trend Micro PC-cillin Internet Security package. It has Anti virus, SPAM, content filtering and a personal firewall bundled together. Configuring each component can be done through one console.
Under PC-cillin, the personal firewall module has settings for different network environments and can be customized accordingly. For full firewall protection, the ‘Office Network’ can be selected and adjusted to a ‘High’ setting, ensuring that no unauthorized inbound or outbound communications can occur.
As with true firewalls, exceptions can be applied to the ‘deny all’ rule, such as adding web browsing, FTP, and Mail.
False Sense of Security
If a firewall is configured for maximum protection, the system becomes ‘invisible’ to other network users. Standard network-based vulnerability scans by hackers and worms will not work against a properly configured firewall. Any new outbound communications will be questioned by the firewall and in the case of Trend’s personal firewall, the user will be prompted to allow or deny that communication. This is an effective method of identifying any rogue applications and services that may be running on the system.
However, users of personal firewalls (or any firewalls) should not get the sense that they are fully protected and thus secure. Standard firewalls work at the network layer, and will inhibit network communications based on port number and protocol (e.g. HTTP-port 80, FTP-port 21, etc.). They do not filter based on the content that comes down using an application. Programs that are allowed to communicate through the firewall, like a web browser, still run the risk of being exploited.
A good example of this would be a computer running an unpatched web browser. The browser may be vulnerable to an exploit that could make it download a malicious file without the user knowing about it. If the browser is a trusted application by the firewall rules, the firewall will allow this file to be downloaded and possibly run in the background. This could potentially open a security hole, leaving the system compromised or vulnerable to further attacks.
Recommended Best Practices
- Disable any unnecessary services on your machine.
- Make sure the software firewall is patched and up to date.
- Ensure the operating system and major applications have the most recent security patches.
- Use the ‘deny all’ rule, and set the firewall up to allow the applications you use access to the network/Internet. This should make your system “invisible” to the network.
- Monitor firewall logs regularly. Doing this can give you a sense for certain attack patterns that are used so you can make sure they are prevented.
- Do periodic scans of your system to ensure the firewall is working properly. See the appendix for references.
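As an added example, not from this document or from any firewall vendor, the following Python script reviews a personal firewall log the way the "monitor firewall logs" point above suggests: it groups blocked inbound attempts per source to spot scan-like patterns, and flags allowed outbound connections to ports that none of the usual exceptions (web, FTP, mail) cover, which is the rogue-application case described under False Sense of Security. The log format, thresholds and sample lines are constructed assumptions, since the document does not specify a format.

```python
import re
from collections import defaultdict

# Constructed log format (assumption: real personal firewalls each use their own):
#   DATE TIME ACTION DIRECTION PROTO SRC_IP:PORT -> DST_IP:PORT
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|BLOCK) (?P<dir>IN|OUT) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one host walking several ports, one host hammering a single
# port, two allowed outbound connections and one line the parser must skip.
SAMPLE_LOG = """\
2005-03-14 09:12:01 BLOCK IN TCP 203.0.113.7:4451 -> 192.0.2.10:135
2005-03-14 09:12:01 BLOCK IN TCP 203.0.113.7:4452 -> 192.0.2.10:139
2005-03-14 09:12:02 BLOCK IN TCP 203.0.113.7:4453 -> 192.0.2.10:445
2005-03-14 09:12:02 BLOCK IN TCP 203.0.113.7:4454 -> 192.0.2.10:1433
2005-03-14 09:12:03 BLOCK IN TCP 203.0.113.7:4455 -> 192.0.2.10:3389
2005-03-14 09:15:40 BLOCK IN UDP 198.51.100.23:1026 -> 192.0.2.10:1434
2005-03-14 09:15:41 BLOCK IN UDP 198.51.100.23:1026 -> 192.0.2.10:1434
2005-03-14 09:15:42 BLOCK IN UDP 198.51.100.23:1026 -> 192.0.2.10:1434
2005-03-14 09:20:00 ALLOW OUT TCP 192.0.2.10:3001 -> 93.184.216.34:80
2005-03-14 09:21:10 ALLOW OUT TCP 192.0.2.10:3002 -> 203.0.113.99:6667
this line is not a firewall record
"""

SCAN_PORT_THRESHOLD = 5   # distinct blocked ports from one source looks like a scan
REPEAT_THRESHOLD = 3      # one port hit repeatedly looks like a worm or targeted probe
EXPECTED_OUT_PORTS = {21, 25, 80, 110, 143, 443}  # the web/FTP/mail exceptions the text describes


def parse(log_text):
    """Return (records, skipped): parsed records and the count of unrecognised lines."""
    records, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
        elif line.strip():
            skipped += 1
    return records, skipped


def review(records):
    """Turn raw records into findings a user can act on."""
    ports_by_src = defaultdict(set)
    hits = defaultdict(int)
    findings = []
    for r in records:
        if r["action"] == "BLOCK" and r["dir"] == "IN":
            ports_by_src[r["src"]].add(r["dport"])
            hits[(r["src"], r["dport"])] += 1
        elif r["action"] == "ALLOW" and r["dir"] == "OUT" and r["dport"] not in EXPECTED_OUT_PORTS:
            # Allowed traffic to a port no configured exception covers: check which program opened it.
            findings.append({"kind": "unexpected_outbound", "dst": r["dst"], "dport": r["dport"]})
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append({"kind": "port_scan", "src": src, "ports": sorted(ports)})
    for (src, port), n in hits.items():
        if n >= REPEAT_THRESHOLD:
            findings.append({"kind": "repeated_probe", "src": src, "dport": port, "count": n})
    return findings


if __name__ == "__main__":
    records, skipped = parse(SAMPLE_LOG)
    for finding in review(records):
        print(finding)
    print(f"{len(records)} records parsed, {skipped} unrecognised line(s)")
```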
Information Confidentiality and Privacy
Electronic data and related information owned by the University should be protected when stored on personal computers, network servers and media such as diskettes, CD-ROMs, etc. Precautions should be taken when transferring University data to outside organizations and across external networks.
Recommended Best Practices
- Do not leave confidential or other sensitive documents out in the open or unsecured.
- Make sure that all University owned reports and files are properly secured at the end of each day.
- Never provide copies of University owned correspondence, directories or manuals to people outside the University unless otherwise authorized to do so.
- Do not share or talk about confidential information or security procedures such as alarm systems, etc. with individuals who have no right to know about it.
- Save confidential information to a personal directory on a network server rather than a local workstation.
- If your PC is connected to the campus network, always remember to logout before leaving your system for any length of time.
- Configure your system with a password-protected screensaver.
- Dispose of confidential or sensitive information properly. Shred paper documents and carbon paper. Erase files on diskettes and rewritable CDs by formatting them or use a third party wiping utility. Be sure to delete unneeded sensitive information from personal directories on network servers.
- Consider using third party encryption when sending sensitive information on media or across the Internet.
- When discarding diskettes, CDs and other media, mangle or destroy them to a point they cannot be read or accessed.
- Report suspicious activity or unusual happenings to management or the facility supervisor.
- Remember that confidential information may be as critical to the University as physical property.
Copyrights and Governmental Laws
Coming soon.
Reporting UofW Security Incidents
All computer security incidents should be reported to the administrator of the facility or to the Technology Solutions Centre Help Desk (786-9149; help.desk@uwinnipeg.ca). Contacting the Help Desk directly will enable TSC to notify the facility administrator and investigate issues in a timely manner. This minimizes any disruption to University owned systems and services.
TSC logs all technical calls including calls related to computer security. This information is compiled and reviewed periodically to determine overall health of the campus network and services.
Types of Incidents to Report
Security incidents normally reported to TSC include (but are not limited to):
- Hacking attacks
- Unauthorized access and use of computing resources
- Harassment and threats through E-Mail
- Malicious code such as Spyware and worms
Reference Information
When logging a security call, the more information that can be provided the better. In cases of hacking attempts and intrusions, providing detailed logs from systems would greatly benefit investigations. Basic and/or log information should contain the date and time of the attack, IP addresses, any protocols, etc.
For E-Mail based incidents, copies of saved mail including all header information would be required. To save copies in Novell GroupWise:
- Select the mail and choose ‘Save As’ under the File menu
- Choose a destination directory to save all items listed in the ‘Items to Save’ box
- Select each mail item (especially the Mime.822 file)
To save E-Mail from other third party mail clients, please refer to the help menus of that program.
Appendix
Reference Links
Anti Virus Software
Trend Micro: http://www.antivirus.com
McAfee: http://www.mcafee.com
Symantec: http://www.symantec.com
AVG (free for personal use): http://www.grisoft.com
Avast (free for personal use): http://www.avast.com
On-line Anti Virus Scan (free): http://housecall.trendmicro.com
Virus Hoax Information Sites
F-Secure (industry standard): http://www.f-secure.com/news/hoax.htm
Symantec Hoax Listing: http://www.symantec.com/avcenter/hoax.html
McAfee Hoax Listing: http://vil.mcafee.com/hoax.asp
Hoaxkill: http://www.hoaxkill.com/hoaxes.html
Spyware and Adware Removers
Spybot S & D (free): http://www.safer-networking.org
Lavasoft Adaware (free for personal use): http://www.lavasoftusa.com
Webroot Spy Sweeper: http://www.webroot.com
Personal Firewalls (software)
Trend Micro: http://www.antivirus.com
McAfee: http://www.mcafee.com
Symantec: http://www.symantec.com
ZoneAlarm (free for personal use): http://www.zonelabs.com
Sygate (free for personal use): http://www.sygate.com
On-line Vulnerability Scan (free): http://www.grc.com
Pop-up Blockers
EMS Free Surfer II: http://www.kolumbus.fi/eero.muhonen/FS/Support.htm
EasyBrowse: http://www.vrameen.com/
Pop-up Defender: http://www.synergeticsoft.com/
Information on Phishing: http://www.antiphishing.org
Security cables for systems: Contact TSC for recommendations
Privacy Screens for Monitors: Contact TSC for recommendations
Erasing Software
Active Kill Disk (hard drive eraser): http://www.killdisk.com/
AbsoluteShield (Internet trace eraser): http://www.internet-track-eraser.com/
Random Password Generators: http://www.winguides.com/security/password.php
http://www.techzoom.net/security-password.asp
E-Mail Encryption
PGP (commercial version): http://www.pgp.com/
PGP (free version): http://www.pgpi.org/
Alternate Web Browsers
Netscape: http://www.netscape.com
Mozilla: http://www.mozilla.org
Firefox: http://www.mozilla.org
Opera: http://www.opera.com/