Allowing users to choose other operating systems (OS) at bootup is a security risk because the other operating systems can be used to bypass or defeat Windows security.
To set the boot timeout using Bootcfg from a Windows XP/2003 system, start a command prompt and enter the following:
Bootcfg /timeout 0
Related solution: | Found on page: |
---|---|
Displaying the Boot.ini using Bootcfg | 28 |
To set the boot timeout using KiXtart, proceed as follows :
Create a new directory to store all files included in this example.
Download and extract the latest version of KiXtart, from http://www.kixtart.org, to the new directory.
Select StartRun and enter "kix32 scriptfile. "
Here, scriptfile is the full path of the new directory from step 1 and file name of a script file that contains the following:
$File = "C:\boot.ini" $RCode = SetFileAttr($File,128) WriteProfileString( $File , "boot loader", "timeout", "0") $RCode = SetFileAttr( $File ,1)
This script first clears any file attributes on BOOT.INI, modifies the boot timeout, and then marks the file as read-only.
Related solution: | Found on page: |
---|---|
Setting File or Folder Attributes | 60 |
To set the boot timeout to zero using WMI, proceed as follows:
Create a new directory to store all files included in this example.
Download and install the latest version of Windows Script Host, from http://www.microsoft.com, to the new directory.
Select StartRun and enter "cscript scriptfile .vbs."
Here, scriptfile is the full path and file name of a script file that contains the following:
On Error Resume Next Computer = InputBox("Enter the computer name", "Boot Timeout" , "localhost") Set Boot = GetObject("winmgmts:{impersonationLevel= impersonate}!\" & Computer & "\root\cimv2"). ExecQuery("select * from Win32_ComputerSystem") For each Item in Boot Item .SystemStartupDelay = 0 Item .Put_() Next
Note | The highlighted code above must be placed on one line. |
By default, Windows 2000 includes three environment subsystems: OS/2, POSIX, and Win32 subsystems. Originally developed by Microsoft, OS/2 is IBM's operating system for the personal computer. POSIX stands for Portable Operating System Interface for Unix and is a set of interface standards used by developers to design applications and operating systems.
Win32 is the main subsystem used by Windows, whereas the others are merely present for compatibility with other operating systems and applications. To remove the POSIX and OS/2 subsystems from the command line, proceed as follows:
Create a new directory to store all files included in this example.
Start a command prompt and enter " scriptfile. bat."
Here, scriptfile is the full path of the new directory from step 1 and file name of a script file that contains the following:
@ECHO OFF RMDIR /Q /S " %WINDIR% \System32\OS2" DEL /F /Q " %WINDIR% \SYSTEM32\PSXDLL.DLL" DEL /F /Q " %WINDIR% \SYSTEM32\PSXSS.EXE" DEL /F /Q " %WINDIR% \SYSTEM32\POSIX.EXE" DEL /F /Q " %WINDIR% \SYSTEM32\PSXSS.EXE" DEL /F /Q " %WINDIR% \SYSTEM32\OS2.EXE" DEL /F /Q " %WINDIR% \SYSTEM32\OS2SRV.EXE" DEL /F /Q " %WINDIR% \SYSTEM32\OS2SS.EXE" ECHO REGEDIT4 > C:\OS2.REG ECHO [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ OS/2 Subsystem for NT] >> C:\OS2.REG REGEDIT /S C:\OS2.REG DEL /F /Q C:\OS2.REG
Note | The highlighted code above must be placed on one line. |
Administrative shares are hidden shares created by the system to allow administrators to access files remotely. Although these shares are hidden, they are no secret to the savvy user and should be removed for maximum security. To remove administrative shares, proceed as follows:
Create a new directory to store all files included in this example.
Download and install the latest version of Windows Script Host, from http://www.microsoft.com, to the new directory.
Select StartRun and enter "cscript scriptfile .vbs."
Here, scriptfile is the full path and file name of a script file that contains the following:
On Error Resume Next Set SHELL = CreateObject("WScript.Shell") Set Drives = FSO.Drives For Each Drive in Drives SHELL .Run "NET SHARE " & Drive & "\ /D", 0, False SHELL .Run "NET SHARE " & Drive & "\WINNT /D", 0, False Next
Warning | Certain programs use administrative shares and might not work if they are removed. |
Related solution: | Found on page: |
---|---|
Removing Shares | 159 |
Administrative tools, such as User Manager and REGEDT32, should be locked down for administrative access only. To lock down various administrative tools, proceed as follows:
Create a new directory to store all files included in this example.
Copy XCACLS.EXE from the Windows 2000 resource kit to the new directory.
Start a command prompt and enter " scriptfile. bat."
Here, scriptfile is the full path of the new directory from step 1 and file name of a script file that contains the following:
@ECHO OFF XCACLS " %WINDIR% \POLEDIT.EXE" /G Administrators:F;F /Y XCACLS " %WINDIR% \REGEDIT.EXE" /G Administrators:F;F /Y XCACLS " %WINDIR% \SYSTEM32\CACLS.EXE" /G Administrators:F;F /Y XCACLS " %WINDIR% \SYSTEM32\CLIPBRD.EXE" /G Administrators:F;F /Y XCACLS " %WINDIR% \SYSTEM32\NCADMIN.EXE" /G Administrators:F;F /Y XCACLS " %WINDIR% \SYSTEM32\NTBACKUP.EXE" /G Administrators:F;F /Y XCACLS " %WINDIR% \SYSTEM32\REGEDT32.EXE" /G Administrators:F;F /Y XCACLS " %WINDIR% \SYSTEM32\RASADMIN.EXE" /G Administrators:F;F /Y XCACLS " %WINDIR% \SYSTEM32\RDISK.EXE" /G Administrators:F;F /Y XCACLS " %WINDIR% \SYSTEM32\SYSKEY.EXE" /G Administrators:F;F /Y XCACLS " %WINDIR% \SYSTEM32\USRMGR.EXE" /G Administrators:F;F /Y XCACLS " %WINDIR% \SYSTEM32\WINDISK.EXE" /G Administrators:F;F /Y
Note | The highlighted code above must be placed on one line. Although this script prevents an ordinary user from accessing these tools, they could always bring them in and run them from an alternate source, such as a floppy disk. |
Related solution: | Found on page: |
---|---|
Modifying NTFS Permissions | 157 |
Every time someone logs on to the network with an administrator account, it creates a big security risk. Malicious ActiveX components from the Web, Trojan horses, or even a hidden batch file can wipe out an entire server, database, and more when run under administrative privileges. If you think about it, you don't really need administrative privileges when you are checking your mail or surfing the Net. A common solution to this security problem is to log on with a regular user account and use a utility to run trusted applications under the security context of an administrative account.
A security context specifies all the rights and privileges granted to a user. For administrators, this security context allows them to manage users, groups, trusts, and domains. The process of switching to the security context of another user is known as impersonation. Impersonation is mostly used by system services.
Windows 2000/XP/2003 includes the utility RUNAS.EXE, which allows users to run applications under the security context of a different user. This utility is integrated into the Windows shell, which allows you to set up shortcuts to utilize the RUNAS utility. The basic syntax of the RUNAS utility is:
RUNAS / commands program
Here, program is the shortcut, Control Panel applet, MMC console, or application to run. The available commands are:
/ENV ”Keep the current environment
/NETONLY ”Specifies for remote access only
/PROFILE ”Loads the specified user's profile
/USER: username ”Specifies the username to run application as. Valid name formats are domain\user or user@domain
Note | Once you have entered the command, you will be prompted for the password associated with the account. |
To start an instance of User Manager using an administrator account called ADMIN@MYDOMAIN.COM, enter the following:
RUNAS /USERNAME:ADMIN@MYDOMAIN.COM USRMGR
The SECEDIT.EXE utility is the command-line version of the Microsoft security configuration editor that allows you to run security configuration and analysis from the command line.
The basic syntax to run an analysis using SECEDIT is as follows:
secedit /analyze / commands
Here, the available commands are:
/DB filename ”Required, specifies the database to compare against
/CFG filename ”Valid with /DB , specifies the security template to be imported
/LOG logpath ”Specifies the log file to use
/VERBOSE ”Specifies to include more detail to the log or output
/QUIET ”Runs the analysis with no screen or log output
Here is an example to run a system analysis against the high security template for a domain controller:
Secedit /analyze /DB " %WINDIR% \Security\Database\hisecdc.sdb" /CFG " %WINDIR% \Security\Templates\hisecdc.inf" /LOG " %WINDIR% \Security\Logs\hisecdc.log" /VERBOSE
Note | The code above must be placed on one line. |
To reapply a local or user policy, start a command prompt and enter the following:
SECEDIT /REFRESHPOLICY policy/ENFORCE
Here, /ENFORCE forces the policy to be reapplied, even if no security changes were found.
Note | For Windows XP/2003, the GPUpdate command is the preferred method to reapply a group policy. |
The basic syntax to apply a security template using SECEDIT is as follows:
secedit /configure / commands
Here, the available commands are:
/AREAS name ”Specifies the specific security areas to apply, where name is:
FILESTORE ”Local file security
GROUP_MGMT ”Group settings
REGKEYS ”Local registry security
SECURITYPOLICY ”Local or domain policy
SERVICES ”Local services security
USER_RIGHTS ”User's rights and privileges
/ CFG filename ”Valid with /DB ; specifies the security template to be imported
/ DB filename ”Required; specifies the database containing the template to be applied
/ OVERWRITE ”Valid with /CFG ; specifies to overwrite templates in the database
/LOG logpath ”Specifies the log file to use
/VERBOSE ”Specifies to include more detail to the log or output
/QUIET ”Runs the analysis with no screen or log output
When you upgrade from Windows NT to Windows 2000, the security settings on the system are not modified. This means none of the intended Windows 2000 security settings are implemented. To apply the Windows 2000 basic security settings, start a command prompt and enter the following:
Secedit /configure /db " %WINDIR% \Security\Database\basicwk.sdb" /cfg " %WINDIR% \Security\Templates\basicwk.inf" /log " %WINDIR% \Security\Logs\basicwk.log" /verbose
Note | The code above must be placed on one line. |
The basic syntax to export security settings using SECEDIT is as follows:
secedit /export / commands
Here, the available commands are:
/AREAS name ”Specifies the specific security areas to export, where name is:
FILESTORE ”Local file security
GROUP_MGMT ”Group settings
REGKEYS ”Local registry security
SECURITYPOLICY ”Local or domain policy
SERVICES ”Local services security
USER_RIGHTS ”User's rights and privileges
/DB filename ”Required; specifies the database containing the template to be exported
/CFG filename ”Valid with /DB ; specifies the security template to export to
/MERGEDPOLICY ”Valid with /CFG ; specifies to overwrite templates in the database
/LOG logpath ”Specifies the log file to use
/VERBOSE ”Specifies to include more detail to the log or output
/QUIET ”Runs the analysis with no screen or log output
Here is an example of how to export the local registry security area to the registry template:
Secedit /export /mergedpolicy /db " %WINDIR% \Security\Database\security.sdb" /cfg " %WINDIR% \Security\Templates\registry.inf" /log " %WINDIR% \Security\Logs\registry.log" /verbose
The built-in NET command has an ACCOUNTS parameter to modify the password and logon requirements for the local computer or a specified domain. The basic syntax of the NET ACCOUNTS utility is:
NET ACCOUNTS / commands
Here, the available commands are:
/DOMAIN ”If used, performs the specified operations on the primary domain controller of the current domain; otherwise , performs the operations on the local computer.
/FORCELOGOFF: min ”Sets the number of minutes before a user session is terminated where min is either the number of minutes or NO to specify no forced logoff .
/MAXPWAGE: days ”Specifies the maximum duration a password is valid where days is either the number of days (1 through 49,710) or UNLIMITED to set no maximum time.
/ MINPWAGE: days ”Specifies the minimum duration before a user can change his or her password, where days is either the number of days (1 through 49,710) or UNLIMITED to set no time limit. This value must be less than the MAXPWAGE .
/ MINPWLEN: length ”Specifies the minimum password length.
/ SYNC ”Forces backup domain controllers to synchronize their password and logon requirements with those set on the primary domain controller.
/UNIQUEPW: changes ”Specifies that users cannot repeat the same password for the specified amount of password changes (0 through 24).
For example, to modify the logon and password requirements using the NET ACCOUNTS command, you would enter the following command:
NET ACCOUNTS /DOMAIN /MAXPWAGE:30 /MINPWAGE:UNLIMITED /MINPWLEN:14
Note | The highlighted code above must be placed on one line. |
Tip | When the administrator has specified a forced logoff, the user receives a warning that a domain controller will force a logoff shortly. |
Active Directory Services Interfaces provides another medium to control security. In Chapter 9, you learned how to manage shares, groups, and user accounts through ADSI. In the following section, you will learn how to manage security through ADSI.
For maximum security, you should set your domain password minimum length to the maximum value, 14. To set the minimum password length for the domain using ADSI, proceed as follows:
Create a new directory to store all files included in this example.
Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
Select StartRun and enter "cscript scriptfile .vbs."
Here, scriptfile is the full path and file name of a script file that contains the following:
On Error Resume Next Set objDomain = GetObject("WinNT:// Domain ") objDomain .Put "MinPasswordLength", max objDomain .SetInfo
Here, domain is the name of the domain, and max is the maximum password length to set. Again, you should set max equal to 14 for maximum security.
For maximum security, you should implement a policy to force users to change their password regularly. To set the password age for the domain using ADSI, proceed as follows:
Create a new directory to store all files included in this example.
Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
Select StartRun and enter "cscript scriptfile .vbs."
Here, scriptfile is the full path and file name of a script file that contains the following:
On Error Resume Next Set objDomain = GetObject("WinNT:// Domain ") objDomain .Put "MinPasswordAge", Min * (60*60*24) objDomain .Put "MaxPasswordAge", Max * (60*60*24) objDomain .SetInfo
Here, domain is the name of the domain; min is the minimum duration in days before a user can change his or her password; and max is the maximum duration in days a password is valid. The formula 60 x 60 x 24 is the calculation from seconds to days (60 seconds x 60 minutes x 24 hours).
For maximum security, you should implement a policy to force users to select passwords different from their previous passwords. To set the unique password duration for the domain using ADSI, proceed as follows:
Create a new directory to store all files included in this example.
Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
Select StartRun and enter "cscript scriptfile .vbs."
Here, scriptfile is the full path and file name of a script file that contains the following:
On Error Resume Next Set objDomain = GetObject("WinNT:// Domain ") objDomain .Put "PasswordHistoryLength", min objDomain .SetInfo
Here, domain is the name of the domain, and min is the minimum number of passwords used before a user can repeat that previous password. The formula 60 x 60 x 24 is the calculation from seconds to days (60 seconds x 60 minutes x 24 hours).
For maximum security, you should implement a policy to lock out accounts after a certain number of bad attempts. To implement an account lockout policy using ADSI, proceed as follows:
Create a new directory to store all files included in this example.
Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
Select StartRun and enter "cscript scriptfile .vbs."
Here, scriptfile is the full path and file name of a script file that contains the following:
On Error Resume Next Set objDomain = GetObject("WinNT:// Domain ") objDomain .Put "MaxBadPasswordAllowed", Max objDomain .SetInfo
Here, domain is the name of the domain. The formula 60 x 60 x 24 is the calculation from seconds to days (60 seconds x 60 minutes x 24 hours).
It's good practice to regularly search the domain for locked-out accounts. To search for locked-out accounts using ADSI, proceed as follows:
Create a new directory to store all files included in this example.
Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
Select StartRun and enter "cscript scriptfile .vbs."
Here, scriptfile is the full path and file name of a script file that contains the following:
On Error Resume Next Set objDomain = GetObject("WinNT:// Domain ") For Each Item in objDomain If Item .Class = "User" Then If Item .IsAccountLocked = "True" Then Wscript.Echo "Name: " & Item .Name & VBlf & _ "Bad Password Attempts: " & _ Item .BadPasswordAttempts & VBlf & _ "Last Login: " & Item .LastLogin End If End If Next
Here, domain is the name of the domain.
Related solution: | Found on page: |
---|---|
Unlocking a User Account | 219 |
Windows creates a default administrative account called "Administrator" to be the master account for that system. This account cannot be deleted, but should be renamed to foil hackers attempting to gain access through this account. To rename the administrator account using ADSI, proceed as follows:
Create a new directory to store all files included in this example.
Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
Select StartRun and enter "cscript scriptfile .vbs."
Here, scriptfile is the full path and file name of a script file that contains the following:
On Error Resume Next Set objDomain = GetObject("WinNT:// Computer ") Set objUser = ObjDomain.GetObject("User", "Administrator") objDomain .MoveHere objUser .AdsPath, Name
Here, computer is the name of the computer holding the account, and name is the new name to give the account.
Tip | You can use this script to rename any account simply by replacing the word ADMINISTRATOR with the user account name desired. |
It's good practice to regularly search the domain for accounts that have either been logged on for a long duration of time or have not logged on in a long time. To search for unused accounts using ADSI, proceed as follows:
Create a new directory to store all files included in this example.
Download and install the latest version of ADSI and Windows Script Host, from http://www.microsoft.com, to the new directory.
Select StartRun and enter "cscript scriptfile .vbs."
Here, scriptfile is the full path and file name of a script file that contains the following:
On Error Resume Next Days = amount Set objDomain = GetObject("WinNT:// Domain ") For Each Item in objDomain If Item .Class="User" Then DUR = DateDiff("D", Item.LastLogin, Date) If DUR > Days Then Wscript.Echo "Name: " & Item .Name & VBlf & _ "Account Disabled: " & Item .AccountDisabled & VBlf & _ "Last Login: " & Item .LastLogin & VBlf & _ "Amount of days: " & DUR End If End If Next
Here, domain is the name of the domain to search, and amount is the least number of days since the last logon.
The Microsoft Script Encoder allows you to protect your scripts using a simple encoding scheme. This encoding scheme is not intended to prevent advanced cracking techniques, but to merely make your scripts unreadable to the average user. The default supported file types are asa, asp, cdx, htm, html, js, sct, and vbs. The basic syntax of the script encoder is as follows:
SCRENC inputfile outputfile
Here, inputfile is the file to encode and outputfile is the encoded result. Microsoft Script Encoder supports many command-line parameters, as shown in Table 11.1.
Parameter | Description |
---|---|
/E extension | Specifies a known extension for unrecognized input file types |
/F | Specifies to overwrite the input file with the encoded version |
/L language | Specifies to use the scripting language Jscript or VBScript |
/S | Specifies to work in silent mode |
/X1 | Specifies not to include to @language directive to ASP files |
Warning | Always back up your scripts before encoding them. Once a script is overwritten with an encoded version, there is no way to return it to its original state. |
Some of the scripts included in previous chapters can increase your system security. These scripts are shown in Table 11.2.
Chapter | Script |
---|---|
Chapter 6 | Disabling 8.3 File Naming |
Chapter 6 | Disabling the Lock Workstation Button |
Chapter 6 | Disabling the Change Password Button |
Chapter 6 | Disabling the Logoff Button |
Chapter 6 | Modifying the Registry with REGINI.EXE |
Chapter 7 | Managing NTFS Encryption |
Chapter 7 | Modifying NTFS Permissions |
Chapter 9 | Changing the Local Administrator Password |