HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, + make it "fun to do"

Old 13-02-2009, 05:46 PM   #51
APK
Windows²ººº SP#4 Fully security hardened & hotfixed CIS Tool SECURITY BENCHMARK Score

Here is a PRIME example of where most folks that try this test can take the result to, scoring-wise, on the CIS Tool Security Benchmark test:



99.058/100



* Not TOO shabby, eh?

(I.E.-> A NEAR 100% perfect score for a client of mine whose system I secured this week taking it from a 45/100 default score, to this one, DOUBLING its security rating per this test, & THEN some... & , in fact, it probably is a perfect score (I say that, because 4/5 things it scored me down on, I actually DID have right for this client of mine, but yet the test scores me down on them (it makes SOME errors here & there is all)))

APK

P.S.=> Placing this result here for posterity's sake and as an example of how secured a Windows system can be, per this benchmark of security test's gauge thereof... apk
__________________
"I'm Reese: Sgt. TechComVN38416 assigned to protect you - You've been TARGETTED FOR TERMINATION!"
Old 13-02-2009, 08:20 PM   #52
muckshifter

I make a point of using PSI, I quite like it for a quick diagnostic of crap loaded on a PC ... but I do tend to "secure" them using me own methods.




Post away, people do read this thread.



__________________
I'm not grouchy by nature, it takes constant effort.




Every day I beat my own previous record for number of consecutive days I've stayed alive.
Old 21-02-2009, 05:17 PM   #53
APK

Quote:
Originally Posted by muckshifter
Post away, people do read this thread.


Excellent... &, just what a body wants to see/ hear!



(It works...)

----

Quote:
Originally Posted by muckshifter
I make a point of using PSI, I quite like it for a quick diagnostic of crap loaded on a PC ... but I do tend to "secure" them using me own methods.


That's one I suggested in the content of this thread... it's a GOOD 2nd supplement (or, conversely, CIS Tool is to PSI by SECUNIA)/2nd Dr.'s Opinion, as to the security status of your PC!

Enjoy, & spread it around to OTHERS you know (friends, family, business colleagues, etc. et al)...

APK

P.S.=> In any event?

@ People Reading:

This IS your "Iron Man Armor Online"!



So, have @ it ('snap it on') - & enjoy a F A S T E R, & FAR MORE S E C U R E online setup on your Windows NT-based OS' of today (Windows 2000/XP/Server 2003 & yes, even VISTA to a good extent) via applying CIS Tools' suggestions & my own that "layer on top of it"...



* I am FAIRLY certain it's done - As I can't think of any more points & methods to secure your Windows NT-based rigs, & thus, I close this post off... she's all done as far as I am concerned... this same message will go across ALL others like it that I am still able to edit/add to online, @ some point today in fact... apk

Last edited by APK : 21-02-2009 at 05:21 PM.
Old 28-10-2009, 04:22 AM   #54
APK
To Windows VISTA, Server 2008, & Windows 7 users: READ PLEASE!

To anyone using VISTA, Windows Server 2008, or the new "Windows 7" (which rocks, especially in 64-bit form)? Don't use the point I noted as this in its first sentence:

6.) USE Tons of security & speed oriented registry hacks

Not unless you ABSOLUTELY KNOW what you're doing.

(See, the older registry .reg file 'hacks' won't work that worked FINE on Windows 2000/XP/Server 2003, albeit (not all of them @ least) with VISTA, Server 2008, or the new Windows 7. So, "Steer Clear" of those on the newer MS' OS!)

Thanks!

APK

P.S.=> On that "note"? I like Windows 7, very much (again, especially in its 64-bit build), & it amazes me how F A S T it is, even with its large number of services resident + running, by default - &, when you "trim them down" even more? You get THAT MUCH FASTER! The services are now also secured better, by using "lesser privilege" user SID entities "built-in" types vs. LOCAL SYSTEM, such as NETWORK SERVICE or LOCAL SERVICE which I go into HOW TO DO IT on Windows 2000/XP/Server 2003 here (Server 2003 has much of it, as does XP, after MS did service packs + hotfixes, & Windows 2000 lacks a few "built in" entities, but you can "mock up" a lesser privileged one easily enough to do that there also) - this has put Windows on level with the likes of the BSD based MacOS X in that respect, which is GOOD!

Now, IF only MS would fix up HOSTS files being unable to use the FAR MORE EFFICIENT & FASTER "0 ip address" (pings resolve it back to 0.0.0.0 though on Windows 2000 (after service packs though, MS put it in there around SP#1-4 somewhere, so it was seen as a GOOD THING by them, because the original OEM version did not allow that, & only allowed as good as using 0.0.0.0 in a HOSTS file (which IS better than 127.0.0.1 by 2 bytes per line) but, using 0 beats them both, by large margins (making for a faster load up into RAM (be that the local DNS cache (disable that on larger HOSTS files), or, the local diskcache kernel mode subsystem)?

Windows 7 would be THAT MUCH BETTER, for both security and speed!

Well, in this case, ONLY for those that have the good sense to use a HOSTS file for added speed & security!

(FOR SPEED? BLOCK ADBANNERS (they too have been found to have malware in them for years now), & "hardcode" in your fav sites IP Address-to-DomainName/HOSTName? Well, doing that, you avoid calling out to potentially downed or compromised DNS servers (see Dan Kaminsky online for the latter, the Domain Name System has problems, even the "allegedly invulnerable" DJBDNS was found to have holes in it for security this year in fact))!

Thus, saving you between 30-x ms queries to those remote DNS servers (which CAN be logged no less as well), & instead using the speed of MEMORY/RAM (many, Many, MANY orders of magnitude faster) once the HOST file is loaded (which still occurs faster, because it would be using diskspeeds of today, which are 3-10 or more orders of magnitude faster than calling out to remote DNS servers). HOSTS use no CPU cycles, vs. DNS programs + they are EASILY EDITED vs. even other filters like IPTables in Linux (easier in notepad imo & ANYONE can do it, we all have text editors is why on ANY OS), & cost you NOTHING (many good sources for good ones too, like -> http://en.wikipedia.org/wiki/Hosts_file for starters, or SpyBot "Search & Destroy" for updates to it that block out KNOWN bad malscripted sites, or bad servers used to control "botnets" too! I could go on & on on MORE of the benefits of HOSTS, but that'll do, for now (I hope MS fixes this removal of 0, as a blocking "ip" in HOSTS in Windows 7 @ least, because it is more efficient & faster).

What worries me some though even more on SECURITY though?

This, on Windows VISTA, Server 2008, & Windows 7's Firewall:

http://www.rootkit.com/newsread.php?newsid=952

PERTINENT EXCERPT/QUOTE:

"BTW, the firewalls based on NDIS v6, which was introduced in Windows Vista, are much easier to unhook and bypass."


That was a DIRECT QUOTE from said URL I just posted from rootkit.com ... & it 'worries me' some. I have confronted MS tech people & mgt. on this, to no avail... I don't know WHY they won't answer either - I am only asking WHY the thing with HOSTS was done, no answers, & pointed out to them what ROOTKIT.COM said above, many times (on MSDN, @ INTEL, @ /. with a user there named "Fordecker" who is a senior MS development mgr. for Windows no less, & also on the "Engineering Windows 7" blog by S. Sinofsky, a "Big Man" @ MS on Windows no less)... apk
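The post above compares `127.0.0.1`, `0.0.0.0` and `0` as blocking addresses in a HOSTS file and also recommends hardcoding favourite sites. The following is an added example, not code from the thread: it parses HOSTS-file text, separates block entries from hardcoded ("pinned") entries, which bypass DNS and are worth reviewing, and computes the block-list size for each address form. The function names, the sample file, and the assumption of one space plus CRLF per line are mine.

```python
import ipaddress

# Addresses the thread discusses as blocking targets in a HOSTS file.
SINKS = {"127.0.0.1", "0.0.0.0", "0"}
# Names that legitimately map to loopback and are not block entries.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Return (blocked, pinned, bad_line_numbers) for HOSTS-file text."""
    blocked, pinned, bad = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # strip comments
        if not fields:
            continue
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            if addr not in SINKS:
                ipaddress.ip_address(addr)         # raises on a malformed IP
            if not names:
                raise ValueError("address without hostname")
        except ValueError:
            bad.append(lineno)
            continue
        for name in names:
            if name in LOOPBACK_NAMES:
                continue
            # Keep the first entry seen for a name; later duplicates are ignored.
            (blocked if addr in SINKS else pinned).setdefault(name, addr)
    return blocked, pinned, bad

def size_per_sink(blocked):
    """Bytes for the block list written as 'addr name' + CRLF, per address form."""
    return {s: sum(len(s) + 1 + len(h) + 2 for h in blocked) for s in sorted(SINKS)}

# Constructed sample, not a real blocklist.
SAMPLE = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   ads.example.com  banners.example.com
0.0.0.0     tracker.example.net   # inline comment
0           ADS.example.com
192.0.2.10  intranet.example.org
not-an-ip   broken.example.com
"""

if __name__ == "__main__":
    blocked, pinned, bad = parse_hosts(SAMPLE)
    print("blocked:", blocked)
    print("pinned (review these):", pinned)
    print("unparseable lines:", bad)
    print("bytes per address form:", size_per_sink(blocked))
```
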
Old 02-11-2009, 12:37 AM   #55
APK
Concerned about Conficker infestations (7++ million PC's should be)? No problem!

Worried about being 1 of the 7++ million PC's infected/infested by the "CONFICKER" worm, per this article today @ /. (SLASHDOT)?

----

After 1 Year, Conficker Infects 7M Computers:

http://it.slashdot.org/article.pl?sid=09/10/30/223238

----

Ok then, so you are apparently concerned, if you have read this far already!

Well, then here is a way to test yourself to see if you are infected/infested. Click on the URL below, & just literally see for yourself, here:

----

http://www.confickerworkinggroup.or...cfeyechart.html

----

(And, good luck, hope you're not infested/infected (I wasn't thank goodness!)).

APK

P.S.=> ... & it truly is, as EASY as it gets (it's called the "conficker eye chart", & IF you can see all 6 pictures, then you are NOT infected, but if you cannot? It means it is quite possible you have been infected by this machination known as "conficker")... apk
Old 02-11-2009, 01:16 AM   #56
floppybootstomp

Am I infected? Dunno.

Years ago, all of us young ne'er-do-wells used to sit on plastic chairs in the reception area of The Seamans Hospital in the heart of Greenwich and hope that we didn't need a massive injection of penicillin but usually we did.

The permissive society deffo had drawbacks

The Seamans Clinic is now part of Greenwich University which teaches music and the particular part where our lower regions were inspected and swabbed now holds trumpet practice. There has to be a joke there somewhere.

We were never able to test ourselves to see if we were infected. This was left to an elderly doctor in a long white gown who always looked like he'd just swallowed a wasp and seemed to imply we had the morals of an alley-cat.

He was probably right, sad to say, and the injection caused limping for at least 48 hours.

Happy days

If you're infected now, it may very well kill you. What a strange state of affairs.
__________________

Asus P5B Deluxe Motherboard; Intel Core 2 duo 6600 2.4Ghz CPU; Zalman CNPS9500 Cooler; 4Gb Corsair 6400C4 Memory; BFG Nvidia 9800 GTX 512Mb; Auzentech Prelude X-Fi Sound Card; 2 x Western Digital 150Gb Velicoraptors in RAID 0; Samsung 500Gb HDD; Antec 900 Gamers Case; Corsair 620W modular PSU; NEC SATA Lightscribe DVDRW; Asus SATA DVD-ROM; Linksys Wireless WAG200G Router; Logi G5 Mouse; Logi G15 Keyboard; Samsung 245_B 24" Black Monitor; Windows 7 Home Premium 64 Bit.
Old 02-11-2009, 05:25 AM   #57
APK

Well, you CAN find out IF you are, via that page... it is, after all, what it is all about (to test yourself, in a VERY easy manner).

NOW, if you cannot reach that site (which has happened to folks today per this exchange I had on another forums -> http://amazingtechs.com/index.php?s...&st=30&start=30 )

It only means that the testing site has been "/.'d" (too many requests by users to that server, it happens, almost like a DOS/DDOS really, every website server has limits, which yes, can be RAISED by most site admins in fact, in the board engine's config files (usually)).

Still, if you show up "infested" Guys, there are cures, such as this list:

http://www.google.com/search?hl=en&...G=Google+Search



* Hope you're not, & hope if you are, you can remove it via said lists of removal tools is all!

APK

P.S.=> Onwards & upwards... apk
Old 02-11-2009, 02:04 PM   #58
Srivas

Hi Apk!
I really appreciate your work here, this is just what I was looking for. Just encountered a crazy virus, Virut.NBP, in my friend's computer, messed up everything, no antivirus can do anything against it, I have to reinstall the whole system as the best advice found on forums about it. So now I don't want to mess around, better build up a secure system to save time and trouble in the future.
I wanted to ask you some questions.
What would you say to be the first main steps to secure a Vista or Win 7 based home-user system, I mean most important? You already explained everything in your above posts in detail, but what are the main first steps before logging into the internet (I will download the required soft through another system, my friend's computer was set up one week ago, without any security measures except windows firewall, and now it will not boot up even)? And then I will go through your posts in detail to figure out the rest.
And are there any latest software updates, since your first posts were almost one and a half years ago, any new stars on the market?
And what would be the most carefree setup for a person who is not used to dealing with all the antivirus/firewall alerts, to make it easier for him?

Thanks for your help and guide.

Regards,
Srivas
Old 02-11-2009, 02:06 PM   #59
Srivas

Btw. CIS tool is not a freeware, is there any other program to benchmark your level of security?
Old 02-11-2009, 06:37 PM   #60
APK

Quote:
Originally Posted by Srivas
Btw. CIS tool is not a freeware, is there any other program to benchmark your level of security?


It used to be free, I guess it's not now... try:

BELARC ADVISOR

or

"SCW" (security configuration wizard) which is an addon for Windows Server 2003, possibly VISTA, & for sure Windows 7 (you add it in CONTROL PANEL, Add-remove WINDOWS components).

Microsoft ALSO OFFERS "Microsoft Baseline Security" but, iirc, it depends on various services running (not EXACTLY sure which ones anymore, but iirc, they are one that use NTLM (lanman/netbios type sharing being working & Client for MS networks active in your network connection, + File & printer sharing AND server service + workstation service active)

I believe I noted SCW, but only for Windows Server 2003 earlier in this post (I did) but it exists for Windows 7 now, standard, apparently (I installed it on Windows 7 64 bit pro so it does exist for it too).



APK