Hardening Win 2K Pro

Bob

> I've created a web page which gives detailed instructions for closing
> internet ports on Win 2K:
>
> http://home.epix.net/~artnpeg/Win2KPro.html

I believe it would be best if people would buy a NAT router, even if
it is for just one port. That way you can let Windows and its
applications do what they want and not worry about the outside world
getting in - unless you have a trojan that lets the outside world in.
To cover that it would be best if people would install Kerio Personal
Firewall to catch any application trying to phone home.

I have Kerio set to alert me whenever an application uses ports 135
and 445. There are a couple of apps which do, so by blocking them
internally I am supposedly preventing them from doing what they are
designed to do.

BTW, if you disable NetBIOS over TCP/IP then how can Microsoft
Networks communicate with the other machines on your LAN?


--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

"Nothing in the world can take the place of perseverance. Talent
will not; nothing is more common than unsuccessful men with talent.
Genius will not; unrewarded genius is almost a proverb. Education
will not; the world is full of educated derelicts. Persistence and
determination alone are omnipotent."
--Calvin Coolidge
 
Art

> I believe it would be best if people would buy a NAT router, even if
> it is for just one port. That way you can let Windows and its
> applications do what they want and not worry about the outside world
> getting in - unless you have a trojan that lets the outside world in.
> To cover that it would be best if people would install Kerio Personal
> Firewall to catch any application trying to phone home.
>
> I have Kerio set to alert me whenever an application uses ports 135
> and 445. There are a couple of apps which do, so by blocking them
> internally I am supposedly preventing them from doing what they are
> designed to do.
>
> BTW, if you disable NetBIOS over TCP/IP then how can Microsoft
> Networks communicate with the other machines on your LAN?

LOL! I guess you either didn't read my article or you can't comprehend
what you read. Obviously, disabling NetBios is not for those
interested in file/print sharing.

As I state in my article, there are two purposes. One is just
temporary. Users who don't have a hardware firewall/router can
harden after a fresh new install and then safely do a Windows Update,
download a software firewall and antivirus, etc. Then if they're
interested in file/print sharing, they can easily reverse their OS
settings.

The second purpose is for advanced users such as myself who have
no interest in file/print sharing, and who harden permanently. Such
users are far better off since we couldn't care less if our software
firewall is temporarily disabled ... if we bother to use one in the
first place. I never bother with having one running all the time, any
more than I bother having an AV realtime monitor running all the time.

Art

http://home.epix.net/~artnpeg
 
Bob

> LOL! I guess you either didn't read my article

LOL! Why should I read the article? I have seen many such articles
over the year so why read one again?


 
James Egan

> I have Kerio set to alert me whenever an application uses ports 135
> and 445. There are a couple of apps which do, so by blocking them
> internally I am supposedly preventing them from doing what they are
> designed to do.
>
> BTW, if you disable NetBIOS over TCP/IP then how can Microsoft
> Networks communicate with the other machines on your LAN?

That's what port 445 is for. NetBIOS isn't essential to share files on
Win2K and later.


Jim
 
Art

> It doesn't inspire confidence if you can't even spell your own name
> correctly.

Well, that is funny. What's even funnier is the fact that I'm using a
wireless router/firewall, and don't have any immediate need for the
procedure.

Thanks for pointing that out. I'd never have noticed in a million
years.

Art

http://home.epix.net/~artnpeg
 
Bob

> That's what port 445 is for. NetBIOS isn't essential to share files on
> Win2K and later.

Are you implying that I can disable NetBIOS in my Win2K and still do
file/printer sharing on my LAN both ways?


 
James Egan

> Are you implying that I can disable NetBIOS in my Win2K and still do
> file/printer sharing on my LAN both ways?

Yes.

Browsing the network in Windows Explorer still needs NetBIOS, but if
you know what you're connecting to you can connect directly without
it.


Jim.
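A way to check Jim's point on your own Win2K box, as an added Python example that is not code from any poster: it parses `netstat -an` output for the three ports the thread argues about and reports what that leaves of file sharing. The netstat text is a constructed sample, and the service labels are assumed from the standard Windows port assignments.

```python
import re

# Ports discussed in the thread and the Win2K service each carries (assumed labels).
WATCHED_PORTS = {
    135: "RPC endpoint mapper",
    139: "NetBIOS session service (network browsing)",
    445: "direct-hosted SMB (file/print sharing without NetBIOS)",
}

# Constructed sample of Windows "netstat -an" output so the check runs offline;
# on a real host feed it subprocess.run(["netstat", "-an"], ...).stdout instead.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# proto, local addr, local port, foreign addr, optional state (UDP rows have none)
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_output):
    """Return the set of TCP ports in LISTENING state found in netstat -an text."""
    ports = set()
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if m and m.group(1) == "TCP" and m.group(5) == "LISTENING":
            ports.add(int(m.group(3)))
    return ports


def sharing_mode(open_ports):
    """445 alone keeps direct connections working; 139 is what browsing needs."""
    has_139, has_445 = 139 in open_ports, 445 in open_ports
    if has_139 and has_445:
        return "netbios-and-smb"   # browsing and direct connections both work
    if has_445:
        return "direct-smb-only"   # connect by name or address, no Network Neighborhood
    if has_139:
        return "netbios-only"      # NetBIOS-style sharing only
    return "none"                  # both closed: no sharing, as after hardening


if __name__ == "__main__":
    open_ports = listening_ports(SAMPLE_NETSTAT)
    for port, name in WATCHED_PORTS.items():
        print(f"{port:>4} {'OPEN  ' if port in open_ports else 'closed'} {name}")
    print("sharing mode:", sharing_mode(open_ports))
```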
 
kurt wismer

Bob said:
> I believe it would be best if people would buy a NAT router, even if
> it is for just one port. That way you can let Windows and its
> applications do what they want and not worry about the outside world
> getting in

disagreed... sometimes the connection goes down and stays down and the
only way to rule out the possibility that your router has gone belly up
is to take it out of the equation... (speaking as someone who's had the
misfortune of actually having their router go belly up)

therefore you need the redundancy you get from hardening the OS config...
 
Art

> disagreed... sometimes the connection goes down and stays down and the
> only way to rule out the possibility that your router has gone belly up
> is to take it out of the equation... (speaking as someone who's had the
> misfortune of actually having their router go belly up)
>
> therefore you need the redundancy you get from hardening the OS config...

Thanks for another reason for hardening I might add to my article.
This is somewhat along the same lines as those posts I've seen on the
virus newsgroups where someone posts, "I just disabled my firewall for
a short time and took malware hits". There seems to be a belief that
with dialup service and/or just brief connections to the internet you
are safe without a firewall or hardening. This belief is one of the
dangerous and false beliefs floating around and being spread around.

Art

http://home.epix.net/~artnpeg
 
Bob

> Thanks for another reason for hardening I might add to my article.
> This is somewhat along the same lines as those posts I've seen on the
> virus newsgroups where someone posts, "I just disabled my firewall for
> a short time and took malware hits". There seems to be a belief that
> with dialup service and/or just brief connections to the internet you
> are safe without a firewall or hardening. This belief is one of the
> dangerous and false beliefs floating around and being spread around.

That's why you should have a NAT router, even if only one port.

My son attended the university and lived in the dorm the first year.
He had a 1-port Linksys. He was able to hack into everyone's
transmissions but they could not hack him. He would go to their room
and tell them about what they wrote in email - it would freak them
out. His purpose was to educate them.

The number one defense is NAT. There is no reason to turn it off. I
have used the Linksys since the first days of cable Internet and have
never once bypassed it. I can see all the attempts to probe my machine
from the logger. That is enough to tell me never to turn the Linksys
off. I would have to recable the setup and take others off the LAN to
bypass it, so it will never happen.

A Linksys BEFSR-41 is under $50 and even if you don't need 4 ports now
it is a good idea to get it because you will have the ability to set
up a LAN later. The savings over the 1-port (if they are even
available anymore) is negligible.

There is no excuse anymore not to have hardware NAT in between your
gateway and your machine(s). Plugging up holes in Windows, while a
good thing, is not enough.





 
James Egan

> That's why you should have a NAT router, even if only one port.
>
> My son attended the university and lived in the dorm the first year.
> He had a 1-port Linksys. He was able to hack into everyone's
> transmissions but they could not hack him. He would go to their room
> and tell them about what they wrote in email - it would freak them
> out. His purpose was to educate them.

The simple NAT device is no protection at all if someone is listening
in on the network transmissions. All it does is strip off the PC's
private IP address and replace it with its own. The packet contents
are still there to be intercepted.


Jim.
 
Art

> There is no excuse anymore not to have hardware NAT in between your
> gateway and your machine(s). Plugging up holes in Windows, while a
> good thing, is not enough.

That's incorrect. Hardening is sufficient. And people need to be
warned to never disable the firewall in the LynkSys WRT54G(S) because
that opens up ports 80 and 443 even on a hardened OS.

I use my LynKSys wireless only because I want to share my DSL service
between two machines. But it opens up other kinds of security issues.
If I didn't want connection sharing, and only had one machine to be
concerned with, I'd go back to hardening only, and not use a router.
That's the way I ran for years on Win 98 and Win ME. At most, I used
Sygate free sw firewall as a check. But it's unwise to be dependent on
a sw firewall... just as it's unwise to be dependent on realtime
antivirus.

Art

http://home.epix.net/~artnpeg
 
Al Dykes

> The simple NAT device is no protection at all if someone is listening
> in on the network transmissions. All it does is strip off the PC's
> private IP address and replace it with its own. The packet contents
> are still there to be intercepted.
>
>
> Jim.


A NAT device protects the computers that are behind it, not the
packets that come from those computers, unless you are using the VPN
feature common in most small routers these days. With a VPN, SSH, or
HTTPS web sites the data is encrypted.
 
Bob

> That's the way I ran for years on Win 98 and Win ME.

You ran Win98 and WinMe for years???


 
James Egan

> That's incorrect. Hardening is sufficient. And people need to be
> warned to never disable the firewall in the LynkSys WRT54G(S) because
> that opens up ports 80 and 443 even on a hardened OS.

You say hardening is sufficient and then in the very next sentence
describe a scenario where it is insufficient.

Are you talking about some weird UPnP feature? Assuming UPnP is off
(default) on your router, how is it supposed to know the address of
the PC it is trying to sabotage by opening up those ports? These
routers don't forward (setup) packets unless you tell them to and give
them destination forwarding addresses.



Jim.
 
Art

> You say hardening is sufficient and then in the very next sentence
> describe a scenario where it is insufficient.

You took my statement out of context and twisted it. The comparison of
the router to hardening was obviously (to any sane person) exclusive,
not inclusive.

> Are you talking about some weird UPnP feature? Assuming UPnP is off
> (default) on your router, how is it supposed to know the address of
> the PC it is trying to sabotage by opening up those ports? These
> routers don't forward (setup) packets unless you tell them to and give
> them destination forwarding addresses.

Both UPnP and Remote Management are disabled on my router. When I
disable its firewall, port scans show both 80 and 443 https open.

If you have a solution for this, let us know. It's a well known
problem with LynkSys (and maybe others, I dunno).

Art

http://home.epix.net/~artnpeg
 
Bob


Is English your second language?

The word is Linksys.


 
James Egan

> Both UPnP and Remote Management are disabled on my router. When I
> disable its firewall, port scans show both 80 and 443 https open.

Unless you explicitly forward the ports, though, any incoming setup
packets will just be dropped and are therefore not the risk you
suggested.

The same reason it is more secure to work behind the router than to
connect your 'hardened' machine directly to the Internet.


Jim.
 
