How does one secure windows in the long term?

  • Thread starter Thread starter Colin
  • Start date Start date
C

Colin

After having some problems updating my win2k PC to from sp3 to sp4, and being
left PC-less for a few days, I started wondering about using windows in a much
more secure way. I don't think I can figure this out though, that's where the
experts in this group come in!

The way that windows ultimate boot CD (ubcd4win.com) works is fascinating - here
is a legal copy of windows, with tons of useful software, that works pretty
securely and is based on win-os. If there are any virus/spyware/corruption type
problems, just reboot and the system is as good as new again.

Why can't I set up my PC like that? Here's what I think my PC would look like:

1st partition with an updated install of widows so you can make the second
partition and have a MS license
2nd partition, read only, ubcd4win.com type install on it and USB no-install
type software, say stuff from www.portablefreeware.com
3rd partition for data files

Can someone generate a set of tools/tutorial or guide to be able to setup a PC
like this? Or suggest a better way of achieving a reasonable secure windows
system.

TIA for your comments

Colin
 
1st partition with an updated install of widows so you can make the second
partition and have a MS license
Click to expand...

There's the first problem, Colin, all those crying women. Corrupts the
platters, rust you know.
 
After having some problems updating my win2k PC to from sp3 to sp4, and being
left PC-less for a few days, I started wondering about using windows in a much
more secure way. I don't think I can figure this out though, that's where the
experts in this group come in!

The way that windows ultimate boot CD (ubcd4win.com) works is fascinating - here
is a legal copy of windows, with tons of useful software, that works pretty
securely and is based on win-os. If there are any virus/spyware/corruption type
problems, just reboot and the system is as good as new again.

Why can't I set up my PC like that? Here's what I think my PC would look like:

1st partition with an updated install of widows so you can make the second
partition and have a MS license
2nd partition, read only, ubcd4win.com type install on it and USB no-install
type software, say stuff from www.portablefreeware.com
3rd partition for data files

Can someone generate a set of tools/tutorial or guide to be able to setup a PC
like this? Or suggest a better way of achieving a reasonable secure windows
system.

TIA for your comments

Colin
Click to expand...
http://www.ntsvcfg.de/ntsvcfg_eng.html
 
Hi Colin,

You could try http://unattended.msfn.org

Why what you wish for will never be:

Because microsoft keeps making the OS more complicated to ensure that
it does not become an appliance*. You would have to make a full time
career of trying to figure out how the microsoft operating system works
(or sort of figure it out anyway).

*strategy: make OS require support. then you have specialized windows
support people... these make good lobbyists. people work hard on their
own systems as well, so that spending a couple hundred on the windows
operating system does not seem too steep, since it is correlated with
their own time. and so on...

Spacey
 
Utter rubbish.
Click to expand...

No, he's correct. The Windows development team made too many design
decisions in favour of usability over security for Windows as it exists
today to be able to be secured - even a standalone NT box only rates B
on the US Government security scale. (Many Unix variants have a A3 or
A2 rating, either standalone or with an Internet connection.)

I have no data about what security rating Win2k or XP have, if any.
(Then again, XP is still too new to have a security rating...)
 
Colin <[email protected]> wrote:
Click to expand...
After having some problems updating my win2k PC to from sp3 to sp4, and being
left PC-less for a few days, I started wondering about using windows in a much
more secure way. I don't think I can figure this out though, that's where the
experts in this group come in!
Click to expand...
The way that windows ultimate boot CD (ubcd4win.com) works is fascinating - here
is a legal copy of windows, with tons of useful software, that works pretty
securely and is based on win-os. If there are any virus/spyware/corruption type
problems, just reboot and the system is as good as new again.
Click to expand...
Why can't I set up my PC like that? Here's what I think my PC would look like:
Click to expand...
1st partition with an updated install of widows so you can make the second
partition and have a MS license
2nd partition, read only, ubcd4win.com type install on it and USB no-install
type software, say stuff from www.portablefreeware.com
3rd partition for data files
Click to expand...
Can someone generate a set of tools/tutorial or guide to be able to setup a PC
like this? Or suggest a better way of achieving a reasonable secure windows
system.
Click to expand...

I was thinking about this in another thread. This is a pretty drastic
answer. I don't see any real weak points in it though. It will be a
pain to update apps and definitions though.

This will be a dual boot system. After setting it all up, updating
Windows, etc., set all apps to read and write data from a dedicated
data partition. Then image the clean install.

http://clonezilla.sourceforge.net/

http://drbl.sourceforge.net/

These tools will allow you to boot up into linux, format your Win
drive and apply the clean image each boot. Then it will boot up from
the clean drive.

It's a bunch of work. It requires a Win boot partition, a linux boot
and swap, an image partition and a data file partition at the very
least.

When done, a simple but lengthy boot will repair anything done since
the last boot.
 
You can do pretty much the same thing from the previous post by
booting up to the UBCD4Win, format C:, and applying the clean image
created beforehand.
 
On that special day, Colin, ([email protected]) said...
After having some problems updating my win2k PC to from sp3 to sp4, and being
left PC-less for a few days, I started wondering about using windows in a much
more secure way.
Click to expand...

Use this script

http://www.ntsvcfg.de/ntsvcfg_eng.html

it closes all services down which aren't necessary for running
NT/2K/XP, so that less "services" are there, listening to everything
that might com from the 'net (and getting hijacked by buffer overflows,
like with the RPC/DCOM and lsass vulnerabilities)

It is maybe not a panacea, but helps a lot.

Edit: I see, Kerodo is recommending this link, too.


Gabriele Neukam

(e-mail address removed)
 
Thanks for the link - I have skimmed through the page. I guess I better follow
all those steps - on the week end, or maybe next time the pc breaks. Why
doesn't windows install with all those settings in the first place?
Click to expand...

As I mentioned earlier, the default choice when they designed Windows
was usability, not security...
 
Here is Black Viper's page, at the top of the Service Configurations
tables, he lists a lot of different users requirements. Example,
settings for gamers .

http://dhost.info/PRIVOXY-FORCE/kyeu/mirror/blackviper/WIN2K/servicecfg.htm
Click to expand...



Thanks for all your replies! After reading the responses here's what I think
I'll do:

1) Create an unattended install CD as per http://unattended.msfn.org
(or maybe not.. do it later, just use the current install)

2) partition the drive into 3: OS, data and USB no-install programs

3) Run the non-essential services script http://www.ntsvcfg.de/ntsvcfg_eng.html

4) Change the documents and settings to another drive for all users
http://support.microsoft.com/?kbid=322014

5) install all the programs I use

6 )copy the old user data into the data partition

7) create an image of the OS and USB program partitions (I have another 1-1
backup process for data)

8) intend to use ubcd4win.com to restore the images.


Hmmm. I'm disheartened. Just thinking about the way my 2 PC's are right now
this will take ages to implement and debug... [issues will be: Drive letters,
setting up twice(2 PC's), wondering how successful 4) is will be, separating the
install/no-install programs in "program files"....]

Colin
 
Colin said:
Thanks for all your replies! After reading the responses here's what I think
I'll do:

1) Create an unattended install CD as per http://unattended.msfn.org
(or maybe not.. do it later, just use the current install)

2) partition the drive into 3: OS, data and USB no-install programs

3) Run the non-essential services script http://www.ntsvcfg.de/ntsvcfg_eng.html

4) Change the documents and settings to another drive for all users
http://support.microsoft.com/?kbid=322014

5) install all the programs I use

6 )copy the old user data into the data partition

7) create an image of the OS and USB program partitions (I have another 1-1
backup process for data)

8) intend to use ubcd4win.com to restore the images.
Click to expand...

Colin;

Thanks for the summary. Even though I won't be doing all of what you've
written, some of these steps are now on my to-do list.

thx again,
-Sparky
 
Thanks for the link - I have skimmed through the page. I guess I better follow
all those steps - on the week end, or maybe next time the pc breaks. Why
doesn't windows install with all those settings in the first place?
Click to expand...

Perhaps because M$ find they can sell upgrades at exorbitant prices.
 
Back
Top