Rebuild Microsoft Windows XP SP2 - Hardened, comments needed

[mattv]

Hi all,

I am trying to collate various information around the net on how to
rebuild XP hardened. Please see below my list so far. I would
appreciate any comments, feedback or additions that could help me on
this journey.

Cheers

Rebuild Microsoft Windows XP SP2 - Hardened

1. Disconnect network cable
2. Install OS
3. Patch OS (download before rebuild)
4. Adjust swap file - stripe across drives and fix size
5. Disable error reporting
6. Disable TCP/IP
a. Disable netbios over tcp/ip {no side effect unless u using
netbios names} goto start--->control panel ---->network and internet
connections --->network connections right click on your (local ,
whatever u use) connection and goto properties right click tcp/ip goto
options , click on advanced and select the tab WINS, clear the
disable netbios over tcp/ip checkbox.
7. Disable (better uninstall) client for microsoft networks and file
and printer sharing.
8. Harden OS
a. Update Hosts File
b. Disable the Guest Account & Extra accounts
c. Uncheck Indexing Tab
d. Disable admin shares
e. Disable the welcome Screen
f. Password protect accounts
g. Set Clear virtual memory page file
h. Turn off Simple File sharing
i. Disable Services
i. Alerter
ii. Application Layer Gateway Service
iii. ClipBook
iv. Computer Browser
v. Distributed Link Tracking Client
vi. Distributed Transaction Coordinator
vii. DNS Client
viii. Error Reporting Service
ix. Fast User Switching Compatibility
x. FTP Publishing service
xi. Indexing Service
xii. IMAPI CD-Burning COM
xiii. IPSEC Services
xiv. Messenger
xv. Net Logon
xvi. NetMeeting Remote Desktop Sharing
xvii. Network DDE
xviii. Network DDE DSDM
xix. Network Location Awareness
xx. Network Provisioning Service
xxi. Performance Logs and Alerts
xxii. QoS RSVP
xxiii. Remote Registry
xxiv. Routing and Remote Access
xxv. Secondary Logon
xxvi. Server
xxvii. Smart Card
xxviii. Smart Card Helper
xxix. SNMP Service
xxx. System Event Notification
xxxi. TCP/IP NetBIOS Helper
xxxii. Telnet
xxxiii. Terminal Services
xxxiv. Uninterruptible Power Supply
xxxv. WebClient
xxxvi. Wireless Zero Configuration
xxxvii. WMI Performance Adapter
9. Install graphics driver
10. Install Utilities
a. IZARC
b. CCleaner
11. Install Internet utilities
a. Firefox
12. Install multimedia apps
a. Nero
b. DVD Shrink
13. Install security applications
a. CCleaner
b. Windows defender
c. AVG Free
d. AVG anti Spyware
e. Sandboxie
f. Spybot
g. Ad Aware
h. Spyware Guard
i. A2 Free
j. Heidi Eraser
k. Sunbelt Personal Firewall
l. Safe XP
m. MRU blaster
n. XP Antispy
14. Prevent not-needed programs from starting up
a. Run > msconfig > Start-up > Uncheck unneeded start-up items

 

[DL]

Amongst that extensive list I saw no mention of updating/installing mobo
chipset & other drivers

 

[Guest]

I'm no expert but see if any of these are worth adding - though some may be
outdated:
- Enable security logging, which is disabled by default
- Increase event log sizes, esp Security Event log
- Completely remove JavaVM (try to obtain removal tool, if you can)
- Remove/disable/neuter/unregister/... Messenger, Adobe Flash
- Disable "Synchronize offline web pages" in IE (on MSIE Tools menu,
"synchronize...")
- Block installation of unsiged drivers
- Change default action for .reg files to "Edit"
- Not sure how you chose which services to disable, but consider also
disabling these until you need them:
SSDP Discovery Svc, UPnP Device Host, RPC Locater Svc, Remote Desktop
Help Session Mgr, Remote Access Auto Connection Mgr, Portable Media Serial No
Svc, HID Input Svc, COM+ System App, Windows Image Acquisition, Themes, (all
depending on your needs, of course)
- Are you sure you want to disable System Event Notification?
- Forget msconfig. Get the Autoruns tool from msft Sysinternals
(http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx)
and use it to check for/disable suspicious startup items. Eventually you'll
want the whole suite
(http://www.microsoft.com/technet/sysinternals/Utilities/SysinternalsSuite.mspx) which are all great.
- For Firefox, grab the add-on called "NoScipt" (http://noscript.net/). Can
be config'd to block everything until you say okay (javascipt, java,
plug-ins, active-x, ...) .
- Download/install Windows Installer 3.1 before applying hotfixes. Not a
security issue, but without it the hotfix dates won't show in Add/Remove
progams Cpl)

If you haven't wiped out your original installation yet, grab a copy of
wpa.dbl and wpa.bak from windows\system32 folder. Someone else can explain
this better since I haven't tried it yet, but presumably it can spare you
some headaches in reactivating windows.

Hi all,

I am trying to collate various information around the net on how to
rebuild XP hardened. Please see below my list so far. I would
appreciate any comments, feedback or additions that could help me on
this journey.

Cheers

Rebuild Microsoft Windows XP SP2 - Hardened

<<snipped>>