SetupSwarm

Secure Windows


04:42
28/05/2010


Panuary

Australia

Member

posts 16

1

Post edited 04:45 – 28/05/2010 by Panuary


While there are many features of the Windows OS that are useful, many of them are left dormant and take up space; while active, they eat away at your RAM, dump logs of your activities, facilitate drive-by downloads, provide another avenue for crackers or black-hat hackers to intrude/infiltrate your system, and sometimes let them get right under (or through) your firewall/security system (especially in the case of the BITS service). Worst of all, unbeknownst to the user, Windows can also install patches and collect data covertly without notifying the user, as seen in the 2006 and 2008-09 incidents where Windows was under the scrutiny of the public eye for the installation of a patch (Windows systems were vulnerable for 17 years before it came to light).

——————————————————————————————————–

Here are some tools that I have found useful for making your Windows OS less visible on the Internet, particularly to those zombies controlled by botnets and those who lurk in the dark net.

 

The Windows Worm Door Cleaner is a non-installable application that closes and prevents access to the most commonly targeted ports which are open by default. These are 135 (RPC), 137-139 (file-sharing), 445 (Server Message Block: SMB) and the Windows Messenger service port (SPAM).

Simply execute and restart. It was hosted on the firewallleaktester website, but now is provided on other security webportals.

Here is the download link and the checksum verification code:-

http://hotfile.com/dl/45142301…..c.exe.html (51,232 bytes)

MD5checksum: 999f6e5c8d5c81f48afbdab7f8777323  wwdc.exe

 

To verify that the vulnerable Windows ports are closed, open a Command Prompt window (cmd.exe or conhost.exe for Windows 7) and type:

netstat -aonbv, or

if you are not operating with Administrator privileges:

netstat -aon

This will list all the "listening" ports on your computer.

———————————————————————————————————

For people finding it difficult to close port 135, you can use the tool created by the Gibson Research Center called the DCOMBobulator.

This will effectively close port 135, stopping one more port that an intruder might get into your system.

Here is the download link and checksum verification code:-

http://hotfile.com/dl/45143403…..b.exe.html (29,696 bytes)

MD5checksum: bd10d5383d9f1851cca46d4a5f5f4c03  DCOMbob.exe

 

I am certain every person in the IT security industry has heard of the Conficker worm, also referred to as Downadup. To prevent the B variant, you need to set a rule to block the Conficker entry, essentially securing the RPC service.

Simply open a Command Prompt window and enter the entries below where [X:\>] refers to your drive letter:-

X:\>netsh

netsh>rpc

netsh rpc>filter

netsh rpc filter>add rule layer=um actiontype=block

netsh rpc filter>add condition field=if_uuid matchtype=equal data=4b324fc8-1670-01d3-1278-5a47bf6ee188

netsh rpc filter>add filter

netsh rpc filter>quit

Basically "actiontype=block" is a rule that will block an entry on the condition (in the case that) the entry equals that data block.

Adding the filter enforces the rule.

———————————————————————————————————————

For Windows XP SP3 and Windows 7 Users – Stopping the WAT service before it logs all your activities in the Windows Registry and reports to Microsoft Servers (Enterprise, Professional and Ultimate versions)

———————————————————————————————————————

Using Group Policy Objects (GPO) to enforce security policies is a very powerful tool – in fact, it can even stop any executable from running without your express permission.

Simply execute gpedit.msc via the run command (windows button + R, or start menu)

or find it in your %systemroot%\system32 folder, or for x64, \windows\syswow64 folder

e.g. C:\Windows\System32\gpedit.msc      |      C:\Windows\Syswow64\

When the Microsoft Management Console (MMC) opens, navigate to Software Restriction Policy:-

Local Computer Policy > Windows Settings > Security Settings > Software Restriction Policy

Right-click on the folder and 'Add Security Policy'

Double-click on the folder 'Additional Rules'; in the menu bar select Action (Alt, right-key, down-key), then click on New Path Rule.

Under Path: type in C:\Windows\System32\Wat or C:\Windows\syswow64\Wat

(replace C:\ with the system partition drive, or simply replace it with %systemroot%\)

The Security level should be set to Disallowed (default value to prevent execution)

Restart your computer and the WAT service will no longer be running.

To undo the changes, simply remove the GPO Path Rule.

————————————————————————————————————–

That's it for now. If there are any queries, please reply to this post or add me as a contact to Windows Live Messenger.

I hope there will be an OS IRC channel setup, but there can only be so much that can be done when balancing work life and real life.
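To check the result of the netstat step above mechanically, here is an added Python example (not from the post or from any of the tools it links) that parses netstat -aon output and flags the ports the post calls worm doors that are still bound; the netstat text is constructed sample data, and the service labels are descriptive only.

```python
import re

# Ports the post lists as the commonly targeted defaults (135, 137-139, 445).
WORM_DOOR_PORTS = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (file sharing)",
    445: "SMB over TCP",
}

# Constructed sample of `netstat -aon` output, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1024
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49153     10.0.0.5:443           ESTABLISHED     2200
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:138            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1500
"""

# Proto, local addr:port, foreign addr, optional State (UDP has none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state, pid) for each socket row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header and blank lines
        proto, ip, port, _foreign, state, pid = m.groups()
        rows.append((proto, ip, int(port), state or "", int(pid)))
    return rows


def open_worm_doors(text):
    """Worm-door ports still bound, as sorted (proto, port, pid) tuples."""
    found = []
    for proto, _ip, port, state, pid in parse_netstat(text):
        bound = proto == "UDP" or state == "LISTENING"  # UDP rows carry no state
        if bound and port in WORM_DOOR_PORTS:
            found.append((proto, port, pid))
    return sorted(found)


if __name__ == "__main__":
    for proto, port, pid in open_worm_doors(SAMPLE_NETSTAT):
        print(f"{proto} {port} ({WORM_DOOR_PORTS[port]}) still bound by PID {pid}")
```

An empty result after running the cleaner and rebooting is the state the post describes; any row printed names the PID still holding the port.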

08:46
28/05/2010


Demon

Admin

posts 111

2

This is article worthy :) looks really good!

would you care adding it as an article (http://www.setupswarm.com/wp-a…..st-new.php)

that way I can publish it for you (under your name)

A problem is only a problem when there is no solution to fix it!

14:26
31/05/2010


Panuary

Australia

Member

posts 16

3

Cool,

I have posted an article which is waiting to be authorised with a few additional notes and corrections.

Also, I have "hotlinked" all download links, so no waiting times :)

23:43
31/05/2010


Demon

Admin

posts 111

4

I have published your post :)

A problem is only a problem when there is no solution to fix it!

04:11
01/06/2010


Panuary

Australia

Member

posts 16

5

Thanks, Demon!

 

One question, how do you edit forum posts above the last one made, or is this because of the template?

 

Additional Notes

I can see the javascript:document#.submit(), but there is only the one "Edit" button visible on this post, but no other earlier posts.

14:40
01/06/2010


Demon

Admin

posts 111

6

No problem,

 

well, to be honest… this forum sucks :P in the "new site" we are going to use a different one and promote it so people will actually post on it…

 

do you have MSN? if yes, shall I add you?

A problem is only a problem when there is no solution to fix it!

18:42
01/06/2010


Panuary

Australia

Member

posts 16

7

Post edited 03:00 – 25/06/2010 by Panuary


Added, all good.
 

Pan
