Friday, August 20, 2010

Using the Registry to Improve Operating System Security

Viruses and Trojans often lodge themselves in the registry, threatening the health of the operating system. How can we effectively keep viruses and Trojans out and ensure the operating system stays secure? Below I introduce how to build a secure registry configuration in nine steps, covering services, default settings, permissions and so on.

1. Turn Off the "Messenger" Service

Security risk: In Windows 2000/XP the Messenger service is active by default, so a malicious person can use the "net send" command to push messages to the target computer. The target then receives harassing messages from strangers, which seriously interferes with normal use.

Solution: First, open the Registry Editor. System services are managed under the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services", where each sub-key corresponds to one system service; the "Messenger" service, for example, corresponds to the sub-key "Messenger". Find the Start value under the Messenger sub-key and change it to 4, and the service is disabled.

2. Turn Off "Remote Registry Service"

Security risk: If a hacker connects to our computer while the Remote Registry service (RemoteRegistry) is enabled, the hacker can edit the registry remotely, so the Remote Registry service needs special protection.

Solution: We can set the startup type of the Remote Registry Service (RemoteRegistry) to Disabled.

However, after breaking in, a hacker can still change "Disabled" back to "Automatic". Therefore we remove the service altogether: find the RemoteRegistry item under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services", right-click it and select "Delete" (Figure 1); the service can then no longer start.

Before deleting it, be sure to export and save the key. When you want to use the service again, simply import the saved registry file.
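The two service changes above done from PowerShell rather than by hand in the Registry Editor. This is an added example, not code from the original post: it sets the Start value of the Messenger and RemoteRegistry services to 4 (Disabled), then exports the RemoteRegistry key to a .reg file before deleting it, so the post's "export first" advice is enforced by the script. The backup directory C:\RegBackup is an assumed location; run the script from an elevated PowerShell.

```powershell
# Added example (not from the original post). Disables the Messenger and
# RemoteRegistry services by their Start values, backs up the RemoteRegistry
# key with reg.exe export, and only then deletes it. Run elevated.
$BackupDir   = 'C:\RegBackup'   # assumed path for the exported .reg file
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Set-ServiceStartValue {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [ValidateSet(0,1,2,3,4)][int]$Start = 4   # 2 = Automatic, 3 = Manual, 4 = Disabled
    )
    $key = Join-Path $ServicesKey $ServiceName
    if (-not (Test-Path $key)) {
        Write-Warning "Service key not found: $key (service not installed on this system)"
        return
    }
    $before = (Get-ItemProperty -Path $key -Name Start).Start
    Set-ItemProperty -Path $key -Name Start -Value $Start -Type DWord
    # Changing Start only affects the next boot; stop a running instance now as well.
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    Write-Output ("{0}: Start {1} -> {2}" -f $ServiceName, $before, $Start)
}

# Section 1: Messenger service, Start = 4 (disabled)
Set-ServiceStartValue -ServiceName 'Messenger' -Start 4

# Section 2: RemoteRegistry service, disable first ...
Set-ServiceStartValue -ServiceName 'RemoteRegistry' -Start 4

# ... then export the key so it can be re-imported later, and only then delete it
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir 'RemoteRegistry.reg'
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry' $backupFile /y
if ($LASTEXITCODE -eq 0 -and (Test-Path $backupFile)) {
    Remove-Item -Path (Join-Path $ServicesKey 'RemoteRegistry') -Recurse -Force
    Write-Output "RemoteRegistry key removed; restore later with: reg.exe import $backupFile"
} else {
    Write-Warning 'Export failed; RemoteRegistry key left in place.'
}
```

The deletion is deliberately gated on a successful export: if reg.exe reports an error or the file is missing, the key stays so the service can still be recovered.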

3. Disable the "Default Shares"

Security risk: As we all know, Windows 2000/XP/2003 opens some "shares" by default, namely IPC$, C$, D$, E$ and ADMIN$. Many hackers and viruses break into the operating system through these default shares.

Workaround: To keep an attacker from using IPC$, set RestrictAnonymous to 1 under the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"; this prohibits the IPC$ connection.

For C$, D$, the default ADMIN$ share and the other shares of this kind, find the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" item. If the system is Windows 2000 Server or Windows 2003, add the value "AutoShareServer" (type "REG_DWORD", value "0"). If the system is Windows 2000 Professional, add the value "AutoShareWks" (type "REG_DWORD", value "0").
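The share settings of this section as a PowerShell script. This is an added example, not code from the original post. It writes RestrictAnonymous = 1 under the Lsa key and then chooses between AutoShareServer and AutoShareWks by reading the ProductType value under HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions ("WinNT" is a workstation; "ServerNT" and "LanmanNT" are servers), which the post does not mention and is used here as the selection rule. The final listing of published shares is a verification step; run the script from an elevated PowerShell.

```powershell
# Added example (not from the original post). Restricts anonymous IPC$ use and
# turns off the administrative shares, picking the value name by product type.
function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Value) {
        Write-Output "$Path\$Name is already $Value"
        return
    }
    # New-ItemProperty -Force both creates a missing value and overwrites an existing one
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    Write-Output "$Path\$Name set to $Value (was: $current)"
}

# IPC$: RestrictAnonymous = 1 under the LSA key
Set-DwordValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RestrictAnonymous' -Value 1

# Administrative shares: AutoShareWks on workstations, AutoShareServer on servers.
# ProductType: "WinNT" = workstation, "ServerNT" = server, "LanmanNT" = domain controller.
$productType = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions').ProductType
$valueName = if ($productType -eq 'WinNT') { 'AutoShareWks' } else { 'AutoShareServer' }
Set-DwordValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name $valueName -Value 0

# The Server service reads these values at start-up, so restart it, then list the
# shares that are still published; C$, D$ and ADMIN$ should no longer appear.
Restart-Service -Name LanmanServer -Force
Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -match '\$$' } | Select-Object Name, Path
```

IPC$ itself stays listed after the change; RestrictAnonymous limits what an anonymous session can do over it rather than removing the share.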

4. Prevent the System from Leaking Private Information

Security risk: When a Windows system runs into an error, the DR.WATSON program automatically saves private information about the system. This information is kept in the files user.dmp and drwtsn32.log. An attacker can crack these files to learn private details about the system, so we have to stop the program from leaking information.

5. Reject Harassment by Malicious ActiveX Controls

Security risk: Many Trojans and viruses hide in web pages and use malicious ActiveX controls to run programs on the system without authorization, so as to damage the local system. To keep the system secure, we should stop ActiveX controls from running programs on their own.

Solution: In the registry, find "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}" and remove it. After this, ActiveX controls can no longer call that script object without permission.

6. Prevent Leakage from the Page File

Security risk: The Windows 2000 page (swap) file and the DR.WATSON files mentioned above often become targets for hackers, because it is hard for a hacker to read information out of memory, while information on the hard drive can easily be accessed.

Solution: Find ClearPageFileAtShutdown under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" and set its value to 1 (Figure 2). From then on the system clears the page file on every restart, preventing information leakage.

7. Do Not Let Passwords Be Filled In Automatically

Security risk: When browsing with a Windows system you often find that password information is recorded automatically, and on the next visit the system fills in your password for you. This can very easily leak your private information.

Solution: Under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" branch, find the Network item (if it does not exist, add it). In that sub-key create a new DWORD value named DisablePasswordCaching and set it to 1. After a restart, the operating system no longer records your password.
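A read-only audit covering the registry values recommended in sections 1, 2, 3, 6 and 7, so the hardening state can be checked on any machine without changing anything. This is an added example, not code from the original post. The paths and value names are the ones the post gives (the DisablePasswordCaching location follows the post); the "absent is acceptable" rule for the two service keys reflects the post's advice to delete RemoteRegistry, and is an assumption of this script.

```powershell
# Added example (not from the original post). Compares live registry values
# against the baseline from sections 1, 2, 3, 6 and 7; needs only read access.
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Messenger';      Name = 'Start';
       Expected = 4; AbsentOk = $true; Note = 'Messenger service disabled (not installed is fine)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry'; Name = 'Start';
       Expected = 4; AbsentOk = $true; Note = 'Remote Registry disabled (absent means deleted)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';             Name = 'RestrictAnonymous';
       Expected = 1; Note = 'anonymous IPC$ restricted' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer';
       Expected = 0; Note = 'admin shares off (server)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareWks';
       Expected = 0; Note = 'admin shares off (workstation)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'ClearPageFileAtShutdown';
       Expected = 1; Note = 'page file cleared at shutdown' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network'; Name = 'DisablePasswordCaching';
       Expected = 1; Note = 'password caching disabled' }
)

function Test-RegistryBaseline {
    param([object[]]$Rules = $Baseline)
    foreach ($rule in $Rules) {
        $actual = $null
        if (Test-Path -Path $rule.Path) {
            $props = Get-ItemProperty -Path $rule.Path -Name $rule.Name -ErrorAction SilentlyContinue
            if ($props) { $actual = $props.($rule.Name) }
        }
        # MISSING: key or value not present; DRIFT: present but not the expected value
        if ($null -eq $actual) {
            $status = if ($rule.AbsentOk) { 'OK (absent)' } else { 'MISSING' }
        } elseif ($actual -eq $rule.Expected) {
            $status = 'OK'
        } else {
            $status = 'DRIFT'
        }
        [pscustomobject]@{
            Status   = $status
            Setting  = "$($rule.Path)\$($rule.Name)"
            Expected = $rule.Expected
            Actual   = $actual
            Note     = $rule.Note
        }
    }
}

Test-RegistryBaseline | Sort-Object Status | Format-Table -AutoSize
```

Only one of AutoShareServer and AutoShareWks applies to a given machine, so one of those two rows is expected to read MISSING on every system; the other should read OK.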

8. Stop Viruses from Starting as Services

Security risk: Viruses are now very clever and no longer load through the registry Run items or the entries shown in MSCONFIG; some advanced viruses load through system services.

Solution: Run the "regedt32" command, find the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" branch in the registry, and then click the menu "Security → Permissions". In the permissions window that pops up, click the "Add" button to add the Everyone account, then select the "Everyone" account, set its "Read" permission to "Allow" and clear its "Full Control" permission. Now no Trojan or virus can register itself as a self-starting system service. Of course, this method is only effective against viruses and Trojans that do not have administrator rights.

9. Do Not Allow Viruses to Auto-Start

Solution: Run the "regedt32" command to open the Registry Editor. Find the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" branch, set the "Read" permission of Everyone to "Allow" and clear the "Full Control" permission option. Viruses and Trojans can then no longer start themselves through this key.
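The permission change of sections 8 and 9 done with Get-Acl and Set-Acl instead of the regedt32 dialog. This is an added example, not code from the original post. For each of the two keys the post names, it makes the key's permissions explicit (so an inherited Everyone entry becomes editable), removes every Allow entry for Everyone, including Full Control, and puts back a single Read entry that propagates to sub-keys. Everyone is identified by its well-known SID S-1-1-0 so the script does not depend on the display language. Run it from an elevated PowerShell; the function name Set-EveryoneReadOnly is this example's own.

```powershell
# Added example (not from the original post). Grants Everyone Read only on the
# Services and Run keys from sections 8 and 9, removing any wider Allow entry.
$KeysToRestrict = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services',               # section 8
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # section 9
)
$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')  # "Everyone"

function Set-EveryoneReadOnly {
    param([Parameter(Mandatory)][string]$KeyPath)

    # Step 1: stop inheriting from the parent key so Everyone's entry is explicit and
    # editable; ($true, $true) copies the inherited entries onto the key instead of dropping them.
    $acl = Get-Acl -Path $KeyPath
    if (-not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $KeyPath -AclObject $acl
    }

    # Step 2: reload and drop every Allow entry for Everyone (Full Control included) ...
    $acl = Get-Acl -Path $KeyPath
    $everyoneAllows = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $EveryoneSid.Value
    })
    foreach ($entry in $everyoneAllows) { [void]$acl.RemoveAccessRule($entry) }

    # ... then put back one Read entry that sub-keys inherit
    $readRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $EveryoneSid,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($readRule)
    Set-Acl -Path $KeyPath -AclObject $acl

    # Step 3: show what Everyone ends up with, for verification
    (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $EveryoneSid.Value } |
        Select-Object @{ n = 'Key'; e = { $KeyPath } }, RegistryRights, AccessControlType, IsInherited
}

foreach ($key in $KeysToRestrict) { Set-EveryoneReadOnly -KeyPath $key }
```

Administrators and SYSTEM keep whatever entries they already had, so the limitation the post states still holds: code running with administrator rights is not stopped by this change.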
