Secure thinkpads..............

Operating System, Common Application & ThinkPad Utilities Questions...
dd
Sophomore Member
Posts: 198
Joined: Sun Jul 25, 2004 3:21 pm
Location: Auckland - New Zealand

#1 Post by dd » Sun Aug 08, 2004 4:27 am

Hi

Any valuable suggestions on how to make thinkpads running XP more secure?

Regards
T41p 1 Gig Ram, IBM a/b/g

mattfromomaha
Moderator1
Posts: 412
Joined: Fri Jun 11, 2004 4:09 pm
Location: Omaha, NE

#2 Post by mattfromomaha » Sun Aug 08, 2004 10:53 am

Physically or data-wise?

I have a cable lock that I use to chain it down when I travel (and try not to let it out of my sight).

For software, I use the Windows password, ZoneAlarm, several Ad-aware-like scanners, Symantec Corporate AntiVirus.

I do have the Security chip built in to my system. Does anyone use it and the associated software? What are your experiences - worth the effort to set up? Also, how does it work on a domain (about 1/3 of our machines are new ThinkCentres with the chip, the other 2/3 are Compaq machines being replaced over the next couple of years) when you log onto both machines running the security chip and password manager as well as machines w/o it?

dd
Sophomore Member
Posts: 198
Joined: Sun Jul 25, 2004 3:21 pm
Location: Auckland - New Zealand

#3 Post by dd » Sun Aug 08, 2004 1:01 pm

Hi

Where does the cable lock attach to?

Additionally, I am interested in making my laptop as secure as possible when connected to the internet.

I have heard about hidden shares and suchlike, but am still learning..........

thanks
T41p 1 Gig Ram, IBM a/b/g

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#4 Post by jdhurst » Sun Aug 08, 2004 1:14 pm

1. As has been mentioned, use strong anti-virus, firewall, and spyware tools (Symantec, Ad-Aware, Zone Alarm, BlackICE are all examples). Keep them up-to-date.
2. Turn off simple file sharing in Windows. Do not permit file sharing and printing except behind a secure firewall.
3. Use a hardware firewall (NAT works well in conjunction with a software firewall). LinkSys, Netgear, Netopia, etc. all make decent routers that serve as firewalls.
4. Turn off (or set to prompt) the ActiveX controls in Internet Explorer. Set security settings to high if possible.
5. Do not use P2P services like Kazaa or distributed filesharing that make your PC open to the world.
6. Make sure you use your PC in a secure way (you are part of the security picture).
... JDHurst

dd
Sophomore Member
Posts: 198
Joined: Sun Jul 25, 2004 3:21 pm
Location: Auckland - New Zealand

#5 Post by dd » Sun Aug 08, 2004 2:21 pm

jdhurst

I will heed your good advice

Thanks

dd

Aberta?
T41p 1 Gig Ram, IBM a/b/g

T41mbi
User with bad email address, PLEASE fix!
Posts: 136
Joined: Fri Jul 16, 2004 11:50 pm

#6 Post by T41mbi » Sun Aug 08, 2004 7:44 pm

OK, first things first: leave the IBM Security chip alone, it's useless. Do a search on the forum and read my previous thread.

DD, here are some security tips:

#1, and the most important, download and install a firewall. Use www.firewallguide.com to choose a secure firewall, and make sure you "harden" your firewall... there is a good guide on proxyblind.org on hardening Zone Alarm; have a look in the tutorials section. This is step #1 for making your internet connection more secure.

#2, In Control Panel, go to your network connections icon and click the properties of any/all of your network connections. You can pretty much remove all those unnecessary services, especially file sharing etc... Everything except TCP/IP I suggest you uninstall. In my network connections properties I have only TCP/IP active, and Client for Microsoft Networks installed but inactive (I need it for PGP).

#3, Click TCP/IP Properties, Advanced, WINS ---> untick "Enable LMHOSTS lookup", and make sure in the NetBIOS settings you set it to disable! Very important. This is a big security hole.

#4, Harden your Microsoft Internet Explorer settings: disable Java/ActiveX controls (you can do this through Zone Alarm) and go to Tools, Internet Options, Advanced -----> untick all that "install on demand" stuff - do a search, this has been discussed plenty over the net.

#5, Get a good Trojan defense suite; DiamondCS TDS-3 is without a doubt the most advanced and effective. A good anti-virus program (NAV), a good spyware program (Spybot, Ad-aware). Keep them updated and perform full system scans once a week. Make sure you learn how to use them properly.

#6, Also go to "Black Viper's" site. I don't have the URL on me, but he tells you which Windows services are not needed. People running all types of stupid Windows services (all on by default) are a bunch of sitting ducks.. he has the information on his site on how to disable them etc...

#7, Use encryption to secure your data. PGP Disk is free. Depending on how important your data is (presume "top secret"), always use AES (strongest) with a password of at least 14 characters, including $%^&*

#8, USE YOUR BIOS PASSWORD! Turn it on!

#9, Disable guest accounts on Windows and add a strong password to your user account. At least 12 characters. Don't give yourself administrator access unless you need it. Put normal access for "DD" and if you ever need to install something switch over to Admin. Put an 8-12 character password on the DD account and a 14-28 character one on the admin account.

#7, Avoid using Microsoft Outlook Express; if you can, stick to web-based.

Search around the net for "harden windows XP" etc... to get some more in-depth tutorials.

Visit security forums, www.security-forums, www.wilderssecurity.com and use the search function to get your questions answered.

dd
Sophomore Member
Posts: 198
Joined: Sun Jul 25, 2004 3:21 pm
Location: Auckland - New Zealand

#7 Post by dd » Mon Aug 09, 2004 2:32 pm

T41mbi

WOW!!!!!!!!!!!!!

Thank you very much indeed for taking time out to reply with such a detailed response.
It really must have taken you some time to list such a comprehensive set of instructions.

Now, off to have a look at some of those webpages that you mentioned.........

:D

dd
T41p 1 Gig Ram, IBM a/b/g

T41mbi
User with bad email address, PLEASE fix!
Posts: 136
Joined: Fri Jul 16, 2004 11:50 pm

#8 Post by T41mbi » Tue Aug 10, 2004 11:18 am

I forgot to mention a few things

Disable remote assistance and desktop sharing by right-clicking My Computer, then Properties. It's in the System Restore and Remote tabs.

T41mbi
User with bad email address, PLEASE fix!
Posts: 136
Joined: Fri Jul 16, 2004 11:50 pm

#9 Post by T41mbi » Tue Aug 10, 2004 11:19 am

Also, port 5000 is a [censored] to close.... you can't even get a firewall to close this port... you don't need this port open, and it leaves you open to trojans etc.. so best close it using this instruction
http://www.tweakxp.com/tweak124032.aspx
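
One way to confirm that the steps in this thread took effect is to look at what the machine is still listening on. The sketch below is an added example, not part of any post: it parses `netstat -an` output (the sample is constructed) and maps network-reachable listeners to the tips above. The port-to-service table reflects standard Windows XP behaviour; the function names are made up for illustration.

```python
import re

# Listener -> what it is and which piece of advice in the thread it relates to.
ADVICE = {
    ("UDP", 137): "NetBIOS name service (NetBIOS settings, tip #3)",
    ("UDP", 138): "NetBIOS datagram service (NetBIOS settings, tip #3)",
    ("TCP", 139): "NetBIOS session service (NetBIOS settings, tip #3)",
    ("TCP", 445): "SMB file sharing (file sharing, tip #2)",
    ("UDP", 445): "SMB file sharing (file sharing, tip #2)",
    ("UDP", 1900): "SSDP/UPnP discovery (same service as port 5000, post #9)",
    ("TCP", 5000): "SSDP/UPnP events (port 5000, post #9)",
    ("TCP", 3389): "Remote Desktop / Remote Assistance (Remote tab, post #8)",
}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local_ip, port) for TCP LISTENING rows and all UDP rows."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # an established connection is not a listener
        rows.append((proto, ip, int(port)))
    return rows

def audit(text):
    """Split network-reachable listeners into (flagged, other)."""
    flagged, other = set(), set()
    for proto, ip, port in parse_netstat(text):
        if ip.startswith("127."):
            continue  # loopback-only: not reachable from the network
        note = ADVICE.get((proto, port))
        if note:
            flagged.add((proto, port, ip, note))
        else:
            other.add((proto, port, ip))
    return sorted(flagged), sorted(other)

# Constructed sample in the layout XP's `netstat -an` prints.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

if __name__ == "__main__":
    flagged, other = audit(SAMPLE)
    for proto, port, ip, note in flagged:
        print(f"{proto} {port:<5} on {ip:<15} {note}")
    for proto, port, ip in other:
        print(f"{proto} {port:<5} on {ip:<15} not covered in this thread, review")
```

Listeners in the "other" list (TCP 135 in the sample) are not covered by the thread's tips and are worth checking against the firewall rules.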

Leon
ThinkPadder
Posts: 1796
Joined: Wed May 26, 2004 6:04 pm
Location: Boston, MA USA

#10 Post by Leon » Tue Aug 10, 2004 12:34 pm

T41mbi, by the power vested in me, I hereby appoint you official Security Officer of this forum ... seriously, I am well versed in this area, and your help and suggestions are both "right on target" and appreciated by all.... one more hint.... go to www.grc.com and run all the tools/tests that you find there.... :D

T41mbi
User with bad email address, PLEASE fix!
Posts: 136
Joined: Fri Jul 16, 2004 11:50 pm

#11 Post by T41mbi » Wed Aug 11, 2004 11:12 pm

thnx

And yeah, run your firewall through the Shields UP test on GRC every now and again, but there are some more comprehensive firewall testing methods on the firewall tab on the link I gave in tip #1.

I forgot to say to disable remote assistance in My Computer properties.

While you're there, turn off System Restore, which hogs a few gigs, and use IBM RR 4.0 instead. Try to keep your backups on an external storage medium.

T41mbi
User with bad email address, PLEASE fix!
Posts: 136
Joined: Fri Jul 16, 2004 11:50 pm

#12 Post by T41mbi » Thu Aug 12, 2004 8:00 pm

****VERY IMPORTANT****

I keep forgetting a few things here and there; I'll post them as they come to mind. One thing that is very, very important to secure your computer while you are using the Wi-Fi protocols is to turn off ad-hoc, to avoid people connecting directly to your laptop. You only want to allow access from your laptop to access points and want to disable computer-to-computer (ad hoc) network connections.

You can do this by clicking properties on your wireless connection, going to the advanced tab, and then clicking the advanced button at the bottom. Dot infrastructure access network access only.

Matt_
User with bad email address, PLEASE fix!
Posts: 86
Joined: Tue Jun 01, 2004 9:31 pm
Location: U.S.

#13 Post by Matt_ » Tue Oct 05, 2004 9:55 pm

[...]#9, Disable guest accounts on Windows and add a strong password to your user account. At least 12 characters. Don't give yourself administrator access unless you need it. Put normal access for "DD" and if you ever need to install something switch over to Admin. Put an 8-12 character password on the DD account and a 14-28 character one on the admin account.
I read through this thread and also this one and this Microsoft Knowledge Base Article. I guess I don't have a clear understanding of the differences among Admin access, the primary user account, and a guest account.
My first experience with XP was with a Dell 8600 laptop (during the time that I had it before returning it). I remember that I had to go through several steps immediately after turning it on for the first time.
I was given the choice of creating additional accounts besides the one for myself. I had had the impression that the primary user's account has full Admin access and that any other additional accounts that are set up are "guest accounts". The reason I had this impression is that I could change any of the XP settings that I wanted.
Before I turn on my T42 that I just received, I wanted to find out ahead of time how best to proceed.
Unfortunately, the Microsoft article did a poor job for me in clarifying what a guest account is, how it is different from an Admin account, and how those differences are important security-wise.
Although I don't anticipate anyone other than family members using my computer, I had a vague idea that a reason why a guest account/non-admin account would be useful to set up is that, while I am online, it would prevent someone else on the internet from gaining enough control of my computer that he could change important XP settings that are only Admin-accessible.

Thank you in advance for your time and help

T41mbi
User with bad email address, PLEASE fix!
Posts: 136
Joined: Fri Jul 16, 2004 11:50 pm

#14 Post by T41mbi » Wed Oct 06, 2004 3:03 am

You've pretty much got it correct.

When installing Windows XP I suggest NOT adding any extra accounts; just add the primary, which is a requirement, and add the rest later.

Make sure you password your Administrator + Primary user account with strong passwords.

There isn't much difference between the Admin/Primary user account as they both share the same privileges by default (administrative). Guest account is obviously a very limited account where users will be unable to alter/install/uninstall anything in the Windows environment.

And yes, you are correct in your assumption as to why you should limit your privileges when online, so if someone gains access to your account they won't be able to do much.

You should only give yourself admin privileges when you need to install/uninstall/alter settings in Windows.

You can configure/alter account policies in administrative tools once you have installed Windows.

Matt_
User with bad email address, PLEASE fix!
Posts: 86
Joined: Tue Jun 01, 2004 9:31 pm
Location: U.S.

#15 Post by Matt_ » Thu Oct 07, 2004 9:02 pm

Thank you for your help. It's been hard having to wait on turning on the new laptop until after I can ask my questions, but I would rather try as best as possible to get things right the first time around rather than later on having to alter/undo things.

I've spent some time re-reading your posts in this thread, and I've put together comments (from diff. posts) that I wanted to respond to.
You should only give yourself admin privileges when you need to install/uninstall/alter settings in Windows.

You can configure/alter account policies in administrative tools once you have installed Windows.

There isn't much difference between the Admin/Primary user account as they both share the same privileges by default (administrative). Guest account is obviously a very limited account where users will be unable to alter/install/uninstall anything in the Windows environment.
Prior to this thread, I was unaware of this stuff -- but it's sinking in now. So, when I turn on the laptop and give a name to the primary user, that account by default has admin privileges ? The next step then that I am not clear on is that it sounds like there's some way to quickly swap in and out between admin-mode and non-admin-mode ?
And besides what you mentioned for what you can do in admin mode, I assume software can not be installed in non-admin-mode ?
Will there be something on the screen to indicate which mode you are in ? e.g. if I had had it in one setting for a long time and then, say, went on-line and couldn't remember which mode I were in, it'd be nice if there were some way to (quickly) double-check the mode to see if it's the one I want to be in.
And so, it's because the primary user can switch between the two modes (e.g. putting it into non-admin mode before turning the laptop over to another user) that it isn't necessary to create a guest account ? A guest account is just redundant ?

Before submitting this reply, I tried to further research this, and I've managed to further bewilder myself (admin mode only accessible in safe mode ?)
OK, first things first: leave the IBM Security chip alone, it's useless. Do a search on the forum and read my previous thread.

#8, USE YOUR BIOS PASSWORD! Turn it on!


Disable guest accounts on Windows and add a strong password to your user account.

At least 12 characters. Don't give yourself administrator access unless you need it. Put normal access for "DD" and if you ever need to install something switch over to Admin.

Put an 8-12 character password on the DD account and a 14-28 character one on the admin account.

Make sure you password your Administrator + Primary user account with strong passwords.
First thing is that it sounds like all of these different passwords can be turned on/changed at some later time and that I won't be prompted to create them immediately during the steps I have to go through when I turn on my laptop for the very first time ? (I read on this forum (1 , 2 , 3) where to turn on admin password)
And there are a total of *three* passwords that I can opt to have (the BIOS, the admin-mode and the non-admin-primary-user-mode) ?
Here's something regarding these passwords that I don't understand. We discussed earlier the advantage of being in the non-admin mode while being on-line so that it will restrict the damage an internet bad guy can do. But if for right now I will be using the laptop just in my house, what advantage (while on the internet) does having a password offer -- as long as I'm on the internet and in non-admin-mode, an internet bad guy can't switch my laptop into admin-mode, can he ?
And there isn't any danger of being in admin mode while in my house off-line, is there ?

And regarding your comment on the security chip, am I going to be asked by the laptop to do anything involving it after I turn on the laptop for the first time ?

Thank you again

T41mbi
User with bad email address, PLEASE fix!
Posts: 136
Joined: Fri Jul 16, 2004 11:50 pm

#16 Post by T41mbi » Wed Oct 13, 2004 5:36 pm


So, when I turn on the laptop and give a name to the primary user, that account by default has admin privileges ?
yes

The next step then that I am not clear on is that it sounds like there's some way to quickly swap in and out between admin-mode and non-admin-mode ?
Sort of, it's moderately fast. You will see an option in users/accounts in the control panel, I believe called "use fast user switching".

I assume software can not be installed in non-admin-mode ?
There are a lot more user properties than simply "admin mode" and "non admin mode", e.g., power user

and it's all customizable

Will there be something on the screen to indicate which mode you are in ?
Well, nothing integrated into Windows, but you can leave yourself a reminder of what mode you're in by the type of desktop wallpaper you have or something... but if you try to do something, e.g. install software, and you're in guest mode, it will simply say "you don't have account privileges to perform this task"

First thing is that it sounds like all of these different passwords can be turned on/changed at some later time and that I won't be prompted to create them immediately during the steps I have to go through when I turn on my laptop for the very first time ?
correct

And there isn't any danger of being in admin mode while in my house off-line, is there ?
Obviously there is no danger from an online attacker if your computer's not online

And regarding your comment on the security chip, am I going to be asked by the laptop to do anything involving it after I turn on the laptop for
No, and forget the security chip, it's rubbish

-------------------

You seem to be placing way too much emphasis on the login settings, I hope you are paying the issues this much attention :P

selvan777
Senior Member
Posts: 507
Joined: Mon Sep 27, 2004 5:41 am
Location: Folsom, CA, US

#17 Post by selvan777 » Thu Oct 14, 2004 2:03 pm

Here are my security tweaks. Also, I'd recommend using these protective tools: Lavasoft Ad-aware, Spybot Search & Destroy, PestPatrol, ZoneAlarm, PeerGuardian, and Norton AntiVirus. I wouldn't surf without them.

Has anyone tried using Absolute Protect or something similar that's also free?
T23 2647-NU8 (retired X20)
XP Pro SP3
Firefox

Peter_S
Posts: 29
Joined: Tue Oct 12, 2004 3:11 pm
Location: Chicago, IL

A Comprehensive Web Site to Securing Windows XP....

#18 Post by Peter_S » Fri Oct 15, 2004 12:50 pm

....can be found at the following link:
http://www.uksecurityonline.com/husdg/w ... /wxpp2.php

selvan777
Senior Member
Posts: 507
Joined: Mon Sep 27, 2004 5:41 am
Location: Folsom, CA, US

#19 Post by selvan777 » Fri Oct 15, 2004 1:00 pm

Thanks, you can also find many more sites.
T23 2647-NU8 (retired X20)
XP Pro SP3
Firefox

Matt_
User with bad email address, PLEASE fix!
Posts: 86
Joined: Tue Jun 01, 2004 9:31 pm
Location: U.S.

#20 Post by Matt_ » Wed Nov 10, 2004 4:48 pm

Thank you for clarifying things for me and taking the time to help me, T41mbi. I didn't realize that I was giving the impression of overfocusing or overthinking the matter -- I have an inquisitive mind so my approach to things is to get a broad understanding of how things work.
