Whenever I interviewed systems administrators who said they were fluent with Windows XP, I always ask them "What's your favorite registry key?" Most of the time, I'd get a blank look.
With that, I present my favorite five registry keys, which can help secure your systems.
- My favorite registry key is "Hidden." Adding this registry value will remove an XP computer from the network
browse list. This can help prevent casual users on the network from discovering selected machines
in the Network Neighborhood view. I like to use this on my own computer as well as other critical
laptops and desktops that I don't want other people to poke and prod.
Add Value: hidden
0 The computer's name and comment can be viewed by other computers. (default)
1 The computer's name and comment cannot be viewed by other computers.
- Each Windows XP system automatically creates a share for each drive letter on the computer.
These shares are only available remotely to users with administrative access. However, in some
instances, it may be handy to remove these "auto admin shares" from being created. If you simply
right-click on the share and remove it in Explorer, the share will come back the next time the
computer is started. By setting the AutoShareWks key () you can prevent these shares from being created.
0 Disables creation of the shares
1 Enables creation of the shares (default)
- My third favorite registry key is NoLMHash. This registry setting instructs the computer to not save the LanMan hash
of your password on your computer. The LanMan hash is an extremely weak representation of your
password and can weaken the overall password posture of your computer. By disabling the storage of
the LanMan hash on all desktop systems, you can significantly improve the security of your network.
Alternatively, you can run the thrashlm tool to remove the LM hashes from your computer.
0 Stores the LanMan password hash (default)
1 Disables storage of the LanMan password hash
- Closely related to No. 3 is CachedLogonsCount (). Each user account and password that is used to log onto the
domain from your computer is cached locally on your system. This makes it possible to log onto your
computer with your domain account when your machine isn't on the network. While a useful function,
the cached passwords can be obtained using a password-cracking tool. It's best to limit the number
of cached logons when possible. The other option is to run a trashpwhist tool to
wipe the cached passwords from your machine.
Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
0 No user accounts or passwords are cached
1-50 Number of user accounts and passwords to cache (default is 10)
- If you're concerned about users visiting malicious websites or rogue SMBRelay servers on your
internal network, it may be best to enable the key RequireSecuritySignature. This will prevent successful exploitation for all
variants of credential reflection attacks.
Data: 1 (enable)
0 SMB signing is not required (default)
1 SMB signing is required
The above keys can be rolled out via Group Policy settings or individually via a .reg file that is executed on each machine. Although there is no silver bullet set of registry keys to securing your XP systems, implementing these five registry keys on your XP systems can help ensure the security of your network. Remember, fully test these registry settings before rolling them out to your enterprise.
|ABOUT THE AUTHOR:|
| Eric Schultze
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.
This was first published in September 2009