Whenever I interview systems administrators who say they are fluent with Windows XP, I always ask them, "What's your favorite registry key?" Most of the time I get a blank look. With that in mind, I present my five favorite registry keys, each of which can help secure your systems.
- My favorite registry key is "Hidden." Adding this registry value removes an XP computer from the network browse list, which helps keep casual users on the network from discovering selected machines in the Network Neighborhood view. I like to use this on my own computer as well as on other critical laptops and desktops that I don't want other people to poke and prod.
Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
Value: Hidden
Type: REG_DWORD
Data: 1
0 The computer's name and comment can be viewed by other computers. (default)
1 The computer's name and comment cannot be viewed by other computers.
- My second favorite is AutoShareWks. Each Windows XP system automatically creates a share for each drive letter on the computer. These shares are available remotely only to users with administrative access, but in some instances it is handy to stop these "auto admin shares" from being created at all. If you simply right-click on the share and remove it in Explorer, the share comes back the next time the computer is started. By setting the AutoShareWks value to 0, you prevent these shares from being created.
Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
Value: AutoShareWks
Type: REG_DWORD
Data: 0
0 Disables creation of the shares
1 Enables creation of the shares (default)
- My third favorite registry key is NoLMHash. This setting instructs the computer not to save the LanMan hash of your password. The LanMan hash is an extremely weak representation of your password and weakens the overall password posture of your computer. By disabling storage of the LanMan hash on all desktop systems, you can significantly improve the security of your network. Alternatively, you can run the thrashlm tool to remove the LM hashes already stored on your computer.
Key: HKLM\System\CurrentControlSet\Control\LSA\Parameters
Value: NoLMHash
Type: REG_DWORD
Data: 1
0 Stores the LanMan password hash (default)
1 Disables storage of the LanMan password hash
- Closely related to No. 3 is CachedLogonsCount. Each user account and password used to log onto the domain from your computer is cached locally on your system. This makes it possible to log onto your computer with your domain account when the machine isn't on the network. While useful, the cached passwords can be obtained with a password-cracking tool, so it's best to limit the number of cached logons whenever possible. The other option is to run a trashpwhist tool to wipe the cached passwords from your machine.
Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: CachedLogonsCount
Type: REG_SZ
Data: 1
0 No user accounts or passwords are cached
1-50 Number of user accounts and passwords to cache (default is 10)
- If you're concerned about users visiting malicious websites or about rogue SMBRelay servers on your internal network, it may be best to enable the RequireSecuritySignature value. This prevents successful exploitation of all variants of credential reflection attacks.
Key: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters
Value: RequireSecuritySignature
Type: REG_DWORD
Data: 1 (enable)
0 SMB signing is not required (default)
1 SMB signing is required
The above keys can be rolled out via Group Policy settings or individually via a .reg file that is executed on each machine. Although there is no silver-bullet set of registry keys for securing your XP systems, implementing these five on your XP systems can help ensure the security of your network. Remember to fully test these registry settings before rolling them out to your enterprise.
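As an added example (not code from the original tip), the following Python script builds the .reg file for the five values above and audits a `reg export` dump against them, reporting each value as present and correct, wrongly set, or missing (so the default applies). It assumes Regedit 5 export syntax with only DWORD and string values; the sample export is constructed, not taken from a real machine.

```python
import re
# The five values from the tip above, as (key, value name, type, desired data).
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SETTINGS = [
    (LANMAN, "Hidden", "REG_DWORD", 1),
    (LANMAN, "AutoShareWks", "REG_DWORD", 0),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Parameters", "NoLMHash", "REG_DWORD", 1),
    (WINLOGON, "CachedLogonsCount", "REG_SZ", "1"),  # a string value, not a DWORD
    (LANMAN, "RequireSecuritySignature", "REG_DWORD", 1),
]
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def reg_literal(kind, data):
    # Regedit 5 syntax: DWORDs are 8 hex digits, strings are quoted.
    return f"dword:{data:08x}" if kind == "REG_DWORD" else f'"{data}"'

def render_reg_file():
    """Build the .reg file to import on each machine; each [key] section appears once."""
    sections = {}
    for key, name, kind, data in SETTINGS:
        sections.setdefault(key, []).append(f'"{name}"={reg_literal(kind, data)}')
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, lines in sections.items():
        out += [f"[{key}]", *lines, ""]
    return "\r\n".join(out)

def parse_reg_export(text):
    """Map (key, value) -> (type, data) from `reg export`-style text; names compared case-insensitively."""
    found, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name, dword, text_val = m.groups()
            found[(key, name.lower())] = ("REG_DWORD", int(dword, 16)) if dword else ("REG_SZ", text_val)
    return found

def audit(export_text):
    """One (value name, status) per setting: 'ok', 'missing' (the default applies) or 'wrong:<data>'."""
    found = parse_reg_export(export_text)
    report = []
    for key, name, kind, data in SETTINGS:
        got = found.get((key.lower(), name.lower()))
        report.append((name, "missing" if got is None else "ok" if got == (kind, data) else f"wrong:{got[1]}"))
    return report

# Constructed sample export (not real data): admin shares on, signing required, ten cached logons, Hidden and NoLMHash never set.
SAMPLE_EXPORT = (f"Windows Registry Editor Version 5.00\r\n\r\n[{LANMAN}]\r\n"
                 '"AutoShareWks"=dword:00000001\r\n"RequireSecuritySignature"=dword:00000001\r\n\r\n'
                 f'[{WINLOGON}]\r\n"CachedLogonsCount"="10"\r\n')
```

Running `audit(SAMPLE_EXPORT)` flags AutoShareWks and CachedLogonsCount as wrong and Hidden and NoLMHash as missing; feeding the output of `render_reg_file()` back through `audit` reports every value as ok.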
ABOUT THE AUTHOR: Eric Schultze
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.