Enterprise Desktop.com

Top 5 registry keys for Windows XP

By Eric Schultze

Whenever I interviewed systems administrators who said they were fluent with Windows XP, I always asked them, "What's your favorite registry key?" Most of the time, I'd get a blank look.

With that, I present my favorite five registry keys, which can help secure your systems.

 

  1. My favorite registry key is "Hidden." Adding this registry value will remove an XP computer from the network browse list. This can help prevent casual users on the network from discovering selected machines in the Network Neighborhood view. I like to use this on my own computer as well as other critical laptops and desktops that I don't want other people to poke and prod.
    Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
    Add Value: hidden
    Type: REG_DWORD
    Data: 1
    0 The computer's name and comment can be viewed by other computers. (default)
    1 The computer's name and comment cannot be viewed by other computers.

  2. Each Windows XP system automatically creates a share for each drive letter on the computer. These shares are only available remotely to users with administrative access. However, in some instances, it may be handy to prevent these "auto admin shares" from being created. If you simply right-click on the share and remove it in Explorer, the share will come back the next time the computer is started. By setting the AutoShareWks key, you can prevent these shares from being created.
    Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
    Value: AutoShareWks
    Type: REG_DWORD
    Data: 0
    0 Disables creation of the shares
    1 Enables creation of the shares (default)

  3. My third favorite registry key is NoLMHash. This registry setting instructs the computer to not save the LanMan hash of your password on your computer. The LanMan hash is an extremely weak representation of your password and can weaken the overall password posture of your computer. By disabling the storage of the LanMan hash on all desktop systems, you can significantly improve the security of your network. Alternatively, you can run the thrashlm tool to remove the LM hashes from your computer.
    Key: HKLM\System\CurrentControlSet\Control\Lsa
    Value: NoLMHash
    Type: REG_DWORD
    Data: 1
    0 Stores the LanMan password hash (default)
    1 Disables storage of the LanMan password hash

  4. Closely related to No. 3 is CachedLogonsCount. Each user account and password that is used to log onto the domain from your computer is cached locally on your system. This makes it possible to log onto your computer with your domain account when your machine isn't on the network. While a useful function, the cached passwords can be obtained using a password-cracking tool. It's best to limit the number of cached logons when possible. The other option is to run a trashpwhist tool to wipe the cached passwords from your machine.
    Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: CachedLogonsCount
    Type: REG_SZ
    Data: 1
    0 No user accounts or passwords are cached
    1-50 Number of user accounts and passwords to cache (default is 10)

  5. If you're concerned about users visiting malicious websites or rogue SMBRelay servers on your internal network, it may be best to enable the key RequireSecuritySignature. This will prevent successful exploitation for all variants of credential reflection attacks.
    Key: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters
    Value: RequireSecuritySignature
    Type: REG_DWORD
    Data: 1 (enable)
    0 SMB signing is not required (default)
    1 SMB signing is required

The above keys can be rolled out via Group Policy settings or individually via a .reg file that is executed on each machine. Although there is no silver-bullet set of registry keys for securing your XP systems, implementing these five registry keys can help ensure the security of your network. Remember to fully test these registry settings before rolling them out to your enterprise.
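
To confirm that a rollout actually landed, a `reg export` taken from a machine can be checked against the five settings. The Python below is an added example, not part of the original article: the function names and the sample export are constructed, NoLMHash is read from `Control\Lsa`, and the check flags the cases that fail silently (a value that is absent, or one written with the wrong type, such as CachedLogonsCount stored as a DWORD instead of REG_SZ).

```python
import re

LSP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
BASELINE = [  # (key, value name, .reg type, expected data) for the five settings
    (LSP, "Hidden", "dword", 1),
    (LSP, "AutoShareWks", "dword", 0),
    # NoLMHash is looked up directly under Control\Lsa, where Microsoft documents it.
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "NoLMHash", "dword", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "CachedLogonsCount", "sz", "1"),  # REG_SZ: a quoted string in .reg syntax
    (LSP, "RequireSecuritySignature", "dword", 1),
]

# Constructed sample; real `reg export` files are UTF-16 (open with encoding="utf-16").
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"hidden"=dword:00000001
"AutoShareWks"=dword:00000001
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"=dword:00000001
'''

def parse_reg(text):
    """Return {(key, value name), both lowercased: (type, data)}."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry paths are case-insensitive
        elif key and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                values[key, name] = ("dword", int(raw[6:], 16))
            else:  # quoted data is REG_SZ; anything else is kept unparsed
                values[key, name] = ("sz", raw[1:-1]) if raw[:1] == '"' else ("other", raw)
    return values

def audit(text):
    """Map each baseline value name to OK, MISSING, WRONG TYPE or WRONG DATA."""
    found, report = parse_reg(text), {}
    for key, name, typ, want in BASELINE:
        got = found.get((key.lower(), name.lower()))
        if got is None or got[0] != typ:
            report[name] = "MISSING" if got is None else "WRONG TYPE"
        else:
            report[name] = "OK" if got[1] == want else "WRONG DATA"
    return report
```

For the constructed sample, `audit(SAMPLE)` reports Hidden and RequireSecuritySignature as OK, AutoShareWks as WRONG DATA, NoLMHash as MISSING and CachedLogonsCount as WRONG TYPE.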

 

ABOUT THE AUTHOR:   
 
Eric Schultze
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.
 


 

23 Sep 2009
