Jun 23

Windows Desktop Security Tips - Seven Tips to Keep Your Windows Desktop Locked Down Tight

Everybody likes to moan about Microsoft products (I do, too), but there are a number of security options available with the Windows operating system that are really quite phenomenal. As an administrator, you have the ability to control just about every aspect of the user's working environment, network or local. Windows is not famous for having a lot of effective default security settings to choose from, however, and because of this the Windows desktop is easily open to abuse if it is not tweaked properly.

Locking it down can be easily achieved by taking a few simple precautions, though. Here is a small collection of seven of my favorite Windows lockdown tips.

Tip 1: Keep your email in simple text format. It's this simple: there is no way to stop all of that spam, adware, spyware and hacking if you don't give yourself a push and configure your mail as text. Mails containing HTML content might be beautiful to look at, but you are opening the door to abuse and trouble.

Tip 2: Keep potentially dangerous files closed for business. Have you ever stopped to think about locking away the System32 folder from Joe User? You ought to. There are way too many executable files in there that he or Joe Intruder can exploit. Just remove the unnecessary permissions.

Tip 3: Put the registry off-limits. Nobody needs to fool around with the registry, ever. Well, nobody except you, that is. Take the time to block access to potentially dangerous registry keys. These include the auto-run keys and startup folders - favorites for those who like to fiddle around with your system. Simply use the NTFS permissions to limit access to these files. Lock out the possibility of making file associations while you are at it. Make a list of the types of files you do not want to run on your systems, then take away their read and write permissions using NTFS (a group policy would be the best policy here).
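
As an added example (not from the original article), here is a read-only PowerShell audit for Tip 3 that lists which accounts other than SYSTEM, Administrators and TrustedInstaller hold write-type rights on auto-run locations. The path list and the trusted-SID list are assumptions chosen for illustration; registry keys are checked through their own ACLs and the startup folder through its NTFS ACL.

```powershell
# Added example. The path list and the trusted-SID list are assumptions; adjust both.
$AutoRunPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that allow planting or changing an auto-start entry.
$RegWrite    = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$FileWrite   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-AutoRunWriteAccess {
    param([string[]]$Path = $AutoRunPaths)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # e.g. no WOW6432Node on 32-bit Windows
        $acl   = Get-Acl -LiteralPath $p
        $isReg = $acl -is [System.Security.AccessControl.RegistrySecurity]
        $mask  = if ($isReg) { $RegWrite } else { $FileWrite }
        # Request SIDs instead of names so the comparison survives localized account names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only entries apply to child objects, not to this key or folder.
            if (([int]$rule.PropagationFlags -band $InheritOnly) -ne 0) { continue }
            $rights = if ($isReg) { $rule.RegistryRights } else { $rule.FileSystemRights }
            if (([int]$rights -band $mask) -eq 0) { continue }   # read-only entry
            $sid = $rule.IdentityReference.Value
            if ($TrustedSids -contains $sid) { continue }
            $name = '(unresolved SID)'   # kept when the SID maps to no account
            try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{ Path = $p; Account = $name; Sid = $sid; Rights = $rights; Inherited = $rule.IsInherited }
        }
    }
}

Get-AutoRunWriteAccess | Format-List
```

An empty result means only the trusted principals can modify those locations; any row returned is an entry to review before tightening permissions.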

Tip 4: Turn off unneeded services. The fewer services you have running on a system, the smaller the area of attack you leave open to those who wish to do you harm - or to those who play around with their systems as a hobby. You know, less is more. If you don't need the service, turn it off. You can also run the services you need on non-default ports. This makes it harder for hackers to get at and exploit the services that have to run.

Tip 5: Only allow booting from the primary hard disk drive. If you take away the possibility to boot from diskette, for instance, you take away the possibility of using many forms of hacking and (password) cracking programs. Boot viruses are then no longer possible. Remember to prevent anyone from changing this (or the boot sequence) by applying a secure BIOS password.

Tip 6: Never allow a user to log in with administrator rights. Most things that go wrong on a system have to do with the fact that the user can simply do too much. Sometimes it is necessary to give a user local administration rights so that he or she can install new software, for example. But if you don't take these rights away afterwards, you are opening up the door for calamity. Now any new program can be installed, without your permission or without your knowledge. And in the end, if you can't stop unauthorized programs from being installed and executed, you can't guarantee security on that system.

Tip 7: Rename your administrator account. And while we're on the subject of administrator rights... don't forget to also rename your administrator account. Most attackers are looking to exploit the administrator account, and if they know what the name of the account is, half (okay, maybe a third) of the battle is won. Rename all sensitive accounts while you are at it. And then, "just for fun", create bogus accounts for the accounts you have just renamed and audit these for attempted access.

That should do it - for now! You may not be able to achieve absolute security by utilizing these lockdown tips - nobody will ever achieve absolute security, of course - but you can at least rest assured that, for the time being at least, you have made it next to impossible for malicious intruders to exploit these tightly-secured systems.