HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA


APK
12-05-2007, 12:13 PM
INTRODUCTION (afterwards, the actual steps to perform will be listed for your reference, each in their own post reply, to avoid "clutter"):

Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - new holes/vulnerabilities appear in the OS & its libs + apps, but this gets you closer, if not as close as a body needs to be!).

THIS IS GEARED TO "stand-alone" systems online on the internet (However - it can be adapted for LAN/WAN office or home networked environs, BUT, pay attention to step #2's 'warnings' about pulling Client For Microsoft Networks, &/or File & printer sharing - most networks require/need this)

BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:

Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):

http://www.microsoft.com/downloads/Browse.aspx?DisplayLang=en&nr=20&categoryid=7&sortCriteria=date&sortOrder=descending

It is a personally 'security-hardened' model I have been working on for many years, using principles I learned & used since the NT 3.5x days onward to this version of the OS: As is now?

I score an 85.760 on the CIS Tool 1.x currently as of 10/10/2007!

http://forums.techpowerup.com//attachment.php?attachmentid=10053&d=1192208359

This is up from my past score here of 76.xxx on it (default score I had prior to this security hardening via CIS TOOL & its advisements & past the 84.735 I initially hardened it up to, & later 85.185 as well), & here is how to do it!

Currently, I can go NO higher than this score of 85.760 (of 100 total) on CIS Tool 1.x for Windows, pictured here (photo proof/pictures DO say, a 1,000 words (like this post, lol)) & even IF I could get past the few areas I know are wrong (the test errs, as it does on some areas in LINUX as well), I cannot get past 88% or so, period!

============================================================================
HERE ARE LINUX SCORES FROM CIS TOOL (SuSE Enterprise Linux under VMWare):
============================================================================

HARDENED LINUX:

http://forums.techpowerup.com//attachment.php?attachmentid=10194&stc=1&d=1192894351

DEFAULT LINUX:

http://forums.techpowerup.com//attachment.php?attachmentid=10193&stc=1&d=1192894012

(It appears that LINUX has FAR LESS TESTED, when compared to the SIZE of the Windows tests, & Linux CAN reach 90++ scores (but there is an error in CIS TOOL preventing myself from going to a higher than 85.760 score & I have submitted the data to CIS TOOL's authors on that account WITH PROOFS, and even if I could get the few areas I am scored down on still, it would not add to past 88% or so... bug, bigtime, do the math from my score & see))

============================================================================

BUT, that is a GOOD score (especially considering the default score of VISTA even, is FAR BELOW THAT! Nice part is? The techniques noted here can LARGELY APPLY TO VISTA AS WELL! Read on...)

(For CIS Tool - There are Linux, Solaris, BSD variants, & other OS models ports (some only in .pdf security guide form though, not programmatically automated yet, like MacOS X) of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)

DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:

http://www.cisecurity.org/bench.html

(IMPORTANT: This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!)

APK

P.S.=> Now that the "introductory material" (tools to use, how/why, results possible, etc. et al) has been put down, here we go to the actual "meat" of the subject in my next post(s). Also - IF you have more to add to this, OR critique of my points? Please - have @ it & let 'em rip (we ALL can gain by it)... thanks! apk

APK
12-05-2007, 12:13 PM
=============================================================================================
APK 12 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):
=============================================================================================

1.) HARDENING & SECURING SERVICES HOW-TO:

Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE). I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privilege user too for this on 2000 if needed)...

I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

LOCAL SERVICE startable list (vs. LocalSystem Logon Default):

Acronis Scheduler 2 Service
Alerter (needs Workstation Service Running)
COM+ System Application
GHOST
Indexing Service
NVIDIA Display Driver Service
Office Source Engine
O&O Clever Cache
Remote Registry
Sandra Service
Sandra Data Service
SmartCard
Tcp/IP NetBIOS Helper
Telnet
UserProfile Hive Cleanup Service
Volume Shadowing Service
Windows UserMode Drivers
Windows Image Acquisition
WinHTTP Proxy AutoDiscovery Service

NETWORK SERVICE startable list (vs. LocalSystem Logon Default):

ASP.NET State Service
Application Layer Gateway
Clipbook (needs Network DDE & Network DDE DSDM)
Microsoft Shadow Copy Provider
Executive Software Undelete
DNS Client
DHCP Client
Error Reporting
FileZilla Server
Machine Debug Manager
Merger
NetMeeting Remote Desktop Sharing Service
Network DDE
Network DDE DSDM
PDEngine (Raxco PerfectDisk)
Performance Logs & Alerts
RPC
Remote Desktop Help Session Manager Service
Remote Packet Capture Protocol v.0 (experimental MS service)
Resultant Set of Policies Provider
SAV Roam
Symantec LiveUpdate
Visual Studio 2005 Remote Debug

PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.

WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

If that fails (shouldn't, but IF it does)? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

ListSvc (shows services & drivers states of stopped or started)

Enable (starts up a service &/or driver)

Disable (stops a service &/or driver)

Which can turn them back on if/when needed

(ON Virtual Disk Service being removed, specifically (because it used to be in this list)): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this - do consider it, when possible! Many guides online exist for this, & I authored one of the first "back in the day" for NTCompatible.com as "Article #1" back in 1997-1998 - the latest ones are even BETTER!

SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

http://forums.techpowerup.com/showthread.php?t=16097

"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use its File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

(It's easy, & it works, & is necessary for the actual steps to do this, below)

Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

(To define a new security template, follow these steps)

1. In the console tree, expand Security Templates
2. Right-click %SystemRoot%\Security\Templates, and then click New Template
3. In the Template name box, type a name for the new template.

(If you want, you can type a description in the Description box, and then click OK)

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

1. To define a System Services policy, follow these steps:
a. Expand System Services
b. In the right pane, double-click the service that you want to configure
c. Specify the options that you want, and then click OK.

(And, of course, the user feedback on its effectiveness (Makes your Win32 NT-based OS very much like how MacOS X treats its daemon processes via privilege levels), which uses the same general principles)

It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

DONE!

APK
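
An added example, not part of the original post: a Python sketch that lists services still logging on as LocalSystem although the lists in the post say they start under LOCAL SERVICE or NETWORK SERVICE. The sample inventory is constructed, the display names are a subset of the post's lists as spelled there (adjust them to the display names on your system), and the live reader assumes a Windows host.

```python
"""Flag services that still log on as LocalSystem but appear on the post's lists."""

# Display names as the post spells them (subset of its two lists), lower-cased.
LOCAL_SERVICE_OK = {"alerter", "indexing service", "remote registry",
                    "smartcard", "tcp/ip netbios helper", "telnet"}
NETWORK_SERVICE_OK = {"dns client", "dhcp client", "error reporting",
                      "network dde", "performance logs & alerts"}

LOCAL_SYSTEM = "LocalSystem"
LOCAL_SERVICE = "NT AUTHORITY\\LocalService"
NETWORK_SERVICE = "NT AUTHORITY\\NetworkService"

# Constructed sample inventory: (display name, ObjectName value or None).
SAMPLE_SERVICES = [
    ("Alerter", "LocalSystem"),
    ("DNS Client", "NT AUTHORITY\\NetworkService"),
    ("DHCP Client", "LocalSystem"),
    ("Telnet", "NT Authority\\LocalService"),
    ("Print Spooler", "LocalSystem"),   # not on either list: left alone
    ("Remote Registry", None),          # no ObjectName: runs as LocalSystem
]


def normalize_account(object_name):
    """Fold the spelling variants of the built-in accounts into one form."""
    if not object_name:
        return LOCAL_SYSTEM
    key = object_name.replace(" ", "").lower()
    if key in ("localsystem", ".\\localsystem", "ntauthority\\system"):
        return LOCAL_SYSTEM
    if key == "ntauthority\\localservice":
        return LOCAL_SERVICE
    if key == "ntauthority\\networkservice":
        return NETWORK_SERVICE
    return object_name  # a named user account: report it unchanged


def audit(services):
    """Return (display name, suggested account) for LocalSystem services
    that the post lists as startable under a lower-privilege account."""
    findings = []
    for display_name, object_name in services:
        if normalize_account(object_name) != LOCAL_SYSTEM:
            continue  # already running with reduced privileges
        name = display_name.strip().lower()
        if name in LOCAL_SERVICE_OK:
            findings.append((display_name, LOCAL_SERVICE))
        elif name in NETWORK_SERVICE_OK:
            findings.append((display_name, NETWORK_SERVICE))
    return findings


def read_live_services():
    """Read (DisplayName, ObjectName) of Win32 services from the registry."""
    import winreg  # Windows only, so imported here rather than at the top

    def value(key, name, default=None):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return default

    found = []
    root = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as services:
        index = 0
        while True:
            try:
                key_name = winreg.EnumKey(services, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(services, key_name) as key:
                    svc_type = value(key, "Type", 0)
                    # 0x10 / 0x20 mark Win32 services; drivers are skipped.
                    if isinstance(svc_type, int) and svc_type & 0x30:
                        found.append((value(key, "DisplayName", key_name),
                                      value(key, "ObjectName")))
            except OSError:
                continue  # key not readable with the current rights
    return found


if __name__ == "__main__":
    import sys
    inventory = read_live_services() if sys.platform == "win32" else SAMPLE_SERVICES
    for display_name, suggested in audit(inventory):
        print(f"{display_name}: LocalSystem -> try {suggested}")
```

Treat the output as a list of candidates to test one at a time, since the post itself notes that a service which fails under the reduced account has to go back to LOCAL SYSTEM.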

APK
12-05-2007, 12:14 PM
IF you have a HOME LAN/network?

You skip this/leave this alone & do not disable the SERVER service (it creates the hidden default C$ administrative share for example) in services.msc & keep 127.0.0.1 (the default lone entry it has) in your %windir%\system32\drivers\etc HOSTS file as well.

2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)!

E.G.-> Here? I pull ANY Networking clients (Client for MS Networks/File & Printer Sharing)) &/or Protocols (QoS = just 1 example) in the Local Area Connection!

(That is, unless its for an antivirus & their Layered Service Provider hacks, such as Trend Micro use here, or more "hidden ones" like NOD32 or NAV use)

So, other than Tcp/IP typically, it gets removed!

(I also disable NetBIOS over Tcp/IP as well if you don't have a HOME or WORK LAN as well, because I don't need it here, as I am currently @ home on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN).

Stopping the SERVER service helps here as well (no shares possible, not even the default C$ administrative share, iirc)

Also regarding the HOSTS file? IF you have a LAN/WAN you use (or not), you will have to have the mandatory entry of:

127.0.0.1 localhost

In it (needed for networking with a LAN/WAN - you could technically, dispense with it otherwise, but, as you can see above? It has practical uses... even SpyBot utilizes it & that is one HELL of a program, for this purpose:SECURITY!).

APK

APK
12-05-2007, 12:15 PM
3.) Use IP security policies (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:

http://www.analogx.com/contents/articles/ipsec.htm

(Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)

NOTE: This can be 'troublesome' though, for folks that run filesharing clients though.

An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.

(HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it & when done? TURN THEM ON, AGAIN! These work WITH software & hardware router firewalls, IP port filtering, and security IP policies, simultaneously/concurrently, for "layered security", no hassles!).

APK

APK
12-05-2007, 12:16 PM
4.) Another thing I do for securing a Windows NT-based OS: IP Port Filtrations (like ip security policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IPSecurity policies, hardware AND software firewalls, all in combination/simultaneously running)!

DIRECTIONS ON HOW TO IMPLEMENT THEM (very easy):

Start Menu
-> Connect To Item (on the right hand side)
-> Local Area Connection (whatever you called it, this is the default, iirc) open it via double click OR, right-click popup menu PROPERTIES item
-> Properties button on left-hand side bottom, press/click it
-> NEXT SCREEN (Local Area Connection PROPERTIES)
-> "This connection uses the following items" (go down the list, to Tcp/IP & select it & /click the PROPERTIES button there)
-> Press/Click the Advanced Button @ the bottom Right-Hand Side (shows Advanced Tcp/IP Settings screen)
-> OPTIONS tab, use it & Tcp IP Filtering is in the list, highlight/select it
-> Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side
-> Check the "Enable Tcp/IP Filtering (on all adapters)" selection
-> In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp)
-> In the far left "tcp ports" list - check off the radio button above the list titled "PERMIT ONLY", & then add ports you want to have open (all others will be filtered out, & for example, I leave port 80,8080, & 443 here open, only on my standalone, non-networked home machine (for a HOME or WORK LAN, you may need to open up ports 135/137/139/445 for a Windows based network for file & print sharing PLUS enable NetBIOS over Tcp/IP in your network connection properties & ENABLE Client for Microsoft Networks & File and Print sharing too) - you may need more if you run mail servers, & what-have-you (this varies by application))
-> I leave the UDP section "PERMIT ALL" because of ephemeral/short-lived ports usage that Windows does (I have never successfully filtered this properly but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable))
-> DONE!

You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA? This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

http://www.microsoft.com/technet/community/columns/cableguy/cg0605.mspx

(In THAT url above? Trust me - Enjoy the read, it is VERY informative: That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

APK

APK
12-05-2007, 12:16 PM
5.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE (my personal one houses, as of this date, 90,000 known adbanner servers, OR sites known to bear malicious code & exploits (per GOOGLE mostly, from stopbadware.org))

Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filtering files + cascading style sheets for this purpose.

(As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))

For a copy of mine, write me, here -> REMOVED

And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)

OR, JUST DOWNLOAD IT HERE:

http://forums.techpowerup.com/attachment.php?attachmentid=6540&d=1172567412

An example of WHY you'd want to use one of these for security's sake? Read here:

http://forums.techpowerup.com/showthread.php?t=25937

DIRECTIONS FOR USE (also in my downloadable CUSTOM HOSTS file above, with MORE on how to really use them to get even more speed than blocking adbanners mind you is in its internal documentation):

You replace your:

%windir%\system32\drivers\etc

Original version of HOSTS with this one (overwrite it, but, first copy your original OR rename it to keep it around IF ever needed), & have @ it (HBO internet, no commercials + thus MORE SPEED (and, you WILL notice it) by not calling out to ad servers, loading their data, & running it... & certainly NO possibility of being infected by adbanners that bear RBN (Russian Business Network) malware javascripted/FLASH bearing adbanners that infect you as has been seen lately/very currently in fact - between this, and stalling out Java/JavaScript + ActiveX/ActiveScripting globally in your browsers as noted in the last step & why? You are "proof" against MOST attacks today (& consider disabling IFrames too, an oft used attack today as well!)).

Now, like I do? It IS possible to alter the default location of the HOSTS file, & to take away I/O from your main disk to load it by using another one... like a 2nd HDD you may have IF you have one for example!

(E.G.-> I move mine to my CENATEK RocketDrive SSD (solid state RamDisk), for F A S T access since seek times on it are 1000's of times faster than on std. mechanical disks, & doesn't matter WHAT kind - & here I also place my pagefile.sys on its own partition (first) & then webpage caches, %temp% environmental variable ops, logging (even eventlogs, which like HOSTS file, can be moved in the registry to another disk, & applications often have the ability to move their logs in their configuration screens as well)) via this registry key, should you elect to do the same:

In regedit.exe's right-hand-side pane, follow this path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

& in the left-hand-side pane of regedit.exe, you change the DataBasePath path value there to the disk & folder you wish to place your HOSTS file in (which makes for faster OS & IP stack initialization since it is on another drive, in my case an SSD so it is THAT MUCH QUICKER since seeks on them are so fast, to load the HOSTS data into your RAM (local DNS cache)).

APK
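
An added example, not part of the original post: a Python check to run over a HOSTS file obtained from someone else before it overwrites the one in %windir%\system32\drivers\etc. It counts the block entries (names pointed at loopback or 0.0.0.0), confirms the localhost line is present, and reports every active entry that maps a name to a real address, since such "speed-up" entries pin that name to whatever IP the file's author chose. The sample file, hostnames and addresses are constructed.

```python
"""Review a third-party HOSTS file before it replaces the system copy."""
import ipaddress

# Constructed sample; hostnames and addresses are documentation values.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 ads.example.com banners.example.net
0.0.0.0 tracker.example.org
#198.51.100.7 forum.example.com
203.0.113.9 bank.example.com   # active "speed-up" entry
not-an-ip broken.example.com
"""


def parse_hosts(text):
    """Yield (line number, address, hostnames) for every active entry.
    Everything after '#' is a comment, so commented-out entries are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], [name.lower() for name in fields[1:]]


def audit_hosts(text):
    """Classify each active entry as a block, a redirect or malformed."""
    report = {"blocked": 0, "redirects": [], "malformed": [],
              "has_localhost": False}
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            report["malformed"].append(line_no)
            continue
        if not names:
            report["malformed"].append(line_no)  # address with no hostname
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name == "localhost" and ip.is_loopback:
                report["has_localhost"] = True
            elif name != "localhost" and sinkhole:
                report["blocked"] += 1
            else:
                # The name resolves to an address chosen by the file's
                # author; verify it yourself before keeping the line.
                report["redirects"].append((line_no, name, address))
    return report


def safe_to_install(report):
    """True only when the file contains nothing but localhost and blocks."""
    return (report["has_localhost"]
            and not report["redirects"]
            and not report["malformed"])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            content = handle.read()
    else:
        content = SAMPLE_HOSTS
    result = audit_hosts(content)
    print("blocked names:", result["blocked"])
    print("localhost entry present:", result["has_localhost"])
    for line_no, name, address in result["redirects"]:
        print(f"line {line_no}: {name} -> {address} (review before use)")
    for line_no in result["malformed"]:
        print(f"line {line_no}: malformed entry")
    print("install as-is:", safe_to_install(result))
```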

APK
12-05-2007, 12:17 PM
6.) USE Tons of security & speed oriented registry hacks (reconfiging the OS basically - stuff like you might do in etc / conf in UNIX/LINUX I suppose)

Download them from here @ SOFTPEDIA (where they are rated 4/5):

http://www.softpedia.com/get/Tweak/System-Tweak/APK-Internet-and-NTkXP-Speedup-Guides.shtml

OR, just email me here for them -> REMOVED

(The email option's the best, because I also have these PREBUILT, in .reg files, mind you, available by email, BUT, the ones I can mail ARE FULLY INTERNALLY DOCUMENTED!)

They are FULLY documented internally, with link url's to the Microsoft pages they came from, inside the .reg files, so YOU can look at what the hack does inside them, verify this @ MS, & know what the valid parameters are as well!

(This? It took me FOREVER a year or so ago to do this, but worth it!)

The urls, or downloadable .mht files, outline it all (as do my prebuilt .reg files, probably the BEST choice of the lot imo), as to what you can ".reg file hack" for better SPEED, and SECURITY online, in a modern Windows 2000/XP/Server 2003 OS & has references from Microsoft in it for each setting plus their definitions & parameters possible!

APK

APK
12-05-2007, 12:18 PM
7.) USE General security policies (in gpedit.msc/secpol.msc - afaik though, these are NOT in XP "Home" edition, sorry)), these are VALUABLE tools (and will be needed & suggestions for it will be told to you by the CIS Tool noted above - great stuff!) and regedit.exe!

(Newly added - regedit.exe use is for registry ACL permissions, via its EDIT menu, PERMISSIONS submenu item (to add/remove users that have rights to registry hives/values, & to establish their rights levels therein))

ALSO NEWLY ADDED - Explorer.exe "right-click" on drive letters/folders/files (for file access ACL permissions hardening) using its popup menu selection of "PROPERTIES", & in the next screen, the SECURITY tab (to add/remove users that have rights to said items, & to establish their rights levels therein), also - this is another requirement of CIS Tool 1.x & its suggestions for better security.

APK

SufferWell1396
12-05-2007, 12:18 PM
uh... spam?
there's been a lot lately.... :rolleyes:
reported.

APK
12-05-2007, 12:19 PM
8.) KEEP UP ON PATCHES FROM MICROSOFT, for your OS & Microsoft Office Apps, & IE, etc., HERE (ordered by release date) and run AntiVirus/AntiSpyware/AntiRootkit tools (& yes, keep them updated/current)!

http://www.microsoft.com/downloads/Browse.aspx?DisplayLang=en&nr=20&categoryid=7&sortCriteria=date&sortOrder=descending

Again, keep up on antivirus/antispyware/antirootkit AND Java runtimes updates!

(Done either automatically via their services, or manually)

Download them manually & install them yourself (OR just let "Windows Automatic Updates" run)

ALSO - do the use of the "std. security stuff", like:

AntiVirus Programs (NOD32 latest 2.7x - "best" one there is, all-around (best speed/efficiency, less "moving parts" in drivers (kernelmode-RPL0-Ring 0 portion) & services/gui usermode-RPL2-Ring3 sections + great consistent showings in detect rates, especially heuristics), & that is not only MY opinion after testing it vs. my former fav. NAV Corporate 10.2 (it is lighter in RAM & resource uses than NAV Corporate even, finds more virus' than others, & uses less "moving parts" (in the way of services componentry, than most do, & certainly less than NAV))

Proof? See here -> http://www.eset.com/products/compare.php

(That's a single source, there are others, such as av-comparatives.org, which also test & compare AntiVirus products out there as well on many levels (mostly detection rates). The URL above goes into more than that, such as program speed/efficiency/throughput, & the fact NOD32 is written almost TOTALLY in pure Assembler language (when, if coupled with a solid fast algorithm/engine, is untouchable even by C/C++ or Delphi even for that)).

+

SpyBot (Ad-Aware is another option) as my resident antispyware tool running in the background!

This tool in SPYBOT also installs & runs PERFECTLY in safemode (combined with ComboFix &/or SmitfraudFix, you can "burn out" just about ANY spyware/malware infestation in 30-60 minutes, depending on level of infection, speed of your disks/CPU/RAM, & amount of files on your disks - A good antivirus (See NOD32 above, best there is on speed/efficiency, resource consumption, & accuracy) alongside it plus vendor specialized "removal tools" is all a body needs (mostly) when infected.

AntiRootkit tools are another one to be conscious of nowadays, now that such machinations are available for Windows (they originated, afaik, in the UNIX world though).

The "best ones" (AntiRootkit scanners) & their download URL links are:

AVG AntiRootkit
BitDefender AntiRootkit
GMER
Rootkit Revealer
PrevX AntiRootkit
Rootkit Hook Analyzer
Sophos AntiRootkit
F-Secure Blacklight
Gromozon Rootkit Removal Tool
KLister
McAfee Rootkit Detective
PatchFinder
RogueRemover
VICE
System Virginity Verifier for Windows 2000/XP/2003

That is a list for you all to choose from, look them up on GOOGLE to download them from their homepages, as they all do a decent enough job though, & are 100% FREE - SO, DO use them!

APK

APK
12-05-2007, 12:19 PM
9.) It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE IE 7 Protected Mode"-like type scenario, isolating them into their own spaces in memory, here are 2 methods, how (not needed on VISTA though, afaik):

IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":

http://it.slashdot.org/comments.pl?sid=236547&cid=19310513

MY METHOD for RUNNING IE in a "runas limited user class" sandbox effect:

"It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.

Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd" on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batchfile c:\windows\ie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from your normal desktop and only run it from the restricted account. This way you can use IE without worry about any IE exploits"

OTHER, VERY QUITE POSSIBLY SUPERIOR METHOD:

http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html

See section: Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root avoiding being a child process.

Note - The "invisible thing"? She's "Yuriko DeathStrike" as far as I am concerned... Joanna Rutkowska, my fellow "Polish Person" & she's a regular "wonder" in the security/hacking/cracking world!

This is my runopera.bat which runs opera as user internet:
psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"

PLUS, Windows Server 2003 has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)

A USER SUGGESTED ADDON TO AUTOMATE THIS STUFF ON ISOLATION OF IE:

(Per "OILY 17" (TPU forums user) suggestion, to aid in automating this (a tool)):

http://forums.techpowerup.com/showthread.php?p=500284#post500284

"For running IE,Firefox etc as a throw away account has anyone tried this app out yet.Recently came across it, but have not tried it out yet.
Anyone any views?

http://www.sandboxie.com/

As the name suggests runs IE etc in a sand box effect."

Thanks oily (apk) - RECENT UPDATE: I've tried "sandboxie" & understand the layered filtering driver it employs for writes (ignores reads from main HDD) & it IS a great idea, + it works!

APK

APK
12-05-2007, 12:20 PM
10.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person & even THEN, scan it with an antivirus (still gets email scanned though by your resident antivirus email scan component (use AntiVirus programs with these, OR, manually scan ANY attachments before opening them (if you get Microsoft Office .doc, .xls, .ppt etc. files uncompressed? HOLD DOWN THE SHIFT KEY AS YOU OPEN THEM - this stops macros from running & macros are the avenue utilized using VBA script to infect you))

APK

APK
12-05-2007, 12:21 PM
11.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router (with cookie & scripting filtering built-in @ the hardware level), these are excellent investments for security.

APK

APK
12-05-2007, 12:21 PM
12.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP or VISTA (you have to install this, it does NOT install by default) first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as a starting point))...

Directions for its installation are as follows:

Start the Add or Remove Programs Control Panel applet.

Click Add/Remove Windows Components.

On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

DONE! Now, run it...

It is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

ALSO, per TPU forums user (username "xvi") @ techpowerup.com forums (software section): Use Microsoft Baseline Security Advisor, a free download from Microsoft as well to check your system for security holes, patch updates, etc. (be wary of the fact it does require various services running though, iirc, Terminal Server Services Client - I do NOT keep that running here anymore, & this program failed on me because of that (would not initialize @ all))

APK

APK
12-05-2007, 12:22 PM
AN IMPORTANT POINT:

STOP JAVASCRIPT USAGE IN YOUR BROWSERS (along with ActiveX & JAVA) On the PUBLIC internet, PERIOD (well, with SOME exceptions on sites that demand you use it, OR those that cannot function properly without it, some examples below)!

Why? Well, read on:

Fact is, that today? Well... Javascript's dangerous & can be used AGAINST you, as well as help you... it truly is, or can be, a 'double-edged sword'...

(For example - if you follow security related news, you will see that JavaScript is the key avenue being used against you in today's attacks (even thru adbanners!)). Some examples:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick

&

http://apcmag.com/5382/microsoft_apologises_for_serving_malware_to_customers

If you MUST use Javascript (for instance, on a particular site like banking or shopping oriented ones)?

Try "NoScript" (the .xpi addon for FireFox/Mozilla/NetScape 9 etc.) & let it let YOU decide sites to use it on, & then DISABLE JAVA/JAVASCRIPT globally...

(& if you use IE, trying to do the same can be a nightmare (as IE will "nag you to death" if you turn off javascript on sites that use it)).

Opera has similar functionality, ALBEIT, built into it by default as a NATIVE tool!

I.E.-> The ability to GLOBALLY block scripting tools like Javascript, BUT... to also allow it for sites you MUST use it on as exceptions to the GLOBAL rule set in Tools, Preferences menus it has on its menubar.

Opera has the NATIVE BUILT IN ABILITY to allow you to use it on sites you visit IF you must, via rightclicks on the page & "EDIT SITE PREFERENCES" popup menu submenu item that appears.

Either way? It works, & I STRONGLY recommend this. I also recommend Opera for these reasons (less security holes period, & the 1 it had yesterday? Patched yesterday too... fast!)

=====
SECUNIA DATA ON BROWSER SECURITY (dated 11/29/2007):
=====

Opera 9.24 security advisories @ SECUNIA (0% unpatched):

http://secunia.com/product/10615/?task=advisories

----

Netscape 9.0.0.4 (0% unpatched)

http://secunia.com/product/14690/

----

FireFox 2.0.0.11 security advisories @ SECUNIA (22% unpatched):

http://secunia.com/product/12434/

----

IE 7 (latest cumulative update from MS) security advisories @ SECUNIA (37% unpatched):

http://secunia.com/product/12366/

----

Those %'s are the latest for FireFox 2.0.0.11, Netscape 9.0.0.4, IE7 after last "patch Tuesday" from MS with the "CUMULATIVE IE UPDATES" they have (see the security downloads URL I post in the 12 steps above to secure yourself), & Opera 9.24... all latest/greatest models.

So, as you can see?

Well, NOT ONLY IS OPERA MORE SECURE/BEARING LESS SECURITY VULNERABILITIES?

It's faster too, on just about ANYTHING a browser does, & is probably the MOST standards compliant browser under the sun (not counting HTML dev tools). This is borne out in these tests:

http://www.howtocreate.co.uk/browserSpeed.html

AND, yes others (most recently in Javascript parsing speeds, oddly enough, lol... given the topic of my post here that is), right here:

http://nontroppo.org/timer/kestrel_tests/

Opera's just more std.'s compliant, faster, & more secure than the others... so, "where do you want to go today?"...

ALSO - HOW TO SET THE "KILL BIT" ON ACTIVEX CONTROLS:

(I.E.-> This is how to stop an ActiveX control from running in Internet Explorer)

http://support.microsoft.com/kb/240797

In case you have "problematic" or security vulnerable ActiveX controls, per this RealPlayer example thereof:

http://service.real.com/realplayer/security/191007_player/en/

APK

P.S.=> Yes, it's LONG, & takes about 1-3 hours to do & test, but worth it... enjoy guys, & IF you have more to add or valid critique? Please do so, thanks... apk
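
Added example, not part of the original post: a PowerShell sketch of the kill-bit procedure from KB240797 linked above, which sets and then verifies the 0x400 "Compatibility Flags" value for one control. The CLSID shown is a placeholder and the function names are made up for this example; take the real CLSID from the vendor's advisory and run from an elevated prompt.

```powershell
# Added example: set and verify the Internet Explorer "kill bit" (KB240797).
# Function names are hypothetical; the CLSID at the bottom is a PLACEHOLDER.

$KillBit   = 0x400                      # flag that stops IE from instantiating the control
$ValueName = 'Compatibility Flags'      # DWORD value documented in KB240797

function Get-ActiveXCompatRoots {
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    return $roots
}

function Test-Clsid {
    param([string]$Clsid)
    # Accept only the braced GUID form used as the registry key name.
    return $Clsid -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
}

function Get-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    if (-not (Test-Clsid $Clsid)) { throw "Not a braced CLSID: $Clsid" }
    foreach ($root in Get-ActiveXCompatRoots) {
        $key   = Join-Path $root $Clsid
        $flags = 0
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($prop) { $flags = [int]$prop.$ValueName }
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X8}' -f $flags
            KillBitSet = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Clsid)
    if (-not (Test-Clsid $Clsid)) { throw "Not a braced CLSID: $Clsid" }
    foreach ($root in Get-ActiveXCompatRoots) {
        $key = Join-Path $root $Clsid
        if ($PSCmdlet.ShouldProcess($key, "Set $ValueName to include 0x400")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # Keep any flags already present and OR the kill bit in.
            $current = 0
            $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($prop) { $current = [int]$prop.$ValueName }
            $new = $current -bor $KillBit
            New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
                -Value $new -Force | Out-Null
        }
    }
}

# PLACEHOLDER CLSID: replace with the one named in the advisory you are acting on.
$clsid = '{00000000-0000-0000-0000-000000000000}'

Set-ActiveXKillBit -Clsid $clsid -WhatIf      # dry run; drop -WhatIf to write the value
Get-ActiveXKillBit -Clsid $clsid | Format-Table -AutoSize
```

Restart Internet Explorer after setting the value; `KillBitSet` should read True for every registry view listed.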

APK
12-05-2007, 12:24 PM
uh... spam?
there's been a lot lately.... :rolleyes:
reported.

This isn't spam - it works, anyone is welcome to try the techniques listed & ESPECIALLY, to discuss points in them, in case I put in something "wrong" or something that might not list an exception it may need.

(So far, it has been well received @ roughly 20 forums online... & I am looking for critique as well, to strengthen it further mind you, so, let 'em rip & we can all discuss points made, etc.)

Above all - I am only spreading the word on it, & the fact it works for "layered security" for people online.

APK

SufferWell1396
12-05-2007, 12:32 PM
oh, so you aren't a bot :)

well, in that case we all here would find it a little risky, there's links to outside websites and it's your first post(s)

i don't know where this would be posted, or if it's in the right place.
we'll just have to see what a mod says.
thanks for clarifying, though :)

APK
12-05-2007, 12:37 PM
No, lol, I am not a bot...

(BUT, thanks for checking, you probably did the "right thing" & all that by your fellow forums members etc.)

I'm putting this up all over "the wire" today while I wait for my car to come out of its inspection, so, might as well pass the time, constructively.

(The nicest part is, folks have given me some GOOD solid tips, & I credited them within the contents of this posting... there's a GOOD chance I will get the same here, & elsewhere (which, I have, & you guys got the further refined model, & all that because of critique - 1 oz. of critique, is worth 10,000 lbs. of praise, imo, as you get stronger for it!))

Heck, even "Grammar & Spellchecker" types critiques are welcome (lol, though I loathe those, as this is not legal correspondence, or my last will & testament, but... every little bit, helps!)... though, I am really looking for fellow "tech folks'" opinions on TECHNICAL points, first & foremost (of course, & where better to do that, than technical forums!)

:)

* Stay cool, enjoy, & I hope you guys like this (& lol, don't "cut it up" too badly & all that - It used to be the foundation of "Article #1" from NTCompatible.com, as far back as 1997 * & before that on various forums - this is the CURRENT "refined" version is all &, it just works!)

APK

P.S.=> I've been @ this field for 15 yrs. as a pro (roughly 25 yrs. total time though) ranging @ first from fieldtech, to in house tech, to network tech/administrator, & lastly as a developer mostly for the past 10 yrs. now...

(& yes, "tooting my horn" a bit here, filling in some background/credentials etc., where I was featured in books/mags/newspapers in this field (as well as a fairly "avid" shareware author in my day) & my research + corporate programming has taken some folks to finalist positions @ 2 Microsoft Tech Ed's in a row 2001/2002 iirc, in the hardest category: SQLServer performance enhancement!

(EEC System/SuperSpeed.com, when I wrote part of their SuperCache program & this reviewed excellently (by Mr. John Enck of Windows IT Pro fame(he is one of the technical editors) & for ramdisk usage, for they I did research on creative uses of RamDisk which took them ).

See, I have to kill @ least 3-5 virus/trojan/spyware/malware in general type stuff everyday (as I am sure some of YOU GUYS ARE TOO) & I realize from readings on security material (such as I posted from secunia.com & others above as examples) that a simple handful of IT Tricks (AND, edit, COMMON SENSE PRACTICES) can largely stop or @ least STALL these things... I hope so! apk

Budfred
12-05-2007, 07:14 PM
Most people post this kind of info on their own websites and invite people to visit them... Joining forums just to post this is likely to get you banned in many forums... As you observed, the criminals are very active these days, including doing things that look very much like this, so many of us are suspicious... This is most true when someone we don't know posts something as filled with links as this...

APK
12-06-2007, 12:09 AM
Sorry for delay in reply guys (see subject line above, apologies & all that + I noted I had my car inspected today... & thus, I just HAD to put in the late hours, LOL, or lose my job... can't have that!)

Anyways... here goes:

Most people post this kind of info on their own websites and invite people to visit them...

I have had this on websites over time, & lately, since it's been even more "refined"? It's done well (1 site has it currently over 10,000 views, others nearing 1,000 views already in just 2-3 days time - & 2 sites have it as a "guide" now... folks are also emailing me for the custom registry hacks too, but I don't ask WHERE they saw the post, but it tells me that they are using its tips!).

IF you would like verification of the above statements? Please ask, I will put them down, no problem.

The nice part about this is, using the CIS Tool makes it almost like a game... fun in a "geeky/techie" kind of way... & the CIS Tool has been reviewed well in COMPUTERWORLD & other publications/sites (feel free to check up on it by ALL means, please - odds are, you will like what you read).

Joining forums just to post this is likely to get you banned in many forums...

Heh, I'll tell you what gets ME banned, personally: Getting "into it" with mods... I will take almost anything from folks, to a point, & then, I don't (like most folks).

Thing is? I could absolutely & QUICKLY floor their servers, no questions asked, & I don't... I just "walk away" 9/10 times, & watch them delete their posts where they started up with myself to "cover their b.s." & they must think folks are blind... lol! That people don't see & remember stuff like that.

That's just dumb. I guess that is what comes of thinking you are the "lord of your own little planet" long enough... absolute power, corrupting absolutely & all that (until you run into someone that can blast the planet you lord over, to dust that is).

And, there is ALWAYS someone who can online, the nature of Tcp portion of IP creates the possibility, & it only takes 5 minutes, tops.

As you observed, the criminals are very active these days, including doing things that look very much like this, so many of us are suspicious... This is most true when someone we don't know posts something as filled with links as this...

The links are straight up 100% good & honest ones... they are mostly photos of my scores (so you all have verification they are not b.s.) & the links to sites @ Microsoft are EXCELLENT for knowledge gain that I list, but most of all? SECUNIA is a known security site, & wired mag is pretty famous (apcmag's legit, but not on the level those others are, imo @ least).

ANYHOW:

DO check on CIS Tool... just so you know it's "straight & legit", & then? Have @ it, & secure the HECK out of yourselves, by ALL means & have fun doing it...

APK

P.S.=> Hey, you guys are all "Geeks/Techs/Nerds" & all that (like myself) & since I liked doing it & the great security gain possible? Well, it's pretty GOOD odds, you will too (birds of a feather & all that)... enjoy! apk

Paleo Pete
12-06-2007, 12:25 AM
I removed the email addresses, it's not a good idea to offer to send people files by email, especially when this is your first post and we don't have a clue who you really are.

I would really prefer you post this kind of thing after you've been here for a while and our resident security experts, such as Budfred, KNOW you know what you're doing. Sorry but I prefer to err on the side of caution.

That's just my opinion...

Budfred
12-06-2007, 01:05 AM
Heh, I'll tell you what gets ME banned, personally: Getting "into it" with mods... I will take almost anything from folks, to a point, & then, I don't (like most folks).

Thing is? I could absolutely & QUICKLY floor their servers, no questions asked, & I don't... I just "walk away" 9/10 times, & watch them delete their posts where they started up with myself to "cover their b.s." & they must think folks are blind... lol! That people don't see & remember stuff like that.

That's just dumb. I guess that is what comes of thinking you are the "lord of your own little planet" long enough... absolute power, corrupting absolutely & all that (until you run into someone that can blast the planet you lord over, to dust that is).

And, there is ALWAYS someone who can online, the nature of Tcp portion of IP creates the possibility, & it only takes 5 minutes, tops.
Offering what appear to be threats and insults is not a good way to earn trust... Showing a little appreciation of the constant attack from people who show up to offer solutions only to turn out to be criminals would be far more likely to earn some trust here... Have you even looked at some of the exchanges with malware makers who defend their products with threats and insults??

APK
12-06-2007, 07:26 AM
I removed the email addresses, it's not a good idea to offer to send people files by email, especially when this is your first post and we don't have a clue who you really are.

Too bad, because all it was is .reg files, with links from Microsoft & other valid sources, regarding .reg file settings that can help secure you more. Oh well... not my loss.

Please, have this fellow:

I would really prefer you post this kind of thing after you've been here for a while and our resident security experts, such as Budfred, KNOW you know what you're doing.

Then, let him "do his thing", & examine the links from SECUNIA, Microsoft, WIRED MAGAZINE, (completely legit all of them), CIS Tool & the folks that created it etc. & then let him add to this with some good solid points, OR have him critique the existing ones that merit it & I will discuss his points with he... I welcome that actually...

It will only make it stronger.

Sorry but I prefer to err on the side of caution.
That's just my opinion...

Well, since your resident security guru's here... then again: Let's see if he can add anything constructive to my points above, OR some critique to the existing ones...

That's all I am looking for really, so I can "shore up" any weaknesses in it, OR add more to it, so everyone can gain by it.

APK

APK
12-06-2007, 07:31 AM
Offering what appear to be threats and insults is not a good way to earn trust...

No threats or insults... I don't see where you got that from. I only told it how it is from my point of view and I was completely honest about it.

Since you are the resident expert on security here, am I not telling it how it is on Tcp (that portion of the IP stack, not udp), as regards soliciting connections?

Showing a little appreciation of the constant attack from people who show up to offer solutions only to turn out to be criminals would be far more likely to earn some trust here...

Well, according to Paleo Pete above you? You're the resident security expert here... again: IF you would? Critique or add to points in that posting above... thanks.

Have you even looked at some of the exchanges with malware makers who defend their products with threats and insults??

I kill their machinations everyday professionally on the job, step tracing & all. Good enough for me. I generally don't see too much of what you state though... most of them imo @ least? Tend to 'stay under the covers/outta the limelight'... lol, which makes TOTAL sense, as they're not exactly acting to "the letter of the law" etc. et al.

LASTLY/AGAIN: Since you are the "resident security expert" here?

Well - Get "experting" then, as Paul suggested!

(& add to this with constructive technical points please (or critique points you think may have exceptions/weaknesses, etc.)).

Thanks. You'll only be making it stronger/better, if you do or can, with valid technical critique.

APK

P.S.=> Of all people here, since you come heavily endorsed, I am surprised you haven't "pored over the points above" & done so already.

On CIS Tool: I think also, of ALL people here, that you will enjoy it more than anybody... again - I thought I had the "secured as possible" Windows NT-based OS rig & this tool taught me a "trick or two" by all means... hopefully, you gain the same too! apk

Budfred
12-06-2007, 07:40 AM
Heh, I'll tell you what gets ME banned, personally: Getting "into it" with mods... I will take almost anything from folks, to a point, & then, I don't (like most folks).

Thing is? I could absolutely & QUICKLY floor their servers, no questions asked, & I don't... I just "walk away" 9/10 times, & watch them delete their posts where they started up with myself to "cover their b.s." & they must think folks are blind... lol! That people don't see & remember stuff like that.

That's just dumb. I guess that is what comes of thinking you are the "lord of your own little planet" long enough... absolute power, corrupting absolutely & all that (until you run into someone that can blast the planet you lord over, to dust that is).

And, there is ALWAYS someone who can online, the nature of Tcp portion of IP creates the possibility, & it only takes 5 minutes, tops.
You refer to taking down sites and explain how mods are dumb, corrupt and have regal pretensions... I would say that adds up to threats and insults...

APK
12-06-2007, 07:55 AM
You refer to taking down sites and explain how mods are dumb, corrupt and have regal pretensions... I would say that adds up to threats and insults...

I never said they were dumb, just that trying to bury what everyone has seen, is. "Regal pretensions"? If you took it that way, then so be it.

Above all else: I *could* do what I said, but... I said, I don't & "walk away" 9/10 times.

Is this the best you have to offer on its points?

Ok then. Nothing I can do about that, as it's a matter of your personal perception... So... How to change that perception, & "overcome your objections" then?

Hmmm...

Well, gosh: Please, if you will - Do examine those points above, & offer any solid technical critique you may have on them (again, as it will only possibly make it that much stronger).

You're EXACTLY the kind of guy to do it, per Paleo Pete's description of you & THAT is the kind of guys I want especially, offering solid technical critique of its points in fact!

(Again: it only makes it further refined & stronger - plus, I do credit others who offer them in its points when they do offer STRONG valid technical points).

And, the links/urls in it are legitimate & well-noted good reputable sites (like SECUNIA.COM, which I would wager you're familiar with if you're into security & all that. Microsoft.com is another, slashdot is another, etc. et al)

I think, once more, if you try CIS TOOL? You, of all folks here, will love it. It truly is, good stuff, enjoy!

APK

Budfred
12-06-2007, 07:14 PM
So let me see if I understand you...

You are in court for assault and you tell the judge: "I don't know what your problem is, I got angry at 10 guys today, but I only put one in the hospital"...

Or you are proposing to the woman you want to marry and you tell her: "I promise you that I won't beat you up for more than one out of every ten things you say or do that I think are stupid"...

Somehow this kind of statement makes sense to you and doesn't seem threatening??

APK
12-06-2007, 07:33 PM
So let me see if I understand you...

Apparently, you don't, so drop it... I am.

I mean, hey:

You are not willing to even try to help make this post better, on technical levels (that or you have nothing to add, what else could it be)!

after you've been here for a while and our resident security experts, such as Budfred, KNOW you know what you're doing.

(& you are the "resident security guru" here, according to your friend's stating this on the prior page)...

Too bad.

I was hoping you'd @ least stay on topic, & try to critique this post on technical merits @ least.

APK

P.S.=> Above all else - You're not going to "rope me into some 'flaming match', sorry... I don't have time for that, so this is the last I have to say, if you won't examine this posting & hopefully, find weaknesses in it, or add stuff I don't have...& that's too bad: Everyone gains by critique & analysis! apk

Budfred
12-06-2007, 10:07 PM
You still don't get it... This is about trust... That is what this topic is about until you address it...

You drop into our forum and immediately start posting your treatise about what you think is good security... When questioned about that, you post a threat to attack our forum if you don't like what we say... Yes, you disguise the threat, but it is a threat nonetheless... You refuse to remove the threat and you insist that we provide you feedback on your terms... You also suggest that you have had similar problems at a number of other forums, but apparently you haven't learned to be respectful of those forums and their policies as a result... This is our policy which you agreed to:

Forum Rules

Registration to this forum is free! We do insist that you abide by the rules and policies detailed below. If you agree to the terms, please check the 'I agree' checkbox and press the 'Register' button below. If you would like to cancel the registration, click here to return to the forums index.

Although the administrators and moderators of The PC Guide Discussion Forums will attempt to keep all objectionable messages off this forum, it is impossible for us to review all messages. All messages express the views of the author, and neither the owners of The PC Guide Discussion Forums, nor Jelsoft Enterprises Ltd. (developers of vBulletin) will be held responsible for the content of any message.

By agreeing to these rules, you warrant that you will not post any messages that are obscene, vulgar, sexually-oriented, hateful, threatening, or otherwise violative of any laws.

The owners of The PC Guide Discussion Forums reserve the right to remove, edit, move or close any thread for any reason.

If you can earn some trust, you can earn some feedback on your writing... So far, you have not even begun to earn my trust...

Either end the threat or leave...

Paleo Pete
12-06-2007, 10:16 PM
APK:

I think you're the one who doesn't understand.

Your posts so far, after the first barrage, have been tedious and uncooperative, nitpicking, threatening and irritating, which I think is probably your primary goal.

If you want proof of Budfred's abilities, go read a few dozen of his posts, he doesn't have to prove a thing to you.

He quoted your threat verbatim, talking circles around it won't change the facts, outright denying it is just plain lying and that's a fact. So you've proven in black and white you are a liar:



No threats or insults... I don't see where you got that from. I only told it how it is from my point of view and I was completely honest about it.

Then

I never said they were dumb,

Those are both lies.

Your thinly veiled threat is quoted exactly. Lying won't change that. In the next paragraph you at least implied that the people running the forums you apparently regularly get banned from are dumb. And the implication was very clear.

By threatening the website's administration you have directly violated the user agreement you were required to electronically sign to be able to register your user name and therefore post in these forums. It says and I quote:

Registration to this forum is free! We do insist that you abide by the rules and policies detailed below. If you agree to the terms, please check the 'I agree' checkbox and press the 'Register' button below. If you would like to cancel the registration, click here to return to the forums index.

Although the administrators and moderators of The PC Guide Discussion Forums will attempt to keep all objectionable messages off this forum, it is impossible for us to review all messages. All messages express the views of the author, and neither the owners of The PC Guide Discussion Forums, nor Jelsoft Enterprises Ltd. (developers of vBulletin) will be held responsible for the content of any message.

By agreeing to these rules, you warrant that you will not post any messages that are obscene, vulgar, sexually-oriented, hateful, threatening, or otherwise violative of any laws.

The owners of The PC Guide Discussion Forums reserve the right to remove, edit, move or close any thread for any reason.

We furthermore expect you to conduct yourself in a non-confrontational manner, which you obviously have no intention of doing by all present appearances.

No more, it stops here. Say what you want about your perception of our way of doing things, you're playing in our sandbox, we expect you to try and get along, not stir up a stink. If you acted this way in someone's living room you would have been thrown out or punched in the nose long ago and you know it.

If you want to remain an active member of these forums longer than your next post, stop the arguing, drop the BS and work with us, you are not at all welcome here if you continue to conduct yourself in a confrontational manner.

You are not willing to even try to help make this post better, on technical levels (that or you have nothing to add, what else could it be)!

(& you are the "resident security guru" here, according to your friend's stating this on the prior page)...

Too bad.

You don't seem to be willing to make it better either, by continuing to argue the matter and belittle people instead of posting something constructive, which you so quickly demand of us.

I strongly suggest YOU be the one to drop it...

SufferWell1396
12-06-2007, 10:27 PM
Budfred, APK, the both of you come on.

APK: I can understand where Budfred is coming from on this one,
but Budfred it's total user choice, APK was making no one do his steps, they were pure recommendations.

APK I personally value your views, and find your recommendations to be quite informative, I think you could be a very useful member to this community, and wish you stay.
You were however, way out of line when you insinuated that the people who run the forums are dumb, as Paleo Pete said, Budfred is an established member and doesn't have to prove a thing to you.

also like Paleo Pete said. this is over. please drop it.

APK
12-07-2007, 08:05 AM
Budfred, APK, the both of you come on.

I'm just here to post something, that if followed to its entirety using the CIS Tool, just works as noted by myself, & the scores posted note this from the CIS Tool.

I.E.-> You're as secure as you can get (or, as secure as I know how to make one, & still be able to go online) online today (vs. hackers/trojans/spyware/malware etc. et al).

I was looking for folks to critique it &/or add to it because I am certain of 1 thing:

Nobody in this field knows everything is why.

(I.E.-> I may have missed crucial points or exceptions in my init. posts (12 steps) above is why).

APK: I can understand where Budfred is coming from on this one,

I do, but he has it ALL wrong from my end. Reality's just a matter of perception after all.

He EXPLICITLY STATES & I quote it below, that I made threats vs. THIS forum? Well, I challenge him to show ANY OF US, where.

That's all @ this point.

In reply to he earlier, I was just being honest above on my own experiences on SOME forums before, & he took it as if I was addressing he & if it was something that had happened with he from me... it had not.

He also seems to overlook the fact that I said "9/10 times I just walk away" in essence.

As far as technical critique from he, as regards the points in this posting well... hey, why not?

Since he's the top dog here security-wise, & thus described by a few of you as such, & as I stated above?

He'd be the perfect fellow for helping make it better then with good points that improve it or shore up any weaknesses in it, then you gain, I gain, & anyone reading, gains.

but Budfred it's total user choice, APK was making no one do his steps, they were pure recommendations.

He didn't even once make comments on the technical material though... he's continuing on 1 paragraph of my reply, & that only (where I was honest about my experiences online is all).

APK I personally value your views, and find your recommendations to be quite informative, I think you could be a very useful member to this community, and wish you stay.

Seems like a nice spot online, & I stay to improve the points in this article so everyone can gain by it... & Windows OS + Security forums is where that is going to happen & this is one such spot.

You were however, way out of line when you insinuated that the people who run the forums are dumb, as Paleo Pete said, Budfred is an established member and doesn't have to prove a thing to you.

Who said I was out to have him "Prove Anything"? I only ASKED he make critique of the technical material, especially because you guys hold him in high regard in THIS particular area...

Guys... but, doing some flaming match is NOT where I am @ guys... where I am @, is to get critique of the points I put up, in case I am "wrong/off/weak" in any of them.

That way? Everyone reading, gains.

also like Paleo Pete said. this is over. please drop it.

I did & only *asked* (not demanded) that he take a peek @ what's in this point's init. 12-13 posts, to make them better hopefully.

(That's better & more constructive than continuing the madness of debating points I spoke in all honesty is all - & NOT ONCE had I made a threat to this forums, not once... he is now asked to show WHERE I did... he can't.).

Anyhow, I am glad you enjoy the points on security.

APK

APK
12-07-2007, 08:13 AM
When questioned about that, you post a threat to attack our forum if you don't like what we say...

What?

Care to show me where I made a threat to attack *THIS* forums?

Show any of us, that.

Thanks.

I am asking for critique of its points, which I probably WOULD ACTUALLY LIKE (despite what you're saying now)... AND, that's whether you like the points I note above, or not, I would like critique/exceptions etc. that I do NOT cover, OR may have missed.

I would discuss the points you or others make, rationally, based on facts is all (technical facts, NOT insinuations or misconceptions/misperceptions)...

Just to make this posting, stronger, & get diff. folks' views on its points.

This is all.

APK

P.S.=> Well, guys, all I ask of anyone (in fact, I do so in the termination of its last "P.S." paragraph in its P.S.) who tries these points, or reads this post, is please:

Do add to it (or "knock it down on its points" to where I may have missed something or was incomplete about it is all)

... we ALL gain by that... apk

Paleo Pete
12-07-2007, 08:35 AM
OK, I've had enough. You obviously don't intend to do anything but bicker with us, you are still denying that you DID make a thinly veiled threat, you're still issuing an outright challenge for Budfred (or any of us for that matter) to prove something, you're still evading the issues and working in circles around them without actually offering a straight response, you're still trying to prolong and provoke a confrontation.

Later

PrntRhd
12-07-2007, 08:48 AM
You seem to miss the point, you posted a compilation of best practice configurations you collected and then claimed them as your own.
On about half of those 20(?) forums (I counted 12) you never got any replies at all, and the ones you did get replies on got the same responses you got here. You seem to feed on the "controversy" you create. That is not acceptable behavior here, it is trolling.

Paleo Pete asked you to stop, but you have not.

I think it is time for you to leave.

Edit: Pete beat me to the hammer.

LOLLittleBoys
12-07-2007, 03:11 PM
Tr tr s mch s cn... cn't stp m, .M. th gngrbrd mn...

Th n tht blw pst r WK bn, lk t ws nt vn thr.

(G b P ddrss nxt tm, lsrs... & f d? Wll, wll jst bt tht t... ll!)

PK

G thght 'bnnd m'... ll, sm bn!

PWRLSS MDS... ll!

PK

Jst lttl lssn t , & t lt flks hr s hw WK & dctfl lttl fls hr r... cld d wrs? BSLTL.

BT, ths wll d. Jst t shw ppl hr hw WK & slss ll r... ll!

B th w, nmrds:

skd th qstns, ddn't "skt nthng"... bt, r "rsdnt scrt xprt" (NT) srl dd, ll...

H's lm, & wk.

S r Pl Pt. t ght t b "pl wth rslf Pt" nstd, bcs r bn?

s ffctv s wt ppr bg & sr t gt pst.

PK

P.S.=> Fnn n n cld shw whr sd wld ttck ths frms... gs? 'r WK! pk

You seem to miss the point, you posted a compilation of best practice configurations you collected and then claimed them as your own.

Hv ? skd hm t shw WHR SD WLD TTCK *THS* FRMS... fnn, h cn't.

r rsdnt "scrt gr"? LL... h cn't vn crtq th pnts n m rpl prprl.

wldn't jn frms wth drks lk frks @ th hlm.

On about half of those 20(?) forums (I counted 12) you never got any replies at all, and the ones you did get replies on got the same responses you got here. You seem to feed on the "controversy" you create. That is not acceptable behavior here, it is trolling.

ddn't ttck frst... jst nswrd qstns, & ddn't skt pst nthng... lns n th thr hnd? LL... skd fr vdnc f whr sd wld ttck ths frms... hv gttn t??

N. Smpl bcs t's nt thr.

Paleo Pete asked you to stop, but you have not.

I think it is time for you to leave.

STP M... MK M lv... ll, n r BST D "ll pwrfl mds", cn't... sm xprts.

t's FN nw, hmltng ths.


Edit: Pete beat me to the hammer.

LL, sm hmmr... m hr nw, rn't ?

Prvng m pnt, mkng lk lk th WK FLS, r, ND, rght n frnt f LL F R SRS, ll... hlrs.

Gt jb bs, bt nt n THS fld... 'r T wk!

LL!

PK

OK, I've had enough.

LL, hvn't... r PWRLSS, WK, nd s mch fr r "bn" lttl frms brd Npln.

'm r wtrl, chmp!

PK

Wow... Get a life. Loser.

, k... mk m: r "scrt xprt" cldn't... hll, h cldn't shw whr sd xplctl wld ttck r frms cld h?

ND, h & hs chmp sdkck Pl wth rslf PT, cldn't bn m n hs BST d...

LL!

T s... fls ndd t b mbrssd, & m jst th g t d t.

Rght n frnt f LL f r srs.

PK

SufferWell1396
12-07-2007, 03:22 PM
Wow... Get a life. Loser.

classicsoftware
12-07-2007, 03:43 PM
What happened? Cat got your vowels???

Budfred
12-07-2007, 08:07 PM
For anyone who is interested in the material posted here... Most of it is valid, but overly complex and clearly not user friendly... Pretty much all of it has been published elsewhere, but usually in a much more accessible manner and using tools that do much of it automatically for those who don't want to dig around in the innards of their software... This is one good example:

http://forums.spywareinfo.com/index.php?showtopic=60955

And of course, there are many others...

I very much doubt that the casual computer user could use much, if any, of the material here...

PrntRhd
12-07-2007, 08:23 PM
He just keeps posting this same stuff all over the web, then gets into arguments with moderators:
http://antionline.com/showthread.php?t=276291
http://hothardware.com/cs2007/forums/t/36212.aspx
http://forums1.techpowerup.com/showthread.php?p=500284
Seems we are not the only forum who has issues with this jerk's behavior.