• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Securing Windows 2000/XP/Server 2003 services HOW TO

Status
Not open for further replies.

Namslas90

New Member
Joined
Aug 27, 2006
Messages
4,846 (0.75/day)
Location
Earth
Thanx, I needed that!!
Nice to hear from you;
Don't work too hard!!

L8r
 
Last edited:
Joined
Mar 13, 2007
Messages
1 (0.00/day)
Thanx, I needed that!!

Good, I hope so... I saw your profile, & security IS part of the name of YOUR game I see!

:)

Nice to hear from you;

It is ONLY to "keep square w/ the house" here, karma etc. because folks here did teach me about AMD overclocking (since I let my hardware know-how go WAY slack in the time that I have been concentrating on software/OS/programming instead for the last decade++ or so now)...

My explicitly giving Solaris17 & InfraRed the material for reconstructing this post the RIGHT way, with all of its data intact & what-not, via email, is for getting square w/ the house, debt erased type of thing:

All so they each have data to reconstruct this post the way I would have per Solaris17's request to make the sticky threads I had here (4 of them) into less (I eliminated 1, startup/run areas & consolidated 3 more into what this one WILL be eventually once Solaris does the directions above).

It is probably the BEST post I ever put out here, so... I think it "evens up the score" with TPU members who taught me the tricks of o/c'ing a modern AMD rig.

Don't work too hard!!

L8r

Have no choice, have to... largest reason I have to 'lay off' doing forums really... well, that & some of the replies I saw in various threads after I left... because, as you can see? THERE IS NO BANNING ME.

(Man - 1 good thing comes of things like this situation turned out to be: I can tell who was against me, or was my pal... always a good thing, that!)

APK
 

Jimmy 2004

New Member
Joined
Jan 15, 2005
Messages
5,458 (0.78/day)
Location
England
System Name Jimmy 2004's PC
Processor S754 AMD Athlon64 3200+ @ 2640MHz
Motherboard ASUS K8N
Cooling AC Freezer 64 Pro + Zalman VF1000 + 5x120mm Antec TriCool Case Fans
Memory 1GB Kingston PC3200 (2x512MB)
Video Card(s) Saphire 256MB X800 GTO @ 450MHz/560MHz (Core/Memory)
Storage 500GB Western Digital SATA II + 80GB Maxtor DiamondMax SATA
Display(s) Digimate 17" TFT (1280x1024)
Case Antec P182
Audio Device(s) Audigy 4 + Creative Inspire T7900 7.1 Speakers
Power Supply Corsair HX520W
Software Windows XP Home
Hi Alec - not sure how long you'll last back here, but I thought I'd let you know the guys over at AshenTech would like you to join them I think - not that I want to push people away from TPU, but doubt you're planning to post on here anymore.

Thanks for trying to get the thread back up, although I can't say I approved of removing it in the first place.
BTW, the DDOS comment was from this thread. Anyway, enough of that subject, techPowerUp! has had more than enough drama and doesn't need anything else.
 

AshenSugar

New Member
Joined
Sep 20, 2006
Messages
1,998 (0.31/day)
Location
ashentech.com
Processor Athlon64 3500+(2.2gz)@2.94gz(3.03gz)
Motherboard Biostar Tforce550 (RMA) (m2n-sli delux)
Cooling PIB cooler
Memory 2gb ocz 533 +1gb samsung 533 4-4-4-12
Video Card(s) x1900xtx 512mb+zalman vf900 cooler(kicks stock coolers arse)
Storage 80gb,200gb,250gb,160gb
Display(s) 20.1 in dell 2001fp + KDS visual sensations 19"
Case Codegen briza seirse
Audio Device(s) ADI SoundMax HD audio onboard,using Ket's driver pack
Power Supply FSP 400watt SAGA seirse w/noise killer
Software Windows 2003 ent server as workstation(kills xp in perf and stab)
yes we would like to see alek come by, even if only from time to time.

and ofcorse they banned him again, and would ban a hundred more accounts if they knew it was him, or others who have came back under ghost names.

As you should know alec and others, i consider alec a friend, we had great talks, its over and done, im sure hes not going to be welcomed back here, and im sure thats mostly because a few people still really have a problem with him and how he reacted to the situation that happened that night.......everybody needs to just let it go.......

this was a great place, and may be one again, but many where driven away by whats happened over the last few months, this alec thing was just the straw that broke the camels back, punish 1 and not the other when both should be held accountable...to me that was a big thing.......i have been a forums admin 5+ times in the past, also been a gmod/supermod more times then that, and i would have temp banned them both as soon as i saw it happening, give them a couple/few days to cool off......if that didnt work, well weeks or more may have been needed, but i never would have taken sides as it seems some mods did....i cant blame alec for being upset and desiding not to come back here, it sickens me how mods can jump to take sides, then crap like the thred wazzle posted.......a mod shouldnt be doing that shit..

its become clear that wazzle really does just like to stir shit up.....as others have told me in the past.....not a good thing for a mod to do........
 

Jimmy 2004

New Member
Joined
Jan 15, 2005
Messages
5,458 (0.78/day)
Location
England
System Name Jimmy 2004's PC
Processor S754 AMD Athlon64 3200+ @ 2640MHz
Motherboard ASUS K8N
Cooling AC Freezer 64 Pro + Zalman VF1000 + 5x120mm Antec TriCool Case Fans
Memory 1GB Kingston PC3200 (2x512MB)
Video Card(s) Saphire 256MB X800 GTO @ 450MHz/560MHz (Core/Memory)
Storage 500GB Western Digital SATA II + 80GB Maxtor DiamondMax SATA
Display(s) Digimate 17" TFT (1280x1024)
Case Antec P182
Audio Device(s) Audigy 4 + Creative Inspire T7900 7.1 Speakers
Power Supply Corsair HX520W
Software Windows XP Home
Admittedly you could also follow the first link in ashen's sig to get you to ashentech, but unfortunately that will link you to ashentech.coom .
 

newtekie1

Semi-Retired Folder
Joined
Nov 22, 2005
Messages
28,472 (4.25/day)
Location
Indiana, USA
Processor Intel Core i7 10850K@5.2GHz
Motherboard AsRock Z470 Taichi
Cooling Corsair H115i Pro w/ Noctua NF-A14 Fans
Memory 32GB DDR4-3600
Video Card(s) RTX 2070 Super
Storage 500GB SX8200 Pro + 8TB with 1TB SSD Cache
Display(s) Acer Nitro VG280K 4K 28"
Case Fractal Design Define S
Audio Device(s) Onboard is good enough for me
Power Supply eVGA SuperNOVA 1000w G3
Software Windows 10 Pro x64
Ashen, why is it that you are the only one that can't seem to "just let it go"?

punish 1 and not the other when both should be held accountable...to me that was a big thing.......i have been a forums admin 5+ times in the past, also been a gmod/supermod more times then that, and i would have temp banned them both as soon as i saw it happening, give them a couple/few days to cool off......if that didnt work, well weeks or more may have been needed, but i never would have taken sides as it seems some mods did....i cant blame alec for being upset and desiding not to come back here, it sickens me how mods can jump to take sides

See Here to discover why he was banned and I wasn't:
http://forums.techpowerup.com/showthread.php?p=284508

It has something to do with the fact that I didn't do anything and he did(and then some). The mods didn't take sides, they banned the one that deserved it and not the innocent one. I got my infraction for my one and single insult given out, which again was only after he insulted me.

Now, follow your own advise and just let it go already.
 

Polaris573

Senior Moderator
Joined
Feb 26, 2005
Messages
4,268 (0.61/day)
Location
Little Rock, USA
Processor LGA 775 Intel Q9550 2.8 Ghz
Motherboard MSI P7N Diamond - 780i Chipset
Cooling Arctic Freezer
Memory 6GB G.Skill DDRII 800 4-4-3-5
Video Card(s) Sapphire HD 7850 2 GB PCI-E
Storage 1 TB Seagate 32MB Cache, 250 GB Seagate 16MB Cache
Display(s) Acer X203w
Case Coolermaster Centurion 5
Audio Device(s) Creative Sound Blaster X-Fi Xtreme Music
Power Supply OCZ StealthXStream 600 Watt
Software Windows 7 Ultimate x64
How about all of you stop it?
 

newtekie1

Semi-Retired Folder
Joined
Nov 22, 2005
Messages
28,472 (4.25/day)
Location
Indiana, USA
Processor Intel Core i7 10850K@5.2GHz
Motherboard AsRock Z470 Taichi
Cooling Corsair H115i Pro w/ Noctua NF-A14 Fans
Memory 32GB DDR4-3600
Video Card(s) RTX 2070 Super
Storage 500GB SX8200 Pro + 8TB with 1TB SSD Cache
Display(s) Acer Nitro VG280K 4K 28"
Case Fractal Design Define S
Audio Device(s) Onboard is good enough for me
Power Supply eVGA SuperNOVA 1000w G3
Software Windows 10 Pro x64
How about all of you stop it?

I've let it go, obviously I'm back, just needed a day or two to cool off. But I'll defend myself as long as Ashen keeps going on about it. That is just the kind of person I am and the personality I have.
 

TheMasterOfSinanju

New Member
Joined
Jun 18, 2007
Messages
28 (0.00/day)
Location
A discrete point in the space-time continuum!
NEWLY AMENDED, FULL BORE HOW TO SECURE YOUR RIG by "The Master of Sinanju" (apk)

Original version @ slashdot -> http://it.slashdot.org/comments.pl?sid=237507&cid=19410153

INTRODUCTION:

Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - new holes/vulnerabilities appear in the OS & its libs + apps, but this gets you closer, if not as close as a body needs to be!).

THIS IS GEARED TO "stand-alone" systems online on the internet (However - it can be adapted for LAN/WAN office or home networked environs, BUT, pay attention to step #2's 'warnings' about pulling Client For Microsoft Networks, &/or File & printer sharing - most networks require/need this)

BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:

Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):

http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

It is a personally 'security-hardened' model I have been working on for many years, using principals I learned & used since the NT 3.5x days onward to this version of the OS: As is now?

I score an 84.735 on the CIS Tool 1.x currently as of 06/01/2007! This is up from my past score here of 76.xxx on it, & here is how to do it!

(For CIS Tool - There are Linux, MacOS X, Solaris, & other OS models ports of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)

DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:

http://www.cisecurity.org/bench.html

(IMPORTANT: This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!)

APK 14 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):

1.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP (you have to install this, it does NOT install by default) first to help security it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as as starting point))...

Directions for its installation are as follows:

Start the Add or Remove Programs Control Panel applet.

Click Add/Remove Windows Components.

On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

DONE! Now, run it... it is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

Then, @ that point? I pull ANY Networking clients &/or Protocols in the Local Area Connection, other than Tcp/IP typically (& disable NetBIOS as well, because I don't need it here), on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN. I also disable that too!

2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)!

3.) Use IP security policies (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:

http://www.analogx.com/contents/articles/ipsec.htm

(Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)

NOTE: This can be 'troublesome' though, for folks that run filesharing clients though. An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.

(HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it & when done? TURN THEM ON, AGAIN!).

4.) USE General security policies in gpedit.msc/secpol.msc, these are VALUABLE tools (and will be needed & suggestions for it will be told to you by the CIS Tool noted above - great stuff!)

5.) HARDENING & SECURING SERVICES HOW-TO:

Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE), see this URL where I did a lot of research for a prebuilt list for another forums, to see how/why this works:

http://forums.techpowerup.com/showthread.php?t=16097

I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privelege user too for this on 2000 if needed)...

I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

LOCAL SERVICE startable list (vs. LocalSystem Logon Default):

Acronis Scheduler 2 Service
Alerter (needs Workstation Service Running)
COM+ System Application
GHOST
Indexing Service
NVIDIA Display Driver Service
Office Source Engine
O&O Clever Cache
Remote Registry
Sandra Service
Sandra Data Service
SmartCard
Tcp/IP NetBIOS Helper
Telnet
UserProfile Hive Cleanup Service
Volume Shadowing Service
Windows UserMode Drivers
Windows Image Acquisition
WinHTTP Proxy AutoDiscovery Service

NETWORK SERVICE startable list (vs. LocalSystem Logon Default):

ASP.NET State Service
Application Layer Gateway
Clipbook (needs Network DDE & Network DDE DSDM)
Microsoft Shadow Copy Provider
Executive Software Undelete
DNS Client
DHCP Client
Error Reporting
FileZilla Server
Machine Debug Manager
Merger
NetMeeting Remote Desktop Sharing Service
Network DDE
Network DDE DSDM
PDEngine (Raxco PerfectDisk)
Performance Logs & Alerts
RPC
Remote Desktop Help Session Manager Service
Remote Packet Capture Protocol v.0 (experimental MS service)
Resultant Set of Policies Provider
SAV Roam
Symantec LiveUpdate
Visual Studio 2005 Remote Debug

PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.

WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

If that fails? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

ListSvc (shows services & drivers states of stopped or started)

Enable (starts up a service &/or driver)

Disable (stops a server &/or driver)

Which can turn them back on if/when needed

(ON Virtual Disk Service being removed, specifically (because it used to be in this list): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this - do consider it, when possible!

SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

http://forums.techpowerup.com/showthread.php?t=16097

"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use it's File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

(It's easy, & it works, & is necessary for the actual steps to do this, below)

Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

(To define a new security template, follow these steps)

1. In the console tree, expand Security Templates
2. Right-click %SystemRoot%\Security\Templates, and then click New Template
3. In the Template name box, type a name for the new template.

(If you want, you can type a description in the Description box, and then click OK)

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

1. To define a System Services policy, follow these steps:
a. Expand System Services
b. In the right pane, double-click the service that you want to configure
c. Specify the options that you want, and then click OK.

(And, of course, the user feedback on its effectiveness (Makes your Win32 NT-based OS very much like how MacOS X treats its daemon processes via privelege levels), which uses the same general principals)

It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

DONE!

6.) Another thing I do for securing a Windows NT-based OS: IP Port Filtrations (like ip security policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IPSecurity policies, hardware AND software firewalls, all in combination/simultaneously running)!

DIRECTIONS:

Start Menu -> Connect To Item (on the right hand side) -> Local Area Connection (whatever you called it, this is the default, iirc) open it via double click OR, right-click popup menu PROPERTIES item -> Properties button on left-hand side bottom, press/click it -> NEXT SCREEN (Local Area Connection PROPERTIES) -> "This connection uses the followng items" (go down the list, to Tcp/IP & select it & /click the PROPERTIES button there) -> Press/Click the Advanced Button @ the bottom Right-Hand Side (shows Advanced Tcp/IP Settings screen) -> OPTIONS tab, use it & Tcp IP Filtering is in the list, highlite/select it -> Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side -> Check the "Enable Tcp/IP Filtering (on all adapters)" selection -> In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp) -> In the far left "tcp ports" list - check off the radio button above the list titled "PERMIT ONLY", & then add ports you want to have open (all others will be filtered out, & for example, I leave port 80,8080, & 443 here open, only - you may need more if you run mail servers, & what-have-you (this varies by application)) -> I leave the UDP section "PERMIT ALL" because of ephemeral/short-lived ports usage that Windows does (I have never successfully filtered this properly but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)) -> DONE!

You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA? This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

http://www.microsoft.com/technet/community/columns/cableguy/cg0605.mspx

(Enjoy the read, it is VERY informative - That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

7.) PLUS, this version of the OS in Server 2003 has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)

8.) Running the "std. stuff", like AntiVirus (NOD32 latest 2.7x - best one there is, & that is not only MY opinion after testing it vs. my former fav. NAV Corporate 10.2 (it is lighter in RAM & resource uses than NAV Corporate even, finds more virus' than others, & uses less "moving parts" (in the way of services componentry, than most do, & certainly less than NAV)) + SpyBot (Ad-Aware is another option) as my resident antispyware tool running in the background! AntiRootkit tools are another one to be conscious of nowadays, now that such machinations are available for Windows (they originated, afaik, in the UNIX world though). The "best ones" are:

AVG AntiRootkit
BitDefender AntiRootkit
GMER
Rootkit Revealer
PrevX AntiRootkit
Rootkit Hook Analyzer
Sophos AntiRootkit
F-Secure Blacklight
Gromozon Rootkit Removal Tool
KLister
McAfee Rootkit Detective
PatchFinder
RogueRemover
VICE
System Virginity Verifier for Windows 2000/XP/2003

That is a list for you all to choose from, they all do a decent enough job though, & are 100% FREE - SO, DO use them!

9.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person (still gets email scanned though by your resident antivirus email scan component (use AntiVirus programs with these, OR, manually scan ANY attachments before opening them (if you get Microsoft Office .doc, .xls, .ppt etc. files uncompressed? HOLD DOWN THE SHIFT KEY AS YOU OPEN THEM - this stops macros from running & macros are the avenue utilized using VBA script to infect you))

10.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router (with cookie & scripting filtering built-in @ the hardware level), these are excellent investments for security.

11.) USE Tons of security & speed oriented registry hacks (reconfiging the OS basically - stuff like you might do in etc in UNIX/LINUX I suppose)

Many can be found here, in an article I authored (and it tells what they do, & how they work, w/ descriptions from Microsoft themselves):

http://www.avatar.demon.nl/APK.html

OR, if that site is down? Download them from here @ SOFTPEDIA (where they are rated 4/5):

http://www.softpedia.com/get/Tweak/System-Tweak/APK-Internet-and-NTkXP-Speedup-Guides.shtml

OR, just email me here for them -> apk4776239@hotmail.com

(I also have these PREBUILT, in .reg files, mind you!)

They are FULLY documented internally, with link url's to the Microsoft pages they came from, inside the .reg files, so YOU can look at what the hack does inside them, verify this @ MS, & know what the valid parameters are as well!

(This? It took me FOREVER a year or so ago to do this, but worth it!)

The urls, or downloadable .mht files, outline it all (as do my prebuilt .reg files, probably the BEST choice of the lot imo), as to what you can ".reg file hack" for better SPEED, and SECURITY online, in a modern Windows 2000/XP/Server 2003 OS & has references from Microsoft in it for each setting plus their definitions & parameters possible!

12.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE (my personal one houses, as of this date, 90,000 known adbanner servers, OR sites known to bear malicious code & exploits (per GOOGLE mostly, from stopbadware.org))

Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filering files + cascading style sheets for this purpose.

(As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))

For a copy of mine, write me, here -> apk4776239@hotmail.com

And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)

13.) KEEP UP ON PATCHES FROM MICROSOFT, HERE (ordered by release date) and your antivirus/antispyware/antirootkit AND Java runtime vendors:

http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

(Download them manually & install them yourself, OR just let "Windows Automatic Updates" run)

& please - DO keep up on your AntiVirus updates (either automatically via their services, or manually) & the same with your AntiSpyware products &/or things like JAVA runtimes (which was updated yesterday (06/05/2007) to JRE6.1 by SUN Microsystems mind you)!

14.) It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE" UAC-like type scenario, isolating them into their own spaces, here are 2 methods, how (not needed on VISTA though, afaik):

IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":

http://it.slashdot.org/comments.pl?sid=236547&cid=19310513

MY METHOD:

RUNNING IE in a "runas limited user class" sandbox effect:

"It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.

Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd". on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batchfile c:windowsie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from you normal desktop and only run it from the restricted account. This way you can use IE without worry about any IE exploits"

OTHER, VERY QUITE POSSIBLY SUPERIOR METHOD: ...this is exacly the way I do (but with opera and other internet related apps as acroread, mail, ...). But simply "runas /user:xxx cmd" is not the best way to achieve process separation. If you have a look at the process tree you will see: system->smss.exe->winlogon.exe->services.exe->cmd. exe->iexplore.exe. A better way is to use the method described in Joannas blog

http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html

See section: Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root avoiding beeing a child process.

This is my runopera.bat which runs opera as user internet:
psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"

(YOU ARE NOW @ THE END OF THIS DOCUMENT & ALL of that is done for ONLINE security... &, it works!)

(Yes, it's a PAIN to do it the first time - maybe 1 hr. work for an experienced user, more for less experienced ones, but WORTH EVERY SECOND! Why? Well, I have not had this system "go down" due to hacks/cracks/malware/virus/trojans/spyware, etc. et al (you name it) in years now! It just works... & everyone ought to know this stuff, so here 'tis!)

Enjoy & IF you know of more to do? Please, have @ it, & let us all know what it is you do on your Win32 rigs of NT-based OS nature!

APK

P.S.=> Enjoy it, & SOLARIS? Do put this in place of the original post, & THE WIKI too... it is truly, as good as I can get it to be... thanks! Nice to see you all again also! apk
 
Last edited:
Joined
Jul 1, 2005
Messages
5,197 (0.76/day)
Location
Kansas City, KS
System Name Dell XPS 15 9560
Processor I7-7700HQ
Memory 32GB DDR4
Video Card(s) GTX 1050/1080 Ti
Storage 1TB SSD
Display(s) 2x Dell P2715Q/4k Internal
Case Razer Core
Audio Device(s) Creative E5/Objective 2 Amp/Senn HD650
Mouse Logitech Proteus Core
Keyboard Logitech G910
Belarc advisor security status...

Isn't that the program that posts your windows key online?

Lolz.
 

TheMasterOfSinanju

New Member
Joined
Jun 18, 2007
Messages
28 (0.00/day)
Location
A discrete point in the space-time continuum!
Belarc advisor security status...

Isn't that the program that posts your windows key online?

Lolz.

Well, it's SORT OF like the "CIS Tool 1.x" I note above, & their developer came in here to these forums, to speak with myself & others in regards to differences I saw in it, vs. CIS Tool 1.x (which is multiplatform, & java driven, whereas Belarc Advisor is pure Windows/Win32 code, afaik @ least & could tell & only runs on Windows - CIS Tool runs on TONS of platforms, java etc. et al is why).

It's a decent program (BELARC ADVISOR), but I have to admit:

I actually LIKE CIS Tool 1.x better, & hence, why I suggest it above, vs. BELARC ADVISOR!

(Plus, if you are conscious of things like you note & suspect badware etc.? Suggest that to Majorgeeks.com or other sites that feature it, OR write him - he came here @ my behest once, is a nice guy, and knows his stuff! He is willing to talk to folks & yes, even help them out as he did myself & others here!)

I like CIS Tool 1.x though, because imo?

It is more accurate, & doesn't assume things (it asks you questions first, & ones I suggested to BelarcGuy to put into HIS app, rather than assume things OR worse, get them wrong).

The "CENTER FOR INTERNET SECURITY" also authored CIS Tool, & if you can't trust them? WHO CAN YOU TRUST?? lol... you know???

He (belarcguy) may have amended it since, especially vs. your objections!

(Yes, I have heard this tell of this too as you did, but it may just be an "urban myth" online (heck, my initials 'apk' are in virus' for God's sake - I did not write those, but I have heard folks say (even here after I left) "APK IS IN VIRUS PROGRAMS", sheesh, lol!))

"APK DON'T BUILD NO JUNK" as the saying goes.

http://www.techpowerup.com/downloads/389/foowhatevermakesgooglehappy.html

LOL!

Anyhow/anyways, on BELARC ADVISOR - I do know he has issued several updates since the time of our test here, write him in regard to your thoughts.

APK

P.S.=> He was EXTREMELY helpful to me though, as he is noted above as helping me out in this capacity - using SECURITY policies! apk
 
Last edited:
Joined
Jul 1, 2005
Messages
5,197 (0.76/day)
Location
Kansas City, KS
System Name Dell XPS 15 9560
Processor I7-7700HQ
Memory 32GB DDR4
Video Card(s) GTX 1050/1080 Ti
Storage 1TB SSD
Display(s) 2x Dell P2715Q/4k Internal
Case Razer Core
Audio Device(s) Creative E5/Objective 2 Amp/Senn HD650
Mouse Logitech Proteus Core
Keyboard Logitech G910

Wile E

Power User
Joined
Oct 1, 2006
Messages
24,318 (3.81/day)
System Name The ClusterF**k
Processor 980X @ 4Ghz
Motherboard Gigabyte GA-EX58-UD5 BIOS F12
Cooling MCR-320, DDC-1 pump w/Bitspower res top (1/2" fittings), Koolance CPU-360
Memory 3x2GB Mushkin Redlines 1600Mhz 6-8-6-24 1T
Video Card(s) Evga GTX 580
Storage Corsair Neutron GTX 240GB, 2xSeagate 320GB RAID0; 2xSeagate 3TB; 2xSamsung 2TB; Samsung 1.5TB
Display(s) HP LP2475w 24" 1920x1200 IPS
Case Technofront Bench Station
Audio Device(s) Auzentech X-Fi Forte into Onkyo SR606 and Polk TSi200's + RM6750
Power Supply ENERMAX Galaxy EVO EGX1250EWT 1250W
Software Win7 Ultimate N x64, OSX 10.8.4

TheMasterOfSinanju

New Member
Joined
Jun 18, 2007
Messages
28 (0.00/day)
Location
A discrete point in the space-time continuum!
OS X, ftw! lol

LOL, I do ideas from that OS, before they HAD it even (because I've been messing around with this since 1992-1998 really, before there WAS a MacOS X)... secured services!

Still, MacOS X, I have to admit, has GREAT BSD foundations!

BSD's have the best IP stack in the business imo, & Windows XP/2003 Server/VISTA bit off of it, in the 'dynamically loading' ip stack (MacOS X stuff here, not sure on early BSD), that previous windows did NOT have!

(AND YES, when MS first put Tcp/IP into their OS, they took older BSD code for their IP stack (there are still ways to show & prove this in fact, if you look online, in the tcpip.sys drivers & other libs MS uses for this, but I don't recall the specifics of it... it's older IP stack BSD code largely, but it was improved upon in some ways, by MS))

I.E. (very real in effect)?

You get a FASTER BOOT from it, for one thing, & you can load/unload stuff like IP Security policies dynamically (I do note this above, see "Analog X" section) & also alter your HOSTS file w/ out a reboot in XP/Server2003/VISTA, where you could NOT in Windows 2000 & below for example WITHOUT reboots of the OS!

Also, & if you have ever noted?

If you do not start up a browser right away with the OS boot, or other apps that call the IP stack (OR perform an esoteric hack to the OS using iirc, gpedit.msc, that makes it like Windows 2000 & below were (making the IP stack load FULLY prior to entering the windows explorer desktop shell, slowing its bootup))?

Your first web based app takes a BIT of time to load, & subsequent loads of it are faster, as are any other IP utilizing app, once only 1 has made calls to it once you are in Windows...

This is why: ONLY Part of the OS' IP stack is loaded @ boot & when an application in "usermode" (explorershell) calls on it? It then only, loads up FULLY!

This technique/trick was 'stolen' from MacOS X tech by MS from what I understand (perhaps an urban myth online, but imo, not in THIS case).

Anyhow - run CIS tool on your MacOS X rigs... see if you can beat a score of 84.735!

(Consider it a 'challenge' to you MacOS X users!)

Hey - None of the Linux folks I challenged to it here:

http://linux.sys-con.com/read/382946_f.htm

(A debate/discussion over Windows vs. Linux security superiority partially)

Tried, or rather perhaps just could NOT exceed my score (which if you guys go about the above? You can have it too, & perhaps, exceed it), & they could NOT beat my score!

Whatever the case may have been? Doesn't matter really... I do suspect they did try it though, & could NOT exceed my score.

See - what I really WANTED was someone with the SELinux builds (addon hooks into the Linux kernel to create ACL like security control, except they call it MAC (mandatory access control)), especially to try it!

CIS Tool 1.x runs on Windows, MacOS X, Linux, BSD, & Solaris (some FYI guys, it is great stuff, & helps you secure yourself, unlike other security testers (not counting Belarc Advisor, it does so, but is NOT quite up to the level of CIS Tool 1.x imo, @ least in the version we tried here)).

Anyhow/anyways - Good luck, hope you can beat my score Wile E!

APK

P.S.=>
I'm impressed. all this work.

I fixed all those problems the easy way. :laugh::laugh:

Yes, Dippy, it is some work (1 hour's worth for experienced folks imo)... but, worth every second, for YEARS of stability from a single setup (I am on 2 now with this one, maybe more)...

I never get "hacked/cracked/virus-malware-spyware ridden" etc. et al, because of that stuff above! I did it once, & have not had to look back, she stays UP & RUNNING, solid!

Does it bug me, that MS does NOT ship it setup like the above?

Yes, and NO...

IMO, it's done for app & network compatibility, mainly for MASS deployments!

Imo, VISTA as it ships "oem/outta-the-box" is probably the BEST that can be done w/ Windows NT-based OS for security, & still have the OS easily "mass deployable" by networkers, & assuring compatibility w/ networks & shared apps that run across networks... I could be wrong, but this is what I suspect. Otherwise, IF I am wrong (& I can be, rare, lol, but I can be)? Ms needs to do this stuff above imo, as std. practice/oem shipped this way (barring the NetBIOS/Client For Microsoft networks cutoffs I note above).

The above 14 steps I use? Generally, its for 'stand-alone/single-rigs online' like mine, but it can be adapted for home LAN setups too (note the LanManager/NetBIOS/Client for Microsoft Networks steps above & their warning!)... apk
 
Last edited:

TheMasterOfSinanju

New Member
Joined
Jun 18, 2007
Messages
28 (0.00/day)
Location
A discrete point in the space-time continuum!
One last thing before hitting work today: Photo proof of my CIS Tool 1.x score



"Pictures DO say a 1,000 words"...

:)

* Which, lol, equates to my post above I would say (easily 1,000 words I would guess/wager)...

APK
 
Joined
Nov 10, 2006
Messages
4,665 (0.73/day)
Location
Washington, US
System Name Rainbow
Processor Intel Core i7 8700k
Motherboard MSI MPG Z390M GAMING EDGE AC
Cooling Corsair H115i, 2x Noctua NF-A14 industrialPPC-3000 PWM
Memory G. Skill TridentZ RGB 4x8GB (F4-3600C16Q-32GTZR)
Video Card(s) ZOTAC GeForce RTX 3090 Trinity
Storage 2x Samsung 950 Pro 256GB | 2xHGST Deskstar 4TB 7.2K
Display(s) Samsung C27HG70
Case Xigmatek Aquila
Power Supply Seasonic 760W SS-760XP
Mouse Razer Deathadder 2013
Keyboard Corsair Vengeance K95
Software Windows 10 Pro
Benchmark Scores 4 trillion points in GmailMark, over 144 FPS 2K Facebook Scrolling (Extreme Quality preset)
Not bad. I think you should add the Microsoft Baseline Security Analyzer to the mix.

I'm not a fan of adding extra software on my servers, though. Most of the ones that I'm lucky enough to manage don't touch the internet. Just keep current on your updates and don't install software that you don't trust with your life.
 

TheMasterOfSinanju

New Member
Joined
Jun 18, 2007
Messages
28 (0.00/day)
Location
A discrete point in the space-time continuum!

Thanks! It just works...

I think you should add the Microsoft Baseline Security Analyzer to the mix.

That's an idea, but I have had trouble running it before here, & iirc, it was calling for me to run SOME services I do not keep running usually!

(IIRC, it depends on services I turn off, & iirc, it MAY have been Terminal Services (I don't use them here like I used to, so, I cranked it off)... I used to use it to work from home 2-3 days a week, but not anymore, have to be "on site" from now on (in mgt. now)).

I'm not a fan of adding extra software on my servers, though. Most of the ones that I'm lucky enough to manage don't touch the internet. Just keep current on your updates and don't install software that you don't trust with your life.

Thing is? This is oriented to WORKSTATIONS/PRO type Windows NT-based OS setups... e.g.-> The Windows Server 2003 setup I have here, is nearly PURELY a "Workstation/Pro" setup, its default in this OS version (you add server components like IIS, or others, ONLY AS YOU NEED THEM (sorry if you are aware of this already, I hate to sound OR BE, condescending, because it's NOT cool, & you never know if you may be talking to someone who is your equal OR superior in a particular area)).

If ANYTHING above? I am cutting back on wares (stopping Client for Microsoft Network or NetBIOS + File & Printer sharing for example)...

Still - I ought to add the basic concept of cutting off services really, ones you do NOT need, but that IS covered in my downloads documents internally, above (softseek ones, etc.).

APK

P.S.=> I will add this to that above, it cannot hurt, IF I missed it (this latter point, cutting off services you do NOT need to be running, & here, NOT just in my downloadable speedup stuff)... EDIT PART - it is there already, but I 'reinforced it more' in a bolded statement! apk
 
Joined
Jul 1, 2005
Messages
5,197 (0.76/day)
Location
Kansas City, KS
System Name Dell XPS 15 9560
Processor I7-7700HQ
Memory 32GB DDR4
Video Card(s) GTX 1050/1080 Ti
Storage 1TB SSD
Display(s) 2x Dell P2715Q/4k Internal
Case Razer Core
Audio Device(s) Creative E5/Objective 2 Amp/Senn HD650
Mouse Logitech Proteus Core
Keyboard Logitech G910
Anyhow - run CIS tool on your MacOS X rigs... see if you can beat a score of 84.735!

(Consider it a 'challenge' to you MacOS X users!)

Hey - None of the Linux folks I challenged to it here:

http://linux.sys-con.com/read/382946_f.htm

(A debate/discussion over Windows vs. Linux security superiority partially)

Tried, or rather perhaps just could NOT exceed my score (which if you guys go about the above? You can have it too, & perhaps, exceed it), & they could NOT beat my score!

Hey, link me a working os x bench and I'll gladly beat it. ;)

But all I could find was a crappy pdf :(
 

Remo_Williams

New Member
Joined
Jun 27, 2007
Messages
7 (0.00/day)
Location
A discrete point in the space-time continuum
Hey, link me a working os x bench and I'll gladly beat it. ;)

But all I could find was a crappy pdf :(

Sorry my man, you are right... I checked before I got the ban (as "TheMasterOfSinanju"), & you are right (I don't use MacOS X, & I figured since it is basically a BSD variant, it would have one, as BSD's do there)...

Of course, this also is an evidence of there being LESS SOFTWARE FOR MacOS X, than there is for Windows... keep that in mind!

Anyhow/anyways - "Oh well!"

If anyone can 'take out my score'? I figured it MIGHT just be a MacOS X rig... SELinux folks can't, & I posted @ slashdot MANY times to the BSD folks even (and Linux Penguins too, even SELinux ones)... nobody could/no takers!

APK

P.S.=> Anyhow, final mod for the TPU Wiki for this post is upcoming... the technique's & article material are down to a "12 step program" in my next post (final one I will ever EVER do here)... enjoy the read, & I hope you guys find it useful in securing your Windows rigs (especially so no one can EVER feed you a line that "Windows is less secure than (insert other OS here)" type stuff... cuz it just AIN'T true!)... apk
 
Last edited:

Remo_Williams

New Member
Joined
Jun 27, 2007
Messages
7 (0.00/day)
Location
A discrete point in the space-time continuum
APK "12 step program" 4 a secure Windows NT-based OS (2000/XP/Server 2003/VISTA))

INTRODUCTION:

Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - new holes/vulnerabilities appear in the OS & its libs + apps, but this gets you closer, if not as close as a body needs to be!).

THIS IS GEARED TO "stand-alone" systems online on the internet (However - it can be adapted for LAN/WAN office or home networked environs, BUT, pay attention to step #2's 'warnings' about pulling Client For Microsoft Networks, &/or File & printer sharing - most networks require/need this)

BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:

Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):

http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

It is a personally 'security-hardened' model I have been working on for many years, using principals I learned & used since the NT 3.5x days onward to this version of the OS: As is now?

I score an 84.735 on the CIS Tool 1.x currently as of 06/01/2007! This is up from my past score here of 76.xxx on it, & here is how to do it!

Currently, I can go NO higher than this score of 84.735 (of 100 total) on CIS Tool 1.x for Windows, pictured here (photo proof/pictures DO say, a 1,000 words (like this post, lol)):

http://forums.techpowerup.com/showthread.php?p=366342#post366342

BUT, that is a GOOD score (especially considering the default score of VISTA even, is FAR BELOW THAT! Nice part is? The techniques noted here can LARGELY APPLY TO VISTA AS WELL! Read on...)

(For CIS Tool - There are Linux, Solaris, BSD variants, & other OS models ports (some only in .pdf security guide form though, not programmatically automated yet, like MacOS X) of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)

DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:

http://www.cisecurity.org/bench.html

(IMPORTANT: This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!)

APK 12 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):

1.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP (you have to install this, it does NOT install by default) first to help security it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as as starting point))...

Directions for its installation are as follows:

Start the Add or Remove Programs Control Panel applet.

Click Add/Remove Windows Components.

On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.

The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.

DONE! Now, run it... it is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).

ALSO, per TPU forums user (username "xvi") @ techpowerup.com forums (software section): Use Microsoft Baseline Security Advisor, a free download from Microsoft as well to check your system for security holes, patch updates, etc. (be wary of the fact it does require various services running though, iirc, Terminal Server Services Client - I do NOT keep that running here anymore, & this program failed on me because of that (would not initialize @ all))

2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)!

E.G.-> Here? I pull ANY Networking clients &/or Protocols in the Local Area Connection, other than Tcp/IP typically (& disable NetBIOS as well, because I don't need it here), on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN. I also disable that too!

3.) Use IP security policies (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:

http://www.analogx.com/contents/articles/ipsec.htm

(Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)

NOTE: This can be 'troublesome' though, for folks that run filesharing clients though. An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.

(HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it & when done? TURN THEM ON, AGAIN! These work WITH software & hardware router firewalls, IP port filtering, and security IP policies, simultaneosly/concurrently, for "layered security", no hassles!).

4.) USE General security policies (in gpedit.msc/secpol.msc), these are VALUABLE tools (and will be needed & suggestions for it will be told to you by the CIS Tool noted above - great stuff!) and regedit.exe!

(Newly added - regedit.exe use is for registry ACL permissions, via its EDIT menu, PERMISSIONS submenu item (to add/remove users that have rights to regisry hives/values, & to establish their rights levels therein))

ALSO NEWLY ADDED - Explorer.exe "right-click" on drive letters/folders/files (for file access ACL permissions hardening) using its popup menu selection of "PROPERTIES", & in the next screen, the SECURITY tab (to add/remove users that have rights to said items, & to establish their rights levels therein), also - this is another requirement of CIS Tool 1.x & its suggestions for better security.

5.) HARDENING & SECURING SERVICES HOW-TO:

Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE), see this URL where I did a lot of research for a prebuilt list for another forums, to see how/why this works:

http://forums.techpowerup.com/showthread.php?t=16097

I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privelege user too for this on 2000 if needed)...

I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).

LOCAL SERVICE startable list (vs. LocalSystem Logon Default):

Acronis Scheduler 2 Service
Alerter (needs Workstation Service Running)
COM+ System Application
GHOST
Indexing Service
NVIDIA Display Driver Service
Office Source Engine
O&O Clever Cache
Remote Registry
Sandra Service
Sandra Data Service
SmartCard
Tcp/IP NetBIOS Helper
Telnet
UserProfile Hive Cleanup Service
Volume Shadowing Service
Windows UserMode Drivers
Windows Image Acquisition
WinHTTP Proxy AutoDiscovery Service

NETWORK SERVICE startable list (vs. LocalSystem Logon Default):

ASP.NET State Service
Application Layer Gateway
Clipbook (needs Network DDE & Network DDE DSDM)
Microsoft Shadow Copy Provider
Executive Software Undelete
DNS Client
DHCP Client
Error Reporting
FileZilla Server
Machine Debug Manager
Merger
NetMeeting Remote Desktop Sharing Service
Network DDE
Network DDE DSDM
PDEngine (Raxco PerfectDisk)
Performance Logs & Alerts
RPC
Remote Desktop Help Session Manager Service
Remote Packet Capture Protocol v.0 (experimental MS service)
Resultant Set of Policies Provider
SAV Roam
Symantec LiveUpdate
Visual Studio 2005 Remote Debug

PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.

WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

If that fails (shouldn't, but IF it does)? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

ListSvc (shows services & drivers states of stopped or started)

Enable (starts up a service &/or driver)

Disable (stops a server &/or driver)

Which can turn them back on if/when needed

(ON Virtual Disk Service being removed, specifically (because it used to be in this list)): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this - do consider it, when possible! Many guides online exist for this, & I authored one of the first "back in the day" for NTCompatible.com as "Article #1" back in 1997-1998 - the latest ones are even BETTER!

SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):

http://forums.techpowerup.com/showthread.php?t=16097

"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use it's File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

(It's easy, & it works, & is necessary for the actual steps to do this, below)

Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!

STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

(To define a new security template, follow these steps)

1. In the console tree, expand Security Templates
2. Right-click %SystemRoot%\Security\Templates, and then click New Template
3. In the Template name box, type a name for the new template.

(If you want, you can type a description in the Description box, and then click OK)

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

1. To define a System Services policy, follow these steps:
a. Expand System Services
b. In the right pane, double-click the service that you want to configure
c. Specify the options that you want, and then click OK.

(And, of course, the user feedback on its effectiveness (Makes your Win32 NT-based OS very much like how MacOS X treats its daemon processes via privelege levels), which uses the same general principals)

It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!

DONE!

6.) Another thing I do for securing a Windows NT-based OS: IP Port Filtrations (like ip security policies (per AnalogX above), it is often called the "poor man's firewall" & works perfectly with both IPSecurity policies, hardware AND software firewalls, all in combination/simultaneously running)!

DIRECTIONS ON HOW TO IMPLEMENT THEM (very easy):

Start Menu -> Connect To Item (on the right hand side) -> Local Area Connection (whatever you called it, this is the default, iirc) open it via double click OR, right-click popup menu PROPERTIES item -> Properties button on left-hand side bottom, press/click it -> NEXT SCREEN (Local Area Connection PROPERTIES) -> "This connection uses the followng items" (go down the list, to Tcp/IP & select it & /click the PROPERTIES button there) -> Press/Click the Advanced Button @ the bottom Right-Hand Side (shows Advanced Tcp/IP Settings screen) -> OPTIONS tab, use it & Tcp IP Filtering is in the list, highlite/select it -> Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side -> Check the "Enable Tcp/IP Filtering (on all adapters)" selection -> In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp) -> In the far left "tcp ports" list - check off the radio button above the list titled "PERMIT ONLY", & then add ports you want to have open (all others will be filtered out, & for example, I leave port 80,8080, & 443 here open, only - you may need more if you run mail servers, & what-have-you (this varies by application)) -> I leave the UDP section "PERMIT ALL" because of ephemeral/short-lived ports usage that Windows does (I have never successfully filtered this properly but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)) -> DONE!

You may need a reboot & it will signal if it needs it or not (probably will, even in VISTA):

I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA? This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):

http://www.microsoft.com/technet/community/columns/cableguy/cg0605.mspx

(In THAT url above? Trust me - Enjoy the read, it is VERY informative: That article shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security!)

7.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person (still gets email scanned though by your resident antivirus email scan component (use AntiVirus programs with these, OR, manually scan ANY attachments before opening them (if you get Microsoft Office .doc, .xls, .ppt etc. files uncompressed? HOLD DOWN THE SHIFT KEY AS YOU OPEN THEM - this stops macros from running & macros are the avenue utilized using VBA script to infect you))

8.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router (with cookie & scripting filtering built-in @ the hardware level), these are excellent investments for security.

9.) USE Tons of security & speed oriented registry hacks (reconfiging the OS basically - stuff like you might do in etc / conf in UNIX/LINUX I suppose)

Many can be found here, in an article I authored (and it tells what they do, & how they work, w/ descriptions from Microsoft themselves):

http://www.avatar.demon.nl/APK.html

OR, if that site is down? Download them from here @ SOFTPEDIA (where they are rated 4/5):

http://www.softpedia.com/get/Tweak/System-Tweak/APK-Internet-and-NTkXP-Speedup-Guides.shtml

OR, just email me here for them -> apk4776239@hotmail.com

(I also have these PREBUILT, in .reg files, mind you, available by email, fully internally documented!)

They are FULLY documented internally, with link url's to the Microsoft pages they came from, inside the .reg files, so YOU can look at what the hack does inside them, verify this @ MS, & know what the valid parameters are as well!

(This? It took me FOREVER a year or so ago to do this, but worth it!)

The urls, or downloadable .mht files, outline it all (as do my prebuilt .reg files, probably the BEST choice of the lot imo), as to what you can ".reg file hack" for better SPEED, and SECURITY online, in a modern Windows 2000/XP/Server 2003 OS & has references from Microsoft in it for each setting plus their definitions & parameters possible!

10.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE (my personal one houses, as of this date, 90,000 known adbanner servers, OR sites known to bear malicious code & exploits (per GOOGLE mostly, from stopbadware.org))

Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filering files + cascading style sheets for this purpose.

(As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))

For a copy of mine, write me, here -> apk4776239@hotmail.com

And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)

11.) KEEP UP ON PATCHES FROM MICROSOFT, for your OS & Microsoft Office Apps, & IE, etc., HERE (ordered by release date) and run AntiVirus/AntiSpyware/AntiRootkit tools (& yes, keep them updated/current)!

http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date

Again, keep up on antivirus/antispyware/antirootkit AND Java runtimes updates!

(Done either automatically via their services, or manually)

Download them manually & install them yourself (OR just let "Windows Automatic Updates" run)

Running the "std. stuff", like AntiVirus (NOD32 latest 2.7x - best one there is, & that is not only MY opinion after testing it vs. my former fav. NAV Corporate 10.2 (it is lighter in RAM & resource uses than NAV Corporate even, finds more virus' than others, & uses less "moving parts" (in the way of services componentry, than most do, & certainly less than NAV)) + SpyBot (Ad-Aware is another option) as my resident antispyware tool running in the background! AntiRootkit tools are another one to be conscious of nowadays, now that such machinations are available for Windows (they originated, afaik, in the UNIX world though).

The "best ones" are:

AVG AntiRootkit
BitDefender AntiRootkit
GMER
Rootkit Revealer
PrevX AntiRootkit
Rootkit Hook Analyzer
Sophos AntiRootkit
F-Secure Blacklight
Gromozon Rootkit Removal Tool
KLister
McAfee Rootkit Detective
PatchFinder
RogueRemover
VICE
System Virginity Verifier for Windows 2000/XP/2003

That is a list for you all to choose from, they all do a decent enough job though, & are 100% FREE - SO, DO use them!

12.) It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE IE 7 Protected Mode"-like type scenario, isolating them into their own spaces in memory, here are 2 methods, how (not needed on VISTA though, afaik):

IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":

http://it.slashdot.org/comments.pl?sid=236547&cid=19310513

MY METHOD:

RUNNING IE in a "runas limited user class" sandbox effect:

"It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.

Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd". on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batchfile c:windowsie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from you normal desktop and only run it from the restricted account. This way you can use IE without worry about any IE exploits"

OTHER, VERY QUITE POSSIBLY SUPERIOR METHOD: ...this is exacly the way I do (but with opera and other internet related apps as acroread, mail, ...). But simply "runas /user:xxx cmd" is not the best way to achieve process separation. If you have a look at the process tree you will see: system->smss.exe->winlogon.exe->services.exe->cmd. exe->iexplore.exe. A better way is to use the method described in Joannas blog

http://theinvisiblethings.blogspot.c...every-day.html

See section: Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root avoiding beeing a child process.

Note - The "invisible thing"? She's "Yuriko DeathStrike" as far as I am concerned... Joanna Rutkowska, my fellow "Polish Person" & she's a regular "wonder" in the security/hacking/cracking world!

This is my runopera.bat which runs opera as user internet:
psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"

PLUS, Windows Server 2003 has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)

(YOU ARE NOW @ THE END OF THIS DOCUMENT & ALL of that is done for ONLINE security... &, it works!)

APK

P.S.=> Yes, it's a PAIN to do it the first time - maybe 1 hr. work for an experienced user, more for less experienced ones, but WORTH EVERY SECOND!

Why?

Well, I have not had this system "go down" due to hacks/cracks/malware/virus/trojans/spyware, etc. et al (you name it) in years now! It just works...

(... & everyone ought to know this stuff, so here 'tis!)

Enjoy & IF you know of more to do? Please, have @ it, & let us all know what it is you do on your Win32 rigs of NT-based OS nature... apk

Original version @ slashdot -> http://it.slashdot.org/comments.pl?sid=237507&cid=19410153

Updated version #2 @ techpowerup.com -> http://forums.techpowerup.com/showthread.php?p=365996#post365996
 
Last edited:
Joined
Sep 25, 2006
Messages
2,312 (0.36/day)
Location
Norn Iron
Processor Q9550 @3.8
Motherboard Asus Maximus Extreme
Cooling Custom water cooling
Memory 4GB Patriot Viper DDR3 1600MHz
Video Card(s) 2x HD4870 512MB
Storage 2x 500GB
Display(s) 3x LG L226WTQ 22" Widescreen LCD
Case Modded TJ07
Audio Device(s) On board
Power Supply PC P&C Silencer 750
Software Windows 7 Ultimate
Cheers Alec,I am shortly going to do a clean install and this will come in very helpfull before I make a ghost backup for later use when looking to revert back to a secure OS.
 

Wile E

Power User
Joined
Oct 1, 2006
Messages
24,318 (3.81/day)
System Name The ClusterF**k
Processor 980X @ 4Ghz
Motherboard Gigabyte GA-EX58-UD5 BIOS F12
Cooling MCR-320, DDC-1 pump w/Bitspower res top (1/2" fittings), Koolance CPU-360
Memory 3x2GB Mushkin Redlines 1600Mhz 6-8-6-24 1T
Video Card(s) Evga GTX 580
Storage Corsair Neutron GTX 240GB, 2xSeagate 320GB RAID0; 2xSeagate 3TB; 2xSamsung 2TB; Samsung 1.5TB
Display(s) HP LP2475w 24" 1920x1200 IPS
Case Technofront Bench Station
Audio Device(s) Auzentech X-Fi Forte into Onkyo SR606 and Polk TSi200's + RM6750
Power Supply ENERMAX Galaxy EVO EGX1250EWT 1250W
Software Win7 Ultimate N x64, OSX 10.8.4
A Tout Le Monde

Posted by me, as requested by APK, thru email.

APK said:


It's the latest breaking my old record of 84.735, now @ 85.185 of 100%
perfect. Everyone reading that thread should see the "mark to beat", & what
is possible...

Thanks!

APK

P.S.=> I am TOO tired from putting in 63 hour work week, & starting this one
on 11.5 hours today, to do the tasks for "blowing by the ban" as I have
before to do this (which is silly this whole thing on that note), as
substantiating proof of potential of what's in this thread's contents for
those that correctly & FULLY, apply it...

This is "APK SeWindows"... lol, one for the "Penguins" that...

(& as Leonardo DeCaprio said while playing the role of Howard Hughes?
"She'll go faster" & I'll even addon -> "& more secure", as time passes...
I want to hit A grade 90 scores (not too far now))...

On that A++ grade score, though? Heh - wish me luck! I'll settle for B+
grades for now, lol, raising NT-based OS' past C-2 levels, & closer to B
(nobody has reached verified design though afaik)... apk
 
Joined
Jan 28, 2007
Messages
2,648 (0.42/day)
Location
UK
System Name Ma Biatch
Processor i7 860
Motherboard Gigabyte GA-P55-UD3A
Cooling Noctua
Memory 8gb (4x2gb) G-Skill
Video Card(s) GTX 470
Storage WD5000aaks raid0
Display(s) Sony Bravia 37" 1080p
Case CM 690
Audio Device(s) Onboard
Power Supply Corsair HX520
Software Windows 7 Ultimate
lol apk ftw :roll: :rockout:

even now i enjoy reading his posts, i alos like when he creates a new user account he blatantly signs it apk (although jusat by reading the first line of any of his posts you know who it is ;) ) also his location, did you see it ? "a discreet point in the space-time continuim" lol :toast:
 
Joined
Nov 12, 2006
Messages
2,996 (0.47/day)
System Name COLOSSUS-MK4
Processor E8400 @4.4 GHz - FSB @550 MHZ
Motherboard Asus P5K Premium (Black Pearl)
Cooling Xigmatek HDT-S1283
Memory 2x1GB Geil BlckDrgn 800 @1158 5-5-5-18
Video Card(s) 8800GT 512MB @740/1782/2080
Storage Hitachi T7K250 250GB & 7200.10 Seagate 250GB
Display(s) Gateway FPD1975W 19" Widescreen
Case Antec 1200
Audio Device(s) Xi-FI Xtreme Audio
Power Supply CoolerMaster IGreen 500W
Software XP Home SP3
Benchmark Scores SuperPi: 10.563 Sciencemark: 2563.14
Russian boy would like this

Message from APK:

"It's getting BETTER ALL THE TIME!" - The Beatles
(see attached picture)
(For RussianBoy of course, as he's a Beatle's Fan, & I think that tune fits this increased score, as a theme)...

Thanks!

APK

P.S.=> A SIDE NOTE -> A guy over @ /. (slashdot.org) has supposedly "beaten"
my score!

(However, his LINUX is running under a VMWare emulation)

So I would like others' feedback as to that if you would like to post this as well:

http://enigma.ev6.net/result2.html <---------His result's there.
 

Attachments

  • APK10102007_85706CISToolScoreWindowsServer2003SP2.jpg
    APK10102007_85706CISToolScoreWindowsServer2003SP2.jpg
    148.9 KB · Views: 16,410

DoctorWhoIsWho

New Member
Joined
Oct 20, 2007
Messages
5 (0.00/day)
LINUX RESULTS (both default AND security hardened on SuSE Linux Enterprise)

See the attached jpg photos for the scores for LINUX folks (default is 46.xxx & security hardened is 90.xxx).

LINUX SuSE Enterprise SECURITY HARDENED SCORE:



LINUX SuSE Enterprise DEFAULT NON-SECURITY HARDENED SCORE:



This all just goes to show you that even LINUX (which is WORSE by default per this security settings test than Windows XP SP 2 is, despite the constant diatribes spouted by the *NIX community of "how superior the security is on *NIX's" vs. Windows) can stand quite the bit of security hardening...

APK

P.S.=> My next post will have my current highscore on Windows Server 2003 SP #2 fully security hotfix patched (as of the date of the last "Patch Tuesday") & also my workstation on the job (now security hardened) scoring 85.356 (and, I cannot FULLY security harden it, because we have some legacy NT 4.x servers & they cannot handle NTLMv2 communications, a requirement for a higher score + our pwd policies are limited as well)... apk
 

Attachments

  • LINUXSuSEEnterpriseDEFAULT46Score.jpg
    LINUXSuSEEnterpriseDEFAULT46Score.jpg
    170.9 KB · Views: 15,937
  • LINUXSuSEEnterpriseSECURITYHARDENED90Score.jpg
    LINUXSuSEEnterpriseSECURITYHARDENED90Score.jpg
    169 KB · Views: 15,809
Status
Not open for further replies.
Top