Decided not to use Microsoft’s Lockdown Tool – I'll learn more by applying manual security fixes.
Disabled Guest account and renamed Administrator account (Computer Management – system tools – local users and groups – users – right click to rename and properties to disable)
Removed indexing service (control panel – add/remove programs – windows setup)
Enabled account switch for Administrator by registry change – see http://is-it-true.org/nt/xp/registry/rtips6.shtml (probably unnecessary - see next step)
Enforced ctrl-alt-del for login (disabled welcome screen in User Accounts then in Local Security Policy went to Local Policies – Security Options and disabled ‘Interactive Logon – do not require ctrl-alt-del’)
Set Windows Update to notify before downloading (there will be a need to restore disabled files before accepting updates) – via – control panel – system – automatic updates
Downloaded Microsoft’s Baseline Security Analyser.
Enabled Audit Policy (Local Security Policy - Audit Policy – Audit Access Object – success/failure)
Disabled and audited cmd.exe, ftp.exe, command.com, tftp.exe, cscript.exe, wscript.exe and telnet.exe. (I can still access these programs in a 'safe' location.)
Stopped SMTP service in IIS
Changed location of default web directory (inetpub/wwwroot). Pointed to new location in IIS Manager.
Tightened security on Front Page Server Extensions (Console1 – right click on web and check server extensions). There is conflicting advice on security of Front Page Server Extensions – reassured by http://www.windowswebsolutions.com/Articles/Index.cfm?ArticleID=7852
Applied strong Account Policies following advice in http://www.lokbox.net/SecureXP/
Extended properties for log files
Denied syn attacks by registry change - see http://www.colorado.edu/its/windows2000/adminguide/iis5secguidelines.html#synflood
Set up ftp in virtual directory – see http://www.iisfaq.com/default.aspx?View=A46&P=14
Removed application mappings for .htr .idc .stm .ida .idq .shtml .shtm – see http://www.lokbox.net/SecureXP/
Turned off "Index this resource" on ALL websites. (If I want to create a "Site Search" for my website, use a 3rd party tool that does not index the SOURCE CODE of your server-side scripts.)
Installed Security Configuration and Analysis Tool in Console 1 (mmc) Right-clicked on this entry in Console and selected ‘Analyse Computer Now’ – noted security messages in right pane.
Removed the following keys from Registry to remove RDS (Remote Data Services) vulnerability (Most database-driven IIS sites use Active Data Objects (ADO) without the need for RDS):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls
Set sandbox mode to 3 (all applications) - Jet database engine (ODBC vulnerability) –
HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\engines\SandboxMode
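
The two registry changes above (RDS keys removed, Jet SandboxMode set to 3) can be confirmed with a read-only check like the one below. This is an added example, not part of the original notes; it assumes PowerShell is installed on the machine, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the registry changes listed above.
# Function names are hypothetical; key paths are the ones in the notes.
$adcLaunch = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch'
$rdsKeys   = 'RDSServer.DataFactory', 'AdvancedDataFactory', 'VbBusObj.VbBusObjCls'
$jetKey    = 'HKLM:\Software\Microsoft\Jet\4.0\engines'

# Build one result row per check so the output can be tabulated or logged.
function New-CheckResult($check, $pass, $detail) {
    New-Object PSObject -Property @{ Check = $check; Pass = $pass; Detail = $detail }
}

# Each RDS handler key should no longer exist under ADCLaunch.
function Test-RdsKeysRemoved {
    foreach ($name in $rdsKeys) {
        $path = Join-Path $adcLaunch $name
        if (Test-Path -LiteralPath $path) {
            New-CheckResult "RDS key $name" $false 'still present under ADCLaunch'
        } else {
            New-CheckResult "RDS key $name" $true 'absent'
        }
    }
}

# SandboxMode must exist and equal 3 (sandbox for all applications).
function Test-JetSandboxMode {
    $prop = Get-ItemProperty -Path $jetKey -Name SandboxMode -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        New-CheckResult 'Jet SandboxMode' $false 'value not found'
    } elseif ($prop.SandboxMode -eq 3) {
        New-CheckResult 'Jet SandboxMode' $true '3 (all applications)'
    } else {
        New-CheckResult 'Jet SandboxMode' $false "currently $($prop.SandboxMode), expected 3"
    }
}

$results = @(Test-RdsKeysRemoved) + @(Test-JetSandboxMode)
$results | Select-Object Check, Pass, Detail | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or script flag a regression,
# for example after a Windows Update or an IIS reinstall restores a key.
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) { exit 1 }
```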