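REGEDIT4

; Written by HB3^, Nov. 9, 1999, 11:35pm
; www.hackerzlair.org
; greets to: pROcon, Biosone, koala7, syn|ack, Ledge and the rest from #hackerzlair
;
; This .reg file will change some settings in your registry so that your
; machine will be more secure. Just to be sure that everything applies to your
; box go and check all the entries before merging it: regedit writes every
; key below without asking, so delete any block you do not want (for example
; the IIS blocks at the end on a machine that does not run IIS).
;
; Format notes (REGEDIT4 = Windows NT 4 registry export):
;  - "REGEDIT4" must be the first line, followed by one blank line.
;  - Every key path sits alone inside [ ], every value name is double-quoted,
;    and a dword is written as exactly 8 hex digits. The original file had one
;    key path closed with " instead of ], three value names missing their
;    closing quote, a 7-digit dword and a misspelled value name; regedit
;    silently skips such lines, so those settings were never applied.
;  - Key paths are case-insensitive. Paths that appeared several times have
;    been merged so each path is listed once.
;  - The original file set LMCompatibilityLevel twice (4, then 2). regedit
;    applies entries in order, so 2 was the effective value; see the LSA block.

; Disables the administrative shares on NT Server.
; On NT Workstation the equivalent value is "AutoShareWks".
; RequireSecuritySignature turns on and requires SMB signing on the server
; side; the client side is set under Rdr\Parameters below.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
"RequireSecuritySignature"=dword:00000001

; SMB signing, client side (the NT 4 redirector service is "Rdr";
; on Windows 2000 and later the client setting lives under
; Services\LanmanWorkstation\Parameters instead).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
"RequireSecuritySignature"=dword:00000001

; Turn off NTFS 8.3 short-name generation (only affects files created after
; the change).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Filesystem]
"NtfsDisable8dot3NameGeneration"=dword:00000001

; RestrictAnonymous: restrict anonymous (null session) connections to IPC$.
;
; LMCompatibilityLevel - NT "Pass the Hash" with Modified SMB Client
; Vulnerability: a modified SMB client can mount shares on an SMB host by
; passing the username and corresponding LanMan hash of an account that is
; authorized to access the host and share. The modified SMB client removes
; the need for the user to "decrypt" the password hash into its clear-text
; equivalent. For more info check out http://www.securityfocus.com
; Levels:
;   0 - Send both Windows NT and Lan Manager password forms.
;   1 - Send Windows NT and Lan Manager password forms if server requests it.
;   2 - Only send the Windows NT password form (Lan Manager auth disabled).
;   3..5 - NTLMv2 levels (stricter; 4 was the first value the original file
;          used before overwriting it with 2).
; Value 2 is kept here because it is what the original file effectively set.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"RestrictAnonymous"=dword:00000001
"LMCompatibilityLevel"=dword:00000002

; NT LSA DoS (Phantom) Vulnerability: do not auto-launch the registered
; debugger on a crash.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="0"

; 'Disable' IP source routing.
; 1 = do not forward source-routed packets; 2 = drop all incoming
; source-routed packets (stricter). The original wrote this dword with only
; 7 digits, which regedit rejects.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DisableIPSourceRouting"=dword:00000001

; Set MDAC (RDS DataFactory) to operate in safe [1] / unsafe [0] mode.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo]
"HandlerRequired"=dword:00000001

; To disable DCOM, use the "DCOMCNFG.EXE" proggie, select default properties
; and make sure that 'enable distributed COM on this computer' is deselected,
; OR set the following registry value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

; Restrict Null user's and guest access to the Application Event log.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"RestrictGuestAccess"=dword:00000001

; Restrict Null user's and guest access to the Security Event log.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"RestrictGuestAccess"=dword:00000001

; Restrict Null user's and guest access to the System Event log.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"RestrictGuestAccess"=dword:00000001

; DontDisplayLastUserName: disable the last-logged-in user display == this is
; what C2 toys are doing too, duh. (The original misspelled it "...LastUerName",
; so it was never applied.)
; AllocateFloppies / AllocateCDRoms: restrict floppy and CD-ROM drive access to
; the currently logged-on interactive user.
; CachedLogonsCount: number of domain logons cached locally. 1 keeps a single
; cached logon; set "0" to disable caching entirely (then domain accounts
; cannot log on while no domain controller is reachable).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"AllocateFloppies"="1"
"AllocateCDRoms"="1"
"CachedLogonsCount"="1"

; Clear the page file during system shutdown (the original wrote the key as
; "SessionManager"; the real key name contains a space).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

; Enable screen saver lockout. The original pointed at "HKEY_USERS\DEFAULT\
; ControlPannel\Desktop", which does not exist; the real path is below. This
; hive is the default profile (logon desktop), not the per-user profiles.
; ScreenSaveActive alone only starts the saver; ScreenSaverIsSecure makes it
; require a password, and a ScreenSaveTimeOut value still has to be set.
[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="1"

; Disable Autorun for the CD-ROM drive.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Autorun"=dword:00000000

; IIS - delete the two blocks below on a machine without IIS, otherwise
; regedit creates empty W3SVC / MSFTPSVC keys.
; CreateProcessAsUser: make the IIS server run CGI scripts in the context of
; the IUSR_computername account (comment this value out if you do not run CGI).
; LogSuccessfulRequests / LogErrorRequests: log successful and bad HTTP
; requests on your WWW server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"CreateProcessAsUser"=dword:00000001
"LogSuccessfulRequests"=dword:00000001
"LogErrorRequests"=dword:00000001

; Disable the IIS FTP bounce attack (PORT to a third-party address).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters]
"EnablePortAttack"=dword:00000000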