Story: IE flaw danger increases as exploit code released

Posted by: TurboTramp (Thursday 9 June 2005, 12:40 AM)

Thirty steps to PC security

This article describes the steps necessary to secure your Windows operating system from malicious exploits. The solutions listed below will protect you from every major vulnerability found on the Internet today, June 08, 2005. If by chance you would prefer to use tested software to enable these solutions, go to http://www.geocities.com/turbotramp2/samurai.html or click http://www.geocities.com/turbotramp2/samurai.zip to download the most recent version of Samurai. This Host-based Intrusion Prevention System will secure your machine using the solutions listed below.

DISABLE INSECURE CONTROLS: Disable known insecure ActiveX controls.

This solution disables the use of insecure ActiveX controls. The registry key “HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility” is updated with the GUIDs of known insecure controls that do not affect normal operation when disabled. The GUIDs are:

// ADODB control
{00000566-0000-0010-8000-00AA006D2EA4}
// Shell.Application
{13709620-C279-11CE-A49E-444553540000}
// AnchorClick DHTML Behavior
{8856F961-340A-11D0-A96B-00C04FD705A2}
// Image Control 1.0 (uses asycpict.dll)
{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}
// DHTML Editing Control
{2D360201-FFF5-11D1-8D03-00A0C959BC0A}

PREVENT AIM EXPLOIT: Disable the AIM URL protocol handler.

This solution prevents the use of the AIM URL protocol by replacing the insecure ActiveX GUID with a harmless substitute, in this case the HTML Help GUID is used. The AIM URL protocol is not required for normal operation and does not affect AOL Instant Messaging.

The registry key is “HKCR\PROTOCOLS\Handler\aim”.
The registry value is “CLSID”.

PREVENT ANONYMOUS ACCOUNTS: Prevent anonymous accounts.

This solution prevents the use of anonymous sessions by setting the registry value “HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous” to true. This setting will not become active until the machine is rebooted. As such, “The new configuration will require a reboot” will be displayed when this setting is altered in Samurai.

DISABLE AUTO FILE OPEN: Disable automatic file open from explorer.

This solution prevents Explorer from opening files without first prompting the user. This is accomplished by masking all auto open bits in EditFlags values of registry keys located in HKLM\Software\Classes, HKLM\Software\Classes\Shell\Open, HKLM\Software\Classes\CLSID, HKCU\Software\Classes, HKCU\Software\Classes\Shell\Open and HKCU\Software\Classes\CLSID.

STOP BIT SERVICE: Stop the Background Intelligent Transfer Service.

This solution stops the Background Intelligent Transfer Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

DISABLE URL PROTOCOLS: Disable dangerous URL protocols.

This solution disables the use of insecure URL types "ms-its", "ms-itss", "its", "mk" and "local" by removing the type entries from the "HKLM\Software\Classes\Protocols\Handler" and "HKCR\Protocols\Handler" registry keys.

DISABLE DYNAMIC ICONS: Disable insecure job icon handlers.

This solution disables dynamic icon handlers for (.job) JobObject files by removing the "IconHandler" keys from "HKCR\JobObject\shellex" and "HKLM\SOFTWARE\Classes\JobObject\shellex". Dynamic job icon handlers are not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

SECURE EXPLORER ZONE 0: Set and secure "My Computer" zone.

This solution secures “My Computer Zone” by resetting the values of the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0”. These special settings prevent many vulnerabilities including MS05-001, MS05-008 and MS05-014. The settings are:

1001 Download signed ActiveX controls Disable
1004 Download unsigned ActiveX controls Disable
1200 Run ActiveX controls and plug-ins Prompt
1201 Initialize and script Act
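The following script is an added example and is not the poster's Samurai tool or any code from this thread. It audits a registry snapshot for three of the settings described above (the ActiveX kill bits, the "My Computer" zone values, and restrictanonymous) and emits a .reg file that would apply them. The snapshot is a constructed in-memory dict so the check runs offline; on Windows it could be populated from the live registry with the winreg module. Two details are assumptions the post does not state: the kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under each GUID, and the zone action codes are 0 = Enable, 1 = Prompt, 3 = Disable (both are Microsoft-documented values). The Zones\0 key is placed under HKCU here because the post omits the hive, restrictanonymous "true" is taken as DWORD 1, and zone value 1201 is left out because the post's line for it is cut off.

```python
"""Audit a registry snapshot against the hardening settings in the post above
and emit a .reg file that applies the checked subset.  Example code, not the
Samurai tool.  Flag and action-code values are assumptions noted inline."""

# Controls the post disables, copied from the post's GUID list.
KILLBIT_GUIDS = {
    "{00000566-0000-0010-8000-00AA006D2EA4}": "ADODB control",
    "{13709620-C279-11CE-A49E-444553540000}": "Shell.Application",
    "{8856F961-340A-11D0-A96B-00C04FD705A2}": "AnchorClick DHTML Behavior",
    "{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}": "Image Control 1.0",
    "{2D360201-FFF5-11D1-8D03-00A0C959BC0A}": "DHTML Editing Control",
}
ACTIVEX_COMPAT = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x400  # assumption: "Compatibility Flags" bit that blocks a control in IE

# Hive assumed to be HKCU; the post gives the key without a hive.
ZONE0 = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
ZONE0_EXPECTED = {  # assumption: action codes 0 = Enable, 1 = Prompt, 3 = Disable
    "1001": 3,  # Download signed ActiveX controls: Disable
    "1004": 3,  # Download unsigned ActiveX controls: Disable
    "1200": 1,  # Run ActiveX controls and plug-ins: Prompt
}
LSA = r"HKLM\System\CurrentControlSet\Control\Lsa"

_HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
_HIVES_BACK = {v: k for k, v in _HIVES.items()}


def _lookup(snapshot, path, name):
    """Case-insensitive lookup: registry key and value names ignore case."""
    for key, values in snapshot.items():
        if key.lower() == path.lower():
            for vname, data in values.items():
                if vname.lower() == name.lower():
                    return data
    return None


def audit(snapshot):
    """Return sorted findings for a snapshot {key path: {value name: DWORD}};
    an empty list means every checked setting is in place."""
    findings = []
    for guid, desc in KILLBIT_GUIDS.items():
        flags = _lookup(snapshot, f"{ACTIVEX_COMPAT}\\{guid}", "Compatibility Flags") or 0
        if not flags & KILLBIT_FLAG:
            findings.append(f"kill bit missing: {desc} {guid}")
    for value, expected in ZONE0_EXPECTED.items():
        actual = _lookup(snapshot, ZONE0, value)
        if actual != expected:
            findings.append(f"zone 0 value {value} is {actual}, expected {expected}")
    if not (_lookup(snapshot, LSA, "restrictanonymous") or 0):
        findings.append("restrictanonymous not set")
    return sorted(findings)


def _reg_path(path):
    """regedit rejects the HKLM/HKCU abbreviations in .reg files; expand them."""
    hive, _, rest = path.partition("\\")
    return f"{_HIVES[hive]}\\{rest}"


def to_reg():
    """Emit .reg text applying the checked settings (review before importing)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for guid, desc in KILLBIT_GUIDS.items():
        lines += [f"; {desc}", f"[{_reg_path(ACTIVEX_COMPAT)}\\{guid}]",
                  f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}', ""]
    lines.append(f"[{_reg_path(ZONE0)}]")
    lines += [f'"{value}"=dword:{code:08x}' for value, code in ZONE0_EXPECTED.items()]
    lines += ["", f"[{_reg_path(LSA)}]", '"restrictanonymous"=dword:00000001', ""]
    return "\n".join(lines)


def parse_reg(text):
    """Parse the dword-only .reg subset that to_reg() emits back into a snapshot,
    so an exported or generated file can be audited with the same function."""
    snapshot, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = snapshot.setdefault(f"{_HIVES_BACK[hive]}\\{rest}", {})
        elif current is not None and "=dword:" in line:
            name, _, data = line.partition("=dword:")
            current[name.strip('"')] = int(data, 16)
    return snapshot


# Constructed sample: a partially hardened machine (not a real export).
SAMPLE_SNAPSHOT = {
    f"{ACTIVEX_COMPAT}\\{{00000566-0000-0010-8000-00AA006D2EA4}}": {"Compatibility Flags": 0x400},
    f"{ACTIVEX_COMPAT}\\{{13709620-C279-11CE-A49E-444553540000}}": {"Compatibility Flags": 0x400},
    f"{ACTIVEX_COMPAT}\\{{8856F961-340A-11D0-A96B-00C04FD705A2}}": {"Compatibility Flags": 0},
    ZONE0: {"1001": 3, "1004": 0},
    LSA: {"restrictanonymous": 0},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SNAPSHOT):
        print(finding)
    print(to_reg())
```

The audit is read-only; applying the generated .reg file is a separate administrative step, and the settings it writes are only the ones the post spells out in full. Round-tripping `to_reg()` through `parse_reg()` and back into `audit()` is a cheap self-check that the generator and the checker agree on key paths and value names.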