Thursday, June 22, 2006 

How to harden your Unix Server

Mask Apache Server Information

Server headers and directory defaults usually show Apache server information. This information can be used by hackers to learn about vulnerabilities on your server if the system is not updated. You can mask server information as follows:

1. Log into server as root.

2. Open /etc/httpd/conf/httpd.conf with an editor.

3. Change the line ServerSignature on to
ServerSignature Off

4. Find the line "HostnameLookups off"
After that line, add "ServerTokens Prod"

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]

5. Save and exit.

6. Restart Apache with /etc/rc.d/init.d/httpd restart
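To confirm the result of steps 3 and 4 after the restart, the responses themselves can be checked. The script below is an added example, not part of the original post: it classifies the Server header, looks for the ServerSignature footer, and reads the status of a TRACE request (the [F] flag answers with 403). The function names and sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check, from response data,
# that the httpd.conf changes above took effect.

# banner_exposure: read response headers on stdin and classify the Server
# header. Prints "version" if it carries version/OS/module detail,
# "product" for a bare product name (what ServerTokens Prod sends),
# or "none" if there is no Server header.
banner_exposure() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        tolower($0) ~ /^server:/ {
            sub(/^[^:]*:[ \t]*/, "")            # keep only the header value
            seen = 1
            verdict = ($0 ~ "[/(0-9]") ? "version" : "product"
        }
        END { print (seen ? verdict : "none") }'
}

# signature_present: read a server-generated page (error page, directory
# listing) on stdin; succeed if it still carries the ServerSignature footer.
signature_present() {
    grep -Eiq '<address>.* Server at .* Port [0-9]+</address>'
}

# trace_state: read the response to a TRACE request on stdin and report
# "blocked" (403, as the RewriteRule [F] returns), "enabled" (200),
# or "other:<code>".
trace_state() {
    code=$(awk 'NR == 1 { print $2 }')
    case "$code" in
        200) echo enabled ;;
        403) echo blocked ;;
        *)   echo "other:$code" ;;
    esac
}

# Constructed sample responses (not captured from a real server).
before='HTTP/1.1 200 OK
Server: Apache/2.0.52 (CentOS)
Content-Type: text/html'
after='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'
footer='<address>Apache/2.0.52 (CentOS) Server at www.example.com Port 80</address>'

echo "before: $(printf '%s\n' "$before" | banner_exposure)"
echo "after:  $(printf '%s\n' "$after" | banner_exposure)"
if printf '%s\n' "$footer" | signature_present; then
    echo "footer: ServerSignature is still on"
fi
echo "TRACE:  $(printf 'HTTP/1.1 403 Forbidden\n' | trace_state)"
```

On a server you administer, feed the functions live data, for example `curl -sI http://localhost/ | banner_exposure` and `curl -si -X TRACE http://localhost/ | trace_state`.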



Install System Integrity Monitor

System Integrity Monitor (SIM) monitors system services and provides a clean and informative representation of system status. It is an essential tool for server admins to monitor servers. SIM has several modules that can be installed to help admins with common system processes. SIM will verify that the system and services are online, check load averages, and maintain log files.

1. Login to server and su to root.

2. Go to /usr/local

3. Get source file with wget http://www.r-fx.org/downloads/sim-current.tar.gz

4. Untar file with tar -xzvf sim-current.tar.gz

5. cd sim-2.5-3 (or latest version of SIM)

6. Type ./setup -i

7. Enter and spacebar to continue.

8. Finally, get to auto-configuration script for SIM. Select options you want to install.




Security: Use SSH protocol 2

The old SSH Protocol 1 has several security leaks and faces many automated "root kits". Protocol 2 is an improvement to plug the holes. All servers with SSH 1 should use SSH 2.

1. Open /etc/ssh/sshd_config with an editor.

2. Find the line "#Protocol 2, 1".

3. Uncomment (remove #).

4. Save and exit.

5. Restart SSH with /etc/rc.d/init.d/sshd restart


Security: Disable direct root login

Root user is the most important account on a server. The root user has access to any file/program/application running on a server. By default, terminal services would allow the root user to login. This is a major threat to security as hackers can try to guess at the root password to gain access.

Disabling direct root login requires logging in with a separate user account before changing to the root user. This forces a hacker to try and guess 2 separate passwords to become the root user.

cPanel users/servers must add the user to 'wheel' group so that the user is allowed to su to root. Failure to do so would cause a lock out of the root account.

* A user with SSH access must already be created.

1. SSH into server as user and gain root access by 'su -'

2. Open /etc/ssh/sshd_config with an editor.

3. Find line PermitRootLogin yes

4. Uncomment it and change yes to no so that the line reads PermitRootLogin no

5. Save the file and exit.

6. Restart SSH with "/etc/rc.d/init.d/sshd restart"
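Before restarting sshd, the edited file can be checked against what both SSH sections above intend: protocol 2 only, no direct root login, and a login user who can still su to root. The script below is an added example, not part of the original post; the function names, the sample files and the users alice and bob are constructed for illustration. It flags a Protocol line that still lists 1, since sshd then continues to accept protocol 1 clients.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config and a
# group file for the settings described in the two SSH sections above.

# ssh_value FILE KEYWORD
# Print the value sshd uses for KEYWORD: keywords are case-insensitive and
# the first uncommented occurrence wins. Simplification: "Match" blocks and
# the "keyword=value" spelling are not handled.
ssh_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) {
            $1 = ""; gsub(/[ \t]/, ""); print; exit
        }' "$1"
}

# in_group GROUPFILE GROUP USER
# Succeed if USER is listed as a member of GROUP (/etc/group format).
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# audit_ssh CONFIG GROUPFILE USER
# Print one finding per line; the return status is the number of problems.
audit_ssh() {
    problems=0
    proto=$(ssh_value "$1" Protocol)
    root=$(ssh_value "$1" PermitRootLogin)

    case "$proto" in
        2)  echo "ok    Protocol 2" ;;
        "") echo "check Protocol is not set; the default depends on the sshd version"
            problems=$((problems + 1)) ;;
        *)  echo "FAIL  Protocol $proto still accepts SSH protocol 1"
            problems=$((problems + 1)) ;;
    esac

    case "$root" in
        no) echo "ok    PermitRootLogin no" ;;
        "") echo "check PermitRootLogin is not set; the default depends on the sshd version"
            problems=$((problems + 1)) ;;
        *)  echo "FAIL  PermitRootLogin $root allows direct root login"
            problems=$((problems + 1)) ;;
    esac

    # The lock-out caveat above: the login user must be able to su to root.
    if in_group "$2" wheel "$3"; then
        echo "ok    $3 is in wheel"
    else
        echo "FAIL  $3 is not in wheel and could not su to root"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# write_samples DIR: constructed sample files (not from a real server).
write_samples() {
    printf '%s\n' 'Protocol 2, 1' '#PermitRootLogin yes' > "$1/weak"
    printf '%s\n' 'Protocol 2' 'PermitRootLogin no'      > "$1/hardened"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:root,alice'    > "$1/group"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_ssh "$demo_dir/weak" "$demo_dir/group" bob || echo "=> $? problem(s)"
audit_ssh "$demo_dir/hardened" "$demo_dir/group" alice && echo "=> clean"
rm -rf "$demo_dir"
```

On a real server the call is `audit_ssh /etc/ssh/sshd_config /etc/group youruser`, run before step 6 while the existing root session is still open.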




Security: Disabling Telnet

Telnet is a threat to server security. The protocol communicates on port 23 for both incoming and outgoing messages. Passwords and usernames are sent as clear text during logins, giving hackers the chance to tap the traffic between client and server and then gain access. Telnet should always be disabled on web servers and replaced with a more secure platform like SSH.


To disable telnet on your server, follow these steps:

1. Login as root.

2. Open the file /etc/xinetd.d/telnet with your editor (pico/vi).

3. Find the line "disable = no" ,
replace with "disable = yes".

4. Restart the inetd service with command /etc/rc.d/init.d/xinetd restart

5. Do a quick scan to make sure port 23 telnet is closed.
nmap -sT -O localhost



 

Install the Microsoft Loopback Adapter in Windows Server 2003

A loopback adapter can be very useful for testing networking features on a server that doesn't have a network adapter already installed, and Microsoft provides this feature in Windows Server 2003.

To install the Microsoft Loopback Adapter, follow these steps:

1. Go to Start | Control Panel | Add Hardware.
2. In the introductory dialog box, click Next.
3. Select Yes, I Have Already Connected The Hardware, and click Next.
4. Scroll to the bottom of the Installed Hardware list box, select Add A New Hardware Device, and click Next.
5. Select the Install The Hardware That I Manually Select From A List (Advanced) option, and click Next.
6. Under Hardware Types, select Network Adapters, and click Next.
7. Under Manufacturer, select Microsoft.
8. Under Network Adapter, select Microsoft Loopback Adapter.
9. Click Next twice, and click Finish.

Unless there are already existing adapters, Windows will install the loopback adapter with the name Local Area Connection. If other adapters exist, Windows will name it Local Area Connection .

 

How To Install Microsoft Loopback Adapter in Windows 2000

The Microsoft Loopback adapter is a tool for testing in a virtual network environment where access to a network is not feasible. Also, the Loopback adapter is essential if there are conflicts with a network adapter or a network adapter driver. Network clients, protocols, and so on, can be bound to the Loopback adapter, and the network adapter driver or network adapter can be installed at a later time while retaining the network configuration information. The Loopback adapter can also be installed during the unattended installation process.

Manual Installation


1. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Hardware.
2. Click Add/Troubleshoot a device, and then click Next.
3. Click Add a new device, and then click Next.
4. Click No, I want to select the hardware from a list, and then click Next.
5. Click Network adapters, and then click Next.
6. In the Manufacturers box, click Microsoft.
7. In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.
8. Click Finish.


After the adapter is installed successfully, you can configure its options manually, as with any other adapter. Note that if the TCP/IP properties are configured to use DHCP (the default), the adapter will eventually use an autonet address (169.254.x.x/16) because it is not actually connected to any physical media.

APPLIES TO

Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Datacenter Server

 

How to install the Microsoft Loopback adapter in Windows XP

The Microsoft Loopback adapter is a testing tool for a virtual network environment where network access is not available. Also, you must use the Loopback adapter if there are conflicts with a network adapter or with a network adapter driver. You can bind network clients, protocols, and other network configuration items to the Loopback adapter, and you can install the network adapter driver or network adapter later while retaining the network configuration information. You can also install the Loopback adapter during the unattended installation process.

Manual installation

To manually install the Microsoft Loopback adapter in Windows XP, follow these steps:
1. Click Start, and then click Control Panel.
2. If you are in Classic view, click Switch to Category View under Control Panel in the left pane.
3. Double-click Printers and Other Hardware, and then click Next.
4. Under See Also in the left pane, click Add Hardware, and then click Next.
5. Click Yes, I have already connected the hardware, and then click Next.
6. At the bottom of the list, click Add a new hardware device, and then click Next.
7. Click Install the hardware that I manually select from a list, and then click Next.
8. Click Network adapters, and then click Next.
9. In the Manufacturer box, click Microsoft.
10. In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.
11. Click Finish.



After the adapter is installed successfully, you can manually configure its options, as with any other adapter. If the TCP/IP properties are configured to use DHCP, the adapter will eventually use an autonet address (169.254.x.x/16) because the adapter is not actually connected to any physical media.

Note By default, TCP/IP properties are configured to use DHCP.

Wednesday, June 21, 2006 

Microsoft Unveils Robotics Studio

Microsoft Corp. on Tuesday launched a technology preview of Robotics Studio, a Windows-based development environment for creating robotic applications.

The early release targets academic, hobbyist and commercial developers with a toolset for building applications that can run on a variety of robotics computing platforms, the company said. Early partners include the LEGO Group.

"We've reached out to a broad range of leading robotics companies and academics early on in the development process and are thrilled with the positive response from the community," Tandy Trower, general manager of the Microsoft Robotics Group, said in a statement.

Key features in Robotics Studio include a visual programming tool that makes it easy to create and debug robot applications, the company said. The tools also allow users to interact with robots through Web-based or Windows-based interfaces, or simulate robotic applications using realistic 3-D models. The latter feature is powered with technology licensed from AGEIA.

Robotics Studio's programming model can be applied for a variety of robot hardware platforms, and third parties can also extend the functionality of the product by providing additional libraries and services.

Both remote PC-based and autonomous robot-based execution scenarios can be developed using programming languages found in Microsoft Visual Studio and Microsoft Visual Studio Express, JScript and Microsoft IronPython 1.0 Beta 1. Third party languages can also be used if they conform to the toolset's services-oriented, message-based architecture.

Joe Wilcox, analyst for JupiterResearch, said Microsoft appears to be interested in the growing market for robotics devices in the home, which is driving the need for operating systems and development tools.

"It's just too bad that, like other Microsoft stuff, to get there you've got to go the Windows way or the highway," Wilcox said in his blog.


Microsoft unveiled the development environment at the RoboBusiness Conference and Exposition in Pittsburgh, Penn. The toolset is available for download through the company's developer Web site.


http://www.informationweek.com

 

IBM runs frozen chip at 500GHz

IBM researchers have pushed a silicon-based microprocessor to speeds of 500GHz, more than 250 times faster than a typical commercial chip in a cell phone.

The research shows that chip makers can reach high speeds with low-cost manufacturing techniques and commercial silicon-based chip technology, said John D. Cressler, a professor at Georgia Tech’s School of Electrical and Computer Engineering.

The new research, announced Tuesday by IBM, could also lead to more efficient chips, opening up new markets. Running at extremely high speeds, these chips could now find new applications in commercial communications systems, defense electronics, space exploration and remote sensing, according to IBM.

A team of scientists from IBM and Georgia Tech used an old hacker’s technique to avoid melting the chip at such high speeds.

Extreme video gamers chill their chips with refrigerated mineral oil stored in the garage, but this team was able to make the chip much colder.

First, the researchers built a prototype silicon-germanium (SiGe) chip that ran at 350GHz at room temperature. IBM, in Armonk, New York, has been mixing germanium with silicon since 1998, using the mixture to make chips for cell phones and other mobile devices that demand reduced power consumption.

Then they used liquid helium to freeze their microprocessor to 451 degrees below zero Fahrenheit. Nature’s coldest temperature, known as absolute zero, is just a few degrees lower, at minus 459.67 degrees Fahrenheit. With no risk of melting the chip, they pushed it to 500GHz.

By contrast, the latest commercial dual-core server chips from Intel and Advanced Micro Devices run at speeds between 2.5GHz to 3.5GHz.

The researchers now plan to return to their lab and find a way to push the chip even faster. IBM’s computer simulations show that their chip could reach speeds of 1,000GHz, known as 1 Terahertz.


http://www.macworld.com/news/2006/06/20/500ghz/index.php

Friday, June 16, 2006 

How to secure windows 2000 server

Windows 2000 Security Checklist

Basic Security Considerations

Provide Physical Security for the machine

Most security breaches in corporate environments occur from the inside. Culprits can range from well-meaning "power users" who configure their co-workers' PCs, to disgruntled employees, to full-blown corporate spies who are working at your company. It may not be practical to physically secure every workstation in your environment, but your servers need to be in a locked room with monitored access. Consider placing surveillance cameras in your server rooms and keeping the tapes for 30 days. For desktops, install a lock on the CPU case, keep it locked, and store the key safely away from the computer at a secure location (i.e. a locked cabinet in the server room).

Disable the Guest Account

Windows 2000 finally disables the guest account by default, but if you didn't build the image yourself, always double check to make sure the guest account is not enabled. For additional security assign a complex password to the account anyway, and restrict its logon 24x7.

Limit the number of unnecessary accounts

Eliminate any duplicate user accounts, test accounts, shared accounts, general department accounts, etc. Use group policies to assign permissions as needed, and audit your accounts regularly. These generic accounts are famous for having weak passwords (and lots of access) and are at the top of every hacker's list of accounts to crack first. This can be a big problem at larger companies with understaffed IT departments. An audit at a Fortune 10 company I worked for revealed that 3,000 of their 15,000 active user accounts were assigned to employees who no longer worked for the company. To make matters worse, we were able to crack the passwords on more than half of those inactive accounts.

Create 2 accounts for Administrators

I know this goes against the previous caveat, but this is the exception to the rule. Create one regular user account for your Administrators for reading mail and other common tasks, and a separate account (with a more aggressive password policy) for tasks requiring administrator privileges. Have your Administrators use the "Run As" command available with Windows 2000 to enable the access they need. This prevents malicious code from spreading through your network with admin privileges.

Rename the Administrator Account

Many hackers will argue that this won't stop them, because they will use the SID to find the name of the account and hack that. Our view is, why make it easy for them? Renaming the Administrator account will stop some amateur hackers cold, and will annoy the more determined ones. Remember that hackers won't know what the inherited or group permissions are for an account, so they'll try to hack any local account they find and then try to hack other accounts as they go to improve their access. If you rename the account, try not to use the word "Admin" in its name. Pick something that won't sound like it has rights to anything.

Consider creating a dummy Administrator account

Another strategy is to create a local account named "Administrator", then give that account no privileges and an impossible-to-guess 10+ digit complex password. This should keep the script kiddies busy for a while. If you create a dummy Administrator account, enable auditing so you'll know when it is being tampered with.

Replace the "Everyone" Group with "Authenticated Users" on file shares

"Everyone", in the context of Windows 2000 security, means anyone who gains access to your network can access the data. Never assign the "Everyone" Group to have access to a file share on your network; use "Authenticated Users" instead. This is especially important for printers, which have the "Everyone" Group assigned by default.

Password Security

A good password policy is essential to your network security, but is often overlooked. In large organizations there is a huge temptation for lazy administrators to create all local Administrator accounts (or worse, a common domain level administrator account) with a password that uses a variation of the company name, computer name, or advertising tag line, e.g. %companyname%#1, win2k%companyname%, etc. Even worse are new user accounts with simple passwords such as "welcome", "letmein", "new2you", that aren't required to change the password after the first logon. Use complex passwords that are changed at least every 60-90 days. Passwords should contain at least eight characters, and preferably nine (recent security information reports that many cracking programs are using the eight character standard as a starting point). Also, each password must follow the standards set for strong passwords.

Password protect the screensaver

Once again this is a basic security step that is often circumvented by users. Make sure all of your workstations and servers have this feature enabled to prevent an internal threat from taking advantage of an unlocked console. For best results, choose the blank screensaver or logon screensaver. Avoid the OpenGL and graphic intensive programs that eat CPU cycles and memory. Make sure the wait setting is appropriate for your business. If you can get your users in the habit of manually locking their workstations when they walk away from their desks, you can probably get away with an idle time of 15 minutes or more. You can keep users from changing this setting via Group Policy.

Use NTFS on all partitions

FAT and FAT32 File systems don't support file level security and give hackers a big wide open door to your system. Make sure all of your system partitions are formatted using NTFS.

Always run Anti-Virus software

Again, this is something that is considered a basic tenet of security, but you would be surprised at how many companies don't run Anti-Virus software, or run it but don't update it. Today's AV software does more than just check for known viruses; many scan for other types of malicious code as well.

Secure your Backup tapes

It's amazing how many organizations implement excellent platform security, and then don't encrypt and/or lock up their backup tapes containing the same data. It's also a good idea to keep your Emergency Repair Disks locked up and stored away from your servers.


Mid Level Security Measures

Use the Security Configuration Toolset included with Windows 2000 to configure policies.

Microsoft provides a Security Configuration Toolset which provides plug in templates for the MMC that allow you to easily configure your policies based on the level of security you require. The template includes a long list of configurable options (many of which appear on this checklist) and also includes a useful security analysis tool. For more information, download the documentation here. If your workstation is not part of a domain, you can still enable policies by using the Poledit.exe file from the Windows 2000 Server CD-ROM. For more information, check out Microsoft Knowledge Base Article: 269799 - How to Secure Windows 2000 Professional in a Non-Domain Environment.

Don't allow unmonitored modems in your environment

One of the easiest hacks in the world is finding a company's phone number prefix and suffix range and wardialing for a modem that picks up. After weeding through the fax machines, you can either look for an unsecured workstation with RAS enabled, or one with Symantec's PC Anywhere loaded on it. If either one is configured incorrectly, you can easily gain access to the local machine and work up from there. If you have a digital phone system, get a list of every analog line that comes into your workplace and find out where it goes! Every PC hooked to a modem is a security risk. Make sure they're configured correctly and audited regularly.

Shut down unnecessary services

Unnecessary services take up system resources and can open holes into your operating system. IIS, RAS, and Terminal Services have security and configuration issues of their own, and should be implemented carefully if required. There are also several malicious programs that can run quietly as services without anyone knowing. You should be aware of all the services that run on your servers and audit them periodically. The default services allowed in a Windows NT 4.0 C2 certified installation are:

Computer Browser
Microsoft DNS Server
Netlogon
NTLM SSP
RPC Locator
RPC Service
TCP/IP NetBIOS Helper
Spooler
Server
WINS
Workstation
Event Log

Windows 2000 has not been submitted for C2 certification by Microsoft, so an updated list of services is not available. What services are deemed unnecessary may vary based on the function of your server and/or workstations. Please test your specific configuration in a lab environment before enabling it in your production network. A list of services available in Windows 2000 Server (as well as their default settings) can be found here

Shut down unnecessary ports

This is a judgment call based on your needs and risks. Workstations aren't normally at risk behind a firewall, but never assume your servers are safe! A hacker's first attempt at rattling the doors and windows usually involves using a port scanner. You can find out a list of open ports on your local system by opening the file located at %systemroot%\drivers\etc\services. You can configure your ports via the TCP/IP Security console located in the TCP/IP properties (Control Panel > Network and Dial Up Connections > Local Area Connection > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering). To allow only TCP and ICMP connections, configure the UDP and IP Protocol check boxes to "Permit Only" and leave the fields blank. A list of default ports for Windows 2000 Domain Controllers can be found here

Enable Auditing

The most basic form of Intrusion Detection for Windows 2000 is to enable auditing. This will alert you to changes in account policies, attempted password hacks, unauthorized file access, etc. Most users are unaware of the types of doors they have unknowingly left open on their local workstation, and these risks are often discovered only after a serious security breach has occurred. At the very minimum, consider auditing the following events:


Event >> Level of Auditing
Account logon events >> Success, failure
Account management >> Success, failure
Logon events >> Success, failure
Object access >> Success
Policy change >> Success, failure
Privilege use >> Success, failure
System events >> Success, failure

Set permissions on the security event log

The event log files are not protected by default, so permissions should be set on the event log files to allow access to Administrator and System accounts only.

Store all sensitive documents on file servers

Although most new workstations come with some very large drives, you should consider storing all of a user's data (documents, spreadsheets, project files, etc.) on a secured server, where the data is backed up regularly. Modify the parameters for the "My Documents" folder to always point to the user's network share on a secured server. For laptop users, enable the "Make available offline" capabilities to synchronize the folder's content.


Prevent the last logged-in user name from being displayed

When you press Ctrl-Alt-Del, a login dialog box appears which displays the name of the last user who logged in to the computer, and makes it easier to discover a user name that can later be used in a password-guessing attack. This can be disabled using the security templates provided on the installation CD, or via Group Policy snap in. For more information, see Microsoft KB Article Q310125

Check Microsoft's web site for the latest hotfixes

Nobody writes 30 million lines of code and gets it perfect the first time, so updating service packs and hotfixes can go a long way to plug security holes. The problem is that hotfixes aren't regression-tested as thoroughly as service packs and can come with bugs of their own. You should always test them on a comparable, non-production system before deploying them. Check Microsoft's TechNet Security Page frequently for the latest hotfixes and decide which ones you need to roll out. Tip: Our home page at LabMice.net always features Microsoft's latest hotfix to save you time.


Advanced Security Settings

Set a power on password

This should be mandatory for all laptop users, but is rarely done in most environments for servers and workstations because it doesn't allow you to remotely log on and reboot a machine to the point that the Operating System will restart. Keep in mind that an intruder who can physically open your computer's central processing unit (CPU) can adjust hardware switches to disable the power-on password, and could also temporarily install a drive and boot another OS, bypassing all of your security settings. If this is a concern for your company, consider locking the case (if the model permits it) or using removable hard drives that are locked up every night.

Disable DirectDraw

This prevents direct access to video hardware and memory, which is required to meet the basic C2 security standards. Disabling DirectDraw may impact some programs that require DirectX (games), but most business applications should be unaffected. To disable it, edit the Registry key HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI and set the value for Timeout (REG_DWORD) to 0.

Disable the default shares

Windows NT and Windows 2000 open hidden shares on each installation for use by the system account. (Tip: You can view all of the shared folders on your computer by typing NET SHARE from a command prompt.) You can disable the default Administrative shares two ways. One is to stop or disable the Server service, which removes the ability to share folders on your computer. (However, you can still access shared folders on other computers.) When you disable the Server service (via Control Panel > Administration Tools > Services), be sure to click Manual or Disabled or else the service will start the next time the computer is restarted. The other way is via the Registry by editing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters. For Servers, edit AutoShareServer with a REG_DWORD value of 0. For Workstations, edit AutoShareWks. Keep in mind that disabling these shares provides an extra measure of security, but may cause problems with applications. Test your changes in a lab before disabling these in a production environment. The default hidden shares are:

Share >> Path and Function
C$ D$ E$ >> Root of each partition. For a Windows 2000 Professional computer, only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows 2000 Server computer, members of the Server Operators group can also connect to these shared folders.
ADMIN$ >> %SYSTEMROOT% This share is used by the system during remote administration of a computer. The path of this resource is always the path to the Windows 2000 system root (the directory in which Windows 2000 is installed: for example, C:\Winnt).
FAX$ >> On Windows 2000 Server, this is used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.
IPC$ >> Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer's shared resources.
NetLogon >> This share is used by the Net Logon service of a Windows 2000 Server computer while processing domain logon requests.
PRINT$ >> %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS Used during remote administration of printers.

Disable Dump File Creation

A dump file can be a useful troubleshooting tool when either the system or an application crashes and causes the infamous "Blue Screen of Death". However, dump files can also provide a hacker with potentially sensitive information such as application passwords. You can disable the dump file by going to the Control Panel > System Properties > Advanced > Startup and Recovery and changing the options for "Write Debugging Information" to None. If you need to troubleshoot unexplained crashes at a later date, you can re-enable this option until the issue is resolved, but be sure to disable it again later and delete any stored dump files.

Enable EFS (Encrypting File System)

Windows 2000 ships with a powerful encryption system that adds an extra layer of security for drives, folders, or files. This will help prevent a hacker from accessing your files by physically mounting the hard drive on another PC and taking ownership of files. Be sure to enable encryption on Folders, not just files. All files that are placed in that folder will be encrypted. For more information check out our EFS Resource Center

Encrypt the Temp Folder

Applications use the temp folder to store copies of files while they are being updated or modified, but they don't always clean the folder when you close the program. Encrypting the temp folder provides an extra layer of security for your files.

Lock down the Registry

In Windows 2000, only Administrators and Backup Operators have default network access to the registry; however, you may wish to tighten this down even further. To restrict network access to the registry, follow the steps listed in TechNet Article Q153183

Clear the Paging File at shutdown

The Pagefile is the temporary swap file Windows NT/2000 uses to manage memory and improve performance. However, some 3rd party programs may store unencrypted passwords in memory, and there may be other sensitive data cached as well. You can clear the pagefile at shutdown by editing the Registry Key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management and changing the data value of the ClearPageFileAtShutdown value to 1.

Disable the ability to boot from a floppy or CD ROM on physically unsecured systems.

There are a number of 3rd party utilities that pose a security risk if used via a boot disk (including resetting the local administrator password). If your security needs are more extreme, consider removing the floppy and CD drives entirely. As an alternative, store the CPU in a locked external case that still provides adequate ventilation.

Disable AutoRun for CD-ROM drives on physically unsecured systems.

One of the easiest ways for a hacker with physical access to a company's PCs to distribute malicious code is via the CD-ROM. By creating a custom CD with a payload set to launch from the autorun feature in any machine, a hacker can affect any number of unlocked systems without ever leaving a fingerprint or touching a keyboard. Or he/she can simply leave a few of these lying around the office marked "MP3's" or "Payroll Data" and wait for an unsuspecting user to simply pick it up and insert it into their machine. You can disable this function by editing the Registry: in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom subkey, set the AutoRun value to 0.

Remove the OS/2 and POSIX Subsystems

If you are not using these subsystems (and people rarely do), removing them may improve performance and also closes a potential security risk. To remove the OS/2 and POSIX subsystems:

1. Delete the \winnt\system32\os2 directory and all of its subdirectories.

2. Use the Registry Editor to remove the following registry entries:

Key: HKEY_LOCAL_MACHINE\SOFTWARE
Subkey: Microsoft\OS/2 Subsystem for NT
Entry: delete all subkeys

Key: HKEY_LOCAL_MACHINE\SYSTEM
Subkey: CurrentControlSet\Control\Session Manager\Environment
Entry: Os2LibPath
Value: delete entry

Key: HKEY_LOCAL_MACHINE\SYSTEM
Subkey: CurrentControlSet\Control\Session Manager\SubSystems
Entry: Optional
Values: delete entry

Key: HKEY_LOCAL_MACHINE\SYSTEM
Subkey: CurrentControlSet\Control\Session Manager\SubSystems
Entry: delete entries for OS2 and POSIX


The changes take effect the next time the computer is started. You might want to update the emergency repair disk to reflect these changes.
Consider using SmartCard or Biometric devices instead of passwords

The more stringent your password policy is, the more likely your users will begin keeping paper password lists in their desk drawers, or taped to the bottom of their keyboards. Windows 2000 supports these devices, so consider the costs vs. risks of your most sensitive data.

Consider implementing IPSec

Basically, IPSec provides encryption for network sessions using the Internet Protocol (IP) and promises to offer transparent and automatic encryption of network connections.
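To confirm that the registry changes described above (ClearPageFileAtShutdown, AutoRun, and the OS/2 and POSIX entries) were actually applied, the following added example, which is not part of the original post, audits the text of a regedit export. It assumes the export has already been read into a Python string; the value names Os2 and Posix under SubSystems, the function names and the sample export are assumptions of this example.

```python
import re

SYS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
SM = SYS + r"\Control\Session Manager"
OS2_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT"
# (key, value name, required dword); None means the value must be deleted.
CHECKS = [
    (SM + r"\Memory Management", "ClearPageFileAtShutdown", 1),
    (SYS + r"\Services\Cdrom", "AutoRun", 0),
    (SM + r"\Environment", "Os2LibPath", None),
] + [(SM + r"\SubSystems", n, None) for n in ("Optional", "Os2", "Posix")]

def parse_reg(text):
    """Parse .reg text into {key: {value name: raw data}}, names lower-cased."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]*)"=(.*)', line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def audit(text):
    """Return findings for a .reg export; an empty list means all checks pass."""
    keys, findings = parse_reg(text), []
    for key, name, want in CHECKS:
        values = keys.get(key.lower())
        data = (values or {}).get(name.lower())
        if values is None:
            findings.append(f"{key}: not in export, cannot verify {name}")
        elif want is None and data is not None:
            findings.append(f"{key}\\{name}: still present")
        elif want is not None and str(data).lower() != f"dword:{want:08x}":
            findings.append(f"{key}\\{name}: want {want}, found {data}")
    prefix = OS2_KEY.lower() + "\\"
    findings += [f"{k}: subkey remains" for k in keys if k.startswith(prefix)]
    return findings

# Constructed sample export (shortened REGEDIT4 text), not from a real host.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT\ExampleSubkey]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Posix"=hex(2):70,73,78,\
  00'''
```

A key that is missing from the export is reported as unverifiable rather than treated as compliant, so export the whole HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SOFTWARE branches before running `audit()`.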

Sunday, June 11, 2006 

'Spy' revealed in Microsoft security tool

Microsoft has acknowledged that it needs to better inform users that its tool for determining whether a computer is running a pirated copy of Windows also quietly checks in daily with the software maker.

The company said the undisclosed daily check is a safety measure designed to allow the tool, called Windows Genuine Advantage, to quickly shut down in case of a malfunction.

For example, if the company suddenly started seeing a rash of reports that Windows copies were pirated, it might want to shut down the program to make sure it wasn't delivering false results.

"It's kind of a safety switch," said David Lazar, who directs the Windows Genuine Advantage program.

Lazar said the company added the safety measure because the piracy check, despite widespread distribution, is still a pilot program. He said the company was worried that it might have an unforeseen emergency that would require the program to terminate quickly.

But he acknowledged that Microsoft should have given users more information about the daily interactions.

"We're looking at ways to communicate that in a more forward manner," he said.

Lazar also said the company plans to tweak the program soon so that it will only check in with Microsoft every two weeks, rather than daily.

The tool, part of the company's bid to thwart widespread piracy, is being distributed gradually to people who have signed up to receive Windows security updates. The company expects to have offered it to all users worldwide by the end of the year.

Lazar said that so far, about 60 per cent of users who were offered the piracy check decided to install it. Once installed, the program checks to make sure the version of Windows a user is running is legitimate, and gathers information such as the computer's manufacturer and the language and locale it is set for.

That information-gathering is disclosed in a licensing agreement. But the agreement does not make clear that the program also is designed to "call home" to Microsoft's servers, to make sure that it should keep running.

At least every 90 days, the tool also checks again to see if the copy of Windows is legitimate. Lazar said that's because the company sometimes discovers that a copy of Windows that it thought was legitimate is actually pirated.

When Microsoft believes a copy of Windows is pirated, the user begins to get a series of reminders that the copy isn't genuine. Such users also are barred from downloading noncritical updates, such as the new version of its Internet Explorer browser. But anyone who has signed up to automatically receive security updates, which repair flaws to prevent Internet attacks, will still get those fixes.

Lauren Weinstein, who is co-founder of People for Internet Responsibility and was one of the first people to notice the daily communications to Microsoft, said he understands and sympathises with Microsoft's desire to control piracy. But he said it's problematic that Microsoft did not disclose all the program's communications with the company.

Weinstein said he also was surprised that Microsoft decided to release so widely a tool that it says is in a "pilot" mode and might need to be suddenly shut down.

"Really what you're talking about is someone saying, 'Look we've put something on your computer and it might go screwy, so we're going to kind of check in every day,'" he said.

http://www.smh.com.au/news/

Tuesday, June 06, 2006 

Fujitsu spins 1.8 inch monster

Fujitsu will launch its first 1.8-inch hard-disk drive in the middle of next year, a company engineer said at the Computex trade show Tuesday.

The Japanese company already makes 3.5-inch drives for desktop computers and servers and 2.5-inch drives for laptops and is getting into the market for smaller drives because it anticipates strong growth over the next few years.

In January Fujitsu said that it expected worldwide demand for 2.5-inch mobile PC drives to rise from 81 million in 2005 to 210 million units in 2010, and for 1.8-inch drives to rise from 16 million units to 90 million units over the same period.

The sector is expected to see strong growth because 1.8-inch drives are small enough to be used in portable consumer electronic devices. Notable uses of such drives at present include Apple's iPod music players.

Fujitsu's first drive will likely be launched in June or July 2007, said Kenji Nakajima, a senior marketing engineer with Fujitsu's hard-disk business division. The drive will have a capacity of around 60G bytes per platter and a prototype will be available to customers in the April to June period, he said.

That's right in line with the April to September launch date Fujitsu predicted earlier this year when it disclosed its 1.8-inch drive development.

Fujitsu already has a prototype 1.8-inch drive, which Nakajima carefully removed from a box in his pocket to show a reporter. The prototype has a 30G byte capacity and uses a controller chip from a 2.5-inch drive. Development of a smaller chip for the new drive is one of the tasks still in front of the engineering team.

The prototype shown Tuesday has a parallel ATA interface but Fujitsu's first two commercial drives will come with Serial ATA and CE-ATA, the latter for the consumer electronics industry.

Sunday, June 04, 2006 

Australia's meteoric rise from Gondwana

[Image: Giant 300-mile wide crater in Antarctica shown encircled]

A meteor believed to have caused the biggest mass extinction in Earth's history, long before dinosaurs roamed the planet, may have also spawned the Australian continent, US scientists have revealed.

A geological team from Ohio State University, which collaborated with NASA, said it was likely the impact of the meteor about 250 million years ago jump-started the break-up of the Gondwana supercontinent that led to the creation of modern Australia.

Australia separated from Gondwana about 100 million years ago and began drifting northward, pushed away by the expansion of a rift valley into the eastern Indian Ocean.

"Its size and location — (of the impact) in the Wilkes Land region of East Antarctica, south of Australia — suggest that it could have begun the break-up of Gondwana supercontinent by creating the tectonic rift that pushed Australia northward," the team's leader Ralph von Frese said in a statement.

"The rift cuts directly through the crater, so the impact may have helped the rift to form."

The crater, which is about 483 kilometres wide and hidden more than 1.6 kilometres beneath the East Antarctic ice sheet, is twice the size of the Chicxulub crater in Mexico's Yucatan peninsula that marks the impact that scientists say may have ultimately killed the dinosaurs 65 million years ago.

"The Wilkes Land impact is much bigger than the impact that killed the dinosaurs, and probably would have caused catastrophic damage at the time," Professor von Frese said.

The scientists presented their preliminary findings at a recent American Geophysical Union Joint Assembly meeting. They used gravity fluctuations measured by NASA's satellites to peer beneath Antarctica's icy surface, finding a 321-kilometre-wide plug of mantle material — a mass concentration, or "mascon" in geological parlance — that had risen up into the Earth's crust.

Mascons are the planetary equivalent of a bump on the head. They form where large objects slam into a planet's surface. Upon impact, the denser mantle layer bounces up into the overlying crust, which holds it in place beneath the crater.

When the scientists overlaid their gravity image with airborne radar images of the ground beneath the ice, they found the mascon perfectly centred inside a circular ridge some 483 kilometres wide — large enough to hold Tasmania.

Taken alone, the ridge structure wouldn't prove anything. But to Professor von Frese, the addition of the mascon means "impact".

http://www.theage.com.au/

The Author

  • Nick Perrydoo
  • Spawn at Philippines
© Copyright 2006 Ba-zoo-ra - All Rights Reserved.