[ Main page | Threats | Hacked? | Securing | Win2k/XP | Tweaks | Firewalls & ZA | Links & Software ]

 


Tweaks and tricks for security and privacy

Here I will show you a few tricks and tweaks to improve your security and privacy. First, we will adjust your Internet Explorer settings so they are a bit safer. Then we will stop NetBIOS from bothering you, take care of the Index.dat files privacy issue and keep System Restore from ever causing you any privacy or other problems. Finally, I show you how to easily find and delete unneeded files from your computer. If Microsoft had bothered to make Windows secure by default, we wouldn't be here doing it for them. ;) The sad fact is that there are so many privacy and security issues in the default settings of any Windows operating system that they need to be taken seriously. If you are using Windows2000 or WindowsXP, please consult the "Win2k/XP" page for other tweaks.


An example about safe settings for Internet Explorer:
These settings apply mainly to Internet Explorer 6 but in most cases to older versions too. Internet Explorer's default settings are very insecure. Not to mention all the JavaScript and ActiveX vulnerabilities there have been in IE! Also, there are plenty of unpatched vulnerabilities in Internet Explorer, please see this. I suggest that you update to the latest version of Internet Explorer and download all the patches needed for it to be even relatively safe. If you are still using some 4.xx or 5.xx version, you should update NOW! Yes, I do know it takes a lot of time to download if you are using a modem, but there are so many bugs and security holes in old versions that if you don't update...well... Still, I suggest using some other browser for security reasons, like Opera or Netscape or Mozilla. :) Anyway, here are the secure settings for IE.

Attention! Some people prefer using "hosts files" or the "Restricted Sites Zone" for securing their Internet Explorer. I strongly recommend that you DO NOT follow these kinds of practices, or at least do not trust that they provide any security. The reason is that you cannot know the hostile internet sites before you hit them, and then it's already too late. Trying to keep up with the "bad sites" using some list of known "bad sites" is a waste of time, since there will be plenty of new "bad sites" that will never be added to such a list. The ONLY way to be sure is to consider ALL sites on the internet as "possibly hostile until proven friendly". This means that you secure all the settings and only allow things like JavaScript on sites that you can absolutely trust. Most sites will work just fine without JavaScript etc. enabled anyway.

1. Go to the menu in the bottom left corner of the screen and choose "Start" - "Settings" - "Control Panel" and double-click "Internet Options".

2. Go to the next page, "Security", and move the security level bar for the "Internet zone" to "High". If you can't see the security level bar, click "Default level" and then move it to "High". This will save you from many dangers, like harmful ActiveX content and so on.

3. Now, click "Trusted Sites" on this page and move the security level bar here to "Medium low". If you can't see the security level bar, click "Default level" and then move it to "Medium low". Now, you MUST add sites you absolutely trust to your "Trusted Sites" by pressing the button "Sites". Add pages like [without quotes] "*.microsoft.com" and press "Add". Now all the pages belonging to Microsoft [like http://windowsupdate.microsoft.com] are considered trusted. Also, remember to disable "Require server verification (https) for all sites in this zone"! It is important to add sites you trust here, so that cookies, JavaScript, ActiveX and so on work on these pages...but only on those pages you trust! Press OK to go back to the rest of the settings.

4. Then click the other zones and change the security level of those zones to "High". This will ensure that every zone other than the "Trusted Sites" zone is as secure as possible.

5. Go to the next page, called "Privacy", and move the bar to the top. This makes sure no cookies from internet sites are stored on your computer. The pages you have added to your "Trusted Sites" will still be able to set cookies on your computer as they are supposed to.

6. Go to the next page, called "Content", and on that page go to "Autocomplete". Clear all the checkmarks; this makes sure that no passwords or forms are saved in the browser where someone might easily use them for whatever he desires. Passwords are meant to be kept in memory, not saved anywhere! Also, remember to clear both passwords and forms now. Press OK to go back to the rest of the settings.

7. a) Go to the final page, "Advanced", and make sure you have the following enabled:
- "Automatically check for Internet Explorer updates"
- "Use SSL 3"
- "Use TLS 1"
- "Check for signatures on downloaded programs"
- "Check for publisher's certificate revocation"
- "Check for server certificate revocation"
- "Do not save encrypted pages to disk"
- "Warn about invalid site certificates"
b) Make sure you have the following disabled:
- "Install on demand -other"
- "Use AutoComplete"
- "Use third-party browser extensions"
- "Enable install on demand"
- "Enable integrated Windows authentication"

8. IMPORTANT! At the end, press OK so that the settings will be used by Internet Explorer!

If you, for some reason, want to be able to download files from all over the internet, you should tweak the settings a bit after making the changes described above. The "High" security settings don't allow files to be downloaded from the internet, you see. Follow steps 1 and 2, but when you are on the "Security" page in the "Internet" zone, choose "Custom level". Scroll down until you see "Download" - "File download" and choose "Enable". You should be very careful when downloading files from the internet. NEVER execute files directly from the internet. Always download the file first, and then execute it from your computer only if you are absolutely sure it is safe to execute that particular file.
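To check that the zone levels from steps 2 to 4 (and the optional download tweak) actually took effect, the following added example, which is not part of the original page, audits the text of a regedit export of the "Internet Settings\Zones" key. The `CurrentLevel` codes and URL action `1803` (File download) are the values Internet Explorer stores for its zones; the function names and the sample export are constructed for illustration.

```python
import re

# Zone numbers and CurrentLevel codes stored under ...\Internet Settings\Zones\<n>.
ZONES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
LEVELS = {0x12000: "High", 0x11000: "Medium", 0x10500: "Medium-low", 0x10000: "Low"}
# The page's recommendation: Trusted sites at Medium-low, every other zone at High.
WANTED = {1: 0x12000, 2: 0x10500, 3: 0x12000, 4: 0x12000}
FILE_DOWNLOAD = "1803"  # URL action "File download": 0 = enable, 3 = disable

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)

def parse_zones(reg_text):
    """Return {zone number: {value name: int}} from the text of a regedit export."""
    zones, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = zones.setdefault(int(m.group(1)), {}) if m else None
        elif current is not None and (m := VAL_RE.match(line)):
            current[m.group(1)] = int(m.group(2), 16)
    return zones

def audit(reg_text):
    """Return findings; an empty list means the export matches the recommendation."""
    zones, findings = parse_zones(reg_text), []
    for zone, wanted in WANTED.items():
        values = zones.get(zone, {})
        level = values.get("CurrentLevel")
        if level is None:
            findings.append(f"{ZONES[zone]}: no CurrentLevel in export")
        elif level not in LEVELS:
            # Not one of the named templates: the zone was edited via "Custom level".
            dl = {0: "enabled", 3: "disabled"}.get(values.get(FILE_DOWNLOAD), "unknown")
            findings.append(f"{ZONES[zone]}: custom level, file download {dl}")
        elif level != wanted:
            findings.append(f"{ZONES[zone]}: {LEVELS[level]}, want {LEVELS[wanted]}")
    return findings

# Constructed sample export (not taken from a real machine).
PREFIX = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
SAMPLE = "\n".join([
    "REGEDIT4", "",
    PREFIX + r"\1]", '"CurrentLevel"=dword:00010500', "",
    PREFIX + r"\2]", '"CurrentLevel"=dword:00010500', "",
    PREFIX + r"\3]", '"CurrentLevel"=dword:00000000', '"1803"=dword:00000000', "",
    PREFIX + r"\4]", '"CurrentLevel"=dword:00012000',
])
```

Exports made by regedit on Windows2000/XP are UTF-16 text, so decode the file accordingly before passing its contents to `audit`. A zone reported as "custom level" has left the named templates, so its individual settings need a manual look.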

 

NetBIOS problem and how to solve it
NetBIOS reveals lots of information about your system, like your name and workgroup. It also has LOTS of built-in bugs that can be exploited by hackers one way or another. If you have a badly configured system, you might also be sharing the content of your computer with the rest of the world via “File and printer sharing” over NetBIOS. Actually, if you are using WindowsXP, you are, by default, sharing most of the content of your hard drive with the whole world unless you have a firewall enabled! Yes, you heard me right! In principle, everyone having a network card or internet connection might be vulnerable under a Windows OS. If you are a home user without a LAN or home network, then you don’t really need it. And you can always give it a try. Running any Windows with NetBIOS on is asking for trouble. Get rid of it! But how?

Here’s the tricky part. If you run Windows95/98/ME, you really *can't* remove it. Why? Ask Bill Gates. So what you need to do is to make sure that Windows doesn’t load NetBIOS at all!

- If you have WindowsME, then you need to run “MSconfig”, then choose “Static VxDs” and simply uncheck “NetBIOS”. That’s it! Now Windows doesn’t load it anymore. If you need it or find out that your connection isn’t working properly, you can simply enable it again. Remember to reboot every time you make these changes so they will take effect.

- If you have Windows95/98, then you need to rename the file “vnbt.386” to something else, like “vnbt.old”, and reboot. That’s it! Again, if your system or network/internet doesn’t seem to work fine, then just rename it back to “vnbt.386” and reboot.

- If the previous ones don’t work for you, here is the “final way of doing it”. This has been produced by Steve Gibson at Gibson Research. http://grc.com/su-rebinding9x.htm

- If you are using Windows2000/XP, you can disable NetBIOS by going to your network preferences and disabling it there...you can find a more precise guide on the "Win2k/XP" page.

- You can go to https://grc.com/x/ne.dll?bh0bkyd2 and run “Test my shields!” to see that NetBIOS is really off. Remember to turn off your firewall, if you have one, that is.
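A local complement to the online test, as an added example that is not part of the original page: it reads saved `netstat -an` output and lists the NetBIOS endpoints (UDP 137, UDP 138, TCP 139) that are still open on a non-loopback address. The function name and both sample outputs are constructed for illustration.

```python
NETBIOS_PORTS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service",
}

def netbios_listeners(netstat_text):
    """Return [(proto, local_address, service)] for open NetBIOS endpoints."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = parts[0], parts[1]
        if proto == "TCP" and parts[-1] != "LISTENING":
            continue  # an established connection is not an open listener
        addr, _, port = local.rpartition(":")
        service = NETBIOS_PORTS.get((proto, int(port))) if port.isdigit() else None
        if service and not addr.startswith("127."):
            found.append((proto, local, service))
    return found

# Constructed "netstat -an" output with NetBIOS still loaded.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1039      192.0.2.80:80          ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Constructed output after the tweak and a reboot: the three endpoints are gone.
AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1039      192.0.2.80:80          ESTABLISHED
"""

if __name__ == "__main__":
    for entry in netbios_listeners(BEFORE):
        print(entry)
```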

 

Solution for Index.dat files dilemma
Index.dat files contain information about websites you have visited, things you have done, cookies you have received, etc. Their main purpose, according to Microsoft, is to speed up browsing by keeping this information nearby. The problem is that they are not deleted when you clear your temporary internet files! This is because Windows locks those files. They need to be cleared BEFORE it has a chance to do that. So here's my recipe for it. Please note that this will also delete all your browsing history, since it deletes the content of the “history”, “cookies” and “temporary internet files” folders. All of the index.dat files and folders this deletes will be re-created by Windows during bootup.

Windows95/98/ME (English language version): all you need to do is download and run eng.exe (here is my PGP signature for it); it will guide you through the rest. It contains the .bat file that will delete the content of those folders during reboot. It also contains a registry key that makes that .bat file run during reboot. You can view the content of eng.exe with WinRar.
To remove this tweak, delete the xxx.bat and xxx.pif files from C:\ and delete the registry value (use regedit) from [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "xxx.bat"


Windows2000/XP (English language version)
Method 1: Save exp.cmd (here is my PGP signature for it) to your startup folder (usually it's C:\Documents and Settings\All Users\Start Menu\Programs\Startup). Then it will run every time you log in to your computer. To remove this tweak, simply delete exp.cmd from that folder.
Method 2: Save exp.cmd to the C:\ directory. Then run gpedit.msc, go to "Local computer policy - User Configuration - Windows Settings - Scripts (Logon/Logoff) - Logoff" and add exp.cmd to the logoff scripts (see below). Now it will run every time you log out of your computer. To remove this tweak, remove the script from there and delete the exp.cmd file from C:\

Method 3: You can also delete the index.dat files by logging in as another user that has write access to the proper directories and simply deleting the index.dat files. Usually this means that you have to be a system administrator.
Method 4: Use a tool like MRU-blaster. In some cases it can actually work to clean index.dat files. Usually it doesn't.

System Restore privacy issue and fix
System Restore is a feature in WindowsME and WindowsXP that "should" help users undo changes made to the computer. This is useful if you or someone else tampers with your settings or installations. However, I have discovered that System Restore usually doesn't do its job. What you can't do with the command prompt and commands like "scanreg /fix" (fixes the registry) or "scanreg /restore" (restores an old, hopefully working registry), you can't do with System Restore. In short, System Restore doesn't do any miracles. Don't count on it.


However, the privacy issue with System Restore is that it stores, in the background, lots of files, information and logs on your computer (under the C:\_restore folder, which is hidden by default). As if this isn't enough, it also prevents you from deleting them under Windows! I personally had a virus trapped there, and found that it had copies of my documents, programs I had installed, etc. etc. It's a goldmine to anyone who wants to see what you have been doing lately. Also, it can take hundreds of MB of space from your HDD! That's why you'd better rip it out. And I mean rip it out, because normally disabling it won't help! This tip is for WindowsME; check "Windows2000/XP" for a guide on how to do this with Windows2000/XP.

If you want a good backup system to back up your system settings, I suggest getting Norton Ghost. You can create a byte-by-byte image of your C: partition and save it somewhere safe, like another HDD or partition, or even burn it to CD-R(W). It is a 100% backup that you can create or restore in a matter of minutes. I suggest using it. Don't use System Restore. It's no good.

1. Go to Control Panel / System / Performance / File System / Troubleshooting and disable System Restore.

2. Run "msconfig", go to "Startup" and disable "*statemgr" from loading. After a reboot, you are done!

3. You can boot to DOS and delete the content of the C:\_restore folder. If you made the little tweak described above for the Index.dat files, you can easily add one line to that xxx.bat file: add (without quotes) "deltree /Y c:\_restore\" and the content of that folder will be deleted on every boot. You see, sometimes Windows wants to store your old swapfile in that location if you change your swapfile preferences somehow.

Clean up your system
You can clean up your system with programs like EasyCleaner, but you can also clean up a bit with Windows' own tools. You can use "Disk Cleanup" to get rid of unneeded files, but there is a more powerful option too if you are using WindowsXP (at least; I'm not sure whether it works with other versions).
1. Run (without quotes) "cleanmgr /sageset:1". This lets you choose what is to be cleaned up. I recommend selecting everything except "Compress old files" unless you are really running out of space. "Compress old files" also requires NTFS and takes quite a bit of time.

2. Run (without quotes) "cleanmgr /sagerun:1". This actually clears the stuff you just selected. If you want to, you can create a .cmd file that has (without quotes) "cleanmgr /sagerun:1" inside and then create a shortcut to it anywhere you need, so you can easily clean your computer later on.



Copyright © 2001-2005 Markus Jansson. All rights reserved.