Build a security wall for the operating system using the registry

Source: Internet
Author: User
Tags: net send

As we all know, the registry is where the operating system keeps all of its settings: the startup method of every program and the startup type of every service are controlled by a small key value in the registry.
However, that power also makes the registry a dirty place. Viruses and Trojans often take up residence here and secretly do their evil, threatening an otherwise healthy operating system. How can we effectively guard against viruses and Trojans and keep the system running normally? Today I will introduce how to build a secure system through the registry from nine aspects, covering services, default settings and permission assignment.

Note: You must back up the original registry before modifying the registry.

1. Reject "Message" Harassment

Security risk: in Windows 2000/XP, the Messenger service is enabled by default. A malicious user can send messages to the target computer with the "net send" command, and the target computer then receives harassing messages from others from time to time, seriously affecting normal use.

Solution: first open the Registry Editor. System services are managed through the sub-keys of the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" item in the registry. Each sub-key corresponds to one service in the system; for example, the sub-key of the "Messenger" service is "Messenger". You only need to find the Start value under the Messenger item and change it to 4. The service is then disabled and the user will no longer be harassed by such messages.

2. Disable "Remote Registry Service"

Security risk: if a hacker connects to our computer while the Remote Registry service is enabled, the hacker can remotely configure services through the registry, so the Remote Registry service needs special protection.

Solution: set the startup mode of the Remote Registry service to "Disabled". However, once hackers have intruded into our computer, they can still change the service from "Disabled" back to "Automatic" with a few simple operations. Therefore it is necessary to delete the service.

Find the RemoteRegistry item under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" in the registry, right-click the item and select "Delete" (Figure 1). Once this item is deleted, the service can no longer be started.


Figure 1

You must export and save this item before deleting it. If you need the service again, just import the saved registry file.

3. Remove the Default Shares

Security risk: Windows 2000/XP/2003 enable some "shares" by default, including IPC$, C$, D$, E$ and ADMIN$. Many hackers and viruses use these default shares to intrude into the operating system.

Solution: to prevent IPC$ attacks, set the RestrictAnonymous value under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" in the registry to 1. In this way the IPC$ connection can be disabled.

For the default shares of the C$, D$ and ADMIN$ type, find the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" item in the registry. If the system is Windows 2000 Server or Windows 2003, add the value "AutoShareServer" (type REG_DWORD, data 0) under this item. If the system is Windows 2000 Professional, add the value "AutoShareWks" (type REG_DWORD, data 0) under this item instead.

4. Prevent the System from Leaking Private Information

Security risk: when an error occurs in Windows, the Dr. Watson program automatically saves private information about the system call, storing it in the user.dmp and drwtsn32.log files. An attacker can crack this program to learn private information about the system, so we need to stop it from disclosing information.

Solution: find "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" and set the Auto value to 0. Dr. Watson will then no longer record error information while the system runs. At the same time, open "Documents and Settings → All Users → Documents → DrWatson", find the user.dmp and drwtsn32.log files and delete them; the purpose of deleting these two files is to remove the private information Dr. Watson stored previously.

Tip: if the Dr. Watson program has not been running, the "DrWatson" folder and the user.dmp and drwtsn32.log files will not be found.

5. Reject Malicious Harassment by ActiveX Controls

Security risk: many Trojans and viruses hide malicious ActiveX controls in web pages to run programs on the system without permission and damage the local system. To keep the system safe, we should prevent ActiveX controls from running programs without permission.

Solution: ActiveX controls run programs by calling the Windows Script Host component. Therefore we can first delete the wshom.ocx file in the "system32" directory so that ActiveX controls can no longer call Windows Script Host. Then find "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}" in the registry and delete the item. After these operations, ActiveX controls can no longer call script programs without permission.

6. Prevent Page File Leaks

Security risk: like the Dr. Watson program mentioned above, the Windows 2000 page (swap) file often becomes a target of hacker attacks, because the page file may leak information that was originally in memory and has been written out to the hard disk. After all, it is not easy for hackers to read information in memory, whereas information on the hard disk is easy to obtain.

Solution: locate "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" and set the ClearPageFileAtShutdown value to 1 (Figure 2). In this way the system clears the page file every time it is shut down or restarted, effectively preventing information leakage.


Figure 2

7. Stop Passwords from Being Entered Automatically

Security risk: when surfing the Web on Windows, the system automatically records the password and enters it automatically the next time the site is accessed. This easily leads to leakage of private information.

Solution: find the Network subkey under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" branch (create it if it does not exist) and create a new DWORD value under it named DisablePasswordCaching with its data set to 1. After the computer is restarted, the operating system will no longer record passwords.
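The values set in sections 1 to 7 above can be verified in one pass rather than by opening each key in the Registry Editor. The following PowerShell script is an added example, not part of the original article; it is read-only, reports each value as OK, RISK or MISSING, and assumes the Windows 2000/XP/2003-era keys the article names (on later Windows versions keys such as Messenger or AeDebug\Auto may simply be absent and are reported as MISSING).

```powershell
# Added example (not from the original article): audit the registry values that
# sections 1-7 tell the reader to set, without changing anything.
# Run from an elevated PowerShell prompt.

$checks = @(
    # Section 1: Messenger service disabled (Start = 4)
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\Messenger'; Name='Start'; Want=4 }
    # Section 3: restrict anonymous (IPC$) access
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymous'; Want=1 }
    # Section 3: administrative shares off (server and workstation variants)
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='AutoShareServer'; Want=0 }
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='AutoShareWks'; Want=0 }
    # Section 4: Dr. Watson does not record crash information
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'; Name='Auto'; Want=0 }
    # Section 6: page file cleared at shutdown
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name='ClearPageFileAtShutdown'; Want=1 }
    # Section 7: no cached passwords
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network'; Name='DisablePasswordCaching'; Want=1 }
)

function Test-RegistryHardening {
    param([array]$Checks)
    foreach ($c in $Checks) {
        # Returns $null when either the key or the named value does not exist
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $status = 'MISSING'
            $actual = $null
        } else {
            # AeDebug\Auto is stored as a string ("0"/"1"); the cast normalises it
            $actual = [int]$item.($c.Name)
            $status = if ($actual -eq $c.Want) { 'OK' } else { 'RISK' }
        }
        [pscustomobject]@{ Status=$status; Key=$c.Key; Name=$c.Name; Actual=$actual; Expected=$c.Want }
    }
}

# Section 2 deletes the RemoteRegistry service key outright, so the check there
# is simply whether the key still exists.
function Test-RemoteRegistryRemoved {
    -not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry')
}

Test-RegistryHardening -Checks $checks | Format-Table -AutoSize
if (Test-RemoteRegistryRemoved) { 'RemoteRegistry: key removed' } else { 'RemoteRegistry: key still present' }
```

Run it once before and once after applying the article's changes; any line still marked RISK is a value that was not changed as described.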

8. Prevent Viruses from Starting Services

Security risk: today's viruses are very clever. Unlike earlier ones, which loaded only through the registry's Run value or the items in MSCONFIG, some advanced viruses load themselves as system services. So can we make sure that viruses or Trojans do not have the permission needed to start a service?

Solution: run the "regedt32" command to open the Registry Editor that supports permission assignment. Find the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" branch in the registry, click "Security > Permissions" in the menu bar, click "Add" in the permission settings window that appears and add the Everyone account. Then select "Everyone", set its "Read" permission to "Allow" and clear its "Full Control" permission (Figure 3). Now no Trojan or virus can start a system service on its own. Of course, this method only works against viruses and Trojans that do not have administrator permissions.

Figure 3

9. Prevent Viruses from Starting on Their Own

Security risk: many viruses start together with the operating system by loading themselves through the Run value in the registry. We can remove the virus or Trojan's permission to modify this key value using the method described in "Prevent Viruses from Starting Services".

Solution: run the "regedt32" command to open the Registry Editor. Find the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" branch in the registry, set Everyone's "Read" permission on the branch to "Allow" and clear its "Full Control" permission. In this way viruses and Trojans cannot use this key value to start themselves.
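The permission change from sections 8 and 9 can also be applied with PowerShell instead of clicking through regedt32. The script below is an added example, not part of the original article; for each key it saves the current ACL as an SDDL string (so the change can be undone, in the spirit of the article's backup note), removes every explicit entry for Everyone (addressed by its well-known SID S-1-1-0 so the script works regardless of UI language) and adds a single Allow "Read" entry that inherits to subkeys. Inherited entries are left untouched, which is why the article's caveat about administrator-level malware still applies.

```powershell
# Added example (not from the original article): give Everyone read-only access
# to the Services key (section 8) and the Run key (section 9), keeping a backup
# of each ACL in SDDL form. Run from an elevated PowerShell prompt.

function Set-EveryoneReadOnly {
    param([Parameter(Mandatory)][string]$Key)

    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $acl      = Get-Acl -Path $Key
    $backup   = $acl.Sddl                      # saved so the change can be reverted

    # Explicit (non-inherited) rules only, with identities returned as SIDs
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $explicit) {
        if ($rule.IdentityReference -eq $everyone) { $null = $acl.RemoveAccessRule($rule) }
    }

    # One Allow ReadKey entry for Everyone, inherited by all subkeys
    $readOnly = New-Object System.Security.AccessControl.RegistryAccessRule(
        $everyone,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($readOnly)
    Set-Acl -Path $Key -AclObject $acl

    return $backup
}

# Undo helper: pass the SDDL string returned by Set-EveryoneReadOnly
function Restore-KeyAcl {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Sddl)
    $acl = Get-Acl -Path $Key
    $acl.SetSecurityDescriptorSddlForm($Sddl)
    Set-Acl -Path $Key -AclObject $acl
}

# Section 8: service definitions; section 9: the machine-wide Run key
$targets = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$saved = @{}
foreach ($t in $targets) { $saved[$t] = Set-EveryoneReadOnly -Key $t }
# Backup file location is an assumption for this example
$saved | ConvertTo-Json | Set-Content -Path "$env:TEMP\registry-acl-backup.json"
```

To revert, read the JSON file back and call Restore-KeyAcl with each key and its saved SDDL string.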

Viruses and Trojans are constantly evolving, so we must keep learning new protection knowledge to defend against them. Rather than scanning and removing a virus or Trojan after infection, it is better to do the defensive work in advance and build a solid wall to resist it. After all, mending the fold after the sheep is lost is not what we want; what we should pursue is preventing the trouble before it happens.
