How many services in WinXP Pro do you run?


MooCow
03-02-2004, 05:08 AM
Well, I have about 8 running right now; I'm wondering if you can squeeze out more?

Right now I have:
DHCP Client
DNS client
Event log
Plug and Play
RPC
Security accounts manager
Windows Audio
Windows Management Instrumentation

Ranma_Sao
03-02-2004, 01:12 PM
Whatever the installed services are. Why would you want to kill more services?

MooCow
03-02-2004, 01:53 PM
Because anything I'm not using takes up resources and most likely poses a security risk, i.e. Messenger service, UPnP, etc.

CrimandEvil
03-02-2004, 02:25 PM
Turn off those useless services! (http://www.blackviper.com/winxp/servicecfg.htm)

OldMX
03-02-2004, 03:01 PM
I boot my computer with 10 services :D

OldMX

MooCow
03-02-2004, 03:16 PM
Yeah, that's who I was referring to, the good ol' Black Viper.

Ranma_Sao
03-02-2004, 08:11 PM
And I am so sure all those not networked services you disabled were a security risk. And I'm sure that having those services enabled slowed your machine down a lot. *Light Sarcasm*

Black Viper may be very good at compiling information from other sources, but he is very bad at discussing the side effects of disabling services.

Programs may not work, Windows may become more unstable, Windows may become slower. (Does this sound like a faster more stable solution to you? ;) )

But feel free to disable services, if you bolo your box, your Hard community will tell you how to fix it. ;)

(And yes I have had to troubleshoot many a persons box that disabled a service they didn't need, that an application, or system call depended on...)

GreNME
03-02-2004, 08:37 PM
Black Viper may be very good at compiling information from other sources, but he is very bad at discussing the side effects of disabling services.
And he's downright shitty at giving credit where credit is due when it comes to sources.

He's a quack, and causing people who know jack squat about Windows to screw up their machines.

LoStMaTt
03-02-2004, 10:44 PM
People are entitled to their opinions and my opinion is that BlackViper's material is legit and is for people who know what they are doing. But usually, people who don't know what they are doing with Windows or software wouldn't stumble upon his website in the first place.

I am not a BV guru or anything, but I have used most of his suggestions and have found no consequences or disruptions of my everyday computer use.

GreNME
03-03-2004, 02:00 AM
The only thing "legit" in Quack Viper's material is the sources he rips from without citing. His "suggestions" are a load of crap. If someone "knows what they're doing," they don't need to disable services for performance, because they know that they get absolutely no measurable performance increase. If someone "knows what they're doing," they don't need to disable services to secure a box because they know the right way to do it—without crippling a machine.

Quack Viper reminds me of the asshats who poke holes in their muffler and stick coffee cans on their tailpipes and think that makes their corollas faster.

mfm
03-03-2004, 03:06 PM
Originally posted by GreNME
If someone "knows what they're doing," they don't need to disable services to secure a box because they know the right way to do it—without crippling a machine.
Forgive me for sidetracking this discussion somewhat, but short of disabling some of the "problem" XP Pro services, how does one secure their home PCs? Have a link or two? The best I could come up with is something on the order of SmoothWall.

Ranma_Sao
03-03-2004, 03:15 PM
1. Keep your machine up to date with automatic updates.
2. Run a firewall, hardware/software doesn't matter
3. Run A/V software (And yes, this does have the possibility of slowing down your box, but most new A/V software is pretty good about it)

http://www.microsoft.com/security/protect/

mfm
03-03-2004, 04:49 PM
Originally posted by Ranma_Sao
1. Keep your machine up to date with automatic updates.
2. Run a firewall, hardware/software doesn't matter
3. Run A/V software (And yes, this does have the possibility of slowing down your box, but most new A/V software is pretty good about it)

http://www.microsoft.com/security/protect/
1. Automatic and manual updates as needed. Done
2. Linksys router plus software firewall. Done
3. McAfee Enterprise 7.0. Done

As was noted in the link you provided, file and print sharing is disabled with ICF turned on (sorry, I leaped from Win98 to WinXP, steep learning curve!). I would like to have file and print sharing turned on, which is why something like SmoothWall or IPCop is appealing.

cloaked
03-03-2004, 06:08 PM
If you have a routed local network, you can easily set up static IP addressing and turn off the DHCP client. I don't know how much memory this takes up in Windows since services aren't listed individually, but the Linux dhcpcd (client service) takes up about 3.5 megs, so I just set up static IPs.
The most security issues you will have are with ports 137 and 445 (?), aka NetBIOS file/printer sharing. In my router logs, 90% of the attempts are to these two ports. But you can always enable Windows file sharing for your LAN; just block all incoming and outgoing traffic to those ports at the network border.

Ranma_Sao
03-03-2004, 06:37 PM
Originally posted by mfm
1. Automatic and manual updates as needed. Done
2. Linksys router plus software firewall. Done
3. McAfee Enterprise 7.0. Done

As was noted in the link you provided, file and print sharing is disabled with ICF turned on (sorry, I leaped from Win98 to WinXP, steep learning curve!). I would like to have file and print sharing turned on, which is why something like SmoothWall or IPCop is appealing.

Your linksys router is fine? You can have file and print sharing turned on for your lan, the router will block the packets from the internet, unless you forward them onto your lan... (Bad Idea)

mfm
03-03-2004, 08:48 PM
Originally posted by cloaked
The most security issues you will have are with ports 137 and 445 (?), aka NetBIOS file/printer sharing. In my router logs, 90% of the attempts are to these two ports. But you can always enable Windows file sharing for your LAN; just block all incoming and outgoing traffic to those ports at the network border.
Originally posted by Ranma_Sao
Your linksys router is fine? You can have file and print sharing turned on for your lan, the router will block the packets from the internet, unless you forward them onto your lan... (Bad Idea)
Okay, I'll admit I'm a bit confused. In the last 5 years of using Win98, I was told NEVER to turn on print and file sharing even with a broadband/DSL router in place. I figured it was worse for WinXP, given all of the security holes I have heard about in NT/2K/XP in recent times.

FWIW, I did run the basic port probe software over at dslreport.com and all tests were green (good!). Is this a decent test or is there a more stressful test available online?

SJConsultant
03-03-2004, 09:08 PM
Originally posted by mfm
Okay, I'll admit I'm a bit confused. In the last 5 years of using Win98, I was told NEVER to turn on print and file sharing even with a broadband/DSL router in place.

Someone gave you a lot of FUD. If you've got a hardware firewall/router and it's configured with all ports closed, e.g. no DMZ, no port forwarding, then there is no way someone could directly connect to your computer.

I figured it was worse for WinXP, given all of the security holes I have heard about in NT/2K/XP in recent times.


You can't always believe what you read or hear. Yes there have been security problems, viruses, etc., but when it comes down to it, *most* of the time systems are compromised or infected because they are not firewalled, not running AV software, not up to date on patches, users blindly clicking on anything and everything, or any combination of the four.


FWIW, I did run the basic port probe software over at dslreport.com and all tests were green (good!). Is this a decent test or is there a more stressful test available online?

It's just about as good a test as most; I use them and GRC (http://www.grc.com).

cloaked
03-03-2004, 09:52 PM
You can also get nmap (insecure.org) and run
nmap -sS <your.external.ip> for a TCP port scan. But a lot of the time the Linksys routers have a lot of ports open by default that you can't disable; I don't know about your particular model.
And SJConsultant, it is definitely possible to get into a computer even if there is no way to directly connect to it. You could use email vulnerabilities (no, I don't mean clicking an attachment), client-side web page vulnerabilities (Java, CSS tricks), and others.
Admittedly, these do require _some_ input, visiting a web page, reading an email, but they can still be executed without the user doing more than everyday tasks.

Josh_B
03-03-2004, 10:15 PM
None.

I run Linux.

mfm
03-03-2004, 10:40 PM
Originally posted by SJConsultant
It's just about as good a test as most; I use them and GRC (http://www.grc.com).
Hmmm, the GRC test says that port 113 is not stealth on our system. I am reading up on it right now to determine if this is an issue that needs to be addressed.

Thanks for the link.

SJConsultant
03-03-2004, 10:47 PM
Originally posted by cloaked
You can also get nmap (insecure.org) and run
nmap -sS <your.external.ip> for a TCP port scan. But a lot of the time the Linksys routers have a lot of ports open by default that you can't disable; I don't know about your particular model.

Let me guess, you're using nmap and scanning your own external IP addy from behind your firewall, which isn't going to read true.

Linksys routers *DO NOT* have any open ports by factory default to the internet.

If you're going to scan your own system, you have to do it from *outside* your network, e.g. from a friend's house etc.

And SJConsultant, it is definitely possible to get into a computer even if there is no way to directly connect to it. You could use email vulnerabilities (no, I don't mean clicking an attachment), client-side web page vulnerabilities (Java, CSS tricks), and others.
Admittedly, these do require _some_ input, visiting a web page, reading an email, but they can still be executed without the user doing more than everyday tasks.

The vulnerability I was responding to was about enabling filesharing while behind a router. Definitely not possible to *directly* connect to any machine when behind a closed hardware firewall/router and file sharing enabled.

Trojans are rendered pretty much ineffective when behind a hardware firewall unless said trojan continually connects *outward* to, say, an IRC channel for instructions. Unless the trojan can connect *outward* there is no other way to command the trojan to do its dirty work when it's located behind a *closed* hardware firewall.

SJConsultant
03-03-2004, 10:51 PM
Originally posted by mfm
Hmmm, the GRC test says that port 113 is not stealth on our system. I am reading up on it right now to determine if this is an issue that needs to be addressed.

Thanks for the link.

Port 113 is Ident. Your ISP may be the one who is causing that port to be "closed" instead of stealth. GRC (http://grc.com/port_113.htm) has a link there that will provide some insight as to why this may be so.

On both Verizon DSL and Comcast Cable I show port 113 as closed instead of stealth. Nothing to really be worried about.

MooCow
03-03-2004, 10:58 PM
Originally posted by Ranma_Sao
Black Viper may be very good at compiling information from other sources, but he is very bad at discussing the side effects of disabling services.

Programs may not work, Windows may become more unstable, Windows may become slower. (Does this sound like a faster more stable solution to you? ;) )

So far I know what I am disabling. I have another computer for printing on, and everything that I use my gaming computer for worked before and after disabling a massive amount of services. NO SHIT disabling a service takes out functionality. You think I don't test my setup?

I also don't know what you mean by "he is very bad at discussing the side effects of disabling services". He says it plain and clear.

Ranma_Sao
03-04-2004, 12:06 AM
Originally posted by MooCow
So far I know what I am disabling. I have another computer for printing on, and everything that I use my gaming computer for worked before and after disabling a massive amount of services. NO SHIT disabling a service takes out functionality. You think I don't test my setup?

I also don't know what you mean by "he is very bad at discussing the side effects of disabling services" He says it plain and clear.

So I disable let's say the telephony service. He spells out you might break dsl software.

What he doesn't say is you might break any application that tries to get a list of countries. Why? Because the Windows API assumes that the TAPI service is running, and asks TAPI to provide it. I had to test a bugfix to not cause the application to a/v, since we were getting all these a/v reports on this function call. Many customers were not happy, yet I could never repro it in house. It took us a long time to figure out it was because someone disabled the TAPI service. (Because finally a customer told us this is how he repro'd it.)

Now, that is 1 specific example of how Black Viper doesn't list all the details; now granted, he has a ton more information on side effects now than he used to. (He used to not have this DSL software listed...)

Now you might blame me, the software tester in charge of testing this application, on how come I didn't catch the dependency? But I ask you, why the hell did someone disable a perfectly working o/s, and then blame my application when it didn't work correctly and then a/v? ;)

GreNME
03-04-2004, 12:34 AM
you could use email vulnerabilities (no i dont mean clicking an attachment), client side web page vulnerabilities (java, css tricks), and others.
Bullshit. I dare you to try to break into my machine. No arbitrary code will run on my Outlook, there are no unpatched vulnerabilities of my browser (IE, Avant, Mozilla, Firefox), and Java, CSS, or anything else cannot run anything unless the client OK's it. You're talking out your ass. On top of that, none of that shit would be mitigated by disabling services.

Prove it—prove there is anything out there that is not already patched and does not require the actual user on the machine to be tricked instead of the actual code being exploited.

"Hacks" nowadays are shams where people are being tricked, not inherent weaknesses in the operating systems.

MooCow
03-04-2004, 01:32 AM
Originally posted by GreNME
"Hacks" nowadays are shams where people are being tricked, not inherent weaknesses in the operating systems.
What about the MSBlaster worm, then?

MooCow
03-04-2004, 01:33 AM
Originally posted by Ranma_Sao
So I disable let's say the telephony service. He spells out you might break dsl software.

What he doesn't say is you might break any application that tries to get a list of countries. Why? Because the Windows API assumes that the TAPI service is running, and asks TAPI to provide it. I had to test a bugfix to not cause the application to a/v, since we were getting all these a/v reports on this function call. Many customers were not happy, yet I could never repro it in house. It took us a long time to figure out it was because someone disabled the TAPI service. (Because finally a customer told us this is how he repro'd it.)

Now, that is 1 specific example of how Black Viper doesn't list all the details; now granted, he has a ton more information on side effects now than he used to. (He used to not have this DSL software listed...)

Now you might blame me, the software tester in charge of testing this application, on how come I didn't catch the dependency? But I ask you, why the hell did someone disable a perfectly working o/s, and then blame my application when it didn't work correctly and then a/v? ;)
I understand there are dependencies, which is why I wouldn't disable things like Plug and Play, DHCP client, RPC (duh) etc. Yeah, if something doesn't work, the first thing I would do is set the default reg key to enable the default startup services.

GreNME
03-04-2004, 09:03 AM
What about the MSBlaster worm, then?
The flaw in the RPC DCOM library was patched a full month before blaster showed up. Microsoft had the flaw covered, and few people bothered to patch. Since MS can't make people patch their machines, whose fault is MSBlaster? The dumb shits who don't patch.

We can thank BSD's shared libraries for that problem, not inherent Windows code. Also, if someone is behind any firewall, it's a non-issue. The reason Blaster spread is because there are stupid users out there who run without firewalls or A/V.

And one exploit in years is hardly showing inherent flaws in the code.

And as I already pointed out, no one can explain with real detail and real examples how someone is going to break into my machine using e-mail, Java, CSS, or anything else, let alone trying to take advantage of services on my machine. Anyone who says it's easy doesn't know what they're talking about, or just flat-out lying. Exploits take advantage of the user, not the code.

E-virus
03-04-2004, 10:57 AM
Originally posted by GreNME
there are no unpatched vulnerabilities of my browser (IE, Avant, Mozilla, Firefox), and Java, CSS, or anything

Prove it—prove there is anything out there that is not already patched and does not require the actual user on the machine to be tricked instead of the actual code being exploited.


I will say first off that I do not know too much about OSs like most of you. But the keyword above is "unpatched". The reason there are "patches" is due to security flaws in the code that needed fixing. Being a cynic, I would guess that there are still more to be discovered. I agree, don't be afraid of what is out there and is known, be afraid of what is out there that you don't know of. People are looking for exploits constantly.

The problem is that most people don't know all this crap about computer security and use what came with their system. There is some seriously righteous talk saying that people are "stupid" because they don't know all this stuff or are tricked. But is someone really that dumb if they open an attachment from their brother that says "This is funny as hell, check it out" and it turns out to be a virus? The "average" person just wants to do e-mail and surf the net. I suppose the irony is that you might bring your car to this "stupid" guy and pay $300 bucks for a $15 part and 10 minutes of labor and he will think you are stupid.

GreNME
03-04-2004, 11:23 AM
Originally posted by E-virus
I will say first off that I do not know too much about OSs like most of you. But the keyword above is "unpatched". The reason there are "patches" is due to security flaws in the code that needed fixing. Being a cynic, I would guess that there are still more to be discovered. I agree, don't be afraid of what is out there and is known, be afraid of what is out there that you don't know of. People are looking for exploits constantly.

The problem is that most people don't know all this crap about computer security and use what came with their system. There is some seriously righteous talk saying that people are "stupid" because they don't know all this stuff or are tricked. But is someone really that dumb if they open an attachment from their brother that says "This is funny as hell, check it out" and it turns out to be a virus? The "average" person just wants to do e-mail and surf the net. I suppose the irony is that you might bring your car to this "stupid" guy and pay $300 bucks for a $15 part and 10 minutes of labor and he will think you are stupid.
There is no such thing as an OS that has not needed patches. The Blaster vulnerability—that was found in BSD first, and was patched in BSD/Linux. Try looking at the patch release history for all of Linux some time, and you'll find just as many, if not more, patches for vulnerabilities, both security related and performance related. OS X has not only had many patches for each new 10.x revision, but it can be argued that each new "release" of OS X has carried patches in the upgrade (which is why some people call them $130 service packs). There is no such thing as an OS that doesn't need patches.

To make your poor car analogy work, let's put things in perspective: does someone who owns a car have to have the oil changed regularly? Regular tune-ups? Various other regular maintenance work? They sure as hell do. And if they don't follow through with those things, they don't get supported by their maintenance contract (warranty). If they have no warranty, then when their car breaks down due to them never changing the oil or having plugs, rotors, brakes, tires, or whatever else replaced, or they've never had something simple like an injector cleaning, who are you going to blame for the car falling apart? The manufacturer of the automobile? The mechanic? No, it's the fault of the car owner, for not taking proper care of their vehicle.

Gee, it makes more sense when put in the proper perspective, doesn't it?

There is an easy setting in XP to download and install critical patches automagically. If this was on for most home users before Blaster, then none of those people would have gotten hit. They wouldn't have had to do a damn thing out of their way to be protected, yet stupid myths like "MS phones home" and "SEKRIT APIS" keep people from having properly set up machines.

The only "stupid" people are the ones spreading myths and misinformation as if it were truth. Quack Viper is one of these people.

Phoenix86
03-04-2004, 05:20 PM
OK I have one suggestion for the non-service tampering people out there. If I change the word disable to manual, doesn't that end the 'you can't disable the service because you don't know all the dependencies' argument? I seriously wonder why you guys (Ranma Sao and GreNME) never mention that? You guys (sorry to lump you together but you always say the same thing on this topic) always say disabling services is bad and throw out various examples of why, and you're right.

BUT... You never mention the obvious solution that makes both arguments win. If you set them to manual you will not take resources and time loading the service AND if the system needs it for an obscure call you didn't predict, the OS will automatically start the service for you. That solution makes your argument go away AND generates the same results that mfm was looking for in the first place...

About patches, GreNME, so does that mean you are happy or lucky that the virii writers were slower than the patch (RPC DCOM)? Not like I would suggest disabling services, you know where I stand on that, or not like I would suggest setting that service to manual. BUT your point about insecure/patching is BS. All the virii writers have to do is be a little quicker to the punch. The RPC DCOM exploit was how old when it finally got patched?!? No system is 100% safe; if there is copper wiring from me to you, you are vulnerable (relative). If I can touch your machine you're screwed.

EDIT: oh, you might as well set your machines up to do the auto updates like GreNME says... That's where 'things' are heading anyways. Unless you have multiple machines and downloading the patches X the number of machines you have is too much, then set up a SUS server.

Ranma_Sao
03-04-2004, 06:14 PM
Because if the service is set to manual, something has to tell the service to start. (And the application I was discussing, didn't tell the service to start, it just expected the service was started, which also caused an A/V)

SCM isn't psychic; if the service is set to manual, it expects applications to start the service if they need it, unfortunately not all programmers check the status of the service before using it. (Most assume if the service is always started, it's always started... Bad habit I agree, but you pick your battles...)

Also, if the application has to start the service, it can create timing issues, and may not be the most tested code, since 99% of the machines will have the default behavior.
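As an added example (not code from the thread, from Black Viper's site or from Microsoft), here is a read-only PowerShell audit that ties Phoenix86's "set it to Manual instead of Disabled" proposal to Ranma_Sao's point that SCM only starts a Manual service when a caller asks for it or declares it as a dependency. It assumes Windows PowerShell 5.1 or later and a session allowed to query Win32_Service; the default candidate list (TapiSrv, Messenger, upnphost) is constructed from the services the thread mentions.

```powershell
# Added example, not code from the thread. Read-only: it never changes a
# service. Assumes Windows PowerShell 5.1+ and rights to query the SCM.

function Get-ServiceDependencyAudit {
    [CmdletBinding()]
    param(
        # Services you are thinking of setting to Manual or Disabled.
        # Constructed default list from the thread's examples: Telephony
        # (TapiSrv), Messenger, UPnP Device Host (upnphost).
        [string[]]$Candidate = @('TapiSrv', 'Messenger', 'upnphost')
    )

    # Win32_Service carries the configured StartMode (Auto, Manual, Disabled)
    # and the live State for every installed service in one query.
    $byName = @{}
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        $byName[$s.Name] = $s
    }

    foreach ($name in $Candidate) {
        if (-not $byName.ContainsKey($name)) {
            [pscustomobject]@{
                Service = $name; StartMode = '(not installed)'; State = ''
                Dependents = ''; Assessment = 'nothing to change'
            }
            continue
        }
        $svc = $byName[$name]

        # Services that declare this one as a required dependency. SCM refuses
        # to start them while this one is Disabled; with Manual, SCM starts
        # this one first when a dependent is started.
        $dependents = @((Get-Service -Name $name).DependentServices |
                        ForEach-Object { $_.Name })

        # Ranma_Sao's case: a program that merely assumes the service is up
        # never asks SCM to start it, so Manual only helps callers that go
        # through SCM (or dependents declared to it).
        $assessment = switch ($svc.StartMode) {
            'Disabled' {
                if ($dependents.Count -gt 0) {
                    "HIGH: $($dependents.Count) dependent service(s) can no longer start"
                } else {
                    'MEDIUM: code that assumes the service is running will fail'
                }
            }
            'Manual' {
                if ($svc.State -eq 'Running') {
                    'LOW: on demand, currently started by something'
                } else {
                    'LOW: on demand, only callers that ask SCM will get it'
                }
            }
            default { 'NONE: starts automatically at boot' }
        }

        [pscustomobject]@{
            Service    = $name
            StartMode  = $svc.StartMode
            State      = $svc.State
            Dependents = ($dependents -join ', ')
            Assessment = $assessment
        }
    }
}

# Example run: print the table. Pass -Candidate with your own list to audit
# other services before touching their start type.
Get-ServiceDependencyAudit | Format-Table -AutoSize
```

Run it before and after changing a start type: a HIGH row names the dependents that will fail to start, while the MEDIUM row is exactly the TAPI-style breakage the thread describes, which no dependency listing can reveal.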

GreNME
03-04-2004, 06:54 PM
About patches, GreNME, so does that mean you are happy or lucky that the virii writers were slower than the patch (RPC DCOM)?
When are they not slower? There is rarely a case where a virus is released before a patch of the exploit. If you were aware of how discovery of exploits worked, you would know it not only has to do with quick patching, but with slow releasing and the simple fact that more than 90% of virus writers are not creative enough to actually create exploits, and must be told how to exploit code—usually through bulletin releases—to be able to create those exploits.

BUT your point about unsecure/patching is BS. All the virii writers have to do is be a little quicker to the punch.
Which they rarely are, and as I already pointed out, they almost never can until they're told how to do it. Virus writers are wannabe programmers who aren't good enough to get real work at it. There is a small percentage of antisocials who are trying to prove something and have a few skills, but have you ever seen any of these viruses (including Blaster)? Sloppy, piss-poor hacks (as in copying) that often barely work.

No system is 100% safe, if there is copper wiring from be to you you are vulnerable (relative). If I can touch your machine your screwed.
Not if you can't touch it. I tell you what: I'll be in Dallas from the 13th to the 20th of this month. If you like, we can meet up, stick a switch between your favorite machine and my laptop, and we can have a wager on whether you can do anything but UDP flood me. I'll guarantee you that you wouldn't be able to get on my laptop. I'd give you $50 if you could log on to my laptop without pulling the HDD. If you're so confident, would you like to put your money where your mouth is? P4 laptop running XP Pro—care to make a wager? Anyone I've challenged here in South Jersey who talks big like that has never taken the challenge.

Phoenix86
03-05-2004, 10:49 AM
OK, so pick your battle is right: bad code (poorly written software) or a leaner OS. Seems simple to me, ditch poorly written code, don't support companies that produce that crap. I'm about to dump Symantec Firewall because they are not able to resolve my issues (fundamental flaw, been working with them for months and several releases), so I'm about to make sure they see 0 dollars on that product. It would have been gone a while ago, but that's politics in my shop... I'll reward a company that CAN write their software correctly with cold hard cash and let the coders who can't do their job learn how, or find new careers.

I do see your point, but why support bad coding? I mean the way the OS works is if the service isn't started, start it. If the app doesn't take that into consideration it isn't an OS issue. It also isn't something you're going to see over and over; if you run into that problem (you should already know what services are set to manual) you just change it to start on boot. Sure it adds an extra troubleshooting step, but so does overclocking, tweaking of RAM timings, all sorts of tweaks. Don't change something unless you know what you're jacking around with. Education is better than running blind and using out-of-the-box configurations. The out-of-box setups are designed for the AVERAGE user; if you're that, great. If not, learn, tweak, test, learn more... But "don't mess with services, because bad things happen" is less than an educational answer.

edit: sorry GreNME, I started this post before I left for work and didn't see you post until now.

I am aware that most virii creators are not the brightest bulb, and must be told the exploit in order to use it. But I am not waiting for a more intelligent writer to come along. I work help desk support, so yes I have seen most of these virii, at least in small fashion. We are mostly prone, like most people, to laptops that connect to home networks, or consultants' laptops. At any rate, it will happen that a virii comes out that uses an unpatched exploit. I bet if I thought/searched it out there are current examples, maybe not; either way I'll lay money it WILL happen.

As far as a challenge, I don't profess to be a hacker, so I mis-stated things there a bit. "I" should be replaced with "hacker". I know quite a few things, and I -think- I could get in with the right tools. I have to admit there are people who know more than me; you may be one. The simple way I would start is by resetting your admin account passwords with a bootable CD (can be on various media). I won't post the specific method for obvious reasons, but I'd bet you know how.

However I do stand by the statement about physical medium and physical access, in general terms. If a hacker can touch your machine (that includes HDD) you're screwed. If there is physical copper between you and a hacker you are at risk (relative to your security practices).

GreNME
03-05-2004, 01:56 PM
Well, I wasn't trying to "call you out" in order to make any kind of example to you in specific, Phoenix. In theory, you are pretty close to being correct. The thing is, it's a highly over-generalized idea that "can touch your machine, you're screwed." I've been keeping up with regular "hackers" techniques for quite a while, and people give them far too much credit. It's not that anyone can eventually get into anything they can connect to with enough time, it's that anyone can eventually take advantage of human oversight, given enough time. It's almost always (with very rare exceptions in every case) the human operator error, not the machine itself. The days of insecure operating systems pretty much disappeared when Win2K and OS X showed up (Linux, being Unix-like already, already had it, given the user could set it up).

This is what I mean about considering services security flaws: it's not the services that are flawed, because they aren't what's causing the open-ness of all these risky machines. If that were the case, anything running those services would be at risk, including *nix and MacOS machines. Instead, it's how they are used, especially on the end-user side. Don't get me wrong, it's also heavily on the programmer side, but not the programmer(s) of the OS itself. There are still far too many Win32 programmers who have not updated their style to fit the NT mode of thinking, and are writing crap like they did in 9x (which is bad). That is what leaves holes all over the place, not the services. Not only is it overly simplistic to blame the OS maker for these problems, but it's not addressing the sources of the problems.

Think of some of the most popularly used Win32 software. Then, if you know at least the logic behind programming for specific OSes, look at how some of them operate in terms of leaving "issues" in their wake. There are some games, programs like Quicken, even older media programs that are a pain in the ass to operate without risky exceptions (rights granted) made. This is a flaw, not in the OS, but in how these programs are accessing and using it.

And for at least the next couple years, I'll be heading down to Dallas on a semi-regular basis, so maybe one of these trips we'll have to hang out and compare notes over a beer or something. I can assure you that things like bootable removable media will never work on my system, since it doesn't boot from CD, and you can't get into BIOS without a password. :) The "easy" things like that are the first step I take when locking down anyone's system. However, as an acquaintance pointed out to someone around here who thought he could hack anything (not something you said, this guy was totally different, and less knowledgeable), "you can't get into that thing. The only way I could get in would be to rip it apart and reset everything." I keep it dual-boot now, too, because I use both OSes, and because I can use either in my typical "challenge" when demonstrating that physical access ownage requires more than just access to the keyboard and mouse. I also have similar services start on startup for both. (still haven't been pwned) :)

Phoenix86
03-05-2004, 02:49 PM
May win9x style programmers burn in hell. But the root question is about OSes, not apps, and security isn't the only reason to change services. As mentioned, keeping boot times down and using fewer resources is the aim. I used to beat the services=security drum a bit, but I have taken a step back on that. It MAY secure your system, but like you said, services are generally secure/patched. So preventing them from starting is a marginal security step, and only then when said service has a known flaw. As a security practice I don't think it's useful.

Physical access implies more than keyboard/mouse access, otherwise I would have said keyboard/mouse access. Physical access means I can touch your HDD. It's the highest level of security, and people often gloss over it. I mean, if I have physical access, what would stop me from touching your HDD/mobo to reset the BIOS (possible even on laptops, you just have to dig more for the info)? Besides, keyboard/mouse access only isn't a realistic scenario. When would someone get keyboard/mouse access but not to the case? Physical access should be discussed in terms of "I have your HDD in my hand, are you secure?" We all know it takes less time to rip a HDD out of a machine than to boot to the OS.

But this type of security discussion is mostly academic; if you have valuable data, physical security is generally limited by data center access. However, how many data centers use false ceilings? You know you can just pop the tile out and jump over the wall. :rolleyes:

Hahahaha, 'hack anything' LMAO. OK, you may know a couple of OSes well enough, but that's just retarded. Hell no one at MS knows everything about windows, yet he knows enough about every OS. That's laughable in itself.

SJConsultant
03-05-2004, 07:25 PM
Originally posted by Phoenix86
When would someone get keyboard/mouse access but not to the case? Physical access should be discussed in terms of "I have you HDD in my hand, are you secure?" We all know it takes less time to rip a HDD out of a machine than to boot to the OS.

I've got one client whose computer system is locked in an office and the general user population accesses that machine through a remote monitor and keyboard setup with a restricted account.

This is one where you have physical access to a keyboard/mouse, but not the computer itself. If you didn't know the password, you're not getting into the system. As it stands the restricted account can only run the 3rd party app they need, nothing else.

GreNME
03-05-2004, 08:55 PM
Yeah, I was gonna say, in many workstations, there are actual key locks you can get for the cases, and most servers are in locked rack cases or cabinets to begin with. It may be easy to sneak into a friend's house and pop open the side panel to reset the BIOS, but in an actual business, it takes some better-than-novice social engineering to get that kind of access.

Not that it can't be done. ;)

Hahahaha, 'hack anything' LMAO. OK, you may know a couple of OSes well enough, but that's just retarded. Hell no one at MS knows everything about windows, yet he knows enough about every OS. That's laughable in itself.
Heh. I agree. This guy had never run anything but 98 and 2K, by his own admission. However, I was feeling kinda punchy one time at a TS2 seminar, when the MS rep was saying he could gain access to a Win or *nix server inside of 20 seconds once. I seriously wish I had my laptop with me then. I would have totally put him on the spot. :D

And probably gotten blacklisted from more MS seminars... maybe it's not a good idea to embarrass the reps (of any company's seminars), even when they talk smack. :eek:

MooCow
03-05-2004, 09:28 PM
*sigh*... it was just a simple question, I didn't ask to read a novel. :rolleyes: :)

Mr45
03-05-2004, 10:40 PM
hehe MooCow you should know better than to ask *simple questions* here :D

fwiw I used to tweak my system settings too and play with the services, but I could never tell any difference in normal day to day operation. I've gotten to the point where if a tweak/upgrade doesn't show a 25% or better improvement across the board then it's not worth wasting my time and/or money on. Right now I have a 2.4 P4/512Mb/9600Pro/160Gb WD SE drive and a standard install of XP Pro SP1 with all the updates, and the only services I disabled are messenger, remote registry, routing and remote access, telnet, themes and wireless zero configuration. Everything else is set to their defaults. My antivirus sw is current and I'm behind a WRT54G router on Comcast here in FL and come up all green on grc.com and dslreports scans; I have file and printer sharing on too. My system runs all my games to my satisfaction and will stay as it is unless HL2 and Doom 3 prove to be too much for my 9600, and seeing as how I like all the eye candy and have switched to an LCD running 1280x1024 up from a CRT at 1024x768, I have the feeling a 9800 is in my future, as is another 512 of RAM.

mfm
03-05-2004, 11:25 PM
Originally posted by Mr45
fwiw I used to tweak my system settings too and play with the services, but I could never tell any difference in normal day to day operation. I've gotten to the point where if a tweak/upgrade doesn't show a 25% or better improvement across the board then it's not worth wasting my time and/or money on...the only services I disabled are messenger, remote registry, routing and remote access, telnet, themes and wireless zero configuration. Everything else is set to their defaults.
Are you saying that these services you disabled saved you 25% or more on performance? If not, why disable them in the first place?

Private Citizen
03-06-2004, 06:12 PM
Originally posted by mfm
Hmmm, the GRC test says that port 113 is not stealth on our system. I am reading up on it right now to determine if this is an issue that needs to be addressed.

Thanks for the link.

Go into your router and forward port 113 to an invalid address high up in your DHCP scope. Say if your DHCP scope is 192.168.0.1 - 192.168.0.55, then set port 113 to forward to 192.168.0.60 and that will return your router to FULL stealth mode again. According to GRC, most NAT firewall manufacturers close port 113 because some older UNIX mail servers use this port. But it's not a very common thing. Forward the port, then go to your POP3 email client and see if you can retrieve email; if you can, then it's likely your ISP doesn't need port 113 to be open/closed.
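A worked check for what the GRC scan is actually reporting, added here as an example and not part of the original post. The scan sends a SYN to each port: a SYN/ACK means open, an RST means closed (the host answered, nothing listens), and no answer at all is what GRC calls stealth. Forwarding 113 to an address no machine holds turns the router's RST into silence, which is all the trick above does. The function below makes the same three-way distinction with a .NET TcpClient from Windows PowerShell 5.1 or later; the target address, the timeout and the port list in the usage lines are assumptions you replace with your own.

```powershell
# Added example (not from the original thread). Classifies a TCP port the way
# the GRC probe does: open (SYN/ACK), closed (RST) or stealth (no reply).
# Run it from a host OUTSIDE your network against your public address; from
# inside the LAN you would only be testing the router's inner interface.
function Test-PortVisibility {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000      # shorter than the Windows SYN retry window (~21 s)
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Target, $Port)
        # Task.Wait(ms) returns $false on timeout and throws if the connect failed.
        if (-not $task.Wait($TimeoutMs)) {
            return 'stealth'        # no SYN/ACK and no RST: the packet was dropped
        }
        return 'open'               # SYN/ACK: something is listening
    }
    catch {
        # Walk MethodInvocationException / AggregateException down to the SocketException.
        $e = $_.Exception
        while ($e -and -not ($e -is [System.Net.Sockets.SocketException])) { $e = $e.InnerException }
        if ($e -and $e.SocketErrorCode -eq 'ConnectionRefused') {
            return 'closed'         # RST: host is up, nothing listens, port is visible
        }
        return "error: $($_.Exception.Message)"
    }
    finally {
        $client.Close()
    }
}

# Usage. 203.0.113.10 is a documentation (TEST-NET-3) address standing in for
# your public IP; the ports are the ones this thread keeps mentioning.
$publicIp = '203.0.113.10'
foreach ($p in 113, 135, 139, 445, 23) {
    '{0,5}  {1}' -f $p, (Test-PortVisibility -Target $publicIp -Port $p)
}
```

Port 113 is the ident service (RFC 1413), and a mail or IRC server that does ident lookups queries it on every connection from you. A closed port answers that query instantly with an RST; a stealthed one leaves the server waiting for its own timeout, which is the delay the POP3 test above would surface if your ISP's mail server still does the lookup.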

mfm
03-06-2004, 10:31 PM
Originally posted by Private Citizen
Go into your router and forward port 113 to an invalid address high up in your DHCP scope. Say if your DHCP scope is 192.168.0.1 - 192.168.0.55, then set port 113 to forward to 192.168.0.60 and that will return your router to FULL stealth mode again. According to GRC, most NAT firewall manufacturers close port 113 because some older UNIX mail servers use this port. But it's not a very common thing. Forward the port, then go to your POP3 email client and see if you can retrieve email; if you can, then it's likely your ISP doesn't need port 113 to be open/closed.
I did that late last night and it worked. I am not sure whether it is necessary, given most opinions I have read about port 113, but I didn't see a problem while doing this.

Since I now have two spare PCs, I installed SmoothWall on one of them today to try it out (and to learn a little about Linux). Funny thing is GRC says that port 113 is open even with SmoothWall. But that's a topic for another post. Thanks for everyone's help and suggestions.

Private Citizen
03-07-2004, 01:45 AM
Yeah I use smoothwall too. Great app!

On the topic:

I only disable things like Help and Support, Firewall, Zero Wireless Configs, etc. Nothing that IS necessary for the OS to operate freely. If I don't use the network Messenger (not MSN Messenger or Windows Messenger) in Windows or even Telnet, there is NO reason for these services to be taking up resources. How much they take up is anyone's guess.

GreNME
03-07-2004, 03:47 AM
How much they take up is anyone's guess.
You mean no one has tested their machine for RAM and CPU usage prior to and after changing those settings?

How scientific...
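The measurement being asked for, added here as an example that is not from the original thread. It takes a snapshot of every running service grouped by its host process (services sharing one svchost.exe are shown together, because their memory cannot be charged individually), disables one service only after checking that nothing still running depends on it, and then compares private memory before and after. It assumes Windows PowerShell 5.1 or later on an elevated prompt on a current Windows release; RemoteRegistry in the usage lines is just the service this thread keeps bringing up, and any other name works.

```powershell
# Added example (not from the original thread). Snapshot the cost of running
# services, disable one safely, and measure the difference.

function Get-ServiceFootprint {
    # One row per host process: services that share an svchost.exe cannot be
    # charged for memory individually, so the process is the honest unit.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId |
        ForEach-Object {
            $proc  = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            $image = if ($proc) { $proc.ProcessName } else { '?' }
            $priv  = if ($proc) { [math]::Round($proc.PrivateMemorySize64 / 1MB, 1) } else { 0 }
            $cpu   = if ($proc) { [math]::Round($proc.CPU, 1) } else { 0 }   # cumulative CPU seconds
            [pscustomobject]@{
                ProcessId  = [int]$_.Name
                Image      = $image
                Services   = (($_.Group.Name | Sort-Object) -join ',')
                PrivateMB  = $priv
                CpuSeconds = $cpu
            }
        }
}

function Compare-ServiceFootprint {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    $b = ($Before | Measure-Object -Property PrivateMB -Sum).Sum
    $a = ($After  | Measure-Object -Property PrivateMB -Sum).Sum
    [pscustomobject]@{
        ServicesBefore  = @($Before.Services -split ',').Count
        ServicesAfter   = @($After.Services  -split ',').Count
        ProcessesBefore = @($Before).Count
        ProcessesAfter  = @($After).Count
        PrivateMBBefore = $b
        PrivateMBAfter  = $a
        SavedMB         = [math]::Round($b - $a, 1)
    }
}

function Disable-ServiceSafely {
    # Refuses when a running service still depends on this one; that
    # dependency is what usually breaks after "turning off useless services".
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $dependents = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
    if ($dependents.Count -gt 0) {
        Write-Warning ('{0} is still required by: {1}' -f $Name, ($dependents.Name -join ', '))
        return $false
    }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $Name -ErrorAction Stop }
    Set-Service -Name $Name -StartupType Disabled
    return $true
}

# Usage: measure, change exactly one thing, measure again.
$before = Get-ServiceFootprint
if (Disable-ServiceSafely -Name 'RemoteRegistry') {
    Start-Sleep -Seconds 5           # let the host process settle or exit
    $after = Get-ServiceFootprint
    Compare-ServiceFootprint -Before $before -After $after | Format-List
}
```

If the disabled service shared its host process with others that stay up, SavedMB comes out near zero, which is the "no tangible difference" result reported earlier in the thread; the number only moves when the service owned its process. CpuSeconds is cumulative since process start, so a small value after a long uptime means the service was idle and costing almost nothing.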

Phoenix86
03-08-2004, 06:13 PM
Originally posted by SJConsultant
I've got one client who's computer system is locked in an office and the general user population accesses that machine thru a remote monitor and keyboard setup with a restricted account.

This is one where you have physical access to a keyboard/mouse, but not the computer itself. If you didn't know the password, you're not getting into the system. As it stands the restricted account can only run the 3rd party app they need, nothing else. Well, if you're accessing a PC through remote keyboards and mice it's not physical access. Physical access. I can touch your box.

Don't even make me discuss locks. Locks keep honest people out. You cannot argue this point much, physical access=screwed.

It would take less time to rip a lock off than (just about any) remove the computer security (bios, OS, whatever...).

If I wanted to break into a business and enter their data center it wouldn't take much. Most offices close at night and leave their data center unstaffed. False ceilings=false security. Unless you're talking about a Fortune 500 type company, and those are not the only ones vulnerable to hacks...

MooCow, sorry, simple questions != computer questions. Unless you're talking about user questions, like "how do I change the font in Word?" Do you know where you are? ;)

GreNME
03-08-2004, 08:42 PM
You cannot argue this point much, physical access=screwed.
I can argue it. :) You have the equation wrong. Physical access + time + gullible staff == screwed. If the equation is missing any one of those things, it's bullshit. There are plenty of gullible people, and with that plenty of opportunity to get physical access for at least a few minutes. However, the amount of manipulation to get the time needed to take advantage of the other two is not easily had. Trust me, I'm good at doing that sort of thing (no, I don't break the law) and it's not easy for me.

SJConsultant
03-08-2004, 10:31 PM
Originally posted by Phoenix86
Well, if you're accessing a PC through remote keyboards and mice it's not physical access. Physical access. I can touch your box.

Touch my box and I got fingerprints!!! ;)


Don't even make me discuss locks. Locks keep honest people out. You cannot argue this point much, physical access=screwed.

It would take less time to rip a lock off than (just about any) remove the computer security (bios, OS, whatever...).

If I wanted to break into a business and enter their data center it wouldn't take much.

It really depends if you are trying to get the information *unnoticed*, which is much harder when all the appropriate safeguards are in place.

Mr45
03-09-2004, 08:59 PM
Originally posted by mfm
Are you saying that these services you disabled saved you 25% or more on performance? If not, why disable them in the first place?

No, I only do upgrades if they improve performance by 25% or better, the services I disabled showed no tangible performance improvement, they were done for security and personal preference.

messenger service because of its abuse (http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp)

remote registry because I don't like the idea of remote users being able to change the registry. Some apps require it to be running and in the event I need to run one it will be enabled.

routing and remote access and telnet services are not used or needed.

themes service is disabled because I prefer the classic interface; this may actually improve performance some, but I'm too lazy to measure it.

wireless zero configuration is disabled because I have no wlan adaptors in this pc.