Lock Your Doors by Tightening Network Settings
Windows network security seems a weak spot. Old protocols like NetBIOS broadcast too much information. New protocols, such as IPv6, provide access you may not be ready for. Meanwhile, active fileshares give viruses such as Conficker too much opportunity. Let’s tighten up settings with an easy-to-use tool called Ultimate Windows Tweaker. Alternately, I got my copy at CNET.
I Don’t Like Default Shares
After checking your download for viruses (you do check all downloads for viruses, right?), start UWT. There are several network security settings. I like to start by disabling default fileshares (see Figure 6).
Figure 6 Default Shares are risky
I like UWT for many reasons. It allows you to create a checkpoint as a backup. It lets you make several important settings with one panel. It keeps you from difficult Registry edits. Please make the settings I indicate above. Let’s discuss why they are important:
- Disable default Admin and Disk drive share server. Disables fileshares that are active on most versions of Windowsnot sure why they are.
- Restrict access of IPC$ for anonymous users. This share is used to “enumerate” many of the settings on your system. This setting will stop revealing information to just anyone on the network.
- Disable recent shares in Network Places. This will stop others from noting the shares you’ve been using.
- Enable NTLM2 support. NTLM version 2 is an improved authentication protocol. Using it will make attacks more difficult.
You may want to try the other settings. Set a checkpoint before making changes! Later, you can restore old settings. After you restart your system, these changes should be active. If you open Administrative Tools in the Control Panel and select Computer Management, the shares tab should not show the shares in Figure 7.
Figure 7 Warning! Only IPC$ should appear when default shares are disabled!
More Restrictive Network Settings
Windows 7 assumes a Home network is more secure and trustworthy than a Public network. This trust enables a hacker to compromise one system on the home network and then attack yours. Step up the security! Configure your network location to be Public, the Location setting that puts stringent firewall settings in place (see Figure 8).
Figure 8 Good fences make good networks.
Once you are connected to your home network, click the link below the network name and change it to be Public network, as illustrated in Windows 7 online help.
Let’s dig into the network settings in greater depth. To do that, open the Network and Sharing Center shown in Figure 8 and select Change Adapter Settings, on the left pane. If you right-click a connection, you can see all the “stuff” enabled by default. Do you really need to activate IPv6? Is it configured on your network? Are you sharing a printer or creating fileshares on your home network? You may want to try selectively disabling items, except for the IPv4, the Internet Protocol most of us use (see Figure 9). You can re-enable them if you or your applications have problems accessing networked information.
Figure 9 Too much on by default
Click the Properties button once you select IPv4. It’s now time to disable NetBIOS communications. This can further limit the ability to find out Windows settings. Deselect Enable LMHOSTS lookup and Disable NetBIOS over TCP/IP (see Figure 10).
Figure 10 NetBIOS disabling
This has been a lot of work. Your system may or may not have problems at this point. No one can specify the exact settings you should make. Your applications may require some settings be left enabled. This is especially important when you use old, old Windows applications, many of which must access Windows resources anonymously. Consider working to upgrade from old, old applications to newer, more secure versions.