Dimanche 20 mai 7 20 /05 /Mai 19:14


With the release of Vista, many home users are certainly wondering if the migration from XP to Vista is absolutely necessary.
As claims the VOX POPULI : "Vista is an evolution, not a revolution".
Hardening the system makes XP as secure as Vista.
Since the hardware works fine, there's consequently no reason for a hasty migration.

In this article are provided exhaustive resources that can be helpful in system's hardening.

All tools linked here have already been tested and experimented.
But as usual, it's suited to check their requirements1 and to choose a tool in relation with the real need and level of knowledge.

Articles, guides and resources

-Principle of Least Privileges (Microsoft,  WikipediaDerek Melber, and here a dedicated site more intended for experienced users and developers).

-Aaron Margosis (important articles here)

-NonAdmin Wiki

-The Lazy Admin

-Living the Least Privilege Lifestyle

-Windowsecurity (especially Derek Melber's articles)

-Windowsnetworking tips

Running Windows under non admin account

-Running as limited user: the easy way (Mark Russinovich)

-10 easy ways to lock down your computer

-10 immutable laws of security

-Launch explorer.exe under admin. privileges on XP Pro

-MST Windows XP Security Guide

-Limited User setup in Windows XP


-Kellys-korner xp tweak

-Locking and restricting the registry in Windows XP (Killian's guide)

-Hardening Windows XP Pro

-NIST guides and checklists

-NSA guide


-Dwheeler (securing Windows)

-Windows NT security faq

-Spywarewarrior links and resources

-Reducing browser privileges

-Browsing the web and reading email safely as an administrator


-Stanford (securecomputing)

-Kayodeok resources for XP

-CoreCompetence win XP resources

-Bill Wall's windows NT links (defense and attack)

-First BPGL

-Labmice  Win XP security checklist

-Castlecops check list (part 1)

-TweakHound (securing Win XP)

-Securing Win 2000 (arstechnica)

-Abxzone (securing Win XP)

-Markusjansson (How to secure Win 2000/XP)

-Malwarehelp (hardening windows security)

-Pcnineoneone (securing windows)

-Freefire hardening resources

PDF guides about windows hardening:

-Windows 2000 and XP hardening guides

-The digital underground

-Jonahtan Hassel

-ITS (Win XP Pro)

-M.van Hoenbeek

-Compass Security

-SystemExperts (win 2000)


-NebraskaCert ( Win XP part 1 and part 2)

-Professional Windows Desktop and Server Hardening (doc file, direct download)

About Group Policy :

-Fast Guide

-General Hardening Techniques

-Group Policy Learning Guide (free registration required)





-Killian 's guide


-Microsoft Group Policy Reference and Faq

-Microsoft: software policy restrictions

-Circumventing Group Policy Settings/as a limited user (Mark Russinovich)

GP Tools and softs


Userenv and GPE logging

-Policy Maker Registry Extension (Microsoft)

Rights and permissions management Tools:



-StripMyRights (a more interesting alternative to DropMyRights)


-Adwin (gui for MakeMeAdmin)



-RunAsUser ( by M.Puff, in german only, also available for download here)


-Safe Run As (keylogger protection)

-Steel Run-As

-Raise My Rights



-RFE (Restriction File Executer)

-How to enter RunAs password automatically with a script

-Lauch Admin

-High Road


-Supercrypt (and LsRunAs/LsRunAse)


A Windows version of Sudo (Unix OS)

A tutorial from The Sans Institut here (pdf)

-WinSudo (new stable version available soon)

-Superior Su

-Sanur (no longuer supported)

AutoIt (scripting langage, not suited for classical home users).

-RunAs vbs (also xrunas and other scripts)

-Windows hardening script


-LUA Buglight (administrators/developers )

-PrivBar (toolbar for Internet Explorer) and IsAdmin (Firefox extension)

-Run Internet Explorer and other browsers and applications under a "condom" :

*For IE: AMUST 1-Defender and Reduced Permissions

*For other browsers and applications:

          -virtual condom such as BufferZone (installation required)

          -sandboxing condom with Sandboxie (installation required)

NB.There's also a virtual condom for browsers called VappWare but i've not evaluated this tool (currently in alpha and beta phase, and not available for download): a few comments are available here and here.
BufferZone is (personal point of view) the most interesting condom here.
But as it seems that "condom" name is amusing for some people, why not a Windows Xp virtual condom...



-Windows Permission Identifier (WMI)

-ACL View


-SetACL (also here)

-Cacl and Xcacls from Microsoft


Paid softs:

It's important to note that there's already enough tools for windows accounts and rights managements, and there's technically no absolute reason to use a paid tool in a home user environment.


-RunAs Professional



-Encrypted RunAs

-RunSafe (seems to be no longuer supported by GetData)


Accounts Management


-Account View


-Start menu name hide



-Nuxbox NTUsers and Rights: french and english language (translation not perfect), mostly intended to be used in a Lan).

-Group Manager

-Disable Me

-Unlock Me

-XP UserManager (paid, german only)

-Local Account Manager (paid)

Other tools (for rights and accounts management, task sheduler,password reseting and recovery, boot CD etc).

-Nncron (free and paid version)



-Windows Command

-Windows Ressource Kit tools (here or here)


-Marty List

-Sysinternals Suite

-Toolcrypt tools

-LS Tools

-SamInside (paid)

-Windows Key (paid)



Tools and plugins here

-UltimateBoot CD









Softwares designed for a corporate environement (just for information purpose)

-BeyondTrust privilege manager

-Altiris Security Expression (Symantec)


-Dameware NT Utilities

-Policy template editor

-Emco RunAs Professional


IS YOUR SYSTEM REALLY HARDENED? Test it with Pedestal Software WebAudit:

Now it would be interesting to audit your system before and after hardening.
Pedestal Sofware (aquired by Symantec) provides an online security audit here.
It requires Internet Explorer and ActiveX installation (safe and can easily be removed after the test).
For privacy reasons or for paranoiacs, it could be suited to uncheck the box "collect statistics"  (these statistics concern only number of OK, errors etc).

The result is detailled and can be used as a checklist for the hardening phase.

Here's the test page done on a non hardened system (case of most users):

A good result (really hardened systems) should have "NOT OK" result < 40

An expanded result related to Remote Access Service ( "NOT OK" result):

1. I've installed RunsAdmin on XP Pro, and it was neccesary to back up.
The bug is fixed in the latest version.


Par kareldjag - Publié dans : LINE DEFENSE
Ecrire un commentaire - Voir les 20 commentaires
Retour à l'accueil
Créer un blog gratuit sur over-blog.com - Contact - C.G.U. - Rémunération en droits d'auteur - Signaler un abus