Windows security: Remote Desktop, hosts file and keyboard lock down

For more on Windows security Detect and remove rootkits with Windows own encryption services Prevent SQL Server and Internet Explorer hack attacks Learn about Windows password policies Block Windows services to prevent hacker attacks Secure Windows during the pre-installation and post-installation process

Reporting on the information security business for close to two decades now has meant that over those years I have collected quite a few tricks and tips for securing Windows. Some of them have been shared already in the earlier segments of this short series. However, I find myself with one part left and a bunch of assorted secrets left over. Bringing the two together seems like a good idea!

Windows 2000 tips and tricks
Let's start with a good one for those of you still working with a Windows 2000 operating system, and there are plenty of people who still fall into that particular genre. Some may be surprised to know that a relatively simple nslookup can reveal plenty of hacker-friendly information. This is courtesy of W2K defaulting to allow DNS zone transfers to any server.

Thankfully, this distinctly dodgy default behaviour was stopped in Windows Server 2003 and later, but if upgrading is not an option, then the solution is as simple as it is obvious with hindsight. Configure it to restrict zone transfers to defined hosts or simply to none at all.

Windows Remote Desktop security
Secure the Remote Desktop for Windows XP and Windows Server 2003 by changing the port it runs on from the 3389 default to something less obvious, so as to hide it from port scanning kiddie scripters. This means rolling your sleeves up and getting into the Windows Registry to do this, specifically editing the following key:

HKEY_LOCAL_MACHINESYSTEM/CurrentControlSet/Control/TerminalServerWinStationsRDP-Tcp

Don't forget to bring a decimal to hex calculator to convert the port number to hex before updating the entry, though. Once saved, connect using Remote Desktop by adding ':' to the end of the IP address.

Windows hosts file
Often overlooked, the hosts file can be used to securely manage IP addressing in any flavour of Windows. Layered security always wins out because a single-pronged defence is useless if that single prong gets poked to pieces.

The Windows hosts file should be thought of in terms of being a Windows IP address book. A Web browser will look in this file for any corresponding entry that matches the requested URL, and if it finds nothing, goes online to resolve the address using DNS. If it does find an entry, it goes where directed. To prevent non-admin types from visiting a specific site, have it resolve to 127.0.0.1, and they will go nowhere fast.

Windows lock down
When the need arises to leave one's desktop in a hurry, quickly lock any Windows XP or Vista-powered computer using the Windows key + L combo to go straight to a secure user login prompt.

Wrapping up
And that wraps up our Windows security strategy series, which we hope you have found useful. If you have any Windows security tips and tricks of your own, why not share them with us? Send us an email at editor@searchsecurity.co.uk.

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Tech tips Considerations for buying and implementing DLP solutions Code complexity analysis: How to keep it simple How to use Windows XP Mode in Windows 7 Understand role-based access control in Microsoft Exchange 2010 Avoid common Web application firewall configuration errors Cross-site scripting explained: How to prevent XSS attacks How to automate and apply Microsoft Windows 7 AppLocker rules How to use Microsoft Windows 7 AppLocker for whitelisting applications Should you disable IE ESC, or manage it in Windows servers? Scanning with N-Stalker offers basic Web application security assessment Platform and OS Security Management Google bug hunter discovers serious Windows XP flaw Microsoft emphasizes three critical updates on patch-heavy Tuesday Microsoft to issue 10 security bulletins, three critical Malware discovered in freely distributed Mac applications Report: Google to phase out Windows, cites security issues Microsoft to issue two critical bulletins, SharePoint to remain vulnerable Researchers aim to smarten Web application security scanners Microsoft fixes critical drive-by media handling flaws Microsoft to repair 25 flaws in Windows, Office and Exchange Microsoft emergency patch addresses IE vulnerabilities, zero-day Data Protection Solutions and Strategy Pros and cons of Skype security for encrypted phone calls NHS smart card devices enable secure access to health care apps Company files at risk of employee data theft McAfee-Intel: Why the McAfee acquisition is being met with scepticism Mobile digital pad/pen helps secure patient data collection Hard-disk erasure: Using HDDerase and Secure Erase hard-drive eraser In any given app for smartphone, security risks are being neglected First of data loss prevention vendors touts downloadable DLP software Ministry of Justice asks for input on UK privacy laws PCI PTS: Understanding PCI PIN security requirements RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.