Windows security: Remote Desktop, hosts file and keyboard lock down

Reporting on the information security business for close to two decades now has meant that over those years I have collected quite a few tricks and tips for securing Windows. Some of them have been shared already in the earlier segments of this short series. However, I find myself with one part left and a bunch of assorted secrets left over. Bringing the two together seems like a good idea!

Windows 2000 tips and tricks
Let's start with a good one for those of you still working with a Windows 2000 operating system, and there are plenty of people who still fall into that particular genre. Some may be surprised to know that a relatively simple nslookup can reveal plenty of hacker-friendly information. This is courtesy of W2K defaulting to allow DNS zone transfers to any server.

RELATED CONTENT Tech tips Code complexity analysis: How to keep it simple How to use Windows XP Mode in Windows 7 Understand role-based access control in Microsoft Exchange 2010 Avoid common Web application firewall configuration errors SQL injection detection tools and prevention strategies Cross-site scripting explained: How to prevent attacks How to automate and apply Microsoft Windows 7 AppLocker rules How to use Microsoft Windows 7 AppLocker for whitelisting applications Should you disable IE ESC, or manage it in Windows servers? Scanning with N-Stalker offers basic Web application security assessment Platform and OS Security Management Microsoft issues advisory on new IE security vulnerability Microsoft patches SMB flaws, Hyper-V problem in big update Microsoft blue screen affecting few corporate PCs Microsoft to fix 26 flaws in Windows, Office Thin-client technologies surge thanks to easier security, says Deloitte Microsoft issues critical security update, blocks IE 6 attacks How to use Windows XP Mode in Windows 7 Microsoft to patch single Windows 2000 vulnerability How to prevent memory dump attacks Microsoft gives Internet Explorer a major security overhaul Data Protection Solutions and Strategy Enterprise data management: Prevent data loss and insider threats NSA, cryptoexperts jab at RSA Conference 2010 Cryptographers' Panel Make PCI DSS compliance easier by reducing scope, outsourcing data Data Protection Act fines likely limited, audit powers may expand Websense integrated security system aims to simplify security management Full disk encryption: Safer and easier than file and folder encryption No major PCI DSS revision expected in 2010 Data breach costs continue to rise in 2009, Ponemon study finds Chinese hacker attacks target Google Gmail accounts, top tech firms Annual security reports offer some hope

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Thankfully, this distinctly dodgy default behaviour was stopped in Windows Server 2003 and later, but if upgrading is not an option, then the solution is as simple as it is obvious with hindsight. Configure it to restrict zone transfers to defined hosts or simply to none at all.

Windows Remote Desktop security
Secure the Remote Desktop for Windows XP and Windows Server 2003 by changing the port it runs on from the 3389 default to something less obvious, so as to hide it from port scanning kiddie scripters. This means rolling your sleeves up and getting into the Windows Registry to do this, specifically editing the following key:

HKEY_LOCAL_MACHINESYSTEM/CurrentControlSet/Control/TerminalServerWinStationsRDP-Tcp

Don't forget to bring a decimal to hex calculator to convert the port number to hex before updating the entry, though. Once saved, connect using Remote Desktop by adding ':' to the end of the IP address.

Windows hosts file
Often overlooked, the hosts file can be used to securely manage IP addressing in any flavour of Windows. Layered security always wins out because a single-pronged defence is useless if that single prong gets poked to pieces.

The Windows hosts file should be thought of in terms of being a Windows IP address book. A Web browser will look in this file for any corresponding entry that matches the requested URL, and if it finds nothing, goes online to resolve the address using DNS. If it does find an entry, it goes where directed. To prevent non-admin types from visiting a specific site, have it resolve to 127.0.0.1, and they will go nowhere fast.

Windows lock down
When the need arises to leave one's desktop in a hurry, quickly lock any Windows XP or Vista-powered computer using the Windows key + L combo to go straight to a secure user login prompt.

Wrapping up
And that wraps up our Windows security strategy series, which we hope you have found useful. If you have any Windows security tips and tricks of your own, why not share them with us? Send us an email at editor@searchsecurity.co.uk.

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.