Windows security: Remote Desktop, hosts file and keyboard lock down

Reporting on the information security business for close to two decades now has meant that over those years I have collected quite a few tricks and tips for securing Windows. Some of them have been shared already in the earlier segments of this short series. However, I find myself with one part left and a bunch of assorted secrets left over. Bringing the two together seems like a good idea!

Windows 2000 tips and tricks
Let's start with a good one for those of you still working with a Windows 2000 operating system, and there are plenty of people who still fall into that particular genre. Some may be surprised to know that a relatively simple nslookup can reveal plenty of hacker-friendly information. This is courtesy of W2K defaulting to allow DNS zone transfers to any server.

Thankfully, this distinctly dodgy default behaviour was stopped in Windows Server 2003 and later, but if upgrading is not an option, then the solution is as simple as it is obvious with hindsight. Configure it to restrict zone transfers to defined hosts or simply to none at all.

Windows Remote Desktop security
Secure the Remote Desktop for Windows XP and Windows Server 2003 by changing the port it runs on from the 3389 default to something less obvious, so as to hide it from port scanning kiddie scripters. This means rolling your sleeves up and getting into the Windows Registry to do this, specifically editing the following key:

HKEY_LOCAL_MACHINESYSTEM/CurrentControlSet/C

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Tech tips A review of Nmap scan options and timing templates How to test a firewall with Nmap Rootkit Hunter demo: Detect and remove Linux rootkits Using Nmap to scan for open ports, updated servers and more How to perform Nmap scans and port checks Installation tips before beginning Nmap port scans NAC and endpoint security: The hard questions Securing Windows services to prevent hacker attacks How to detect and remove rootkits with Windows encryption How to prevent SQL Server and Internet Explorer hack attacks Platform and OS Security Management Microsoft patches WebDAV security vulnerability in bevy of updates RSA council addresses growing security risks in the cloud Adobe shifts to Microsoft patching process, incident response plan Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft patches serious Excel zero-day, Windows flaws System management appliance improves school's software deployment Government offers £6m to fund complex network security infrastructure Are Windows Vista security features up to par? Debian: A niche OS with a not-so-niche security flaw Sophos adds browser and virtualisation blocking features Data Protection Solutions and Strategy Sourcefire to ignite new offerings for virtualisation security USB drive security project protects endpoints, aids CoCo compliance How to enforce an enterprise data leak prevention policy Companies underestimate Web 2.0, social networking threat, says survey RSA council addresses growing security risks in the cloud Attackers use ATM malware to steal track data, PINs CSA, Jericho Forum unite on cloud computing security message How to create a data classification policy Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert Organizations struggle with data leakage prevention, rights management

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ontrol/TerminalServerWinStationsRDP-Tcp

Don't forget to bring a decimal to hex calculator to convert the port number to hex before updating the entry, though. Once saved, connect using Remote Desktop by adding ':' to the end of the IP address.

Windows hosts file
Often overlooked, the hosts file can be used to securely manage IP addressing in any flavour of Windows. Layered security always wins out because a single-pronged defence is useless if that single prong gets poked to pieces.

The Windows hosts file should be thought of in terms of being a Windows IP address book. A Web browser will look in this file for any corresponding entry that matches the requested URL, and if it finds nothing, goes online to resolve the address using DNS. If it does find an entry, it goes where directed. To prevent non-admin types from visiting a specific site, have it resolve to 127.0.0.1, and they will go nowhere fast.

Windows lock down
When the need arises to leave one's desktop in a hurry, quickly lock any Windows XP or Vista-powered computer using the Windows key + L combo to go straight to a secure user login prompt.

Wrapping up
And that wraps up our Windows security strategy series, which we hope you have found useful. If you have any Windows security tips and tricks of your own, why not share them with us? Send us an email at editor@searchsecurity.co.uk.

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.