Windows Tweaks and Security

PowerBookG4 · Jul 6, 2006

Since the arival of bootcamp on the mac scene allows users to insall and use windows on the mac, I have decided that these forums needed a thread where people can look up windows tweaks and ways to beef up security on their new windows partitions. I have compiled tweaks from all over the internet and I also made some of my own tweaks that I feel are important to share with you. Besides the tweaks at the end of this thread I have provided a series of links to downloads and other informative sites that I believe all windows users should know about if not use.
Before I begin how ever I would like to extend a warning to all of those who are reading this thread. These tweaks have all been tested by me, and do work, but results vary on different computers with different users. So before you start any tweaks if you are not 100% confortable, I highly recomend you back up, esspecially your registry.
Enjoy Reading the thread and happy tweaking.

I will start off the tweaking with a simple registry edit. This will force anybody who is logging into your computer to press ctrl+alt+del before they can log in. Not entirely important, but this provides a little extra security.

I have not tested this with any version of Windows XP besides XP Pro. It might work in Home Edition or other versions.

If you do this, then you will get the "Press Ctrl-Alt-Delete to begin" box when you turn on your computer, before it asks for your username and password. It also asks for you to press Ctrl-Alt-Del before you can unlock your computer if you lock it. This is done by default in Windows 2000 Server or Windows Server 2003.

To enable the Ctrl-Alt-Delete boxes, open Regedit and go to

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Create a new DWORD value and name it "DisableCAD"

The value should be set to "0"

That's it! Now you can log off to see the change.

(You need to disable the Welcome screen to get this)

The next tweak is a little more involved, It will block ports on your system, which I recomend using with a firewall, although this can take the place of a firewall, or a firewall can tak the place of this. I will repeat that I recomend using this in conjunction with a firewall, not allowing a firewall to replace this tweak or using this tweak to replace the existance of a firewall. Later in this thread I will recomend a firewall which I use and will provide a link to a page where it can be downloaded.

Limit your exposure to the outside world by blocking incomming connections.

Start > Settings > Control Panel > Network Connections
Right click on "Local Area Network" And go to "Properties", In the scroll box, Click on "Internet Protocol (IP/TCP)" and then click on the "Properties" button, In the new window, Click on the "Advanced.." button, Then in the other new window go to the "Options" tab, Click on "TCP/IP Filtering" and hit "Properties", Check off "Enable TCP/IP filtering (All adapters)" next In the Above "TCP Ports" Click on the Radio button "Permit Only" and then add in the ports that you want people to be able to access... If you're running a web server add in 80, If you're running an FTP server add in 21... And so on... Then hit "OK" And close all the other windows, And reboot when it asks you too.

This way you can close the ports that you do not need to be open to the outside world. An alternative to this tweak could be running a firewall or enabling windows built in firewall. Please note that in order for other computers to connect to you, for example sending a file over AOL Instant Messenger or using Windows Messenger to send a file, make sure that the required port is not blocked on your system. Otherwise, nothing will go through.

The next tweak is a way to protect the computer from intruders by disabling a number of services that are not needed that can cause sercurity threats. If you need the service that this tweaks is diabling just do not follow that particular set of instructions and follow on to the next step.

There are several things one can do to protect against intruders. Of course the old adage applies here as well, 'locks keep honest people out'; in other words, if they want in, they will keep trying and eventually will be able to get in through some kind of exploit. The following are some tips that can greatly slow them down and make it nearly impossible for them to get in. If you use file sharing or remote connections, don't make the local policy changes.

1. As it was mentioned before, set the Guest and Administrator account passwords. By default, the Guest account password is blank. Make it something difficult, such as a combination of letters and numbers, preferably not based on dictionary words. Control Panel\Administrative Tools\Computer Management\Local Users and Groups\ Highlight User Account, right-click, 'set password'.

2. Remove/Delete any unused accounts, especially any 'remote assistance' accounts.

3. Disable the Guest account since you can't delete it.

4. Rename the Guest and Administrator accounts to unique names. Remove the description of these accounts (in local users and groups). Control Panel\Administrative Tools\Local Security Policy\Local Policies\Security Options Account: Rename Guest Account - Double click and rename the account Account: Rename Administrator Account

5. If you do not need to connect to your computer from a remote machine, be sure to turn off this functionality. Control Panel\Administrative Tools\Local Security Policy\Local Policies\User rights Assessment\ "Access this computer from the network" - remove all users and groups. This should be blank "Deny access to this computer from the network" - this should include all users and groups. Double click on the policy, click Add User or group, click Advanced, click Find Now, highlight all the accounts and click OK.

6. Turn off the Microsoft File sharing iMac-Forums.com - Post New Threadn Network Neighborhood if it is not going to be used.

7. Under System Properties\Remote, Turn off Remote Desktop and Remote invitations.

8. Run a software firewall program.

9. Be sure to visit WindowsUpdate to get the latest hotfixes and security patches. There are a lot of them.

The last security tweak is a DHCP fix, it patches a security hole that is located in the windows os.

According to AnalogX, a security hole in windows allows other people to monitor your pc. They made a fix, which can be downloaded freely from their site

http://www.analogx.com/contents/download/system/dhcpfix.htm

or go to http://www.analogx.com

Look at the next post for usability tweaks:

PowerBookG4 · Jul 6, 2006

Usability of a system is very imporant it makes you feel better when using a computer and also improves prodcutivity. We all know that if you are not using a computer that you like the feel of you will not be as productive as you would be if you were on a computer that you liked. With that said lets move to the usability tweaks.

Lets start off with just information, you are probably tired of switching of of this screen to perform a tweak you just read about. So lets give some information to you that you can just read right from this page and memorize to make your computing experience in windows better. The first thing I will tell you is get out windows and get back into mac osx and all will be easier. Lol just kidding. I think what you all love about mac osx is that all the keyboar short cuts are the same. So here are so keyboard short cuts that will help you out when you are working in windows.

CTRL + ALT + ESC

While in a full-screen window will launch the task bar. If used while not in a full screen window, it will work like ATL + TAB without the option of choosing which window and simply go to the window whose button is to the RIGHT of the current window.

ALT + D [MSIE]

This will move the cursor to the Address bar, highliting all the text in the bar as well.

ALT + TAB (With Shift)

If you have many windows open, using ALT + TAB can be kind of annoying if you miss the program you're seeking. Adding SHIFT and pressing TAB again will move the highlite back one.

CTRL + TAB

When working with multiple frames/panes, this will jump from one frame to another without having to TAB to the end of the current pane to move to the next. Press TAB again to enter the frame/pane you select.

SHIFT + CLICK (Explorer/MSIE)

This does the same thing as RIGHT CLICKing and selecting "Open in new window". Sometimes, however, I find that you have to DOUBLE CLICK to make it work.

SHIFT + RIGHT CLICK (Explorer)

This gives you an extra option, "Open With..." for certain (most) files types.

WINKEY + L (Using the "Welcome" style logon)

Same as [Start>Log Off>Switch User].

F1

Opens the Help dialogue for most programs.

F3

When searching using a typical text "Find..." feature, this will do the same as "Find next".
Now that you have that information lets move on to some more tweaks. The next tweak that I would like to share with you is one that will allow you to have a cleaner disk (we all love clean and organized disks).

A Better Disk Cleanup

This tip will show you how to create an unattended disk cleanup which will also empty your prefetch folder. This tip assumes you have Windows XP installed in c $:\$ windows.

Step 1.
Create a new text file and place the following contents inside:

c $:\$ windows\system32\cleanmgr.exe /dc /sageset: 1
c:
cd \
cd c $:\$ windows\prefetch
del *.* /q

Step 2.
Save the file, changing the extension from .txt to .bat
For this tip's purpose, we will call it clean.bat

Step 3.
Execute the file. This will run the Disk Cleanup program in a special mode which asks what items you will want cleaned when Disk Cleanup performs an unattended cleanup. Check the items you wish to have cleaned up, then click OK.

Step 4.
Right-click on the clean.bat file and click edit. Change the first line to read:

c $:\$ windows\system32\cleanmgr.exe /dc /sagerun: 1

Step 5.
Save the file. You can execute this file in place of running Disk Cleanup, or, to have this program run unattended, run the Add Scheduled Task Wizard in the Control Panel and create a scheduled task using the clean.bat file you just created.

Note: This cleanup script will also clear windows prefetch directory. Often this directory can become cluttered with old appication and a cleaning would free up disk space but it will result in a one time performance decrease and windows has to rebuild the cache with active software afterwards.

Now here is some more information again. Simple studying. I decided to break up this post becaues by now your probably tired of tweaking and probably just want to learn a little bit. The next post will be heavier on the tweaks. I promise (for all of you who are enjoying the tweaking)

This little bit of information is about deleting files with out having to go through the recycle bin. I think its a good idea to know because instead putting files in the recyle bin then emptying it, you can just delete the file, this saves alot of time. Its called bypassing the recyling bin.
The more flexible method of bypassing the recycling bin is to simply hold SHIFT while you delete your selected item(s). This will prompt you to choose whether you want to permanently delete the item(s) or not. Simply click "yes" and the action will be completed.

I find this method much more convenient as sometimes I do not want my files to bypass the recycling bin.

The following tweak is not one that you have to exit out of your browser to perform. It is simply just disabling "sticky keys" which can get quite annoying if you plan on using your windows partition for things such as games.

By Default a feature called Sticky Keys will be enabled on your PC. To disable this feature follow these steps:

1. Press SHIFT 5 times consecutively. The StickyKeys box will pop up.

2. Click Settings. Accessibility Options pops up.

3. On the "Keyboard" tab click the "Settings" button in the "StickyKeys" section.

4. Uncheck the items in this window and click OK.

5. Click Apply and OK on Accessibility Options.

Another way to improve usability would be to stop start-up items from starting up if you do not want them to start up. This tweak is a tweak that will do that for you by editing the registry. If you are not confortable with updating the registry then I will recomend that you do not perform this tweak.

The System Configuration Utility displays items that start with your PC. These items are generally located in one of two areas. The registry or in Common Startup.

Should you decide to prevent specific items from starting up you can uncheck them in the System Configuration Utility. Though this method is fine it is ultimately best to remove them from the source. To access the common registry locations of these items take a look in the following areas:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If you have disabled items in the System Configuration Utility and would like to remove them from the registry also they can be found in one of the following locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SharedTools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

That is all for usability tweaks. In the next post (which should be posted in less then an hour) I will be discussing ways to get the best performance out of windows while it is running on your mac. These will include tweaks and other information.

Scroll down to the next post for system performance tweaks.

PowerBookG4 · Jul 6, 2006

Now guys.. don't lie to me. Computers are all about performance. We love peformance and most of us will do what ever it takes to get the best performance out of our computers. I will now help you with that. Instead of sitting infront of your computers all day looking for a way to get the best of your computer while you are running windows, I have done the research for you and have put all the ways to get the best performance out of your system in this post!

First lets adjust the graphics that are on the computer for speed. I think we all agree that we can get rid of some of those graphics that are on windows, I mean most of them are ugly aren't they? So the following tweak will get some speed out of your computer by removing some of the eye candy from windows.

Windows XP has a lot of new cool looking visual elements, however, those new elements take up more RAM and cause your computer to be less responsive. By tweaking your graphics settings, you can increase the performance of your computer.

To get started, Let's reduce the color quality. This setting determines how many colors are displayed on your screen.

1. Right click on your desktop and select properties.
2. Click on the settings tab and adjust the color quality drop down box to Medium (16 Bit).
3. Click OK.

Next, let's use the windows performance settings to optimize your computer for performance. This will revert back to the old Windows 2000 look as well as take away a lot of the fancy graphics effects. However, if you are really into performance, this is the price you have to pay.

1. Right click on the My Computer icon on your desktop or in your start panel and select properties.
2. Next, Click on the Advanced tab and hit the setting button under performance.
3. On the visual effects tab, select Adjust for Best Performance and hit OK.
4. Hit OK once more to exit system properties.

Now your computer will run slightly faster!

See now we are happy, not only is your computer not as ugly, its faster too. Ok I got off topic there for the first time since I started writing this (and that was quite a while ago). So lets move on to the next tweak.

This next teak is as it says automaticly done by windows, but as mac users we know that many things are done automaticly and we will still do them manually any way. So here is a way to defrag the computer from a promt.

This type of defrag pushes all commonly used programs and boot files to the edge of the hard drive for faster access. Windows XP normally schedules this every three days when it is idle, however you can force it to do this by using the b switch anytime

i.e defrag c: -b

The next one is for all of you who are using clasic start menu (which I believe by now all of you are using. If not and you would like to , then you can switch over to clasic In the dialog box partially through these instructions

WARNING: Keep in mind that this tweak is intended for people using the "Classic Start Menu" mode to browse trough the Start Menu.

If your Start Menu loads right away when you click on it, but goes slow while you browse trough it, this will certainly solve your problem. It's quite simple actually, just follow these steps:

1. Right Click on your taskbar and choose "Properties"
2. Choose the "Start Menu" Tab and then click on "Customize"(Classic Start Menu Obviously)
3. Scroll Down the "Advanced Start Menu Options" list and uncheck the "Use Personalized Menus" option, click "OK", then "Apply" and "OK" to finish.

There are obviously alot more system performance tweaks, but I want to move on so I can get through more information tonight. I will be updating this thread in the days and weeks to come as I learn (and test) more. Please continue reading through the rest of the posts for more information. The next post will contain internet tweaks and information.

PowerBookG4 · Jul 7, 2006

Here is an internet tweak the internet tweak is really long so my comments will be brief. Back up your computer!
(link provide recomend going there)

http://www.tweakxp.com/article37124.aspx said:
If you are reading this then you are looking to maximize your bandwidth by tweaking your computers registry and other settings. There are a few things you must know and understand prior to optimizing your connection.

• Your goal in tweaking is to get 90% of your ISPs bandwidth caps, but remember that sometimes due to factors beyond your control such as routers, nodes, distance from your CO or congestion etc. you WILL NOT obtain that goal.

• You need to know your ISPs caps in kilobits, for example I have Cox Internet Service and my caps are 3000/256. This information is usually found on your ISPs website.

• You need to download CableNut from here, it is the most comprehensive internet connection tweaking app available.

• You need to know what your maximum anticipated latency is by following the instructions here.

• Once you know what your ISPs caps and your maximum anticipated latency are you just need to input it into the CableNut Live webpage. Our own Moderator here j79zlr made this page and it uses the proper formula for finding all you optimum registry settings.

• You need to make sure your MTU (maximum transmission unit) is set properly since other settings are based on this, to check yours do a TCP/IP Analyzer Test. This will tell you what your current TCP/IP registry settings are. The proper MTU values are as follows, make sure yours is set accordingly: Cable – 1500, Normal DSL – 1500, PPPoE DSL – 1492, XP Native PPPoE DSL – 1480.

If you are using XP's native PPPoE setup and your MTU is not set to 1480 then copy and paste the following and make it a .reg file and merge it into your regstry to correct it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters\Protocols\0]

"ProtocolType"=dword:00000800
"PPPProtocolType"=dword:00000021
"ProtocolMTU"=dword:000005c8

• It is important to test your speed properly, the most accurate test is to download a large file from a fast reliable FTP server such as the following two:

Another fairly reliable test is from Speakeasy, it is a java based test and isn’t as accurate but if you do multiple tests from around the US it will give you a fairly accurate result. Here is a full list of their test sites:

Make sure you clear your browsers cache prior to each test.

For all the definitions to the values in CableNut read here.

The Windows 2000 White Papers – The official Microsoft papers on how TCP/IP works in Windows 2000 & XP.

Along with properly optimizing your TCP/IP & AFD values there are also a number of other things you can do to help maximize your bandwidth.

• Setting your NIC (Ethernet card) duplex mode properly. Duplex modes are as follows:

Cable Modem – 10mb half duplex*
DSL – ISP dependant
If using a router set it to 100mb full duplex.
*OOL users should set their duplex mode to 100mb full duplex

To set yours do the following:

Open your control panel – select the network icon – right click on your LAN connection and select properties - under the ethernet adapter icon click the button configure - select the advanced tab - in the property box, the property name to be selected varies according to model of ethernet card. Examples are: Network Link Selection, Media Type, Connection Type, Duplex Mode, or any similarly named property which can have Values looking like Auto-Negotiation, or 10BT, or 10BaseT - in the Value box, select a value which either (a) explicitly says half-duplex or semi-duplex, or (b) at least does not say full-duplex [e.g. 10BaseT on its own is OK] – if there is a choice between 10 and 100 with half-duplex, choose the 10. Do not choose 10Base5, 10Base2, or AUI - click OK to exit the Adapter settings - click OK to exit the connection properties.

• Setting your TCP/IP metric setting properly, it should be set to a value of 1. To do so do the following:

Open your control panel – select the network icon – right click on your LAN connection and select properties – highlight Internet Protocol TCP/IP and select properties – advanced – select the IP settings tab – in the interface metric box put the value 1 – ok.

• Speeding up network browsing.

Open regedit and navigate to:

HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Explorer/RemoteComputer/NameSpace

Delete the key: {D6277990-4C6A-11CF-8D87-00AA0060F5BF}

• Faster webpage tweak by giving priority to DNS lookup.

Copy and paste the following and make it a .reg file and merge it into your regstry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]

"DnsPriority"=dword:00000001
"HostsPriority"=dword:00000001
"LocalPriority"=dword:00000001
"NetbtPriority"=dword:00000001

• Forward buffer memory tweak, this controls how much RAM TCP/IP uses for storing packet data in the router packet queue.

Copy and paste the following and make it a .reg file and merge it into your regstry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"ForwardBufferMemory"=dword:00024a00
"NumForwardPackets"=dword:0000024a
"MaxForwardBufferMemory"=dword:00024a00
"MaxNumForwardPackets"=dword:0000024a

• By default Windows 2K & XP cache everything in the DNS cache service, both correct and faulty DNS lookups. To increase performance by eliminating the caching of faulty DNS lookups, copy and paste the following and make it a .reg file and merge it into your regstry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]

"NegativeCacheTime"=dword:00000000
"NetFailureCacheTime"=dword:00000000
"NegativeSOACacheTime"=dword:00000000

• Internet Explorer important settings:

Open Internet Explorer and select Tools - Internet Options - under the General tab in the Temporary Internet files section select the Settings button.

Select "Every visit to the page" and set the amount of disk space to use: to no more than 80MB. Now select the Connections tab and select LAN Settings make sure EVERYTHING there is unchecked and select OK.

For IE6 ONLY - select the Privacy tab and choose Advanced check the box "Override automatic cookie handling" and for First-party Cookies - Accept, Third-party Cookies - Block and check "Always allow session cookies. Now NO MORE SPYWARE COOKIES.

Another thing to do about once a week if you modem is on 24/7 is to power cycle your modem, just completely disconnect power from it for at least 15 seconds and then power it back on.

Set your temporary internet files to 80mb and delete them regularly.

• DSL users may want to check out the DSL Wiring Guide for possibly increasing your DSL speed.

DSL users also want to make sure they do not have any halogen lights close to their modems or 900mhz or 2.4ghz phones in the same room.

• Always connect your modem via ethernet (Network Interface Card) instead of USB, ethernet is faster and much more stable. Also ALWAYS make sure you have the latest drivers for your NIC from the manufacturer NOT Microsoft, usually the drivers from the manufacturer have advanced settings that help optimize the performance of your NIC that the native Microsoft drivers don't have. If you are using a router always keep your firmware up to date.

• Remove any uneeded protocols:

Open your control panel – right click your LAN connection - properties - general tab, uninstall all the protocols there that you do not need. If you are a stand alone pc then all you need Internet Protocol TCP/IP. If you are on a network then you will need them except QoS Packet Scheduler, it is never needed.

The next section discusses network tweaks (there is only 1 as there was only 1 internet one as well, the other tweaks I found on the internet were not as good) The reason I did not merge the 2 was it did not let me, it was to long. So read on for the networking tweak.

PowerBookG4 · Jul 7, 2006

Ok guys this is the last tweak post of the thread, there is only one more short post after this one that I have planned to talk to you guys software. But this is the last post where you will have to follow instructions. So bear with me here.

The next tweak that I found is a tweak that enables you to tranfer files across your network at faster rates (this tweak is for 100mbs file transfers)

This tweak will speed up your network to the speeds you thought you were getting. It is dependant on the network equipment that you are using, so please see the oppropriate section.

By default windows uses an auto detect feature to determine your link speed. This feature can not handle 100Mbps. to change it. Click Start and right click on "My Network Places" and select properties. On the network connections windows, right click on the adapter for your network connection and click properties. Click the configure button on the Local Area Connection Properties window. Click the advanced tab on the new window. Highlight the one on the list that relates to speed. (My one card is Speed & Duplex, where the other is Connection type, i have also seen media type, and i am sure there are others) If you can figure out which one it is, simply click each one, and look at the value box, your speed property will have the value Auto Negotiate. Change this value to one of the following:

Hub Networks

Hubs can only handle half duplex speeds (50mbps in / 50mbps out = 100mbps), because they lack the ability to create virtual circuits as they are stupid, so set this to 100 half duplex (i've also seen 100 half mode)

Switch Network

Switches are smarter devices, and can handle full duplex speeds (100mbps in / 100 mbps out = 200 mbps), because they know which port the destination computer is, and create a virtual circuit to it, so set this to 100 full duplex (i've also seen 100 full mode)

Router Network

Routers, with buit in hub, see hub section, routers with built in switch see switch section.

Please remember to make these changes on every computer on the network, or you will no notice a change. A transfer is as fast as the slowest connection, in most cases, windows auto negotiate.

To increaase your speed further, refer to

http://www.tweakxp.com/display.aspx?id=282

this will remove the 20% cap on your 100 mbps full duplex network

Enjoy the network speed.

Mike

That was all that was significant for tweaking your internet and network, but they work really well, so I had to share them with my fellow mac-forum users.

The next post is what you guys have all been waiting for, my souces, a little message from me, and best of all, links to programs to help in your windows tweaking.

PowerBookG4 · Jul 7, 2006

Ok guys so the last post, you made it (and I made it to, it took me over an hour to write that)
List of programs:
TweakUI
Zone Alarms
Nortan Anti Virus

Along with good protection on your windows system it is always a good idea to protect the mac too. I mean they are one computer so viruses can easily jump from mac to pc so I would get an anti virus to run on your mac too. (there are free ones out there you can have your choice)

Now that the thread is over I would like to send the inviation out there for anybody to add in other posts tweaks that they feel other mac users should know so they can perform them on their windows partions that they are running through bootcamp. It would be nice if you tested them before you post so you don't cause headaches. If they are good then I might add them to the offical list of tweaks. You can also asks about tweaks and I will be happy to research test and add the tweak to the list.

sources said:
www.tweakxp.com
http://www.dougknox.com/
http://www.tweakhound.com/xp/WindowsXP.htm
http://www.onecomputerguy.com/windowsxp_tips.htm
http://www.pcstats.com/articleview.cfm?articleID=1494

Windows Tweaks and Security

PowerBookG4

PowerBookG4

PowerBookG4

PowerBookG4

PowerBookG4

PowerBookG4

Shop Amazon