The story is based on Ariya Jintapanichkarn's story titled Praya Prah Hongsawadee. This is a tale about the adventures of Jaiveer, aka Jumbo, a baby elephant who decides to go in search of his missing father, Yudhveer. Since the story is interesting, it draws a very wide range of viewers; even grown-ups are seen among the audiences. According to the story, no sooner does Jumbo appear on the scene than he comes across three species -- an elephant trainer, a hyperactive messenger bird and a female elephant. Jumbo turns into a war elephant to defend his kingdom from the evil ones.
Thus, the movie is full of action and thrill. Since he meets the female elephant, the movie has romance too. Thus, Jumbo has all the traits of a Bollywood movie, like romance, action, thrill, emotions etc. The movie's voiceovers are extraordinary, as a galaxy of stars have lent their voices. The salient features of 'Jumbo' include a song choreographed by Ahmed Khan and also Akshay Kumar's scenes that fascinate all, irrespective of age and sex. As said above, the voiceovers are by no less than Akshay, Dimple Kapadia, Rajpal Yadav and Gulshan Grover. They have indeed lent full support to the movie by bringing the characters to life.
Wednesday, January 7, 2009
Rab Ne Bana Di Jodi
The story begins with Surinder, played by Shah Rukh Khan, who is a simpleton but completely changes at the sight of Taani, played by Anushka Sharma, who is just the reverse of him. She is flamboyant and vivacious. But both fall prey to circumstances and come together. However, Surinder changes into Raj by undergoing a personality change. This is a flaw; how come Anushka didn't find out that it's her husband?
Two, Shah Rukh keeps doing so till the end. Luckily, there comes a change when Anushka is ready to elope with Raj, her dance partner. This is excellent. Anyway, the director and the storywriter are at fault. The movie runs longer than needed, and that too when the audience looks for a shorter duration. The music by Salim-Sulaiman is good at places. Haule Haule is an excellent composition and Dance Pe Chance is good for foot tapping. However, the other tracks are average. Ravi Chandran's cinematography is perfect.
Acting-wise, Shah Rukh is superb. Anushka looks like her character even though she is a new face, and gels well with an ace actor like SRK. Vinay Pathak lends support throughout the movie. The present generation may appreciate the movie. So, the movie is likely to fare well at multiplexes and not so well at others. Luckily, there is no competitor in the field as it's the only release. The fate of the film, according to the actor, is in the hands of God. "Aditya and I feel that God has made this film. We think rab will take care of it and the people who go to watch it. We just want them to smile in this time of depression
Though this is the third time that Shah Rukh Khan is sporting a moustache, after 'Army' and 'Paheli', he is receiving a mixed response for his 'ordinary man with moustache' look in 'Rab Ne Bana Di Jodi'. Most of his fans say, "Shah Rukh definitely looks good without a moustache. He looks so good when he is clean-shaven." However, his producer Chopra considers moustaches and looks a very secondary consideration in judging an actor's capability.
The film is releasing simultaneously in over 30 countries and over 1200 screens across India today (December 12th). This includes both analog prints as well as digital cinemas. The producer of Yash Raj Films has decided to postpone the release to a future date, it is reliably learnt. "'Rab Ne Bana Di Jodi' is not releasing in Pakistan as the production house has decided that it is not an appropriate time to release the film there," the Yash Raj Films official adds, "The final decision to release the film would be decided in due course of time. Shah Rukh Khan is very popular in Pakistan and this move to postpone the release will definitely hit our business," the source further adds.
Ghajini
The story goes like this: Aamir Khan suffers an extreme memory loss following the murder of his girlfriend Asin. But the loss of memory is short-lived. He goes to work and slowly but steadily regains the memory. Thus, he remembers his love interest and tries to pursue his lost path. He carries with himself Polaroids that remind him of his past. In this movie, Aamir tattoos them on his body, which constantly reminds him. After all, one cannot go on weaving innumerable stories. However, one can certainly change the style of narration or presentation. That provides relief to one's eyes and captures one's attention without falling prey to repetition. This is the style of A.R. Murugadoss, director of 'Ghajini's original, meaning the Tamil version. He starts off with what happens in the past, comes to the present, falls back in time and thus returns to the earlier theme. Again, the loss of memory in a movie isn't new. Many movies have shown a sort of amnesia. But 'Ghajini's memory loss is very different inasmuch as the hero recalls events but for 15 minutes only. Aamir has displayed extraordinary skill in the portrayal of a man suffering from short-term memory loss. He doesn't speak but says everything through his eyes - body language. Every narration is full of that's the beauty! Thus, the movie will be remembered for long. Every expression is strong enough to tell a lot. This saves the movie from showing undesirable fighting scenes and turning into a violent one.
Acting-wise, Aamir is superb. We have never seen the actor performing so well. Less said the better about his look, his hairstyle and his physique. The movie may inspire thousands of its viewers to hit the gym for wellness, if not for his memorable body. His body movement is great indeed! Historically, following the success of his Tamil movie, the director was looking for an actor to play his bold character of Shiva. When he met with A. R. Rehman and asked him to name a Bollywood actor for the coveted role, the latter suggested Aamir Khan for the lead role. Aamir accepted the offer but with a rider that he would begin its shoot after eight months.
To do full justice to this role, Aamir underwent fitness training under his Guru Satya for six months - working in the gym from four to six hours every day. In fact, once he broke his knee during the shooting of a stunt and deferred the shoot for a month! Another interesting matter is that the director had first signed Kangna Ranaut but later replaced her with Jiah Khan at the instance of Aamir. Kangna had reportedly leaked out to the media that she had bagged the coveted role. The director had decided to repeat his heroine Asin for the Hindi version, too. She has played her role fabulously and proved worthy of acting opposite Aamir Khan.
She looks fresh and photogenic. Jiah Khan is impressive too. Pradeep Rawat plays an equally successful villain vis-à-vis hero Aamir Khan. Then follows A.R. Rehman's music. He has left no stone unturned to show his genius. 'Guzarish', 'Behka' and 'Kaise Mujhe' are the notable ones. Ravi Chandran's cinematography is brilliant too. Less said is better, as one needs to watch and then conclude. Hence, the movie might prove the best one of the year, both acting as well as money-wise.
Thursday, January 1, 2009
FIND AN INVISIBLE USER ON YAHOO MESSENGER
Spying Is Ma Game Its Childs Game Finding Invisible Users
Still For the Kids
When a user seems offline, he/she may in fact be online but with Invisible status (avoiding you?), and Yahoo! Messenger will show him/her as offline (the gray face icon).
Then, how do you know whether he/she is offline or online? Just follow these simple steps carefully. It's really simple. There are many ways of finding people who are online yet invisible, and I'm going to describe many of those methods in this post. As we all know, Yahoo has a Stealth settings feature that lets you choose the people who see you as online and offline (Invisible Mode). But maybe you want to figure out whether these people are really online or offline.
First Method: Doodle Method
1. Double Click on the user whose status you want to check.
2. A message window will open.
3. Click IMVironment button, select See all IMVironments, select Yahoo! Tools or Interactive Fun, and click on Doodle.
4. The last step and the most important step. After loading the Doodle IMVironment, there will be two possibilities.
a) If the user is offline, the Doodle area will show “waiting for your friend to load Doodle” continuously. See figure below.
b) If the user is online (in invisible mode), after a few seconds (it can take up to one minute, depending on connection speed), you will get a blank page. See figure below.
So the user is online! There is a counter to this trick: go to Messenger >> Preferences >> Messages and uncheck Enable IMVironments. Now this trick is nullified!
Second Method: Voice Chat
1. Double Click on the user whose status you want to check.
2. Click on the “Voice” icon on the toolbar, or select the “Contact” menu and select “Enable Voice Chat”.
3. The deciding part… there are 2 possible results:
a) If the user is offline, you will get this message: “Internal server error. Cannot obtain voice token to start voice chat.”
b) If the user is invisible (actually online), you will see the Voice Toolbar.
Third Method: Conference Invitation
1. Right Click on the user whose status you want to check.
2. When the menu appears, select Invite to Conference.
3. A window will appear. See at the right pane, the username you selected will be there. Now, click Invite.
4. The deciding part… there are 2 possible results:
a) If the user is offline, you will get this message: “None of the users in the invite list are available to join the conference. Please try at a later time.”
b) If the user is invisible, you will get a similar window saying: “You are now logged into voice conference - "
Fourth Method: From Website
There are in fact many sites I found that are able to detect invisible users on Yahoo Messenger. I’ll just list a few, so that in case one goes down you still have the others as backup. These are great sites I found that we can use to find people in Yahoo Messenger invisible mode.
http://www.imvisible.info/
http://www.vizgin.com/
http://www.invisible.ir/
http://invisible-scanner.com/
http://ymdetector.net/
http://yahoo.mtv4vn.net/
http://www.4invisible.com/
http://www.2oost.com/
http://www.xeeber.com is down nowadays but is a good site for detecting invisible users
Fifth Method: OPI Method
The only drawback is that you can use it only for people who are using stealth mode, not invisible mode.
http://mail.opi.yahoo.com/online?u=useridhere
This will do the trick.
Sixth Method: Buddy Spy
1. Get Buddy Spy from
http://www.buddy-spy.com
2. Go to configure and enter your login details.
3. Now go to the Buddy Spy option and enter the username you want to track. You can also check multiple IDs. Buddy Spy tells you not only the Chat status of that user but also the Room Chat and WebCamera status!
4. You can edit other options through the Scan Options menu. Now have a great time chatting!
(Note: Buddy Spy will automatically log you out of Yahoo! Messenger if it is running, since Yahoo! Messenger supports only 1 login. To enable multiple logins you need a multi-login patch for Yahoo! Messenger. Search Google for them.)
MAKE YOUR WINDOWS SECURED AND UNDER YOUR CONTROL
Before installing Windows 2000 / XP
-> Physically disconnect from the net!
--> Do NOT plug in the network cable/internet connection!
-> Backup all your personal files and documents to different HDD or partition
--> Optionally back up to CDRW or external HDD
During installation of Windows 2000 / XP
-> Delete old system partition(s), install from "fresh"!
--> It's a good idea to create at least two partitions, one for the system (you need at least 5 Gb for this one, but 10-20 Gb is better) and a second for your own files and images of the first partition (the rest of the HDD space, but at least double the size of the first partition, so at least 10, but 20-40 Gb is better). Of course, if you have backed up your data to some partition other than C:, then do NOT remove or format that partition or your backups will be lost!
---> Format partitions to NTFS.
-> Create one account for yourself (besides the default "administrator account" that already exists). This account does not have a password by default.
-> Use good passphrases, at least 14 characters long, containing letters, numbers and special characters (like !"#¤%&/().). To be ultra-secure, use Administrator passphrases over 28 characters long.
--> Never use the same passphrase in two places/systems
After installation is done
-> When logging in first time when "Welcome" screen appears
--> Press ctrl+alt+del (a couple of times in a row perhaps)
---> Login as Administrator and with administrator passphrase
Try to close all ports and shares
-> Control Panel
--> Network and Internet connections
---> Network connections
----> Select connections and right click on them
-----> Properties
------> Select all items other than TCP/IP (one by one)
-------> Uninstall
------> Select: TCP/IP
-------> Properties
--------> Advanced
---------> WINS
----------> Remove: Enable LMhosts lookup
----------> Select: Disable Netbios over TCP/IP
---> Repeat the procedure on all other connections too
-> Control panel
--> Performance and maintenance
---> Administrative tools
----> Computer management
-----> Shared folders
------> Shares
-------> (delete everything inside)
-> (WindowsXP ONLY) Run: regedit.exe
--> Go to (if key/value does not exist, create one by right clicking in the right window)
---> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
----> EnableDCOM (REG_SZ)
-----> Set to: N
---> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
----> Value: DCOM Protocols
-----> Remove ncacn_ip_tcp
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
----> Value: MaxCachedSockets (REG_DWORD)
-----> Set to: 0
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
----> SmbDeviceEnabled (REG_DWORD)
-----> Set to: 0
---> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
----> REG_DWORD
-----> AutoShareServer
------> Set to: 0
-----> AutoShareWks
------> Set to: 0
---> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\
----> NullSessionPipes
-----> (Delete all value data INSIDE this key)
----> NullSessionShares
-----> (Delete all value data INSIDE this key)
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\
----> Machine
-----> (Delete all value data INSIDE this key)
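An added example, not part of the original guide: a Python check that reads the text of a regedit export and reports which of the registry settings listed above are not yet in place. The sample export is constructed, and the script assumes NullSessionPipes and NullSessionShares are multi-string values directly under LanmanServer\Parameters.

```python
import re

# Settings taken from the registry steps above: (key, value name, check, argument).
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
BASELINE = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM", "eq", "N"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc", "DCOM Protocols", "lacks", "ncacn_ip_tcp"),
    (SVC + r"\Dnscache\Parameters", "MaxCachedSockets", "eq", 0),
    (SVC + r"\NetBT\Parameters", "SmbDeviceEnabled", "eq", 0),
    (SVC + r"\LanmanServer\Parameters", "AutoShareServer", "eq", 0),
    (SVC + r"\LanmanServer\Parameters", "AutoShareWks", "eq", 0),
    (SVC + r"\LanmanServer\Parameters", "NullSessionPipes", "empty", None),
    (SVC + r"\LanmanServer\Parameters", "NullSessionShares", "empty", None),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths",
     "Machine", "empty", None),
]

# Constructed sample export (not taken from a real machine). Real exports are
# usually UTF-16 files; decode them to text before passing them in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"DCOM Protocols"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,\
  74,00,63,00,70,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SmbDeviceEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000000
"NullSessionPipes"=hex(7):62,00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,00,00
"NullSessionShares"=hex(7):00,00
"""


def decode(raw):
    """Turn the right-hand side of a .reg line into a str, int or list of str."""
    if raw.startswith('"'):                      # REG_SZ, with \\ and \" escapes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):                 # REG_DWORD, hexadecimal
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):                # REG_MULTI_SZ, UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return raw                                   # other types are kept as text


def parse_reg(text):
    """Parse export text into {key: {value name: data}}, all names lower-cased."""
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)  # join hex continuation lines
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = tree.setdefault(line[1:-1].rstrip("\\").lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = decode(m.group(2))
    return tree


def audit(reg_text):
    """Return (key, name, status, found) for every baseline item that is not met."""
    tree, findings = parse_reg(reg_text), []
    for key, name, check, arg in BASELINE:
        have = tree.get(key.lower(), {}).get(name.lower())
        if have is None:
            # Value absent from the export: it cannot be verified, so report it.
            findings.append((key, name, "MISSING", None))
            continue
        if check == "eq":
            ok = (have.upper() if isinstance(have, str) else have) == arg
        elif check == "lacks":
            ok = isinstance(have, list) and arg.lower() not in [s.lower() for s in have]
        else:  # "empty": the multi-string must have no entries
            ok = have == []
        if not ok:
            findings.append((key, name, "FAIL", have))
    return findings


if __name__ == "__main__":
    for key, name, status, found in audit(SAMPLE_REG):
        print(f"{status:8}{key}\\{name} = {found!r}")
```

A value reported as MISSING was simply not in the export, so export each key named in the steps before drawing conclusions.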
Enable Windows XP internet connection firewall (ICF)
-> Control Panel
--> Network and internet connections
---> Network connections
----> Select connection and right click on them
-----> Properties
------> Advanced
-------> Internet Connection Firewall (enable it)
--------> Settings
---------> Make sure NOTHING is selected/enabled
Secure your Internet Explorer settings
-> Control Panel
--> Network and Internet connections
---> Internet Options
----> General
-----> Temporary internet files
------> Settings
-------> Set to: Every visit to page
-----> Days to keep pages in history
------> Set to: 0
----> Security
-----> Internet
------> Custom level
-------> Reset to: High
--------> Reset (yes)
------> Scroll down to "File download"
-------> Set to: Enable (yes) (THAT IS, IF YOU WANT USERS TO BE ABLE TO DOWNLOAD FILES FROM THE INTERNET!)
-----> Local intranet
------> Sites
-------> Make sure nothing is selected!
-----> Trusted sites
------> Sites
-------> Add this web site to the zone:
--------> Add all the domains you can absolutely trust here (and press add after each domain)
---------> For example, add: *.microsoft.com
---------> For example, add: *.passport.com
---------> For example, add: *.msn.com
---------> For example, add: *.markusjansson.net
--------> Make sure "require server verification..." is not selected!
------> Move the tab to "Medium"
-----> Restricted Sites
------> Custom level
-------> Reset to: High
--------> Reset (yes)
------> Scroll down to "File download"
-------> Set to: Enable (yes)
----> Privacy
-----> Advanced
------> Override automatic cookie handling
-------> First party cookies: Block
-------> Third-party cookies: Block
-------> Enable: Always allow session cookies
----> Content
-----> Autocomplete
------> Disable all
------> Clear forms (yes)
------> Clear passwords (yes)
------> Programs
------> Disable: Internet Explorer should check whether it is the default web browser
----> Advanced
-----> Disable everything else, but enable the following
+ Always send URLs as UTF-8
+ Disable script debugging
+ Enable folder view on FTP sites
+ Enable page transitions
+ Show friendly http error messages
+ Show go button in address bar
+ Use passive ftp
+ Use smooth scrolling
+ Use http 1.1
+ Use http 1.1 through proxy connections
+ Don't display online media content in the media bar
+ Play animations in webpages
+ Play sounds in webpages
+ Play videos in webpages
+ Show pictures
+ Smart image dithering
+ Check for publishers certificate revocation
+ Check for server certificate revocation
+ Check signatures on downloaded programs
+ Do not save encrypted pages to disk
+ Use SSL 3.0
+ Use TLS 1.0
+ Warn about invalid site certificates
+ Warn if form submittal is being redirected
Secure Outlook Express
-> Start Outlook Express
--> Tools
---> Options
----> Read
-----> Enable: Read all messages in plain text
----> Send
-----> Mail sending format
------> Select: Plain text
----> Security
-----> Disable: Do not allow attachments to be saved or opened that could potentially be a virus (if you don't disable this one, your ability to receive attachments is almost zero. Your email virus protection should rely on the fact that you do NOT open files that you receive as email attachments if you are not ABSOLUTELY sure they are safe to be run.)
----> Maintenance
-----> Enable: Purge deleted messages when leaving IMAP folders
Turn Telnet NTLM logins off
-> Run: telnet.exe
--> Type (and press enter): unset ntlm
Turn SYSKEY on
-> Run: syskey.exe
--> Encryption enabled
---> Update
----> Store key locally
Turn extra accounts off
-> Control Panel
--> Performance and maintenance
---> Administrative tools
----> Computer management
-----> Local Users and groups
------> Local Users
-------> Delete all users other than "Administrator" and "Guest" and the user accounts you specially have created.
Create/edit user level accounts
-> Run: control userpasswords2
--> Here you can easily add, remove and edit existing accounts. The ideal composition is that you have an administrator account and one user account for every user who uses your computer (and they are all protected by good passwords). If you didn't create a user level account during setup, you can easily change one of the accounts here from "administrators group" to "user".
--> Enable: Users must enter a user name and password to use this computer
--> After installing, you usually have TWO accounts that are in administrator group. One that is "administrator" and other that is account in administrators group (named as you named it during Windows XP installation).
---> Select the latter account
----> Properties
-----> Group membership
------> Set to "Restricted User"
----> Reset password
-----> Set the password you desire, but do not use the same password as you used with your administrator account
Turn safer login on
-> Control Panel
--> User Accounts
---> Change the way users login
----> Disable: Use welcome screen
-> Run: regedit.exe
--> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
---> DefaultPassword
----> (Delete this KEY if present)
(Optionally) Create password reset diskettes
-> Control Panel
--> User Accounts
---> Click on the account you want to create a password reset diskette for
----> Related tasks
-----> Prevent a forgotten password, etc.
------> Keep that diskette in SAFE place!
Close all not-needed services
-> Control Panel
--> Performance and maintenance
---> Administrative tools
----> Services
-----> Go to every service EXCEPT
+ Application Layer Gateway Service
+ Application Management
+ Automatic Updates
+ Background Intelligent Transfer Service
+ Cryptographic Services
+ DHCP Client
+ Event Log
+ Help and support
+ Human Interface Device Access
+ Internet Connection Firewall
+ Network Connections
+ Network Location Awareness (NLA)
+ Plug and Play
+ Print Spooler (if you have printers)
+ Remote Access Connection Manager
+ Remote Procedure Call (RPC)
+ System Event Notification
+ Task Scheduler
+ Telephony
+ Themes (hey, you don't want to shut down cute themes, right?)
+ Windows Audio
+ Windows Image Acquisition (if you have scanners or digital cameras attached)
+ Windows Installer
+ Windows Management Instrumentation
+ Windows Management Instrumentation Driver Extensions
------> Doubleclick with left mouse button or click right mouse button and select "Properties"
-------> Startup type
--------> Set to: Disabled
-----> Go to
+ Automatic Updates
------> Startup type
-------> Set to: Automatic
Prevent not-needed programs from starting up
-> Run: msconfig.exe
--> Startup
---> Unselect all (unless you KNOW that there is some specific program launching that you need, for example a third party application for your printer, xDSL connection or similar).
----> If you are unsure, still unselect all. You can later come back and re-select some if it was important
Secure settings
-> Control panel
--> Performance and maintenance
---> Administrative tools
----> Local security policy
-----> Account policies
------> Password policy
------> Enforce password history - 0 passwords remembered
------> Maximum password age - 360 days
------> Minimum password age - 0 days
------> Minimum password length - 14 characters
------> Password must meet complexity requirements - Enabled
------> Store passwords using reversible encryption for all users in the domain - Disable
-----> Account lockout policy
------> Account lockout threshold - 3 invalid logon attempts.
------> Account lockout duration - 15 minutes
------> Reset account lockout counter after - 15 minutes
-----> Local policies
------> Audit policy
-------> Audit account logon events - Success, failure
-------> Audit account management - Success, failure
-------> Audit logon events - Success, failure
-------> Audit Object access - Success, failure
-------> Audit policy change - Success, failure
-------> Audit system events - Success, failure
------> User rights assignment
-------> Access this computer from the network -
-------> Act as part of the operating system -
-------> Add workstations to domain -
-------> Adjust memory quotas for a process - LOCAL SERVICE,NETWORK SERVICE,Administrators
-------> Allow logon through Terminal Services -
-------> Back up files and directories -
-------> Bypass traverse checking - Authenticated Users,Administrators
-------> Change the system time - Administrators
-------> Create a pagefile - Administrators
-------> Create a token object -
-------> Create permanent shared objects -
-------> Debug programs -
-------> Deny access to this computer from the network - Everyone
-------> Deny logon as a batch job -
-------> Deny logon as a service -
-------> Deny logon locally -
-------> Deny logon through Terminal Services - Everyone
-------> Enable computer and user accounts to be trusted for delegation -
-------> Force shutdown from a remote system -
-------> Generate security audits - LOCAL SERVICE,NETWORK SERVICE
-------> Increase scheduling priority - Administrators
-------> Load and unload device drivers - Administrators
-------> Lock pages in memory - LOCAL SERVICE, Authenticated Users,Administrators
-------> Log on as a batch job -
-------> Log on as a service -
-------> Log on locally - Authenticated Users, Administrators
-------> Manage auditing and security log - Administrators
-------> Modify firmware environment values - Administrators
-------> Perform volume maintenance tasks - Administrators
-------> Profile single process -
-------> Profile system performance -
-------> Remove computer from docking station - Authenticated Users,Administrators
-------> Replace a process level token - LOCAL SERVICE
-------> Restore files and directories -
-------> Shut down the system - Authenticated Users, Administrators
-------> Synchronize directory service data -
-------> Take ownership of files or other objects - Administrators
------> Security options
-------> Accounts: Administrator account status - Enabled
-------> Accounts: Guest account status - Disabled
-------> Accounts: Limit local account use of blank passwords to console logon only - Enabled
-------> Accounts: Rename administrator account - (TYPE SOME NAME HERE AND USE IT WHEN YOU LOGIN AS ADMINISTRATOR IN THE FUTURE)
-------> Accounts: Rename guest account - Guest
-------> Audit: Audit the access of global system objects - Disabled
-------> Audit: Audit the use of Backup and Restore privilege - Disabled
-------> Audit: Shut down system immediately if unable to log security audits - Disabled
-------> Devices: Allow undock without having to log on - Disabled
-------> Devices: Allowed to format and eject removable media - Administrators
-------> Devices: Prevent users from installing printer drivers - Enabled
-------> Devices: Restrict CD-ROM access to locally logged-on user only - Enabled
-------> Devices: Restrict floppy access to locally logged-on user only - Enabled
-------> Devices: Unsigned driver installation behavior - Do not allow installation
-------> Domain controller: Allow server operators to schedule tasks - Disabled
-------> Domain controller: LDAP server signing requirements - Not defined
-------> Domain controller: Refuse machine account password changes - Enabled
-------> Domain member: Digitally encrypt or sign secure channel data (always) - Enabled
-------> Domain member: Digitally encrypt secure channel data (when possible) - Enabled
-------> Domain member: Digitally sign secure channel data (when possible) - Enabled
-------> Domain member: Disable machine account password changes - Enabled
-------> Domain member: Maximum machine account password age - 1
-------> Domain member: Require strong (Windows 2000 or later) session key - Enabled
-------> Interactive logon: Do not display last user name - Enabled
-------> Interactive logon: Do not require CTRL+ALT+DEL - Disabled
-------> Interactive logon: Message text for users attempting to log on -
-------> Interactive logon: Message title for users attempting to log on -
-------> Interactive logon: Number of previous logons to cache (in case domain controller is not available) - 0 logons
-------> Interactive logon: Prompt user to change password before expiration - 14 days
-------> Interactive logon: Require Domain Controller authentication to unlock workstation - Enabled
-------> Interactive logon: Smart card removal behavior - Lock Workstation
-------> Microsoft network client: Digitally sign communications (always) - Enabled
-------> Microsoft network client: Digitally sign communications (if server agrees) - Enabled
-------> Microsoft network client: Send unencrypted password to third-party SMB servers - Disabled
-------> Microsoft network server: Amount of idle time required before suspending session - 1
-------> Microsoft network server: Digitally sign communications (always) - Enabled
-------> Microsoft network server: Digitally sign communications (if client agrees) - Enabled
-------> Microsoft network server: Disconnect clients when logon hours expire - Enabled
-------> Network access: Allow anonymous SID/Name translation - Disabled
-------> Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
-------> Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
-------> Network access: Do not allow storage of credentials or .NET Passports for network authentication - Enabled
-------> Network access: Let Everyone permissions apply to anonymous users - Disabled
-------> Network access: Named Pipes that can be accessed anonymously -
-------> Network access: Remotely accessible registry paths -
-------> Network access: Shares that can be accessed anonymously -
-------> Network access: Sharing and security model for local accounts - Classic local users authenticate as themselves
-------> Network security: Do not store LAN Manager hash value on next password change - Enabled
-------> Network security: Force logoff when logon hours expire - Disabled
-------> Network security: LAN Manager authentication level - Send NTLMv2 response only\refuse LM & NTLM
-------> Network security: LDAP client signing requirements - Require signing
-------> Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
-------> Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
-------> Recovery console: Allow automatic administrative logon - Disabled
-------> Recovery console: Allow floppy copy and access to all drives and all folders - Disabled
-------> Shutdown: Allow system to be shut down without having to log on - Disabled
-------> Shutdown: Clear virtual memory pagefile - Enabled
-------> System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing - Enabled
-------> System objects: Default owner for objects created by members of the Administrators group - Object creator
-------> System objects: Require case insensitivity for non-Windows subsystems - Enabled
-------> System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) - Enabled
Secure various other settings
-> Control Panel
--> Appearance and Themes
---> Display
----> Screen Saver
-----> Set to: Blank
-----> Set to: Wait 15 minutes
-----> Enable: On resume, password protect
---> Folder options
----> View
-----> Make sure the following are enabled:
+ Display the content of system folders
+ Display full address in address bar
+ Show hidden files and folders
+ Show encrypted and compressed NTFS files in color
-----> Make sure the following are NOT enabled:
+ Automatically search for network folders and printers
+ Hide extension of known file types
+ Hide protected operating system files
+ Restore previous folder windows at logon
+ Use simple sharing
--> Performance and maintenance
---> System properties
----> Advanced
-----> Performance - Settings
------> Advanced
-------> Virtual memory
--------> If you have plenty of RAM (let's say 512MB or more), you can disable the Windows swapfile. This will increase performance and security, since no sensitive data can be written to the HDD (swapfile) in any situation. If you don't have that much RAM, in theory it is a good idea to have a fixed-size swap file, let's say 256 or 512MB.
---------> Select each partition and "No paging file" (or set it as fixed on one partition if you don't have 512MB or more RAM)
-----> Startup and recovery - Settings
------> System failure
-------> Unselect all
-------> Write debugging information
--------> None
-----> Error reporting
------> Select: Disable error reporting, but notify me when critical errors occur
----> Automatic Updates
-----> Enable: Keep my computer up to date
-----> Select: Download the updates automatically and notify me when they are ready to be installed
----> Remote
-----> Unselect: Remote Assistance
-----> Unselect: Remote Desktop
---> Power Options
----> Hibernate
-----> Disable: Enable Hibernation
-> Run: mmc.exe
--> File
---> Add/Remove snap-in
----> Add
-----> Select: Group policy
------> Finish/Close/OK
--> Local Computer Policy
---> Computer configuration
----> Administrative Templates
-----> Windows Components
------> Netmeeting
-------> Disable remote desktop sharing - Enabled
-----> System
------> User profiles
-------> Only allow local user profiles - Enabled
------> Remote assistance
-------> Solicited remote assistance - Disabled
-------> Offer remote assistance - Disabled
------> Turn off autoplay - Enabled (all drives)
------> Network
-------> Offline Files
--------> Allow or disallow use of the Offline Files feature - Disabled
-> Notice that you can use this group policy tool to restrict users from altering all kinds of settings on your computer. For example, you could make the Internet Explorer settings very secure (and prevent downloading of files), and then prevent users from altering those settings. This is an excellent tool once you learn to use it properly.
Adjust event viewer settings
-> Control Panel
--> Performance and maintenance
---> Administrative tools
----> Event viewer
-----> Right click: Application
------> Properties
-------> Maximum log size: 10048
-------> Select: Overwrite events as needed
-----> Right click: Security
------> Properties
-------> Maximum log size: 10048
--------> Select: Overwrite events as needed
-----> Right click: System
------> Properties
-------> Maximum log size: 10048
--------> Select: Overwrite events as needed
Secure file and folder permissions
-> My Computer
--> Right click on C:\
---> Properties
----> General
-----> Disable: Allow indexing service to index this disk for fast file searching
----> Security
-----> Add
------> Type: Authenticated Users
-------> Press enter
-----> Select: Authenticated Users
------> Allow: Read & Execute, List folder content, Read
-----> Advanced
------> Unselect: Inherit from parent the permission entries...
-------> Copy
------> Remove all other users except: Administrator, System and Authenticated Users
-------> Select: Replace permissions entries...
--------> OK
---------> Yes
--> Go to C:\documents and settings\
---> Right click on the Administrator folder
----> Properties
-----> Security
------> Advanced
-------> Unselect: Inherit from parent the permission entries...
--------> Copy
---------> Remove: Authenticated Users
----------> Select: Replace permission entries...
-----------> OK
------------> Yes
---> Right click, one at a time, on all other user folders (like "mom", "userX", etc.)
----> Properties
-----> Security
------> Advanced
-------> Unselect: Inherit from parent the permission entries...
--------> Copy
--------> Remove: Authenticated users
---------> Add the name of the user (like "mom", "userX", etc.) whose folders these are. This will prevent all other users except admins from getting into their folders.
----------> Allow: Full Control
---------> Select: Replace permission entries...
----------> OK
-----------> Yes
--> Go to C:\windows (or if your Windows is installed onto some other directory, then go there)
---> Select "temp" folder
----> Properties
-----> Security
------> Select: Authenticated Users
-------> Allow: Full Control
--> You can also set permissions like this on other partitions and folders. Please be advised that if you store something like games somewhere, users who need to play those games usually need full control on those folders so that they can save games etc. The same goes if you store other files on those partitions, like music, documents etc., that other people want to not only access, but also save and edit. Then you should give "Authenticated Users" full permissions on those folders. The main thing is that your personal folders (C:\documents and settings\userX\) are safe from other people's tampering, and so are important system folders (C:\windows\).
-> To encrypt (EFS) the content of directories and prevent all other users (including administrators) from reading the content of files inside (only in XP pro version) the directory (notice: they can still see the file names and alter folder settings)
-> Only use this for YOUR personal directories (like to folders where you keep personal documents etc.), do not use on system, program, etc. directories!
--> Right click on the directory you wish to encrypt
---> Properties
----> General
-----> Advanced
------> Enable: Encrypt the contents to secure data (notice: If you are logged in as administrator, this will encrypt the data for the administrator account only. To encrypt data for your USER account, please secure your Windows XP installation, log in as user and then start encrypting your folders)
(Optionally) Export your EFS certificate
-> Make sure you have encrypted some directory with the user that you wish to export the EFS certificate from (otherwise you don't have an EFS certificate to export)
-> Run: MMC
--> File
---> Add/Remove Snap-in
----> Add
-----> Select: Certificates
------> Add
-------> Select: My user account
--------> Finish/close/OK
--> Certificates - Current User
---> Personal
----> Certificates
-----> Select your certificate from the right window
------> Right click with your mouse
-------> All tasks - Export
--------> Next
---------> Select: Yes, export the private
----------> Next
-----------> Write a passphrase to protect the certificate and remember it!
------------> Choose where and under what name to export it
-------------> Next, etc. etc.
Reboot your computer
-> If/When "Welcome" screen appears
--> Press ctrl+alt+del (couple times in row perhaps)
---> Login as (WHATEVER NAME YOU RENAMED THE ADMINISTRATOR ACCOUNT AS) and with administrator passphrase
Now you can physically connect to internet!
-> Plug in the network cable etc.
--> Set whatever settings needed to make it possible for you to connect to internet.
Update Windows
-> Go to http://windowsupdate.microsoft.com
--> Download ALL updates available
---> Reboot when asked and log in to the administrator account again
----> Return to this site to download more and more and more patches
-----> Continue to download/install patches, rebooting and returning to this page until you have downloaded ALL patches and cannot download any more patches.
-> Remember to come back to see new patches hopefully every week but at least once a month! We have set automatic Windows Update, but I STILL insist that you recheck for ANY new updates every once in a while. Just to be sure. Updating your Windows, Windows Media Player, Internet Explorer, Outlook Express etc. is REALLY THAT IMPORTANT!
Download, install and use free software to secure your computer
-> Remember to login as administrator before installing anything to your computer!
And finally...
-> Go through this list AGAIN, since you might have missed something, or some updates/patches might have changed some settings. For example, downloading the Windows Messenger update automatically changes your ICF setting (!!!), opening a few ports on your system!
-> When you are done installing, updating and securing your Windows XP, log in as USER with the passphrase you reset it to previously. Only use the ADMINISTRATOR account/permissions when you REALLY need to install/update/modify some settings. Logging in with administrator permissions is a severe security risk and it should be avoided at all costs.
--> Remember to change the password in all new accounts when you log in for the first time. By default, new accounts have NO password set. Press Ctrl+Alt+Del and Change Password to change your password.
-> Physically disconnect from the net!
--> Do NOT plug in the network cable/internet connection!
-> Backup all your personal files and documents to different HDD or partition
--> Optionally back up to CDRW or external HDD
During installation of Windows 2000 / XP
-> Delete old system partition(s), install from "fresh"!
--> It's a good idea to create at least two partitions, one for the system (you need at least 5 Gb for this one, but 10-20 Gb is better) and a second for your own files and images of the first partition (the rest of the HDD space, but at least double the size of the first partition, so at least 10, but 20-40 Gb is better). Of course, if you have backed up your data to some partition other than C:, then do NOT remove or format that partition or your backups will be lost!
---> Format partitions to NTFS.
-> Create one account for yourself (besides the default "administrator account" there already is). This account does not have password by default.
-> Use good passphrases, at least 14 characters long, containing letters, numbers and special characters (like !"#¤%&/().). To be ultra-secure, use Administrator passphrases over 28 characters long.
--> Never use the same passphrase in two places/systems
After installation is done
-> When logging in first time when "Welcome" screen appears
--> Press ctrl+alt+del (couple times in row perhaps)
---> Login as Administrator and with administrator passphrase
Try to close all ports and shares
-> Control Panel
--> Network and Internet connections
---> Network connections
----> Select connections and right click on them
-----> Properties
------> Select all other items (one by one) than: TCP/IP
-------> Uninstall
------> Select: TCP/IP
-------> Properties
--------> Advanced
---------> WINS
----------> Remove: Enable LMhosts lookup
----------> Select: Disable Netbios over TCP/IP
---> Repeat the procedure on all other connections too
-> Control panel
--> Performance and maintenance
---> Administrative tools
----> Computer management
-----> Shared folders
------> Shares
-------> (delete everything inside)
-> (WindowsXP ONLY) Run: regedit.exe
--> Go to (if key/value does not exist, create one by right clicking in the right window)
---> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
----> EnableDCOM (REG_SZ)
-----> Set to: N
---> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
----> Value: DCOM Protocols
-----> Remove ncacn_ip_tcp
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
----> Value: MaxCachedSockets (REG_DWORD)
-----> Set to: 0
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
----> SmbDeviceEnabled (REG_DWORD)
-----> Set to: 0
---> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
----> REG_DWORD
-----> AutoShareServer
------> Set to: 0
-----> AutoShareWks
------> Set to: 0
---> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSession Pipes\
----> NullSessionPipes
-----> (Delete all value data INSIDE this key)
----> NullSessionShares
-----> (Delete all value data INSIDE this key)
---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\
----> Machine
-----> (Delete all value data INSIDE this key)
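To confirm the registry steps above actually took effect, the keys can be exported with regedit and checked offline. The following is an added example, not part of the original guide: it parses a version 5.00 .reg export, including wrapped REG_MULTI_SZ (hex(7)) data, and reports every value that differs from the checklist. It covers the DCOM, Dnscache, NetBT, administrative-share and winreg values; the sample export and the helper names are constructed for illustration.

```python
"""Check a regedit export (format 5.00) against the registry steps above."""
import re

HKLM = "HKEY_LOCAL_MACHINE"
RPC_KEY = HKLM + r"\SOFTWARE\Microsoft\Rpc"
SERVICES = HKLM + r"\SYSTEM\CurrentControlSet\Services"
WINREG = HKLM + r"\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths"

# (key, value name) -> data the checklist asks for.
EXPECTED = {
    (HKLM + r"\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "N",
    (SERVICES + r"\Dnscache\Parameters", "MaxCachedSockets"): 0,
    (SERVICES + r"\NetBT\Parameters", "SmbDeviceEnabled"): 0,
    (SERVICES + r"\LanmanServer\Parameters", "AutoShareServer"): 0,
    (SERVICES + r"\LanmanServer\Parameters", "AutoShareWks"): 0,
    (WINREG, "Machine"): [],
}


def decode(raw):
    """Turn the right-hand side of a .reg line into a Python value."""
    if raw.startswith('"'):                      # REG_SZ, backslash-escaped
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):                 # REG_DWORD, hex digits
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):                # REG_MULTI_SZ, UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return [s for s in data.decode("utf-16-le", "ignore").split("\x00") if s]
    return raw                                   # other types: keep as text


def parse_reg(text):
    """Return {(key, name): value}; key and name are lower-cased for lookup."""
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)  # join wrapped hex lines
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if key and m:
            values[(key, m.group(1).lower())] = decode(m.group(2))
    return values


def check(text):
    """List (name, found, wanted) for every value that differs from the checklist."""
    have = parse_reg(text)
    problems = []
    for (key, name), want in EXPECTED.items():
        got = have.get((key.lower(), name.lower()))  # None means "value missing"
        if got != want:
            problems.append((name, got, want))
    protocols = have.get((RPC_KEY.lower(), "dcom protocols"), [])
    if any(p.lower() == "ncacn_ip_tcp" for p in protocols):
        problems.append(("DCOM Protocols", protocols, "ncacn_ip_tcp removed"))
    return problems


def multi_sz(strings, wrap=20):
    """Encode strings the way regedit writes REG_MULTI_SZ (used for the sample)."""
    data = ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")
    cells = [f"{b:02x}" for b in data]
    rows = [",".join(cells[i:i + wrap]) for i in range(0, len(cells), wrap)]
    return "hex(7):" + ",\\\n  ".join(rows)


# Constructed sample export, not taken from a real machine.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + HKLM + r"\SOFTWARE\Microsoft\Ole]",
    '"EnableDCOM"="Y"',
    "",
    "[" + RPC_KEY + "]",
    '"DCOM Protocols"=' + multi_sz(["ncacn_spx", "ncacn_ip_tcp"]),
    "",
    "[" + SERVICES + r"\NetBT\Parameters]",
    '"SmbDeviceEnabled"=dword:00000000',
    "",
    "[" + SERVICES + r"\lanmanserver\parameters]",
    '"AutoShareServer"=dword:00000000',
    '"AutoShareWks"=dword:00000001',
    "",
    "[" + WINREG + "]",
    '"Machine"=' + multi_sz([r"System\CurrentControlSet\Control\ProductOptions"]),
])

if __name__ == "__main__":
    for name, got, want in check(SAMPLE_REG):
        print(f"{name}: found {got!r}, checklist wants {want!r}")
```

A real regedit export is saved as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `check`.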
Enable Windows XP internet connection firewall (ICF)
-> Control Panel
--> Network and internet connections
---> Network connections
----> Select connection and right click on them
-----> Properties
------> Advanced
-------> Internet Connection Firewall (enable it)
--------> Settings
---------> Make sure NOTHING is selected/enabled
Secure your Internet Explorer settings
-> Control Panel
--> Network and Internet connections
---> Internet Options
----> General
-----> Temporary internet files
------> Settings
-------> Set to: Every visit to page
-----> Days to keep pages in history
------> Set to: 0
----> Security
-----> Internet
------> Custom level
-------> Reset to: High
--------> Reset (yes)
------> Scroll down to "File download"
-------> Set to: Enable (yes) (THAT IS, IF YOU WANT USERS TO BE ABLE TO DOWNLOAD FILES FROM THE INTERNET!)
-----> Local intranet
------> Sites
-------> Make sure nothing is selected!
-----> Trusted sites
------> Sites
-------> Add this web site to the zone:
--------> Add all the domains you can absolutely trust here (and press add after each domain)
---------> For example, add: *.microsoft.com
---------> For example, add: *.passport.com
---------> For example, add: *.msn.com
---------> For example, add: *.markusjansson.net
--------> Make sure "require server verification..." is not selected!
------> Move the tab to "Medium"
-----> Restricted Sites
------> Custom level
-------> Reset to: High
--------> Reset (yes)
------> Scroll down to "File download"
-------> Set to: Enable (yes)
----> Privacy
-----> Advanced
------> Override automatic cookie handling
-------> First party cookies: Block
-------> Third-party cookies: Block
-------> Enable: Always allow session cookies
----> Content
-----> Autocomplete
------> Disable all
------> Clear forms (yes)
------> Clear passwords (yes)
----> Programs
-----> Disable: Internet Explorer should check whether it is the default web browser
----> Advanced
-----> Disable everything else, but enable the following
+ Always send URL:s as UTF-8
+ Disable script debugging
+ Enable folder view on FTP sites
+ Enable page transitions
+ Show friendly http error messages
+ Show go button in address bar
+ Use passive ftp
+ Use smooth scrolling
+ Use http 1.1
+ Use http 1.1 through proxy connections
+ Don't display online media content in the media bar
+ Play animations in webpages
+ Play sounds in webpages
+ Play videos in webpages
+ Show pictures
+ Smart image dithering
+ Check for publishers certificate revocation
+ Check for server certificate revocation
+ Check signatures on downloaded programs
+ Do not save encrypted pages to disk
+ Use SSL 3.0
+ Use TLS 1.0
+ Warn about invalid site certificates
+ Warn if form submittal is being redirected
Secure Outlook Express
-> Start Outlook Express
--> Tools
---> Options
----> Read
-----> Enable: Read all messages in plain text
----> Send
-----> Mail sending format
------> Select: Plain text
----> Security
-----> Disable: Do not allow attachments to be saved or opened that could potentially be a virus (if you don't disable this one, your ability to receive attachments is almost zero. Your email virus protection should rely on the fact that you do NOT open files that you receive as email attachments if you are not ABSOLUTELY sure they are safe to be run.)
----> Maintenance
-----> Enable: Purge deleted messages when leaving IMAP folders
Turn Telnet NTLM logins off
-> Run: telnet.exe
--> Type (and press enter): unset ntlm
Turn SYSKEY on
-> Run: syskey.exe
--> Encryption enabled
---> Update
----> Store key locally
Turn extra accounts off
-> Control Panel
--> Performance and maintenance
---> Administrative tools
----> Computer management
-----> Local Users and groups
------> Local Users
-------> Delete all users other than "Administrator" and "Guest" and the user accounts you specially have created.
Create/edit user level accounts
-> Run: control userpasswords2
--> Here you can easily add, remove and edit existing accounts. Ideal composition is that you have administrator account and one user account per every user who uses your computer (and they all are protected by good passwords). If you didn't create a user level account during setup, you can easily change one of the accounts here from "administrators group" to "user".
--> Enable: Users must enter a user name and password to use this computer
--> After installing, you usually have TWO accounts that are in administrator group. One that is "administrator" and other that is account in administrators group (named as you named it during Windows XP installation).
---> Select the latter account
----> Properties
-----> Group membership
------> Set to "Restricted User"
----> Reset password
-----> Set whatever password you desire, but do not use the same password as you used with your administrator account
Turn safer login on
-> Control Panel
--> User Accounts
---> Change the way users login
----> Disable: Use welcome screen
-> Run: regedit.exe
--> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
---> DefaultPassword
----> (Delete this KEY if present)
(Optionally) Create password reset diskettes
-> Control Panel
--> User Accounts
---> Click on the account you want to create a password reset diskette for
----> Related tasks
-----> Prevent a forgotten password, etc.
------> Keep that diskette in SAFE place!
Close all not-needed services
-> Control Panel
--> Performance and maintenance
---> Administrative tools
----> Services
-----> Go to every service EXCEPT
+ Application Layer Gateway Service
+ Application Management
+ Automatic Updates
+ Background Intelligent Transfer Service
+ Cryptographic Services
+ DHCP Client
+ Event Log
+ Help and support
+ Human Interface Device Access
+ Internet Connection Firewall
+ Network Connections
+ Network Location Awareness (NLA)
+ Plug and Play
+ Print Spooler (if you have printers)
+ Remote Access Connection Manager
+ Remote Procedure Call (RPC)
+ System Event Notification
+ Task Scheduler
+ Telephony
+ Themes (hey, you don't want to shut down cute themes, right?)
+ Windows Audio
+ Windows Image Acquisition (if you have scanners or digital cameras attached)
+ Windows Installer
+ Windows Management Instrumentation
+ Windows Management Instrumentation Driver Extensions
------> Doubleclick with left mouse button or click right mouse button and select "Properties"
-------> Startup type
--------> Set to: Disabled
-----> Go to
+ Automatic Updates
------> Startup type
-------> Set to: Automatic
Prevent not-needed programs from starting up
-> Run: msconfig.exe
--> Startup
---> Unselect all (unless you KNOW that there is some specific program launching that you need, for example a third party application for your printer, xDSL connection or similar).
----> If you are unsure, still unselect all. You can later come back and re-select some if it was important
Secure settings
-> Control panel
--> Performance and maintenance
---> Administrative tools
----> Local security policy
-----> Account policies
------> Password policy
-------> Enforce password history - 0 passwords remembered
-------> Maximum password age - 360 days
-------> Minimum password age - 0 days
-------> Minimum password length - 14 characters
-------> Password must meet complexity requirements - Enabled
-------> Store passwords using reversible encryption for all users in the domain - Disabled
-----> Account lockout policy
------> Account lockout threshold - 3 invalid logon attempts.
------> Account lockout duration - 15 minutes
------> Reset account lockout counter after - 15 minutes
-----> Local policies
------> Audit policy
-------> Audit account logon events - Success, failure
-------> Audit account management - Success, failure
-------> Audit logon events - Success, failure
-------> Audit Object access - Success, failure
-------> Audit policy change - Success, failure
-------> Audit system events - Success, failure
------> User rights assignment
-------> Access this computer from the network -
-------> Act as part of the operating system -
-------> Add workstations to domain -
-------> Adjust memory quotas for a process - LOCAL SERVICE,NETWORK SERVICE,Administrators
-------> Allow logon through Terminal Services -
-------> Back up files and directories -
-------> Bypass traverse checking - Authenticated Users,Administrators
-------> Change the system time - Administrators
-------> Create a pagefile - Administrators
-------> Create a token object -
-------> Create permanent shared objects -
-------> Debug programs -
-------> Deny access to this computer from the network - Everyone
-------> Deny logon as a batch job -
-------> Deny logon as a service -
-------> Deny logon locally -
-------> Deny logon through Terminal Services - Everyone
-------> Enable computer and user accounts to be trusted for delegation -
-------> Force shutdown from a remote system -
-------> Generate security audits - LOCAL SERVICE,NETWORK SERVICE
-------> Increase scheduling priority - Administrators
-------> Load and unload device drivers - Administrators
-------> Lock pages in memory - LOCAL SERVICE, Authenticated Users,Administrators
-------> Log on as a batch job -
-------> Log on as a service -
-------> Log on locally - Authenticated Users, Administrators
-------> Manage auditing and security log - Administrators
-------> Modify firmware environment values - Administrators
-------> Perform volume maintenance tasks - Administrators
-------> Profile single process -
-------> Profile system performance -
-------> Remove computer from docking station - Authenticated Users,Administrators
-------> Replace a process level token - LOCAL SERVICE
-------> Restore files and directories -
-------> Shut down the system - Authenticated Users, Administrators
-------> Synchronize directory service data -
-------> Take ownership of files or other objects - Administrators
------> Security options
-------> Accounts: Administrator account status - Enabled
-------> Accounts: Guest account status - Disabled
-------> Accounts: Limit local account use of blank passwords to console logon only - Enabled
-------> Accounts: Rename administrator account - (TYPE SOME NAME HERE AND USE IT WHEN YOU LOGIN AS ADMINISTRATOR IN THE FUTURE)
-------> Accounts: Rename guest account - Guest
-------> Audit: Audit the access of global system objects - Disabled
-------> Audit: Audit the use of Backup and Restore privilege - Disabled
-------> Audit: Shut down system immediately if unable to log security audits - Disabled
-------> Devices: Allow undock without having to log on - Disabled
-------> Devices: Allowed to format and eject removable media - Administrators
-------> Devices: Prevent users from installing printer drivers - Enabled
-------> Devices: Restrict CD-ROM access to locally logged-on user only - Enabled
-------> Devices: Restrict floppy access to locally logged-on user only - Enabled
-------> Devices: Unsigned driver installation behavior - Do not allow installation
-------> Domain controller: Allow server operators to schedule tasks - Disabled
-------> Domain controller: LDAP server signing requirements - Not defined
-------> Domain controller: Refuse machine account password changes - Enabled
-------> Domain member: Digitally encrypt or sign secure channel data (always) - Enabled
-------> Domain member: Digitally encrypt secure channel data (when possible) - Enabled
-------> Domain member: Digitally sign secure channel data (when possible) - Enabled
-------> Domain member: Disable machine account password changes - Enabled
-------> Domain member: Maximum machine account password age - 1
-------> Domain member: Require strong (Windows 2000 or later) session key - Enabled
-------> Interactive logon: Do not display last user name - Enabled
-------> Interactive logon: Do not require CTRL+ALT+DEL - Disabled
-------> Interactive logon: Message text for users attempting to log on -
-------> Interactive logon: Message title for users attempting to log on -
-------> Interactive logon: Number of previous logons to cache (in case domain controller is not available) - 0 logons
-------> Interactive logon: Prompt user to change password before expiration - 14 days
-------> Interactive logon: Require Domain Controller authentication to unlock workstation - Enabled
-------> Interactive logon: Smart card removal behavior - Lock Workstation
-------> Microsoft network client: Digitally sign communications (always) - Enabled
-------> Microsoft network client: Digitally sign communications (if server agrees) - Enabled
-------> Microsoft network client: Send unencrypted password to third-party SMB servers - Disabled
-------> Microsoft network server: Amount of idle time required before suspending session - 1
-------> Microsoft network server: Digitally sign communications (always) - Enabled
-------> Microsoft network server: Digitally sign communications (if client agrees) - Enabled
-------> Microsoft network server: Disconnect clients when logon hours expire - Enabled
-------> Network access: Allow anonymous SID/Name translation - Disabled
-------> Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
-------> Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
-------> Network access: Do not allow storage of credentials or .NET Passports for network authentication - Enabled
-------> Network access: Let Everyone permissions apply to anonymous users - Disabled
-------> Network access: Named Pipes that can be accessed anonymously -
-------> Network access: Remotely accessible registry paths -
-------> Network access: Shares that can be accessed anonymously -
-------> Network access: Sharing and security model for local accounts - Classic local users authenticate as themselves
-------> Network security: Do not store LAN Manager hash value on next password change - Enabled
-------> Network security: Force logoff when logon hours expire - Disabled
-------> Network security: LAN Manager authentication level - Send NTLMv2 response only\refuse LM & NTLM
-------> Network security: LDAP client signing requirements - Require signing
-------> Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
-------> Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
-------> Recovery console: Allow automatic administrative logon - Disabled
-------> Recovery console: Allow floppy copy and access to all drives and all folders - Disabled
-------> Shutdown: Allow system to be shut down without having to log on - Disabled
-------> Shutdown: Clear virtual memory pagefile - Enabled
-------> System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing - Enabled
-------> System objects: Default owner for objects created by members of the Administrators group - Object creator
-------> System objects: Require case insensitivity for non-Windows subsystems - Enabled
-------> System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) - Enabled
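One way to check that the options above really took effect, as an added example that is not part of the original guide: a Python script that audits the [Registry Values] section of a "secedit /export /cfg" file against several of the listed settings. The registry paths and the sample export are assumptions made for illustration; the guide only gives the policy names.

```python
# Added example: compare a "secedit /export /cfg" INF with settings from the list above.
# Assumption: these registry paths back the named policies. SAMPLE_INF is constructed.
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
BASELINE = {  # policy name in the guide -> (registry path in the INF, expected data)
    "LAN Manager authentication level": (LSA + r"\LmCompatibilityLevel", "5"),
    "Do not store LAN Manager hash value": (LSA + r"\NoLMHash", "1"),
    "No anonymous enumeration of SAM accounts and shares": (LSA + r"\RestrictAnonymous", "1"),
    "NTLM SSP client minimum session security": (LSA + r"\MSV1_0\NTLMMinClientSec", "537395248"),
    "Number of previous logons to cache": (
        r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount", "0"),
    "Clear virtual memory pagefile": (
        r"MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management"
        r"\ClearPageFileAtShutdown", "1"),
}

SAMPLE_INF = r"""[System Access]
MinimumPasswordLength = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395248
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
[Version]
signature="$CHICAGO$"
"""

def parse_registry_values(inf_text):
    """Return {lowercased registry path: data} from the [Registry Values] section."""
    values, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
        elif in_section and "=" in line:
            path, _, rhs = line.partition("=")
            _reg_type, _, data = rhs.partition(",")  # "4,5" (DWORD) or '1,"0"' (string)
            values[path.strip().lower()] = data.strip().strip('"')
    return values

def audit(inf_text):
    """Return (policy, expected, found) per deviation; found is None if the value is absent."""
    found = parse_registry_values(inf_text)
    return [(policy, want, found.get(path.lower()))
            for policy, (path, want) in BASELINE.items()
            if found.get(path.lower()) != want]

if __name__ == "__main__":
    for policy, want, got in audit(SAMPLE_INF):
        print(f"DEVIATION  {policy}: expected {want}, found {got}")
```

A real export is typically UTF-16 encoded, so read the file with encoding="utf-16" before passing its text to audit().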
Secure various other settings
-> Control Panel
--> Appearance and Themes
---> Display
----> Screen Saver
-----> Set to: Blank
-----> Set to: Wait 15 minutes
-----> Enable: On resume, password protect
---> Folder options
----> View
-----> Make sure the following are enabled:
+ Display the content of system folders
+ Display full address in address bar
+ Show hidden files and folders
+ Show encrypted and compressed NTFS files in color
-----> Make sure the following are NOT enabled:
+ Automatically search for network folders and printers
+ Hide extension of known file types
+ Hide protected operating system files
+ Restore previous folder windows at logon
+ Use simple sharing
--> Performance and maintenance
---> System properties
----> Advanced
-----> Performance - Settings
------> Advanced
-------> Virtual memory
--------> If you have plenty of RAM (let's say 512MB or more), you can disable the Windows swap file. This will increase performance and security, since no sensitive data can be written to the hard disk (swap file) in any situation. If you don't have that much RAM, in theory it is a good idea to have a fixed-size swap file, let's say 256 or 512MB.
---------> Select each partition and "No paging file" (or set it as fixed on one partition if you don't have 512MB or more RAM)
-----> Startup and recovery - Settings
------> System failure
-------> Unselect all
-------> Write debugging information
--------> None
-----> Error reporting
------> Select: Disable error reporting, but notify me when critical errors occur
----> Automatic Updates
-----> Enable: Keep my computer up to date
-----> Select: Download the updates automatically and notify me when they are ready to be installed
----> Remote
-----> Unselect: Remote Assistance
-----> Unselect: Remote Desktop
---> Power Options
----> Hibernate
-----> Disable: Enable Hibernation
-> Run: mmc.exe
--> File
---> Add/Remove snap-in
----> Add
-----> Select: Group policy
------> Finish/Close/OK
--> Local Computer Policy
---> Computer configuration
----> Administrative Templates
-----> Windows Components
------> Netmeeting
-------> Disable remote desktop sharing - Enabled
-----> System
------> User profiles
-------> Only allow local user profiles - Enabled
------> Remote assistance
-------> Solicited remote assistance - Disabled
-------> Offer remote assistance - Disabled
------> Turn off autoplay - Enabled (all drives)
------> Network
-------> Offline Files
--------> Allow or disallow use of the Offline Files feature - Disabled
-> Notice that you can use this group policy tool to restrict users from altering all kinds of settings on your computer. For example, you could make the Internet Explorer settings very secure (and prevent downloading of files), and then prevent users from altering those settings. This is an excellent tool once you learn to use it properly.
Adjust event viewer settings
-> Control Panel
--> Performance and maintenance
---> Administrative tools
----> Event viewer
-----> Right click: Application
------> Properties
-------> Maximum log size: 10048
-------> Select: Overwrite events as needed
-----> Right click: Security
------> Properties
-------> Maximum log size: 10048
--------> Select: Overwrite events as needed
-----> Right click: System
------> Properties
-------> Maximum log size: 10048
--------> Select: Overwrite events as needed
Secure file and folder permissions
-> My Computer
--> Right click on C:\
---> Properties
----> General
-----> Disable: Allow indexing service to index this disk for fast file searching
----> Security
-----> Add
------> Type: Authenticated Users
-------> Press enter
-----> Select: Authenticated Users
------> Allow: Read & Execute, List folder content, Read
-----> Advanced
------> Unselect: Inherit from parent permission entries...
-------> Copy
------> Remove all other users except: Administrator, System and Authenticated Users
-------> Select: Replace permissions entries...
--------> OK
---------> Yes
--> Go to C:\documents and settings\
---> Right click on the Administrator folder
----> Properties
-----> Security
------> Advanced
-------> Unselect: Inherit from parent permission entries...
--------> Copy
---------> Remove: Authenticated Users
----------> Select: Replace permission entries...
-----------> OK
------------> Yes
---> Right click, one at a time, on all other user folders (like "mom", "userX", etc.)
----> Properties
-----> Security
------> Advanced
-------> Unselect: Inherit from parent permission entries...
--------> Copy
--------> Remove: Authenticated users
---------> Add the name of the user (like "mom", "userX", etc.) whose folder this is. This will prevent all other users except admins from getting into their folders.
----------> Allow: Full Control
---------> Select: Replace permission entries...
----------> OK
-----------> Yes
--> Go to C:\windows (or if your Windows is installed onto some other directory, then go there)
---> Select "temp" folder
----> Properties
-----> Security
------> Select: Authenticated Users
-------> Allow: Full Control
--> You can also set permissions like this on other partitions and folders. Please be advised that if you store something like games somewhere, users who need to play those games usually need full control of those folders so that they can save games etc. The same goes if you store other files on those partitions, like music, documents etc., that other people want not only to access, but also to save and edit. In that case you should give "Authenticated Users" full permissions on those folders. The main thing is that your personal folders (C:\documents and settings\userX\) are safe from other people's tampering, and so are important system folders (C:\windows\).
-> To encrypt (EFS) the content of directories and prevent all other users (including administrators) from reading the content of the files inside the directory (only in the XP Pro version; notice: they can still see the file names and alter folder settings)
-> Only use this for YOUR personal directories (like folders where you keep personal documents etc.); do not use it on system, program, etc. directories!
--> Right click on the directory you wish to encrypt
---> Properties
----> General
-----> Advanced
------> Enable: Encrypt the contents to secure data (notice: If you are logged in as administrator, this will encrypt the data for the administrator account only. To encrypt data for your USER account, please secure your Windows XP installation, log in as user and then start encrypting your folders)
(Optionally) Export your EFS certificate
-> Make sure you have encrypted some directory with the user that you wish to export the EFS certificate from (otherwise you don't have an EFS certificate to export)
-> Run: MMC
--> File
---> Add/Remove Snap-in
----> Add
-----> Select: Certificates
------> Add
-------> Select: My user account
--------> Finish/close/OK
--> Certificates - Current User
---> Personal
----> Certificates
-----> Select your certificate from the right window
------> Right click with your mouse
-------> All tasks - Export
--------> Next
---------> Select: Yes, export the private key
----------> Next
-----------> Write a passphrase to protect the certificate and remember it!
------------> Choose where and under what name to export it
-------------> Next, etc. etc.
Reboot your computer
-> If/When "Welcome" screen appears
--> Press ctrl+alt+del (couple times in row perhaps)
---> Login as (WHATEVER NAME YOU RENAMED THE ADMINISTRATOR ACCOUNT AS) and with administrator passphrase
Now you can physically connect to internet!
-> Plug in the network cable etc.
--> Set whatever settings needed to make it possible for you to connect to internet.
Update Windows
-> Go to http://windowsupdate.microsoft.com
--> Download ALL updates available
---> Reboot when asked and log in to the administrator account again
----> Return to this site to download more and more and more patches
-----> Continue to download/install patches, rebooting and returning to this page until you have downloaded ALL patches and cannot download any more patches.
-> Remember to come back to check for new patches, hopefully every week but at least once a month! We have set automatic Windows Update, but I STILL insist that you recheck for ANY new updates every once in a while. Just to be sure. Updating your Windows, Windows Media Player, Internet Explorer, Outlook Express etc. is REALLY THAT IMPORTANT!
Download, install and use free software to secure your computer
-> Remember to login as administrator before installing anything to your computer!
And finally...
-> Go through this list AGAIN, since you might have missed something, or some updates/patches might have changed some settings. For example, downloading the Windows Messenger update automatically changes your ICF setting (!!!), opening a few ports on your system!
-> When you are done installing, updating and securing your Windows XP, log in as USER with the passphrase you reset it to previously. Only use the ADMINISTRATOR account/permissions when you REALLY need to install/update/modify some settings. Logging in with administrator permissions is a severe security risk and it should be avoided at all costs.
--> Remember to change the password in every new account when you log in for the first time. By default, new accounts have NO password set. Press Ctrl+Alt+Del and Change Password to change your password.
Wednesday, November 26, 2008
Image Roller
Follow the steps:
1) Open any page that contains images.
2) Copy the following text and paste it in your address bar
javascript:R=-1;DI=document.images;DIL=DI.length;function A(a,b,c){return Math.sin(R/350*6.28*b+a)*c+c}function B(a){DIS=DI.item(a).style;DIS.position='absolute';DIS.left=A(0,7,300);DIS.top=A(1.6,6,150)}setInterval('R++;B(R%DIL)',15);void(0)
Double Size Profiles
Double the size of your Friends Image
Follow the steps:
1) Open any profile whose friends' images you wish to double.
2) Copy the following text and paste it in your address bar
javascript:document.body.innerHTML=document.body.innerHTML.replace(/small/g,"medium");void(0)