I'll second the DISA Gold Disk option for hardening systems, but like Paul
said, check EVERY OPTION before you do it. I guarantee (from personal
experience) that it will break your system if you just do it to the default
level. It is however an outstanding tool.

Sgt Morris
USMC
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of techlists (at) comcast (dot) net [email concealed]
Sent: Tuesday, May 13, 2008 11:35
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: XP Hardening

-------------- Original message ----------------------
From: maash.rajani (at) gmail (dot) com [email concealed]
> Can anyone direct me to some resources explaining hardening procedures
> for windows XP.

The US Defense Department puts their hardening guide online. They have an
automated tool called the Gold Disk that can scan your system and generate a
report of vulnerabilities it finds. The Gold Disk can also apply most of the
settings automatically.

A strong warning however - applying the Gold Disk settings wholesale is
guaranteed to cause you problems.

It is far better to selectively choose the settings you want to apply - you
don't need to apply everything. On a default system, it'll find over 100
different settings that it recommends changing.

Paul

This is a download link for the latest Gold Disk ISO image -

http://iase.disa.mil/stigs/SRR/gdv2_cd1_engine_03_25_2008.iso
0? *?H?÷

 ?0?

10 +0? *?H?÷


 ?o0?p0?X 

0
 *?H?÷


0[10 UUS10U
U.S. Government10
UDoD10
UPKI10U
DoD Root CA 20
041213150010Z
291205150010Z0[10 UUS10U
U.S. Government10
UDoD10
UPKI10U
DoD Root CA 20?
"0
 *?H?÷



?
0?

?

À,Áö;¬ÿ?<Öq¾¸t"ìpAü«@ãªÁÃØ?þÚL:¿?ÈØ({K6
À¬E%ÃÒ
?d=p*o?×܍?³A8!Í­«Â=*ÓW7
Í?Qù?ãÌFI!?´ÍË>8Ír1î«òeê4.V]ÿîcuËmº?4ü?óô-¾PÄBßY?ÿj³ú¨l=ËVqq?»??å?E
YgA°ëí`¤?u?ôCà?ûõ³Ì²?±ý2Á¸¾A¤dµ`:ZQ0?ÎÞA,G\Id¹t©?A¯}nºÁ¸¡¿e1:
gùµ»???c¸±æ?8_?ÿPÕ;¢]k²Ìc

£?0=0UIt»^ºzþTï{ Æ?Æ ?p?0U
?0U

ÿ0

ÿ0
 *?H?÷


?

????È»õÀis);5¬º³v=p ?é?D!
}vîQl7-{1iô?D¸¯FÌ4ú#Ë'Ò?!u+çà?&Ü?@?è¨ÒÌöX\fï?J??º
¢Ý[+§dNë.
5¤´?­UäÕs¨i?ñ?ò1o@Ôøx??? opfª+Îáz?µ}áàÑ?ç¡:-̱Dí??Ó
Mp9Áå~Ùñ¯× ñ"z%¤s?Ì?¤'?¨¢?í?¹Ó??ÂÁò?õbßhßǼiQí±\ÜTT) 9?¬ÁÛM®o
zIñ¿?Ò8?Óö?,·lÉB¶Ê?Ù0?50?? 
l0
 *?H?÷


0]10 UUS10U
U.S. Government10
UDoD10
UPKI10UDOD EMAIL CA-120
060926000000Z
090924235959Z0y10 UUS10U
U.S. Government10
UDoD10
UPKI1
0UUSMC1%0#UMORRIS.DEREK.PAUL.12335636210?0
 *?H?÷



0?Â(¶[9ÞÉ·À¨bSû2Ã?øÖZsгQpý<¶T¡?
æ¢0h¼n¡×'Îèã}¿3Ó!~È???b?7Îĵ¾t?aÐo/ÜM/ ËmZ:¼my_­D5½ñ¸`?(Xæ(Á¹Ð+j ¼FfÁWGù?0ï?Æ?×âHô?

£?
å0?
á0U

ÿ 0"U0derek.p.morris (at) usmc (dot) mil0 [email concealed]U#0?ÕÃ)? wÜ(NwOÿécA30
Uy8;¨.TlÊº?¦{¸ZùR±0U 0
0 `?H
e
 0s+


g0e0A+
0?5http://crl.chamb.disa.mil/getsign?DOD%20EM
AIL%20CA-120 +
0
?http://ocsp.disa.mil0ÝUÕ0Ò0: 8 6?4http://crl.chamb.d
isa.mil/getcrl?DOD%20EMAIL%20CA-120?  ??ldap://crl.chamb.disa.mil/
cn%3dDOD%20EMAIL%20CA-12%2cou%3dPKI%2cou%3dDoD%2co%3dU.S.%20Government%2
cc%3dUS?certificaterevocationlist;binary0
 *?H?÷


·{iÛ?Ë?
BxmØí?5âÓ\~åiÂ?ú¦ß?¡Ó?\¦?IÅß4§??7ÝÕn?ëo§cl2op¬òù9×¾lÓïâAM¼?g?©
øQXÚ?#<Å´?ç.²;¹Jé?0ËUo?K*:"ÉÚ2?ü °?ÄôÅ?ŪÒe40?:0?" 

0
 *?H?÷


0[10 UUS10U
U.S. Government10
UDoD10
UPKI10U
DoD Root CA 20
060109135445Z
120108135445Z0]10 UUS10U
U.S. Government10
UDoD10
UPKI10UDOD EMAIL CA-120?0
 *?H?÷



0?ã"¦î?¢¤Ñ
F{RCV¦{ð´êSTÏ+lj-~Ä?*¸²ËcF©?É)ÿy]òNÙÊäZ³@@ÝÿEÔ
ÔNZ?"Úó?¸éi?7¢ª¬C??jZQü?ëRåM±?õ]÷Ú¼Vå?b?Z!·K×?b?Õ??Êð@tZ_F¼m


£?
?0?
?0U

ÿ
?0U#0?It»^ºzþTï{ Æ?Æ ?p?0UÕÃ)? wÜ(NwOÿécA30U$0?
0U

ÿ0

ÿ00U )0'0 `?H
e
0 `?H
e
 0 `?H
e

0áUÙ0Ö0: 8 6?4http://crl.chamb.disa.mil/getcrl?DoD%20Root%20CA%2
020? ? ???ldap://crl.chamb.disa.mil/cn%3dDoD%20Root%20CA%202%2cou%3d
PKI%2cou%3dDoD%2co%3dU.S.%20Government%2cc%3dUS%3fcertificaterevocationl
ist%3bbinary0
 *?H?÷


?

*
wå?úä?Ím¨]??
?ÍСOTm¾k?î!_³4Db?ÂÞ´?0F?¾x½aHrè&P?f?è"ñKÿ-ëå???¥/Ý{W¶`²|g]Χ8Ô¨äÞÆ=²??÷jÅX?Rᨍµ²
G?x2Ã;ú,@¢Irße»õ¬?mÚ??3GÑI?NÄ×8¤õîaJÞ?ÁÒö?Þ?Ýä?ÔøO¤<(®ÞF3ICC­
'¦A·?fèo$á-º¹aÜC|-òCzTós?¡?2Ü)W.[?sZ?ôcëcÎf@ä)ß×?Þgz¿?ÐÇ·è0??
0?é 
S0
 *?H?÷


0]10 UUS10U
U.S. Government10
UDoD10
UPKI10UDOD EMAIL CA-120
060926000000Z
090924235959Z0y10 UUS10U
U.S. Government10
UDoD10
UPKI1
0UUSMC1%0#UMORRIS.DEREK.PAUL.12335636210?0
 *?H?÷



0?ª³/Ü-×Åx#Ã_u$?³»I[Ô¹F?{?Åfyç·6PÜÌã?)q????1å¥?òÂZRé?
ós^Ö,Ésì
âJ?~#GÜ®S©+±Dn¼´Ô÷B«êbÖÃ×ø??¤êÓ¨ú?ðS¬?ýÜÙ¾²NFH«0e

£?00?,0
U

ÿÀ0U#0?ÕÃ)? wÜ(NwOÿécA30U
={ç ÊÅaÊ"/?Nn2ÀZ0U 0
0 `?H
e
 0s+


g0e0A+
0?5http://crl.chamb.disa.mil/getsign?DOD%20EM
AIL%20CA-120 +
0
?http://ocsp.disa.mil0ÝUÕ0Ò0: 8 6?4http://crl.chamb.d
isa.mil/getcrl?DOD%20EMAIL%20CA-120?  ??ldap://crl.chamb.disa.mil/
cn%3dDOD%20EMAIL%20CA-12%2cou%3dPKI%2cou%3dDoD%2co%3dU.S.%20Government%2
cc%3dUS?certificaterevocationlist;binary0)U%"0 
+

?7+
+
0BU;09derek.p.morris (at) usmc (dot) mil [email concealed] 
+

?7 1233563621@mil0
 *?H?÷


®x-]+¥Ø¨Z¹'ǤÒC8ÔhÉC??s-PæýUÍýw ºH;T6c´bòP¤µÉp¸ÙuP0ås+Þ\¾?)°?¨´ ?}FÖIY?É"^ë^?²§sNÞKÐÝ-Ë)iN??º?¨?õbu³ïah÷4TqÖãßVÇ1?±0?­

0d0
]10 UUS10U
U.S. Government10
UDoD10
UPKI10UDOD EMAIL CA-12S0 + ?
£0 *?H?÷

1 *?H?÷


0 *?H?÷

1
080513203712Z0# *?H?÷

1~?3S§.d«m?Ö
*úC\Ê10X *?H?÷

1K0I0
*?H?÷
0*?H?÷
?0+0
*?H?÷

(0+0
*?H?÷
0s +

?71f0d0]10 UUS10U
U.S. Government10
UDoD10
UPKI10UDOD EMAIL CA-12l0u*?H?÷

1f d0]10 UUS10U
U.S. Government10
UDoD10
UPKI10UDOD EMAIL CA-12l0
 *?H?÷



?ue¸
¥%'1?ûE
°?>¯ó?Fw?n\øÕ»ÑØѪt©áJ°%qhdIó&"2ÛÄý[|lx*YKçÒv«w µª?s?PþÕ¨1Ó7??-)÷µ)öí|-?÷ӁFTþä?ï_F?{s!æ aóxD?ÕV3Ò®Ìß·Æ

[ reply ]