This page is more or less about security configuration, but I still have to decide whether it will keep the title "config" in future. I would prefer to call it "security"; however, the page under the software section is already named "security", so "config" seemed the most appropriate title at the time of writing (compared to "safety" or "privacy", the other two options I considered back then), simply because, as mentioned, the page is about security-related configuration rather than about the security programs themselves.
First, here is a list of a few locations where you can change security and various other settings with the (Local) Group Policy editor, gpedit.msc (an MMC snap-in):
Local Computer Policy - Computer Configuration - Administrative Templates
Windows Components, System, Network, Printers
Local Computer Policy - User Configuration - Administrative Templates
Windows Components, Start Menu and Taskbar, Desktop, Control Panel, Shared Folders, Network, System
And here is a list of a few locations where you can change security and various other settings with Local Security Settings, secpol.msc (also an MMC snap-in):
Security Settings - Account Policies
Password Policy, Account Lockout Policy
Security Settings - Local Policies
Audit Policy, User Rights Assignment, Security Options
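The same secpol.msc settings can be pulled out of a machine as a text file with `secedit /export /cfg`, which makes them easy to compare against a baseline instead of clicking through the snap-in. The script below is an added example (my own, not a tool from this page or from Microsoft) that parses such an export and reports every Password Policy, Account Lockout, Audit Policy, User Rights and Security Options value that misses a small baseline. The export text is constructed here with deliberately weak values; the thresholds in BASELINE are an assumption, a common starting point rather than values this page prescribes.

```python
"""Check a `secedit /export` policy file against a small baseline.

Added example: my own script, not a tool from the page or from Microsoft.
It covers the secpol.msc areas listed above (Password Policy, Account
Lockout Policy, Audit Policy, User Rights Assignment, Security Options),
which secedit writes out as INI-style sections.  The thresholds in
BASELINE are an assumption (a common starting point), not values the
page prescribes.  Produce a real input from an Administrator prompt with
    secedit /export /cfg C:\\policy.inf
and read it with encoding="utf-16", since secedit writes UTF-16LE.
"""

# Constructed sample export, trimmed to the keys the checks look at, with
# deliberately weak values so that the checker has something to report.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
EnableGuestAccount = 1
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
AuditPolicyChange = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

GUESTS_SID = "*S-1-5-32-546"      # well-known SID of the local Guests group
AUDIT_SUCCESS_AND_FAILURE = 3     # secedit encodes 0 none, 1 success, 2 failure, 3 both


def parse_inf(text):
    """Return {section: {key: value}} from a secedit-style INI text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def reg_data(value):
    """[Registry Values] entries are written '<type>,<data>'; type 4 is REG_DWORD."""
    reg_type, data = value.split(",", 1)
    return int(data) if reg_type == "4" else data


LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"

# (section, key) -> (predicate over the raw string value, human-readable target)
BASELINE = {
    ("System Access", "MinimumPasswordLength"): (lambda v: int(v) >= 8, ">= 8"),
    ("System Access", "PasswordComplexity"): (lambda v: v == "1", "1 (enabled)"),
    ("System Access", "PasswordHistorySize"): (lambda v: int(v) >= 5, ">= 5"),
    ("System Access", "LockoutBadCount"): (lambda v: 1 <= int(v) <= 10, "1-10 (0 = no lockout)"),
    ("System Access", "EnableGuestAccount"): (lambda v: v == "0", "0 (Guest disabled)"),
    ("Event Audit", "AuditLogonEvents"): (lambda v: int(v) == AUDIT_SUCCESS_AND_FAILURE, "3 (success and failure)"),
    ("Event Audit", "AuditAccountLogon"): (lambda v: int(v) == AUDIT_SUCCESS_AND_FAILURE, "3 (success and failure)"),
    ("Event Audit", "AuditPolicyChange"): (lambda v: int(v) == AUDIT_SUCCESS_AND_FAILURE, "3 (success and failure)"),
    ("Privilege Rights", "SeDenyNetworkLogonRight"): (lambda v: GUESTS_SID in v.split(","), "lists Guests"),
    ("Registry Values", LSA + "RestrictAnonymous"): (lambda v: reg_data(v) >= 1, ">= 1"),
    ("Registry Values", LSA + "LimitBlankPasswordUse"): (lambda v: reg_data(v) == 1, "1"),
}


def check_policy(inf_text):
    """Return (section, key, actual, expected) for every baseline miss.

    A key absent from the export counts as a miss (actual=None) rather than
    being silently skipped.
    """
    sections = parse_inf(inf_text)
    findings = []
    for (section, key), (ok, expected) in BASELINE.items():
        actual = sections.get(section, {}).get(key)
        if actual is None or not ok(actual):
            findings.append((section, key, actual, expected))
    return findings


if __name__ == "__main__":
    # On a real machine: check_policy(open(r"C:\policy.inf", encoding="utf-16").read())
    for section, key, actual, expected in check_policy(SAMPLE_INF):
        print(f"[{section}] {key}: is {actual!r}, want {expected}")
```

Run as-is it reports nine misses for the constructed export (the two values already at their target, the Guests deny right and LimitBlankPasswordUse, stay quiet); point it at a real export to see what your own secpol.msc settings look like away from the GUI.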
Next, a bit about the custom and/or optional environment variables that I use. For instance, there is the variable named dircmd with the value /-n, which makes the dir command in a CMD window on Windows XP (i.e. the "command prompt" or "DOS prompt") list directory and file names on the left-hand side, as it was in previous versions of Windows; and the variable named PROMPT (or prompt) with more or less optional values (I usually set it to $P\-$G or $P\-\$G, while $P$G is the default), which sets what the CMD window shows as the prompt; the value "$P\-$G" would result in "D:\Software\->" instead of the default "D:\Software>" that is shown with the default "$P$G" value.
Screenshots of the windows described above:

Then there are the variables TEMP and TMP, which I both set to the value B:\Cache\Temp\ so that they point to my RAM-drive. And finally there are the variable devmgr_show_nonpresent_devices with the value 1, which makes Device Manager (with View - Show hidden devices selected) also list devices that are no longer present, including the entries under "Non-Plug and Play Drivers", so that you can for instance stop or uninstall/remove old unused drivers (see also the "Removing unused device drivers from Windows XP" article on the TechRepublic website: http://techrepublic.com.com/5100-10877_11-6017628.html?tag=nl.e103), and the variable MOZ_NO_REMOTE with the value 1, which is used by Mozilla Firefox (see the "THE FIREFOX-PROFILE PRINCIPLE" entry on the "principles1.html" page for details).
And finally, about the hard-disk related preventive measure that I recommend everyone take. This was originally a blog entry on my Slovenian Sopca blog entitled "Ukrep za preprecitev sesutja trdega diska" ("A measure to prevent a hard-disk crash"): http://tadej.sopca.com/2008/01/08/ukrep-za-preprecitev-sesutja-trdega-diska. It is all very simple: it is about disabling the so-called "write caching" function, which (at least as far as I know) is enabled by default on all new/fresh Windows installations. As you can see in the example screenshots below, open Control Panel - System (or System Properties) - Hardware tab - Device Manager, then under "Disk drives" double-click the hard disk you are using (mine is, for instance, a "Western Digital WD Caviar SE"), then in the "WDC WD800JB-00JJA0 Properties" sub-window (that name is of course specific to my case) go to the "Policies" tab, and finally under "Write caching and Safe Removal" UN-CHECK the "Enable write caching on the disk" checkbox.
The thumbnail-screenshots:
This preventive measure keeps data that would not have had time to be written from the disk's internal cache to the platters (in case of a BSOD, a power failure, etc.) from being lost or corrupted, which in some cases could even corrupt the whole disk or at least a partition/drive. The trade-off is noticeably slower writes, and it does not replace a UPS and regular backups; it only narrows the window in which unflushed data can be lost.
I urge anyone with a dial-up connection (or another connection type, if it offers these two options) to always set the computer, for the particular connection (free ISP account) you mostly use, to "Never dial a connection" and especially to "Show terminal window" before dialing. This way, malicious "dialer" programs have no chance to do any harm. Here are links to screenshots of these two settings/windows stored at CastleCops (where I used the graphics in one of my posts back then):
http://castlecops.com/modules.php?name=Forums&file=download&id=5725,
http://castlecops.com/modules.php?name=Forums&file=download&id=5726.

Hmm, if I remember correctly there is yet another setting called "Show Pre-dial Terminal Screen", which is not the same as the "Show terminal window" mentioned above. Anyway, if the thumbnails above are not displayed correctly in your browser, you can try these two direct links to the screenshots hosted on ImageShack: http://img259.imageshack.us/img259/5233/terminalwindow0gb.gif, http://img259.imageshack.us/img259/8858/connection2qc.gif.
Next, it is all about the great OpenDNS (http://www.opendns.com) alternative DNS service (for more about it, see also the "diverse.html" page), which you can use instead of your ISP's name servers. First, a few related links where you can get more details about it: http://www.opendns.com/start, http://www.opendns.com/faq, http://www.opendns.com/what, http://www.opendns.com/who, http://www.opendns.com/blog, http://system.opendns.com, http://www.opendns.com/stats. For more information, see also, in the section dedicated to the DNSKong program (http://pyrenean.com/?page_value=-1), how the "Default and Alternate DNS Server" settings can be set to servers other than my ISP's; namely, by setting the "Alternate DNS Server" I could use OpenDNS only while DNSKong is filtering, or always, no matter whether DNSKong is running or not.
Various screenshots:

FYI, there was one thing that bothered me in the beginning though. You see, the OpenDNS website says that OpenDNS uses huge caches (of host names resolved to IPs) and that this is one of the factors that makes OpenDNS so fast (or at least faster than ISPs' DNS servers), so I started to wonder: isn't it the case with caches in general that, if they are really huge, this "takes away" the whole point/advantage of the cache, since the cache itself needs to be searched too, and with a (too) huge cache this might in fact take longer than resolving a name in the "standard manner" (i.e. by contacting the "normal" ISP's name server)?
Oh, and I almost forgot to mention my own "invention", about which I also write on my Sopca blog (in a blog entry titled "Moj sistem za pohitritev DNS operacij", "My system for speeding up DNS operations": http://tadej.sopca.com/2006/10/23/moj-sistem-za-pohitritev-dns-operacij), i.e. a two/three-layer local DNS caching system. In my case, resolved DNS queries (name to IP and vice versa) are first cached locally in the OS's "hosts" file (located in the "%systemroot%\system32\drivers\etc\" directory on XP), then kept in DNSKong's cache (a data structure called a completely balanced AVL tree, along with a dynamic cache in the program's heap storage) and in its "presets.txt" file, and finally in OpenDNS's huge caches.
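On the cache-size worry from two paragraphs up: a lookup in a hash table or a balanced tree (DNSKong's AVL tree is one) costs about the same whether it holds ten entries or ten million, so a bigger cache does not get slower to search; it simply answers more queries without the network round trips to the authoritative servers, which is where the time goes. The script below is an added example (my own code, not DNSKong's, OpenDNS's or Windows') that models the three layers described above in lookup order: the hosts file, a TTL-bounded local cache, and an upstream resolver. The hosts-file text, the cache contents and the upstream answer table are all constructed here so the script runs offline; in a real setup the third layer is a query to whichever resolver is configured. It also shows the one property that makes the hosts file different from the other two layers: it has no TTL, so an entry there overrides every other answer until someone edits it by hand, which is why that file is worth keeping read-only and checking now and then.

```python
"""Hosts file -> local TTL cache -> upstream resolver, in the order above.

Added example (my own code, not DNSKong's or OpenDNS's): it models the
layered lookup described in the text.  The hosts-file text, the cache
and the "upstream" answer table are constructed here so that the script
runs offline; in practice the third layer is a real query to whichever
resolver is configured (OpenDNS in the author's setup).  Only the first
layer has no TTL: a hosts entry is served forever, which is why that
file must be maintained by hand and is worth keeping read-only.
"""
import time

HOSTS_TEXT = """\
# constructed file in the %systemroot%\\system32\\drivers\\etc\\hosts format
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net  tracker.example.net   # sinkholed by hand
192.0.2.10      intranet.example intranet
"""

# Constructed answers standing in for the upstream resolver: name -> (ip, ttl).
UPSTREAM = {
    "www.example.com": ("93.184.216.34", 300),
    "intranet.example": ("198.51.100.7", 60),   # differs from hosts on purpose
}


def parse_hosts(text):
    """Map every name on a hosts line to its address; comments are stripped."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)   # first entry for a name wins
    return table


class LayeredResolver:
    def __init__(self, hosts, upstream, clock=time.monotonic):
        self.hosts = hosts            # layer 1: static, no TTL
        self.cache = {}               # layer 2: name -> (ip, expires_at)
        self.upstream = upstream      # layer 3: a table here, the network in reality
        self.clock = clock
        self.upstream_queries = 0

    def resolve(self, name):
        """Return (ip, layer) where layer names the tier that answered."""
        name = name.lower().rstrip(".")
        if name in self.hosts:
            return self.hosts[name], "hosts"
        hit = self.cache.get(name)    # dict lookup costs the same at 10 or 10 million entries
        if hit is not None and hit[1] > self.clock():
            return hit[0], "cache"
        self.upstream_queries += 1    # only this layer costs a network round trip
        answer = self.upstream.get(name)
        if answer is None:
            return None, "nxdomain"
        ip, ttl = answer
        self.cache[name] = (ip, self.clock() + ttl)
        return ip, "upstream"


class FakeClock:
    """Adjustable clock so the TTL expiry can be shown deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    r = LayeredResolver(parse_hosts(HOSTS_TEXT), UPSTREAM, clock)
    for query in ["intranet.example", "ads.example.net", "www.example.com",
                  "www.example.com", "nope.invalid"]:
        print(query, "->", r.resolve(query))
    clock.now = 301                   # past the 300 s TTL of www.example.com
    print("after TTL expiry ->", r.resolve("www.example.com"))
    print("upstream queries:", r.upstream_queries)
```

Note how intranet.example comes back from the hosts file even though the upstream table holds a different address: nothing above layer one gets a say once a name is in that file, for better (sinkholing ad hosts) or worse (a tampered entry).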
Below are the so-called "expert settings" for the Zone Alarm firewall from Zone Labs (and, besides it, the already mentioned Sunbelt Kerio Personal Firewall); both are also available in free versions. In Zone Alarm in particular, I put loopback/localhost (127.0.0.1) and the DNS servers in the Trusted Zone, and in the Blocked Zone those particular IPs that you want to prevent from connecting to the Internet.
| Access | Type | Source | Destination | Description |
| Allow | UDP | MyComputer: Any | *DNSservers: 53 | DNS |
| Allow | TCP | MyComputer: 1024-5000 | InternetZone: *Webservers | Webservers |
| Allow | UDP | MyComputer: 1024-5000 | MyComputer: 1024-5000 | Loopback |
| Block | Any | Any | Any | Block the rest |

| Access | Type | Source | Destination | Description |
| Allow | TCP | MyComputer: Any | *E-Mail Servers (or: InternetZone) | E-Mail Servers |
| Allow | TCP | MyComputer: 3000-5000 | Internet Zone: *HTTP | HTTP |
| Block | Any | Any | Any | Block the rest |
Secondly, there are the specific "program settings" that I created for the Agnitum Outpost firewall (and yes, I would also recommend trying the Sygate firewall). Outpost processes the rules in the order in which they were created, from top to bottom, so the first matching rule decides. By the way, these two firewalls are also available in free versions.
| Access | Type | Local Host | Remote Host | Local Port | Remote Port | Direction |
| Allow | TCP | Any | loopback | Any | 1024-7500 | Outbound |
| Allow | TCP | Any | pop.gmail.com | Any | 995 | Outbound |
| Allow | TCP | Any | Any | Any | 25, 80, 110, ... | Outbound |

| Access | Type | Local Host | Remote Host | Local Port | Remote Port | Direction |
| Allow | TCP | Any | loopback | Any | 1024-7500 | Outbound |
| Allow | TCP | Any | stream.24ur.com | 1024-17500 | 21, 80-83, 443, ... | Outbound |
| Allow | UDP | Any | stream.24ur.com | Any | Any | Any |
| Allow | TCP | Any | Any | Any | 554, 7070 | Outbound |
| Allow | TCP | Any | Any | 1024-7500 | 20 | Inbound |

| Access | Type | Local Host | Remote Host | Local Port | Remote Port | Direction |
| Allow | TCP | Any | loopback | Any | 1024-17500 | Outbound |
| Allow | TCP | Any | Any | 1024-17500 | 21, 80-83, 443, ... | Outbound |
| Allow | TCP | Any | Any | 1024-5000 | 20 | Inbound |

| Access | Type | Local Host | Remote Host | Local Port | Remote Port | Direction |
| Allow | TCP | Any | Any | Any | *80-83, 443, ... | Outbound |
| Allow | TCP | Any | Any | Any | 6770-32000 | Inbound |
| Allow | TCP | Any | Any | Any | 6770-32000 | Outbound |
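Two things about the tables above are easy to get wrong when copying them. First, in a top-to-bottom, first-match firewall the position of a rule is part of the rule: the "Block the rest" row only works as the last row, and an Outpost per-program set without such a row leaves every unmatched connection to the firewall's global policy. Second, the 1024-5000 source-port ranges match the default dynamic port range of Windows XP (1025-5000); a program whose source port falls outside that range (as happens once MaxUserPort has been raised in the registry) silently falls through to the block row. The script below is an added example, my own code rather than anything from Zone Labs or Agnitum, that replays the first Zone Alarm table and the stream.24ur.com Outpost table against a few constructed connection attempts to show both effects. The contents of the DNSservers group (OpenDNS's resolvers), the reading of "*Webservers" as ports 80/443 on any Internet host, the cut-down "..." port lists and every address in the sample connections are assumptions made for the demo.

```python
"""First-match evaluation of per-program firewall rules like the tables above.

Added example, my own code rather than anything from Zone Labs or Agnitum:
it replays two of the rule sets above (the first Zone Alarm table and the
stream.24ur.com Outpost table) against constructed connection attempts,
to show what a top-to-bottom, first-match firewall does with rule order
and with (or without) a final "Block the rest" row.  The DNSservers group
contents, the expansion of the *Webservers entry to ports 80/443 and every
address in the sample connections are assumptions for the demo.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the firewall's named address group.
GROUPS = {"DNSservers": {"208.67.222.222", "208.67.220.220"}}   # OpenDNS resolvers


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "block"
    proto: str         # "tcp", "udp" or "any"
    local_ports: str   # "any", "53", "1024-5000" or "25,80,110", as the tables write them
    remote: str        # "any", "loopback", a host name / IP, or a GROUPS name
    remote_ports: str
    direction: str     # "out" (this host initiates), "in" (remote initiates) or "any"


@dataclass(frozen=True)
class Conn:
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int
    direction: str
    remote_name: str = ""   # the host name the program connected to, if it used one


def port_match(spec, port):
    """Match 'any', single ports, 'lo-hi' ranges and comma-separated lists."""
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def remote_match(spec, conn):
    if spec == "any":
        return True
    if spec == "loopback":
        return ipaddress.ip_address(conn.remote_ip).is_loopback
    if spec in GROUPS:
        return conn.remote_ip in GROUPS[spec]
    return spec in (conn.remote_ip, conn.remote_name)


def evaluate(rules, conn):
    """Return (action, index of the deciding rule), or (None, None) if none matched.

    (None, None) is what a rule set without a final block row leaves to the
    firewall's global policy, which is why the Zone Alarm tables end with one.
    """
    for i, r in enumerate(rules):
        if (r.proto in ("any", conn.proto) and r.direction in ("any", conn.direction)
                and port_match(r.local_ports, conn.local_port)
                and remote_match(r.remote, conn)
                and port_match(r.remote_ports, conn.remote_port)):
            return r.action, i
    return None, None


# First Zone Alarm table above; "InternetZone: *Webservers" read as any host, ports 80/443.
ZONEALARM = [
    Rule("allow", "udp", "any", "DNSservers", "53", "out"),
    Rule("allow", "tcp", "1024-5000", "any", "80,443", "out"),
    Rule("allow", "udp", "1024-5000", "loopback", "1024-5000", "out"),
    Rule("block", "any", "any", "any", "any", "any"),
]

# Second Outpost table above (the "..." port lists are cut to what is shown).
OUTPOST_STREAM = [
    Rule("allow", "tcp", "any", "loopback", "1024-7500", "out"),
    Rule("allow", "tcp", "1024-17500", "stream.24ur.com", "21,80-83,443", "out"),
    Rule("allow", "udp", "any", "stream.24ur.com", "any", "any"),
    Rule("allow", "tcp", "any", "any", "554,7070", "out"),
    Rule("allow", "tcp", "1024-7500", "any", "20", "in"),   # active-mode FTP data channel
]

if __name__ == "__main__":
    dns = Conn("udp", 1036, "208.67.222.222", 53, "out")
    print("DNS to OpenDNS:", evaluate(ZONEALARM, dns))
    print("HTTP from port 1040:", evaluate(ZONEALARM, Conn("tcp", 1040, "93.184.216.34", 80, "out")))
    # Source port 5001 lies outside 1024-5000, so the same web request is blocked:
    print("HTTP from port 5001:", evaluate(ZONEALARM, Conn("tcp", 5001, "93.184.216.34", 80, "out")))
    print("block row moved first:", evaluate([ZONEALARM[-1]] + ZONEALARM[:-1], dns))
    print("FTP data inbound:", evaluate(OUTPOST_STREAM, Conn("tcp", 1050, "198.51.100.20", 20, "in")))
    print("unmatched:", evaluate(OUTPOST_STREAM, Conn("tcp", 1050, "203.0.113.9", 8080, "out")))
```

The inbound rule on port 20 in the Outpost set is the one that makes active-mode FTP work (the server opens the data connection back to the client's ephemeral port); it is also the only inbound hole in that set, so keep its local-port range as tight as the ephemeral range actually in use.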
Disclaimer 1: The opinions expressed on my website and in my files are mine, or belong to other individuals/entities where so specified. Each product or service is a trademark of its respective company. All registered copyrights and trademarks (© and ™) referred to on this site remain the property of their respective owners. All information is provided as opinions only. Please also see "Disclaimer 2" on the page "about.html".
