Users, Groups & Built-in Security Principles

Posted: 05-15-2004, 05:56 AM
G'day all

My F-I-L (father-in-law) recently dropped his PC over for some well needed maintenance. Unfortunately, the machine was pretty badly infected with a myriad of trojans, worms, virus', malware..... everything you could imagine that has done the rounds in the last 2 years, he had

The machine is now free of all the nasties but the evidence of them having been there remains (eg user names)

When bringing up a list of what name (RDN's) exist in the User, Group and Objects pane this is what remains

ANONYMOUS LOGO
BATC
DIALU
Help Assistan
Help Services Grou
INTERACTIV
NETWOR
NETWORK SERVIC
REMOTE INTERACTIVE LOGO
SERVIC
SUPPORT_388945a
TERMINAL SERVER USE
CREATOR GROU
CREATOR OWNE

I'm not sure if they are all meant to be in that list, but he would like them gone (of course there are more in the list and he is happy with those that have his name in them!). How can I delete them? He is running XP Home and as far as I can see there is nothing like an ACL where you can delete these profiles or user names. Can anyone help me with this? SFS doesn't allow the names to be deleted from the list and I cant see how to, using WMI (if you can at all with WMI). Am I missing something? (bah all you smarties out there, don't say a brain!

Another question

$LDR
$WIN_NT$.~B

are these required for XP? If not how in the heck do I manually delete them? I have reset attribs and deleted, but on re-start they magically appear again? Would there/could there be a registry entry that reinstates these that I can disable, change the value of, etc

Last one!

In the list of users at the welcome screen is there any registry settings that would allow a user to be hidden ie Administrator? I would still like it to be available but not openly obvious to my F-I-L as I know he will be in there exploring! This logon mostly contains all the AV and AT programs I've just paid a motza for

Any help at all would be wonderful


Users, Groups & Built-in Security Principles


Responses to "Users, Groups & Built-in Security Principles"

Shenan Stanley
Guest
Posts: n/a
 
Re: Users, Groups & Built-in Security Principles
Posted: 05-15-2004, 06:04 AM
Jodip wrote:
> My F-I-L (father-in-law) recently dropped his PC over for some well
> needed maintenance. Unfortunately, the machine was pretty badly
> infected with a myriad of trojans, worms, virus', malware.....
> everything you could imagine that has done the rounds in the last 2
> years, he had!
>
> The machine is now free of all the nasties but the evidence of them
> having been there remains (eg user names).
>
> When bringing up a list of what name (RDN's) exist in the User, Group
> and Objects pane this is what remains:
>
> ANONYMOUS LOGON
> BATCH
> DIALUP
> Help Assistant
> Help Services Group
> INTERACTIVE
> NETWORK
> NETWORK SERVICE
> REMOTE INTERACTIVE LOGON
> SERVICE
> SUPPORT_388945a0
> TERMINAL SERVER USER
> CREATOR GROUP
> CREATOR OWNER
>
> I'm not sure if they are all meant to be in that list, but he would
> like them gone (of course there are more in the list and he is happy
> with those that have his name in them!). How can I delete them? He is
> running XP Home and as far as I can see there is nothing like an ACL
> where you can delete these profiles or user names. Can anyone help me
> with this? SFS doesn't allow the names to be deleted from the list
> and I cant see how to, using WMI (if you can at all with WMI). Am I
> missing something? (bah all you smarties out there, don't say a
> brain!)
>
> Another question:
>
> $LDR$
> $WIN_NT$.~BT
>
> are these required for XP? If not how in the heck do I manually
> delete them? I have reset attribs and deleted, but on re-start they
> magically appear again? Would there/could there be a registry entry
> that reinstates these that I can disable, change the value of, etc?
>
>
> Last one!:
>
> In the list of users at the welcome screen is there any registry
> settings that would allow a user to be hidden ie Administrator? I
> would still like it to be available but not openly obvious to my
> F-I-L as I know he will be in there exploring! This logon mostly
> contains all the AV and AT programs I've just paid a motza for!
>
> Any help at all would be wonderful!
Windows XP?
Leave them. They are part of the OS. Leave them.
Did I mention LEAVE THEM?
Do that.

Windows XP is a multi-user OS, even when used by one person only, the
fundamentals don't change.

Documents and Settings is the directory that contains your user
information/documents/etc. It also contains a few extra directories used by
Windows.

One is "Default User" - This is used whenever a new account is created. It
bases the initial setup of that account off this directory.

Another is "All Users" - This is used by.. all users. If you want something
to appear on the desktop of every user of the machine, you put it on this
users desktop (in the desktop folder.) Etc.

You may also see "Administrator" - depending on your setup, this is the
original administrator user and if you know that account's password, you
should leave him alone and use him only in an emergency.

You could also (if you have it where you can see ALL files) see
"LocalService" and "NetworkService" folders. These are service accounts,
normally unused by the standard user.

Should you erase any of the above? No. No reason to. The only ones that a
single user will really ever use is the one under their username (ie:
whatever username you log in with) and the "All Users" account. If
something goes wrong(or you add a new user), the default user will be used
(recreated if not there) to create the new account needed. The
Administrator account will hopefully never be used and would just be
recreated if you logged in as administrator (assuming you even have the
user - which you do.) Sometimes your account may be listed as "owner" or
"administrator" under the documents and settings folder.. This all depends
on how things were setup. The name you use and the name of the folder do
NOT have to correspond if the name was changed manually after the account
was created initially.

Continuing with your questions...


Those are directories I am guessing? Hmm.. Tried deleting in Safe Mode?


And for your "users on welcome screen" question - download, install and use
TweakUI. You can decide (in its many settings) who shows up on the Welcome
Screen.


And if I might be so bold, make SURE the machine is clean and stays that
way..

Suggestions on what you can do to secure/clean your PC. I'm going to try
and be general, I will assume a "Windows" operating system is what is
being secured here.


UPDATES and PATCHES
-------------------

This one is the most obvious. There is no perfect product and any company
worth their salt will try to meet/exceed the needs of their customers and
fix any problems they find along the way. I am not going to say Microsoft
is the best company in the world about this but they do have an option
available for you to use to keep your machine updated and patched from
the problems and vulnerabilities (as well as product improvements in some
cases) - and it's free to you.

Windows Update
http://windowsupdate.microsoft.com/

Go there and scan your machine for updates. Always get the critical ones as
you see them. Write down the KB###### or Q###### you see when selecting the
updates and if you have trouble over the next few days, go into your control
panel (Add/Remove Programs), match up the latest numbers you downloaded
recently (since you started noticing an issue) and uninstall them. If there
was more than one (usually is), install them back one by one - with a few
hours of use in between, to see if the problem returns. Yes - the process
is not perfect (updating) and can cause trouble like I mentioned - but as
you can see, the solution isn't that bad - and is MUCH better than the
alternatives. (SASSER/BLASTER were SO preventable with just this step!)

Windows is not the only product you likely have on your PC. The
manufacturers of the other products usually have updates as well. New
versions of almost everything come out all the time - some are free, some
are pay - some you can only download if you are registered - but it is best
to check. Just go to their web pages and look under their support and
download sections.

You also have hardware on your machine that requires drivers to interface
with the operating system. You have a video card that allows you to see on
your screen, a sound card that allows you to hear your PCs sound output and
so on. Visit those manufacturer web sites for the latest downloadable
drivers for your hardware/operating system. Always (IMO) get the
manufacturers hardware driver over any Microsoft offers. On the Windows
Update site I mentioned earlier, I suggest NOT getting their hardware
drivers - no matter how tempting.

Have I mentioned that Microsoft has some stuff to help secure your computer
available to the end-user for free? This seems as good of a time as any.
They have a CD you can order (it's free) that contain all of the Windows
patches through October 2003 and some trial products as well that they
released in February 2004. Yeah - it's a little behind now, but it's better
than nothing (and used in coordination with the information in this post,
well worth the purchase price..)

Order the Windows Security Update CD
http://www.microsoft.com/security/protect/cd/order.asp

They also have a bunch of suggestions, some similar to these, on how to
better protect your Windows system:

Protect your PC
http://www.microsoft.com/security/protect/


FIREWALL
--------

Let's say you are up-to-date on the OS (operating system) and you have
Windows XP.. You should at least turn on the built in firewall. That will
do a lot to "hide" you from the random bad things flying around the
Internet. Things like Sasser/Blaster enjoy just sitting out there in
Cyberspace looking for an unprotected Windows Operating System and jumping
on it, doing great damage in the process and then using that Unprotected OS
to continue its dirty work of infecting others. If you have the Windows XP
ICF turned on - default configuration - then they cannot see you! Think of
it as Internet Stealth Mode at this point. It has other advantages, like
actually locking the doors you didn't even (likely) know you had. Doing
this is simple, the instructions you need to use your built in Windows XP
firewall can be found here:

http://support.microsoft.com/?kbid=320855

If you read through that and look through the pages that are linked from it
at the bottom of that page - I think you should have a firm grasp on the
basics of the Windows XP Firewall as it is today. One thing to note RIGHT
NOW - if you have AOL, you cannot use this nice firewall that came with
your system. Thank AOL, not Microsoft. You HAVE to configure another
one.. So we continue with our session on Firewalls...

But let's say you DON'T have Windows XP - you have some other OS like
Windows 95, 98, 98SE, ME, NT, 2000. Well, you don't have the nifty built in
firewall. My suggestion - upgrade. My next suggestion - look through your
options. There are lots of free and pay firewalls out there for home users.
Yes - you will have to decide on your own which to get. Yes, you will have
to learn (oh no!) to use these firewalls and configure them so they don't
interfere with what you want to do while continuing to provide the security
you desire. It's just like anything else you want to protect - you have to
do something to protect it. Here are some suggested applications. A lot of
people tout "ZoneAlarm" as being the best alternative to just using the
Windows XP ICF, but truthfully - any of these alternatives are much better
than the Windows XP ICF at what they do - because that is ALL they do.

ZoneAlarm (Free and up)
http://www.zonelabs.com/store/conten...eeDownload.jsp

Kerio Personal Firewall (KPF) (Free and up)
http://www.kerio.com/kpf_download.html

Outpost Firewall from Agnitum (Free and up)
http://www.agnitum.com/download/

Sygate Personal Firewall (Free and up)
http://smb.sygate.com/buy/download_buy.htm

Symantec's Norton Personal Firewall (~$25 and up)
http://www.symantec.com/sabu/nis/npf/

BlackICE PC Protection ($39.95 and up)
http://blackice.iss.net/

Tiny Personal Firewall (~$49.00 and up)
http://www.tinysoftware.com/

That list is not complete, but they are good firewall options, every one of
them. Visit the web pages, read up, ask around if you like - make a
decision and go with some firewall, any firewall. Also, maintain it.
Sometimes new holes are discovered in even the best of these products and
patches are released from the company to remedy this problem. However, if
you don't get the patches (check the manufacturer web page on occasion),
then you may never know you have the problem and/or are being used through
this weakness. Also, don't stack these things. Running more than one
firewall will not make you safer - it would likely (in fact) negate some
protection you gleamed from one or the other firewalls you ran together.


ANTIVIRUS SOFTWARE
------------------

That's not all. That's one facet of a secure PC, but firewalls don't do
everything. I saw one idiot posting on a newsgroup that "they had
never had a virus and they never run any anti-virus software. Yep - I used
to believe that way too - viruses were something everyone else seemed to
get, were they just stupid? And for the average joe-user who is careful,
uses their one-three family computers carefully, never opening unknown
attachments, always visiting the same family safe web sites, never
installing anything that did not come with their computer - maybe, just
maybe they will never witness a virus. I, however, am a Network Systems
Administrator. I see that AntiVirus software is an absolute necessity. You
can be as careful as you want - will the next person be as careful? Will
someone send you unknowingly the email that erases all the pictures of your
child/childhood? Possibly - why take the chance? ALWAYS RUN ANTIVIRUS
SOFTWARE and KEEP IT UP TO DATE! Antivirus software comes in so many
flavors, it's like walking into a Jelly Belly store - which one tastes like
what?! Well, here are a few choices for you. Some of these are free (isn't
that nice?) and some are not. Is one better than the other - MAYBE. I
personally love Symantec AV.

Symantec (Norton) AntiVirus (~$11 and up)
http://www.symantec.com/

Kaspersky Anti-Virus (~$49.95 and up)
http://www.kaspersky.com/products.html

Panda Antivirus Titanium (~$39.95 and up)
http://www.pandasoftware.com/
(Free Online Scanner: http://www.pandasoftware.com/activescan/)

AVG 6.0 Anti-Virus System (Free and up)
http://www.grisoft.com/

McAfee VirusScan (~$11 and up)
http://www.mcafee.com/

AntiVir (Free and up)
http://www.free-av.com/

avast! 4 (Free and up)
http://www.avast.com/

Trend Micro (~$49.95 and up)
http://www.trendmicro.com/
(Free Online Scanner:
http://housecall.trendmicro.com/hous...start_corp.asp)

Did I mention you have to not only install this software, but also keep it
updated? You do. Some of them (most) have automatic services to help you
do this - I mean, it's not your job to keep up with the half-dozen or more
new threats that come out daily, is it? Be sure to keep whichever one you
choose up to date!


SPYWARE/ADWARE/POPUPS
---------------------

So you must be thinking that the above two things got your back now - you
are covered, safe and secure in your little fox hole. Wrong! There are
more bad guys out there. There are annoyances out there you can get without
trying. Your normal web surfing, maybe a wrong click on a web page, maybe
just a momentary lack of judgment by installing some software packages
without doing the research.. And all of a sudden your screen starts filling
up with advertisements or your Internet seems much slower or your home page
won't stay what you set it and goes someplace unfamiliar to you. This is
spyware. There are a whole SLEW of software packages out there to get rid
of this crud and help prevent reinfection. Some of the products already
mentioned might even have branched out into this arena. However, there are
a few applications that seem to be the best at what they do, which is
eradicating and immunizing your system from this crap. Strangely, the best
products I have found in this category ARE generally free. That is a trend
I like. I make donations to some of them, they deserve it!

Spybot Search and Destroy (Free!)
http://www.safer-networking.net/

Lavasoft AdAware (Free and up)
http://www.lavasoft.de

CWSShredder (Free!)
http://www.spywareinfo.com/~merijn/downloads.html

Hijack This! (Free)
http://mjc1.com/mirror/hjt/

SpywareBlaster (Free!)
http://www.javacoolsoftware.com/

ToolbarCop (Free!)
http://www.mvps.org/sramesh2k/toolbarcop.htm

Bazooka Adware and Spyware Scanner (Free!)
http://kephyr.sureshot.xaviermedia.net/spywarescanner/

Browser Security Tests
http://www.jasons-toolbox.com/BrowserSecurity/

The Cleaner (49.95 and up)
http://www.moosoft.com/

That will clean up your machine of the spyware, given that you download and
install several of them, update them regularly and scan with them when you
update. Some (like SpywareBlaster and SpyBot Search and Destroy) have
immunization features that will help you prevent your PC from being
infected. Use these features!

Unfortunately, although that will lessen your popups on the Internet/while
you are online, it won't eliminate them. I have looked at a lot of options,
seen a lot of them used in production with people who seem to attract popups
like a plague, and I only have one suggestion that end up serving double
duty (search engine and popup stopper in one):

The Google Toolbar (Free!)
http://toolbar.google.com/

Yeah - it adds a bar to your Internet Explorer - but its a useful one. You
can search from there anytime with one of the best search engines on the
planet (IMO.) And the fact it stops most popups - wow - BONUS! If you
don't like that suggestion, then I am just going to say you go to
www.google.com and search for other options.

One more suggestion, although I will suggest this in a way later, is to
disable your Windows Messenger service. This service is not used frequently
(if at all) by the normal home user and in cooperation with a good firewall,
is generally unnecessary. Microsoft has instructions on how to do this for
Windows XP here:
http://www.microsoft.com/windowsxp/p...e/stopspam.asp


SPAM EMAIL/JUNK MAIL
--------------------

This one can get annoying, just like the rest. You get 50 emails in one
sitting and 2 of them you wanted. NICE! (Not.) What can you do? Well,
although there are services out there to help you, some email
servers/services that actually do lower your spam with features built into
their servers - I still like the methods that let you be the end-decision
maker on what is spam and what isn't. If these things worked perfectly, we
wouldn't need people and then there would be no spam anyway - vicious
circle, eh? Anyway - I have two products to suggest to you, look at them
and see if either of them suite your needs. Again, if they don't, Google is
free and available for your perusal.

SpamBayes (Free!)
http://spambayes.sourceforge.net/

Spamihilator (Free!)
http://www.spamihilator.com/

As I said, those are not your only options, but are reliable ones I have
seen function for hundreds+ people.


DISABLE (Set to Manual) UNUSED SERVICE/STARTUP APPS
---------------------------------------------------

I might get arguments on putting this one here, but it's my spill. There are
lots of services on your PC that are probably turned on by default you don't
use. Why have them on? Check out these web pages to see what all of the
services you might find on your computer are and set them according to your
personal needs. Be CAREFUL what you set to manual, and take heed and write
down as you change things! Also, don't expect a large performance increase
or anything - especially on todays 2+ GHz machines, however - I look at each
service you set to manual as one less service you have to worry about
someone exploiting. A year ago, I would have thought the Windows Messenger
service to be pretty safe, now I recommend (with addition of a firewall)
that most home users disable it! Yeah - this is another one you have to
work for, but your computer may speed up and/or be more secure because you
took the time. And if you document what you do as you do it, next time, it
goes MUCH faster! (or if you have to go back and re-enable things..)

Task List Programs
http://www.answersthatwork.com/Taskl...s/tasklist.htm

Black Viper's Service List and Opinions (XP)
http://www.blackviper.com/WinXP/servicecfg.htm

Processes in Windows NT/2000/XP
http://www.reger24.de/prozesse/

There are also applications that AREN'T services that startup when you start
up the computer/logon. One of the better description on how to handle these
I have found here:

Startups
http://www.pacs-portal.co.uk/startup_content.php


That's it. A small booklet on how to keep your computer secure, clean of
scum and more user friendly. I am SURE I missed something, almost as I am
sure you won't read all of it (anyone for that matter.) However, I also
know that someone who followed all of the advice above would also have less
problems with their PC, less problems with viruses, less problems with spam,
less problems with spyware and better performance than someone who didn't.

Hope it helps.

--
<- Shenan ->
--


Roger Abell
Guest
Posts: n/a
 
Re: Users, Groups & Built-in Security Principles
Posted: 05-15-2004, 12:26 PM
I will add a little to what Shenan has provided . . .

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Jodip" <anonymous@discussions.microsoft.com> wrote in message
news:8AB7FAAA-4B13-491F-BC38-B259B4D18B8A@microsoft.com...
> G'day all,
>
> My F-I-L (father-in-law) recently dropped his PC over for some well
needed maintenance. Unfortunately, the machine was pretty badly infected
with a myriad of trojans, worms, virus', malware..... everything you could
imagine that has done the rounds in the last 2 years, he had!
>
> The machine is now free of all the nasties but the evidence of them having
been there remains (eg user names).
>
> When bringing up a list of what name (RDN's) exist in the User, Group and
Objects pane this is what remains:
>
> ANONYMOUS LOGON
> BATCH
> DIALUP
> Help Assistant
> Help Services Group
> INTERACTIVE
> NETWORK
> NETWORK SERVICE
> REMOTE INTERACTIVE LOGON
> SERVICE
> SUPPORT_388945a0
> TERMINAL SERVER USER
> CREATOR GROUP
> CREATOR OWNER
>
The above are all, except for
> Help Assistant
> Help Services Group
> SUPPORT_388945a0
built-in principals of one type or another
They are not actual accounts, but rather (most of
them) placeholders used to grant specific things
to the actual account in use if it meets specific
criteria.
The three I exempted are accounts (or a group)
that are part of the initial install. The accounts
can be disabled without ill effect provided that
the remote assistance is not to be used.
> I'm not sure if they are all meant to be in that list, but he would like
them gone (of course there are more in the list and he is happy with those
that have his name in them!). How can I delete them? He is running XP Home
and as far as I can see there is nothing like an ACL where you can delete
these profiles or user names. Can anyone help me with this? SFS doesn't
allow the names to be deleted from the list and I cant see how to, using WMI
(if you can at all with WMI). Am I missing something? (bah all you smarties
out there, don't say a brain!)
>
Any non-built-in account or group can be deleted with Wmi
> Another question:
>
> $LDR$
> $WIN_NT$.~BT
>
> are these required for XP? If not how in the heck do I manually delete
them? I have reset attribs and deleted, but on re-start they magically
appear again? Would there/could there be a registry entry that reinstates
these that I can disable, change the value of, etc?
>
>
> Last one!:
>
> In the list of users at the welcome screen is there any registry settings
that would allow a user to be hidden ie Administrator? I would still like it
to be available but not openly obvious to my F-I-L as I know he will be in
there exploring! This logon mostly contains all the AV and AT programs I've
just paid a motza for!
>
visibility on the Welcome screen is controlled by
reg entries (this is what TweakUI manipulates) at
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\SpecialAccounts\UserLis t

> Any help at all would be wonderful!
>
>

jodip
Guest
Posts: n/a
 
RE: Users, Groups & Built-in Security Principles
Posted: 05-16-2004, 02:06 AM
Thanks to both of you!

I have purchased a few AV and AT programs and they will always be enabled and I will keep his Norton's subscription up-to-date. He will also have firewall through XP enabled as well as a new purchase of an external FW from his service provider

Somewhere through all this disinfecting and clean up................(and it is at this point that I could scream as I have no hair left to pull out after this exercise! I am just not that tech literate being self taught!

After using Registry Mechanic (I think it was at this point), the PC is now unable to perform "search" from within the start menu. Clicking the search icon the PC freezes for approximately 120 seconds and then the cursor appears again - nothing else appears to be happening. No search results page opens where you can articulate your search with the search assistant on the left hand side, nothing. It just remains at the desktop with the start menu expanded

The PC can, however, search albeit very slowly from within the "my computer" folder. The system is now performing extremely slowly (and frequent "this program is not responding" messages occur for browsing or starting programs, though if you wait a while it actually starts responding again). Task Manager doesn't show any errant processes

"Last Good" and system restore still don't allow the search function to be used

How do I

1. Get the search function to correctly work again from the start menu
2. Improve the overall performance speed of program execution

Thanks again you guys

jodip
Guest
Posts: n/a
 
RE: Users, Groups & Built-in Security Principles
Posted: 05-17-2004, 07:46 AM
Thanks to both of you! (Shenan and Roger - for previous help re RE: Users, Groups & Built-in Security Principles

I have purchased a few AV and AT programs and they will always be enabled and I will keep his Norton's subscription up-to-date. He will also have firewall through XP enabled as well as a new purchase of an external FW from his service provider

Somewhere through all this disinfecting and clean up................(and it is at this point that I could scream as I have no hair left to pull out after this exercise! I am just not that tech literate being self taught!

After using Registry Mechanic (I think it was at this point), the PC is now unable to perform "search" from within the start menu. Clicking the search icon the PC freezes for approximately 120 seconds and then the cursor appears again - nothing else appears to be happening. No search results page opens where you can articulate your search with the search assistant on the left hand side, nothing. It just remains at the desktop with the start menu expanded

The PC can, however, search albeit very slowly from within the "my computer" folder. The system is now performing extremely slowly (and frequent "this program is not responding" messages occur for browsing or starting programs, though if you wait a while it actually starts responding again). Task Manager doesn't show any errant processes

"Last Good" and system restore still don't allow the search function to be used

How do I

1. Get the search function to correctly work again from the start menu
2. Improve the overall performance speed of program execution

Thanks again you guys


 
LinkBack Thread Tools Display Modes
 


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Forum Jump


Similar Threads
Thread Thread Starter Forum Replies Last Post
LinkedIn groups for SBS users and security enthusiasts Brad Dinerman [MVP - Enterprise Security] Windows Vista Security 0 03-05-2008 01:26 PM
How to push users & groups to Windows Messenger v5 users? Daniel Barton Windows XP Messenger 2 01-06-2004 03:39 PM
Editing membership in XP pro built-in user groups Roger Windows XP Security & Administration 3 12-31-2003 07:17 AM
Users / Groups / Account Groups verossa Customize Windows XP 0 12-29-2003 11:26 AM
Trying to add users of groups in porperties->security Ron Lowe Windows XP Network & Web 1 08-05-2003 05:55 PM