A few notes before we begin. Remember, spelling and capitalization do count. Some applications are smart enough to handle keys and values that are in the wrong case, but very few programs are smart enough to handle typos. Also, be careful when entering values by hand. There's no undo when you're using RegEdit or RegEdt32. Finally, many of the security tips require you to change permissions on a key, instead of actually changing the value of the key. Keep in mind that only RegEdt32 knows about NT permissions and will allow you to change them. Now, on to the fun part!
Restrict Performance Monitor data
If you'd like to restrict who can view your server's Performance Monitor data, you simply need to change the permissions on the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib key.
Changing the permissions, as shown in Figure A, will prevent network users from viewing the performance statistics of your servers.
Figure A: Changing permissions on the Perflib subkey changes who can view Performance Monitor data.
Disable the Save Password option
The Dial-Up Networking (DUN) program allows you to save a user name and password for each of your dial-up connections. While this is convenient, it's very insecure, especially when most dial-up networking is done using laptops, which are easily stolen.
To prevent users from saving passwords, add the REG_DWORD value DisableSavePassword to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters key and set it to 1. Once this is done, DUN will no longer display the Save Password checkbox, as shown in Figure B, and it will forget all the passwords it had been told to remember.
Figure B: Disabling the Save Password checkbox could save your network.
Clear system pagefile at shutdown
A few of the publicly available attacks on NT security rely on the fact that the NT pagefile is left intact on shutdown, and can subsequently be scanned for useful information. To clear the pagefile at shutdown, add the REG_DWORD value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown and set it to 1. This value causes NT to clear the pagefile when it shuts down.
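As an added check (example code, not from the article), here is a small Python script that parses a RegEdit export of the two keys above and reports whether DisableSavePassword and ClearPageFileAtShutdown are set to 1. The export text is a constructed sample of what such a machine might look like before the changes are made.

```python
# Constructed sample of a REGEDIT4-style export of the two keys on a machine where
# neither setting has been applied; it is not taken from the article.
SAMPLE_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RasMan\\Parameters]
"ServiceDll"="C:\\\\WINNT\\\\System32\\\\rasmans.dll"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000
"PagingFiles"="C:\\\\pagefile.sys 64 128"
"""
# The two REG_DWORD hardening values the article recommends: (key path, value name) -> data.
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters",
     "DisableSavePassword"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
     "ClearPageFileAtShutdown"): 1,
}

def parse_reg_export(text):
    """Parse the [key] and "name"=data lines of a .reg export into {(key, name): data}.
    Key and name are case-folded (the registry is case-insensitive); dword: data is
    decoded to an int, other data types are kept as the raw text after '='."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].casefold()
        elif key is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            name = name.strip('"').casefold()
            if data.startswith("dword:"):
                values[(key, name)] = int(data[len("dword:"):], 16)
            else:
                values[(key, name)] = data
    return values

def audit(text):
    """Return [(key, name, actual)] for each expected value that is absent (None) or wrong."""
    values = parse_reg_export(text)
    findings = []
    for (key, name), want in EXPECTED.items():
        actual = values.get((key.casefold(), name.casefold()))
        if actual != want:
            findings.append((key, name, actual))
    return findings

if __name__ == "__main__":
    for key, name, actual in audit(SAMPLE_EXPORT):
        print(f"{name} under {key}: expected {EXPECTED[(key, name)]}, found {actual!r}")
```

Run it against a real export (RegEdit's Export Registry File of the two keys) and an empty list means both settings are in place.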
Prevent users from changing video resolution
One of the most useful features of NT is the ability to change video resolution and color depth on the fly. Unfortunately, some users will try to push their systems beyond the configuration's capabilities. You can prevent users from changing the video settings by changing the permissions on the settings key for the video card. The exact location of this key will vary, depending on the specific type of video card, but our key was located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\mga_mil\Device0. You should be able to find your card type in place of mga_mil, and you may have more than one device listed. Change the permissions for each device you wish to restrict.
Prevent users from changing "My Computer"
It can be very annoying to start your computer and realize that someone has changed the name of the "My Computer" icon to "Funky Town" or something worse. You can prevent this by changing the permissions on the HKEY_LOCAL_MACHINE\Software\Classes\CLSID\20D04FE0-3AEA-1069-08002B30309D key from Everyone:Full Control to Authenticated Users:Read.
Speed up the taskbar
With the introduction of Windows 95 and NT 4.0, the user interface has been enhanced with the taskbar. If you have a small screen, you can configure the taskbar to disappear when you're not on it and re-appear when you slide your mouse to the bottom of the screen. Depending on the speed of your computer, it may take too long for the taskbar to appear. You can speed up this appearance, as well as the appearance of other taskbar menus, by adding a REG_SZ value named HKEY_CURRENT_USER\Control Panel\Desktop\MenuShowDelay. This value expresses the number of milliseconds the operating system will pause before displaying the taskbar. In other words, if you want the taskbar to wait 1 second before appearing, you would set the value to 1000.
Enable filename completion
If you've ever used a UNIX shell, you'll fondly remember the wonders of tab filename completion. By typing the first few characters of a filename and pressing [Tab], the entire name would appear on the command line. Well, you can have that same feature at your Command Prompt by adding a REG_DWORD value named HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar and setting its value to the hex value of the character you wish to use for command completion. The tab character is 0x09.
Enable X Windows style mouse
If you've ever worked on a UNIX workstation using X Windows, you probably remember being able to bring a window to the front just by placing your mouse pointer on it. You can enable a similar feature in NT by setting the value of HKEY_CURRENT_USER\Control Panel\Mouse\ActiveWindowTracking to 1. Changing this value will set the focus to whatever window the mouse is pointing to, although it won't bring it up to the top of the stack. You'll need to log off and back on before this change will take effect.
Enable snap to default button
Another useful feature borrowed from the X Windows interface is the ability to have your mouse pointer jump to the default button of any dialog box or alert that appears. As each dialog appears, you don't have to drag your mouse to the OK button or the Next button, as it will jump there all by itself. To enable this feature, set the value of HKEY_CURRENT_USER\Control Panel\Mouse\SnapToDefaultButton to 1. Although it may take a while to get used to this feature, it can be extremely helpful on a high-resolution monitor, or when using a control device that makes it hard to move the pointer quickly.
Turn off CD-ROM AutoRun
One feature that many power users and administrators find annoying is CD-ROM AutoRun. Each time you put a new CD into the drive, AutoRun kicks in and starts the CD's install program. While this may be helpful to users who don't know how to use NT Explorer, it's of little value to most technical users. To turn this feature off, simply add a REG_DWORD value named HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\AutoRun and set its value to 0. The next time you slip a CD into your drive, you won't have to sit and wait as it tries to help you install it.
Create a network Favorites folder
Each user has a Favorites folder used by Internet Explorer and Microsoft Office to store shortcuts and documents most often used. You might find it helpful to create a networked Favorites folder so all users can see and use these favorite files.
In order to create a network Favorites directory, you must first create the directory and share it from one of your file servers. Be sure to set the appropriate share and NTFS permissions. Next, on each machine you want to use the network Favorites folder, change the value of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Favorites from its existing path to the Universal Naming Convention (UNC) path of the new folder. For example, the new Favorites directory could point to a shared Favorites directory on the server Jupiter, which has a UNC path of \\Jupiter\Favorites. You may also want to make this change to the HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Favorites value so each new user will also share the network Favorites folder.
Change the print spool directory
By default, NT uses the system disk for all print spooling directories. If you're running out of space, or fire off a large number of print jobs, this can soon become a performance bottleneck. You can change the spool directory by adding a new REG_SZ value named HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\[PrinterName]\SpoolDirectory and setting it to a local path. You should replace [PrinterName] with the name you gave the printer when you created it.
Note: You can't use a UNC path for the printer spool. You must use a fully qualified local path that exists before you make the changes.
You must stop and restart the Spooler service after making these changes to the Registry.
Force NT to reboot after a crash
If you spend any time administering Windows NT, you're far too familiar with the Blue Screen of Death (BSOD), which displays the cause of the crash and gives some information about the state of the system when it crashed. The BSOD will sit on the screen until someone reboots the system, which could be very bad for a system that should be running 24 hours a day, like an Exchange server. You can force NT to automatically reboot after a crash by setting the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CrashControl\AutoReboot to 1. Once you've changed this value, NT will reboot after writing the crash log file.
Send alerts during a crash
In addition to the crash log file, you can also enable two other methods of crash notification and logging. You can enable an administrative alert by changing the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CrashControl\SendAlert to 1. The next time the system crashes, an administrative alert will be sent that may provide the first sign of the crash.
You can also make NT log the crash in the event log by changing the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CrashControl\LogEvent to 1 instead of its default 0. Now, the exact time of the crash will be permanently recorded.
Turn off power after shutdown
If you've installed NT on a laptop, this customization may come in very handy! Most laptops allow the operating system to turn off the hardware after shutdown, instead of displaying the message telling you it's now safe to turn off your system. You can take advantage of this capability by enabling the Power Down After Shutdown feature.
To enable this feature, simply add a REG_SZ value named HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PowerdownAfterShutDown and set it to 1. Next, tell NT to shut down and see if the machine turns itself off after shutting down. If it doesn't, change the value back to 0 to restore normal operation.
Kill hung processes when logging off
When you tell NT to shut down, it first sends shutdown requests to any running
processes. Most 32-bit applications honor these requests and shut down, but
older 16-bit apps running in the Virtual DOS Machine often won't. When this
occurs, the operating system prompts you with a dialog box asking if you want
to kill the task, wait for the task to die on its own, or cancel the shutdown.
By modifying the Registry, you can automate this process.
You can force NT to kill all running processes on shutdown by adding a REG_SZ value named HKEY_USERS\<SID>\Control Panel\Desktop\AutoEndTasks and setting its value to 1. You can also add this value under HKEY_USERS\.DEFAULT so that all new accounts will shut down the same way.
Set a time limit for killing hung processes
In addition to forcing NT to kill hung processes, you can also set the amount of time NT will wait before shutting them down. The REG_SZ value named HKEY_USERS\<SID>\Control Panel\Desktop\WaitToKillAppTimeout contains the number of milliseconds to wait before deciding an application isn't going to honor a shutdown request. By default, this value is set to 20 seconds. You can change this value to something more reasonable, like 10 seconds, if you find it's taking too long to shut down. After the 10 seconds have expired, the operating system will prompt you with a dialog box, or kill the process if AutoEndTasks is defined.
Speed up shutdown
As NT shuts down, it allows each service up to 20 seconds to shut down and clean up after itself. Depending on the number of services you have running on your machine, this may take a long time. You can shorten the time allotted to each service by changing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout value. This value expresses the time to wait, again in milliseconds, before killing a service.
It's vital to many services that they be given enough time to clean up and save
any cached data before they're killed. You should only change this value on a
machine that isn't acting as a server for data critical applications, such as
SQL, Exchange, and DNS.
Copyright © 1999, ZD
Inc. All rights reserved. ZD Journals and the ZD Journals logo are trademarks of ZD
Inc. Reproduction in whole or in part in any form or medium without
express written permission of ZD Inc. is prohibited. All other product
names and logos are trademarks or registered trademarks of their
respective owners.