How do you lock down XP Home?

In light of the privilege escalation hax, I started to wonder what exactly you need to do to lock down an XP Home machine. In XP Pro you can use group policies to limit what a user can do on the local machine. Unfortunately, the Home edition is missing gpedit.msc, so we can only rely on registry hacks.

In the examples below I use HCU to denote HKEY_CURRENT_USER.

The first order of business is to lock the user out of the command prompt so that he can’t issue the at command. This is controlled by the DisableCMD DWORD. To disable the command prompt:

KEY: HCU\Software\Policies\Microsoft\Windows\System\
DWORD: DisableCMD = 1 (use 2 to enable it back)

Next is the Task Manager. We don’t want the user being able to kill the explorer process:

KEY: HCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DWORD: DisableTaskMgr = 1 (use 0 to enable it back)

If you feel especially nasty (or security conscious), you can also disable access to regedit:

KEY: HCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DWORD: DisableRegistryTools = 1

This will of course make it a little difficult to change any keys for this user in the future, so this is probably not the best idea. Chances are that the would-be h4x0r will get discouraged after seeing that neither Task Manager nor CMD is working.

This method is not perfect, but it is a step in the right direction.
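To check afterwards that the three values are actually in place for a user, a saved registry export can be audited offline. The script below is an added example, not part of the original post; the function names and the sample export are constructed, and it treats 1 as the locked setting for each value, as the post gives it.

```python
import re

# Values the post sets under HKEY_CURRENT_USER (assumption: 1 means locked, as in the post).
EXPECTED = {
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD"): 1,
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
}
SECTION = re.compile(r"^\[HKEY_CURRENT_USER\\(.+?)\\?\]$", re.I)
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg_export(text):
    """Return {(key_path_lower, value_name_lower): int} for DWORD values under HKCU."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SECTION.match(line)
            key = m.group(1).lower() if m else None  # sections from other hives are skipped
            continue
        m = DWORD.match(line)
        if key and m:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return {value_name: status}; status is 'ok', 'missing' or 'wrong (=N)'."""
    found = parse_reg_export(text)
    report = {}
    for (path, name), want in EXPECTED.items():
        got = found.get((path.lower(), name.lower()))
        if got is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if got == want else "wrong (=%d)" % got
    return report

# Constructed sample export: Task Manager switched back on, regedit value never set.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A real export saved from regedit in the "Version 5.00" format is UTF-16 text, so decode it with that encoding before passing it to audit().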

reg-hax © j79zlr
