Additional security by changing Windows services

Hello everyone,
There is a nice little script for additional security that I use on every XP installation I get my hands on. :wink: So here is a brief explanation of my settings.

The site
http://www.ntsvcfg.de/ (German)
Der Elektronik-Markt | lan.de (English)
features a script for Windows 2000 and Windows XP which turns off all unnecessary services, which
a) frees RAM / CPU time
b) closes potential security holes

The script is dual language (de/en) and the information on the pages should explain it all well:

Warning:
You must change or adapt some of the settings mentioned here, especially when using LAN or it will refuse to work afterwards!
This is just an example of the settings I use!

To start the script, just double-click the .cmd file.
(underlined are menu keys)
First go to “More options”, “Generate a fingerprint”, then “Save the actual settings”.
Go back and choose your flavour. I usually use “3 All (hardening)” as I don’t use LAN.

Additionally I change some settings:
(Start → Run... → services.msc)

Services I set to disabled
Ati Hotkey Poller (I do not use hotkeys to change gfx settings)
Ati Smart (after testing for compatibility once, this service is useless)
Machine Debug Monitor (read description)
Themes (I use classic themes on XP)
Wireless Zero Configuration (I do not use WLAN)

Services I re-enable
Automatic Updates back to automatic
Background Intelligent Transfer Service back to manual
(both needed to work Win automatic updates properly)
Task Scheduler back to automatic
(Windows prefetching needs this)

Last steps for “hardening” setting
Release NetBios services (netbios-ssn, netbios-ns, netbios-dgm, port 135,137,139) from dial-up/LAN adapter (part A+B+C)

This step has to be done manually and the explanation is only in German. So here is a short version.
For every dial-up/LAN adapter you do not really need File/Printer Sharing or LAN capabilities…
1.) uncheck or deinstall
File and printer sharing for Microsoft networks and
Client for Microsoft networks.

2.) Find TCP/IP protocol, go to the advanced settings until you find the Tab WINS and check Disable NetBIOS over TCP/IP

3.) Go to Network Connections → Menu Advanced → Advanced Settings and remove every binding from Local Area Connection and Remote Access Connections.

Ready! Now just reboot and wait until your computer explodes. :wink: If everything is ok, all you need should run smoothly (and there should be fewer processes in the task manager).

Again be warned!
1.) Read the information on the site carefully!
2.) Adapt / change the settings for your system! Do not blindly use my example!
3.) Save/write down/remember what you changed. There is also a restore option in the script but I would not trust in this alone (and it only restores the last change AFAIK).
Hint) The script stores things in C:\Documents and Settings\username\ntsvcfg\, where I just put a .txt file with my additional settings to remember them.

Regards,
Marcel
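
The manual service changes listed in the post, with the "write down what you changed" advice built in, as an added example that is not part of the post or of the ntsvcfg script. It assumes the standard XP service key names for the display names given above (Themes, WZCSVC, MDM, wuauserv, BITS, Schedule), leaves out the two ATI services because their key names depend on the installed driver, and uses a hypothetical log file name inside the ntsvcfg folder mentioned in the hint.

```batch
@echo off
rem Added example: apply the post's extra service settings with sc.exe
rem and log the previous configuration of each service first.
rem Run from an account with administrator rights.
setlocal

rem Assumption: log next to the ntsvcfg data in the user profile.
rem The file name is hypothetical.
set "LOGDIR=%USERPROFILE%\ntsvcfg"
set "LOG=%LOGDIR%\my-service-changes.txt"
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

echo ==== Run started %DATE% %TIME% ==== >> "%LOG%"

rem Services the post sets to disabled (key names, not display names)
call :setstart Themes   disabled
call :setstart WZCSVC   disabled
call :setstart MDM      disabled

rem Services the post re-enables after the hardening profile
call :setstart wuauserv auto
call :setstart BITS     demand
call :setstart Schedule auto

echo Done. Previous settings are recorded in "%LOG%"
endlocal
goto :eof

:setstart
rem %1 = service key name, %2 = start type (auto, demand or disabled)
sc qc "%~1" >nul 2>&1
if errorlevel 1 (
    rem Service is not installed on this machine: record it and move on
    echo %~1: not present, skipped >> "%LOG%"
    goto :eof
)
rem Record the complete current configuration before touching it
echo --- %~1: configuration before change --- >> "%LOG%"
sc qc "%~1" >> "%LOG%"
rem sc.exe needs the space after "start="
sc config "%~1" start= %~2 >nul
if errorlevel 1 (
    echo %~1: change to %~2 FAILED >> "%LOG%"
) else (
    echo %~1: start type set to %~2 >> "%LOG%"
)
goto :eof
```

Start types only take effect for a running service after it is stopped or the machine is rebooted, and the NetBIOS and binding steps from the post still have to be done by hand in the adapter properties.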