UK7 (RIPPER) - 57 messages, reaction score 21, 8 points
Much has been written about tuning Windows and about working safely on the network, but the basics must not be forgotten.
The system is installed, the antivirus is installed, the updates are applied.
Disabling Unnecessary and Potentially Dangerous Services
Posted on governmentsecurity.org
Following the specialists' recommendations, we quickly check the most essential settings:
Start ->Settings->Control Panel->Administrative Tools->Services (Local)
Windows XP comes with Terminal Services, IIS and RAS, which can open holes into your operating system. It is often convenient to enable
Terminal Services to allow remote control functions for the help desk or for administering servers, but you have to make sure it is configured correctly.
There are also several malicious programs that can run quietly as services without anyone knowing. Be aware of all the services that run on your servers and audit them periodically.
Below is a list of the common services found on Windows XP, though don't be surprised if the vast majority are not present on your system.
This is an almost complete list from Microsoft. Please read this and keep the running services to only those that you need. A useful tip is that instead
of disabling something you are unsure of, set it to manual. When you restart your machine if that service has started then it is probably required by
one of your components or software products. If it is still OFF then consider disabling it for greater protection.
Here is a list of the services that you may see in the Windows XP services control panel, along with our recommendation for use in a
home environment. Please note that we do specify a HOME environment: these settings may not be appropriate for work-based workstations,
though in all likelihood the majority of the recommendations apply there too.
Alerter - notifies selected users and computers of administrative alerts. If this service is turned off, applications that use the NetAlertRaise or
NetAlertRaiseEx APIs will be unable to notify a user or computer (by a Message Box from the Messenger service) that the administrative alert took
place.
Recommendation: Disabled.
Application Layer Gateway Service - Provides support for 3rd party plug-ins for Internet Connection Sharing/Internet Connection Firewall. Required if
using Internet Connection Sharing/Internet Connection Firewall to connect to the internet.
Recommendation: Automatic if using ICS, Disabled if not.
Application Management - Used for the Assign, Publish and Remove software services. If you cannot modify the software installation of certain
applications, set this service to Automatic or Manual.
Recommendation: Disabled
Automatic Updates - Checks whether critical or other updates are available for download. It is very important that, if you decide
to disable this service, you check the Windows Update site often to ensure the latest patches are installed. Manual (and automatic) update via the
Windows Update web site requires Cryptographic Services to be running.
Recommendation: Automatic if you do not wish to use Windows Update manually.
Background Intelligent Transfer Service - Used to transfer asynchronous data via http1.1 servers. According to Microsoft's site, Windows
Update uses this "feature." It "continues" a download if you log off or shutdown the system (that is, when you log back in.) Manual update
via Windows Update web site Requires Cryptographic Services to be running.
Recommendation: Disabled
ClipBook - enables the Clipbook Viewer to create and share "pages" of data to be viewed by remote computers.
Recommendation: Disabled
COM+ Event System - provides automatic distribution of events to subscribing (Component Object Model) COM components.
Recommendation: Disabled
COM+ System Application - as above
Recommendation: Disabled
Computer Browser - maintains an up-to-date list of computers on your network, and supplies the list to programs that request it.
The Computer Browser service is used by Windows-based computers that need to view network domains and resources.
Not required unless you attach to a network of Windows computers.
Recommendation: Disabled
Cryptographic Services - Confirms signatures of Windows files. You may always get a dialog box complaining about uncertified drivers if this is disabled. Required for Windows Update to function in manual and automatic mode. Windows Media Player may also require this service to function.
Recommendation: Automatic
DHCP Client - The Dynamic Host Configuration Protocol client manages network configuration by registering and updating IP addresses and
Domain Name Server (DNS) names. If you only dial up to your ISP via modem, cable, etc. it is probably not needed; if you have a network card in your PC and go out via a router or sharing device then it may be required. Set to Manual if unsure, then check on reboot whether it has started.
If not then disable.
Recommendation: Automatic if required. Disabled if not.
Distributed Link Tracking Client - maintains links between the NTFS file system files within a computer or across computers in a network domain.
Recommendation: Disabled
Distributed Transaction Coordinator - coordinates transactions that are distributed across multiple computer systems and/or resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers.
Recommendation: Disabled
DNS Client - resolves and caches (Domain Name Server) DNS names. The DNS client service must be running on every computer that will perform DNS name resolution.
Recommendation: Disabled
Error Reporting Service - Calls home to Microsoft when errors occur. Spyware?
Recommendation: Disabled
Event Log -logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems.
Recommendation: Automatic
Fax Service - enables you to send and receive faxes. Disabling this service will render the computer unable to send or receive faxes. Not used by most people.
Recommendation: Leave not installed or Disabled
FTP Publishing Service - Not available on Windows XP Home. Not installed by default on Windows XP Pro, provides
(file transfer protocol) FTP connectivity and administration through the Internet Information Service (IIS) snap-in.
Big security risk!
Recommendation: Leave not installed or Disabled
Help and Support - Required for Microsoft’s online help documents.
Recommendation: Disabled.
Human Interface Device Access - If all your devices function then disable it. Seems new with no devices for it as yet.
Recommendation: Disabled.
IIS Admin - Not available on Windows XP Home. Not installed by default on Windows XP Pro; allows administration of Internet Information Services (IIS). If this service is not running, you will not be able to run Web, FTP, NNTP, or SMTP sites, or configure IIS. See also World Wide Web Publishing Service. Not usually required unless you are running a local web server. If you are, then make sure that if no external access is required you firewall port 80 to local traffic only! Do not even consider running a public web server unless you are 100% sure of the implications - use an ISP server.
Recommendations: Leave not installed or Disabled unless you understand the implications.
IMAPI CD-Burning COM Service - Used for the "drag and drop" CD burn capability. You will need this service to burn CDs. If you still cannot burn a CD with it on Manual, switch to Automatic and feel safe that it will only be used when "needed."
Recommendation: Disabled if you do not burn CDs, otherwise set to Manual or Automatic.
Indexing Service - indexes contents and properties of files on local and remote computers and provides rapid access to
files through a flexible querying language.
Recommendation: Disabled
Internet Connection Firewall and Internet Connection Sharing - provides network address translation (NAT), addressing and name resolution services for all computers on your home or small-office network through a dial-up or broadband connection. Not required unless you are sharing a dial-up connection with other PC's on your network - not recommended! Far better to use a router or gateway firewall software for this purpose. Consider using a higher specification firewall like Kerio Winroute if sharing your connection.
Recommendation: Automatic if sharing connection, Disabled if not required.
IPSEC Services - manages IP security (IPsec) policy, starts the Internet Key Exchange (IKE) and coordinates IPsec policy settings with the IP security driver. Only leave on if you are using IPSec. Opens Port 500.
Recommendation: Disabled
Logical Disk Manager - watches Plug and Play events for new drives to be detected and passes volume and/or
disk information to the Logical Disk Manager Administrative Service to be configured. If disabled, the Disk Management snap-in display will not change when disks are added or removed. Turn it on only if you add additional disks and then disable again.
Recommendation: Disabled
Logical Disk Manager Administrative Service - as above
Recommendation: Disabled
Message Queuing - A messaging infrastructure and development tool for creating distributed messaging applications for Windows.
Not available on Windows XP Home. Not installed by default on Windows XP Pro. Most home users will never need this service.
Recommendation: Leave not installed or Disabled
Message Queuing Triggers - Not available on Windows XP Home. Not installed by default on Windows XP Pro. Required only if you use Message Queuing service.
Recommendation: Leave not installed or Disabled
Messenger - sends and receives messages to or from users and computers, or those transmitted by administrators or by
the Alerter service. Nothing to do with MSN Messenger
Recommendation: Disabled
MS Software Shadow Copy Provider - Used in conjunction with the Volume Shadow Copy Service. Microsoft Backup uses these services so you will need it if you use that. You will receive Event Log entry complaining about not having this service running if disabled.
Recommendation: Disabled
NetMeeting Remote Desktop Sharing - allows authorized users to remotely access your Windows desktop from another PC over a corporate intranet by using Microsoft NetMeeting®. Very dangerous - allows remote access to your PC. Only use if absolutely essential and if running effective firewall.
Recommendation: Disabled
Network Connections -manages objects in the Network and Dial-Up Connections folder, in which you can view both network and remote connections.
Recommendation: Automatic.
Network DDE -Useless service unless you use remote Clip Book.
Recommendation: Disabled
Network DDE DSDM - as above
Recommendation: Disabled
Network Location Awareness (NLA) - Required for use with the Internet Connection Sharing Service (server only.)
Recommendation: Disabled unless running ICS/ICF, not required for using an ICS sharer.
NT LM Security Support Provider - enables users to log on to the network using the NTLM authentication protocol. If this service is stopped, users will be unable to log on to the domain and access services. NTLM is used mostly by Windows versions prior to Windows 2000.
Recommendation: Disabled
Performance Logs and Alerts - configures performance logs and alerts.
Recommendation: Disabled
Plug and Play - enables a computer to recognize and adapt to hardware changes with little or no user input.
Recommendation: Automatic
Portable Media Serial Number - Retrieves serial numbers from portable music players connected to your computer.
Recommendation: Disabled
Print Spooler - queues and manages print jobs locally and remotely. If you don't have a printer attached then disable.
Recommendation: Automatic if needed, Disabled otherwise.
Protected Storage - provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services processes or users.
Recommendation: Disabled
QoS RSVP - provides network signaling and local, traffic-control, set-up functionality for (Quality of Service) QoS-aware programs and control applets.
Recommendation: Disabled
Remote Access Auto Connection Manager - creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Disabling the service has no effect on the rest of the operating system. You will have to set up connections to remote computers manually. Whilst this process is convenient, unauthorized applications (such as Trojans) could bring up your network connection without your explicit request. Far better to manually dial.
Recommendation: Disabled.
Remote Access Connection Manager - creates a network connection.
Recommendation: Automatic if using Dial-Up Networking, Disabled otherwise.
Remote Desktop Help Session Manager - Manages and controls Remote Assistance. Could create a MAJOR security
hole so disable it unless absolutely necessary.
Recommendation: Disabled
Remote Procedure Call (RPC) - provides the endpoint mapper and other miscellaneous RPC services. Absolutely essential.
Recommendation: Automatic.
Remote Procedure Call (RPC) Locator - Manages the RPC name service database. Useless service
Recommendation: Disabled
Remote Registry Service - Not available on Windows XP Home. Allows remote registry manipulation: this service lets users connect to a remote registry and read and/or write keys to it, provided they have the required permissions. An attacker could use this to attack other PCs.
Recommendation: Disabled
Removable Storage - manages removable media drives and libraries. This service maintains a catalogue of identifying information for removable media used by a system, including tapes, CDs, and so on.
Recommendation: Disabled
RIP Listener - Not installed by default.
Recommendation: Leave not installed or Disabled
Routing and Remote Access - offers routing services in local area and wide area network environments. Shouldn't be required on a home PC.
Recommendation: Leave not installed or Disabled
Secondary Logon - allows you to run specific tools and programs with different permissions than your current logon provides.
Recommendation: Disabled
Security Accounts Manager - start-up of this service signals other services that the Security Accounts Manager subsystem is ready to accept requests.
Recommendation: Disabled unless needed.
Server - provides RPC support and file print and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. You should carefully consider the full implications of enabling this!
Recommendation: Disabled unless absolutely needed. Better still REMOVED.
Shell Hardware Detection - Used for the auto play of devices like memory cards, some CD drives, etc. Set to Automatic if you are experiencing problems with laptop docking stations.
Recommendation: Disabled unless required.
Simple Mail Transport Protocol (SMTP) - Not available on Windows XP Home. Not installed by default on Windows XP Pro. Transports e-mail across the network. If you are using the built-in mail server for receiving mail then leave on automatic. If not, as would be usual in a home environment, then disable.
Recommendation: Leave not installed or Disabled
Simple TCP/IP Services - Not installed by default, implements support for a number of IP protocols.
Recommendation : Leave not installed or Disabled
Smart Card - manages and controls access to a smart card inserted into a smart card reader attached to the computer. If not using a smart card reader then disable.
Recommendation: Disabled
Smart Card Helper - provides support for earlier smart card readers attached to the computer. As above.
Recommendation: Disabled
SNMP Service - allows incoming (Simple Network Management Protocol) SNMP requests to be serviced by the local computer.
Recommendation: Leave not installed or Disabled
SNMP Trap Service - receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on the computer.
Recommendation: Leave not installed or Disabled
SSDP Discovery Service - Used to locate UPnP devices on your home network. Used in conjunction with Universal Plug and Play Device Host, it detects and configures UPnP devices on your home network. For security reasons disable this service. Please read the section in the guide on UPnP. Please note that even the FBI recommends disabling and preferably deinstalling this!
Recommendation: Disabled for security reasons, better still removed totally as per the Steve Gibson instructions in the UPnP section.
System Event Notification - tracks system events such as Windows logon, network and power events. Notifies COM+ Event System subscribers of these events. SENS is an auto-started service that depends on the COM+ Event System service.
Recommendation: Disabled
System Restore Service - Creates system snapshots or restore points for returning to at a later time. Big resource overhead! Forget about it!
Recommendation: Disabled
Task Scheduler - enables a program to run at a designated time. Can be very dangerous. If you must run scheduled tasks then consider disabling all users other than administrator from running tasks. Can create major security problems and allow a hacker to compromise your system by scheduling Trojans to run.
Recommendation: Disabled unless absolutely required
TCP/IP NetBIOS Helper Service - enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Only required if you need to share files with others.
Recommendation: Disabled
TCP/IP Printer Server - Not installed by default, but if needed, you may install it later off of the WinXP CD. Used for setting up a local UNIX print server. If you do not need this function, leave it uninstalled.
Recommendation: Leave not installed or Disabled
Telephony - provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and through the LAN on servers that are also running the service. If you never use a dial-up modem on a PC but connect via a router then disable.
Recommendation: Automatic (if using Dial-Up Networking/Faxing/ or PC Phone Services) Disabled otherwise
Telnet - Not available on Windows XP Home, and for good reason! Allows a remote user to log on to the system and run console programs by using the command line. Very dangerous.
Recommendation: Disabled, preferably deinstall
Terminal Services - provides a multi session environment that allows client devices to access a virtual Windows 2000 Professional desktop session and Windows-based programs running on the server. Big security risk!
Recommendation: Disabled, preferably deinstall
Themes - Used to display all those new XP themes and colors on your desktop. Lots of space needed.
Recommendation: Disabled
Uninterruptible Power Supply - manages communications with a UPS connected to the computer by a serial port.
Recommendation: Disabled
Universal Plug and Play Device Host - Used in conjunction with SSDP Discovery Service, it detects and configures UPnP devices on your home network. For security reasons disable this service immediately. Please read the section in the guide on UPnP. Please note that even the FBI recommends disabling and preferably deinstalling this!!
Recommendation: Disabled for security reasons, better still removed totally as per the Steve Gibson instructions in the UPnP section.
Upload Manager - As with BITS, this service manages file transfers between clients and servers on the network. This service is NOT required for basic File and print sharing.
Recommendation: Disabled
Volume Shadow Copy - Used in conjunction with the MS Software Shadow Copy Provider Service. Microsoft Backup uses these services.
Recommendation: Disabled
Web Client - Disable this for security reasons.
Recommendation: Disabled
Windows Audio - This service is required if you wish to hear any audio at all. If your computer does not have a sound card, Disable this service.
Recommendation: Automatic unless you do not have a sound card, then set it to Disabled.
Windows Image Acquisition (WIA) - Used for some scanners and cameras. If, after disabling this service, your scanner or camera fails to function properly, enable this service.
Recommendation: Disabled
Windows Installer - installs, repairs, or removes software according to instructions contained in .MSI files provided with the applications.
Recommendation: Manual
Windows Management Instrumentation - provides system management information.
WMI is an infrastructure for building management applications and instrumentation shipped as an integral part of the current generation of Microsoft operating systems.
Recommendation: Automatic
Windows Management Instrumentation Driver Extension - Not available on Windows XP Home. Tracks all of the drivers that have registered WMI information to publish.
Recommendation: Manual
Windows Time - sets the computer clock. W32Time maintains date and time synchronization on all computers running on a Microsoft Windows network. NTP can be dangerous. Not worth the risk.
Recommendation: Disabled
Wireless Zero Configuration - Automatic configuration for wireless network devices. If you do not have any wireless network devices in use, Disable this service.
Recommendation: Disabled
WMI Performance Adapter - ??
Recommendation: Disabled
Workstation - provides network connections and communications. If this service is turned off, no network connections can be made to remote computers using Microsoft Networks. Use if you require drive-mapping connections to other Windows PCs.
Recommendation: Disabled, Automatic if required
World Wide Web Publishing Service - Not available on Windows XP Home. Provides HTTP services for applications on the Windows platform. Required if you are running a web server, but consider firewalling such a local web server so it is not visible to the world. Use an ISP web server for greatest security. Most common entry point for hackers!
Recommendation: Leave not installed or Disabled
As you can see from the above, not very much is actually needed to keep your Windows XP installation functioning in a home environment. The services recommended as Disabled above pose an enormous security risk, bring little or no benefit, consume resources and can be safely turned off.
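The procedure the guide describes by hand (walk the Services list, compare each start type with the recommendation, set doubtful ones to Manual and see what is running after a reboot) as an added PowerShell example. This is not part of the governmentsecurity.org guide or the original post. The recommendation table is a subset of the list above chosen for illustration, keyed by the XP short service names (Messenger, SSDPSRV, upnphost, TermService and so on), and it assumes a home workstation with no local web server, no file sharing and no Remote Assistance. It uses only WMI, so it runs on the PowerShell 2.0 that can be installed on XP; an elevated prompt is needed for -Apply.

```powershell
# Added example, not from the governmentsecurity.org guide: audit the local
# services against a recommendation table and report every deviation.  Run
# from an elevated prompt; -Apply writes the changes.  Uses WMI only, so it
# works on the PowerShell 2.0 that can be installed on Windows XP.
param([switch]$Apply)

# Short service name -> recommended StartMode as Win32_Service reports it
# ("Auto", "Manual" or "Disabled").  A subset of the list above, picked for
# illustration and assuming a home workstation with no web server, no file
# sharing and no Remote Assistance.  Names not present on the box are skipped.
$Recommended = @{
    'Alerter'        = 'Disabled'   # Alerter
    'Messenger'      = 'Disabled'   # Messenger (net send pop-ups, not MSN)
    'RemoteRegistry' = 'Disabled'   # Remote Registry Service
    'SSDPSRV'        = 'Disabled'   # SSDP Discovery Service
    'upnphost'       = 'Disabled'   # Universal Plug and Play Device Host
    'TlntSvr'        = 'Disabled'   # Telnet
    'TermService'    = 'Disabled'   # Terminal Services
    'RDSessMgr'      = 'Disabled'   # Remote Desktop Help Session Manager
    'Schedule'       = 'Disabled'   # Task Scheduler
    'lanmanserver'   = 'Disabled'   # Server (file and print sharing)
    'WebClient'      = 'Disabled'   # Web Client
    'CryptSvc'       = 'Auto'       # Cryptographic Services (Windows Update needs it)
    'Eventlog'       = 'Auto'       # Event Log
    'wuauserv'       = 'Auto'       # Automatic Updates
    'MSIServer'      = 'Manual'     # Windows Installer
}

# Services whose current start mode differs from the table.
function Get-ServiceAudit {
    foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
        if (-not $Recommended.ContainsKey($svc.Name)) { continue }
        $want = $Recommended[$svc.Name]
        if ($svc.StartMode -ne $want) {
            New-Object PSObject -Property @{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                StartMode   = $svc.StartMode
                State       = $svc.State
                Recommended = $want
            }
        }
    }
}

# The guide's tip, automated: a Manual service that is Running after a reboot
# was started on demand by something you use, so leave it alone rather than
# disabling it.
function Get-ManualButRunning {
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Manual' -and $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, ProcessId
}

# Apply the table.  Set-Service spells the modes Automatic/Manual/Disabled;
# a service being disabled is also stopped, with its dependents (-Force).
function Set-RecommendedStartMode {
    $modeName = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }
    foreach ($item in (Get-ServiceAudit)) {
        $mode = $modeName[$item.Recommended]
        Set-Service -Name $item.Name -StartupType $mode
        if ($mode -eq 'Disabled' -and $item.State -eq 'Running') {
            Stop-Service -Name $item.Name -Force -ErrorAction SilentlyContinue
        }
        Write-Output ('{0}: {1} -> {2}' -f $item.Name, $item.StartMode, $mode)
    }
}

Get-ServiceAudit      | Format-Table Name, DisplayName, StartMode, State, Recommended -AutoSize
Get-ManualButRunning  | Format-Table -AutoSize
if ($Apply) { Set-RecommendedStartMode }
```

Run it once without -Apply and read both tables: the first is what the guide would change, the second is the "set to Manual and see what started" check, which is worth doing after a reboot before anything in the second table gets moved to Disabled. Disabling a service also breaks whatever depends on it (the Alerter needs the Workstation service, for instance), which is why the apply step stops dependents explicitly rather than leaving them half-alive.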
It is also best to permanently disable the hidden administrative shares. This might help:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer for servers
Name: AutoShareWks for workstations
Type: REG_DWORD
Value: 0
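The registry value above from PowerShell, as an added example that is not part of the original post, together with the check the registry snippet leaves out: the value only stops the shares being recreated when the Server service starts, so shares that already exist have to be removed by hand, and IPC$ is not governed by this value at all. Assumes an elevated prompt and the Win32_Share WMI class that XP ships with.

```powershell
# Added example, not from the original post: set AutoShareWks/AutoShareServer
# to 0, remove the admin shares that already exist, and verify.  Run elevated.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Win32_Share.Type 2147483648 (0x80000000) marks "Disk Drive Admin" shares such
# as C$, D$ and ADMIN$.  IPC$ (0x80000003) is deliberately left alone: the
# Server service needs it and AutoShareWks does not control it.
function Get-AdminShares {
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 2147483648 } |
        Select-Object Name, Path
}

function Disable-AdminShares {
    # AutoShareWks applies to workstation editions (2000/XP Pro), AutoShareServer
    # to server editions; writing both is harmless and covers either case.
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        Set-ItemProperty -Path $LanmanParams -Name $name -Value 0 -Type DWord
    }
    # The registry value only stops the shares being recreated when the Server
    # service starts; shares that exist now must be removed explicitly.
    foreach ($share in Get-AdminShares) {
        & net share $share.Name /delete | Out-Null
    }
}

Disable-AdminShares
$left = @(Get-AdminShares)
if ($left.Count -eq 0) {
    Write-Output 'No automatic disk admin shares present.'
} else {
    Write-Output 'Still shared:'
    $left | Format-Table -AutoSize
}
Get-ItemProperty -Path $LanmanParams | Select-Object AutoShareWks, AutoShareServer
```

If you followed the guide and disabled the Server service, nothing is shared in the first place and the script simply reports no shares; it matters on machines that keep the Server service running for file or printer sharing. A quick `net share` from a command prompt after a reboot confirms that C$ and ADMIN$ did not come back.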
Then we install Outpost. I skip all the firewall settings, but the most important point in the settings goes unnoticed for a long time even by many experienced users:
First go to hччp://www.dnsstuff.com/tools/aboutyou.ch
Even after setting up a VPN and using proxies, the DNS leaks!
VPN setup
To set up a VPN connection you need to know the IP address of the server hosting the VPN service, as well as the login and password for the connection.
So, to set up test/permanent access you need to:
Open the Control Panel, choose "Network Connections" and launch the New Connection Wizard.
Click "Next", choose the type "Connect to the network at my workplace", then tick "Virtual Private Network connection". In the next window you must give the connection a name. Write whatever you like (for example, you can call the connection "Vpn service"). Next you will be asked to choose the method of connecting to the Internet; indicate that you do not want to dial a number first. In the next window enter the IP address of the server hosting the VPN service. We will provide this address to you by prior arrangement. After setup the wizard will offer to add a shortcut to the connection on the desktop. Whether to do so is up to you.
In the window that appears click "Properties", then go to the "Networking" tab and choose "Internet Protocol (TCP/IP)" from the list of protocols. Then click "Advanced". On the "General" tab the option "Use default gateway on remote network" will be ticked. If you have not yet bought full VPN access, untick it. If you are our client, enable the option. This parameter routes all data through the VPN, which guarantees your absolute security on the network.
Do not close the connection properties. Go to the "Security" tab and make sure that "Require data encryption (disconnect if none)" is selected. Only in this case do we guarantee that all data sent through the VPN is encrypted.
Now return to the first connection window, enter the test/purchased login and password and click "Connect". If everything is configured correctly you will connect to the server and a new connection will appear in your tray. If you are configuring a purchased account, this is the last configuration step.
If test access is being configured, then after connecting you need to open a command shell (Start -> Run -> cmd.exe) and enter the command route add 195.2.91.125 192.168.2.50 (exactly like this and no other way!). Then make sure that no proxy server is set in your browser's properties and go to the page http://www.leader.ru/secure/who.html. If the setup is correct, the page will show the IP of the remote server rather than your address before connecting to the VPN.
In Agnitum (Outpost) do this:
Options -> Plug-Ins Setup -> DNS Cache -> Properties -> Block extra long DNS requests
Check yourself again at hччp://www.dnsstuff.com/tools/aboutyou.ch
It should help. If not, the cause may lie elsewhere.
A remedy for DNS leaks: _http://www.opendns.com/start/
Setting up
Two computers and a VPN: setting up the local network.
Suppose computer No. 1 runs Windows 2000 and computer No. 2 runs Windows XP Pro SP2.
Computer No. 1 goes out to the Internet via dial-up, and computer No. 2 via the LAN connection.
First let us check the local network settings of computer No. 1:
1. Start - Settings - Network and Dial-up Connections - click Local Area Connection Properties.
2. Internet Protocol (TCP/IP) -> Properties -> Use the following IP address:
IP address (enter the local address 192.168.100.1)
Subnet mask - 255.255.255.0
- Use the following DNS server addresses:
Preferred DNS server: empty
Alternate DNS server: empty
Click Advanced - IP Settings - IP address 192.168.100.1 - Subnet mask 255.255.255.0
Below, Default Gateways - Gateway …… Metric
Interface Metric: 1
Click DNS: everything empty except Append primary and connection specific DNS suffixes
Click WINS: Enable LMHOSTS lookup (ticked) + Enable NetBIOS over TCP/IP selected
Everything else - empty
Click Options - TCP/IP filtering untouched - IP security - Properties - Do not use IPSEC
Now let us check the local network settings of computer No. 2:
1. Start - Settings - Network and Dial-up Connections - click Local Area Connection
Properties.
2. Internet Protocol (TCP/IP) -> Properties -> Use the following IP address:
IP address (enter the local address 192.168.100.2)
Subnet mask - 255.255.255.0
Default gateway: 192.168.100.1
- Use the following DNS server addresses:
Preferred DNS server: empty
Alternate DNS server: empty
Click Advanced - IP Settings - IP address 192.168.100.2 - Subnet mask 255.255.255.0
Below, Default Gateways - 192.168.100.1, Interface Metric: Automatic
Below, Automatic Metric: 1
Click DNS: everything empty except Append primary and connection specific DNS suffixes
Click WINS: Enable LMHOSTS lookup (ticked) + Disable NetBIOS over TCP/IP selected
Everything else - empty
Click Options - TCP/IP filtering - Properties - Enable TCP/IP Filtering (All adapters)
-> Permit All (for all)
Windows Firewall - off
To be sure the local network is set up correctly, ping computer No. 1 from computer No. 2.
To do that, open Far or the Command Prompt -> ping 192.168.100.1
Everything works? OK.
Checking VPN operation from computer No. 1.
1. Connect computer No. 1 to the VPN (VPN settings are skipped)
2. Far or Command Prompt -> C:\>ipconfig /all -> Enter
PPP adapter ISP (Internet Service Provider):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-XX-XX-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : XXX.XXX.XXX.XXX (real IP address)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : XXX.XXX.XXX.XXX
DNS Servers . . . . . . . . . . . : YYY.YY.YY.YY
ZZ.ZZ.ZZ.ZZ
NetBIOS over Tcpip. . . . . . . . : Disabled
PPP adapter ☺:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-XX-XX-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : AA.AAA.A.AAA (shows the VPN's local address)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : AA.AAA.A.AAA
DNS Servers . . . . . . . . . . . : 00.000.00.97 (DNS VPN Server)
00.000.00.97
NetBIOS over Tcpip. . . . . . . . : Disabled
3. In Far or the Command Prompt enter the command route delete 0.0.0.0 mask 0.0.0.0 XXX.XXX.XXX.XXX (Enter). This
kills the Default Gateway. Then check:
ipconfig (Enter), and see that where the Default Gateway used to be listed it is now empty.
This way we can work from computer No. 1 through VPN + SocksCap + SocksChain. If
the VPN connection drops, the Internet connection will be lost.
Checking VPN operation from computer No. 2.
1. Connect computer No. 1 to the Internet
2. Connect computer No. 2 to the VPN using the LAN
3. Enter the command ipconfig /all and see that our real IP address is not visible anywhere.
Consequently, even with ActiveX and Java enabled in our browser, the IP address of computer No. 2 that will be visible is:
192.168.100.2
Having told your computer its IP address, work calmly with WebMoney and other systems.
Bear in mind that some providers will not let you use a VPN without a written contract.
In any case, with correct VPN settings you should use SocksCap + SocksChain or other similar
programs.
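The two manual checks above, the DNS leak test on dnsstuff.com and the route delete that leaves the VPN as the only way out, as one added PowerShell example that is not part of the original post. It lists every default route and every adapter's DNS servers, flags any adapter other than the VPN one that still carries DNS servers (those are the servers the resolver can fall back to, which is what the dnsstuff.com page reveals), and with -KillSwitch removes every default route that does not point at the VPN. $VpnGateway is an assumption you supply: the "Default Gateway" that ipconfig /all shows for the VPN's PPP adapter (AA.AAA.A.AAA in the listing above). It uses only the WMI classes present on XP and needs an elevated prompt for the route change.

```powershell
# Added example, not part of the original post.  Assumes the VPN is a Windows
# dial-up/PPTP entry whose PPP adapter reports $VpnGateway as its default
# gateway, as in the ipconfig /all listing above.  Run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)][string]$VpnGateway,
    [switch]$KillSwitch
)

# Every 0.0.0.0 route currently in the table.  After the VPN comes up with
# "Use default gateway on remote network" ticked there are two: the ISP's
# and the VPN's.  The ISP's is the one that lets traffic bypass the tunnel.
function Get-DefaultRoutes {
    Get-WmiObject -Class Win32_IP4RouteTable |
        Where-Object { $_.Destination -eq '0.0.0.0' } |
        Select-Object NextHop, Metric1, InterfaceIndex
}

# One row per IP-enabled adapter.  Leak is $true for a non-VPN adapter that
# still has DNS servers configured: the XP resolver falls back to other
# adapters' servers, so those queries leave in the clear over the ISP link.
function Get-DnsLeakReport {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $isVpn  = ($_.DefaultIPGateway -contains $VpnGateway)
            $hasDns = [bool]$_.DNSServerSearchOrder
            New-Object PSObject -Property @{
                Adapter = $_.Description
                IP      = ($_.IPAddress -join ', ')
                Gateway = ($_.DefaultIPGateway -join ', ')
                DNS     = ($_.DNSServerSearchOrder -join ', ')
                IsVpn   = $isVpn
                Leak    = ((-not $isVpn) -and $hasDns)
            }
        }
}

# The post's "route delete 0.0.0.0 mask 0.0.0.0 <ISP gateway>", done for every
# default route that is not the VPN's.  Host routes (the /32 to the VPN server
# itself) are untouched, so the tunnel stays up; with the ISP default route
# gone, a dropped VPN means no Internet at all instead of traffic silently
# falling back to the ISP link.
function Remove-NonVpnDefaultRoutes {
    $routes = @(Get-DefaultRoutes)
    if (-not ($routes | Where-Object { $_.NextHop -eq $VpnGateway })) {
        throw "No default route via $VpnGateway; connect the VPN first."
    }
    foreach ($r in $routes) {
        if ($r.NextHop -ne $VpnGateway) {
            & route delete 0.0.0.0 mask 0.0.0.0 $r.NextHop | Out-Null
            Write-Output "Removed default route via $($r.NextHop)"
        }
    }
}

Get-DefaultRoutes | Format-Table -AutoSize
Get-DnsLeakReport | Format-Table Adapter, IP, Gateway, DNS, IsVpn, Leak -AutoSize
if ($KillSwitch) {
    Remove-NonVpnDefaultRoutes
    Get-DefaultRoutes | Format-Table -AutoSize
}
```

Run it once after the VPN connects to read the two tables, then with -KillSwitch to drop the ISP route. Windows puts the ISP default route back each time the dial-up reconnects, so the -KillSwitch run has to be repeated after every reconnect, which is the same limitation the manual route delete has. A Leak row with DNS servers on the LAN or dial-up adapter is exactly the case where the dnsstuff.com page still shows the ISP's resolver; clearing those servers from the adapter, or pointing them at the VPN's own DNS, removes the fallback.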
FireFOX:
Directions -
Type "about:config" in your firefox address bar.
Search for the following settings:
1. network.http.pipelining
Set to true
2. network.http.pipelining.firstrequest
Set to true
3. network.http.pipelining.maxrequests
Set to 32
4. network.http.proxy.pipelining
Set to true
5. nglayout.initialpaint.delay
Set to 0
It's very likely that you won't have an entry for network.http.pipelining.firstrequest. That's OK, just add one:
Right-click on the preferences list, select 'New' then select 'Boolean'.
On the first prompt, type:
network.http.pipelining.firstrequest
On the second prompt, set it to 'true'.
It's also likely that you won't have an entry for nglayout.initialpaint.delay.
Right-click on the preferences list, select 'New' then select 'Integer'.
On the first prompt, type:
nglayout.initialpaint.delay
On the second prompt, set it to '0'.
This collection of material was put together from various sources and tried out in different countries. Some things were written personally. It is convenient to have such a collection at hand so as not to have to recall the basics every time you set up another working computer. Visited the forum, checked yourself.
Good luck and prosperity to all.
applications, put this service in to Automatic or Manual.
Recommendation: Disabled
Automatic Updates - Used to check up to see if there is any critical or otherwise updates available for download. It is very important that if you decide
to disable this service, you check the Windows Update site often to ensure the latest patches are installed. Manual (and Automatic) update via
Windows Update web site Requires Cryptographic Services to be running.
Recommends: Automatic if you do not wish to use Windows Update manually.
Background Intelligent Transfer Service - Used to transfer asynchronous data via http1.1 servers. According to Microsoft's site, Windows
Update uses this "feature." It "continues" a download if you log off or shutdown the system (that is, when you log back in.) Manual update
via Windows Update web site Requires Cryptographic Services to be running.
Recommendation: Disabled
ClipBook - enables the Clipbook Viewer to create and share "pages" of data to be viewed by remote computers.
Recommendation: Disabled
COM+ Event System - provides automatic distribution of events to subscribing (Component Object Model) COM components.
Recommendation: Disabled
COM+ System Application - as above
Recommendation: Disabled
Computer Browser - maintains an up-to-date list of computers on your network, and supplies the list to programs that request it.
The Computer Browser service is used by Windows-based computers that need to view network domains and resources.
Not required unless you attach to a network of Windows computers.
Recommendation: Disabled
Cryptographic Services - Confirms signatures of Windows files. You may always get a dialog box complaining about uncertified drivers if this is disabled. Required for Windows Update to function in manual and automatic mode. Windows Media Player may also require this service to function.
Recommendation: Automatic
DHCP Client - Dynamic Host Configuration Protocol Client manages network configuration by registering and updating IP addresses and
Domain Name Server (DNS) names. If you are only dialing up to ISP via modem, cable, etc. If you have a network card in your PC and attach out via a router or sharing device then this may be required. Set to manual if unsure then check on reboot if it has started.
If not then disable.
Recommendation : Automatic if required. Disabled if not.
Distributed Link Tracking Client - maintains links between the NTFS file system files within a computer or across computers in a network domain.
Recommendation: Disabled
Distributed Transaction Coordinator - coordinates transactions that are distributed across multiple computer systems and/or resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers.
Recommendation: Disabled
DNS Client - resolves and caches (Domain Name Server) DNS names. The DNS client service must be running on every computer that will perform DNS name resolution.
Recommendation: Disabled
Error Reporting Service - Calls home to Microsoft when errors occur. Spy ware?
Recommendation: Disabled
Event Log -logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems.
Recommends: Automatic
Fax Service - enables you to send and receive faxes. Disabling this service will render the computer unable to send or receive faxes. Not used by most people.
Recommendation: Leave not installed or Disabled
Telephony - provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and through the LAN on servers that are also running the service. If you never use a dial-up modem on a PC but connect via a router then disable.
Recommendation: Automatic (if using Dial-Up Networking/Faxing/ or PC Phone Services) Disabled otherwise
FTP Publishing Service - Not available on Windows XP Home. Not installed by default on Windows XP Pro, provides
(file transfer protocol) FTP connectivity and administration through the Internet Information Service (IIS) snap-in.
Big security risk!
Recommendation: Leave not installed or Disabled
Help and Support - Required for Microsoft’s online help documents.
Recommendation: Disabled.
Human Interface Device Access - If all your devices function then disable it. Seems new with no devices for it as yet.
Recommendation: Disabled.
IIS Admin - Not available on Windows XP Home. Not installed by default on Windows XP Pro allows administration of Internet Information Services (IIS). If this service is not running, you will not be able to run Web, FTP, NNTP, or SMTP sites, or configure IIS. See also World Wide Web Publishing Service. Not usually required unless you are running a local web server. If you are then make sure that if no external access is required that you firewall protect port 80 to only local traffic! Do not even consider running a public web server unless you are 100% sure of the implications - use an ISP server.
Recommendations: Leave not installed or Disabled unless you understand the implications.
IMAPI CD - Burning COM Service - Used for the "drag and drop" CD burn capability. You will need this service to burn CD's. If you still can not burn a CD with it on Manual, switch to Automatic and feel safe that it will only be used when "needed."
Recommendation: Disabled if you do not burn CD's otherwise set to Manual or Automatic.
Indexing Service - indexes contents and properties of files on local and remote computers and provides rapid access to
files through a flexible querying language.
Recommendation: Disabled
Internet Connection Firewall and Internet Connection Sharing - provides network address translation (NAT), addressing and name resolution services for all computers on your home or small-office network through a dial-up or broadband connection. Not required unless you are sharing a dial-up connection with other PC's on your network - not recommended! Far better to use a router or gateway firewall software for this purpose. Consider using a higher specification firewall like Kerio Winroute if sharing your connection.
Recommendation: Automatic if sharing connection, Disabled if not required.
IPSEC Services - manages IP security (IPsec) policy, starts the Internet Key Exchange (IKE) and coordinates IPsec policy settings with the IP security driver. Only leave on if you are using IPSec. Opens Port 500.
Recommendation: Disabled
Logical Disk Manager - watches Plug and Play events for new drives to be detected and passes volume and/or
disk information to the Logical Disk Manager Administrative Service to be configured. If disabled, the Disk Management snap-in display will not change when disks are added or removed. Turn it on only if you add additional disks and then disable again.
Recommendation: Disabled
Logical Disk Manager Administrative Service - as above
Recommendation: Disabled
Message Queuing - A messaging infrastructure and development tool for creating distributed messaging applications for Windows.
Not available on Windows XP Home. Not installed by default on Windows XP Pro. Most home users will never need this service.
Recommendation: Leave not installed or Disabled
Message Queuing Triggers - Not available on Windows XP Home. Not installed by default on Windows XP Pro. Required only if you use Message Queuing service.
Recommendation: Leave not installed or Disabled
Messenger - sends and receives messages to or from users and computers, or those transmitted by administrators or by
the Alerter service. Nothing to do with MSN Messenger
Recommendation: Disabled
MS Software Shadow Copy Provider - Used in conjunction with the Volume Shadow Copy Service. Microsoft Backup uses these services so you will need it if you use that. You will receive Event Log entry complaining about not having this service running if disabled.
Recommendation: Disabled
NetMeeting Remote Desktop Sharing - allows authorized users to remotely access your Windows desktop from another PC over a corporate intranet by using Microsoft NetMeeting®. Very dangerous - allows remote access to your PC. Only use if absolutely essential and if running effective firewall.
Recommendation: Disabled
Network Connections -manages objects in the Network and Dial-Up Connections folder, in which you can view both network and remote connections.
Recommendation: Automatic.
Network DDE -Useless service unless you use remote Clip Book.
Recommendation: Disabled
Network DDE DSDM - as above
Recommendation: Disabled
Network Location Awareness (NLA) - Required for use with the Internet Connection Sharing Service (server only.)
Recommendation: Disabled unless running ICS/ICF, not required for using an ICS sharer.
NT LM Security Support Provider - enables users to log on to the network using the NTLM authentication protocol. If this service is stopped, users will be unable to log on to the domain and access services. NTLM is used mostly by Windows versions prior to Windows 2000.
Recommendation: Disabled
Performance Logs and Alerts - configures performance logs and alerts.
Recommendation: Disabled
Plug and Play - enables a computer to recognize and adapt to hardware changes with little or no user input.
Recommendation: Automatic
Portable Media Serial Number - Retrieves serial numbers from portable music players connected to your computer.
Recommendation: Disabled
Print Spooler - queues and manages print jobs locally and remotely. If you don't have a printer attached then disable.
Recommendation: Automatic if needed, Disabled otherwise.
Protected Storage - provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services processes or users.
Recommendation: Disabled
QoS RSVP - provides network signaling and local, traffic-control, set-up functionality for (Quality of Service) QoS-aware programs and control applets.
Recommendation: Disabled
Remote Access Auto Connection Manager - creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Disabling the service has no effect on the rest of the operating system. You will have to set up connections to remote computers manually. Whilst this process is convenient, unauthorized applications (such as Trojans) could bring up your network connection without your explicit request. Far better to manually dial.
Recommendation: Disabled.
Remote Access Connection Manager - creates a network connection.
Recommendation: Automatic if using Dial-Up Networking, Disabled otherwise.
Remote Desktop Help Session Manager - Manages and controls Remote Assistance. Could create a MAJOR security
hole so disable it unless absolutely necessary.
Recommendation: Disabled
Remote Procedure Call (RPC) - provides the endpoint mapper and other miscellaneous RPC services. Absolutely essential.
Recommendation: Automatic.
Remote Procedure Call (RPC) Locator - Manages the RPC name service database. Useless service
Recommendation: Disabled
Remote Registry Service - Not available on Windows XP Home. allows remote registry manipulation. This service lets users connect to a remote registry and read and/or write keys to it-providing they have the required permissions. Hacker could use this to attack other PC's.
Recommendation: Disabled
Removable Storage - manages removable media drives and libraries. This service maintains a catalogue of identifying information for removable media used by a system, including tapes, CDs, and so on.
Recommendation: Disabled
RIP Listener - Not installed by default.
Recommendation: Leave not installed or Disabled
Routing and Remote Access - offers routing services in local area and wide area network environments. Shouldn't be required on a home PC.
Recommendation: Leave not installed or Disabled
Secondary Logon - allows you to run specific tools and programs with different permissions than your current logon provides.
Recommendation: Disabled
Security Accounts Manager -start-up of this service signals other services that the Security Accounts Manager subsystem is ready to accept requests.
Recommendation: Disabled unless needed.
Server - provides RPC support and file print and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. You should carefully consider the full implications of enabling this!
Recommendation: Disabled unless absolutely needed. Better still REMOVED.
Shell Hardware Detection - Used for the auto play of devices like memory cards, some CD drives, etc. Set to Automatic if you are experiencing problems with laptop docking stations.
Recommendation: Disabled unless required.
Simple Mail Transport Protocol (SMTP) - Not available on Windows XP Home. Not installed by default on Windows XP Pro. Transports e-mail across the network. If you are using the built-in mail server for receiving mail then leave on automatic. If not, as would be usual in a home environment, then disable.
Recommendation: Leave not installed or Disabled
Simple TCP/IP Services - Not installed by default, implements support for a number of IP protocols.
Recommendation : Leave not installed or Disabled
Smart Card - manages and controls access to a smart card inserted into a smart card reader attached to the computer. If not using a smart card reader then disable.
Recommendation: Disabled
Smart Card Helper - provides support for earlier smart card readers attached to the computer. As above.
Recommendation: Disabled
SNMP Service - allows incoming (Simple Network Management Protocol) SNMP requests to be serviced by the local computer.
Recommendation: Leave not installed or Disabled
SNMP Trap Service - receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on the computer.
Recommendation: Leave not installed or Disabled
SSDP Discovery Service - Used to locate UPnP devices on your home network. Used in conjunction with Universal Plug and Play Device Host, it detects and configures UPnP devices on your home network. For security reasons disable this service. Please read the section in the guide on UPnP. Please note that even the FBI recommends disabling and preferably deinstalling this!!Recommendation: Disabled for security reasons, better still removed totally as per the Steve Gibson instructions in the UPnP section.
System Event Notification - tracks system events such as Windows logon network and power events. Notifies COM+ Event System subscribers of these events. SENS is an Auto Started service that depends on COM+ Event System service. Recommendation: Disabled
System Restore Service - Creates system snap shots or restore points for returning to at a later time. Big resource overhead! Forget about it! Recommendation: Disabled
Task Scheduler - enables a program to run at a designated time. Can be very dangerous. If you must run scheduled tasks then consider disabling all users other than administrator from running tasks. Can create major security problems and allow a hacker to compromise your system by scheduling Trojans to run.Recommends: Disabled unless absolutely required
TCP/IP NetBIOS Helper Service - enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Only required if you need to share files with others.
Recommendation: Disabled
TCP/IP Printer Server - Not installed by default, but if needed, you may install it later off of the WinXP CD. Used for setting up a local UNIX print server. If you do not need this function, leave it uninstalled.
Recommendation: Leave not installed or Disabled
Telephony - provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and through the LAN on servers that are also running the service. If you never use a dial-up modem on a PC but connect via a router then disable.
Recommendation: Automatic (if using Dial-Up Networking/Faxing/ or PC Phone Services) Disabled otherwise
Telnet - Not available on Windows XP Home and for good reason!! allows a remote user to log on to the system and run console programs by using the command line. Very dangerous. .
Recommendation: Disabled, preferably deinstall
Terminal Services - provides a multi session environment that allows client devices to access a virtual Windows 2000 Professional desktop session and Windows-based programs running on the server. Big security risk!
Recommendation: Disabled, preferably deinstall
Themes - Used to display all those new XP themes and colors on your desktop. Lots of space needed.
Recommendation: Disabled
Uninterruptible Power Supply - manages communications with a UPS connected to the computer by a serial port.
Recommendation: Disabled
Universal Plug and Play Device Host - Used in conjunction with SSDP Discovery Service, it detects and configures UPnP devices on your home network. For security reasons disable this service immediately. Please read the section in the guide on UPnP. Please note that even the FBI recommends disabling and preferably deinstalling this!!
Recommendation: Disabled for security reasons, better still removed totally as per the Steve Gibson instructions in the UPnP section.
Upload Manager - As with BITS, this service manages file transfers between clients and servers on the network. This service is NOT required for basic File and print sharing.
Recommendation: Disabled
Volume Shadow Copy - Used in conjunction with the MS Software Shadow Copy Provider Service. Microsoft Backup uses these services.
Recommendation: Disabled
Web Client - Disable this for security reasons.
Recommendation: Disabled
Windows Audio - This service is required if you wish to hear any audio at all. If your computer does not have a sound card, Disable this service.
Recommendation: Automatic unless you do not have a sound card, then set it to Disabled.
Windows Image Acquisition (WIA) - Used for some scanners and cameras. If, after disabling this service, your scanner or camera fails to function properly, enable this service.
Recommendation: Disabled
Windows Installer - installs, repairs, or removes software according to instructions contained in .MSI files provided with the applications Recommendation: Manual
Windows Management Instrumentation - provides system management information.
WMI is an infrastructure for building management applications and instrumentation shipped as an integral part of the current generation of Microsoft operating systems.
Recommendation: Automatic
Windows Management Instrumentation Driver Extension - Not available on Windows XP Home. Tracks of all of the drivers that have registered WMI information to publish.
Recommendation: Manual
Windows Time - sets the computer clock. W32Time maintains date and time synchronization on all computers running on a Microsoft Windows network. NTP can be dangerous. Not worth the risk.
Recommendation: Disabled
Wireless Zero Configuration - Automatic configuration for wireless network devices. If you do not have any wireless network devices in use, Disable this service.
Recommendation: Disabled
WMI Performance Adapter - ??
Recommendation: Disabled
Workstation - provides network connections and communications. If this service is turned off, no network connections can be made to remote computers using Microsoft Networks. Use if you require drive-mapping connections to other Windows PC's.
Recommendation: Disabled, Automatic if required
World Wide Web Publishing Service - Not available on Windows XP Home. Provides HTTP services for applications on the Windows platform. Required if you are running a web server, but consider firewalling such a local web server so it is not visible to the world. Use an ISP web server for greatest security. Most common entry point for hackers!
Recommendation: Leave not installed or Disabled
As you can see from the above, not very much is actually needed to keep your Windows XP installation functioning in a home environment. All the enabled services just pose an enormous security risk, bring little or no benefit, consume resources and can be safely turned off.
Also disabling permanently Hidden Administrative Shares is best. This might help:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Par ameters
Name: AutoShareServer for servers
Name: AutoShareWks for workstations
Type: REG_DWORD
Value: 0
Затем ставим Аутпост. Все настройки фаера пропускаю, но самое главное замечание в настройках у многих опытных юзеров остаётся долго без внимания:
Сначала заходим на hччp://www.dnsstuff.com/tools/aboutyou.ch
Даже после установки ВПН и использовании проксей палится ДНС!
Настройка VPN
Чтобы настроить VPN-соединение необходимо знать ip-адрес сервера, где расположена служба VPN, а также логин и пароль на соединение.
Итак, для настройки тестового/постоянного доступа Вам необходимо:
Войти в Панель управления, выбрать пункт "Сетевые подключения" и запустить мастер новых подключений.
Щелкнуть кнопку "Далее", выбрать тип "Подключить к сети на рабочем месте", затем отметить "Подключение к виртуальной частной сети". В следующем окошке необходимо задать имя подключения. Пишите, что хотите (например, можно назвать соединение "Vpn service"). Далее у Вас попросят выбрать метод подключения к Интернету, отметьте, что не хотите предваритально набирать номер. В следующем окне нужно ввести IP-адрес сервера, где находится служба VPN. Этот адрес мы предоставим Вам по предварительной договоренности. После настройки мастер предложит добавить ярлык подключения на рабочий стол. Делать это или нет - решать Вам.
В появившемся окне нажмите кнопку "Свойства", затем перейдите во вкладку "Сеть", и выберите из списка протоколов "Протокол Интернета (TCP/IP)". Затем нажмите кнопку "Дополнительно". Во вкладке "Общие" будет стоять галочка напротив опции "Использовать основной шлюз в удаленной сети". Если Вы пока еще не купили полный доступ к VPN, снимите ее. В случае, если Вы наш клиент - установите опцию. Этот параметр позволяет перенаправлять все данные через VPN, что гарантирует Вашу абсолютную безопасность в сети.
Не закрывайте свойства соединения. Перейдите в раздел "Безопасность" и убедитесь, что у вас выбран пункт "Требуется данных шифрование (иначе отключаться)". Только в этом случае мы гарантируем шифрование всех данных, переданных через VPN.
Теперь вернитесь к первому окну подключения, введите тестовый/купленный логин и пароль и нажмите кнопку "Подключение". Если все настроено верно, Вы соединитесь с сервером и у Вас в трее появится новое подключение. Если Вы настраиваете купленный аккаунт - это последний шаг конфигурации.
Если настраивается тестовый доступ, то после подключения нужно открыть командную оболочку (Пуск-> Выполнить-> cmd.exe) и написать команду route add 195.2.91.125 192.168.2.50 (именно так, и никак иначе!). Затем убедитесь, что в свойствах Вашего браузера не выставлено использование прокси-сервера и перейдите на страницу http://www.leader.ru/secure/who.html. Если настройка выполнена верно, на странице высветится IP-удаленного сервера, а не Ваш адрес до подключения к VPN.
Делаем в Агнитуме так:
Options->Plug-Ins Setup->DNS Cache->Properties->Block extra long DNS requestsОпять проверяемся hччp://www.dnsstuff.com/tools/aboutyou.ch
Должно помочь. Если нет – причина может быть в другом.
Лекарство при палеве ДНС: _http://www.opendns.com/start/
Настраиваем
Два компьютера и ВПН - настраиваем локальную сеть.
Допустим, у нас стоит на компьютере № 1 Windows 2000, а на компьютере № 2 Windows XP Pro SP2.
Компьютер № 1 выходит в Интернет через dial-up, а компьютер № 2 через LAN connection.
Для начала проверим настройки локальной сети компьютера № 1:
1. Start - Settings - Network and Dial-up Connections - кликаем на Local Area Connection Properties.
2. Internet Protocol (TCP/IP) ->Properties->Use the following IP address:
IP address (прописываем локальный адрес 192.168.100.1)
Subnet mask - 255.255.255.0
-Use the following DNS server addresses:
Preferred DNS server: пусто
Alternate DNS server: пусто
Кликаем на Advanced - IP Settings - IP address 192.168.100.1 - Subnet mask 255.255.255.0
Ниже Default Gateways - Gateway …… Metric
Interface Metric: 1
Кликаем DNS: Все пусто, кроме Append primary and connection specific DNS suffixes
Кликаем WINS: Enable LMHOSTS lookup (стоит галка) + отмечено Enable NetBIOS over TCP/IP
Остальное - пусто
Кликаем Options - TCP/IP filtering не тронуто - IP security - Properties - Do not use IPSEC
Теперь проверим настройки локальной сети компьютера № 2:
1. Start - Settings - Network and Dial-up Connections - кликаем на Local Area Connection
Properties.
2. Internet Protocol (TCP/IP) ->Properties->Use the following IP address:
IP address (прописываем локальный адрес 192.168.100.2)
Subnet mask - 255.255.255.0
Default gateway: 192.168.100.1
-Use the following DNS server addresses:
Preferred DNS server: пусто
Alternate DNS server: пусто
Кликаем на Advanced - IP Settings - IP address 192.168.100.2 - Subnet mask 255.255.255.0
Ниже Default Gateways -192.168.100.1 Interface Metric: Automatic
Ниже Automatic Metric: 1
Кликаем DNS: Все пусто, кроме Append primary and connection specific DNS suffixes
Кликаем WINS: Enable LMHOSTS lookup (стоит галка) + отмечено Disable NetBIOS over TCP/IP
Остальное - пусто
Кликаем Options - TCP/IP filtering - Properties - Enable TCP/IP Filtering (All adapters)
->Permit All (для всех)
Windows Firewall - off
Для уверенности правильной настройки локальной сети пингуем компьютер № 1, с компьютера № 2.
Для этого заходим на Far или Command Prompt -> ping 192.168.100.1
Все работает? ОК.
Проверяем работу ВПН с компьютера № 1.
1. подключаемся к ВПН (настройки ВПН пропускаем) компьютером № 1
2. Far или Command Prompt -> C:\>ipconfig /all -> enter
PPP adapter ISP (Internet Service Provider):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-XX-XX-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : XXX.XXX.XXX.XXX (реальный IP адрес)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : XXX.XXX.XXX.XXX
DNS Servers . . . . . . . . . . . : YYY.YY.YY.YY
ZZ.ZZ.ZZ.ZZ
NetBIOS over Tcpip. . . . . . . . : Disabled
PPP adapter ☺:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-XX-XX-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : AA.AAA.A.AAA (показывает локальный адрес ВПН)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : AA.AAA.A.AAA
DNS Servers . . . . . . . . . . . : 00.000.00.97 (DNS VPN Server)
00.000.00.97
NetBIOS over Tcpip. . . . . . . . : Disabled
3.набираем команду в Far или Command Prompt route delete 0.0.0.0 mask 0.0.0.0 XXX.XXX.XXX.XXX (Enter). Таким образом
убиваем Default Gateway. Далее проверяем:
ipconfig (Enter), и видим, что там, где у нас был прописан Default Gateway, теперь у нас пусто.
Таким образом мы имеем возможность работать с компьютера № 1, через ВПН + Socks Cap + Socks Chain. Если
разорвется соединение с ВПН, то связь с Интернетом будет потеряна.
Проверяем работу ВПН с компьютера № 2.
1. подключаем компьютер № 1 к Интернету
2. подключаем компьютер № 2 к ВПН, используя LAN
3. набираем команду ipconfig /all и видим, что наш реальный IP адрес нигде не виден.
Следовательно, даже при включенных ActiveX and Java в нашем браузере, IP адрес компьютера № 2, будет виден:
192.168.100.2
Объяснив своему компьютеру его Ай Пишник, работаем спокойно с вебманей, а также с другими системами.
Надо учитывать, что некоторые провайдеры не дадут пользоваться ВПН без письменного договора.
В любом случае, при правильных настройках ВПН, надо пользоваться Socks Cap + Socks Chain или другими аналогичными
прогами.
FireFOX:
Directions -
Type "about:config" in your firefox address bar.
Search for the following settings:
1. network.http.pipelining
Set to true
2. network.http.pipelining.firstrequest
Set to true
3. network.http.pipelining.maxrequests
Set to 32
4. network.http.proxy.pipelining
Set to true
5. nglayout.initialpaint.delay
Set to 0
Its very likely that you won't have an entry for network.http.pipelining.firstrequest. Thats ok. Just add one.
Right-click on the preferences list, select 'New' then select 'Boolean'
On the first prompt, type:
network.http.pipelining.firstrequest
On the second prompt, set it to 'true'
Its also likely that you won't have an entry for nglayout.initialpaint.delay
Right-click on the preferences list, select 'New' then select 'Integer
On the first prompt, type:
nglayout.initialpaint.delay
On the second prompt, set it to '0'
Подбор материалов сделан из различных источников и опробован в разных странах. Некоторые вещи написаны лично. Удобно иметь такую подборку под рукой, чтобы не вспоминать каждый раз азы, при настройке очередного рабочего компьютера. Зашёл на форум – проверился.
Всем удачи и процветания.
 
	 
 
		 
 
		