how to automate registry settings for security enhancements?

[sid]

I'm wanting to get some non tech users to make changes to windows default
settings to enhance their security. Specifically this would involve making
all file extensions visible (except maybe .LNK). I'm thinking this should be
poss by using a .REG file for the users to simply open and merge containing
NeverShowExt deleted for various file types but I'm unsure as to exactly
what goes into such a file, detailed syntax etc.

Is this feasible? Can anyone advise please? Also any other assinine defaults
that could and should be changed similarly?
tia

 

[Wim Cossement]

Is this feasible? Can anyone advise please? Also any other assinine defaults

that could and should be changed similarly?

Well, I'm quite sure the regedit app has a few command line options
(maybe skippig the confirmation when you merge); and knowing this you
could put yr customised reg file somewhere in their homedir and execute
a batch, command or shortcut that has the parameters in it by putting it
in the Startup folder of the specific user.

 

[null]

I'm wanting to get some non tech users to make changes to windows default
settings to enhance their security. Specifically this would involve making
all file extensions visible (except maybe .LNK). I'm thinking this should be
poss by using a .REG file for the users to simply open and merge containing
NeverShowExt deleted for various file types but I'm unsure as to exactly
what goes into such a file, detailed syntax etc.

Something like this?:
http://www.irchelp.org/irchelp/security/trojanext.html

Is this feasible? Can anyone advise please? Also any other assinine defaults
that could and should be changed similarly?
tia

There are tons of them but the specifics depend on the particular OS.
Here's a XP "hardening" example:

http://winxp.uwaterloo.ca/Documentation/Hardening_WXP.asp

You can Google up all kinds of info using key words such as
"hardening", "survival guide", "securing", along with the particular
version of Windows of interest.

A couple of the things I've done in the past include:

1. Toggling WSH on and off using Symantec's utility:

http://www.symantec.com/avcenter/venc/data/win.script.hosting.html

2. Associating certain file extensions such as .SCR (screen savers)
with a hex editor or Notepad.


Art
http://www.epix.net/~artnpeg

 

[FromTheRafters]

I'm wanting to get some non tech users to make changes to windows default
settings to enhance their security. Specifically this would involve making
all file extensions visible (except maybe .LNK). I'm thinking this should be
poss by using a .REG file for the users to simply open and merge containing
NeverShowExt deleted for various file types but I'm unsure as to exactly
what goes into such a file, detailed syntax etc.

I think that you would have to investigate which keys are applicable for
each computer you desire to affect, and make your reg file from there.

I'm wondering if you could text edit (find NeverShowExt and replace
with AlwaysShowExt). Of course *always back up the registry* before
messing around with it. Make a REG file to re-hide the LNK and any
other, such as CLSID extensions, that you would rather have hidden.

I haven't tried it - and don't intend to - you assume the risk if you do so.

Is this feasible? Can anyone advise please? Also any other assinine defaults
that could and should be changed similarly?

There is one for associating unregistered extensions with notpad so that
that aren't executed according to what their internal structure indicates
that they are. I don't have it handy, but Bart may know it by heart.