Restrict access to the OS/2 and POSIX subsystem

Windows NT has support for several subsystems, the most common ones are DOS and 16 Bit Windows. It also has support for OS/2 1.0(No GUI), and it is regarded as a security issue to have the OS/2 and POSIX support enabled. Before disabling OS/2 support make sure that you are not using OS/2 dependent legacy applications or cross-platform executables with OS/2 support (Like HIEW).

Disable OS/2 and POSIX subsystem
  1. Start the registry editor and remove the following entries:
    • [HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \OS/2 Subsystem for NT]
    • [HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \Session Manager \Environment]
      Os2LibPath=
    • [HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \Session Manager \SubSystems]
      Optional=
      OS2=
      Posix=
  2. Enter the %Windir%\System32\Dllcache directory and remove these files (Because of Windows File Protection)
  • os2.exe
  • os2ss.exe
  • os2srv.exe
    1. Enter the %Windir%\System32 directory and rename/remove these files:
  • os2.exe
  • os2ss.exe
  • os2srv.exe
  • psxss.exe
  • posix.exe
  • psxdll.dll
    1. Enter the %Windir%\System32\OS2 directory and rename/remove these files:
  • All files except the DLL folder and its contents

More Info MS KB101270

Note that with Windows XP the OS2 and POSIX subsystem is not installed, though the registry entries are still created. More Info MS KB308259

Credits NSA Win2k Security Guide
Credits NSA WinXP Security Guide