HOW TO: Secure Windows XP

[Minkey]

This thread (in 2 parts) will be a guide to setting up Windows so you can be confident that if you leave your PC on and connected to the internet for any length of time unattended that you will not pick any nasties or be 'hacked' by some spotty nerk, it should also ensure you can be confident in browsing and using e-mail (Outlook) without being constantly paranoid and prevent you posing as a weak target.

There are a few things to bear in mind:

1) This is guide is written with Windows XP Pro in mind without any services packs (SP) applied so some of the services will already be disabled if you have SP2 and if you have XP Home some of the services will not be there.

2) It's written from a 'fresh' install in mind i.e. if you have install or re-install windows from scratch (after a format of your hard drive) though many of the tips will still apply if your running XP already.

User Accounts

Your account - don't be an admin

Why ?

You should know that the first account you setup is a FULL admin on the system, do your really need that ? You can always be a power user this will give you the ability to do anything except alter critical Windows files, you can always setup a different admin account to install new software that does alter Windows files after all it doesn’t take long to switch user accounts.

How ?

WinXP Pro - Start > Control Panel > User Accounts set a new admin account then reduce your account to power user by selecting your account and clicking on change account type.

WinXP Home - Unfortunately the power user rights don't apply under XP Home the limited account does not allow alteration the critical system files.

Disable Windows default 'Guest' account

Why ?

The Windows default guest account is ALWAYS there even if you remove it from user accounts in the control panel all you have done (or all that Windows has done) is remove the icon from the log on screen. The reason for this is that peer to peer (P to P) networks actually use the guest account to authenticate.

How ?

If you don't use P to P, file share, printer share or Internet connection sharing disable it permanently - Start > Control Panel > Admin Tools > Local users and groups > users - right click on guest and disable (for XP home - start > Run and type net "user Guest /active:no" without the quotes)

Disable vurnable/ unwanted services

Why ?

Windows starts a load of services that are required for certain applications and process to run but some of these are either not needed and are therefore slowing down your machine or are a security risk.

How ?

Start > run and type "services.msc" without the quotes, right click on the properties. Here is a handy guide:
clicky - some of these are a MAJOR security risk so please read carefully.

The critical ones you should disable are:

Messenger - This is not MSN messenger it was originally made for administrators to send you messages over the network.

NetMeeting Remote Desktop Sharing - Unless you want to share your desktop in a netmeeting session

Remote Procedure Call (RPC) Locator

Remote Registry Service - If you know what the registry is that you'll realise how bad this is to have running

Routing and Remote Access - remote access I think not

SSDP Discovery Service - Even Microsoft says this is a security risk (disabled in SP2)

TCP/IP NetBIOS Helper Service - Unless your network uses NetBIOS (which I doubt any one does anymore)

Telnet - Big security risk! Disable this as it can allow users access to your system remotely.

Universal Plug and Play Device Host - Used in conjunction with SSDP Discovery Service

Please bare in mind some applications require some of these services for example Windows Defender requires Automatic updates and IPSEC services to install (but not to run), Visual Basic requires Background Intelligent Transfer Service, if you do get an error message Google it and chances are you will be able to troubleshoot it.

Protect yourself

Why ?

Erm duh

How ?

Use a firewall - Not windows default firewall (it doesn't even block outgoing traffic) so get a decent one - you don't even have to pay for it - Outpost and Zonealarm are both free and very good (see my free software thread here and make sure you disable the windows one to prevent false positives.

Get decent Anti-virus/ anti-spyware/ anti-adware software, once again check my free software thread for free downloads.

Remember to update them regularly (at least once a week)

Update Windows regularly - there are updates for a reason download and install the critical updates at least ! I prefer to set Windows update to notify me but don't automatically install them (see control panel > Automatic updates to change the settings)

 

[Minkey]

HOW TO: Secure Windows XP Pt.2

Other settings

Change the default setting in certain Windows applications.

Why ?

By default some Windows applications don't have many of the security 'options' enabled (probably to "enhance the user experience") so here are the 2 prime candidates:

Why ? and How ?

Outlook - Do you use Outlook or Outlook Express then please turn off the preview pane, this is the same as actually reading the e-mail - if it's infected it's been read and this can be exploited.
Also it's very wise to disable html formatting in Outlook (an e-mail that contains html can also contain code) go to tools > options > preferences > e-mail options > and tick read all standard mail in plain text.

Internet Explorer - Well what's to say this is riddled with security risks, personally I don't use it* (unless I absolutely must - some web sites do not follow the standard www practices for web design and they will only work properly by using IE !)
If you have to use it change some of the default setting the increase security go to Tools > Internet Options > Security > custom Level and change the following settings:

ACTIVE X
Download unsigned ActiveX controls - Prompt
Initialise and script ActiveX controls - Prompt
MISC
Allow scripting of IE Web browser controls - Disable
Allow Web pages to use restricted protocols for active content - Prompt
Don't prompt for client certification selection when no certificate exist - Disable
Installation of desktop items - Prompt or Disable
Open files based on content** - Enable
SCRIPTING
All to Prompt

But the most important is AutoComplete turn this off for Forms and User names and passwords - found under Tools > Internet options > AutoComplete. (Do you really want IE to save your logins and passwords ?)

*again see my free software thread for alternatives
** VERY important - I'm not going to explain why in too much detail but Windows by default only recognises file types based on their header NOT their content and hence in very easy to exploit.

Wireless security

Wireless modems and routers are becoming much more popular recently and can be configured and ready to go easily and quickly by anyone with basic knowledge but they are also very insecure if the security features are not enabled. I can't go into details of exactly how to change them but the majority of them you need to log into the box as an admin and find the following entries:

Enable WEP (Wireless Encryption Protocol)
OR Enable WPA (Wi-Fi Protected Access)
Change the default password
Change the default IP address
Change the default SSID (Service Set ID)
Disable SSID broadcast
Enable MAC address filtering (You’ll also need to add all your wireless cards to routers table)
Limit the number of connections

To find out your wireless card MAC address go to Start > Run and type cmd in the command prompt type ipconfig/all - your MAC address is listed under the Physical Address entry.

If you don't every person with an interest in accessing access your wireless connection has all the default information for every manufacturer of every device (default IP and admin password in particular) - don't believe me - Google it !

Other bits

Obvious, I know but just in case :

Don't ever open an e-mail from anyone you do not know (especially if it contains an attachment) delete it.

Never unsubscribe to any spam - see that link that can stop you getting 'newsletters' from us or click here to unsubscribe ? it's simply a way of confirming to the spammer that your e-mail address is a valid and working account and you will get more of it !

Don't click on links in an e-mail from an untrusted source - type them instead (if you must)

Spam - You'll get sent every type of spam especially if you have a hotmail account - ignore them ALL even the ones that claim you have had an unauthorised withdrawal from your account bla bla bla please contact us to rectify the situation etc etc - they look genuine but trust me they are not.

Ransomware - A newish threat but very debilitating, it's a virus variant that rather than destructing or corrupt your files it renders them useless unless you make a payment to a particular account (within a certain number of days) to get access to antidote software which will re-enable them.

You shouldn't get one of these if you are vigilant and have anti-virus software installed but they are very complex and use a very high level of encryption which of course takes time to crack (even by security experts) - if you do happen to get one you could spend a fair amount of time manually getting rid of it and normally I would recommend this but to be certain I would do a full format and reinstall of Windows.

This may seem drastic but it the best (and quickest) way to be certain of getting rid. Your should always be in a position to do a full reinstall of Windows at any time without loosing critical files how? well that another thread which I will be happy to compose if I get a good response

The good news !

OK I've covered a lot of ground here and hopefully some of it you will find at least some of it useful (or maybe boring if you already know this stuff) but trust me I know of various methods of exploiting a PC that would scare you off the internet for good (and I'm no cracker/ hacker) but by using some of this advice you can be protected and happily use the worlds greatest information resource (and IMO the greatest invention* of the modern age) securely.

* Invented by a Brit BTW

If anyone has some thing to add please post (my fingers are a bit tired )

Last thing

Be (reasonably) paranoid but not destructive - If you suspect something odd happening (slowing down of your PC, odd behaviour, unusual activity) don't panic ! check your process’s from task manager (search the internet for any you think could be suspicious), check your startup applications (Start > run > "msconfig" without the quotes) and check the startup tab) don't go deleting stuff if you think it could be a virus/ exploit etc. check first !

Enjoy and happy (and secure) surfing