techbargains.com
Hot Tip #13 : Windows XP Security and Lockdown
By Chief Bargainmeister
(C) 2004 techbargains.com, LLC
12/29/04
Change History
1/9/2004 Started
1/26/04 Added IE security
3/26/04 Added content
8/23/04, 12/29/04 Windows XP SP2
Introduction
With the advent of fast-spreading virus and worm attacks, security has
become important for all users, not just corporate IT departments. ALL
users need to take precautions to ensure they are not attacked, or
used by hackers to attack others. Windows is particularly vulnerable
to attack, so users must lock down their systems. While it is impossible
to make your computer 100% secure, we have compiled several security
procedures that should take you off the easily targeted list.
These tweaks are designed for Windows XP, both Home and Pro. As with
any major change, BACKUP your System before attempting any of these
modifications! Make the changes slowly and test, so you can back off
changes that cause problems.
Microsoft's 3 Steps
Microsoft suggests 3 steps to protect your PC. You should follow this
as a BARE minimum, whether you have a dialup modem or use
DSL/Cablemodem.
1) Use an Internet Firewall
Enable the simple firewall built into Windows XP for protection. Most
XP installations do not have it enabled. This will block most
unintended access to your computer, including Windows Messenger service
popups. This firewall is enabled by default by Windows XP Service Pack
2. It does not protect against rogue spyware programs sending outbound
requests. You must disable this built-in firewall if you have other
firewall software installed.
Third-party Internet security or firewall software is much more
flexible and configurable than the built-in firewall, but it costs
money. More sophisticated software firewalls can tell you when rogue
programs, aka spyware, are trying to access the Internet. Users with
hardware routers should still run software firewalls to detect these
accesses.
Zonealarm has a free basic version for personal users. It works great
but requires some user assistance while it learns which programs access
which resources. It lets you see when programs are accessing their home
servers. Zonealarm's Pro version is an even better program.
Norton Internet Security is a commercial security package we have
tested and can recommend.
2) Get Computer Updates
Set your computer to automatically download the latest Critical
Updates and Service Packs from Microsoft. This allows you to
automatically get their latest fixes without remembering to do it.
Many machines have been compromised because they did not have the
latest Microsoft patches. Dialup Modem users will suffer, as download
times can be lengthy.
3) Use Up to Date Antivirus Software
Out-of-date Antivirus software is almost as useless as no antivirus
software. If you do not have Antivirus software, buy some and set it
to automatically download the latest updates. If your subscription
has expired, renew it. Your Antivirus software must support scanning
your email for viruses.
ClamWin is a GPL Licensed Windows Antivirus program.
Computer Associates has 1 year of free Antivirus/Firewall software. It
also has email protection.
Grisoft has free Antivirus software for Home Users. It also has email
protection.
avast! has free Antivirus software for Home Users. It also has email
protection.
H+BEDV has free Antivirus software for Home Users. No email
protection.
Bit Defender has free Antivirus software for Home Users. No email
protection.
Norton and McAfee charge about $20 for each yearly Antivirus
subscription update. We often have deals to purchase new versions for
free after rebates, if you own a previous version of either product.
This makes the cost minimal except for the initial first copy.
WindowSecurity Tips
Windowsecurity has several tips for locking down Windows XP.
Perform all the recommendations except the 3 we completed earlier.
(Firewall, Antivirus, Microsoft Updates) You can also disable the
Messenger service.
Blackviper has information on the services you disabled, as well as
other services you can disable.
Windowsecurity has some other general security tips.
Install a Router
If you have a fulltime connection to the Internet, such as a
Cablemodem or DSL, you need to get a hardware router for added
protection. Hackers are constantly probing the net for new targets.
This inexpensive box will add another layer between your computer and
the Internet, preventing many attacks. Linksys, a division of Cisco
Systems, makes the most popular ones. Wireless support does not add
much to the cost of the router, so buy one with at least 802.11b
wireless support even if you don't plan to use it right away.
Users should still run a software firewall in addition to the Router.
A software firewall can catch/prevent unauthorized access to the
Internet by rogue programs such as spyware.
grc.com has a ShieldsUP! test that can test your machine's Internet
security.
pcflank.com has several tests for your machine's Internet security.
Retina is a more sophisticated vulnerability scanner.
Add Password Protection
This site has pointers on how to setup a password for your Windows XP
user accounts. Many XP configurations bring the user to the Windows
desktop without the need of logging on. Adding a strong password will
make your machine safer.
You should also set the Screen Saver in the Display Control Panel to
ask for a Password when it resumes.
Email Security
Viruses can sneak into your system through email, so ensure you have
virus protection that scans your email for viruses and worms.
Run a mail client that previews your email's header and subject
information, so you can delete email without actually reading it. A
spammer knows your email address once you've opened an email.
Previewing mail can allow you to delete worms before they infect your
email client.
Mailwasher does just this and helps you weed out spam.
Spampal is also available.
Popfile is also available.
Outlook Express Security
Many security holes and spam exposures are exploited when Outlook
Express loads a renegade email. Here are some security settings to
help lock down your email client. Do this in addition to the security
tips we list above. Always write down your original settings so you
can revert to them.
Use Secure Password Authentication - If your Email Server supports it,
use 'Secure Password authentication' to prevent sending your email
password unencrypted.
Open email in a safe zone -
In Tools Menu - Options - Security Tab: select Restricted sites zone
(More secure), check Warn me when other applications try to send
mail as me, and check Do not allow attachments to be saved or opened
that could potentially be a virus.
Lockdown the safe zone -
In Tools Menu - Options - Connection - Change...,
Click on Security Tab - Restricted Sites icon, Custom Level... button
Download signed ActiveX controls: Disable
Download unsigned ActiveX controls: Disable
Initialize and script ActiveX controls not marked as safe: Disable
Run ActiveX controls and plug-ins: Disable
Script ActiveX controls marked safe for scripting: Disable
File download: Disable
Font download: Prompt
Microsoft VM: Disable Java
Allow data sources across domains: Disable
Allow Meta Refresh: Disable
Display mixed content: Disable
Don't prompt for client certificates: Disable
Drag and drop or copy and paste files: Prompt
Installation of desktop items: Disable
Launching programs and files in an IFRAME: Disable
Navigate sub-frames across different domains: Disable
Software channel permissions: High safety
Submit nonencrypted form data: Prompt
Userdata persistence: Enable
Active scripting: Disable
Allow paste operations via script: Disable
Scripting of Java applets: Disable
Logon: Prompt for user name and password
Click OK, OK, OK
Don't let spammers know you're home -
In Tools Menu - Options - Receipts Tab - Click on Never send a read
receipt
Don't let email messages open automatically - Click on an email folder,
then in View Menu - Layout - turn off Show preview pane
Internet Explorer Security
Many security holes are exploited when Internet Explorer loads a
renegade web page. Here are some security settings to help lock down
your browser. Do this in addition to the security tips we list above.
Always write down your original settings so you can revert to them.
Lock down your security zone (this may cause some websites to display
warning prompts) - In Tools Menu - Internet Options - Security Tab,
click on the Internet icon and the Custom Level... button
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disable
Initialize and script ActiveX controls not marked as safe: Disable
Run ActiveX controls and plug-ins: Prompt
Script ActiveX controls marked safe for scripting: Prompt
File download: Disable
Font download: Prompt
Microsoft VM: Disable Java
Allow data sources across domains: Disable
Allow Meta Refresh: Disable
Display mixed content: Prompt
Don't prompt for client certificates: Disable
Drag and drop or copy and paste files: Prompt
Installation of desktop items: Prompt
Launching programs and files in an IFRAME: Prompt
Navigate sub-frames across different domains: Prompt
Software channel permissions: High safety
Submit nonencrypted form data: Prompt
Userdata persistence: Enable
Active scripting: Prompt
Allow paste operations via script: Prompt
Scripting of Java applets: Prompt
Logon: Prompt for user name and password
Click OK, OK, OK
In Tools Menu - Internet Options - Advanced Tab:
Enable Check for publisher's certificate revocation, enable Empty
Temporary Internet Files when browser is closed, enable Check for
signatures on downloaded programs, and uncheck Enable Install on Demand
(Other)
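The two Custom Level tables above (Restricted sites for Outlook Express, Internet for Internet Explorer) are stored as per-zone registry values, so they can be audited instead of re-checked by hand. The PowerShell below is an added example, not part of the original tip; the action codes and value encodings are the ones documented in Microsoft KB 182569, and the function name Test-ZoneBaseline is hypothetical.

```powershell
# Added example: report zone settings that differ from the tables in this tip.
# Row format: action code | setting | Internet zone (3) | Restricted sites zone (4)
# Encodings: 0 = Enable, 1 = Prompt, 3 = Disable,
#            65536 (0x10000) = High safety / Prompt for user name and password,
#            1C00 = 0 means Java disabled.
$Baseline = @'
1001|Download signed ActiveX controls|1|3
1004|Download unsigned ActiveX controls|3|3
1201|Initialize and script ActiveX controls not marked as safe|3|3
1200|Run ActiveX controls and plug-ins|1|3
1405|Script ActiveX controls marked safe for scripting|1|3
1803|File download|3|3
1604|Font download|1|1
1C00|Microsoft VM (Java permissions)|0|0
1406|Allow data sources across domains|3|3
1608|Allow Meta Refresh|3|3
1609|Display mixed content|1|3
1A04|Don't prompt for client certificates|3|3
1802|Drag and drop or copy and paste files|1|1
1800|Installation of desktop items|1|3
1804|Launching programs and files in an IFRAME|1|3
1607|Navigate sub-frames across different domains|1|3
1E05|Software channel permissions|65536|65536
1601|Submit nonencrypted form data|1|1
1606|Userdata persistence|0|0
1400|Active scripting|1|3
1407|Allow paste operations via script|1|3
1402|Scripting of Java applets|1|3
1A00|Logon|65536|65536
'@ -split "`r?`n"

function Test-ZoneBaseline {
    param([ValidateSet(3, 4)][int]$Zone)   # 3 = Internet, 4 = Restricted sites
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $current = Get-ItemProperty -Path $key
    foreach ($row in $Baseline) {
        $code, $name, $internet, $restricted = $row -split '\|'
        $want = [int]$(if ($Zone -eq 3) { $internet } else { $restricted })
        $have = $current.$code             # $null if the value is not set for this user
        if ($have -ne $want) {
            New-Object psobject -Property @{
                Code = $code; Setting = $name; Expected = $want; Actual = $have }
        }
    }
}

# No output means the zone matches the table for the current user.
Test-ZoneBaseline -Zone 3 | Format-Table Code, Setting, Expected, Actual -AutoSize
```

Run it again with -Zone 4 for the Restricted sites table. It reads the current user's settings only; zone values pushed by Group Policy are stored under a separate Policies key and take precedence.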
Spyware Protection
Spyware, hidden software that causes problems or fraud, is a lot more
prevalent now. You need to run spyware killing software periodically
to kill it. Norton Antivirus 2004 and McAfee 2004 now include spyware
removal. We have not found a single tool that works alone, so use more
than 1 tool.
Adaware is a good freeware spyware killer.
Spybot is also a good spyware killer.
Bazooka is also a spyware killer.
Advanced Security
Labmice has a useful Windows XP Security Checklist. We suggest you
perform: Disable the Guest Account, Disable Remote Desktop (If you
don't use it). Some of the other items are for more advanced users or
users connected to business networks.
Labmice also has a page full of links to useful Windows XP Security
articles.
NSA also has a guide to securing Windows XP. Most of it is focused on
more advanced items.
Hidden File Sharing
Microsoft has a note on how to disable filesharing of some hidden shares
that you may not need. This affects Windows XP Pro and Media Center
Users. You need to ensure that software such as backup software does
not use these shares, before disabling them.
Security Checklist
Microsoft has a security checklist to ensure you have performed the
most important fixes.
Microsoft has a Baseline Security Analyzer that can tell you ways to
make your system more secure. It is targeted towards IT professionals.
Microsoft has a program that will help you lock down XP.
Data Execution Protection
Microsoft has included support for Data Execution Protection in
Windows XP Service Pack 2 and higher. Enable it by selecting My
Computer – Properties – Advanced tab – Performance Settings button –
Data Execution Tab. It works even better if you have a processor like
the Xeon DP, Athlon 64, and Opteron that supports it in hardware.
Execution protection (also known as NX, or no execute) prevents code
execution from data pages.
Windows 2000 and XP Security is a good book on Windows XP Security.
We do not claim to know it all. Please contact us with additional
tips, questions, and suggestions!
http://www.techbargains.com/hottips/hottip13/index.cfm