Security for the masses

Securing Windows XP

Use a normal user account

The biggest security flaw with the Windows XP operating system is that the default user account, the account that is first created during install and then usually used for the lifetime of the install, has complete control over the whole system. It is an administrator account. To add to this most ridiculous oversight, this administrative user can have a blank password. A result of this is that any code or program that is run by the default user account can do anything to any part of the operating system.

This flaw can be corrected by creating a non-administrator user account in the Windows account manager and logging on with that account during normal Windows use. There will be problems when attempting to run programs that attempt to change any of the system settings, but this is the whole point: any software that is run without user knowledge will have this problem too. Installing software and using the Control Panel are restricted for non-admin users. A guide to setting up a normal user account can be found here. Should you wish to run a program as administrator or change settings, the "run as" command will show a dialogue in which to enter the admin logon. It is accessed by right clicking or 'shift' right clicking on the program or icon you want to run.

Use Protection

It should go without saying, but I will say it anyway:

  • Install and use anti-virus software and keep it updated.
  • Keep Windows updated with automatic updates.
  • Keep your applications patched and updated.
  • Scan your hard disk regularly with decent anti-spyware software.
  • Use strong passwords for logins: !Lik3bu773R? is a strong password, the name of your pet isn't.
  • Make sure Windows Firewall service runs automatically.
  • Use separate accounts for each family member.

Windows XP Services

XP runs a lot of programs (services) in the background automatically without user awareness. Some of these services are essential to the smooth running of XP, some are essential for securing XP, and some are an actual security risk. The following recommendations apply to a home PC; in a corporate or business environment needs may differ. Windows Update may re-enable some of the services you disable, so check the autorun of services after each update. A guide to controlling Windows services can be found here.

Services that should run automatically at startup
  • Automatic Updates
  • Background Intelligent Transfer Service
  • Cryptographic Services
  • Protected Storage
  • Security Accounts Manager
  • System Event Notification
  • System Restore Service
Services that are a security risk or not needed in a home, stand-alone environment and should be disabled
  • Alerter
  • Distributed Link Tracking Client
  • Indexing Service
  • Messenger
  • Net Logon (unless your computer connects to a home server)
  • NetMeeting Remote Desktop Sharing
  • Portable Media Serial Number
  • Remote Desktop Help Session Manager
  • Remote Registry Service
  • Routing and Remote Access
  • Secondary Logon
  • SSDP Discovery Service (Unplug n' Pray will disable this)
  • Telnet
  • Terminal Services
  • Universal Plug and Play Device Host
  • Upload Manager
  • Wireless Zero Configuration (unless you use a wireless connection)
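
A way to run the check recommended above after each Windows update, as an added example that is not part of the original page: a cmd.exe batch file that reports the start type of the services on the "should be disabled" list and, when called with /fix, stops and disables them. The service key names are the usual XP key names for the display names listed (an assumption to confirm on your machine with sc getkeyname "Display Name"), and the /fix switch is this script's own.

```bat
@echo off
rem Added example: audit the services this page says to disable.
rem Run from an administrator command prompt.
rem   no argument : report the start type only
rem   /fix        : also stop and disable anything not already disabled
setlocal

rem Key names assumed for the display names in the list above.
set SERVICES=Alerter TrkWks CiSvc Messenger mnmsrvc RDSessMgr RemoteRegistry RemoteAccess SSDPSRV TlntSvr TermService upnphost uploadmgr

rem Deliberately not in the list:
rem   Netlogon - the page keeps it if the PC connects to a home server
rem   WZCSVC   - the page keeps it if you use a wireless connection
rem   seclogon - the "run as" dialogue depends on Secondary Logon, so
rem              disabling it removes the elevation route described earlier
rem   Portable Media Serial Number - resolve its key name with
rem              sc getkeyname before adding it

for %%S in (%SERVICES%) do call :check %%S %1
goto :eof

:check
rem %1 = service key name, %2 = optional /fix
set STATE=not installed
rem "sc qc" prints e.g. "START_TYPE : 4   DISABLED"; the fourth token is the name.
for /f "tokens=4" %%T in ('sc qc %1 2^>nul ^| find "START_TYPE"') do set STATE=%%T
echo %1: %STATE%

if /i not "%2"=="/fix" goto :eof
if "%STATE%"=="DISABLED" goto :eof
if "%STATE%"=="not installed" goto :eof

rem Stop the running instance, then prevent it starting at boot.
rem The space after "start=" is required by sc.
sc stop %1 >nul 2>&1
sc config %1 start= disabled
goto :eof
```

Any line that reports AUTO_START or DEMAND_START after an update is a service that has been switched back on.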

Windows XP Firewall

XP has a built-in firewall which is designed to prevent unauthorised access to your computer from the network or Internet. This should be run automatically. I find Windows Firewall to be inadequate. Although it will stop unauthorised access to your computer (ingress), it does nothing to stop programs accessing the network from your computer (egress). There are a number of free firewalls for XP which will stop all inbound and outbound communications except those you explicitly allow. Two such software firewalls are Comodo and ZoneAlarm.

Hidden Shares

For administrative purposes XP shares all your drives automatically; these are hidden shares such as C$ and ADMIN$. For home users these shares are a security risk, especially since XP will allow the administrator account to have a blank password. If these shares are deleted they are automatically recreated when the system reboots. To make sure they are deleted permanently follow this guide from Microsoft.
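
A check for the recreate-on-reboot behaviour described above, as an added example that is not part of the original page and is not a copy of the Microsoft guide: it lists the hidden shares currently published and inspects the AutoShareWks registry value, which controls whether the Server service recreates the drive and ADMIN$ shares at startup on a workstation. The /fix switch is this script's own.

```bat
@echo off
rem Added example: audit XP's automatic administrative shares.
rem Run from an administrator command prompt; pass /fix to change the setting.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

echo Hidden shares currently published:
net share | find "$"

rem AutoShareWks = 0 : drive shares and ADMIN$ are not recreated at startup.
rem Value missing or 1 : they come back on every reboot, even after
rem "net share C$ /delete".
reg query "%KEY%" /v AutoShareWks 2>nul || echo AutoShareWks is not set: shares will be recreated at startup.

if /i "%1"=="/fix" (
    reg add "%KEY%" /v AutoShareWks /t REG_DWORD /d 0 /f
    echo Reboot, then run this script again without /fix to confirm.
)
```

After the reboot the drive shares and ADMIN$ should no longer be listed; IPC$ is not controlled by this value and will still appear.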

Application Updating

Securing Windows beyond what a default install offers will go some way to mitigate a trojan infection or a compromise of your computer, but that is not the whole story. Your computer runs applications or programs and these too can have security vulnerabilities. You should make sure that all your applications are up to date and patched with the latest updates. Secunia provide excellent resources that will allow you to identify potential vulnerabilities in the applications you use.

Physical Security

The Internet is not the only threat to the security of your personal data. You may think your PC is safe enough sat on its desk, and after all it is insured, isn't it? Easy enough to replace? Sure it is, but what about the data: your personal files and information? If the data is destroyed for whatever reason you can always resort to last night's backup. But what if your computer is stolen? All your personal information is now in the hands of thieves.

  • Back up important data regularly.
  • Avoid storing your bank and credit card details or other secrets, whatever they may be, on your PC.
  • If it is essential that you store personal information, encrypt it.
  • Keep your PC free of dust and fur. Overheating can cause data corruption.