Making Windows XP secure

jameswhite1979

Senior member
Apr 15, 2005
367
0
0
Wanting to understand what you would do with XP to make it secure. Currently I would:

Run the main accounts as Users (use Run As when required)
Have a strong Administrator password
Run auto-updating AV (McAfee or Norton or ...), weekly scans
Run auto-updating MS patches
Change ports for common applications
Configure the router's firewall well
Zone Alarm for a software firewall
Ad-Aware for spyware, weekly
Being careful what I install and where it is from
Run a virus scan of files that have been downloaded

I do not really want to get into the detail for each app, but feedback on the main ones would be good. Personally I like to use a Mozilla browser.

So what have I missed? What more can be better protected?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
If it's XP Professional, you can also add a disallowed-by-default Software Restriction Policy to bolster your Limited account.

Fully enable Data Execution Prevention like this.

Secunia has a checkup that looks for out-of-date versions of stuff: http://www.secunia.com/software_inspector (this checkup uses Java Runtime Environment )

Remove software that you don't actually use.

Never let anyone use the Admin accounts except yourself.

Establish a routine for backing up your data.

Don't run any publicly-accessible services (web, FTP, P2P, etc).

If the system has any Office software (Word, Excel, PowerPoint, Access, Publisher, Visio, etc), check it at Office Update monthly.
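The two checklists above (the original poster's and mechBgon's) are all things you can verify on the machine itself. The script below is an added example, not code from the thread or from any of the posters: a read-only audit that reports which of those items are in place. It assumes Windows XP Professional SP3 with PowerShell 2.0 installed (the Windows Management Framework Core package), and it reads the documented Software Restriction Policy (Safer) and Automatic Updates registry keys plus the DEP policy exposed by the Win32_OperatingSystem WMI class. It changes nothing; a Limited account can run it.

```powershell
# Added example, not from the thread: read-only audit of the XP hardening items
# discussed above. Assumes XP Professional SP3 with PowerShell 2.0 (assumption).
$findings = @()

# 1. Limited account in daily use ("Run the main accounts as Users")
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += "Running as an Administrator; do daily work from a Limited account and use Run As for admin tasks."
}

# 2. Software Restriction Policy (Safer): DefaultLevel 0 = Disallowed, 0x40000 = Unrestricted;
#    PolicyScope 0 = applies to everyone, 1 = exempts local administrators
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $safer) {
    $srp = Get-ItemProperty -Path $safer
    if ($srp.DefaultLevel -ne 0) {
        $findings += ("SRP DefaultLevel is {0}; disallowed-by-default is 0." -f $srp.DefaultLevel)
    }
    if ($srp.PolicyScope -eq 1) {
        $findings += "SRP PolicyScope exempts local administrators; 0 applies the policy to everyone."
    }
} else {
    $findings += "No Software Restriction Policy is configured."
}

# 3. DEP policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (the XP default), 3 = OptOut
$dep = (Get-WmiObject -Class Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
if ($dep -ne 1) {
    $findings += ("DEP support policy is {0}; fully enabled is 1 (AlwaysOn)." -f $dep)
}

# 4. Automatic Updates: AUOptions 4 = download and install on a schedule
$au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$auOptions = (Get-ItemProperty -Path $au -ErrorAction SilentlyContinue).AUOptions
if ($auOptions -ne 4) {
    $findings += ("Automatic Updates AUOptions is '{0}'; 4 = automatic download and install." -f $auOptions)
}

# 5. Listening TCP sockets ("Don't run any publicly-accessible services"):
#    parse 'netstat -an' lines of the form "TCP 0.0.0.0:135 0.0.0.0:0 LISTENING"
$listening = netstat -an |
    Select-String 'LISTENING' |
    ForEach-Object { ($_.Line.Trim() -split '\s+')[1] } |
    Sort-Object -Unique
if ($listening) {
    $findings += "Listening TCP sockets (review each one; forward none of them through the router): " +
                 ($listening -join ', ')
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each FINDING line names the setting and the value that matches the advice in the thread, so it doubles as a checklist after you apply the SRP, DEP and update changes. The listening-socket list is informational: XP always has a few system ports open on the LAN side, and the point of the thread's advice is that none of them should be reachable from the Internet.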
 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
While mechBgon's advice is all very good---there is a consolidated security sticky in the software section of AnandTech---or check out John's link for perhaps the best single place for advice.---or check out security forums like SpywareWarrior---or CastleCops.

But your initial strategy is not all that bad---the three main areas where you need improvements are
(1) Get AOL Active Virus Shield for your AV---free and very good (2) Nothing wrong with Ad-Aware.
But you should also be running Spybot---the free Windows Defender--and maybe some more spyware scanners---add SpywareBlaster as an almost zero-footprint blocker (3) Use some sort of process control.--WinPatrol---Cyberhawk--ProcessGuard--all of which will help prevent malware from installing without your permission.

There have also been many security threads on this forum in the past few weeks---very good for raising security concerns---but never forget---as our defenses get better---the bad guys then start working overtime to get better offenses---so they can get their crap on our computers for fun and profit.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Beyond the above advice...shut down when the machine isn't being used.

Seems like everybody forgot about Blaster...besides, shutting down extends the life of the machine.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Beyond the above advice...shut down when the machine isn't being used.

Then you can't leave downloads running or let other automated things run while you sleep.

Seems like everybody forgot about Blaster...besides, shutting down extends the life of the machine.

If you're behind a NAT device, attacks like Blaster are irrelevant unless you forward the affected ports to your machine. And even if shutting down makes the hardware live longer, it's not going to be by any amount that you'll notice; you'll almost certainly replace the stuff before it dies from normal use.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Originally posted by: Nothinman
Then you can't leave downloads running or let other automated things run while you sleep.
Thus the part where I said "when the machine isn't being used". If there is a purpose: run it. If there is no purpose: power down.

If you're behind a NAT device, attacks like Blaster are irrelevant unless you forward the affected ports to your machine.
There was a time people said Blaster wasn't realistic or possible.

If you secure it, they will come.

90% of the computing public don't know how to secure their machines, even in the most simplistic ways. For example, my MIL ignored my insistence to get a router before Comcast came over, and to call me before it was hooked up...you can imagine what happened next.
And even if shutting down makes the hardware live longer, it's not going to be by any amount that you'll notice; you'll almost certainly replace the stuff before it dies from normal use.
I watched three of my own power supplies lose their fans long before their useful lives ended. I lost GPU fans on two different cards, and saw two friends lose their GPU fans within a year of purchasing their cards. I lost my CPU fan on my old P5 (it ran too cool to be killed, tho). All except one PSU were discovered before permanent damage occurred...but most people don't catch the problem before a dead fan kills their hardware.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Thus the part where I said "when the machine isn't being used". If there is a purpose: run it. If there is no purpose: power down.

But there is always a purpose, especially with Vista, since I believe it does a decent amount of automatic housekeeping when the machine is idle. With XP, at the very least it defaults to downloading updates at 3 AM. Yes, it'll just download them the next time it's on if you shut it off, so that one's not a big deal, but it's the only one I can think of, and I don't have any XP machines to look at right now.

There was a time people said Blaster wasn't realistic or possible.

Yes, but as I said, if you're behind NAT, anything that requires a direct connection to you, like Blaster did, will fail unless you forward the relevant ports to your machine. Most attacks these days require intervention on your part to open a malicious email, website, etc.

90% of the computing public don't know how to secure their machines, even in the most simplistic ways. For example, my MIL ignored my insistence to get a router before Comcast came over, and to call me before it was hooked up...you can imagine what happened next.

I thought most ISPs gave you a NAT router with the modem these days. But yes, there's no doubt that most people need some basic education on security and common sense.

I watched three of my own power supplies lose their fans long before their useful lives ended. I lost GPU fans on two different cards, and saw two friends lose their GPU fans within a year of purchasing their cards. I lost my CPU fan on my old P5 (it ran too cool to be killed, tho). All except one PSU were discovered before permanent damage occurred...but most people don't catch the problem before a dead fan kills their hardware.

You seem to have extremely bad luck with regards to fans; maybe you just live in a very dusty area or something. I've got 4 machines here that are on 24x7, and I can only recall losing 1 fan, and I caught that before it did any damage to the video card because it made an annoying squealing sound.

 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Originally posted by: Nothinman
But there is always a purpose,
Thoroughly incorrect.
especially with Vista since I believe it does a decent amount of automatic house keeping when the machine is idle.
As with all previous versions of Windows, automatic maintenance can occur when the system is idle or scheduled for a specific time. "Idle" does not mean "while you are sleeping".
Yes but as I said, if you're behind NAT anything that requires a direct connection to you, like Blaster did, will fail unless you forward the relevant ports to your machine.
Today, you are correct. Tomorrow, you may not be. Again, did anyone think Blaster was possible before the 'net practically went offline? No.

Does everybody have a NAT? Heck no. Some people think they're just fine with a software firewall. Many more have no firewall at all.

Another thing: you also need to know how to manage ports, especially for the "learning" types of firewalls. Most people have no clue how to do this.
Most attacks these days require intervention on your part to open a malicious email, website, etc.
Most attacks in the old days required the exact same thing.
I thought most ISPs gave you a NAT router with the modem these days.
I was totally unaware most ISPs do this, never even heard of such a thing. Mine certainly didn't give me one (Comcast).
You seem to have extremely bad luck with regards to fans; maybe you just live in a very dusty area or something.
No...first, I've had a lot of fans cuz I've been doing this computer thing for a long time now. Second, they just die because they reached their MTBF from being left on 24/7, or the manufacturer went with the cheapest fan for their cheapest component. When I almost lost a videocard I wasn't ready to part with, that's when I decided to shut down whenever the system wasn't being used, and regularly check all fans.

 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Again, did anyone think Blaster was possible before the 'net practically went offline? No.

Uh, not sure where you're getting that from, but Blaster wasn't a surprise to any of us in the security biz.

 

Beatle34

Junior Member
Dec 31, 2006
5
0
0
Originally posted by: Slugbait
Originally posted by: Nothinman
You seem to have extremely bad luck with regards to fans; maybe you just live in a very dusty area or something.
No...first, I've had a lot of fans cuz I've been doing this computer thing for a long time now. Second, they just die because they reached their MTBF from being left on 24/7, or the manufacturer went with the cheapest fan for their cheapest component. When I almost lost a videocard I wasn't ready to part with, that's when I decided to shut down whenever the system wasn't being used, and regularly check all fans.

Haha, this is kinda funny. First of all most of these fans have like a 150,000 hour MTBF. That doesn't even mean what you think it means but it DOES mean that the fan is designed to run for like 10+ years 24/7.

This is the case unless you buy really cheap crap components. Personally having been dealing with computers at an advanced level for more than a decade, I have had more luck with reliability by leaving my computers on 24/7/365. I only shutdown when there is a very bad electrical storm or the like for equipment protection reasons. Having that many fans fail seems kinda strange to me too.

Cheers.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
As with all previous versions of Windows, automatic maintenance can occur when the system is idle or scheduled for a specific time. "Idle" does not mean "while you are sleeping".

If you want to really be pedantic you said "shut down when the machine isn't being used." which isn't the same as "shut it down before bed".

Today, you are correct. Tomorrow, you may not be. Again, did anyone think Blaster was possible before the 'net practically went offline? No.

Sure they did, maybe not the general public, but anyone with even a little bit of knowledge about how network connectivity works did. The sendmail worm thing in 1988 was worse than Blaster. Blaster is just more widely known because it happened after the Internet became more popular and it affected more client machines, so users were directly affected. There were plenty of exploits targeting listening daemons before Blaster, and there have been plenty since.

Does everybody have a NAT? Heck no. Some people think they're just fine with a software firewall. Many more have no firewall at all.

So? Many people also don't lock their doors at night, it's their decision and there's nothing we can do about that.

Most attacks in the old days required the exact same thing.

I doubt real numbers would support that since worms have been attacking daemons like Apache, bind and sendmail long before the client-side problematic technologies (HTML in email, ActiveX, etc) became so ubiquitous, but if someone can trick you into opening a malicious package you're screwed no matter what.

I was totally unaware most ISPs do this, never even heard of such a thing. Mine certainly didn't give me one (Comcast).

A friend of mine has Verizon and I can't remember if they did give him a NAT device or not, but the whole segment he's on is behind NAT so in his case it doesn't matter either way. So that's one example both ways.

No...first, I've had a lot of fans cuz I've been doing this computer thing for a long time now. Second, they just die because they reached their MTBF from being left on 24/7, or the manufacturer went with the cheapest fan for their cheapest component. When I almost lost a videocard I wasn't ready to part with, that's when I decided to shut down whenever the system wasn't being used, and regularly check all fans.

Two of the machines that I leave on 24x7 are somewhere around a decade old and their fans are still going strong. Granted I'm sure they haven't been on 24x7 for the entire decade but I've definitely had them running constantly for the past 4 years.
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
I think that most DSL companies give you a modem/router combo with NAT enabled by default.

I wouldn't know what cable companies do these days. The last time I had to deal with Comcast was about 6 years ago, when it wasn't even called Comcast. They just gave me a regular 3Com cable modem, but I've gotten a better one since, along with a NAT router.

Anyway, to answer the OP:

Be behind a NAT
Run as a user, not administrator
Run programs in restricted environments (sandbox/VM)
Disable image viewing in your e-mail app (by default)
Use Firefox or Opera, not IE
Make backups of your data and maybe even encrypt it (face it, nothing is ever completely secure)

Install Vista with BitLocker within a virtual machine and disable network access to that virtual machine. You'll be extremely hard-pressed to find anyone able to steal data from your VM.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
OK, fine. You folks obviously know far more about computer usage and security than I do. I shouldn't have replied at all, sorry.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Install Vista with BitLocker within a virtual machine and disable network access to that virtual machine. You'll be extremely hard-pressed to find anyone able to steal data from your VM.

I thought the BitLocker stuff required a TPM chip.
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
Originally posted by: Nothinman
Install Vista with BitLocker within a virtual machine and disable network access to that virtual machine. You'll be extremely hard-pressed to find anyone able to steal data from your VM.

I thought the BitLocker stuff required a TPM chip.

I'm not sure. You could always just use NTFS encryption as well. Just having an OS in a VM and disallowing network access alone will stop 99.9% of attempts, and encryption is just icing on the cake.
 

ForumMaster

Diamond Member
Feb 24, 2005
7,792
1
0
disable your network card! :Q

My computer is behind a router firewall plus the ZoneAlarm Internet Security Suite. I have never had any spyware/viruses. The most important part of your defense is to be smart. All the protection in the world can't help someone who opens things sent by unknown people from their email.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: ForumMaster
disable your network card! :Q

My computer is behind a router firewall plus the ZoneAlarm Internet Security Suite. I have never had any spyware/viruses. The most important part of your defense is to be smart. All the protection in the world can't help someone who opens things sent by unknown people from their email.
Actually, the combo of a Limited account and a disallowed Software Restriction Policy should protect them from executable files and such, unless the filetype isn't covered by the SRP.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: Nothinman
Install Vista with BitLocker within a virtual machine and disable network access to that virtual machine. You'll be extremely hard-pressed to find anyone able to steal data from your VM.

I thought the BitLocker stuff required a TPM chip.

As I recall, BitLocker can't be used in a VM by license (yea yea, I know, but I didn't write the license)
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
As I recall, BitLocker can't be used in a VM by license (yea yea, I know, but I didn't write the license)

Well it makes more sense to just encrypt the host filesystem holding the VM's disk images anyway, but telling you that you can't do it for no real reason seems kind of stupid.
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
Originally posted by: Nothinman
As I recall, BitLocker can't be used in a VM by license (yea yea, I know, but I didn't write the license)

Well it makes more sense to just encrypt the host filesystem holding the VM's disk images anyway, but telling you that you can't do it for no real reason seems kind of stupid.

How does the encryption really work though? Once you had a virus executed it seems like it could just open files and steal info just like on an unencrypted file system. I thought it was just encrypted to disk (and tied to your XP password) but other than that there was no password requests?
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
How does the encryption really work though? Once you had a virus executed it seems like it could just open files and steal info just like on an unencrypted file system. I thought it was just encrypted to disk (and tied to your XP password) but other than that there was no password requests?

Yea, with encrypted filesystems once you open them up they're open to any process that you run. They're for protecting against someone stealing your drives not protecting you from yourself.