Securing Windows XP

rasczak

what suggestions do you have for a newb trying to make XP more secure for a home computer?

i've already disabled telnet, set up account policies (pwd and acct lockout) and local policies (not displaying last names in the log on screen). both user accounts are just user accounts, with only one administrative account (renamed admin account as well).

but i want to make it more secure. (there are only two ppl who use this computer, myself and my wife) i'm careful with my browsing habits, but my wife is a click-aholic. :) i've got avg anti virus and anti rootkit installed, plus spybot for spyware. i've got a router/firewall in front plus windows firewall running. but I'm not sure which ports i should leave open aside from 80 and 443.

ideas are most welcome!
 

Lemon law

That subject is very well covered in the security resource thread which is a sticky at top on this forum. Inside you can also find John Malware guide and a plethora of other links.

But man with clickaholic wife advised to secure PC.

Two biggies.

a. Use non administrative account when surfing. With full software restriction policy if you have XP pro.

b. A better software firewall that combines a firewall and prevention. Comodo version three and online armor free cost nothing and offer some process control and HIPS. You will have to disable the SP2 firewall because you are limited to only one software firewall at a time. You can continue to use your hardware firewall.

I would recommend an AV with a better detection rate than AVG. Antivirus by Avira has a free version. But the free version lacks incoming e-mail prescanning. NOD32 and Kaspersky are both excellent but not freeware. But often you can find rebates on Kaspersky making it almost free. You should probably also add another spyware program. A2, AVG anti malware, and SUPERAntiSpyware all spring to mind as excellent freeware.
 

rasczak

Great stuff, thanks! I didn't realize they had that thread at the top. I had Kaspersky for a while but they changed versions on me (from free to non free lol) but I am not averse to paying for a great product.

thanks!
Joe

 

mechBgon

Here's a how-to for Software Restriction Policy, too: http://www.mechbgon.com/srp

If you have WinXP Home, then SRP isn't an option, but otherwise it's definitely worth trying out since you're on Limited user accounts already :thumbsup:

Whether you prefer IE or another browser for your own use, get your IE updated to IE7 for security reasons, if you didn't already. I also like to change the Privacy settings like this:

1) go to the Internet Options panel
2) go to the Privacy tab
3) set Privacy to Medium High and Apply
4) click the Advanced button and override automagic cookie handling, then allow first-party cookies and block third-party cookies

If you have antispyware apps that detect on tracking cookies, this should make them much happier :)

The bad guys do like exploiting stuff such as QuickTime, Adobe Reader, and other third-party apps through scripted attacks, so check that stuff periodically with the Secunia Personal Software Inspector for known vulnerabilities too.

Oh, and if the CPU supports hardware Data Execution Prevention, it couldn't hurt to fully enable that: enable DEP. You can add exceptions for legit software that has DEP problems.
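
Added example, not part of the thread: a small Python check for the DEP advice in the last post. It assumes XP SP2 or later, where the DEP level is set per boot entry by the `/noexecute=` switch in `boot.ini`; the sample file contents and the function name are constructed for illustration.

```python
import re

# Policy levels accepted by the XP SP2 /noexecute= boot switch.
POLICIES = {
    "optin": "DEP for essential Windows programs and services only",
    "optout": "DEP for all programs except listed exceptions",
    "alwayson": "DEP for all programs, no exceptions possible",
    "alwaysoff": "DEP disabled",
}
# Levels that count as "fully enabled" in the sense of the post above.
FULL = {"optout", "alwayson"}

# Constructed sample boot.ini (not taken from a real machine).
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP (DEP opt-out)" /fastdetect /NoExecute=OptOut
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP (safe mode)" /safeboot:minimal
"""

def dep_policies(boot_ini_text):
    """Return (description, policy or None, fully_enabled) for each OS entry."""
    results = []
    in_os_section = False
    for raw in boot_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        # Entry format: <ARC path>="<description>" <switches>
        m = re.match(r'[^=]+=\s*"([^"]*)"(.*)$', line)
        if not in_os_section or not m:
            continue
        sw = re.search(r"/noexecute=(\w+)", m.group(2), re.IGNORECASE)
        policy = sw.group(1).lower() if sw else None
        results.append((m.group(1), policy, policy in FULL))
    return results

if __name__ == "__main__":
    for desc, policy, full in dep_policies(SAMPLE_BOOT_INI):
        meaning = POLICIES.get(policy, "no recognised /noexecute switch on this entry")
        print(("OK    " if full else "CHECK ") + desc + ": " + meaning)
```

Choosing "Turn on DEP for all programs and services except those I select" in the System Properties performance options is what writes the `optout` level, which is the setting that still allows exceptions for software with DEP problems.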