
Windows XP Pro Security: The Essentials



By ghostghost

I don't need to tell you just how important security is; in fact, I don't even need to emphasize how crucial it is when you're running WINDOWS. Most likely, though, I do need to tell you how to properly secure that Windows XP machine you're running at home. All too often, people think that their XP security problems are just a download and install away from a fix, and nothing could be further from the truth. Beneath your anti-virus, anti-spyware, and software firewall programs, there are some real security issues that need to be addressed. As an added benefit, a number of these security fixes will boost your system's performance substantially.

Now that I’ve gotten your attention, let’s bolt through the disclaimer and get to the point.

Disclaimer: This article is geared towards securing Windows XP Pro. If you are running Windows XP Home, I cannot guarantee that all the steps below will work; you should still try them, though. Also, as should always be done with registry hacks, verify references and back up keys before modifying the registry; in every case, I have included a web reference for each registry change. I do not take responsibility for you not knowing what you're doing or anything you break as a result.

Alright, with that out of the way, let's get to step 1:  Unplug your network cable.  Why, you ask?  From now until you get to the end of this article, you MUST assume that your computer is not secure.  Only at the end will you have the proper measures in place to have confidence in your system again.  So, go ahead and unplug it.

Account Defaults

By default, there are a number of settings that put your Administrative powers in Windows XP at risk of being hijacked.  While these steps will not completely prevent this, they will certainly make it considerably more difficult for your Admin account to be compromised.

We're going to start by taking care of the two primary target accounts:  namely, the Guest and Administrator accounts.  Open Computer Management (Start, right-click My Computer, Manage or Start, Administrative Tools, Computer Management), expand Local Users and Groups, and click the Users folder; this will list all of the users on your computer.  

As a basic first step, make sure the Guest account is disabled (it should have a red circle with an ‘x’ in the middle); if it is not disabled, disable it now by right-clicking Guest, clicking Properties, and clicking the checkbox labeled ‘Account is disabled’. Also, right-click Guest and click Set Password, then put in an insanely-complex 15-character password as the password. Don’t worry, you don’t need to remember this password, since this account will not be used; also, you should probably type your complex password in Notepad, then copy and paste it into both password fields so that you can make sure they will match. Disabling the Guest account prevents any logins with it, and setting a complex password hinders accessing anything in any other way.

Next, we're going to rename the Administrator account and put a dummy account in its place. Right-click Administrator, click Rename, and type in whatever you want your Administrator account to be named; just so you know, this will NOT be the account that you use regularly, so name it accordingly. Then, right-click an open area in the Users folder and click 'New User', putting 'Administrator' as the User name and a second insanely-complex 15-character password (different from the one above) as the password. Again, you don't need to remember this password, since this account will be your dummy account (not an actual Administrator); also, use the Notepad tip from above. Click Create, then Close to get back to the Users folder; now, right-click the account you just created and click Properties. Click the 'Member Of' tab, click the Add button, click Advanced, and click Find Now; this will bring up a list of all the user groups on your machine. Click 'Guests' and click OK twice. Now that Guests has been added to the group list, you can click Users and click Remove to leave your new 'Administrator' account with measly Guest privileges.

Finally, you're going to audit any remaining user accounts that belong to normal users on that system. You want to make sure that no other accounts are members of the Administrators group (except for the one that you renamed from Administrator above). To use administrative privileges from now on, you can right-click any executables or shortcuts, click 'Run as...', and supply the Admin account's credentials; this is similar to the common tip in Linux that you should only switch to the root user when absolutely needed. Don't log out now, though; there's still work left to be done.
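The same Guest, decoy-Administrator and audit steps, done from a command prompt with the built-in NET commands instead of the Computer Management dialogs. This is an added example, not part of the original article. It assumes you have already renamed the real Administrator account in Computer Management (NET USER cannot rename an account), that you run it from an account that is still in the Administrators group, and that you replace the two placeholder passwords with your own 15-character strings.

```batch
@echo off
rem Added example (not from the article): Guest / decoy Administrator setup
rem and audit with NET USER / NET LOCALGROUP.
rem Assumption: the real Administrator account has ALREADY been renamed in
rem Computer Management, so the name "Administrator" is free for the decoy.
setlocal

rem Placeholders: replace with two different 15+ character passwords.
set GUEST_PW=REPLACE-WITH-15-CHAR-PASSWORD-1
set DECOY_PW=REPLACE-WITH-15-CHAR-PASSWORD-2

rem --- Guest: set a long password, then disable the account ----------------
rem /y answers the "password is longer than 14 characters" confirmation prompt.
net user Guest %GUEST_PW% /y
net user Guest /active:no

rem --- Decoy "Administrator": create it, then move it from Users to Guests --
net user Administrator %DECOY_PW% /add /comment:"Decoy account, no privileges" /y
net localgroup Guests Administrator /add
net localgroup Users Administrator /delete

rem --- Audit --------------------------------------------------------------
rem Expected: Guest shows "Account active   No"; the Administrators group
rem lists only your renamed admin account; the decoy is in Guests only.
echo.
echo === Guest account state ===
net user Guest | find /i "Account active"
echo.
echo === Members of Administrators (should be only your renamed admin) ===
net localgroup Administrators
echo.
echo === Group memberships of the decoy Administrator (should be *Guests) ===
net user Administrator | find /i "Group Memberships"
endlocal
```

If the "net user Administrator ... /add" line reports that the account already exists, the real Administrator has not been renamed yet; stop and do the rename first, otherwise the remaining lines would strip privileges from the wrong account.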

The Evil Administrative Shares and The Weak LM Hashing

By default, Windows openly shares local hard drives, the C:\Windows folder, and a few other hidden utility shares.  Naturally, you do not want these to be shared, as they provide targets of attack.  Thankfully, there is a quick registry hack that can solve this problem; for both of the registry hacks listed in this section, the format will be:

Registry Key
Added or Changed Key Name (Type) = New Value
Reference Website

Also, when you see HKLM, it refers to the starting key HKEY_LOCAL_MACHINE.  If the key does not exist, you need to create it as the type listed; this can be done by opening regedit (Start, Run, regedit), browsing to the registry key listed, right-clicking on an open area in the right-hand pane, highlighting New, and clicking the type as listed.  To change the value, just double-click the new key after it is created.  Finally, you will need to restart your computer for these registry changes to take effect (no need to restart until you're done).  Now, for the default shares:

HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
'AutoShareWks' (DWORD) = 0
http://www.petri.co.il/disable_administrative_shares.htm

As a final note on disabling the default shares, you may have programs that require some of those default shares to operate correctly.  Thankfully, there shouldn't be that many programs that do; if one does, just try re-enabling the ADMIN$ or C$ shares first.

Now that we've taken care of those pesky default shares, let's move on to the weakness of LM hashing.  By default, Windows XP stores LM hashes in addition to the NTLMv2 hashes that are used for hashing user credentials; LM hashes are mainly in place for compatibility with older versions of Windows.  I personally haven't found any need for them and, as they are a large security risk, we'll go ahead and disable LM hashing with the following registry key:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
'NoLMHash' (DWORD) = 1
http://support.microsoft.com/default.aspx/kb/299656

Now our system will default to the stronger NTLMv2 hashing mechanism; as such, people will find it *much* harder to crack the hashes contained in the SAM file.  In fact, without hashtables, it's going to take a long, LONG time.

Remote Assistance and Remote Desktop

Again by default, Windows XP has Remote Assistance enabled.  This, along with Remote Desktop, poses an obvious security risk; after all, how many times do we hear about RDP being a target of attack on a Windows system?  We'll just disable them both by turning them off in the System Configuration (Windows key + Pause/Break or Start, right-click My Computer, Properties).  Click the Remote tab and uncheck both checkboxes.  Simple!
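The two registry changes from the previous section (AutoShareWks and NoLMHash) and the two Remote tab checkboxes from this one, applied with REG.EXE after backing up each key, then read back for verification. This is an added example and not the article's own material. The fDenyTSConnections and fAllowToGetHelp values are the registry equivalents of the Remote Desktop and Remote Assistance checkboxes as I know them from Microsoft's documentation; they are not listed in the article, so treat them as an assumption and confirm the Remote tab shows both boxes unchecked after the reboot.

```batch
@echo off
rem Added example (not from the article): AutoShareWks, NoLMHash and the
rem Remote tab settings via REG.EXE, with key backups and verification.
rem Run from an account in the Administrators group; reboot afterwards.
setlocal
set BACKUP=%USERPROFILE%\regbackup-%RANDOM%
mkdir "%BACKUP%"

set KEY_LANMAN=HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
set KEY_LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
rem The next two keys are assumed from Microsoft documentation, not from the article.
set KEY_TS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
set KEY_RA=HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance

rem --- 1. Back up every key before touching it (restore with: reg import file.reg)
reg export "%KEY_LANMAN%" "%BACKUP%\LanManServer.reg"
reg export "%KEY_LSA%"    "%BACKUP%\Lsa.reg"
reg export "%KEY_TS%"     "%BACKUP%\TerminalServer.reg"
reg export "%KEY_RA%"     "%BACKUP%\RemoteAssistance.reg"
echo Backups written to %BACKUP%

rem --- 2. Apply the changes ------------------------------------------------
rem Stop C$, ADMIN$ and the other default shares from being recreated at boot
reg add "%KEY_LANMAN%" /v AutoShareWks /t REG_DWORD /d 0 /f
rem Stop storing the weak LM hash (takes effect for each account at its next password change)
reg add "%KEY_LSA%" /v NoLMHash /t REG_DWORD /d 1 /f
rem Remote tab: fDenyTSConnections=1 turns Remote Desktop off,
rem             fAllowToGetHelp=0 turns Remote Assistance off
reg add "%KEY_TS%" /v fDenyTSConnections /t REG_DWORD /d 1 /f
reg add "%KEY_RA%" /v fAllowToGetHelp /t REG_DWORD /d 0 /f

rem --- 3. Verify: each query should print the value just set --------------
reg query "%KEY_LANMAN%" /v AutoShareWks
reg query "%KEY_LSA%"    /v NoLMHash
reg query "%KEY_TS%"     /v fDenyTSConnections
reg query "%KEY_RA%"     /v fAllowToGetHelp

echo After rebooting, run "net share": C$ and ADMIN$ should no longer be listed.
endlocal
```

One caveat worth knowing for the NoLMHash change: the setting only stops new LM hashes from being written, so the LM hash of an existing account stays in the SAM until that account's password is changed. Change the passwords of your admin account and any other real accounts after the reboot to get the full benefit.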

Windows XP Services and Startup

Disclaimer: All services recommendations are just that: recommendations. If you find that some of your programs do not operate as they should (or at all), you may need to change the settings on some services. In this situation, you should be able to find enough information online.

Okay, now we’re getting into the more involved stuff. While it’s not difficult at all, it’s important to be meticulous here, as you do not want any services running that you don’t need. I’m going to split up the services into ones that you should disable completely and ones that you should set to Manual; to save space, I will not address services that can be left at their default setting, unless it is imperative that they be disabled.

To turn on / turn off services in Windows XP, you want to get to the Services window; this can be reached the easiest by clicking Start, Run, and typing 'services.msc'.  Before I start, you should always question the information you're given; that being said, if you wonder what a service does, read the description (double-click the service) or Google the service.  Now for the lists:

Disable: Alerter, Automatic Updates, Clipbook, Distributed Link Tracking Client, Distributed Transaction Coordinator, Error Reporting, Fast User Switching Compatibility, Help and Support, Indexing Service, IPSEC services, Machine Debug Manager, Messenger, Net Logon, NetMeeting Remote Desktop Sharing, Network DDE, Network DDE DSDM, NT LM Security Support Provider, Performance Logs and Alerts, Portable Media Serial Number, Protected Storage, QoS RSVP, Remote Desktop Help Session Manager, Remote Registry, Routing and Remote Access, Server, Smart Card, Smart Card Helper, SSDP Discovery, System Event Notification, System Restore, TCP/IP NetBIOS Helper, Telnet, Terminal Services, Themes, Uninterruptible Power Supply, Universal Plug and Play Device Host, Windows Image Acquisition, Wireless Zero Configuration

Manual: Application Management, Background Intelligent Transfer, Computer Browser, DHCP Client, Human Interface Device Access, Network Location Awareness, Print Spooler, Remote Procedure Call (RPC) Locator, Removable Storage, Security Accounts Manager, Shell Hardware Detection, Upload Manager, Volume Shadow Copy, WebClient, Windows Installer, Windows Management Instrumentation Driver Extension, Windows Management Instrumentation Performance Adapter

Reference Websites:
http://www.scribd.com/doc/128816/Windows-XP-Services-That-Can-Be-Disabled
http://www.majorgeeks.com/page.php?id=13

To finish cleaning out our excess processes, we're going to sift through the listings in our Startup entries and Startup folder.  For the Startup entries, click Start, Run, and type 'msconfig'; this will open the System Configuration Utility, in which you will click the Startup tab.  The great thing about this set of startup items is that none of them are absolutely essential so, really, you could disable all of the startup items and still be able to function.  You'll want to look at each of the listed processes, figure out what they do (expanding the Command column if necessary), and uncheck anything you don't absolutely need or recognize.  In most cases, the only things that should be checked are your anti-malware programs (AV, AS, 3rd party firewall), their update utilities, and your anonymous browsing tools (Tor, Privoxy, etc.).  All of the Windows / Microsoft entries can be unchecked, as well as any messenger programs, CD / DVD burning programs, and any other non-essential entries.  This will give you the freedom to only start those programs when needed, which will save system resources.  Similarly, for the Startup folder (click Start, All Programs, Startup), make sure there aren't any unwanted or unneeded programs listed.  
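The services lists and the startup audit above, scripted with SC.EXE and REG.EXE so the changes are repeatable and reviewable. This is an added example, not the article's own; it covers only a subset of the services listed, because SC needs the internal service (key) name rather than the display name shown in services.msc, and the mapping below is from my own knowledge of XP rather than from the article. Resolve any further display name with "sc getkeyname" before adding it.

```batch
@echo off
rem Added example (not from the article): set a subset of the listed services
rem to Disabled / Manual with SC, then list what msconfig's Startup tab shows.
rem SC takes the service key name, not the display name; to look one up:
rem     sc getkeyname "Remote Registry"      -> Name = RemoteRegistry
setlocal

rem Display name -> key name (assumed mapping, from the author's XP knowledge)
rem Alerter=Alerter   Messenger=Messenger   Remote Registry=RemoteRegistry
rem Telnet=TlntSvr    SSDP Discovery=SSDPSRV   Universal PnP Device Host=upnphost
rem Terminal Services=TermService   Clipbook=ClipSrv   Indexing Service=cisvc
rem NetMeeting Remote Desktop Sharing=mnmsrvc   Routing and Remote Access=RemoteAccess
rem Remote Desktop Help Session Manager=RDSessMgr   Error Reporting=ERSvc
set DISABLE=Alerter Messenger RemoteRegistry TlntSvr SSDPSRV upnphost TermService ClipSrv cisvc mnmsrvc RemoteAccess RDSessMgr ERSvc

rem Computer Browser=Browser   WebClient=WebClient   Print Spooler=Spooler
rem Windows Installer=MSIServer   Removable Storage=NtmsSvc   Upload Manager=uploadmgr
set MANUAL=Browser WebClient Spooler MSIServer NtmsSvc uploadmgr

rem "start= disabled" / "start= demand": the space after "=" is required by SC.
for %%s in (%DISABLE%) do (
    sc config %%s start= disabled >nul && echo disabled: %%s || echo NOT FOUND: %%s
    sc stop %%s >nul 2>&1
)
for %%s in (%MANUAL%) do (
    sc config %%s start= demand >nul && echo manual:   %%s || echo NOT FOUND: %%s
)

rem --- Startup entries: the same sources msconfig and the Startup folder show
echo.
echo === HKLM Run ===
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
echo === HKCU Run ===
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
echo === Startup folders ===
dir /b "%USERPROFILE%\Start Menu\Programs\Startup"
dir /b "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
endlocal
```

Anything printed as NOT FOUND simply is not installed on that machine (Telnet and NetMeeting are often absent), so the loop keeps going rather than stopping. The Run key listings are the place to confirm that nothing you unchecked in msconfig has put itself back.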

Windows Firewall

If you haven't already installed Service Pack 2, do so now; trust me, it's an improvement.  In addition to other improvements, Service Pack 2 comes with the built-in Windows Firewall, which performs some basic firewall functions (program & port connectivity); while it's rather mediocre as far as firewalls go, it does add another layer of protection.  To access Windows Firewall, click Start, Control Panel, Windows Firewall.  When it opens, click the 'On (recommended)' radio button and make sure that 'Don't allow exceptions' is unchecked.  Next, click the Exceptions tab, where you will find all of the program and port settings.  Before you do anything else, uncheck 'File and Printer Sharing' and 'UPnP Framework'; you don't want those allowed at all.  Now, go through all of the listings and decide if you really use / need them.  For everything that you don't need or use, uncheck it and it will no longer be allowed to make outside connections.  

Finally, to round out the firewall settings, click the Advanced tab, highlight your network interface (usually ‘Local Area Connection’, possibly followed by a number) and click Settings. This will allow you to configure allowances for services and ICMP (inbound and outbound ping packets). This is real simple, so I’m only going to say this once: uncheck everything in both tabs. You don’t need any of it right now (but remember it’s here just in case you run a web server or anything).
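The firewall settings from the two paragraphs above, applied through the "netsh firewall" context that ships with XP SP2 instead of the Control Panel dialog. This is an added example and not from the article; it assumes SP2 or later and an Administrators account, and it turns on the firewall's dropped-packet log as an extra step the article does not mention, so that you can later see what is being blocked.

```batch
@echo off
rem Added example (not from the article): Windows Firewall via netsh (XP SP2+).

rem General tab: "On (recommended)" with "Don't allow exceptions" unchecked
netsh firewall set opmode mode = ENABLE exceptions = ENABLE

rem Exceptions tab: File and Printer Sharing and UPnP Framework off.
rem Remote Desktop is disabled too, matching the Remote tab change earlier.
netsh firewall set service type = FILEANDPRINT mode = DISABLE
netsh firewall set service type = UPNP mode = DISABLE
netsh firewall set service type = REMOTEDESKTOP mode = DISABLE

rem Advanced tab, ICMP: uncheck everything (no replies to pings, etc.)
netsh firewall set icmpsetting type = ALL mode = DISABLE

rem Not in the article: log dropped packets so blocks can be reviewed later
netsh firewall set logging filelocation = %SystemRoot%\pfirewall.log droppedpackets = ENABLE

rem Review: overall state, then the program exceptions still allowed
netsh firewall show state
netsh firewall show allowedprogram
netsh firewall show config
```

The "show allowedprogram" output is the per-program part of the Exceptions tab; anything listed there that you decided you do not need can be removed with "netsh firewall delete allowedprogram program = <full path>", which is the command-line equivalent of unchecking it.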

Automatic Updates, System Restore, and Error Reporting

This is really simple:  you want to disable all of them.  System Restore is a resource hog (and is no more useful than regular backups) and no one EVER agrees to send Microsoft anything when that stupid Error Reporting window comes up.  Also, too many times, I've seen a 'hotfix' screw up something; you need the freedom to choose what updates are installed on your computer.  More on that in the section below but, for right now, let's get into System Properties again (Windows key + Pause/Break or Start, Control Panel, System).  Click the Automatic Updates tab and click the radio button that says 'Turn off Automatic Updates'.  Now, click the System Restore tab and check the 'Turn off System Restore on all drives' checkbox.  Finally, click the Advanced tab, Error Reporting (at the bottom), and click the radio button that says 'Disable error reporting'; leave the checkbox under it checked, though, just in case.

Scheduled Maintenance

Well, this is the last section of this article and, fittingly, it ties up all of the loose ends.  You've done all of the manual work to secure your system; now, it's time to do some automated recovery and maintenance.  For the first few steps, we're going to be using the built-in Task Scheduler (Start, All Programs, Accessories, System Tools, Scheduled Tasks) to schedule our regular maintenance.  We'll run through the basic operation of the Task Scheduler, then I'll go into detail about what we'll be scheduling.

To schedule a task, double-click 'Add Scheduled Task'.  Click Next, then you'll see a listing of the common programs on your computer.  Go ahead and have a look at the list, since it is pretty extensive.  Once you pick a program (or browse for one), click Next and you can choose a name for the scheduled task and the frequency with which it will occur.  Once you set those, click Next and you get to pick the start time and start day, mainly.  Clicking Next again, you get to the part where you can supply user credentials if needed; it's likely that you'll need them for the tasks you're about to schedule, so you'll want to enter your renamed admin user's credentials here.  Click Next and Finish, and you have a scheduled task.

First, we want to schedule a task that opens Windows Update every week so that we can pick and choose our updates.  When creating the task, choose 'Windows Update' as the program that you want to run.  Set it for Weekly and remember to put in your admin credentials; also, remember to schedule it for a time when you'll see it so that you can manually update.

Next, we want to take good care of our hard drives by running Defrag on them every week.  Pop open a Notepad window and type in 'defrag' followed by the drive letter of your first hard drive; do this on separate lines for each hard drive in your system.  Save the file with a filename that ends in .bat, which will create a batch file.  Now, create the scheduled task and, when it gets to the part where you need to pick a program, click Browse and choose the batch file you just created.  This time, you can set it to run weekly at a time that you won't be at your computer (as long as the computer will be on).

Third, we need to schedule AV (anti-virus) and AS (anti-spyware) scans.  Ideally, these scans should happen no less than every 12 hours; personally, I run these scans every 3 hours (because I'm paranoid).  Do these tasks just like the ones above, using your AV and AS programs as the program to run.  For each of these two tasks, right-click the task, click Properties, click the Schedule tab, and click Advanced.  Here, you can specify a smaller interval than daily.  We'll do that now by checking 'Repeat task', changing the number by 'Every:' to the number of hours (your choice), changing the drop-down beside it to say 'hours', and changing the number by 'Duration:' to be at least 2 hours.  Not so bad, eh?

Finally, we want to schedule a weekly backup of our OS and any important files to an alternate location (a second hard drive or USB external drive).  Let's go ahead and open up Windows Backup:  Click Start, All Programs, Accessories, System Tools, Backup.  When the window comes up, click the 'Advanced Mode' link and click the Scheduled Jobs tab; then, you will click the 'Add Job' button at the bottom.  As there are quite a few steps after this, I'm going to quickly highlight the important considerations:
  1. Back up selected files or drives
  2. Use ‘Normal’ or ‘Copy’ backup type, and tell it to verify the backup
  3. Unless you have the space, have your backups overwrite the previous one
  4. Schedule the task to run Weekly on a slow day of the week (like Sunday)
  5. Set it to wake the computer to run the backup, in case it’s in standby (likely)
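The four maintenance jobs from this section (Windows Update, defrag, AV/AS scans, weekly backup), created with SCHTASKS and NTBACKUP instead of the wizards, including the defrag batch file the article has you write in Notepad. This is an added example, not the article's own. It assumes the renamed admin account is called "xpadmin", that the hard drives are C: and D:, that E:\backup is the backup target, and that wupdmgr.exe (the XP program that opens Windows Update) and the two scanner paths are replaced with whatever you actually run; SCHTASKS prompts for the account password because /rp is omitted.

```batch
@echo off
rem Added example (not from the article): the scheduled maintenance jobs via
rem SCHTASKS and NTBACKUP. Assumptions to replace: account "xpadmin", drives
rem C: and D:, backup target E:\backup, and the two scanner paths.
rem XP's SCHTASKS expects start times as HH:MM:SS.
setlocal
set ADMIN=xpadmin
set MAINT=C:\maint
mkdir "%MAINT%" 2>nul

rem --- defrag.bat: one "defrag <drive>" line per hard drive (-f forces it
rem     even when free space is low) --------------------------------------
(
    echo @echo off
    echo defrag C: -f
    echo defrag D: -f
) > "%MAINT%\defrag.bat"

rem --- 1. Windows Update, weekly, at a time you will be at the keyboard ---
rem wupdmgr.exe is assumed to be the XP Windows Update launcher.
schtasks /create /tn "Windows Update check" /tr "%SystemRoot%\system32\wupdmgr.exe" ^
    /sc weekly /d MON /st 18:00:00 /ru %ADMIN%

rem --- 2. Defrag, weekly, while you are away but the machine is on --------
schtasks /create /tn "Weekly defrag" /tr "%MAINT%\defrag.bat" ^
    /sc weekly /d SAT /st 03:00:00 /ru %ADMIN%

rem --- 3. AV and AS scans every 3 hours (HOURLY with modifier 3) ----------
rem Placeholder paths (no spaces, so no quoting inside /tr is needed).
schtasks /create /tn "AV scan" /tr "C:\YourAV\scan.exe /all" ^
    /sc hourly /mo 3 /st 00:00:00 /ru %ADMIN%
schtasks /create /tn "AS scan" /tr "C:\YourAS\scan.exe /full" ^
    /sc hourly /mo 3 /st 01:30:00 /ru %ADMIN%

rem --- 4. Weekly Normal backup of C: plus system state, verified, and
rem     overwriting the previous .bkf (no /a = no append) -----------------
mkdir E:\backup 2>nul
schtasks /create /tn "Weekly backup" /sc weekly /d SUN /st 02:00:00 /ru %ADMIN% ^
    /tr "ntbackup backup systemstate C:\ /j Weekly /f E:\backup\weekly.bkf /m normal /v:yes"

rem Review what was created
schtasks /query /v /fo LIST
endlocal
```

Step 5 of the backup list (waking the computer from standby) has no SCHTASKS switch on XP; open the "Weekly backup" task's Properties, Settings tab, and tick "Wake the computer to run this task" after the script has created it.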

Completed the Essentials

Well, we've gotten all of the essential steps out of the way and, as such, this concludes Part 1 of my 'Windows XP Essential Security and Performance' article.  Hopefully, I will be able to follow this one up soon with another article to address (or begin to address) recommended practices with browsing, email, file sharing, and other common activities in Windows XP.  Hope you all enjoyed it!

Comments
korg 16 years ago

I think he means they're defaulted as on but can still be removed with no problems.

ghost 16 years ago

I saw some stuff on defragging in the comments and I must say: "Why in the name of God would you not want to defrag?" If you're that worried about your drive being "over stressed", make backups! (Do that anyway.) And use RAID 1. Defragmenting after deleting/installing an application or doing any kind of maintenance will increase overall system performance; your AV scanner will work faster also. Korg: Mate, even if you have an amazing box, why waste it on crap services you don't need anyway, and slow it down by not performing the most basic of maintenance?

korg 16 years ago

@PureEvil: Read what I posted: defragging will not speed your box up to where you'll notice it. Same with shutting down services. Defrag when needed (if you do see problems, or every so often depending on what you do) and, as I posted, always back up. And RAID 0 is better for performance.

ghost 16 years ago

What I don't get here is the following: if Guest or any other account is disabled, how can anything be accessed with it? Anyway, I do this somewhat differently: I use group policy and remove any accounts from "Access this computer from network". Same goes with shares. Can anyone tell me whether this protects anything, because I'm not so sure now. Thanks, bye.

ghost 16 years ago

And yes, I forgot: renaming accounts is good, but the SID remains.

ghost 16 years ago

There's nothing wrong with doing things that will keep performance constant, rather than "speeding it up". I agree that RAID 1 and backups are a bit overkill… RAID 0 will go faster and, for home use, the mirrored redundancy isn't needed. global, for the disabled accounts, it is not possible to log in to the machine, but it may still be possible to access networked resources on that machine. As mentioned above, Group Policy was outside of the scope of this article; if I have time in the near future, I will be writing an article on W2K3 security through AD and GPOs. A lot of that article will end up useful to Windows XP users in some ways, too. As for the SID remaining… I know of that, but I'm not aware of any way that it could be used pre-authentication. I will have to look into that.

ghost 16 years ago

Hi Zephyr_Pure, I also don't have any "exotic" use of the SID for auth. on my mind. I meant it could be used to find the original admin account, and I guess there's no defence against it?!? Thanks for the reply.

ghost 16 years ago

Very interesting read. Not sure I would use such lengths to free up resources but I understood the functionality of everything you posted. Helped me out a lot.