Windows XP Pro Security: The Essentials
Windows XP Pro Security: The Essentials
I don’t need to tell you just how important security is’ in fact, I don’t even need to emphasize how crucial it is when you’re running WINDOWS. Most likely, though, I do need to tell you how to properly secure that Windows XP machine you’re running at home. All too often, people think that their XP security problems are just a download and install away from a fix’ and nothing could be further from the truth. Beneath your anti-virus, anti-spyware, and software firewall programs’ there are some real security issues that need to be addressed. As an added benefit, a number of these security fixes will boost your system’s performance substantially.
Now that I’ve gotten your attention, let’s bolt through the disclaimer and get to the point.
Disclaimer: This article is geared towards securing Windows XP Pro. If you are running Windows XP Home, I cannot guarantee that all the steps below will work; you should still try them, though. Also, as should always be done with registry hacks, verify references and backup keys before modifying the registry; in every case, I have included a web reference for each registry change. I do not take responsibility for you not knowing what you’re doing or anything you break as a result.
Alright, with that out of the way, let's get to step 1: Unplug your network cable. Why, you ask? From now until you get to the end of this article, you MUST assume that your computer is not secure. Only at the end will you have the proper measures in place to have confidence in your system again. So, go ahead and unplug it.
Account Defaults
By default, there are a number of settings that put your Administrative powers in Windows XP at risk of being hijacked. While these steps will not completely prevent this, they will certainly make it considerably more difficult for your Admin account to be compromised.
We're going to start by taking care of the two primary target accounts: namely, the Guest and Administrator accounts. Open Computer Management (Start, right-click My Computer, Manage or Start, Administrative Tools, Computer Management), expand Local Users and Groups, and click the Users folder; this will list all of the users on your computer.
As a basic first step, make sure the Guest account is disabled (it should have a red circle with an ‘x’ in the middle); if it is not disabled, disable it now by right-clicking Guest, clicking Properties, and clicking the checkbox labeled ‘Account is disabled’. Also, right-click Guest and click Set Password, then put in an insanely-complex 15-character password as the password. Don’t worry, you don’t need to remember this password, since this account will not be used; also, you should probably type your complex password in Notepad, then copy and paste it into both password fields so that you can make sure they will match. Disabling the Guest account prevents any logins with it, and setting a complex password hinders accessing anything in any other way.
Next, we’re going to rename the Administrator account and put a dummy account in its place. Right-click Administrator, click Rename, and type in whatever you want your Administrator account to be named; just so you know, this will NOT be the account that you use regularly, so name it accordingly. Then, right-click an open area in the Users folder and click ‘New User,’ putting ‘Administrator’ as the User name and an (different from the one above) insanely-complex 15-character password as the password. Again, you don’t need to remember this password, since this account will be your dummy account (not an actual Administrator); also, use the Notepad tip from above. Click Create, then Close to get back to the Users folder; now, right-click the account you just created and click Properties. Click the ‘Member Of’ tab, click the Add button, click Advanced, and click Find Now; this will bring up a list of all the user groups on your machine. Click ‘Guests’ and click OK twice. Now that Guests have been added to the group list, you can click Users and click Remove to leave your new ‘Administrator’ account with measly Guest privileges.
Finally, you’re going to audit any remaining user accounts that belong to normal users on that system. You want to make sure that no other accounts are members of the Administrators group (except for the one that you renamed from Administrator above). To use administrative privileges from now on, you can right-click any executables or shortcuts, click ‘Run as’’, and supply the Admin account’s credentials; this is similar to the common tip in Linux that you should only switch to the root user when absolutely needed. Don’t log out now, though; there’s still work left to be done.
The Evil Administrative Shares and The Weak LM Hashing
By default, Windows openly shares local hard drives, the C:\Windows folder, and a few other hidden utility shares. Naturally, you do not want these to be shared, as they provide targets of attack. Thankfully, there is a quick registry hack that can solve this problem; for both of the registry hacks listed in this section, the format will be:
Registry Key Added or Changed Key Name (Type) = New Value Reference Website
Also, when you see HKLM, it refers to the starting key HKEY_LOCAL_MACHINE. If the key does not exist, you need to create it as the type listed; this can be done by opening regedit (Start, Run, regedit), browsing to the registry key listed, right-clicking on an open area in the right-hand pane, highlighting New, and clicking the type as listed. To change the value, just double-click the new key after it is created. Finally, you will need to restart your computer for these registry changes to take effect (no need to restart until you're done. Now, for the default shares:
HKLM/System/CurrentControlSet/Services/LanManServer/Parameters ‘AutoShareWks’ (DWORD) = 0 http://www.petri.co.il/disable_administrative_shares.htm
As a final note on disabling the default shares, you may have programs that require some of those default shares to operate correctly. Thankfully, there shouldn't be that many programs that do; if one does, just try re-enabling the $ADMIN or C$ shares first.
Now that we've taken care of those pesky default shares, let's move on to the weakness of LM hashing. By default, Windows XP stores LM hashes in addition to the NTLMv2 hashes that are used for hashing user credentials; LM hashes are mainly in place for compatibility with older versions of Windows. I personally haven't found any need for them and, as they are a large security risk, we'll go ahead and disable LM hashing with the following registry key:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa ‘NoLMHash’ (DWORD) = 1 http://support.microsoft.com/default.aspx/kb/299656
Now our system will default to the stronger NTLMv2 hashing mechanism; as such, people will find it *much* harder to crack the hashes contained in the SAM file. In fact, without hashtables, it's going to take a long, LONG time.
Remote Assistance and Remote Desktop
Again by default, Windows XP has Remote Assistance enabled. This, along with Remote Desktop, poses an obvious security risk; after all, how many times do we hear about RDP being a target of attack on a Windows system? We'll just disable them both by turning them off in the System Configuration (Windows key + Pause/Break or Start, right-click My Computer, Properties). Click the Remote tab and uncheck both checkboxes. Simple!
Windows XP Services and Startup
Disclaimer: All services recommendations are just that’ recommendations. If you find that some of your programs do not operate as they should (or at all), you may need to change the settings on some services. In this situation, you should be able to find enough information online.
Okay, now we’re getting into the more involved stuff. While it’s not difficult at all, it’s important to be meticulous here, as you do not want any services running that you don’t need. I’m going to split up the services into ones that you should disable completely and ones that you should set to Manual; to save space, I will not address services that can be left at their default setting, unless it is imperative that they be disabled.
To turn on / turn off services in Windows XP, you want to get to the Services window; this can be reached the easiest by clicking Start, Run, and typing 'services.msc'. Before I start, you should always question the information you're given; that being said, if you wonder what a service does, read the description (double-click the service) or Google the service. Now for the lists:
Disable Alerter, Automatic Updates, Clipbook, Distributed Link Tracking Client, Distributed Transaction Coordinator, Error Reporting, Fast User Switching Compatibility, Help and Support, Indexing Service, IPSEC services, Machine Debug Manager, Messenger, Net Logon, NetMeeting Remote Desktop Sharing, Network DDE, Network DDE DSDM, NT LM Security Support Provider, Performance Logs and Alerts, Portable Media Serial Number, Protected Storage, QoS RSVP, Remote Desktop Help Session Manager, Remote Registry, Routing and Remote Access, Server, Smart Card, Smart Card Helper, SSDP Discovery, System Event Notification, System Restore, TCP/IP NetBIOS Helper, Telnet, Terminal Services, Themes, Uninterruptible Power Supply, Universal Plug and Play Device Host, Windows Image Acquisition, Wireless Zero Configuration
Manual Application Management, Background Intelligent Transfer, Computer Browser, DHCP Client, Human Interface Device Access, Network Location Awareness, Print Spooler, Remote Procedure Call (RPC) Locator, Removable Storage, Security Accounts Manager, Shell Hardware Detection, Upload Manager, Volume Shadow Copy, WebClient, Windows Installer, Windows Management Instrumentation Driver Extension, Windows Management Instrumentation Performance Adapter
Reference Websites: http://www.scribd.com/doc/128816/Windows-XP-Services-That-Can-Be-Disabled http://www.majorgeeks.com/page.php?id=13
To finish cleaning out our excess processes, we're going to sift through the listings in our Startup entries and Startup folder. For the Startup entries, click Start, Run, and type 'msconfig'; this will open the System Configuration Utility, in which you will click the Startup tab. The great thing about this set of startup items is that none of them are absolutely essential so, really, you could disable all of the startup items and still be able to function. You'll want to look at each of the listed processes, figure out what they do (expanding the Command column if necessary), and uncheck anything you don't absolutely need or recognize. In most cases, the only things that should be checked are your anti-malware programs (AV, AS, 3rd party firewall), their update utilities, and your anonymous browsing tools (Tor, Privoxy, etc.). All of the Windows / Microsoft entries can be unchecked, as well as any messenger programs, CD / DVD burning programs, and any other non-essential entries. This will give you the freedom to only start those programs when needed, which will save system resources. Similarly, for the Startup folder (click Start, All Programs, Startup), make sure there aren't any unwanted or unneeded programs listed.
Windows Firewall
If you haven't already installed Service Pack 2, do so now; trust me, it's an improvement. In addition to other improvements, Service Pack 2 comes with the built-in Windows Firewall, which performs some basic firewall functions (program & port connectivity); while it's rather mediocre as far as firewalls go, it does add another layer of protection. To access Windows Firewall, click Start, Control Panel, Windows Firewall. When it opens, click the 'On (recommended)' radio button and make sure that 'Don't allow exceptions' is unchecked. Next, click the Exceptions tab, where you will find all of the program and port settings. Before you do anything else, uncheck 'File and Printer Sharing' and 'UPnP Framework'; you don't want those allowed at all. Now, go through all of the listings and decide if you really use / need them. For everything that you don't need or use, uncheck it and it will no longer be allowed to make outside connections.
Finally, to round out the firewall settings, click the Advanced tab, highlight your network interface (usually ‘Local Area Connection’, possibly followed by a number) and click Settings. This will allow you to configure allowances for services and ICMP (inbound and outbound ping packets). This is real simple, so I’m only going to say this once: uncheck everything in both tabs. You don’t need any of it right now (but remember it’s here just in case you run a web server or anything).
Automatic Updates, System Restore, and Error Reporting
This is really simple: you want to disable all of them. System Restore is a resource hog (and is no more useful than regular backups) and no one EVER agrees to send Microsoft anything when that stupid Error Reporting window comes up. Also, too many times, I've seen a 'hotfix' screw up something; you need the freedom to choose what updates are installed on your computer. More on that in the section below but, for right now, let's get into System Properties again (Windows key + Pause/Break or Start, Control Panel, System). Click the Automatic Updates tab and click the radio button that says 'Turn off Automatic Updates'. Now, click the System Restore tab and check the 'Turn off System Restore on all drives' checkbox. Finally, click the Advanced tab, Error Reporting (at the bottom), and click the radio button that says 'Disable error reporting'; leave the checkbox under it checked, though, just in case.
Scheduled Maintenance
Well, this is the last section of this article and, fittingly, it ties up all of the loose ends. You've done all of the manual work to secure your system; now, it's time to do some automated recovery and maintenance. For the first few steps, we're going to be using the built-in Task Scheduler (Start, All Programs, Accessories, System Tools, Scheduled Tasks) to schedule our regular maintenance. We'll run through the basic operation of Task Manager, then I'll go into detail about what we'll be scheduling.
To schedule a task, double-click 'Add Scheduled Task'. Click Next, then you'll see a listing of the common programs on your computer. Go ahead and have a look at the list, since it is pretty extensive. Once you pick a program (or browse for one), click Next and you can choose a name for the scheduled task and the frequency with which it will occur. Once you set those, click Next and you get to pick the start time and start day, mainly. Clicking Next again' you get to the part where you can supply user credentials if needed; it's likely that you'll need them for the tasks you're about to schedule, so you'll want to enter your renamed admin user's credentials here. Click Next and Finish, and you have a scheduled task.
First, we want to schedule a task that opens Windows Update every week so that we can pick and choose our updates. When creating the task, choose 'Windows Update' as the program that you want to run. Set it for Weekly and remember to put in your admin credentials; also, remember to schedule it for a time when you'll see it so that you can manually update.
Next, we want to take good care of our hard drives by running Defrag on them every week. Pop open a Notepad window and type in 'defrag' followed by the drive letter of your first hard drive; do this on separate lines for each hard drive in your system. Save the file with a filename that ends in .bat, which will create a batch file. Now, create the scheduled task and, when it gets to the part where you need to pick a program, click Browse and choose the batch file you just created. This time, you can set it to run weekly at a time that you won't be at your computer (as long as the computer will be on).
Third, we need to schedule AV (anti-virus) and AS (anti-spyware) scans. Ideally, these scans should happen no less than every 12 hours; personally, I run these scans every 3 hours (because I'm paranoid). Do these tasks just like the ones above, using your AV and AS programs as the program to run. For each of these two tasks, right-click the task, click Properties, click the Schedule tab, and click Advanced. Here, you can specify a smaller interval than daily. We'll do that now by checking 'Repeat task', changing the number by 'Every:' to the number of hours (your choice), changing the drop-down beside it to say 'hours', and changing the number by 'Duration:' to be at least 2 hours. Not so bad, eh?
Finally, we want to schedule a weekly backup of our OS and any important files to an alternate location (a second hard drive or USB external drive). Let's go ahead and open up Windows Backup: Click Start, All Programs, Accessories, System Tools, Backup. When the window comes up, click the 'Advanced Mode' link and click the Scheduled Jobs tab; then, you will click the 'Add Job' button at the bottom. As there are quite a few steps after this, I'm going to quickly highlight the important considerations:
- Back up selected files or drives
- Use ‘Normal’ or ‘Copy’ backup type, and tell it to verify the backup
- Unless you have the space, have your backups overwrite the previous one
- Schedule the task to run Weekly on a slow day of the week (like Sunday)
- Set it to wake the computer to run the backup, in case it’s in standby (likely)
Completed the Essentials
Well, we've gotten all of the essential steps out of the way and, as such, this concludes Part 1 of my 'Windows XP Essential Security and Performance' article. Hopefully, I will be able to follow this one up soon with another article to address (or begin to address) recommended practices with browsing, email, file sharing, and other common activities in Windows XP. Hope you all enjoyed it!
ghost 17 years ago
Nice article although i done most of those, you used grammar and paragraphs rated awesome
ps FIRZT POST LULULULULULZ ZOMGZ
ghost 17 years ago
great article. awesome work, very useful information. why turn off automated backups tho? you never went into detail as to why you would pick and choose updates. i keep my updated automated right now.
ghost 17 years ago
i assume this is only for remote accessing problems, as you missed out disabling cmd for any other non-admin users present, and disabling AT(its sometimes auto-enabled for all users on XP). great article though, rated awesome :)
ghost 17 years ago
DigitalFire: System Restore, like Indexing Service, eats resources. Scheduling backups lets you free that up. As for picking and choosing updates, M$ has a habit of trying to force ALL updates upon you… even the ones you don't need. Also, many times, I've seen an update or hotfix break functionality on a system that was otherwise fine. Make sure you only update with what you need. Oh, and I really didn't have much room to go into detail… as you can tell, the article is already massive as it is. :p ** mrnoob:** I didn't miss out on disabling cmd, task scheduling, etc. This article only covers the basics that home users should be concerned with. I did plan on writing an article (at some point) that concerns multi-user environments and domains, but Group Policy alone would fill up 3 or 4 articles. I'll see what I can do for that one… most likely, it would be a Server 2003 article, since I hardly ever bothered with local GPOs.
ghost 17 years ago
Brilliant, Id like to say though if anyone has a problem with an Ipod after changing the services, try enabling Terminal Services. this fixed a problem with my ipod a while back (Itunes not being able to detect it)
10/10 Zephyr, hopefully XP users will take notice cause this stuff really is the way to go about it.
korg 17 years ago
As you stated these are YOUR recommendations, Really don't agree on most,Making a dummy admin account? Still get's jacked Super admin your box for better security. Disable all those services, If you can see a difference you need to upgrade now! You need most of them to run programs properly. I would never shutoff system restore it uses little resources (takes a few seconds for it to ghost your files) And can be the easiest way to recover from massive failure.You don't need a batch file to run defrag(add scheduled task>browse>system32>defarg.exe>)I would suggest to defrag unless you see a problem,Every time you do you stress the drive and overwrite it,Seen systems crash from a defrag)I agree with back-ups all the way,I back-up when I install new programs and such but use dvd's.As far as A/V scans go there only as good as the software itself. I run McAfee and it stops everything dead no need to run a full scan.(I have and it never finds anything) Same goes with the firewall if your using windows firewall your an idiot,I use McAfee.Auto updates you can still choose custom install.I could keep going but I won't, Still a good article just not for experienced XP users.
ghost 17 years ago
**korg: **The point of the "dummy admin" account is just a small bit of misdirection; not a necessary step, but couldn't hurt. Also, if the dummy admin gets "jacked", it won't matter: it only has Guest privs. The important part is not being logged in as admin all the time; just use admin privileges when absolutely needed. As for needing most of the services to run programs properly, feel free to provide sources as I have; I have researched those services and found that my recommendations are relatively on-point. Concerning system restore, the point is to give the user control of his / her system; you don't want System Restore backing up a system image that has whatever condition caused the problem that causes you to restore. Also, maintaining backups is good real-world practice, as you somewhat agreed with. Scheduling the defrag.exe instead of a batch file will most likely only defrag the C: drive; for those of us that use multiple partitions (me included), this is not a complete unattended solution. For Windows Firewall, I agree that there are better software firewall solutions out there; however, there is no reason not to take advantage of the built-in firewall. For that matter, hardware firewall > both those options. Despite all of this… I respect and appreciate all of your feedback. These disagreements make for good discussion on the subject! As a final note, this article is meant as a substantial starting point, not as an absolute solution. For those of us that are "experienced XP users", we know that there is no single document that will make us such… only trial and error and years of experience. :happy:
ghost 17 years ago
**korg: **The point of the "dummy admin" account is just a small bit of misdirection; not a necessary step, but couldn't hurt. Also, if the dummy admin gets "jacked", it won't matter: it only has Guest privs. The important part is not being logged in as admin all the time; just use admin privileges when absolutely needed. As for needing most of the services to run programs properly, feel free to provide sources as I have; I have researched those services and found that my recommendations are relatively on-point. Concerning system restore, the point is to give the user control of his / her system; you don't want System Restore backing up a system image that has whatever condition caused the problem that causes you to restore. Also, maintaining backups is good real-world practice, as you somewhat agreed with. Scheduling the defrag.exe instead of a batch file will most likely only defrag the C: drive; for those of us that use multiple partitions (me included), this is not a complete unattended solution. For Windows Firewall, I agree that there are better software firewall solutions out there; however, there is no reason not to take advantage of the built-in firewall. For that matter, hardware firewall > both those options. Despite all of this… I respect and appreciate all of your feedback. These disagreements make for good discussion on the subject! As a final note, this article is meant as a substantial starting point, not as an absolute solution. For those of us that are "experienced XP users", we know that there is no single document that will make us such… only trial and error and years of experience. :happy:
korg 17 years ago
Well as far as services go heres a few: Indexing service:Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. This actually speeds things up. Distributed Transaction Coordinator:Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. Disabled these will not happen at all. TCP/IP NetBIOS Helper:Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Alot of sites use this to ping their server not much anymore but alot of online games do. Google each one to see if you need them but that wasn't my point. You don't need to disable them unless you have a piece of shit box you will never notice a difference. I've done stress test,cpu tests and benchmarks running services and not, no change in performance. The defrag.exe will run on all disks try it, I've seen hundreds of articles like this both pro and con, For disabling things but I try things for myself to know what works for me. I never take someones word if you know what I mean. One guy says yes another says no "Who do believe" Best advice for everyone is to try things on your own whatever works ROLL with it. Not trying to be a dick there Zephyr Just what I've experienced. And believe me I've work on alot of fucked up boxes over the years and more to come, got 2 sitting on the bench now.
ghost 17 years ago
(Apologizes in advance for that horrendous massive double-post.) **korg: ** For Indexing Service, I've had it disabled for years because, for years before that, I really saw no increase. The performance may be negligible, but I don't like running anything that isn't really useful. DTC could've probably gone in the Manual column; I can give you that one. :) Not NetBIOS Helper, though… NetBIOS is weak and can be exploited easily. For defrag.exe, I will try that… in my experience, I've always specified the target drives.["For disabling things but I try things for myself to know what works for me. I never take someones word if you know what I mean."I do know what you mean! In fact, I recommended that in my article! :) Everyone will find their own mix… I just made the suggestions I did so that people would learn to stop looking for the ready-made solution, and start looking to tweak those things through thorough research. You have worked on a lot of fucked-up boxes over the years, and I have administered Windows-based networks for years. You respect me enough to not be a dick, and I respect you enough for the knowledge you bring to the argument. Hopefully, the people that read this article can appreciate the argument as well. :D
korg 17 years ago
I forgot system restore if you go back to before your problems started and restore from there it has always worked for me. As far as exploited any services it's only as good as the protection you have, Firewalls, port alerters etc. But Like we said everyone will try there own ways to make them happy. I only commented because I get so pissed when people bring me thier box and say "I did some tweaks and now it won't boot" ETC. Don't go nuts disabling or removing things if you don't know what they are! (FireSaleHaxor) for example. Although those idiots keep me in business. HEE>HEE
Uber0n 17 years ago
This is the best WinXP security article I've read in a long time, and your correct spelling and grammar made me happy :D Awesome.
ghost 17 years ago
Thanks for the random Poor rating, AndriusZz. Those are always a bit humorous. :happy:
ghost 16 years ago
Windows XP has Remote Assistance enabled. This, along with Remote Desktop,
this is service pack dependent .
but othewise vry nice :D
ghost 16 years ago
I'm not sure I understand your argument about those being "service pack dependent". There is nothing in the initial XP install, or SP1 / SP2, that requires you to keep Remote Assistance and/or Remote Desktop enabled. Thanks for the compliment on the article, though.