Securing Windows XP
From Wikibooks, the open-content textbooks collection
Fundamentals of Windows Security
What is computer security? And why should I care?
Computer security is the control of access to resources and the steps taken to achieve this.
- Why do I need it?
This section will not delve into the sociological reasons for computer security but will illustrate the practical reasons with an example. Pretend that someone called Joe buys a personal computer to use the Internet, and that the concept of computer security does not exist. Any time Joe connects to the Internet, everybody else using the Internet at the same time would have total access to Joe's computer, not only severely compromising Joe's privacy but also risking the working integrity of his computer. In short, if you care at all about your computer working or about any data you enter into it, you need your computer to be as secure as possible.
Users
In Windows XP, in order to use the operating system you must log in as a user. Each user has information stored in a database (the SAM). For each user the database must store a username, a password and at least one group. With the username and password one can log in to the operating system.
Permissions
Permissions define what resources may be accessed through Windows. Even for the most trivial tasks Windows XP requires access to computer resources. These resources are defined as "objects", and it is these "objects" that Windows XP screens access for. Common examples of objects include a file on a hard disk or the ability to add new users. Access to these objects is restricted to certain users or groups. Every time a user requests a resource or tries to perform an action, Windows checks the object's ACL (Access Control List) to see whether that particular user is allowed to; if not, access is denied. Permissions are a fundamental concept in Windows XP and almost every other operating system.
Practical Steps
Provide Physical Security for the machine
This is self-evident. To prevent people from using your computer(s), deny them physical access. If you want to limit or monitor computer usage, physically monitor what they are doing with your computer! These simple steps alone can reduce a large number of potential threats.
Disable or Delete Unnecessary Users
Disable any accounts that are not used. For example, always disable the Guest account (it is disabled by default on brand new computers or on a "fresh" Windows XP install).
There are two ways to disable a user in Windows XP.
(a) Start >> Settings >> Control Panel [the Control Panel window should appear] >> User Accounts [the User Accounts window should appear]. In the User Accounts window there are two headings: "Pick a task..." and "or pick an account to change". If you select the user you want to disable under "or pick an account to change", new links will appear. Choose "Turn off the [username] account".
(b) Start >> Run... >> Enter "lusrmgr.msc" >> Click "Users" >> Double-click the user you want to disable, check the "Account is disabled" box and click "OK".
Additionally it may well be worth renaming the "Administrator" account as this may be targeted in any attempt to breach security or run/install programs. There are two methods.
| XP Home Edition | XP Professional Edition |
|---|---|
| At a command prompt type control userpasswords2. Select Administrator and click on Properties. Change the user name, NOT the full name. | |
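The same account clean-up can be done from an Administrator command prompt with tools that ship with Windows XP. This is an added example, not part of the wikibook: it lists local accounts with their disabled flag and SID, disables Guest, and verifies the result.

```batch
@echo off
rem Added example (not from the wikibook): disable the Guest account from the
rem command line and verify the result. Run from an Administrator command prompt.
rem "net" and "wmic" ship with Windows XP; no extra tools are assumed.

rem 1. List local accounts with their enabled/disabled state and SID.
rem    The built-in Administrator always has a SID ending in -500, so it can be
rem    identified even after it has been renamed: renaming hides the name only.
wmic useraccount where "LocalAccount=TRUE" get Name,Disabled,SID

rem 2. Disable Guest (equivalent to "Turn off the Guest account" in User Accounts).
net user Guest /active:no >nul
if errorlevel 1 (
    echo Could not disable Guest - are you running as an administrator?
    exit /b 1
)

rem 3. Verify: "net user Guest" prints "Account active  No" once disabled.
net user Guest | findstr /c:"Account active" | findstr /i "No" >nul
if errorlevel 1 (
    echo Guest still appears to be enabled.
    exit /b 1
)
echo Guest account is disabled.
```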
Remove Unnecessary Windows Services
A service is a privileged program that is loaded on startup and provides some low-level functionality in the background. It can be started and stopped on request (via the Control Panel >> Administrative tools >> Services window).
Unneeded Windows services use up a (small) amount of resources, but may also cause problems. For example, if you do not use TELNET you can disable the service so as to deny other people an opportunity to log on to your computer remotely and send commands to it to see what happens.
The Windows Messenger service (nothing to do with the popular chat program) is a typical nuisance. It allows you to send/receive messages over a network (using the net send command). The text appears in a dialog box on the target computers' screens. People can thus spam the Internet with annoying messages.
Deactivating unneeded Windows services requires some caution, since stopping the wrong services may render your computer unusable. Be sure of what you're doing. A useful tool in this respect is Starter by Codestuff. This is free and allows you to deal with both Startup items and Services (and links to Internet searches for items). While care is needed, both security and start-up time can be improved.
To modify services select Start >> Run... >> type "services.msc" and click Run (this is a shortcut). Right-click the service you wish to modify in the list to access options such as Disable.
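The two services named above (Telnet and Messenger) can also be stopped and disabled with sc.exe, which ships with Windows XP. Added example, not from the wikibook; it assumes the service names Messenger and TlntSvr and an Administrator command prompt.

```batch
@echo off
rem Added example (not from the wikibook): stop and disable the Messenger and
rem Telnet services with sc.exe, then check the result.
rem Service names (not display names): Messenger and TlntSvr.
rem Run from an Administrator command prompt.

for %%S in (Messenger TlntSvr) do call :disable_service %%S
goto :eof

:disable_service
rem Stop the service if it is running (harmless if it is already stopped).
sc stop %1 >nul 2>&1
rem Set start type to disabled. Note the space after "start=" - sc requires it.
sc config %1 start= disabled >nul
if errorlevel 1 (
    echo %1: could not change start type ^(service missing or not admin^)
    goto :eof
)
rem Verify: "sc qc" prints the START_TYPE line; 4 means DISABLED.
sc qc %1 | findstr /c:"START_TYPE" | findstr /c:"DISABLED" >nul
if errorlevel 1 (
    echo %1: WARNING - start type is not DISABLED
) else (
    echo %1: stopped and disabled
)
goto :eof
```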
Keep Your OS Updated
Security vulnerabilities are continuously discovered and exploited by virus writers and crackers. Microsoft's policy is to regularly release cumulative patches, available on the Windows Update site. Since SP2, Windows also has an Automatic Updates feature (to find it, right-click on My Computer, choose Properties and select the Automatic Updates tab).
Use Antivirus Software
The cyberworld is full of threats to computer security. Among the most common are computer viruses.
Broadly speaking, a computer virus is a program that when executed attempts to "infect" other programs by modifying them (embedding a copy of themselves in the code) or by changing their execution path system-wise (so that a request to run program X causes the viral code to be executed too). Usually it stays active in memory, infecting programs run by the user.
Being self-replicating is damaging enough (they tend to clog the system's resources) but since virus writers are mostly malicious, they often include a payload - a damaging action triggered by an event the coder decided upon. The payload may cause data loss, damage to Windows' integrity and/or leakage of valuable information (passwords, email addresses, credit card numbers).
An active antivirus is a necessity when connected to the Internet, since some modern viruses (such as Sasser, MyDoom, etc.) try to exploit known security flaws (hopefully patched with a Windows security update... eventually) to remotely infect a computer without any user interaction.
Windows XP does not include built in antivirus functionality, but many products, free and commercial, exist to protect your computer in real time. Here is a short list of software that does the job.
- AVG™ Antivirus (Commercial product but includes free version)
- Clamwin Free Antivirus (GNU GPL - opensource project)
- avast! Antivirus (Commercial product by ALWIL Software, offers free "Home" edition)
- Avira Antivirus (Commercial product by Avira, offers free "Personal" version)
- Has an incremental update feature, ideal for slow Internet dialup connections
- Norton™ Antivirus (Commercial product)
- Bundled on many OEM PCs. A rather heavyweight suite of programs.
- Trend Micro™ Antivirus (Commercial product)
Trend Micro™ also offers a free web-based scan.
Keep in mind however that all antivirus products essentially do a best-effort attempt to recognize and remove "code patterns" in an executable that resemble known viruses (some also use heuristics and behavioral analysis to guess if viral activity is taking place). Therefore:
- The viral definitions must be updated regularly for the software to remain effective
- They cannot detect all possible viruses, so always use caution with unknown executables (consider the circumstances: e.g. if emailed to you from someone you know ask the sender anyway before opening them)
For more information on the various Antivirus products, and for test results by independent bodies, visit: AV-Comparatives and/or AV-Test. Also check the Sunbelt blog periodically, where clearly summarized results from AV-Test.org are published regularly.
Firewall
A firewall basically monitors and filters network activity directed to and from your computer. It is first of all a security concept, which involves a security policy and software and/or hardware components.
- By filtering ping (ICMP echo) requests from the Internet (which essentially ask "Is anybody there?"), your computer will stay silent and hidden from hackers.
- Malformed messages may cause undesirable behavior when, as is often the case, the receiving software has known glitches to exploit.
The main feature of the personal firewalls (e.g. Norton, McAfee etc.) is to block open ports so that they cannot be accessed from the Internet. This allows you to deny suspicious requests. The (very basic) Windows XP firewall does this too, and versions after the Service Pack 2 update should be sufficient to protect most home users with basic needs.
Since software firewalls also check outbound traffic, they should in theory prevent Trojan horse programs that have breached the system from sending data to their creator. Unfortunately, certain advanced malware, once in control of the system, is capable of disabling specific firewalls (and antivirus products).
A hardware firewall is a physical device that interfaces two network segments. Most routers have one built in that is sufficient for most home networks when used in conjunction with a good software firewall. If you need better security a dedicated firewall can be used (like Cisco PIX if the budget allows it), or for instance a Linux-based firewall system run on an older computer (e.g. IPCop).
Most hardware firewalls also support VPN (Virtual Private Network) connections and are capable of NAT (Network Address Translation), a feature that hides the real IP addresses of your network's computers from the outside world.
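The two points made above about the built-in XP SP2 firewall (block unsolicited inbound connections, stay silent to ping) can be applied from the command line with "netsh firewall", which exists on XP SP2 and later. Added example, not from the wikibook; it assumes an Administrator command prompt.

```batch
@echo off
rem Added example (not from the wikibook): configure the built-in Windows XP
rem SP2 firewall with "netsh firewall": enable it on all profiles, refuse all
rem exceptions (every inbound connection not started by this PC is dropped),
rem and stop answering inbound ICMP echo requests ("ping").
rem Run from an Administrator command prompt.

rem 1. Enable the firewall and the "Don't allow exceptions" setting on all profiles.
netsh firewall set opmode mode=enable exceptions=disable profile=all
if errorlevel 1 (
    echo Failed to enable the firewall - is the Windows Firewall/ICS service running?
    exit /b 1
)

rem 2. Drop inbound ICMP type 8 (echo request) so the host does not reply to pings.
netsh firewall set icmpsetting type=8 mode=disable profile=all

rem 3. Verify. "show state" prints the operational and exception modes;
rem    "show icmpsetting" lists which ICMP types are still allowed.
netsh firewall show state
netsh firewall show icmpsetting
```

Turning exceptions off also blocks file and printer sharing from the LAN, so re-enable exceptions (with only the services you need) on machines that must share resources.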
Some personal firewall programs (software firewalls):
- Comodo Firewall (Free. Commercial Pro-Plus version also available)
- Comodo's firewall has come to be regarded as one of the best free firewalls available by many experts. Having said that, it is more suitable for advanced users as it is highly configurable and produces more frequent warnings, which requires more decision-making by the user than other firewalls. Also included with the Comodo firewall are a Host Intrusion Prevention System (HIPS) and a feature called "Clean PC Mode", which profiles a new PC and its applications and registers the existing applications as safe. From then on, only applications that are specifically allowed by the user, or those listed on Comodo's white-list of trusted applications, are allowed to be installed on the PC.
- Zone Alarm (Free. Commercial "Pro" version also available)
- The Zone Alarm firewall is relatively easy to use, but it has become slightly bloated over time with tutorials, wizards, et cetera. It is an improvement over the Windows XP firewall though. Update: The Zone Alarm firewall now comes bundled with the Ask toolbar. This toolbar has been rumoured to border on spyware, and is produced by InterActiveCorp (IAC), which is a company with a dubious past. Although the former is open to debate, the option to install the Ask toolbar is pre-checked during the installation of Zone Alarm, which in any case renders the Ask toolbar foistware in many security analysts' view.
Unfortunately, these personal firewalls implement some features in a highly ineffective way (e.g. "stealthed ports") and some other security measures employed by them can be avoided quite easily, like ZoneAlarm's privacy protection.
Anti-Spyware
The term spyware refers to a relatively new breed of malicious software (that first came under scrutiny around 1999) that focuses on stealing personal information and valuable data for unsavory purposes like identity theft. (Adware is a slightly tamer version of spyware that tracks your web surfing and sends you targeted advertisement, usually in the form of popup windows.)
Spyware typically installs on a computer without the user's informed consent, either bundled with another program or by exploiting one of the many bugs of Microsoft's Internet Explorer (the mammoth web browser bundled with Windows) to perform a "drive-by download" on visiting a specially crafted web page.
Antiviruses and firewalls have a hard time with these programs. Once compromised the computer may be instructed to download more spyware. The user will then experience massive slowdowns and system instability.
To cut a long story short, prevention is the best strategy. The point is to try reducing your computer's "window of exposure." A passable, free solution could consist of the following programs, which complement each other:
- Ad-Aware (Commercial, free "Personal" edition)
- Can fix most spyware issues. To enable preemptive blocking you would have to buy the paid-for version.
- Spybot S&D (Free program distributed under a "Dedication License")
- Slightly glitchy. Detects known malware using heuristics. It has several features (mostly accessible in "Advanced mode"). Useful ones are the 'Immunize' function, the download-blocker BHO, and a blacklist of "bad" URLs that can be added to your HOSTS file.
Note: to minimize the hassle of updating you can put the following commands into a batch file (.bat or .cmd extension), replacing %SBPATH% with the installation path:

```batch
@echo off
rem Change to the Spybot installation directory; cd /d also switches drive letter
cd /d "%SBPATH%"
rem Update definitions and re-apply immunization without user interaction
SpybotSD.exe /taskbarhide /autoupdate /autoimmunize /autoclose
```
Consider also trying Microsoft's Windows Defender (freely downloadable if you use a "genuine copy" of Windows).
If you discover that you are heavily infected (with "advanced spyware" that self-repairs and/or kills known anti-spyware products), also consider if making a backup of your files, erasing your hard drive and reinstalling a clean version of Windows would be less time-consuming than trying to recover a completely compromised system.
Useful links:
- DOXDesk (contains a lot more information and removal instructions)
Note
Beware of "rogue" security applications! Rogue security applications are programs that pretend to clean and protect computers from malware, when in reality they are themselves malicious. Visit Wikipedia's Rogue Software Article for more information on rogue applications. For a frequently updated list of rogue programs, visit: Spywarewarrior and Wikipedia's list of fake anti-spyware programs. As a general rule, stick to well-known and trusted security applications such as the ones mentioned in this wikibook.
Further measures of protection
The previous sections mainly focus on reactive measures (antivirus programs, for example, only pick up viruses once a computer has been infected). A good firewall and up-to-date operating system are crucial preventive measures against infections, but they should only be seen as the first two layers of security. In this section we will explore further steps that can be taken to actively protect a computer before it gets infected.
Alternative browsers
One of the fundamental preventive security measures is switching to a browser other than Internet Explorer. Internet Explorer is well known for its lack of compliance with browser standards set by the World Wide Web Consortium (W3C). This includes usability issues and also serious security flaws. It is therefore recommended to switch to an alternative browser such as the following:
- Firefox is a highly customizable open source browser, published by the Mozilla Project. Thousands of free add-ons provide superior customizability and added functionality.
- Opera is another highly secure alternative to Internet Explorer. It comes with many inbuilt features for which other browsers require additional plug-ins. It is also highly customizable and, like Firefox (and only recently Internet Explorer), has built-in phishing protection. Opera is considered by many to be the best out-of-the-box browser.
Protecting your data from hardware failures
Hardware eventually breaks down, like many other things. What matters is that your files survive the ordeal.
Making manual backups of your data is rather tedious, so we would just postpone the hassle... until Murphy strikes. A catastrophic event (a power spike, fire, spilling coffee on your keyboard?) or normal wear and tear will lead to losing several years of work. Maybe you were also in the middle of something and needed the data.
Beware of clacking noises from the hard disk during seeks (a tell-tale sign that the drive's controller is failing). One day your system may just not start because the boot sector has become unreadable.
Recovery should still be possible - after all, data has been recovered from drives destroyed by fire - but may be very expensive. If your data is of value to you store a copy on persistent media and avoid the grief.
If you find yourself in this situation, note that usually the technicians' first move is to connect the drive to another disk and attempt a low-level data transfer using a dedicated (software) recovery tool.
The most efficient software for direct disk editing and recovery is WinHex (commercial product); it can edit the hard disk directly, make images of it, and recover files.
The other way is to make the image and edit it with your favorite hex-editor. An image can be made with SelfImage, an easy to use open-source utility.
CD/DVD-ROMs are a good choice for the home user (choose a good quality brand [Verbatim?] to avoid mischief like the CD's coating flaking off). A DVD is several Gigabytes worth but takes a long time to burn (each session must write at least 1GB of data; less than that will be padded with dummy values). Ah - you also need a DVD recorder ([some/all?] models can burn CDs too).
If you want to avoid "wasting" CD storage space you can use a few rewritable (RW) CD/DVDs for "minor" backup sessions and then make a contiguous copy on a write-once (R) medium.
- Disk imaging versus file backup?
A disk image is a snapshot of the filesystem's state, preserving file positions too. Frequently used with OEM PCs to restore a bundled Windows installation customized by the manufacturer (Note: you appear to get bundled software for free but it actually forms part of the retail price; if you want to use a Linux-like system try to return Windows and get refunded [how?]).
After creating a "master" image you can save "diffs" (changes to the file system) that usually take much less space. However defragmenting your files will change their positions on disk, so this
- What about tape/Zip drives (are they obsolete? if not state capacity & speed of both)
- Windows XP Professional has a backup utility. Is it usable/useful? What about XP Home edition? Any good (possibly open-source) third-party sw?
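For the file-backup side of the question above, here is an added example (not from the wikibook) of an incremental file backup using xcopy, which is built into Windows XP. The destination drive letter D: and the log path are placeholders; the script copies only files newer than the existing copy, logs the run, and compares file counts so a silent failure is noticed.

```batch
@echo off
rem Added example (not from the wikibook): incremental file-level backup of
rem My Documents to a second drive with xcopy. Assumptions: destination drive D:
rem and the log path are placeholders; schedule the script with Scheduled Tasks.
setlocal
set "SRC=%USERPROFILE%\My Documents"
set "DST=D:\Backup\%USERNAME%\My Documents"
set "LOG=D:\Backup\backup.log"

rem Refuse to run if the destination drive is absent (e.g. USB disk unplugged)
rem rather than silently backing up nothing.
if not exist "D:\" (
    echo Destination drive D: not found - backup skipped.
    exit /b 1
)

echo ---- Backup started %DATE% %TIME% ---- >>"%LOG%"
rem /E subdirectories incl. empty ones, /H hidden and system files, /C continue
rem on errors, /I treat DST as a directory, /Y no overwrite prompt, /D copy only
rem files newer than the existing copy, /R overwrite read-only targets.
xcopy "%SRC%" "%DST%" /E /H /C /I /Y /D /R >>"%LOG%" 2>&1
set "RC=%ERRORLEVEL%"

rem xcopy exit codes: 0 ok, 1 nothing to copy, 2 aborted, 4 init error, 5 write error.
if %RC% GEQ 2 (
    echo Backup FAILED with xcopy exit code %RC% >>"%LOG%"
    exit /b %RC%
)

rem Quick integrity check: count files on both sides and log any difference.
for /f %%N in ('dir /s /b /a-d "%SRC%" ^| find /c /v ""') do set SRC_COUNT=%%N
for /f %%N in ('dir /s /b /a-d "%DST%" ^| find /c /v ""') do set DST_COUNT=%%N
echo Source files: %SRC_COUNT%  Backup files: %DST_COUNT% >>"%LOG%"
if not "%SRC_COUNT%"=="%DST_COUNT%" echo WARNING: file counts differ - files deleted from the source remain in the backup >>"%LOG%"
echo ---- Backup finished %DATE% %TIME% ---- >>"%LOG%"
endlocal
```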