SECURING WINDOWS XP

Version 2 BETA

September 30, 2005

We are soliciting comments for this version.

Please do not email me with comments. All comments must be made in this forum thread.

 

This guide will show you how to secure Windows XP. While it covers the basics, it also goes beyond them without going into "paranoid" mode. Protecting yourself from all the "bad guys" on the Internet requires a multi-tiered approach. There is no single product, hardware- or software-based, that will adequately protect you from the perils of being connected to the Internet. Only you can protect yourself, and that will require some effort to understand the nature of the threats, the potential ways to protect yourself, and how these protective measures can be integrated together.


This guide is for home users in a stand-alone or workgroup environment. It is intended as a step-by-step guide and we highly suggest you read through the entire article before taking any action. We welcome suggestions and feedback.

 

Before we begin, allow us to share a few of our thoughts with you. This is simply our opinion, nothing more...

1 - There is no such thing as a secure OS (operating system) or web browser. If you want true security (we read something like this somewhere, some time ago): disconnect your network card, turn off and unplug your computer, take out the hard drive and smash it to bits, then take the computer to a construction site and ask the bulldozer operator to run over it.

2 - In the real world, Windows operating systems are less secure than the newest versions of Linux (distro) and Mac OS X. We'll leave the argument over why that is and the advantages of one OS over another to internet forums/discussion boards.

3 - A fully patched Windows XP and, to a lesser degree, Windows 2000 are the only non-server Microsoft operating systems that are even remotely secure. If you care about security you shouldn't be running any other Microsoft OS. If you have machines on your home network that run anything other than a fully patched XP, 2000, Linux (distro) or OS X, then the security of every machine on your network is lessened.

 

To give you a feel for how dangerous some of these threats can be, let us talk about port scans. A "port" is the doorway by which computers communicate with each other. A "port scan" often takes place with the use of programs called "port scanners". Crackers use port scanners to identify open ports on your system. Once an open port is found, they attempt to enter your system to collect data or place malicious programs on it. Scary, isn't it? But is this threat real or imagined? DShield.org tracks port scans in real time. Reports on attempted port scans from participating companies and individuals are sent to DShield on a real-time basis. At the time of writing, the number of reported entry attempts is averaging over 1.1 BILLION attempts per month. Remember that this represents only a small percentage of the actual number of port scan attacks: those that are reported by participants.

 

In fact, the current "survival time" (the average time for an unprotected system to be attacked and compromised) is only 27 minutes. This means that a newly installed unprotected operating system connecting to the Internet for the first time will, on average, be attacked within 27 minutes and compromised in some way. That further implies that there is insufficient time for a new system to connect to the Windows Update site and download the latest security and critical updates from Microsoft before the system is attacked and compromised. Yes, the Internet is a dangerous place for the unwary.


Let us describe another, far more subtle form of attack. Recently it was discovered that viruses, Trojans and other executable files could be embedded within a simple .jpg (picture) file. If an infected .jpg is downloaded by your browser or email client, the embedded executable could run and install a Trojan or virus. Microsoft and other software and anti-virus developers have been working hard to close this vulnerability.


Another, more recent and far more dangerous threat is crackers' use of "rootkits", "dll injection" and "global hooks" to take over systems "invisibly". These threats are difficult to prevent and detect, and almost impossible to remove once they have successfully been deployed on your system. Prevention is the best way to stop these threats, as removal tools are only now being developed to clean a system after infection by one of them. Removal tools for this type of threat are in their infancy and cannot be relied upon to clean a system once it has been compromised. Once infected, the only way to dependably remove one of these threats is either to restore a backup known to have been made prior to infection, or to completely reformat all your hard drives and reinstall your operating system and software.


You cannot depend on others to protect your system and valuable data. It is our responsibility to make our systems as resistant as possible to these kinds of threats. That requires a combination of protections. At a minimum, we recommend the following protective measures be taken by all users who connect to the Internet for any purpose:

  1. Protect the gateway to your systems with a good hardware firewall/router with at least port blocking (stealthing is even better) and Stateful Packet Inspection ("SPI").

  2. Install a good software firewall on your system. At a minimum a good software firewall should have application control, i.e., the ability to set permissions for Internet access on a program-by-program basis.

  3. Install a good Anti-Virus package.

  4. Install a good Anti-Spyware package, or two or more, if they are compatible and handle spyware in different ways.

  5. Install protective software that prevents the execution of unknown software on your system, and requires user permission (at the administrative level) to install services and drivers, global hooks, and dll injections.

Note: we strongly recommend that these protections be in place before connecting to the Internet for the first time on a newly installed operating system.

What You Need To Protect Yourself

Freeware Programs To Download For This Guide

Microsoft Baseline Security Analyzer 2.0

Firefox* - Fast, secure alternative to Internet Explorer.

Thunderbird* - Fast, secure alternative to Outlook Express.

Ad-Aware SE Personal - Spyware finder.

Spybot - Search & Destroy - Spyware finder.

SpywareBlaster - Prevents spyware sites from setting cookies and from installing ActiveX-based spyware.

SpywareGuard - Prevents spyware .exe and .cab files from being executed, and prevents browser hijacking.

* - Optional but highly recommended.

 

In addition to the above software you'll need a few things:

 

Software firewall - Windows XP's built-in firewall isn't enough. Third-party firewalls offer protection and configuration options that Windows Firewall doesn't. Did you know that Windows Firewall only filters inbound communications, not outbound?

 

Firewall router - If you connect to the Internet via a broadband connection, buy a good hardware firewall router. Most quality cable/DSL routers have firewalls built in today. Many people buy these to share an Internet connection, not knowing about the built-in protection that these devices offer. Even if you only have one computer connected to the Internet you should have one. Configured correctly, it is an excellent first layer of defense against crackers (more on this later). Basic firewall routers are not expensive; many on-line shops sell name-brand ones for as little as $50 (US).

 

Options the router should include:

 

- Network Address Translation (NAT) - This hides the IP address of the computer you are on from computers outside your home network. Please understand that NAT is not, and never was, intended to be a "firewall". It was designed to provide "many to one" Internet access, so that a LAN with one or more systems can connect to the Internet using a single IP address.

- Port Blocking - Blocks access to Internet ports and protocols that are either unused or unnecessary. Even better, higher-quality firewall routers offer port stealthing, but more on that later.

- Stateful Packet Inspection (SPI) - A more advanced form of packet inspection. It tracks the requests your computers send out and knows which incoming packets are genuine replies and which should be filtered out (see the brief explanation below).

- Virtual Private Network (VPN) - If you connect to your computers at home while at another location, this is a must. A VPN creates an encrypted tunnel between two computers so that no other computer can listen in.

 

A Brief Explanation of SPI

In order to use the Internet, you do have to open some ports and protocols on your firewall router to outbound packets. In return, you need to be able to receive return packets back from the Internet in order to, say, get your email. That means there is an open vulnerability to attack via those open ports and protocols that can be exploited IF a cracker is sophisticated enough to break through your NAT protections, and there are some that certainly can do exactly that.

What SPI does is create a "one way door", so to speak. It "remembers" requests that have been made (again, say, for your email) and will permit entry only for those packets which are being received in response to that request. So an unrequested packet, say one spoofing a response to a request for email, will not be permitted entry because there was no corresponding outbound request. Thus, it protects the necessarily open ports and protocols from inbound attacks.
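The following is an added example, not code from the original guide or from any router vendor: a toy model of the router behaviour described in the options list above and in this SPI explanation. It remembers outbound requests, admits only their replies, and shows the difference between plain port blocking (reject) and port stealthing (silent drop) for unsolicited packets. The addresses, ports and packet sequence are constructed for illustration.

```python
# Added example (not from the original guide): a toy model of a firewall
# router doing port blocking, port stealthing and SPI as described above.
# Addresses, ports and the packet sequence are constructed; a real router
# tracks TCP state (SYN/ACK, timeouts) in far more detail.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out": LAN -> Internet, "in": Internet -> LAN

class StatefulFilter:
    """Remembers outbound requests and admits only their replies."""

    def __init__(self, stealth=True):
        self.stealth = stealth      # True = drop silently, False = reject
        self.flows = set()          # remembered outbound 5-tuples

    def check(self, pkt):
        if pkt.direction == "out":
            # Record the request so the matching reply can get back in.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # An inbound packet is a reply only if it mirrors a remembered request.
        mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if mirrored in self.flows:
            return "ALLOW"
        # Unsolicited inbound traffic (a scan probe or a spoofed "reply").
        # Stealthing drops it silently, so the scanner sees no host at all;
        # plain port blocking answers with a reject, which confirms a host.
        return "DROP" if self.stealth else "REJECT"

def run_scenario(stealth=True):
    """Constructed sequence: a POP3 mail check, then two unsolicited probes."""
    fw = StatefulFilter(stealth)
    pc, mail, scanner = "192.168.1.10", "203.0.113.5", "198.51.100.9"
    packets = [
        Packet("tcp", pc, 49152, mail, 110, "out"),      # our mail request
        Packet("tcp", mail, 110, pc, 49152, "in"),       # the genuine reply
        Packet("tcp", scanner, 110, pc, 49152, "in"),    # spoofed "reply"
        Packet("tcp", scanner, 40000, pc, 135, "in"),    # probe of port 135
    ]
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    print(run_scenario(True))    # ['ALLOW', 'ALLOW', 'DROP', 'DROP']
    print(run_scenario(False))   # ['ALLOW', 'ALLOW', 'REJECT', 'REJECT']
```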

 

Anti-Virus (AV) software - This is critical. Virus and Trojan outbreaks are a daily occurrence, and statistics show that an unprotected system will become infected by a virus or Trojan in an average of 16 minutes. This time is called "Survival Time" and is tracked by the SANS Internet Storm Center.

The old version of this guide is available for download at ABXZone. This is also where you may post comments, questions, suggestions.

Printable Guide & Forum

Note - You must be a member there. It only takes a minute to sign up, and we hope you decide to stick around there!

 

Copyright and disclaimer:

All programs/trademarks listed in this document are the property of their respective companies.

Material in this article is the property of the authors and MAY NOT be copied, reproduced, or redistributed in any manner without the expressed written consent of the authors.

The authors make no warranty of any kind and are not responsible for any outcome as a result from using the material presented in this article. Caveat Emptor baby!

TweakHound - Optimize Your Computing Experience!


Copyright 2002-2008 by Eric Vaughan
All material contained here is the property of its owner.
Windows, Windows XP, Windows Vista, Microsoft, and all associated logos are trademarks/property of Microsoft.
You may not use or copy any material from tweakhound.com without expressed written permission.
Hotlinking to any material within this site is forbidden.