Securing Windows XP, Section 2

Basic Steps to Installing XP Safely

Step 1 - A fresh install of Windows XP with Service Pack 2

   While this is an optional step we highly recommend it. This is especially true if you've not installed SP2 or upgraded SP2 over an old installation. There isn't any better way to get rid of viruses and spyware than a format and clean install. Do not connect to the Internet while installing your operating system. This means disconnecting the cable on the back of your computer that connects you to the Internet (Ethernet, phone line, USB, Firewire, etc.) Install all your protective software before attempting to connect to Microsoft's Windows Update site.  Download the most current versions of all your protective software before you reinstall your operating system, so they can be installed before you attempt a first connection.

Step 2 - Backup!

Backing up XP: 

Backups are critical to computing these days. Backing up your computer can prevent disaster and restore settings in a matter of a few minutes. You should backup the drive/partition that contains Windows XP:

·       After your initial installation.

·       Before installing XP updates, major applications, or applications of "questionable parentage" and major updates to them.

·       Before making major adjustments to XP. (network settings, tweaking, etc.)

The only backup that will truly restore a drive or partition is one that "images" your drives. That is, it makes a byte-by-byte copy of your drive/partition. "Imaging" is the best option for the partition that holds Windows XP. You can choose to backup images to another partition, hard drive, CD/DVD, or another computer. Examples of these programs are Acronis True Image and Norton Ghost.

Backing up other data:

It isn't necessary to do an image backup for data. You can choose other methods for backing up pictures, music, video, documents, etc. It is often advisable to use multiple backup methods!

·       Burn to CD or DVD - You can use any CD/DVD burning program to backup data. Remember to update these often. If that data is really important to you, consider storing that data at a separate location in case disaster strikes. A trusted family member’s house or a safe deposit box are good locations.

·       Backup to another hard drive - You can back your data up to another hard drive in your computer. This keeps the data safe in case the first hard drive goes bad. Using "Copy" and "Paste" or "Copy To Folder" isn't the best method for doing this, especially with large amounts of data. A good backup program will check the files you've copied after the job is done to make sure everything was copied and copied correctly. These programs often have the ability to schedule backups and backup only information that has changed. Examples of these programs are Second Copy 2000, Backup My PC, and Backup Pro 2004.  An excellent freeware alternative is Karen's Replicator.

·       Backup to another computer – Some backup programs have the ability to back up data to another computer. If you have several computers in the house, consider making one computer a secondary backup location for the other computers in the house.

System Restore

Windows XP has a feature called System Restore that backs up most of the system files. While this feature is far from perfect it can be effective in many situations. System Restore points are (usually) made automatically made “at the time of significant system events” such as when you install a new program or driver. You can also manually create a Restore Point. System Restore is not a true “uninstall” feature or backup. It only monitors and restores key parts of files and the system registry. It can however get you out a jam quickly.

To manually create/restore a restore point:

·       Go to Start > Programs > Accessories > System Tools > System Restore > click on Create a restore point and click Next > in the resulting screen type a name for the restore point, be descriptive i.e.: “b4 new video driver 12/03” then click Create.

·       To restore a system from a restore point:  Go to Start > Programs > Accessories > System Tools > System Restore > click on Restore my system to an earlier time and click Next > choose the desired restore point and click Next.

Use a password for your account

Unfortunately XP allows you to not have passwords for your user accounts. Not having a password is a very quick way to get hacked. Ensure that all accounts have a password. Passwords should be a mix of letters (upper and lower case), numbers, and symbols.

Valid symbols include: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /

Passwords should not be dictionary words or proper names. Crackers run programs containing these and it won't take long for them to crack it. Make it hard to guess but easy for you to remember. The longer it is the harder it is to crack.

An example of a password strategy would be a phrase:

In 84 i Graduated ! And 8 Years Later i Was Married :-(

Using the above strategy we get I84iG!A*YLiWM:-( . Not only is that extremely difficult to crack, with all the unprotected computers out there it isn't worth the attempt for most crackers. This may sound difficult to do and remember but it isn't. After typing it a few times it will be as easy to remember as your telephone number. Still, it is a good idea to back up your password.

Backup your user password (requires a floppy drive)

Go to Start > Settings > Control Panel > User Accounts > click on the name of the account whose password you wish to backup > in the next window, in the upper left of the screen click on “Prevent forgotten password”, the Forgotten Password Wizard will launch. Simply follow the steps in this wizard. If you forget your password at startup XP will ask if you want to use this disk.

***Important – This disk contains the key to unlock your entire system. Lock it away in a safe location. Preferably in a room other than the one that computer is in.

Rename the Administrator account and disable the Guest account (Windows XP Professional only.)

Crackers need both a password and a user name to get into your computer. Windows XP Pro comes with a default account called Administrator that has full privileges on your system and Guest that has limited privileges on your system. This gives crackers half of what they need to get into your computer.

Rename the Administrator Account:

Go to Start > Settings > Control Panel > Administrative Tools > Computer Management > in the resulting screen in the left pane double-click Local Users and Groups and then double-click Users > in the right pane you'll see the Administrator account, right-click on it and choose Rename > enter a new name > This account will have the same password as before. If you want to change the password or create one, right-click on the name you just created and choose Set Password... > a warning screen should appear, click the Proceed button > in the resulting screen fill in the password and click OK.

While you're there change the description of the account. Right-click on the account name and choose Properties > In the description box change or delete the contents.

Disable the Guest Account: (XP Pro)

Now you are back at the Computer management screen. Right-click on the Guest account and choose Properties > in the resulting screen check the box that says Account is disabled > click Apply and OK. A red circle with an X should now be over the icon next to the Guest account.

While you're there change the description of the account. Right-click on the account name and choose Properties > In the description box change or delete the contents.

Disable the Guest account (Windows XP Home)

Go to Start > Settings > Control Panel > User Accounts > in the resulting screen click on Change an account > in the resulting screen click on the Guest account > in the resulting screen click on Turn off the guest account > close out the User Accounts screen.

Configure your router

Every router is different and you'll have to consult the user guide for your product as to the specifics as to how and what you can configure. The basics are:

·       Change the default password - make it hard to guess!

·       Disable remote administration - ensures people on the outside of your home network can't access your router.

·       Get the latest firmware - Firmware contains the router's operating instructions. Periodically these instructions are update to provide better security. Check with your manufacturer's web page to see if you need to update your firmware.

·       Enable port blocking and enable stealth mode if the firewall router supports it.

Configure your firewall software

Every software firewall is different. Some will have wizards to walk you through the process.  Nonetheless, here are some general rules to follow to “harden” your firewall protections:

General rules for configuring software and hardware firewalls

Baseline test your current firewall configuration.  There are a number of sites which test your firewall, GRC is one. Click on the ShieldsUp link in the middle of the page.  Then after doing the following re-test your new configuration:

1.    Block everything you can at the hardware level before it reaches your system, i.e., at the firewall router.

2.    Close everything, all ports/protocols as default. Open only those ports/protocols that you actually need to have open.

3.    Prohibit all inbound connections entirely unless you are running a secure VPN.

4.    To protect open ports/protocols, always get a hardware router/firewall that has Stateful Packet Inspection.

5.    If your router provides MAC address selection, exclude all MAC addresses except those MAC address actually on your LAN.

6.    Do exactly the same with software firewalls, but add to that outbound program control.

7.    Limit the NAT address range at the router to only enough internal IP addresses to accommodate the systems on your LAN.

8.    If your firewall has a "stealth" setting, use it.

Wireless 801.11x Settings

Wireless presents a slightly different set of security considerations.  Most modern wireless firewall routers or Access Points have some additional important security features that should always be set.  One important point is that you should generally disable XP's “Wireless Zero” service, and use connectivity software provided by your wireless hardware manufacturer.  You should read your hardware's manual for more complete instructions specific to your firewall router or Access Point.  Again, always update the firewall router or Access Point firmware to the latest versions.

The most critical settings are as follows:

1.    Change the “SSID” of your device from the manufacturer's pre-designated name. Disable SSID broadcasting if possible.

2.    Always password protect your device with a difficult to duplicate password (discussed earlier), and change the login name if this is supported.

3.    If the device has MAC Inclusion/Exclusion (most devices made these days do), exclude all devices by default and permit only the MAC addresses of your wireless devices.

4.    Enable wireless encryption at the highest level supported (usually 128 bit encryption), and remember to set the same access code for all your devices.