This guide, found exclusively at OSNews.com in PDF format, is mostly focused on creating a decently secure installation of Windows XP Professional for an end-user. While the vast majority of it can be applied to Windows XP Home and OEM Restore Disk Sets, there are a few instances where these two media will need to be set up in a different manner.
Yes, you’re totally right hcuar, the only problem being that most people already use that system. That’s why a guide might be useful.
If at home I use a Mac, at work I use a PC with WinXP. It’s not my choice, it’s my employers’ choice and I have to comply with that.
Take care and best regards.
With enough rehabilitation along these lines, one could grow to tolerate Redmond products.
Eugenia: suggest hosting a wiki on the topic of WTF to do to make ‘Doze usable for the CLI lover. This material would make a great seed, if Vincent isn’t averse.
If you have to use IE, dropmyrights is a pretty good program. It allows admins to use IE and other software with less permissions. Not a bad idea, considering most people run as admin and never switch back to a normal user. You can grab it here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dn…
You’re completely right, there are a lot more items that can be turned off for a single-computer, one-user system. However, I didn’t focus on that as it’s really not something I’ve dealt with – call it author’s bias if you will. You do have great points and these are very useful tips. I’d also like to explain why I didn’t mention some of them.
Most of the people I know own a plurality of computers; usually a desktop and a laptop. For them the usage of Windows file sharing is a large convenience, to be able to right click and share a file, w/o using an FTP, SSH, or other file transfer program. While yes, disabling it would make the system “more secure” in theory – for instance it squelches the LM hash vulnerability (a la backwards compatibility) for gaining user account passwords – it would take away a lot of convenience for the above kind of end user. So rather than force them to find a completely foreign solution I thought a little education about non-simple file sharing and NTFS permissions would be a decent middle ground.
Telnet was removed – if it wasn’t it should have been.
I left uPnP for two reasons. First, a lot of network printers and a few other accessories like scanners can use uPnP. Secondly, I’d heard that supposedly some IM chat clients, and a few games for that matter, are using it to traverse NAT routers for hosting servers and establishing direct connections. So given that it has been patched, and does work – I thought the prospect of leaving it in vs. nuking someone’s hopes of transferring files over IM, hosting a game server for their friends, or networking their printer to share with a roommate was a decent trade-off.
As for fast user switching and remote desktop, I’d mentioned many times before it’s really a matter of personal taste for a lot of things you keep or toss. I chose to keep fast user switching because sometimes, like in the case of my parents, even if you have a laptop and a desktop – the desktop might be a machine shared with everyone else in the household. I also tend to leave the RDP terminal service on systems set to manual loading just in case I get that evening phone call of “Vince, my computer is broken, can you fix it” from my parents. Given I live about 360 miles from them, RDP is a good way to fix those little things that don’t bork the entire system. It also helps me save on gas money. However, like you said – in a pure single user/stand-alone machine these are by no means necessary, and you can disable them if you don’t want them to ever load even on a manual basis.
For the most part, the things I wrote about were basic things that can be done to help improve Windows security – it’s by no means trying to pretend to be comprehensive. I just get annoyed sometimes at how little people understand what they can do to secure their system if they want to, and wanted to introduce a few concepts.
What exactly does XP Pro offer that makes it so much more expensive than Home Edition?
Here are a few things, it’s basically marketing speak but it’s easy to translate:
http://www.microsoft.com/windowsxp/pro/howtobuy/choosing2.mspx
gpedit.msc , and more various ‘admin’ type tools.
…is a non-networked, headless, powerless, driveless, processor-less Windows system.
No amount of kludging will fix an inherently flawed design. When will the Windows apologists and profiteers admit that?
>…is a non-networked, headless, powerless, driveless, processor-less Windows system.
Oh! you mean the bulletproof, steel bared and welded shut kind of window? You can easily cut yourself or fall out of the other kinds.
I am not sure what the target audience is? If recommendations are for corporate desktops, a lot of stuff there can and must be done through group policies.
If it is for the home user- home users I know usually have Windows XP Home preinstalled on their computers- no XP Pro OEM disks.
I wonder, where did author get his XP Pro OEM disk from? OK, OK, it is democratic country: innocent until proven copyright infringing.:)
If configuring computer for home user, I would often spend much less time and efforts to achieve the same result.
Also, the question is what is the budget? If user can afford $30 for hardware firewall box- over half of recommendations of how to secure Windows XP are not necessary.
Assuming the user is willing to spend $0, first, I do not mess with services. No reason. If I enable the XP firewall and set it up to “No Exceptions”, that is all that is needed to protect the computer from remote exploits of vulnerable services.
Yes, yes, some service might have a bug which can be used by a rogue local application to elevate its privileges and harm the computer. Well, virus and worm writers are lazy, they just wait for Microsoft to release a patch and reverse engineer it to find a bug.
Which brings me to the next point: Windows Updates is sure on and definitely installs everything automatically.
It is much safer than to mess with services- after all, the one service you can’t turn off may end up being vulnerable.
Antivirus- yes. Get one from Microsoft for free or find any free one. For extra protection sign with ISP which scans for viruses- plenty of ISPs offer that service for no extra charge. Mine does.
Also, antivirus will add extra protection from rogue applications trying to exploit a bug in a Windows service. Such applications are usually categorized as worms or viruses by any major antivirus vendor.
User must log on to the computer as a regular user, not administrator, that is for sure.
Outlook Express- you can use it. I do. My parents do, too. Just set security settings to not allow opening executable attachments, and use common sense for other settings in Outlook Express security configuration section.
Internet Explorer- you can use it. I do. My parents do, too. Just dumb it down to the safe level: do not allow installation of ActiveX controls, disable Browser Helpers, do not allow installation on demand, and so on, and so on. Properly configured IE will protect you from malware and spyware up to the level of safe browsing even through free of charge adult content web sites (which I never in my life visited, and if I did- only to test security settings in IE:).
Backup- just do it.
That is almost it.
Also, in my opinion: it is wrong to suggest replacing IE with FireFox without discussing how to harden FireFox.
For example, all current versions of FireFox 1.* have an issue with domain name spoofing when UNICODE symbols are used.
The fix is easy: to disable that feature takes a minute or two, but the article does not even suggest checking the Mozilla/Firefox web site to find out if any issues have to be dealt with or patches installed.
++++++++++++++++++++++++++++++++
But I like that article. It shows how flexible Windows is, how much freedom it gives to different people to achieve the same result. You can replace half of commonly used Windows based software, or you can harden virgin Windows install with not much more software added to it than antivirus. Same result achieved- secure OS for common user.
For all of that, you do not need to recompile Windows kernel or have access to Windows firewall sources.
The author’s approach is preferable for users who are completely unfamiliar with the computer, or move to Windows from a different OS. They do not care what browser is provided for them, for example, or what Windows services are turned off.
My approach, just to harden Windows gently:), better fits the situation when the user is familiar with the default Windows environment, wants safe computing but is not very comfortable with ditching the email and web browsing software he or she is accustomed to.
No amount of kludging will fix an inherently flawed design. When will the Windows apologists and profiteers admit that?
When I have my Windows computer infested with spyware, taken by worms and viruses and converted to zombie by hackers through remote vulnerabilities.
Heck, I can even make it easier: when one of the above happens to my parents’ Windows computer I configured for them.
Until then, I will continue to help people like you (but not you:) to set up their Windows computers properly.
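The Firefox 1.* domain spoofing issue mentioned in this comment is the IDN look-alike problem: a host name that mixes Latin letters with one visually identical letter from another script. As an added illustration (not code from the thread or from Mozilla), this Python snippet decodes punycode (xn--) labels and flags any label that mixes scripts, which is the check a defender or mail filter can apply; the look-alike host name used as input is constructed for the example.

```python
import unicodedata


def label_scripts(label: str) -> set:
    """Script names of the letters in one label, taken from the Unicode
    character names (e.g. "LATIN SMALL LETTER A" -> "LATIN").
    Digits and hyphens are script-neutral and are ignored."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def to_unicode(host: str) -> str:
    """Decode any punycode (xn--) labels so look-alike letters can be inspected."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)


def to_ascii(host: str) -> str:
    """Encode a Unicode host name into the xn-- form a browser sends on the wire."""
    return ".".join(
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in host.lower().split(".")
    )


def mixed_script_labels(host: str) -> list:
    """Labels that mix scripts (e.g. Latin plus one Cyrillic letter).
    A non-empty result is the signal to distrust the displayed name."""
    return [lab for lab in to_unicode(host).split(".")
            if len(label_scripts(lab)) > 1]


# Constructed sample: "example.com" whose second "a" is Cyrillic U+0430.
LOOKALIKE = "ex\u0430mple.com"
LOOKALIKE_ASCII = to_ascii(LOOKALIKE)

if __name__ == "__main__":
    for host in ("example.com", LOOKALIKE_ASCII, "пример.рф"):
        flagged = mixed_script_labels(host)
        print(f"{host:30} -> {'MIXED SCRIPT ' + str(flagged) if flagged else 'ok'}")
```

A purely Cyrillic name such as пример.рф is not flagged, since the risk is the mix of scripts within one label, not the use of non-Latin letters as such.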
The main target should be home users for this kind of article. And I agree with Ernst. MOST people do NOT have home networks or know how to connect them. MS should have all this stuff turned off by default and only opened if someone smartly or stupidly turns on services.
Out of the box Windows has pathetic security. Swiss cheese is solid and is like titanium in comparison.
What’s the average time of infection for a Windows computer that has just been purchased and hooked up to the internet and turned on. About 20 minutes. I’d be extremely embarrassed if I worked for MS. Especially if I was Bill Gates. But then he doesn’t give a damn as long as people keep buying.
I don’t anymore. My motto is “anything but Microsoft.” The only thing I’m missing is viruses and spyware and people successfully attacking my computers. My friends are starting to dump MS too as they are sick of having to call me up and have me come over and fix their computers.
Those that have changed to something else tell the others how they don’t have those problems anymore. None of them are techs like I am.
“What’s the average time of infection for a Windows computer that has just been purchased and hooked up to the internet and turned on. About 20 minutes.”
Firewall intentionally turned off. Intentionally not patched. Released in 2001.
Linux distro released in 2001 with firewall turned off and not patched was infected as fast as Windows.
Windows with firewall enabled was not infected for as long as test was running (reported by USA Today).
“My friends are starting to dump MS too as they are sick of having to call me up and have me come over and fix their computers… None of them are techs like I am.”
It would be far-fetched to call a tech someone who does not know how to configure a silly Windows desktop.
XPlite? Check it out if you guys have time. This gets rid of an insane amount of kludge and krap that, when running on your machine, is like inviting every malicious user out there. This is a very nice little gizmo that allows you to get rid of stuff that you have always dreamed of removing from an XP install but never could!! Also http://www.blackviper.com is a great website to check out what services you absolutely will never need. I have my XP install installed as tightly as I thought is fine for me. So far no viruses, malware etc. *knock on wood*
Also, in my opinion: it is wrong to suggest replacing IE with FireFox without discussing how to harden FireFox.
For example, all current versions of FireFox 1.* have an issue with domain name spoofing when UNICODE symbols are used.
If you know enough to fix this issue, do you really need to fix it in the first place? IMHO, if you know what phishing is and still enter a credit card number on a web page as a result of an email you got, then you deserve to be ripped off.
No it wasn’t. In 2001 they were turning off telnetd .
And I’ve witnessed the 20 minute windows nt* issue. Really wish I’d remembered to turn that firewall on! Oh well, gave me reason to move the machine to XP after finding out a day later that cutting 2k Pro support is on the table.
“I wonder, where did author get his XP Pro OEM disk from? OK, OK, it is democratic country: innocent until proven copyright infringing.:)”
I’d suggest looking at Microsoft’s volume licensing plans. My “OEM copy” that, I think you are hinting, I somehow am using illegally, comes from purchasing it through the Microsoft Open License Value program. I bought a volume license for 5 copies of Windows XP Professional to cover all the computers everyone in my family owns. It makes better sense to do it this way since the per-copy cost of Windows XP Professional then approaches the Windows XP Home retail cost at Best Buy.
“Also, antivirus will add extra protection from rogue applications trying to exploit bug in Windows service. Such applications are usually cathegorized as worms or viruses by any major antivirus vendor.”
I’d have to respectfully disagree with you. Anti-virus software does nothing in the way of “protection” from rogue applications. That’s like saying taking penicillin once you have a fever, runny nose, and muscle pain “protects” you from getting the cold – no it doesn’t – it’s too late, you are already sick. At that point you are just exercising damage control.
“For example, all current versions of FireFox 1.* have an issue with domain name spoofing when UNICODE symbols are used.”
It’s not technically an issue – Firefox executes correctly and does exactly what the standard states it should do. Rather it’s the “brilliant” minds who developed what the standard behavior should be that created an issue for any browser that correctly implements this feature.
Missing Target? Well I don’t agree with you. I would in fact like for you to point a single person that reads OS news who is not an end-user. Maybe you should consider that the definition of “end-user” is not someone who has no idea what they are doing with their computer.
To that end, while most end-users in the world don’t need to have networking enabled, I have a feeling that the vast majority of end-users on this site actually do use networking. So since this is being published here for this audience of end-users, I’d think it’s a rather good fit.
Furthermore, most of what I talk about isn’t really something that a person who can’t man an etch-a-sketch would probably attempt to do on his own if he even managed to find this article. However, he might ask his “tech support friend” (aka you) to help him do it, and you can selectively apply things you’ve read here. The assumption is that not everyone here already knows absolutely all of these things – so this is a bit of a heads up to increase your tool-box.
I know when a new Windows vulnerability is exploited. Thousands of zombie win32 computers fill up my firewall logs trying to spread their gifts.
OEM versions of Microsoft products are produced and maintained by the computer manufacturer : IBM, HP and all
These are modified versions of the original product versions, with specific drivers included and an already sysprepped product.
These OEM versions are not supported nor maintained by Microsoft : if you want to open an incident to Microsoft’s support, you’ll be asked to call your computer manufacturer support who maintains this OEM product.
You cannot buy OEM products from Microsoft.
Open or Select licence yes, but no OEM.
Linux distro released in 2001 with firewall turned off and not patched was infected as fast as Windows.
Actually, not quite as fast as Windows. IIRC, it was 20 minutes for a basic Windows install and 72 hours for a basic Red Hat install.
Unless you find a ratio of 1 to 216 to be “as fast”…
“You cannot buy OEM products from Microsoft.
Open or Select licence yes, but no OEM.”
I’m guessing this is directed at me for saying this:
“My “OEM copy” that, I think you are hinting I somehow am using illegally, comes from purchasing it through the microsoft open license value program.”
If you will notice I placed OEM copy in quotation marks because that was the term he used to refer to the kind of version of windows xp professional that I was using in his original statement. I was merely reusing his terminology to answer his statement. You might find its common practice to use the terminology other people use when conversing with them, despite its incorrectness, in order to help them better understand your point.
Rumsfeld can you stop over and configure my Knoppix so that it works properly with my SB Audigy?
It has never worked, on any kernel, yet works fine in windows.
Simply unplug everything from your computer: unplug internet, network, hard drive, floppy, CPU, RAM, disassemble your computer into pieces, then I guess you can have a secured WinXP.
Puzzled by the description of XP as ‘media’.
Then understood – XP is the medium of transmission for computer viruses and worms.
XP sp2 is an improvement but the architecture is the problem.
Vincent,
I apologize for bad OEM XP joke. That was wrong of me. I did not expect you’ll take it that personally.
After all, I am Russian guy, many of my Russian friends run Windows XP Pro and Windows 2003 Server on their desktops and laptops- because they can afford it, for less than $5 per CD.
As for your article, you are trying too hard. I would achieve same results much easier, I believe. But if what you do works for you- good for you.
I would only strongly object to tweaking services. It is not, how can I say it politely, wise to do that. Turning off Windows File Protection just because the MS Game Zone folder bothers you? It is overkill.
As for Antivirus, I do not follow you. For me Antivirus is like a flu shot: it only protects you from known strains of flu. If a previously unknown flu strain hits you, you are as good as dead (for 24-72 hours at least:). That does not make flu shots useless.
To support my point: I am still getting Netsky email worms in emails. My ISP kills them, so I do receive just emails with notifications about virus killed, but if I had a different ISP and not as well hardened Outlook Express as I have, I would definitely need Antivirus to protect me from accidentally launching 6 months old worm.
So, for protection from email worms I have the following: Norton Antivirus installed, Outlook configured not to allow opening of executable attachments, and ISP which scans emails for email worms. That should be enough.:)
Your light attitude to the firewall surprises me. Common sense tells that a firewall enabled, with the “No exceptions” setting turned on, will protect you from Internet-originated compromises easily. The only time it can’t is when a bug is found in the firewall itself, like it was in the SuSE distro of Linux and may happen one day with Windows.
Still, better with a firewall than without. So much better that the firewall should always be on for the computer of a regular home user.
“Actually, not quite as fast as Windows. IIRC, it was 20 minutes for a basic Windows install and 72 hours for a basic Red Hat install.”
According to Red Hat CTO praising SELinux the time for basic Red Hat install compromise was in minutes, not hours.
But I can work with your numbers, too.:)
“Unless you find a ratio of 1 to 216 to be “as fast”…”
Well, to be precise I find it as pathetic.
If you believe that having desktop OS connected to the internet compromised in 72 hours is proof it is inherently more secure- you are not alone. Over 80% of Linux developers interviewed in 2001 thought that Linux is inherently more secure, too.
Talk about perception and reality.
Fast forward to end of 2004 and 2005. Windows XP with firewall enabled, according to USA Today, was not compromised for as long as test was running. That alone is a good argument for firewalls.
You must manually disable Windows firewall on a new Windows computer that has just been purchased, ignore Windows warnings about your stupidity, disable automatic Windows Updates, ignore even more Windows warnings about your stupidity, roll back SP2 and roll back last 6 months of security updates, and after that stay connected to broadband for 20+ minutes to finally get infected and prove that Microsoft sucks and Windows is inherently not secure.
“Actually, not quite as fast as Windows. IIRC, it was 20 minutes for a basic Windows install and 72 hours for a basic Red Hat install.”
“Unless you find a ratio of 1 to 216 to be “as fast”…”
So, in your opinion, having an extra 48 hours of hack-time is worth re-learning an entirely new operating system? One in which there is a fair chance your wireless card will not work, or parts of your sound card/video card will not function, or ACPI… etc, etc, etc. Then there is having to relearn how to use all the “application replacements”, not to mention still having to patch and update the system constantly.
It seems like an awful lot of work for an extra 48 hours to me.
You are comparing two systems that are left unprotected… There is no proof of “who’s the most secure” in there…
I’m using WinXP SP2 at work and Mandrake 10.0 at home. I am quite happy with both of them but the main difference is that I need to continually check my WinXP SP2 for security issues, and at home everything is quite secure and I am not in a paranoid mode every time there is a new issue…
I have to say that my WinXP SP2 is firewalled and protected with anti-virus. The 2.6 GHz CPU seems as fast as my old 486 sometimes, but that is the price to pay to be secured…
Just my two cents…