Tips & Tricks: Securing Windows XP

[cka]

I had a huge post ready to go last night but lost it and didn't feel like typing it out again. Anyway, this is a cumulative list of shit I've read around the internet and have done personally to try and avoid the seemingly rampant security holes that are found on a near weekly basis in Win XP. Some of these tricks also help against malware, worms, and related stuff. You don't have to follow all these rules (especially if you don't understand them - I won't be held responsible if you screw your computer up ), but it's in your best interest to at least keep the information pertained in this thread in mind.


Tip 1: For the love of god use NTFS
First off, if your copy of WinXP is running a FAT filesystem I truly feel sorry for you. NTFS has numerous advantages over FAT, which can be read here (for the record, NTFS5 is only available in XP Professional.) You can convert either by running convert in a dos box/safemode command shell or by formatting your PC and reinstalling windows. Convert has the benefit of not requiring to format, but data loss can happen.

If you've switched to NTFS, and are running XP Pro, what you should do next is encrypt the WINDOWS\Temp and WINDOWS\Cache folders by right-clicking them, going to properties and checking off "encrypt files and folders in this directory" or whatever it may say in the 'Advanced' menu near the attributes checkboxes. Make sure it applies to all sub folders and files too. EFS (Encrypted File System) unfortunately didn't make it into XP Home, which is a damn damn damn shame.


Tip 2: Default Accounts
Here, we're going to do something that's so painfully obvious it hurts me inside: Disable guest and the default administrator account. You can do this by right clicking on My Computer, going into Manage, clicking on Users, and disabling said accounts from there. Before that, however, you should set yourself up a dummy administrator account with a random name and password. It's typically never a good idea to run your computer as an administrator all the time, even if you're the only person running it. You with admin privs + unknowing malicious software download = headache city. Your personal account should be limited and secured properly with a good password.

Tip 3: Remote Desktop & Automatic Updates
Another Neddy no-no here, disable anything related to the Remote Desktop by right clicking My Computer, going to Properties, and disabling everything in the "Remote" tab. And while we're in here, set automatic updates to download at some time when you're either not on the PC because of sleep or work or school. That way patches can be downloaded and installed without much hassle.

I will post more later, and if anybody has any other tips to throw in feel free to go ahead and do so.

[ChaoofNee]

Does Tip 3 include turning off Sharing? If it doesn't, it should.
Should System Restore be off?

[Brotherman]

Does Tip 3 include turning off Sharing? If it doesn't, it should.
Should System Restore be off?

I'm not sure if it's an issue or not, but I know that getting rid of a virus can be a pain if it's on.

I still prefer windows update to automatic update since I like to see what I'm getting, but for those that don't care or simply don't have the time, automatic updates are a better solution.

To add to what cka said, don't use an ID with administrator priviledges. This take trial and error, but play around till you get a settings or rights that is just right for your needs, but don't include the right to install programs and things like that. Instead enable the run as feature by right clicking the file and it should allow you to run the file with admin. priviledges if you know the administrator username and password.

Also, let as few applications on your computer remember passwords as possible. Use a complex password, but also make sure it's something you can keep in your head. At bare minimum, make it 7 units long using any of your alphaneumeric keys. Add things like ! or @ for even more complexity.

As for service pack 2, currently security experts are impressed. They even say that it will be alot harder to create a virus like Sasser or Blaster with the improvements MS has made.

[Ryan]

You can do this by right clicking on My Computer, going into Manage, clicking on Users, and disabling said accounts from there.

I can't find "Users".

[cka]

You on XP Home? Probably another downfall of that... You can probably disable it via safe mode, if all else fails.

[Brotherman]

Disable guest and the default administrator account.

I wouldn't say disable the default admin. as it's what I call the if all else fails account. If XP is like windows 2000 however, you should be able to rename the default admin. account to something else.

[Kenshin]

Tip for WinXP's built-in encryption:
If you reinstall Windows, you're not fucking getting your encrypted files back.

[Psx]

Tip for WinXP's built-in encryption:
If you reinstall Windows, you're not fucking getting your encrypted files back.

If you plan to reinstall windows, you can backup you're encryption key(s) by using the cipher utility from the command line. Then just import the key into the fresh install of windows and you can access your encrypted data again.

[Kenshin]

If you plan to reinstall windows, you can backup you're encryption key(s) by using the cipher utility from the command line. Then just import the key into the fresh install of windows and you can access your encrypted data again.

Most of the time when people reinstall Windows, it's not necessarily planned.

[Rumpy]

yeah.