
Windows XP security guide


AnX


I know loads of people who still wish to use Windows XP as their main OS, and I'm cool with that for the most part.

So to help them out, I've created a security solution that should help secure your PC.

1: Set a password on the Admin account(s), and use a Standard account for everyday use.

2: Install the following software:

2a: avast! Free Antivirus: http://www.avast.com/en-in/index

2b: Comodo Firewall: http://personalfirewall.comodo.com/

2c: Malwarebytes' Anti-Malware: http://www.malwarebytes.org/

You should be all set then. The type of security provided here is quite high, such that it's more secure than your average supported OS ;)



Also, do not use Internet Explorer! Get Firefox, Chrome or Opera if you can stand having no bookmarks. Opera now has some little heart things now instead of bookmarks. Forget what it's called now. Then immediately install Adblock (It has a feature that Adblock Plus for Chrome lacks - the resource list) for Chrome and/or Adblock Plus for Firefox. Additionally, NoScript for FF and for Chrome it's built in under chrome://settings/content. It's a pain whitelisting all the sites so even though I have it I disabled it after a week. Too lazy to use it. :crazy:


?"Every kind of Firewall"? ANY firewall is OK. Routers are (usually) Incoming Only, MS is DEFINITELY Incoming Only (AFAIK) and is a "pain" to set up the "blocks" (look into the "TCP Filtering" on your NIC), but it's a -good- thing to replace MS' with one that does Incoming+Outgoing. "Error Reporting" is kind of irrelevant (but perhaps an unnecessary Service) since it just "disturbs" you to say "NO, don't send my Crash to MS". Mine's still on and I don't worry about it - usually it's IE6 that goobers (nope, haven't "upgraded" yet). Other than that, all of the above (in some form or another).

TCP Filtering...


Yeah, I should have said it like this ...

- Put the computer behind a Broadband Router ( Network Hub + Hardware Firewall with NAT + Wi-Fi )

Security-wise it is important because many packets will never even get to the computer in the first place as the hardware firewall tosses them away, which should actually increase overall performance since the computer CPU and Windows no longer have to handle them. Let the crappy Windows or 3rd party software firewall deal with whatever remains.

It's also nice to have logs to look at and also to have the ability to manually jump into the router firmware to do things that are normally a pain in Windows ( parental lock, site blocking, port forwarding, whatever ). Goodbye Facebook.

Since pretty much all routers combine a hardware firewall, a network hub, and Wi-Fi all in one, it is simply crazy to not plunk down the $50 or $100 and get one ASAP. They have become even more useful as time has passed. For example I still come across people who are sitting in their house blabbing on their cellphones using cellular rather than Wi-Fi even though their phone can easily do it. A router is a vital device in the home today.


?"Every kind of Firewall"? ANY firewall is OK. Routers are (usually) Incoming Only, MS is DEFINITELY Incoming Only (AFAIK) and is a "pain" to set up the "blocks" (look into the "TCP Filtering" on your NIC), but it's a -good- thing to replace MS' with one that does Incoming+Outgoing. "Error Reporting" is kind of irrelevant (but perhaps an unnecessary Service) since it just "disturbs" you to say "NO, don't send my Crash to MS". Mine's still on and I don't worry about it - usually it's IE6 that goobers (nope, haven't "upgraded" yet). Other than that, all of the above (in some form or another).

About "Error Reporting" ... this thread mentions Windows XP so it is absolutely unnecessary to have that feature enabled since nothing is ever going to come of any crash reports sent to Microsoft. Indeed they could use the reports as a clue as to how to kill Windows XP even quicker if they were so inclined. Moreover, there are reports now of Error Reports being potentially used by hackers to identify exploitable bugs. Truthfully I don't know if this has been completely fleshed out ( i.e., does disabling the feature in the GUI or killing the service actually stop Watson from actually writing the file or just transmitting it ). But I think killing "Error Reporting" is a step in the right direction on Windows XP, though you are probably right that it isn't a critical security checklist feature with what we know so far.

About Routers ... they are not incoming only, perhaps such devices exist but I have never seen one. Even in the simplest firmware there are broad parental controls, but there is much more than that on most. You easily can manage your network per chassis ( via MAC ) or as a monolith blocking outbound comm via ports, protocols, services, or to specific sites by address or even using keywords found on a site *** ( good for parents, you can drive your know-it-all computer geek kids crazy :lol: ). The point is that the Router ( HUB/Firewall/Wi-Fi ) is truly a configurable I/O firewall these days, and is absolutely vital. And perhaps the most important reason of all is that all filtering/blocking/logging/everything is done off the computer, hence no computer CPU or I/O bandwidth or storage or anything is ever spent. Anything accomplished there is a "freebie" ( well after you spend the $50 ) that spares computer resources and performance. There is no software firewall or any kind of software that can do anything without using the computer resources and must by definition lower performance. Routers should be viewed as a kind of home super-PBX that deals with all incoming/outgoing comm traffic but with value-added features like wireless and details management, or, they can simply be seen as a super filter standing between the broadband modem and the computer/network. Truthfully I cannot imagine a single good reason to NOT have one considering what is going on these days. DISCLAIMER: I do NOT sell routers. :lol:

*** that last example, "block site by keywords" obviously has an inbound component to it as well. Indeed it is almost splitting hairs talking about Inbound/Outbound since they actually overlap. A good router design should block the outgoing comm to a banned site so that the request never gets there ( better for the overall Internet too ) rather than sending the request to the banned site and then blocking the received pages. I think the only difference to the end-user will be what error page or feedback they receive. Kind of interesting subject though ( "What is the best way to do this kind of thing?" ).

Edited by CharlotteTheHarlot

DISCLAIMER: I do NOT sell routers. :lol:

But you would be a good router seller :yes:.

Though I also don't sell routers, nor other hardware, JFYI I have found a (of course cheap ;)) way to fully control network traffic (additional/before the DSL router).

Basically you can get for a handful of bucks (between 20 and 40) an oldish "terminal", I have found that excellent ones are Fujitsu Siemens Futro 200/300, add a 5 bucks NIC and install to it (or use an old USB stick) either Zeroshell (Linux) or Monowall (BSD).

jaclaz


1: Set a password on the Admin account(s), and use a Standard account for everyday use.

Why this?

Why the password or why the standard account?

The password for "Administrator" will prevent non-Admin users from running any dangerous command line or batch file with same or any application that requires Administrator level privilege. This includes malware accidentally executed by that user. Note that when I say "any", I actually mean most. Some might say some. :lol: Leaving the password blank is a bad idea because the bad guy or hostile script or malware ( or the good guys as well ) wouldn't need to know it in order to RUNAS or other things. This is a highly recommended item.

The use of a Standard Account just expands that concept to day-to-day experience, it means that most of the time that user will be prevented from most risky activities, by accident or intention. He ( or the hostile script or malware ) would need to specifically provide the Administrator password to proceed, or, switch users which takes time.

Nothing is perfect by a long shot, but some things are closer to perfect than others. Using an umbrella will keep you mostly dry. Using a condom ... you can figure it out :whistle:


MBAM free is fine. I believe the main difference is that the realtime component is what they want you to pay for.

In fact, when you install MBAM free, be aware that the default checkboxes in the setup in fact enable the realtime component as free trial.

Speaking for myself I avoid realtime protectors because I don't like them spending CPU and other things for dubious purposes. There is also the possibility that the realtime component will either be passive or passive-aggressive, the former means that it simply spots potential problems and prompts you, the latter will revert suspicious changes and may or may not let you decide.

So when I install MBAM, I disable the free trial, and use it entirely on-demand. And indeed, it is very good. I love it how it takes maybe 5 seconds to update the signatures while Windows Update takes some minutes to update MSSE signatures.

Added: I don't know what MBAM realtime actually does ( aggressive or not ), perhaps someone else can comment. I do know that MBAM focuses heavily on scanning the registry for suspicious entries, so it may very well lock down and protect keys, or it may not.

Edited by CharlotteTheHarlot
