The Digital Lifestyle Guide to Securing Windows XP

By Jake Ludington
Copyright Notice
About the Author
Introduction
Establishing a Security Baseline
  Blank or simple passwords
  Computer File System
  Disable the Guest Account
  Limit Administrator Accounts
  More Administrator Changes
  Turn Off AutoLogon
  Password Expiration
Beyond the Baseline
  Prevent Everyone Access
  Disable Unnecessary Services
Software Updates
Protect Your Internet Passwords
Firewalls
Anti-virus Software
Spyware Detection and Removal
Data Backups
Wireless Security
  Step 1: Change the password for your wireless router
  Step 2: Turn off broadcast SSID
  Step 3: Use MAC address filtering
  Step 4: Enable the best encryption available
Don't Get Scammed
Conclusion
Copyright Notice
© 2003-2004 Ludington Media, Inc. All rights reserved. Distributed as part of
the Digital Lifestyle Guide series. Unauthorized copying of this material is
strictly prohibited. If you received this document without paying for it, please
visit jakeludington.com and register.
About the Author
Jake Ludington has written a variety of guides and tutorials for Windows and
Macintosh users. He is a Microsoft Certified Systems Engineer and regularly
provides support to home and corporate Windows users. For more of Jake
Ludington's writing, including a free subscription to his Digital Lifestyle
newsletter, visit jakeludington.com.
Find more tutorials online, including:
Converting VHS to DVD
Converting Vinyl LPs and Cassettes to CD
Creating a Child-Safe Home Office
Introduction
Despite Windows XP being the most secure consumer operating system Microsoft
has shipped, plenty of room for improvement remains. Many of the security
features included with Windows XP are not turned on by default. A user
account with no password is open to anyone with a basic understanding of
Windows. Unless the vendor who built your computer bundled it, anti-virus
software is not part of Windows, and if you do have it, it is only as good
as its most recent update.
Anti-virus software isn't the only thing requiring updates; Windows and your
other software need them too to keep your system safe. If you have an
always-on broadband connection, your computer is exposed to attackers around
the clock (more so if you use wireless).
If something bad happens, do you have a backup plan?
All of a sudden, security sounds like a full-time job. It doesn't need to be.
With proper planning ahead of time, you can protect yourself from viruses
and threats from beyond your home PC without quitting your day job.
Establishing a Security Baseline
Before you can improve your computer's security, you need to establish your
current level of security. Microsoft offers one of the best free tools for testing
computer security, but they don't make it very easy to find.
The Microsoft Baseline Security Analyzer (MBSA) scans for missing security
updates for Windows, Internet Explorer, and Windows Media Player. It also
checks the macro security settings of your Microsoft Office applications,
tests whether local accounts have blank or weak passwords, and reviews a
number of other settings vital to securing your data (open shares, the Guest
account, the file system type, and so on).
You can download the MBSA free of charge from Microsoft TechNet.
After completing download and installation, launch the application by
navigating to Start/All Programs/Microsoft Baseline Security Analyzer.
Click the link that says Scan a computer.
Choose which options you want to scan. Most home users can uncheck the
boxes next to IIS vulnerabilities and SQL vulnerabilities, since neither
product is installed on a typical home PC.
Click on Start Scan to begin the security checkup.
Scanning takes a few minutes, and the computer needs an Internet connection
so MBSA can download Microsoft's current list of security updates.
Once the scan is complete, MBSA provides a security report detailing the
state of your system. On my system, the Security Assessment indicates a
Potential Risk.
Results are summarized by type of security update first. This system has 5
updates that MBSA cannot confirm are installed; in most cases this means you
need to install something. Clicking Result Details in any of these sections
provides a detailed list of what is missing. In my case, a few things need
updating.
In addition to scanning for missing updates, Baseline Security Analyzer
checks a variety of other danger zones on your PC.
Areas requiring correction include:
Blank or simple passwords
MBSA looks for user accounts with blank passwords or passwords that are
too short. It is good practice to use passwords that are at least 8
characters long and contain at least one number, one capital letter, and one
special character like '*' or '$'. This might seem harder to remember than
using your pet's name or child's date of birth, but it's also harder for
intruders to guess, and it defeats password-guessing programs that simply
try every word in a dictionary. If your pet's name is Spot, even something
like 'Sp0tTheD*g' is far harder to guess than 'Spot' or 'spot'.
A great tool for generating strong passwords is a random password
generator, like the free Quicky Password Generator. AI RoboForm also
includes a random password generator.
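As an added example (not from the guide or from either product named above), here is a small Python script that applies the rule above to a handful of sample passwords, reports a blank password separately the way MBSA does, and generates a password that passes using the operating system's cryptographic random number generator rather than a predictable one:

```python
import secrets
import string

# Policy as stated in the guide: at least 8 characters with at least one
# digit, one capital letter and one special character such as '*' or '$'.
MIN_LENGTH = 8
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"


def check_password(password):
    """Return a list of policy failures; an empty list means the password passes.
    A blank password is reported on its own, since that is the first thing
    MBSA flags and nothing else about it matters."""
    if password == "":
        return ["blank password"]
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c.isupper() for c in password):
        failures.append("no capital letter")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def generate_password(length=12):
    """Generate a random password that satisfies check_password().
    secrets.choice() draws from the OS random source, unlike random.random(),
    whose output an attacker who knows the seed could reproduce."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):   # retry until every rule is met
            return candidate


if __name__ == "__main__":
    # Constructed sample passwords, including the guide's own examples.
    for pw in ["", "spot", "Spot", "Sp0tTheD*g", generate_password()]:
        problems = check_password(pw)
        print("%-16r %s" % (pw, "OK" if not problems else ", ".join(problems)))
```

The loop in generate_password rejects candidates that happen to miss a character class instead of forcing one character of each class into fixed positions, which would make the result slightly less random.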
Computer File System
When Windows XP is installed, you are given the option to use either FAT32
or NTFS as the computer's file system. Unless you are dual-booting between
Windows XP and Windows 98 or Me, don't use FAT. FAT is very insecure: it has
no file permissions at all, so the only control you have is the permission on
a shared folder. If someone gains access to your system, or you share a
folder, everything in that folder is open for them to view.
NTFS carries permissions on every individual file and folder, so you can
share a folder yet make only certain files within it available, and keep
other people out of the rest entirely. NTFS also supports the Encrypting File
System (EFS), which encrypts individual files and folders so that they can be
read only by the account that encrypted them, providing an additional layer
of security if the drive is removed or the computer is stolen.
If your computer was originally formatted using FAT, Windows XP can convert
the drive to NTFS in place (the conversion is permanent and cannot be
undone, so make a backup first). Microsoft offers an easy method for making
the conversion; just follow these steps:
1. Click Start, and then click Run.
2. Type 'cmd' in the Run line, then hit the ENTER key, which launches a
command prompt.
3. At the command prompt, type this:
convert {drive}: /fs:ntfs
replacing {drive} with the letter of the drive you want to convert. For
example, to convert your D: drive you would type:
convert d: /fs:ntfs
The computer will display the following in the command prompt window:
The type of the file system is FAT.
Enter the current volume label for drive D:
Type the label shown for that drive in My Computer and hit the ENTER key.
The label is asked for as a safeguard against converting the wrong drive; it
is not the drive letter, and if the drive has no label the question is
skipped. If the drive is in use (it is your Windows drive, or files on it
are open), convert offers to perform the conversion the next time the
computer restarts; answer Y and reboot.
Once your drive is converted to NTFS the command prompt will indicate:
Conversion complete
4. Quit the command prompt by typing 'exit' or clicking the X in the upper
right hand corner.
Another bonus of using NTFS is escaping the FAT32 limit of 4GB on a single
file. An NTFS file can be as large as the volume itself, and a basic disk in
Windows XP can be up to 2TB, bigger than any drive currently available to
consumers. If you've never had files bigger than 4GB, wait until you start
editing home movies on your computer; the files get big fast.
Disable the Guest Account
Windows XP includes a 'Guest' user account, which lets people log in to a
computer where they have no account of their own. Guest belongs to the
Guests group, which is more restricted than a regular user, but it still
lets anyone who reaches your machine over the network read whatever is
shared, and it shouldn't be necessary in most cases.
In Windows XP Home, 'Turn off the guest account' only removes Guest from the
Welcome screen; the account stays enabled behind the scenes because Simple
File Sharing, which XP Home always uses, handles every network visitor as
Guest. So on XP Home, also give the account a long, difficult password, in
order to prevent intruders from exploiting this security hole.
To disable the Guest account or change the Guest password go to:
Start/Control Panel/User Accounts
To disable:
Click on the Guest user, and then click Turn off the guest account
To change password:
Click on the Guest user, and then click Change the password and input a
password.
Limit Administrator Accounts
The Windows XP Administrator account is a powerful tool. Administrators have
absolute control of all parts of the Windows XP operating system, which also
means that any virus or spyware that runs while an administrator is logged
in has that same control. In addition to the built-in Administrator account,
it's possible to give other users administrative access. In order to keep
your system secure, Microsoft recommends giving administrator privileges to
no more than two accounts on any machine, and using a Limited account for
everyday work. This reduces the chances of someone really screwing up your
system by having too much access.
More Administrator Changes
Another trick for making administrator access more secure is renaming
Administrator to something else. This doesn't stop anyone from breaking in,
and it doesn't hide the account from tools that look it up by its security
identifier (the built-in Administrator always carries the well-known
relative ID 500, whatever it is called), but it does eliminate
Administrator as the obvious name to try when guessing passwords for full
control of your computer.
Some people go a step further: they rename the real Administrator, then
create a new account named Administrator with minimal privileges and a
long, complicated password. If the system is probed and the password for
the decoy "Administrator" is discovered, the intruder will be sadly
disappointed to find they don't have administrative level access, and the
attempt tells you someone is knocking on the door.
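To see why renaming is only a partial disguise, here is an added Python example (not from the guide) that audits a list of local accounts. The list is constructed for the example: each account's name, whether it is in the Administrators group, and its security identifier (SID), which on a real machine you would read with a tool such as Sysinternals PsGetSid (not covered by this guide). The script identifies the genuine built-in Administrator by the fixed relative ID 500 at the end of its SID regardless of its current name, flags an account named Administrator that is not the real one, and checks the two-administrator limit:

```python
# Constructed sample of one XP machine's local accounts:
# (account name, SID, member of the local Administrators group?)
ACCOUNTS = [
    ("Jake",          "S-1-5-21-1004336348-1177238915-682003330-1003", True),
    ("Kids",          "S-1-5-21-1004336348-1177238915-682003330-1004", False),
    ("Roommate",      "S-1-5-21-1004336348-1177238915-682003330-1006", True),
    ("Administrator", "S-1-5-21-1004336348-1177238915-682003330-1005", False),  # decoy
    ("SysOwner",      "S-1-5-21-1004336348-1177238915-682003330-500",  True),   # renamed built-in
    ("Guest",         "S-1-5-21-1004336348-1177238915-682003330-501",  False),
]

# Well-known relative identifiers (RIDs) Windows assigns to the built-in
# accounts; they never change, even when the account is renamed.
BUILTIN_ADMIN_RID = 500
BUILTIN_GUEST_RID = 501
MAX_ADMINS = 2   # the guide's recommendation


def rid(sid):
    """The relative identifier is the last dash-separated component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def audit(accounts):
    """Report the real built-in Administrator, any decoy using that name,
    and whether too many accounts hold administrative rights."""
    admins = [name for name, _, is_admin in accounts if is_admin]
    builtin_admin = [name for name, sid, _ in accounts if rid(sid) == BUILTIN_ADMIN_RID]
    decoys = [name for name, sid, _ in accounts
              if name.lower() == "administrator" and rid(sid) != BUILTIN_ADMIN_RID]
    guest_is_admin = any(rid(sid) == BUILTIN_GUEST_RID and is_admin
                         for _, sid, is_admin in accounts)
    return {
        "builtin_admin": builtin_admin[0] if builtin_admin else None,
        "decoys": decoys,
        "admins": admins,
        "too_many_admins": len(admins) > MAX_ADMINS,
        "guest_is_admin": guest_is_admin,
    }


if __name__ == "__main__":
    report = audit(ACCOUNTS)
    print("Built-in Administrator (RID 500) is really:", report["builtin_admin"])
    print("Accounts named Administrator that are decoys:", report["decoys"])
    print("Administrators:", report["admins"],
          "(more than the recommended %d)" % MAX_ADMINS if report["too_many_admins"] else "")
```

An intruder's tools do the same lookup in reverse, asking Windows for the name that belongs to RID 500, which is why the rename buys obscurity against password guessing rather than real protection.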
Turn Off AutoLogon
AutoLogon might save you a couple of seconds typing in your password; it
also means anyone who sits down at your computer has the same access to your
data as the account that is automatically logged in when the system is
turned on. It also means that account's password has to be stored on the
computer so Windows can supply it at startup.
If you have roommates or your computer gets stolen, turning off AutoLogon
helps keep unwanted eyes from browsing through your personal information.
This is also smart if you have small children who might be curious about the
computer. While kids are harmless in terms of identity theft, they might
accidentally delete your accounting files or some other important document if
given unrestricted access to your system.
To turn AutoLogon off, click Start, then Run, type 'control userpasswords2'
and hit ENTER, then check the box next to Users must enter a user name and
password to use this computer, and click OK.
Password Expiration
Remembering a new password may be frustrating, but it's considerably less
painful than having your personal information stolen. Creating a new
password every 60-90 days helps keep your system safe, and change it at
once if you think someone may have learned it. Really aggressive security
experts recommend password changes once every 45 days.
Beyond the Baseline
Prevent Everyone Access
By default, Windows XP allows Everyone to access things like shared printers,
and shared folders are set up the same way. If your home or office has more
than one computer, remove the Everyone entry from each share's permissions
and replace it with Authenticated Users, forcing anyone who wants to use a
shared resource to have a username and password on your machine. On Windows
XP Professional you first need to turn off Simple File Sharing (Start/Control
Panel/Folder Options, View tab, uncheck Use simple file sharing); while it is
on, every network visitor is treated as Guest no matter who they are, and
per-user permissions have no effect. Windows XP Home cannot turn Simple File
Sharing off. This may seem inconvenient at first, but it closes an obvious
hole potentially impacting your entire home or office network.
Disable Unnecessary Services
Windows XP runs services, programs used by the operating system, in the
background. Some of them are unnecessary in most home and small office
environments. Turning off unnecessary services frees up system resources,
like memory and CPU cycles, and closes potential security holes, because a
service that isn't running can't be attacked.
To view the services available on your system, click on:
Start/Control Panel/Administrative Tools/Services
Right click on the service you want to disable and choose Properties from
the menu.
Disable a service by clicking the Startup Type dropdown menu and choosing
Disabled. If the service is currently running, click the Stop button, then
click OK for your changes to take effect. Make a note of the original
startup type (Automatic or Manual) so you can put it back if something
stops working.
The following services are ones most users can disable without any impact
on their computing experience.
Messenger - Don't worry, this isn't Instant Messenger. Messenger transmits
messages between clients and servers. This service is commonly exploited to
send advertisements. Disable this service to eliminate junk transmissions and
close a potential security hole.
NetMeeting Remote Desktop Sharing - If you don't use NetMeeting,
disable this service. It allows a remote computer to share your desktop. If
you do use NetMeeting, but only infrequently, disable this service. Enable it
on the rare occasions when you need it.
Remote Desktop Help Session Manager - This manages sessions for
Remote Assistance. If it is disabled, Remote Assistance won't work. Disable
this service until you need Remote Assistance.
Remote Registry - This service allows remote computers to modify Registry
settings on your machine. Most people never encounter a need for this
service; disable it.
Routing and Remote Access - Unless you dial in to your machine when
you are away from home, disable this service.
SSDP Discovery Service - This discovers Universal Plug and Play devices on
your home or office network. Disable this service for more security.
Telnet - Enables users to log on remotely to a command line interface on
your system over an unencrypted connection. Disable this service to prevent
unnecessary access to your system.
Universal Plug and Play Device Host - Designed to automatically connect
your computer to network-enabled appliances, this service has few, if any,
practical applications for a home user. Disable it together with SSDP
Discovery. The one side effect you may notice is that programs which rely
on UPnP to open ports on your router for you (MSN Messenger and some games
do) will need those ports opened by hand.
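As an added example (not from the guide), the Python script below reads the output of Windows XP's built-in 'sc query state= all' command, which lists every installed service with its internal name and state, picks out the services listed above by their internal names, and prints the 'sc' commands that stop and disable them, the command-line equivalent of the Properties dialog steps. The sample output embedded in the script is constructed for the example; on a real machine you would save the real output with 'sc query state= all > services.txt' and pass that file name on the command line.

```python
import re
import sys

# Internal service names (as shown by "sc query") for the services in the
# list above, mapped to the display names the Services console shows.
UNNECESSARY = {
    "Messenger":      "Messenger",
    "mnmsrvc":        "NetMeeting Remote Desktop Sharing",
    "RDSessMgr":      "Remote Desktop Help Session Manager",
    "RemoteRegistry": "Remote Registry",
    "RemoteAccess":   "Routing and Remote Access",
    "SSDPSRV":        "SSDP Discovery Service",
    "TlntSvr":        "Telnet",
    "upnphost":       "Universal Plug and Play Device Host",
}

# Constructed excerpt of "sc query state= all" output from an XP machine.
SAMPLE = """\
SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""


def parse_sc_query(text):
    """Return {internal service name: state} from sc query output."""
    services = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)   # e.g. "STATE : 4  RUNNING"
        if m and current:
            services[current] = m.group(1)
    return services


def plan(services):
    """Return the sc commands that stop (if running) and disable each
    unnecessary service actually present on the machine."""
    commands = []
    for name, state in services.items():
        if name not in UNNECESSARY:
            continue            # DHCP Client and friends are left alone
        if state == "RUNNING":
            commands.append("sc stop %s" % name)
        # sc's parser requires the space after "start="
        commands.append("sc config %s start= disabled" % name)
    return commands


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for command in plan(parse_sc_query(text)):
        print(command)
```

The printed commands can be pasted into a command prompt opened from an administrator account; the 'sc config' line is what the Startup Type dropdown changes, and 'sc stop' is the Stop button.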
Software Updates
From the moment you first install Windows XP, or take your new computer
out of the box, Windows XP requires updates. Windows Update checks for new
updates automatically, with the option to download and install them
automatically as well (Start/Control Panel/System, Automatic Updates tab).
If you prefer more control over your system, at the very least make sure
Windows Update is keeping you informed when new updates are available, and
install the ones marked Critical promptly.
One place Microsoft fails at keeping the desktop safe is unification of its
update systems. To keep Microsoft Office current, you must run Office
Update, which is completely separate from Windows Update and isn't even
integrated with Office:
http://office.microsoft.com/officeupdate/
Check for Office updates at least once each month (set a reminder in your
calendar). For an additional reminder, subscribe to E-mail News About Office,
which always includes information about updates as they become available:
http://www.microsoft.com/office/using/newsletter.asp
Protect Your Internet Passwords
Making your Internet passwords simple (or all the same) is tempting,
because every site seems to require a password. It's virtually impossible to
remember dozens of passwords without simplifying some part of the process.
The best solution for maintaining strong passwords without losing your mind
is installing a password management tool. This category of software securely
stores all your Internet password data behind one master password, with the
added feature of logging you in to your favorite sites automatically.
AI RoboForm, mentioned several times throughout this guide, works as a
password management tool, automatic Web form filler, and random password
generator. AI RoboForm protects your data with DES encryption. DES has been
a U.S. federal standard since 1977, but its 56-bit key is short by today's
standards (a purpose-built machine recovered a DES key by brute force in
under three days in 1998), so treat it as a convenience rather than strong
protection if your computer is stolen. A free version of AI RoboForm is
available from JakeLudington.com.
AccountLogon is the password manager I prefer. AccountLogon uses Blowfish
with a 448-bit key, the longest key that cipher supports and far beyond the
reach of any brute-force attack. In addition to strong encryption,
AccountLogon keeps password data encrypted at all times, even while your
passwords are active in the computer's memory. AccountLogon offers
additional protection by automatically locking your passwords when your
computer remains inactive for a specified period of time. A feature-limited
free version of AccountLogon is available from JakeLudington.com.
Firewalls
Firewalls come in two varieties, hardware and software, and for maximum
security using both is a good strategy. Windows XP has a built-in software
firewall, available to all users, that provides a good first line of
defense. On the original release of Windows XP and Service Pack 1 it is
called Internet Connection Firewall (ICF) and is off by default, so you
need to turn it on. (Service Pack 2 replaces it with Windows Firewall,
which is on by default and managed from Control Panel/Security Center.)
If you haven't already, turn the Windows XP firewall on following these
steps:
1. Click Start and then Control Panel, followed by Network and Internet
Connections.
2. Click Network Connections
3. Double-click your Internet connection
4. Click Properties
5. Click the Advanced tab
6. Check the box under Internet Connection Firewall
The Internet Connection Firewall blocks connections that come in from the
outside unless they are replies to something your computer asked for, or
you have explicitly opened that port with the Settings button on the same
tab. It does not stop programs already on your computer, including spyware
or a virus, from connecting out to the Internet without your permission.
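To make that distinction concrete, here is a small Python model of the inbound-only behaviour described above. It is an added example, not code from the guide or from Microsoft, and the packet trace is constructed: a browser connection and its reply, two unsolicited probes at the Windows file-sharing and RPC ports, and a program "phoning home". The model lets every outbound connection through and remembers it, allows an inbound packet only when it answers a remembered connection or hits a port you explicitly opened, and drops everything else; the real ICF also tracks UDP and ICMP, which this model leaves out.

```python
# Constructed packet trace as the firewall sees it:
# (direction, protocol, remote address, remote port, local port)
TRACE = [
    ("out", "tcp", "203.0.113.5",  80,   1025),  # browser opens a Web page
    ("in",  "tcp", "203.0.113.5",  80,   1025),  # the server's reply
    ("in",  "tcp", "198.51.100.7", 4455, 445),   # unsolicited probe at file sharing
    ("in",  "tcp", "198.51.100.7", 4456, 135),   # unsolicited probe at RPC
    ("out", "tcp", "192.0.2.9",    80,   1026),  # spyware phoning home
    ("in",  "tcp", "192.0.2.9",    80,   1026),  # its reply
    ("in",  "tcp", "198.51.100.7", 4457, 80),    # connection to a Web server on this PC
]


class InboundFirewall:
    """Model of a stateful host firewall like ICF: outbound traffic is always
    allowed and remembered; inbound traffic is allowed only as a reply to a
    remembered connection or to a port that was explicitly opened."""

    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)   # the Settings button's list
        self.sessions = set()               # connections this PC started

    def decide(self, direction, proto, remote_ip, remote_port, local_port):
        key = (proto, remote_ip, remote_port, local_port)
        if direction == "out":
            self.sessions.add(key)          # no egress control at all
            return "ALLOW"
        if key in self.sessions or local_port in self.open_ports:
            return "ALLOW"
        return "DROP"                       # unsolicited: silently discarded


def run(trace, open_ports=()):
    """Return the firewall's decision for each packet in the trace, in order."""
    fw = InboundFirewall(open_ports)
    return [fw.decide(*packet) for packet in trace]


if __name__ == "__main__":
    for packet, verdict in zip(TRACE, run(TRACE)):
        print("%-5s %s" % (verdict, packet))
```

The two probes are dropped and the browser's reply gets through, which is what ICF buys you; the spyware's outbound connection is allowed without question, which is the gap a third-party firewall with outbound control fills.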
For more advanced protection, I recommend a third-party firewall such as
Sygate Personal Firewall, which is free for personal use and, unlike the
built-in firewall, also asks before a program on your computer is allowed
to connect out:
http://smb.sygate.com/products/spf_standard.htm
If you connect to the Internet using cable or DSL, adding a hardware firewall
is a good additional measure. A home router with a built-in firewall is
available for under $75 at your local electronics store or online, and it
also hides your computer behind the router's own address, so unsolicited
connections from the Internet never reach your PC at all.
For your convenience, I've compiled an Amazon search of available products
in the Routers and Firewalls category.
Anti-virus Software
If you don't have an anti-virus application installed on your computer, it's
only a matter of time before something bad happens.
If you already have a solution...
Update your anti-virus software religiously!
Set the automatic update to check for new virus definition files at least once
a week, if not daily.
AVG Anti-Virus, from Grisoft, is the most affordable anti-virus solution:
there is a free version for home users. The interface is simple to work
with and, while it lacks a few features found in the commercial version,
AVG Free Edition will keep you virus free as long as you keep it up to date.
Download your copy of AVG Free Edition here:
http://www.grisoft.com/us/us_dwnl_free.php
After downloading the software, follow the installation instructions. The
install process does require a valid serial number, which is obtained by
providing a valid e-mail address.
To date, I know of no instances where Grisoft has used an e-mail address for
anything other than sending you this serial number.
The AVG install process allows you to turn on three components: AVG
Resident Shield, AVG E-mail Scanner, and AVG Control Center.
Keeping all three active provides you with maximum protection. Since the
most common method for virus spreading is via e-mail, I recommend turning
on the AVG E-mail Scanner, at the very least. You will be prompted to reboot
following installation.
The first time you run AVG, it asks you to check for updates. Do this; the
build you downloaded may not contain the most recent virus definitions.
After the update has completed, you will be returned to the Update screen,
where you can click Skip Update to avoid being stuck in an infinite update
loop.
Next, the software asks you to create a rescue disk. This helps recover your
system in the event a virus slips through. Always have a backup plan.
After creating your rescue disk, you are prompted to test your computer.
This step makes sure your computer is virus free, so you aren't unknowingly
running an infected machine.
Following the system test, AVG is ready to protect your system.
Click the Continue button to perform additional configuration.
AVG provides easy access to all features.
Notice each of the buttons on the left provides indication of status for the
features; with the Virus Database button letting you know the date of your
current virus definition files.
By default, AVG schedules a complete system check every 24 hours at 1:00
a.m. If 1:00 a.m. is a time when you frequently use your system, change the
time to one that won't inconvenience your computing habits.
Right-clicking the AVG logo in your task bar accesses AVG Control Center.
To configure automatic updates, click the Update Manager tab.
By default, Allow Scheduled Update is scheduled to run if the database is
older than 14 days. I recommend checking for updates at least weekly, if not
daily, especially because new virus outbreaks seem to occur more and more
frequently.
Spyware Detection and Removal
Spyware is best defined as software that reports information about your
usage habits to a computer somewhere else on the Internet, without your
knowledge. Most spyware installs itself on your system using tactics that are
less than scrupulous, often attempting to automate the install process when
you visit Web sites, or by installing itself bundled with other applications.
Fortunately, software is available to help you remove spyware. Many of these
applications are even free. The application I currently use and recommend is
SpybotSD.
After installation, launch SpybotSD by navigating to Start/All
Programs/Spybot - Search & Destroy/Spybot S&D (easy mode).
An advanced mode allows you to configure more options, but the easy mode
provides a solid introduction to the program.
Launching the program lets you choose your language preference.
Notice English is not represented by the U.S. or British flags.
Next, Spybot warns you that eliminating advertising robots from your system
may make programs not function. If you are currently using an application
like Gator, which is spyware and should be removed from your system, I
recommend downloading AI RoboForm first, and importing your Gator
settings. AI RoboForm will not spy on you; in addition, it works even better
for filling online forms.
Click the Search & Destroy link to start scanning your system.
Notice, my system has several cookies and Gator related entries. Once the
scan is complete, click Fix selected problems at the bottom of the screen.
If for some reason, a Spybot repair disabled an otherwise harmless app, you
can fix your app by visiting the recovery screen.
For additional protection, Spybot will install a blocker to prevent your system
from downloading files that are known spyware products.
The one downside to using SpybotSD is a lack of customer support. If
something goes wrong, you've got to rely on your own skill to solve the
problem. SpybotSD does a great job of finding and eliminating spyware,
however, if you prefer a solution with customer support I recommend trying:
GhostSurf Pro, which does all the blocking of spyware offered by SpybotSD,
in addition to blocking pop-ups, and offering additional privacy protection
Spy Sweeper, which actively protects your system from spyware, neutralizing
and quarantining Internet nasties, similar to the way anti-virus software
stops viruses.
Data Backups
If you aren't backing up your data on a regular basis:
You deserve to lose it!
I repeat, if you don't backup your data regularly, you deserve to lose it!
Am I being too harsh? No!
Hard drives fail or get corrupted all the time. An angry spouse or child might
delete important data. A virus will potentially wipe out many of your
important files. A malicious cracker could break in and delete or corrupt your
important files.
If you don't have a backup strategy in place, you will either lose your data,
or spend thousands of dollars to get it back.
Windows XP comes with a built-in backup solution, leaving no excuse for not
making regular backups of your data.
XP Home users will need to install Backup from their Windows XP Home CD.
To find Backup on the CD, open the VALUEADD folder, then navigate to
MSFT\NTBACKUP\NTBACKUP.MSI
Double click NTBACKUP.MSI and follow the install wizard.
Once it's installed, the built-in backup solution is found under Start/All
Programs/Accessories/System Tools/Backup
The first time you run this application, a wizard launches, guiding you
through the process of setting up a backup.
If you store most of your important information under the My Documents folder,
choosing the first option will save the majority of your information.
Selecting Let me choose what to back up, makes sure you backup things like your
e-mail files, Quicken, ACT, MS Money, and other important data.
Choosing a location for the backup is an important step. A backup that
lives only on the same hard drive as the originals disappears along with
them, so it has to end up somewhere else. If your only viable option is to
burn your backup to CD, save the backup file to your hard drive first and
then burn a copy. If you have an external hard drive or a second computer,
backing up your data to one of those locations before burning a CD gives
you two copies and makes sure you don't lose your data.
For an even simpler way to grab all the important stuff, Eazy Backup can
gather all your important information and back it up for you. Eazy Backup
will save your data from Outlook, Outlook Express, Incredimail, MS Money,
Quicken, Quick Books, ACT, AI Robo Form, My Documents, and a number of
other user-specified options.
Eazy Backup isn't free, but it's easier to configure than the built-in
solution. You can download a free trial version of Eazy Backup from
JakeLudington.com.
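A backup you have never tried to read back is a guess, so here is an added Python example (not from the guide, the Windows Backup utility or Eazy Backup) that does the one thing neither tool makes obvious: it copies a folder tree to a backup location, writes a list of SHA-256 checksums next to the copies, and later re-reads every copied file and compares it with the list. The folder contents are constructed in a temporary directory so the script runs anywhere; for real use, point backup_tree at your My Documents folder and an external drive, and run verify_backup again after burning a CD, against the CD.

```python
import hashlib
import os
import shutil
import tempfile

MANIFEST = "MANIFEST.sha256"


def sha256_of(path):
    """Hash a file in chunks so large video files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_tree(source, destination):
    """Copy every file under source to destination (keeping timestamps) and
    write a manifest of relative path -> SHA-256 next to the copies.
    Relative paths use '/' so the manifest reads the same on any system."""
    manifest = {}
    for root, _, files in os.walk(source):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source).replace(os.sep, "/")
            dst = os.path.join(destination, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_of(src)
    with open(os.path.join(destination, MANIFEST), "w") as f:
        for rel in sorted(manifest):
            f.write("%s  %s\n" % (manifest[rel], rel))
    return manifest


def verify_backup(destination):
    """Re-hash every file named in the manifest; return the relative paths
    that are missing or whose contents no longer match."""
    bad = []
    with open(os.path.join(destination, MANIFEST)) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            path = os.path.join(destination, *rel.split("/"))
            if not os.path.isfile(path) or sha256_of(path) != digest:
                bad.append(rel)
    return bad


def demo():
    """Back up a constructed My Documents tree, verify it, then show the
    verification catching a copy that was damaged on the backup media."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "My Documents")
        dst = os.path.join(work, "Backup")
        os.makedirs(os.path.join(src, "Finances"))
        with open(os.path.join(src, "letter.txt"), "w") as f:
            f.write("Dear Aunt Sue,\n")
        with open(os.path.join(src, "Finances", "budget.csv"), "w") as f:
            f.write("rent,850\n")
        manifest = backup_tree(src, dst)
        clean = verify_backup(dst)
        with open(os.path.join(dst, "Finances", "budget.csv"), "w") as f:
            f.write("rent,0\n")            # a bad burn or a flaky disk
        damaged = verify_backup(dst)
        return sorted(manifest), clean, damaged
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    files, clean, damaged = demo()
    print("backed up:", files)
    print("problems right after backup:", clean)
    print("problems after the copy was damaged:", damaged)
```

Keep the manifest with the backup and a second copy elsewhere; if a CD comes back with one bad file, the list tells you which one to restore from the other copy.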
Wireless Security
With the widely pervasive use of wireless Internet connections, securing
those connections is becoming a growing concern. Protecting your data while
you are connected to a public wireless service is an even bigger concern. If
you haven't taken steps to block any shared volumes on your computer,
anyone connected to the public wireless network may have access to your
shared volumes while you are also connected.
If you haven't already, follow the steps in the section on firewalls to make
sure you are keeping unwanted visitors out of your system. Requiring
authentication to access your shares, as outlined in the section Beyond The
Baseline, is also recommended. An even better idea would be to create a
special user with no shared volumes, which you use to login to public
networks.
Even your home wireless network is not safe. The kid next door might have
wireless too. He's going to be able to connect to your network unless you
take the appropriate steps to lock down your network.
Step 1: Change the password for your wireless router
Changing the default password may seem obvious, but few people actually
do this. The default passwords for the various routers are readily available
in free downloadable product manuals. Outsiders wanting access to your
network know where to find these passwords and will try the default
password in order to take control of your router.
The good news is, if someone takes over your router, you can regain control
by using the reset button. Keep in mind that a reset puts the router back to
its factory settings, default password included, so repeat all four steps
afterwards.
Step 2: Turn off broadcast SSID
This won't stop anyone serious about gaining access to your wireless
network, since the network name is still sent in the clear every time one of
your own computers connects and a sniffer will see it, but it does eliminate
the casual bandwidth borrower.
Step 3: Use MAC address filtering
This doesn't mean you are using an Apple computer. MAC address filtering
allows only computers you list to connect to your wireless network. A MAC
address is a hardware-specific number unique to each network card, including
your wireless card.
To find your computer's MAC address, click the Start button and then click
Run. In the Run line, type 'cmd' and hit ENTER. This launches a command
prompt window. In this window, type 'ipconfig /all' followed by the ENTER
key, to display all the vital details about each network card in your
computer.
In the section headed Wireless Network Connection, look for the Physical
Address. The six pairs of letters and numbers following the colon on that
line, separated by dashes, are the MAC address of your wireless card. Your
wireless router should have a section where you can turn on MAC address
filtering and enter this information.
Enabling MAC filtering keeps the majority of outsiders from using your
bandwidth. It is not a lock, though: MAC addresses travel unencrypted in
every wireless frame, and most cards let their owner change theirs, so a
determined intruder simply copies an address from your allowed list.
Below is an example of MAC address filtering for a D-Link router. Notice
D-Link automatically grabs the MAC address of my machine, making it easier
to enter the information into the router.
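For those who would rather not pick through the ipconfig output by hand, here is an added Python example (not from the guide) that parses the output of 'ipconfig /all', picks out the Physical Address of any adapter that looks like a wireless card, and rewrites it in the forms router filter pages ask for (with dashes as XP prints it, with colons, or as twelve hex digits). The ipconfig text inside the script is a constructed sample in XP's layout with invented names and addresses; to use it for real, save the output with 'ipconfig /all > ipconfig.txt' and pass that file name on the command line.

```python
import re
import sys

# Constructed sample of "ipconfig /all" output from a Windows XP laptop
# (host name, adapter descriptions and addresses invented for this example).
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : JAKE-LAPTOP
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0C-F1-56-98-AD

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter
        Physical Address. . . . . . . . . : 00-04-23-6A-7E-1F
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.101
"""

# A field line: indented name, a run of dots and spaces, a colon, the value.
FIELD = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 ()-]*?)[ .]*:\s?(?P<val>.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from ipconfig /all output."""
    adapters = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # section header such as "Ethernet adapter X:"
            name = line.rstrip(":")
            if " adapter " in name:
                name = name.split(" adapter ", 1)[1]
            current = adapters.setdefault(name, {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("val").strip()
    return adapters


def wireless_macs(adapters):
    """Physical Address of every adapter whose name or description says wireless."""
    result = {}
    for name, fields in adapters.items():
        if "wireless" in (name + " " + fields.get("Description", "")).lower():
            mac = fields.get("Physical Address")
            if mac:
                result[name] = mac
    return result


def format_mac(mac, sep=":"):
    """Normalize a MAC to the form a router's filter page expects:
    XP prints 00-04-23-6A-7E-1F; routers variously want 00:04:23:6A:7E:1F
    or 0004236A7E1F."""
    hexonly = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", hexonly):
        raise ValueError("not a MAC address: %r" % mac)
    return sep.join(hexonly[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, mac in wireless_macs(parse_ipconfig(text)).items():
        print("%s: %s  %s  %s" % (name, format_mac(mac, "-"), format_mac(mac, ":"), format_mac(mac, "")))
```

The validation in format_mac catches the common mistake of copying the IP Address line instead of the Physical Address line, which would otherwise be silently accepted by some routers' forms.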
Step 4: Enable the best encryption available
While MAC address filtering keeps outsiders from using your network, it
won't keep them from "seeing" what you are doing on it. Wireless networks
broadcast information using radio waves, making your transmissions
available to anyone with the right equipment to receive them. This is where
encryption comes in.
Most wireless routers offer Wired Equivalent Privacy (WEP) encryption. WEP
encrypts the information traveling between your computer and the router,
with the goal of making it about as private as a regular wired connection.
Routers advertise it in 64-bit (often labeled 40-bit; the other 24 bits are
a per-packet value that is sent in the clear), 128-bit, and sometimes
256-bit variations. Use the strongest one available, but understand its
limits: WEP's known weaknesses are in how it reuses its RC4 key stream, not
in the length of the key, so a patient attacker who captures enough traffic
can recover a 128-bit key almost as quickly as a 64-bit one. Treat WEP as a
deterrent, not a guarantee.
Newer wireless products now support Wi-Fi Protected Access (WPA), and from
the end of 2003 it is required for newly certified equipment. WPA improves
on WEP by making the encryption keys dynamic. The way WEP works, the one
key never changes, so once someone cracks it they can read everything. With
WPA, a fresh key is derived for every packet and the keys are changed on a
periodic basis, making it considerably harder for crackers to find a way
through the encryption. If your wireless router and Wi-Fi card support WPA,
use it, and pick a long, random passphrase rather than a word from the
dictionary: in the home (WPA-PSK) mode, an attacker who records one of your
computers joining the network can test passphrase guesses offline at
leisure, so a short passphrase is the weak link.
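The key stream reuse problem is easy to see in a few lines, so here is an added Python example (not from the guide, and a simplified model of WEP rather than a full 802.11 implementation) built on a real RC4 implementation: the 24-bit IV is sent in the clear and prepended to a constructed 104-bit key, two frames end up with the same IV, and an eavesdropper who knows the contents of one frame (a Web request they can guess or provoke) reads the other without ever learning the key. The last function counts how many frames a card choosing random IVs sends before one repeats; it is typically a few thousand, so on a busy network a repeat happens within minutes.

```python
import random
import zlib


def rc4_keystream(key, length):
    """Standard RC4: key scheduling followed by the pseudo-random generation loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP's integrity check value: a plain CRC-32, appended before encryption."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(key, iv, plaintext):
    """One WEP frame body: the 3-byte IV travels in the clear and is prepended
    to the shared key to form the per-packet RC4 key."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key, frame):
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    data, check = body[:-4], body[-4:]
    if icv(data) != check:
        raise ValueError("ICV mismatch")
    return data


def keystream_reuse_attack(known_frame, known_plaintext, target_frame):
    """Without the key: recover the key stream from a frame whose plaintext is
    known, then strip it from any other frame that carries the same IV. The
    key's length (40 or 104 bits) makes no difference to this step."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("attack needs two frames with the same IV")
    keystream = xor(known_frame[3:], known_plaintext + icv(known_plaintext))
    return xor(target_frame[3:], keystream)   # as many bytes as the key stream covers


def frames_until_iv_repeat(seed=1):
    """How many frames a card picking random 24-bit IVs sends before one repeats."""
    rng = random.Random(seed)
    seen = set()
    while True:
        iv = rng.getrandbits(24)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)


# Constructed values for the demonstration.
KEY_104 = bytes.fromhex("0123456789abcdef0123456789")   # a "128-bit WEP" key
IV = bytes.fromhex("123456")
KNOWN = b"GET /index.html HTTP/1.0\r\n"                # guessable request
SECRET = b"password=Sp0tTheD*g&user=jake"


def demo():
    """Two frames share an IV; the eavesdropper recovers the second from the first."""
    frame1 = wep_encrypt(KEY_104, IV, KNOWN)
    frame2 = wep_encrypt(KEY_104, IV, SECRET)     # the same IV, reused later
    return keystream_reuse_attack(frame1, KNOWN, frame2)


if __name__ == "__main__":
    print("recovered without the key:", demo())
    print("frames before an IV repeated:", frames_until_iv_repeat())
```

WPA's TKIP avoids this by mixing a 48-bit per-packet counter into the key so the same key stream is never produced twice in a session, and by rejecting replayed counters; that is the "dynamic keys" improvement in practical terms.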
For further information on Wireless Networking, I highly
recommend the Peachpit book, Wireless Networking Starter Kit.
Don't Get Scammed
Deception is the most likely way someone will violate your privacy.
Microsoft never sends security patches as e-mail attachments. They never
have, they never will. Recent deceptive e-mail transmissions would like you
to believe otherwise. Don't be fooled! The message actually links to a real
virus.
Anytime you get a message suggesting you need an update from Microsoft,
check Windows Update first. If the update is real, it will be available from
Windows Update. Fake updates will not appear on the Microsoft site.
Other recent scams have involved e-mail messages attempting to trick users
into giving out their PayPal passwords and / or eBay information. These email messages are also fake. Someone is trying to get your information so
they can steal your money. Don't be fooled!
Companies storing your personal information will never ask you to verify
information via e-mail. If they do, consider switching companies. E-mail is
one of the least secure methods for transmitting sensitive information.
Conclusion
While there are many danger zones, keeping your computer safe isn't
impossible. Tools exist to make the job easier, automating the process of
keeping your data safe from would-be spies and thieves. Many of these tools
are built-in to Windows XP.
To create a secure computing environment, remember these steps:
Find out where security holes in your computer are located.
Close security holes, either with software solutions, or by keeping your
system up-to-date.
Take preventative measures, by using software to keep out hackers, virus
infections, and spyware.
Don't blindly trust everything you read. Investigate before you take action on
any information that might negatively impact your operating system or your
personal data.