Windows

How do I... Secure Microsoft Windows XP Professional?

This site is on the list of phishing websites to avoid.

Step 9: Disable unnecessary services
Every service on your Windows XP system performs a function. However, not everyone needs every service. Every running service increases the "attack surface" of your Windows XP system. In short, an unnecessary running service has code running in your computer's memory that could be buggy and could be exploited by others to gain access. So, reduce your computer's attack surface by disabling services that you simply don't need. If you need to know which services are safe to disable and what the ramifications might be for each disabled service, use TechRepublic's Windows XP Services that can be Disabled spreadsheet.

For a look at how to enable and disable Windows XP services, watch this short video.

Step 10: Upgrade to Internet Explorer 7
Internet Explorer is widely considered to be the most insecure browser out there. Internet Explorer 7 aims to correct some of the product's shortcomings. IE 7 is available through Automatic Updates, and is also available for download from Microsoft. IE 7 includes these new features that help to protect your system:

  • A phishing filter: Helps to avoid accidentally giving your personal information away to criminals. When you browse to a known phishing site, the address bar turns red and IE7 informs you that the site is listed as a phishing site.

32 comments
Who Am I Really
Who Am I Really

where is the pic of the: > "Do Not connect to raw internet"? a small NAT, IPS, etc. Security router such as the Linksys/Cisco RVS4000 costs less than one year subscription to any of the Paid AV out there, especially if everyone in the house has a system and will generally last longer than 1 year I've had mine for almost 2

Gis Bun
Gis Bun

OK. Windows XP is 10+ years old by now. i think we can find information on the 'net on how to secure Windows XP. Maybe how to secure Windows 7 would of been more useful?

engsoft
engsoft

Upgrade to IE7? Why not IE 8?

ps.techrep
ps.techrep

Compared to standard business environment practices all these suggestions are laughably weak. If anyone has been running XP and these steps represent improvements to their existing security, chances are that their PC has already been infected if not hacked. Several comprehensive freeware security suites are available that are superior to Defender, IE continues to be one of Microsofts' biggest security issues. If all home users were to use Firefox, resist running with Administrator privileges, and use Run As Administrator only after simple checking to see if an application has been reported to be a vector for infection, a Trojan or spam generating adware, their lives wild be far more secure.

acer516
acer516

thanks for the extra security info I applied alot of it.Tech republic is great

alexisgarcia72
alexisgarcia72

Windows XP is an excellent OS. You can secure to the max if you apply this recommendations and some more: 1- Use a good antivirus and keep it updated. Karpersky, Avast, AVG. 2- Use your windows and Router firewall. A firewall is a good point of defense. If you are paranoic or depending on your sensible files, you can use third party firewall in your Computer with additional features like advanced rules and other stuff. 3- Rename the admin account but CREATE an ADMIN DECOY Account. Audit the use of this account. 4- AV / Firewall / Defender is not enough. You need to lock your IE and registry settings. Use Antimalware bytes or Spyboot with teatimer 5- You regular account must have regular or standard permissions. You need to avoid the use of admin accounts for daily work, only use it for new hardware or software install / configs. 6- Keep all your software updated!! (Roxio, Nero, Java, IE, Flash). Holes are everywhere!! 7- If your computer is installed in an Internet caf?, Hotel etc and you don't want changes and you want to minimize risks, install Microsoft Steady State. With this free app from MS, you can LOCK your computer (any change is lost after restart) or you can block lot of features (usb, cd, floppy, folders, icons, programs, etc)

ghbgiest
ghbgiest

Why IE 7 Yes we all know IE 6 has problems but why not IE 8. Isn't IE8 a better defense than IE 7.

dariced
dariced

It is especially helpful for us semi-novices :-) Dawn D.

lbindustries1
lbindustries1

How about renaming the guest account, this is another one that Micro$oft pushed for security as well.

snoozun
snoozun

Seems like pretty basic information to me.

ali40961
ali40961

Just curious, I understand the need for screenshots but wouldn't a simple PDF file be easier to use? Then I could print it and USE it without having to go screenshot to screenshot to screenshot.

cheth
cheth

Changing the user ID name from Administrator to a user name hardly provides added security. Any hacker can figure out who the administrator is. This is much like using WEP to secure a wireless network.

edodaniel
edodaniel

A bit more info about the pros and cons of encryption in step 11 would be wise as I can't count the number of times I have had people come to me to get their encryupted data back because "someone" told them to delete their user account because of some problem or corruption. No one EVER seems to tell users they should should backup their personal encryption certificate immediately after the service has been enabled nor how to do so. Most users are not on a domain where a recovery agent is created automatically but most people offering the advice to use EFS are on a domain so they don't seem to be aware that others have do do manually what is done automatically for them. Might want to link people to a URL such as the following that provides the detail they need: http://www.practicalpc.co.uk/computing/windows/xpencrypt2.htm This link tells them how to back up all their encryption certificates and agent certificates. http://www.practicalpc.co.uk/computing/windows/xpencrypt3.htm

zoranm
zoranm

Brilliant at all. Simple, clear, useful. I wish you all best. Zoran Mijanovic

cbrown0754
cbrown0754

Very informative and easy to follow - Thanks!

pintoosingla
pintoosingla

please sir tell me how to apply the securities polices on WinXP user account. whenver i have tried to implement securities on the user account, these are also aplied to admiistrator in win Xp. Pls sir help me in this topic

fred64
fred64

I agree Defender is outdated. Great free altenatives like Spybot, malwarebytes and super antispyware exist. In fact, MSE from Microsoft requires that you remove Defender. Maybe because parts are included within MSE? Point is this is an old article -- excellent as it may be, you need to read with that mind.

Duggeek
Duggeek

Maybe this sounds picky, but there's really only two useful items in your list that weren't already mentioned in the article. Quid-pro-quo: 1 - (covered) Antivirus is mentioned on Image 12 as "Step 5: Install and anti-virus software package" All of the current packages are distributed with some type of online update subscription. 2 - (covered) On the same Image 12, it reads "Step 6: Use a third-party software firewall and hardware [router] firewall" 3 - (omitted on purpose) Creating a decoy Admin account is clever, but also risky. Some bona-fide software (especially a/v packages) are buggy about this and may actually break or encounter both false-positive [excessive limitations] as well as false-negative [non-detections] with a "fake" Administrator. Just audit the use of actual Administrator account. I'm not surprised that this was left out. 4 - (mostly covered) TFA fully admits, "Defender is far from your only choice..." Updating IE to 7 or 8 will integrate Defender features, which is also (sort of) mentioned. Those 3rd-party packages are not necessary to do that. 5 - (covered) If you look at Image 6, it says right on Step 2, "Don't run with an administrative account unless necessary" 6 - (implicit) TFA does cover how to keep Windows platform updated. If there's someone here that doesn't see the need to update applications/drivers, I doubt they would have joined TR in the first place. Regardless, you have a point in that individual apps should be regularly updated along with Windows itself. 7 - (irrelevant) I think the case for SteadyState is when you install Windows XP as the basis for a public (pay-per-use) workstation. This is way beyond the scope of TFA and should be grouped with reviews of e-cafe packages and other pay-per-use security frameworks. Good point, but wrong article. You have 4/7 for supplementing the article, but only half of those count as new or relevant information. In the future, you would do well to read the entire article before judging its omissions.

jgrazz
jgrazz

The article references IE7 because it was originally written in 2007. This is just a repost without any updated information.

edodaniel
edodaniel

and you will see that you can download it.

Starrdaark
Starrdaark

This post is a bit late as it goes, but after reading the post and considering the audience for whom the text seems to be directed (that being a user with one or both legs on the 'beginner admin' side of the fence), it seems only decent to post a word of caution or three regarding Windows XP on-disc encryption use. I state the following words of caution from the perspective of one who has himself been burned by non-discretionary use of both Windows XP 'private folders' and folder encryption. The things that make XP encryption great are, unfortunately, the same very things which make it a bit dangerous. That is, dangerous if the data you place and accumulate on your pc is of any value. I think it's safe to assume most people would answer such a question with, "duh". With regard to answering the XP User Accounts setup and password entry question of "Make folders private?" with an affirmative mouse click, keep this in mind. If you should ever either forget your password or for any reason cannot access your pc via the standard Windows user account method, you can pretty much kiss everything on the pc residing in "Documents and Settings" goodbye. Sure, nobody can view or modify anything within these directories without logging in via the good, old fashioned method. But....in the event that someone is you, "...up the creek". I've found over a number of years it's USUALLY best just to answer the "Make folders private" question with a mouse click of negative intent. Encrypting other directories and/or files via the manual Windows XP encryption method is basically the exact same thing. The only difference is the above mentioned user account encryption automatically decides which directories will be protected. The manual method just enables the user selection of those folders to be encrypted. I personally make solid use of the manual folder encryption method, primarily for things like password storage for online accounts, etc. Once again, just keep in mind the data can be snatched from your desperate keyboard molded fingers if you should ever lose access via the XP user login process. In all fairness, it is possible to backup the XP encryption keys in case the unthinkable occurs. However, plan on some head scratching while discerning how this is to be performed, and then again when attempting to determine whether the disc in your hand containing the backed up keys is actually valid. Sound advice for the novice folder and file encryption junkie.

ctrogers
ctrogers

I have run across this problem myself, and below is how I solved this problem. Note that these directions are from my admittedly poor memory, so they may not be exact. What I do is use the NTFS file permissions to deny administrators all access to the group policy folder (should be C:\WINDOWS\system32\Group Policy). When you want to change policy, just uncheck the deny policy, apply, make your changes (gpedit.msc), and then reapply the administrator-deny ntfs settings in Windows Explorer.

justagallopin
justagallopin

number 6 I have been installing software such as Secunia psi to help users stay up to date with all these apps. Good article, I downloaded the pdf version and will be sharing this with those that need to 'wake up' and keep it more secure.

Duggeek
Duggeek

While the overall article is a re-post, there was clearly some updated info. It's pretty evident from the very first paragraph; "Vista and Windows 7 have been out for a while..." That would certainly have NOT been the case in 2007. Granted, they could have done more to update the information. (e.g., mention SP3/IE8 and current A/V packages) A fine article, nonetheless, and a worthwhile read for anyone wanting to brush-up on some "healthy paranoia" for this roughly ten-year-old platform.

gcrook
gcrook

This is so much better - thank you. The ever increasing use of slide shows for everything across the web is crazy.

porlex
porlex

I find no group policy folder as mentioned

Frostyone
Frostyone

I believe the question was." How do I apply this policy without it affecting administrators" I too have ran into this

quintar51
quintar51

You could also just deny admin 'apply group policy' permission when setting up your GP.

Stimpi
Stimpi

Was that a real question - how do I put a GP on the administrator account??? Dis able remote access, filter TCP - real basic stuff - but don't lock your self out of your house.