By Scott Lowe
Where is the pic of the "Do Not connect to raw internet"? A small NAT, IPS, etc. security router such as the Linksys/Cisco RVS4000 costs less than a one-year subscription to any of the paid AV out there, especially if everyone in the house has a system, and will generally last longer than 1 year. I've had mine for almost 2.
OK. Windows XP is 10+ years old by now. I think we can find information on the 'net on how to secure Windows XP. Maybe how to secure Windows 7 would have been more useful?
Compared to standard business environment practices all these suggestions are laughably weak. If anyone has been running XP and these steps represent improvements to their existing security, chances are that their PC has already been infected if not hacked. Several comprehensive freeware security suites are available that are superior to Defender. IE continues to be one of Microsoft's biggest security issues. If all home users were to use Firefox, resist running with Administrator privileges, and use Run As Administrator only after simple checking to see if an application has been reported to be a vector for infection, a Trojan or spam generating adware, their lives would be far more secure.
Windows XP is an excellent OS. You can secure it to the max if you apply these recommendations and some more: 1- Use a good antivirus and keep it updated. Kaspersky, Avast, AVG. 2- Use your Windows and router firewall. A firewall is a good point of defense. If you are paranoid or depending on your sensible files, you can use a third-party firewall on your computer with additional features like advanced rules and other stuff. 3- Rename the admin account but CREATE an ADMIN DECOY account. Audit the use of this account. 4- AV / Firewall / Defender is not enough. You need to lock your IE and registry settings. Use Malwarebytes Anti-Malware or Spybot with TeaTimer. 5- Your regular account must have regular or standard permissions. You need to avoid the use of admin accounts for daily work; only use them for new hardware or software installs / configs. 6- Keep all your software updated!! (Roxio, Nero, Java, IE, Flash). Holes are everywhere!! 7- If your computer is installed in an Internet café, hotel etc. and you don't want changes and you want to minimize risks, install Microsoft SteadyState. With this free app from MS, you can LOCK your computer (any change is lost after restart) or you can block a lot of features (USB, CD, floppy, folders, icons, programs, etc.)
How about applying hardening standards such as CIS? http://cisecurity.org/en-us/?route=downloads.benchmarks
How about renaming the guest account, this is another one that Micro$oft pushed for security as well.
Just curious, I understand the need for screenshots but wouldn't a simple PDF file be easier to use? Then I could print it and USE it without having to go screenshot to screenshot to screenshot.
Changing the user ID name from Administrator to a user name hardly provides added security. Any hacker can figure out who the administrator is. This is much like using WEP to secure a wireless network.
A bit more info about the pros and cons of encryption in step 11 would be wise, as I can't count the number of times I have had people come to me to get their encrypted data back because "someone" told them to delete their user account because of some problem or corruption. No one EVER seems to tell users they should back up their personal encryption certificate immediately after the service has been enabled, nor how to do so. Most users are not on a domain where a recovery agent is created automatically, but most people offering the advice to use EFS are on a domain, so they don't seem to be aware that others have to do manually what is done automatically for them. Might want to link people to a URL such as the following that provides the detail they need: http://www.practicalpc.co.uk/computing/windows/xpencrypt2.htm This link tells them how to back up all their encryption certificates and agent certificates. http://www.practicalpc.co.uk/computing/windows/xpencrypt3.htm
Please sir, tell me how to apply the security policies on a WinXP user account. Whenever I have tried to implement security on the user account, it is also applied to the administrator in Win XP. Please sir, help me with this topic.
I agree Defender is outdated. Great free alternatives like Spybot, Malwarebytes and SUPERAntiSpyware exist. In fact, MSE from Microsoft requires that you remove Defender. Maybe because parts are included within MSE? Point is this is an old article -- excellent as it may be, you need to read with that in mind.
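Added example, not part of the comments above or of the original article: a batch script for a standalone (non-domain) Windows XP machine that backs up the current user's EFS certificate and private key with `cipher /x` and generates a recovery-agent key pair with `cipher /r`, the two manual steps the EFS comment above says users are rarely told about. The backup folder `E:\efs-backup` and the file names are assumptions.

```bat
@echo off
rem Added example: back up EFS keys on a standalone Windows XP machine.
rem BACKUP_DIR is an assumed removable-media path; change it to suit.
setlocal
set "BACKUP_DIR=E:\efs-backup"
set "BASENAME=%BACKUP_DIR%\%USERNAME%-efs"

if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"
if not exist "%BACKUP_DIR%" (
    echo Cannot create %BACKUP_DIR% - is the removable drive attached?
    exit /b 1
)

rem Export the logged-on user's EFS certificate and private key.
rem cipher writes BASENAME.PFX and prompts for a password that protects it.
cipher /x "%BASENAME%"

if not exist "%BASENAME%.PFX" (
    echo No PFX was written; the EFS key has NOT been backed up.
    exit /b 1
)
echo EFS certificate and key exported to %BASENAME%.PFX

rem Generate a recovery-agent key pair: a .CER (certificate only) and a
rem .PFX (certificate plus private key). On a non-domain PC nothing creates
rem a recovery agent for you.
cipher /r:"%BACKUP_DIR%\%USERNAME%-recovery"

rem The .CER must then be added by hand in secpol.msc under
rem Public Key Policies, Encrypting File System, Add Data Recovery Agent.
rem Afterwards, re-key existing encrypted files so the agent can open them:
rem     cipher /u

echo Keep the PFX files and their passwords off this PC.
endlocal
```

To confirm a backup is usable, import the exported `.PFX` into a different user account with the Certificate Import Wizard and open a copy of an encrypted file from there.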
Maybe this sounds picky, but there's really only two useful items in your list that weren't already mentioned in the article. Quid-pro-quo: 1 - (covered) Antivirus is mentioned on Image 12 as "Step 5: Install and anti-virus software package" All of the current packages are distributed with some type of online update subscription. 2 - (covered) On the same Image 12, it reads "Step 6: Use a third-party software firewall and hardware [router] firewall" 3 - (omitted on purpose) Creating a decoy Admin account is clever, but also risky. Some bona-fide software (especially a/v packages) are buggy about this and may actually break or encounter both false-positive [excessive limitations] as well as false-negative [non-detections] with a "fake" Administrator. Just audit the use of actual Administrator account. I'm not surprised that this was left out. 4 - (mostly covered) TFA fully admits, "Defender is far from your only choice..." Updating IE to 7 or 8 will integrate Defender features, which is also (sort of) mentioned. Those 3rd-party packages are not necessary to do that. 5 - (covered) If you look at Image 6, it says right on Step 2, "Don't run with an administrative account unless necessary" 6 - (implicit) TFA does cover how to keep Windows platform updated. If there's someone here that doesn't see the need to update applications/drivers, I doubt they would have joined TR in the first place. Regardless, you have a point in that individual apps should be regularly updated along with Windows itself. 7 - (irrelevant) I think the case for SteadyState is when you install Windows XP as the basis for a public (pay-per-use) workstation. This is way beyond the scope of TFA and should be grouped with reviews of e-cafe packages and other pay-per-use security frameworks. Good point, but wrong article. You have 4/7 for supplementing the article, but only half of those count as new or relevant information. 
In the future, you would do well to read the entire article before judging its omissions.
The article references IE7 because it was originally written in 2007. This is just a repost without any updated information.
The download version is a PDF. http://downloads.techrepublic.com.com/abstract.aspx?docid=304246
Ali40961, This gallery is also available as a TechRepublic blog post (http://blogs.techrepublic.com.com/window-on-windows/?p=472) and download (http://downloads.techrepublic.com.com/abstract.aspx?docid=304246).
This post is a bit late as it goes, but after reading the post and considering the audience for whom the text seems to be directed (that being a user with one or both legs on the 'beginner admin' side of the fence), it seems only decent to post a word of caution or three regarding Windows XP on-disc encryption use. I state the following words of caution from the perspective of one who has himself been burned by non-discretionary use of both Windows XP 'private folders' and folder encryption. The things that make XP encryption great are, unfortunately, the same very things which make it a bit dangerous. That is, dangerous if the data you place and accumulate on your pc is of any value. I think it's safe to assume most people would answer such a question with, "duh". With regard to answering the XP User Accounts setup and password entry question of "Make folders private?" with an affirmative mouse click, keep this in mind. If you should ever either forget your password or for any reason cannot access your pc via the standard Windows user account method, you can pretty much kiss everything on the pc residing in "Documents and Settings" goodbye. Sure, nobody can view or modify anything within these directories without logging in via the good, old fashioned method. But....in the event that someone is you, "...up the creek". I've found over a number of years it's USUALLY best just to answer the "Make folders private" question with a mouse click of negative intent. Encrypting other directories and/or files via the manual Windows XP encryption method is basically the exact same thing. The only difference is the above mentioned user account encryption automatically decides which directories will be protected. The manual method just enables the user selection of those folders to be encrypted. I personally make solid use of the manual folder encryption method, primarily for things like password storage for online accounts, etc. 
Once again, just keep in mind the data can be snatched from your desperate keyboard molded fingers if you should ever lose access via the XP user login process. In all fairness, it is possible to back up the XP encryption keys in case the unthinkable occurs. However, plan on some head scratching while discerning how this is to be performed, and then again when attempting to determine whether the disc in your hand containing the backed up keys is actually valid. Sound advice for the novice folder and file encryption junkie.
I have run across this problem myself, and below is how I solved this problem. Note that these directions are from my admittedly poor memory, so they may not be exact. What I do is use the NTFS file permissions to deny administrators all access to the group policy folder (should be C:\WINDOWS\system32\Group Policy). When you want to change policy, just uncheck the deny policy, apply, make your changes (gpedit.msc), and then reapply the administrator-deny ntfs settings in Windows Explorer.
Number 6: I have been installing software such as Secunia PSI to help users stay up to date with all these apps. Good article, I downloaded the PDF version and will be sharing this with those that need to 'wake up' and keep it more secure.
While the overall article is a re-post, there was clearly some updated info. It's pretty evident from the very first paragraph; "Vista and Windows 7 have been out for a while..." That would certainly have NOT been the case in 2007. Granted, they could have done more to update the information. (e.g., mention SP3/IE8 and current A/V packages) A fine article, nonetheless, and a worthwhile read for anyone wanting to brush-up on some "healthy paranoia" for this roughly ten-year-old platform.
This is so much better - thank you. The ever increasing use of slide shows for everything across the web is crazy.
I believe the question was, "How do I apply this policy without it affecting administrators?" I too have run into this.
Was that a real question - how do I put a GP on the administrator account??? Disable remote access, filter TCP - real basic stuff - but don't lock yourself out of your house.