Securing Windows XP

Introduction

Windows XP is riddled with security holes. Studies have shown that a computer with a freshly installed, unpatched, unsecured copy of Windows XP will generally be overrun with viruses after a few minutes of being connected to the Internet.

Worms, a certain kind of virus, take advantage of security holes in software and use those holes to spread. Once infected with a worm, your machine will start to search the Internet for more computers which have the same security hole, and the worm will spread to each one it finds. This means that your computer is not just infected with a virus, it is also helping other computers become infected.

Note: having written that, I realise that a lot of people may need to print this article, so I grant permission to print this under the following conditions: you do not modify the copyright message, and you recycle the paper after use.

This tutorial has been written to complement my earlier tutorial Optimizing Windows XP. The aim is to remove all of the unnecessary security holes from Windows XP, and hopefully in doing so make it unlikely to contract viruses or be hacked into. Please note however that I am NOT a security expert. My knowledge and experience in this area result from years of programming and general computer tinkering. Please make sure you follow instructions carefully, and if you are worried about doing something then I recommend you don't do it. Also remember to back up your data before following these instructions. I will accept absolutely no responsibility for any damage to yourself, others, your equipment, files, or anything else resulting from following these instructions. In other words: use at your own risk!

Notes: (1) Some of this information may also be applicable to Windows 2000, but this has not been tested! (2) Hyperlinks in this article will open in a new window

Step 1: the essentials...

The first thing that you should do with Windows (and especially on a new install) is download the latest patches from Microsoft. If for some reason you do not want to install any patches or service packs then you can still lock down your installation without them, but I don't recommend it, as any holes in your security would leave old Windows security flaws wide open.

The problem with patching is that you will need Internet access to do it, and as soon as you connect, you could be bombarded with viruses. If you connect to the Internet through a hardware router or firewall then you should be defended against the incoming traffic. At this point I would advise the following: if you know you are behind a router, continue with the patching instructions. Otherwise, install a software firewall and virus scanner first.

Patches

At the time of writing, the latest major Windows service pack is Service Pack 2. The easiest way to download this and extra patches is by using Automatic Updates. This page contains information on how to activate and use Automatic Update, and tells you how to download SP2 manually. The updater will need several hours to download all of the updates. For this reason you may find it quicker to download SP2 manually, and forego installing any other patches. This especially applies if you have a dial-up connection, in which case you will have to ask someone else to download it for you and put it on CD. If you have a fast enough connection then I recommend leaving your computer on overnight to download the updates.

Firewalls, virus and spyware scanners

A firewall, in case you don't know, is something which prevents certain data from passing across a network link. In this case you need a firewall primarily to prevent other computers on the Internet from connecting to yours without permission and infecting your computer with viruses.

Now Windows XP already has a basic firewall and for most users it should be sufficient. If you're slightly more paranoid then you'll want to download a third party firewall which will let you explicitly determine which programs may access the Internet, and the rules they must follow. I recommend Outpost Firewall (download the free version, and if it asks you to update once you've installed it, don't - it only wants to make you switch to the pro version. If you find that you like Outpost then you should consider paying for the pro version). You will have to read the manual to learn how to use this program however, as there isn't room to go into detail here.

If you've decided to stick with the built-in firewall, then follow these steps to activate it. Note: you may find that it is already turned on, especially if you've installed Service Pack 2.

  • Go into control panel (from start menu/settings/control panel or in 'my computer')
  • Go to 'network and Internet connections'
  • Your connection will be in here. What exactly is in this folder depends on your connection: if you use a router, then there will probably be an icon labelled 'Local Area Connection'. Otherwise, it will be called something else (like 'DSL dialer')
  • Right click on your connection and click on 'properties'
  • In either case go to the 'advanced' tab and make sure the check box below 'Internet Connection Firewall' is checked
  • Make sure to click 'ok' to save the changes

Next you need a virus scanner. I recommend the free AVG scanner. This program is very good, and one of the most popular virus scanners available.

Finally you may wish to install a decent spyware scanner. Spyware is a term applied to a lot of different things which are designed to collect demographic data and/or offer you targeted advertising. Some of these things are quite malicious while others are relatively harmless, but I guarantee that none of them serve a useful purpose good enough to outweigh the risk they pose to privacy and security, as well as how much slower they can make your computer. I personally use and recommend Spybot: Search and Destroy.

Step 2: Prevention...

If you've followed those steps then you probably think your computer is pretty secure now... well I wouldn't bet on it. There are two programs from Microsoft which I would never trust.

The first is Internet Explorer. If you ran Spybot S&D (or another spyware scanner) and found a ton of spyware, then I can say with 99% certainty that almost all of it got on your computer through Internet Explorer's lax attitude towards security. It is quite easy to write malicious code on a webpage which can change your homepage, put links in your favourites, and even install software to monitor things you type into forms online. Internet Explorer is one of the biggest threats to your security. So what can you use instead? Well a very good browser (and one that I use) is Firefox. This browser is free, very secure, more stable, and quite well designed. Try it out even if you're sceptical - if it doesn't impress you, uninstall it.

And the second program? Microsoft Outlook Express... while it isn't anywhere near as bad as Internet Explorer, it has some problems. There are two options: you can replace it, or continue using it but with some changes to its settings. Now I will admit I still use it in Windows. If you want a replacement however, try Mozilla Thunderbird. If you want to keep using Outlook Express, then there is one thing you MUST do: disable the preview pane. Then only open emails which do not look like spam. This is because it is possible to place images in emails which tell the sender if you've opened it - and if the sender happens to be a spammer, then they will mark your address as belonging to someone who reads spam and you will just get more. To disable the preview pane go to the 'view' menu, click 'layout' and uncheck 'Show preview pane'. From now on you will only be able to view messages by double clicking them.
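The tracking-image behaviour described above, as an added example that is not part of the original tutorial: a Python script that lists the images an HTML email would fetch from a remote server when rendered, which is the request that tells the sender the message was opened. The function names, the beacon heuristic and the sample message are assumptions made for illustration.

```python
# Added example: list the remote images an HTML email fetches when rendered.
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # one attribute dict per <img> tag

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def remote_images(raw_message):
    """Return [(url, looks_like_beacon)] for images loaded over http(s)."""
    msg = message_from_string(raw_message)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        parser = ImgCollector()
        parser.feed(html)
        for attrs in parser.images:
            url = (attrs.get("src") or "").strip()
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https"):
                continue  # cid: and data: images travel inside the message
            tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
            found.append((url, bool(parts.query) or tiny))  # heuristic beacon guess
    return found


# Constructed sample message; addresses and URLs are placeholders.
SAMPLE = """\
From: sender@example.com
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:logo@example.com">
<img src="http://mail.example.com/banner.png">
<img src="http://mail.example.com/open.gif?id=12345" width="1" height="1"></body></html>
"""

if __name__ == "__main__":
    print(remote_images(SAMPLE))
```

Any URL in the output is a request the mail client would make on your behalf just by displaying the message, whether or not the heuristic flags it as a beacon.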

Copyright © 2003-2007 Matt Squire. All rights reserved. No content may be duplicated without express written permission.
contact: mattsquire at insidereality dot net