If you're really concerned about the security of your computer and data,
then you will just have to learn the rules for staying secure. Review your
installed third-party software and remove clutter.
1. Proceed with 'Hardening' your Operating System (OS) *and* use a
Non-Administrator Account i.e. enable Limited User Account (LUA).
http://www.5starsupport.com/tutorial/hardening-windows.htm
http://www.malwarehelp.org/Malware-Prevention-Hardening-Windows-Security1.html
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
Note:
Both Plug & Play and DCOM can easily be disabled manually in the Services
(Local) panel, and Windows Messenger can be dealt with as mentioned
in 1d.
Therefore there is no need to download the below mentioned tools:
a) To disable Windows Plug and Play, go here:
http://www.grc.com/unpnp/unpnp.htm
b) To disable Windows DCOM, go here:
http://www.grc.com/dcom/
c) To disable Windows Messenger, go here:
http://www.grc.com/stm/shootthemessenger.htm
1a. In Folder Options | File Types tab add .CAB File.
1b. Right-click My Computer | Properties, System Properties - Advanced -
Performance/Settings - Data Execution Prevention is 'checked' Turn
on DEP...except those I select.
How to determine that hardware DEP is available and configured on your
computer.
http://support.microsoft.com/kb/912923
1c. Local Security Settings (Admin Tools - Local Security Policy)
Network security: Do not store LAN Manager hash value on next
password exchange = ENABLED.
1d. Uninstall/disable Windows Messenger
Windows Messenger in XP
http://www.kellys-korner-xp.com/xp_messenger.htm
Stop Windows Messenger from Auto-Starting.
Simply delete the following Registry Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS
1e. Security Policy Recommendations.
www.nsa.gov/snac/support/sixty_minutes.pdf
Security Attribute (page 27/28).
a) Network access: Do not allow anonymous enumeration of SAM accounts
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM = 1
Recommended Setting: Enabled
b) Network access: Do not allow anonymous enumeration of SAM accounts
and shares
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1
Recommended Setting: Enabled
c) Network access: Let Everyone permissions apply to anonymous users
HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous = 0
Recommended Setting: Disabled
1f. Turn off Autoplay.
http://www.dougknox.com/xp/tips/cd_autoplay_pro.htm
To Disable CD autoplay, completely, in Windows XP Pro
a) Click Start, Run and enter GPEDIT.MSC
b) Go to Computer Configuration, Administrative Templates, System.
c) Locate the entry for Turn autoplay off and modify it as you desire.
Alternative:
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
Scroll down to Tweak UI, download TweakUI.exe
Once you've installed TweakUI you'll find a lot of options in it. To
turn-off Autoplay, in TweakUI expand My Computer, and then AutoPlay.
Click on Drives and uncheck the drive letter that you no longer want to
AutoPlay. Click on Apply and that's it. No more "what would you like me
to do" dialogs.
2. For day-to-day work/browsing use the Limited User Account (LUA) and
refrain from using the Administrator Account (AC).
Least privilege
http://www.securityfocus.com/infocus/1848
It is important that administrators follow the rule of least privilege.
This means that users should operate their computer with only the
minimum set of privileges that they need to do their job. Typically
this means operating as a normal user, and only when absolutely
necessary use the Run As or MakeMeAdmin commands to elevate privileges.
The Importance of the Limited User Account (LUA).
http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html
How the right user account can help your computer security.
http://www.microsoft.com/protect/computer/advanced/useraccount.mspx
Aaron Margosis' "Non-Admin" WebLog
http://blogs.msdn.com/aaron_margosis/pages/TOC.aspx
The easiest way to run as non-admin.
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx
3. Keep your operating system (OS) and all software on it updated/patched.
"So, you didn’t patch the system and it got hacked. What to do? Well,
let’s see: ..."
"The only way to clean a compromised system is to flatten and rebuild.
That’s right. If you have a system that has been completely
compromised, the only thing you can do is to flatten the system
(reformat the system disk) and rebuild it from scratch (re-install
Windows and your applications)..."
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
Windows update.
http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us
Secunia Software inspector
http://secunia.com/software_inspector
and
M/S Security Baseline Analyzer 2.0
http://www.microsoft.com/technet/security/tools/mbsa/default.mspx
can assist also.
4. Internet Explorer7.
IE7 safe/secure settings
Internet Explorer7 Desktop Security Guide
http://www.microsoft.com/downloads/...DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en
The Internet Explorer 7 Security Status Bar
http://www.microsoft.com/windows/products/winfamily/ie/ev/security.mspx
Extended Validation SSL Certificates
http://www.microsoft.com/windows/products/winfamily/ie/ev/default.mspx
*Tight security settings will break down some websites. You need to add
these websites into the Trusted Zone for smooth access.*
Utilizing another browser application and e-mail provider can add to
the overall security of the OS. But,
Microsoft says Internet Explorer more secure than Firefox
http://www.heise-security.co.uk/news/99955
Alternative Browsers:
Opera™
http://www.opera.com/download/
Firefox™
http://www.mozilla.com/en-US/
Reconsider using OE
Good alternatives are:
Opera's built-in e-mail client
http://www.opera.com/products/desktop/m2/
Firefox's built-in email client - Thunderbird™
http://www.mozilla.com/en-US/thunderbird/
Pegasus Mail™
http://www.pmail.com/downloads.htm
Windows Live Mail™ (Version 2008)
http://www.windowslive.com/?ocid=TXT_MSCOM_Wave2_MSCOMDLCNotifEm
http://www.microsoft.com/downloads/...05-45f6-4d14-a7dc-51e13d11a950&DisplayLang=en
Good newsreaders (Google for more)
40tude Dialog™
http://www.40tude.com/dialog/
Agent™ 4.2 Newsreader + Email
http://www.forteinc.com/main/homepage.php
Motzarella™
http://www.pmail.com/downloads.htm
Xnews™
http://xnews.newsguy.com/
5. Don't expose services to public networks. Review and manually disable
unnecessary services presently active in your OS.
(This can be a tedious exercise but will bear fruit later on; keep
a good record of what you change).
Security is a balance between usability and protection.
Beginners Guides: Understanding and Tweaking WindowsXP Services
http://www.pcstats.com/articleview.cfm?articleid=1759
Page 1: Beginners Guides: Understanding and Tweaking WindowsXP
Services
Page 2: Which services are running?
Page 3: Getting Information on Specific Services
Page 4: Properties of Services
Page 5: Why do does WinXP need Services?
Page 6: What services should be running?
Page 7: Services to disable for better security and performance
Page 8: Creating your own services
Page 9: Creating Services Continued
Windows XP Service Pack 2 Service Configurations
http://www.blackviper.com/WinXP/servicecfg.htm#
Windows XP SP2 default Services #1.
http://www.ss64.com/ntsyntax/services.html
Default settings for services #2.
http://www.microsoft.com/resources/.../en-us/sys_srv_default_settings.mspx?mfr=true
6. Activate and utilize the Win XP SP2 built-in Firewall; uncheck *all*
Programs and Services under the Exceptions tab and review exceptions
frequently (the fewer exceptions the better).
Read through:
Deconstructing Common Security Myths.
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
Scroll down to:
"Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."
Exploring the Windows Firewall.
http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
"Outbound protection is security theater—it’s a gimmick that only gives the
impression of improving your security without doing anything that actually
does improve your security."
How to Configure Windows Firewall on a Single Computer
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/cfgfwall.mspx
Troubleshooting Windows Firewall settings in Windows XP Service Pack 2
http://support.microsoft.com/default.aspx?kbid=875357
Understanding Windows Firewall.
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx
Using Windows Firewall.
http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx
Use Windows Firewall in conjunction with:
Seconfig XP 1.0
http://seconfig.sytes.net/
Seconfig XP is able to configure Windows not to use TCP/IP as transport
protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135,
137-139 and 445 (the most exploited Windows networking weak point)
closed.
OR
Configuring NT-services much more secure.
http://www.ntsvcfg.de/ntsvcfg_eng.html
The only reasonable way to deal with malware is to prevent it from being
run in the first place. That's what AV software or Windows' System
Restriction Policies are doing. And what Personal Firewalls fail to do.
7. Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html
8. Back Up regularly.
Back up manually or use Windows XP Backup utility.
http://www.microsoft.com/protect/yourself/data/backup.mspx
Powerful backup that is easy to do!
http://www.acronis.com.sg/homecomputing/
Casper™ Backup Solution for Windows
http://www.fssdev.com/
Norton Ghost™
http://www.symantec.com/norton/products/overview.jsp?pcid=br&pvid=ghost12
Free Back-Up Programs; there are many more - mileage will vary - get
appropriate advice
http://www.karenware.com/powertools/ptreplicator.asp
http://www.2brightsparks.com/downloads.html#freeware
http://www.sover.net/~wysiwygx/WinUtils5.html
http://xxclone.com/
http://www.educ.umu.se/~cobian/cobianbackup.htm
9. Familiarize yourself with Re-installing OS (reformat HDD).
Be prepared...
Perform a clean install of Windows XP
http://support.microsoft.com/kb/316941/en-us
"How to Perform a Windows XP Repair Install":
http://michaelstevenstech.com/XPrepairinstall.htm
10. Familiarize yourself with Crash Recovery applications.
... don't get caught flatfooted
Beginners Guides: Crash Recovery - Dealing with the Blue Screen Of Death
http://www.pcstats.com/articleview.cfm?articleID=1647
NTFS4DOS Personal is free.
http://www.free-av.com/antivirclassic/avira_ntfs4dos.html
How to create a bootable floppy disk for an NTFS or FAT partition in
Windows XP
http://support.microsoft.com/kb/305595
Bart's Preinstalled Environment (BartPE) bootable live windows
CD/DVD
http://www.nu2.nu/pebuilder/
How to obtain Windows XP Setup boot disks
http://support.microsoft.com/kb/310994
Windows XP Professional Utility: Setup Disks for Floppy Boot Install
http://www.microsoft.com/downloads/...db-5039-4955-bcb7-4fed408ea73f&displaylang=en
Inspirational reading:
http://home20.inet.tele.dk/b_nice/index.htm
Windows XP Security Guide
Chapter 5: Securing Stand-Alone Windows XP Clients
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch05.mspx
Install a good (free) real-time av application and some monitoring tools
(Autoruns, Process Explorer) similar to the ones developed by Mark
Russinovich.
Good luck
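
The registry-backed settings from items 1c, 1d and 1e above can be checked read-only with a short PowerShell script. This is an added example, not part of the original post; the `NoLMHash` value name (the registry value behind the 1c policy) and the helper `Get-RegValue` are not taken from the post.

```powershell
# Added example: read-only audit of the settings in items 1c, 1d and 1e.
# It changes nothing; it only reports what is currently configured.
$lsa = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Value name and the data the post recommends for it.
# NoLMHash backs the 1c policy; the name itself is not in the post.
$checks = @(
    @{ Item = '1c';   Name = 'NoLMHash';                  Want = 1 },
    @{ Item = '1e a'; Name = 'RestrictAnonymousSAM';      Want = 1 },
    @{ Item = '1e b'; Name = 'RestrictAnonymous';         Want = 1 },
    @{ Item = '1e c'; Name = 'EveryoneIncludesAnonymous'; Want = 0 }
)

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $null }
    return $p.$Name
}

$report = $checks | ForEach-Object {
    $have = Get-RegValue $lsa $_.Name
    if ($have -eq $null)       { $status = 'NOT SET' }
    elseif ($have -eq $_.Want) { $status = 'OK' }
    else                       { $status = 'REVIEW' }
    New-Object PSObject -Property @{
        Item = $_.Item; Name = $_.Name; Want = $_.Want
        Have = $have;   Status = $status
    }
}

# Item 1d: an MSMSGS entry under Run means Messenger still auto-starts
# for the current user.
$msmsgs = Get-RegValue $run 'MSMSGS'
if ($msmsgs -eq $null) { $status = 'OK' } else { $status = 'REVIEW' }
$report = @($report) + (New-Object PSObject -Property @{
    Item = '1d'; Name = 'Run\MSMSGS'; Want = '(absent)'
    Have = $msmsgs; Status = $status
})

$report | Select-Object Item, Name, Want, Have, Status | Format-Table -AutoSize
```

A `NOT SET` row means the value is missing and Windows is using its built-in default for that setting, so compare it against the Local Security Policy console before changing anything.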