5 Ways to Harden and Improve Security in Windows XP

Out of the box, a fresh installation of Windows XP is weak, full of holes, and a guaranteed zombie if connected directly to the Internet. This post is not a guaranteed way to ensure your computer’s security, but it should add to the existing Windows XP hardening guides available.

Manage Windows Users and Groups

While logged in as the Administrator, right click the My Computer icon, then left click Manage. The Computer Management window appears. Under System Tools, expand Local Users and Groups to reveal two folders (this snap-in is available on XP Professional; XP Home does not expose it). Left click the Users folder to display the existing user accounts in the right window. At this point you must decide which accounts are important to you. On my workstation, for example, the following accounts exist:

  • root (renamed, default, built-in Administrator account)
  • user (default user account created during Windows installation)
  • IUSR_DESKPC001 (anonymous account used to view Internet Information Services)
  • IWAM_DESKPC001 (account used by IIS to start out of process apps)

If you share a workstation with others, it’s probably not a good idea to delete their accounts. Anything you can’t account for should not exist. The built-in Guest account cannot be deleted, so disable it instead. As mentioned above, I’ve renamed the default Administrator account. This is an additional security measure that produces positive effects in a variety of situations, but know its limit: renaming changes the name, not the account’s SID, which still ends in the well-known RID 500, so anyone who can enumerate accounts over the network can still pick it out. Just make sure you don’t forget what you’ve renamed the account to or you’ll lock yourself out!

Next, click on the folder labeled Groups. Make sure the only objects listed in the Administrators group are the Administrator account and a user account of your choice. The fewer accounts in this group, the better. Go through the other groups and manage appropriately. Make sure each group has only the necessary user(s) based on the group’s description.
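The same audit from the command line, as an added example that is not from the original post: it lists the local accounts, shows which one is the real built-in Administrator by its RID regardless of what it has been renamed to, disables Guest, and lists the Administrators group. It assumes XP Professional (wmic.exe and the Local Users and Groups snap-in are not in XP Home) and a cmd.exe running as a member of Administrators; the removal and rename commands are left commented out so you decide what to run, and the account names in them are placeholders.

```batch
@echo off
rem Added example (not from the original post): audit local accounts and the
rem Administrators group on XP Professional from an administrative cmd.exe.
setlocal

echo === Local accounts ===
net user

echo.
echo === The built-in Administrator (RID 500), whatever it is currently called ===
rem Renaming only changes the name; the SID still ends in -500, so anyone who
rem can enumerate SIDs finds the real admin account regardless of its name.
wmic useraccount where "sid like '%%-500'" get name,sid,disabled

echo.
echo === Disable the built-in Guest account (it cannot be deleted) ===
net user Guest /active:no

echo.
echo === Members of Administrators (fewer is better) ===
net localgroup Administrators

rem Remove a member from Administrators. "SomeOtherUser" is a placeholder;
rem run this only for accounts you have confirmed should not be there:
rem   net localgroup Administrators SomeOtherUser /delete

rem Rename the built-in Administrator account. "root" is the name the post
rem uses; pick your own, write it down, and log on with it from now on:
rem   wmic useraccount where name='Administrator' rename root
endlocal
```

The wmic query on the SID is the useful check: run it after renaming and the account still shows up, which is exactly what an attacker enumerating accounts sees too.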

Remove Built-in Default Administrative Shares

In the Computer Management window, expand Shared Folders, then click Shares. If ADMIN$ or C$ exists, the Windows directory and the root of every fixed drive are shared to the network as hidden administrative shares. They only open for an account in the Administrators group, but that is exactly what a weak or reused admin password hands to anyone on your network, at a coffee shop, wherever. To prevent access to these shares, we’re going to remove them.

Click Start, Run, clear the text input box of any existing data, type regedit and click OK. Expand HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, lanmanserver, and finally click parameters. In the right window pane, look for an entry labeled AutoShareWks and change its value to 0 by double clicking the entry. If the entry doesn’t exist, right click a blank area in the right window pane and select New, then DWORD Value. Label the new entry AutoShareWks with a value of 0 (zero).

AutoShareWks is the value the workstation editions of Windows (XP included) read; AutoShareServer is its counterpart on the server editions. Adding both with a value of 0 costs nothing and covers either case. IPC$ is not controlled by these values and will remain. Close everything and restart your machine for the changes to take effect (restarting the Server service is also enough).
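The registry change and the immediate share removal as one script, added here as an example that is not from the original post. It assumes an administrative cmd.exe on XP Professional, fixed drives lettered C through E (adjust the list), and that nothing on the machine depends on the Server service staying up for the few seconds it is restarted.

```batch
@echo off
rem Added example (not from the original post): turn off the automatic
rem administrative shares and remove the current ones without a reboot.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

echo === Shares before ===
net share

rem AutoShareWks is the value the workstation products (XP) actually read;
rem AutoShareServer is the equivalent on the server products. Setting both is
rem harmless and covers either case.
reg add %KEY% /v AutoShareWks    /t REG_DWORD /d 0 /f
reg add %KEY% /v AutoShareServer /t REG_DWORD /d 0 /f

rem Drop the shares that exist right now. Without the registry change above
rem they would come back the next time the Server service starts.
net share ADMIN$ /delete 2>nul
for %%d in (C D E) do (
    net share %%d$ /delete 2>nul
)

rem Restarting the Server service applies the change; /y also stops the
rem services that depend on it (Computer Browser) without prompting.
net stop server /y
net start server

echo === Shares after (IPC$ remains; it cannot be removed this way) ===
net share

echo === Verify the values stuck ===
reg query %KEY% /v AutoShareWks
reg query %KEY% /v AutoShareServer
endlocal
```

One caveat worth knowing before you measure the benefit: with Simple File Sharing enabled (the XP default in a workgroup) every network logon is forced to Guest, so the administrative shares are already unusable from the network; the script matters most on machines where Simple File Sharing has been turned off or that are joined to a domain.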

Disable Unnecessary Services From Running

Many compromises come through services that are listening but unused, services that aren’t necessary to maintain intended functionality. Good server administrators won’t merely disable a service that isn’t required; they’ll completely purge the thing from the operating system. This, unfortunately, is rarely an option in Windows XP (IIS is the exception: it can be removed under Add/Remove Windows Components).

I highly recommend you perform research on each available service if you’re unsure of its purpose. For this article, I’m going to list all the services I disable, which historically works for me.

Load up the trusty Computer Management window the same way mentioned in the first tip (users and groups). Once open, expand the item on the left labeled Services and Applications, then click Services.

Here are the services I’ve disabled:

  • Alerter
  • ATI HotKey Poller
  • ClipBook
  • Computer Browser
  • CyberLink RichVideo Service (CRVS)
  • Error Reporting Service
  • FW Live Update
  • FW User-Mode Helper
  • Help and Support
  • Human Interface Device Access
  • IIS Admin (enabled when developing locally)
  • Messenger
  • NetMeeting Remote Desktop Sharing
  • Network DDE
  • Network DDE DSDM
  • Network Location Awareness (NLA)
  • Performance Logs and Alerts
  • Print Spooler
  • QoS RSVP
  • Remote Desktop Help Session Manager
  • Remote Registry
  • Routing and Remote Access
  • Security Center
  • Simple Mail Transfer Protocol (SMTP)
  • SSDP Discovery Service
  • System Restore Service
  • Task Scheduler
  • Telnet
  • Themes
  • WebClient
  • Windows Firewall/ICS
  • Windows Time
  • Wireless Zero Configuration
  • World Wide Web Publishing

Again, disabling these services is what works for me. In addition to the security benefits, an increase in system performance is definitely noticeable, too.
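Disabling the list with sc.exe instead of clicking through each service, as an added example that is not from the original post. sc.exe wants the service key name, not the display name shown in the Services console, so the list below is my mapping of the post’s display names to the key names that ship with XP; the vendor services (ATI, CyberLink, the FW entries) are left out because their names vary by product. Confirm any name with sc getkeyname "Display Name". It assumes an administrative cmd.exe on XP Professional.

```batch
@echo off
rem Added example (not from the original post): disable and stop a set of
rem services with sc.exe. Names are service KEY names (what sc expects);
rem check one with:  sc getkeyname "Remote Registry"
rem Note the space after "start=": sc.exe requires it.
setlocal
set SERVICES=Alerter ClipSrv Browser ERSvc helpsvc HidServ Messenger mnmsrvc NetDDE NetDDEdsdm SysmonLog RSVP RDSessMgr RemoteRegistry RemoteAccess SSDPSRV TlntSvr WebClient W32Time WZCSVC

for %%s in (%SERVICES%) do (
    echo --- %%s
    rem Show what currently depends on it; a dependent that you need is a
    rem reason to keep the service.
    sc enumdepend %%s | find "SERVICE_NAME"
    sc query %%s | find "STATE"
    sc config %%s start= disabled
    sc stop %%s >nul 2>&1
)

rem Services the post also disables but that deserve a conscious decision:
rem   SharedAccess  Windows Firewall/ICS  - only once a third-party firewall runs
rem   wscsvc        Security Center       - only silences warnings; not hardening
rem   Schedule      Task Scheduler        - breaks scheduled scans and updates
rem   srservice     System Restore        - you lose restore points
rem   Spooler       Print Spooler         - no local or network printing
rem   Nla           Network Location Awareness - check sc enumdepend Nla first
rem   Themes, IISADMIN, W3SVC, SMTPSVC    - cosmetic / only if IIS is unused
rem Re-enable one later with:  sc config ^<name^> start= auto   (or demand)
endlocal
```

Run it once, reboot, and look at the System log in Event Viewer for services that failed to start because something they depend on was disabled; that is the fastest way to find the one entry on the list your machine actually needed.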

Get a Better Firewall - Windows XP’s Built-in Firewall is Terrible

The firewall on my workstations is no longer supported or maintained, so here are a few alternatives to consider. Some research shows Jetico, Agnitum, and Kaspersky make fantastic products. Don’t be a cheap ass when it comes to security software; spend the money and get a good product. Freeware firewalls are garbage, and on the basis of personal experience and my clients’ past remarks, stay away from Symantec, McAfee, and ZoneAlarm: they cause more problems than they solve. The concrete shortcoming of the built-in XP firewall is that it filters inbound connections only; it cannot stop a program already on your machine from connecting out, which is exactly what the next paragraph depends on.

Firewalls take time to configure, but a good rule of thumb is to start off blocking all (incoming and outgoing) traffic, then, one-by-one, allow traffic based on need. For example, if you’re using an instant messaging client to communicate with friends, you’ll want to allow outgoing connections to the provider’s server, but prevent connections intended to display advertisements in your chat window. Good firewalls will show source and destination addresses, so if your firewall pops up with a message saying, “InstantMessage.exe -> Outgoing Connection -> ADS.SOME-SERVER.COM” you should probably deny that connection attempt, unless you prefer seeing ads.

Stop Malware/Spyware From Ever Having A Chance

This is easy: prevent advertisements from over fifteen thousand potentially malicious servers. Some ad companies employ tactics that exploit web browsers, and simple ignorance, to install ad software. Common culprits are BearShare, WeatherBug, and Gator, among others. The results typically include random pop ups, altered Active Desktop settings, modified home page settings, and sometimes worse. Real malicious adware will disable the Windows Task Manager and the Control Panel, turn your computer into a spam relay, and more. A quick, effective way to prevent these types of attacks is to follow the instructions outlined in my previous post, “Easily Block Unwanted Ads Without 3rd Party Software.”
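Blocking ad and malware hosts without third-party software on XP means the hosts file, and the script below is an added example of doing that safely; it is not from the original post or the earlier one it links to, whose exact list it does not reproduce. The domains in it are constructed placeholders, not a real block list; the script name harden-hosts.bat and the marker line are my own. It assumes an administrative cmd.exe.

```batch
@echo off
rem Added example (not from the original post): append a block list to the
rem hosts file exactly once, keep a backup, and make the change take effect.
setlocal
set HOSTS=%SystemRoot%\system32\drivers\etc\hosts
set MARK=# --- blocklist added by harden-hosts.bat ---

rem Keep a backup the first time.
if not exist "%HOSTS%.bak" copy "%HOSTS%" "%HOSTS%.bak" >nul

rem Append only once: the marker line makes re-runs a no-op.
find "%MARK%" "%HOSTS%" >nul && (
    echo Blocklist already present, nothing to do.
    goto :verify
)

rem Clear read-only in case a previous run set it.
attrib -r "%HOSTS%"
(
    echo.
    echo %MARK%
    rem 0.0.0.0 fails fast; 127.0.0.1 makes the browser wait on a local
    rem connection that nothing answers. The hosts are placeholders.
    echo 0.0.0.0 ads.example.com
    echo 0.0.0.0 tracker.example.net
    echo 0.0.0.0 adware-placeholder.example.org
) >> "%HOSTS%"
rem Read-only makes casual tampering by adware slightly harder.
attrib +r "%HOSTS%"

:verify
rem Flush the resolver cache so the new entries apply immediately.
ipconfig /flushdns
rem The address in brackets should be 0.0.0.0 if the entry is active.
ping -n 1 -w 500 ads.example.com
endlocal
```

With a list of fifteen thousand entries the DNS Client service, which loads the whole hosts file into its cache, noticeably slows every lookup on XP; the usual fix for large lists is to disable that service (sc config Dnscache start= disabled), after which the hosts file is still honored by the resolver.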

Take the time to configure and care for your machine. The fruits of your labor are a secure, efficient, happy operating system. With the right firewall, anti-virus software, and the steps mentioned in this post, I’ve been virus free for over five years.
