Windows XP
Securing Windows XP Vol. 1 - Version 2


This guide will show you how to secure Windows XP. While it covers the basics, it also goes beyond them without going into "paranoid" mode. Protecting yourself from all the "bad guys" on the Internet requires a multi-tiered approach. There is no single product, hardware- or software-based, that will adequately protect you from the perils of being connected to the Internet. Only you can protect yourself, and that will require some effort to understand the nature of the threats, the ways you can protect yourself, and how these protective measures fit together.

This guide is for home users in a stand-alone or workgroup environment. It is intended as a step-by-step guide and we highly suggest you read through the entire article before taking any action. We welcome suggestions and feedback.

Security Threats

There are two basic categories of threats to your system security: inbound and outbound. Let's examine the difference. Inbound threats come from outside your local network. These include port scans, worms that attack a network service your system exposes, and Trojans and viruses installed without warning by a malicious web site. Outbound threats originate on your local systems. These include malware installed by downloaded software, packets containing your personal information sent out by installed software, keyloggers, etc. Several of these categories are both inbound and outbound in nature, i.e., an inbound threat that creates an outbound one, or an outbound threat that creates an inbound one. Mixed examples include: Trojans on your system that "call home" and then either send information about you or ask for more malware to be installed on your system, port scans that find open ports and then use them to gain control over your system, and downloaded software that installs malware.

To give you a feel for how dangerous some of these threats can be, let us describe one type of port scan. A port scan originates from outside your system. Network services on your system listen on numbered ports; an example is port 80, the HTTP port, which web servers listen on and browsers connect to. A port scanner probes each port on your address to find out which ones answer, and therefore which services it can talk to. The dangerous ports on a Windows system are not port 80 but the Windows networking ports: if File and Printer Sharing (SMB, TCP ports 139 and 445) is reachable from the Internet and your shares are unprotected or protected by a weak password, an attacker who finds them can map your drives just as if they were connected to their own system. They can read EVERYTHING on your hard drive - every file, all your data - and when they are finished, they can reformat your hard drives or otherwise completely destroy your system. Scary, isn't it? But is this threat real or imagined? DShield (dshield.org) tracks port scans in real time. Reports of attempted port scans from participating companies and individuals are sent to DShield as they happen. At the time of writing, the number of reported entry attempts is averaging over 1.1 BILLION per month. Remember that this represents only a small percentage of the actual number of port scan attacks, namely those reported by participants.
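Before worrying about what a scanner on the Internet can see, look at what your own system is offering. The script below is an added example, not part of the original guide: it parses the output format of the Windows `netstat -an` command (the sample output, the port table and the function names are constructed for this example) and reports every TCP port in LISTENING state that is bound to something other than the loopback address. Those are exactly the ports an external scan can reach unless a firewall in front of the system blocks them, and the file-sharing ports 139 and 445 among them are the ones behind the "mount your hard drives" scenario above.

```python
"""Report Windows listeners that an Internet port scan could reach.

Added example (not from the original guide).  Parses text in the format
printed by `netstat -an` on Windows XP and lists TCP ports that are
LISTENING on a non-loopback address.  The port table and the sample
netstat output below are constructed for this example.
"""
import re

# Ports that Internet-wide scans probe on Windows hosts and the service
# behind each.  139/445 are File and Printer Sharing (SMB); 135 is the RPC
# endpoint mapper; 3389 is Remote Desktop.  (Constructed table.)
RISKY_TCP_PORTS = {
    135: "RPC endpoint mapper (DCOM)",
    139: "NetBIOS session / SMB file sharing",
    445: "SMB file sharing (direct hosting)",
    3389: "Remote Desktop",
}

# Constructed sample of `netstat -an` output from a Windows XP host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1041       64.233.167.99:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
"""

# One connection line: proto, local ip:port, foreign address, optional state.
# UDP lines have no State column, hence the optional last group.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, state) tuples.

    Header and blank lines do not match LINE_RE and are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state = m.groups()
        rows.append((proto, ip, int(port), state or ""))
    return rows


def exposed_listeners(text):
    """Return sorted (port, ip) pairs for TCP listeners reachable from the network.

    A socket bound to 127.x.x.x accepts connections only from the local
    machine and is ignored; 0.0.0.0 or a real interface address is reachable
    by anyone who can route packets to the host."""
    exposed = set()
    for proto, ip, port, state in parse_netstat(text):
        if proto != "TCP" or state != "LISTENING":
            continue
        if ip.startswith("127."):
            continue
        exposed.add((port, ip))
    return sorted(exposed)


def risky_exposures(text):
    """Map each exposed port from RISKY_TCP_PORTS to its description."""
    return {port: RISKY_TCP_PORTS[port]
            for port, _ip in exposed_listeners(text)
            if port in RISKY_TCP_PORTS}


if __name__ == "__main__":
    # On a real system: run `netstat -an > ports.txt` and read that file instead.
    for port, ip in exposed_listeners(SAMPLE_NETSTAT):
        note = RISKY_TCP_PORTS.get(port, "")
        print("TCP %-5d listening on %-12s %s" % (port, ip, note))
```

On the constructed sample the script flags ports 135, 139 and 445; the loopback-only port 1025 and the outgoing web connection are correctly ignored. Run against real `netstat -an` output, anything it lists is what a scanner sees unless your firewall drops the probe first.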

In fact, the current "survival time" (the average interval before an unprotected system connected to the Internet is hit by a hostile probe, as measured from the DShield reports) is only 16 minutes. This means that a newly installed, unprotected operating system connecting to the Internet for the first time will, on average, be attacked within 16 minutes, and if the probe finds an unpatched service it will be compromised. That leaves insufficient time for a new system to connect to the Windows Update site and download the latest security and critical updates from Microsoft before it is attacked. Yes, the Internet is a dangerous place for the unwary.

Let us describe another, far more subtle form of attack. Recently it was discovered that a specially crafted .jpg (picture) file can carry an attack. The executable is not hidden inside the picture like an attachment; rather, a flaw in the Windows code that decodes JPEG images lets a malformed image overflow a buffer and run code chosen by the attacker. Merely viewing such an image in a vulnerable browser, email client or image viewer is enough to install a Trojan or virus. Microsoft has released a patch for the image-decoding flaw and anti-virus vendors have added detection for crafted images; keeping both current is the defense.

Another, more recent and far more dangerous threat is crackers' use of "rootkits", "DLL injection" and "global hooks" to take over systems "invisibly". A rootkit hides its own files, processes and registry keys from the running operating system, so a scan run from within the infected system cannot be trusted to find it. These threats are difficult to prevent and detect, and almost impossible to remove once they have successfully been deployed on your system. Prevention is the best way to stop them, as removal tools are only now being developed and are in their infancy; they cannot be relied upon to clean a system once it has been compromised. Once infected, the only dependable way to remove one of these threats is either to restore a backup known to have been made prior to infection, or to completely reformat all your hard drives and reinstall your operating system and software.

You cannot depend on others to protect your system and valuable data. It is your responsibility to make your systems as resistant as possible to these kinds of threats, and that requires a combination of protections. At a minimum, we recommend the following protective measures for all users who connect to the Internet for any purpose:

  1. Protect the gateway to your systems with a good hardware firewall/router that provides at least port blocking (silently dropping probes, known as "stealthing", is even better than rejecting them) and Stateful Packet Inspection ("SPI").
  2. Install a good software firewall on your system. At a minimum a good software firewall should have application control, i.e., the ability to set permissions for Internet access on a program-by-program basis. Note that the Windows Firewall built into XP SP2 filters inbound connections only and offers no per-program control of outbound traffic, which is why a third-party firewall is still recommended.
  3. Install a good Anti-Virus package.
  4. Install a good Anti-Spyware package, or two or more, if they are compatible and handle spyware in different ways.
  5. Install protective software that prevents the execution of unknown software on your system, and requires user permission (at the administrative level) to install services and drivers, global hooks, and dll injections.

Note, we strongly recommend that these protections should be in place before connecting to the Internet for the first time on newly installed operating systems.