Securing Windows XP Vol. 1 - Version 2

Basic Steps to Installing XP Safely cont'd

Configure your firewall router

Every firewall router is different, and you'll have to consult the user guide for your product for the specifics of how and what you can configure. The basics are:

Configure your firewall software

Every software firewall is different. Some will have wizards to walk you through the process. Nonetheless, here are some general rules to follow to "harden" your firewall protections:

General rules for configuring software and hardware firewalls

Baseline test your current firewall configuration. There are a number of sites which test your firewall; GRC is one. Click on the ShieldsUp link in the middle of the page. Then, after doing the following, re-test your new configuration:

  1. Block everything you can at the hardware level before it reaches your system, i.e., at the firewall router.
  2. Close everything, all ports/protocols as default. Open only those ports/protocols that you actually need to have open.
  3. Prohibit all inbound connections entirely unless you are running a secure VPN.
  4. To protect open ports/protocols, always get a hardware router/firewall that has Stateful Packet Inspection.
  5. If your router provides MAC address selection, exclude all MAC addresses except those MAC addresses actually on your LAN.
  6. Do exactly the same with software firewalls, but add to that outbound program control.
  7. Limit the NAT address range at the router to only enough internal IP addresses to accommodate the systems on your LAN.
  8. If your firewall has a "stealth" setting, use it.
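The baseline test and re-test described above can be compared mechanically. The following is an added example, not part of the original guide: it assumes the external test reports each port as open, closed or stealth, that no inbound port is needed (rule 3), and all port results shown are constructed sample data.

```python
# Added example: compare a baseline firewall test with the re-test after hardening.
# Assumed port states reported by an external tester:
#   "open"    - a service answered the probe
#   "closed"  - the host refused the connection, so it is still visible
#   "stealth" - no reply at all (probe silently dropped)

# Constructed sample results, keyed by TCP port number.
BASELINE = {21: "closed", 80: "open", 113: "stealth",
            135: "open", 139: "open", 445: "open"}
RETEST = {21: "stealth", 80: "stealth", 113: "closed",
          135: "stealth", 139: "stealth", 445: "closed"}

# Assumption: no inbound connections are needed, so nothing may be open.
ALLOWED_OPEN = set()


def audit(results, allowed_open):
    """Return (port, state, problem) tuples for every port that breaks the rules."""
    findings = []
    for port, state in sorted(results.items()):
        if state == "open" and port not in allowed_open:
            findings.append((port, state, "open but not on the allowlist"))
        elif state == "closed":
            findings.append((port, state, "answers probes, not stealthed"))
        elif state not in ("open", "stealth"):
            findings.append((port, state, "unrecognised state, check by hand"))
    return findings


def compare(baseline, retest, allowed_open):
    """Classify problem ports as fixed, remaining or regressed between two tests."""
    before = {port for port, _, _ in audit(baseline, allowed_open)}
    after = {port for port, _, _ in audit(retest, allowed_open)}
    return {
        "fixed": sorted(before - after),      # problem in baseline, clean now
        "remaining": sorted(before & after),  # still a problem after changes
        "regressed": sorted(after - before),  # new problem introduced
    }


if __name__ == "__main__":
    for port, state, problem in audit(RETEST, ALLOWED_OPEN):
        print(f"port {port}: {state} ({problem})")
    print(compare(BASELINE, RETEST, ALLOWED_OPEN))
```

A port that moves from open to closed still shows up under "remaining", because a closed port answers probes and so is not covered by the "stealth" setting in rule 8.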

Wireless 802.11x Settings

Wireless presents a slightly different set of security considerations. Most modern wireless firewall routers or Access Points have some additional important security features that should always be set. One important point is that you should generally disable XP's "Wireless Zero" service, and use connectivity software provided by your wireless hardware manufacturer. You should read your hardware's manual for more complete instructions specific to your firewall router or Access Point. Again, always update the firewall router or Access Point firmware to the latest versions.

The most critical settings are as follows:

  1. Change the "SSID" of your device from the manufacturer's pre-designated name. Disable SSID broadcasting if possible.
  2. Always password protect your device with a difficult to duplicate password (discussed earlier), and change the login name if this is supported.
  3. If the device has MAC Inclusion/Exclusion (most devices made these days do), exclude all devices by default and permit only the MAC addresses of your wireless devices.
  4. Enable wireless encryption at the highest level supported for WEP (usually 128-bit encryption), and remember to set the same access code for all your devices. Note that more experienced crackers have recently found easy and fast ways to "break" WEP protection and to emulate MAC addresses, so be careful when using wireless devices where those are the highest levels of security. Better yet, look for a wireless device and NIC that support WPA-PSK, a more modern, harder-to-break wireless encryption protocol. We recommend that readers consider replacing older wireless devices with their more modern counterparts that provide higher levels of security. While older wireless devices may have adequate protection from casual crackers, they cannot protect wireless LANs, or wired LANs to which an older wireless device is attached, from more serious cracking.

Disabling Services

These services are by default set to either Automatic or Manual. Disabling these services can help make your computer more secure. Important: read what every service does before you disable it, or your computer may cease to function properly!

The descriptions of these services come from Microsoft. It has become a game to try to find these on the Microsoft web site because they have been slow to update the descriptions for SP2. It seems they would rather delete the pages than update them. As of this moment you can find them here and here.

After reading the descriptions, choose the ones you wish to disable and follow these steps: