Basic security principles for a Windows XP box.

This is a mini-tutorial covering the basics of configuring your Windows XP computer against malicious attacks. It deals with the operating system itself, and discusses some tools of the trade. By no means is this tutorial meant to be complete.

This tutorial is geared towards Windows XP, but the general principles go for all Windows operating systems. Some principles are even platform-independent. Some tips mentioned may only apply to Windows XP Pro with SP2 installed.
Windows installation

Securing your XP box starts at installation.

- A basic principle here is “If you don't need it, don't install it.” This goes for all operating systems. There's no use in installing Apache or IIS if you don't plan on using a webserver. All you'd do is give an attacker more possibilities to get into your system.
- Partition your hard disk. Partitioning is the process of dividing your hard disk into “isolated” sections. In Windows, these show up as different drive letters: C:, D: and so on. In this case, C: would be the first partition of your hard disk, and D: the second. What you're basically doing here is making “virtual” hard disks: both partitions are on the same physical hard disk, but are treated as different hard disks by Windows.
  The huge advantage to this approach is that in case of a virus infection on one of your partitions, the chance of it crossing over drops by a good degree.
  What you'll want to do is install your operating system on your first partition, and all your other files on your second partition (you could make as many partitions as you want). In case your operating system (on C:) becomes corrupted, you could simply reinstall the operating system without losing all your data (on D:).
  Partitioning is done during installation. It's one of the first steps in the Windows installation process, and Windows will handle it all for you.
- Use NTFS as your file system. During the Windows installation you'll have the choice (in XP Home) between FAT32 and NTFS. XP Pro only offers NTFS. If you have the choice, go with NTFS. It's much more stable, offers more error control, is much more configurable, ...
Initializing Windows XP

After your install, and upon your first reboot, Windows will ask you some questions.

- Your name and organization: don't use your real information here. All you'd do is give an attacker usable information.
- Administrator password: make sure your password is long, uses special characters, mixes upper and lower case, uses alphanumerical characters, ...
  Do not OVER-estimate an administrator password. With physical access to your box, it takes an experienced attacker less than 3 minutes to get past your administrator password.
Network Settings:
This is where the fun starts. Make sure to choose the Custom Settings upon reaching the Network Settings dialogue, and configure as follows:

- Client for Microsoft Networks: required for log-in, so leave it on.
- File and Printer Sharing for Microsoft Networks: if you don't share files or printers on your home network, TURN IT OFF.
- QoS (Quality of Service): leave this setting on.
- Internet Protocol TCP/IP: required for internet access.
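
To see what the box still exposes after these choices, the output of `netstat -an` can be checked for sockets listening on a network-facing address. The following is an added example, not part of the original tutorial: it parses a constructed sample of that output, and the port labels and function names are this example's own.

```python
import re

# Constructed sample of `netstat -an` output (not captured from a real machine).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1041      192.0.2.20:80          ESTABLISHED
  UDP    127.0.0.1:123          *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:1900      *:*
"""

# Ports commonly seen on a default Windows install and what uses them.
KNOWN = {
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 139): "NetBIOS session service (file/printer sharing)",
    ("TCP", 445): "SMB over TCP (file/printer sharing)",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("UDP", 1900): "SSDP (UPnP discovery)",
}
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def exposed_listeners(netstat_text):
    """Return sorted (proto, port, address, label) rows reachable from the network."""
    rows = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        if addr.startswith("127."):
            continue  # loopback-only sockets cannot be reached from outside
        rows.add((proto, port, addr, KNOWN.get((proto, port), "unidentified")))
    return sorted(rows)

def sharing_still_listening(netstat_text):
    """True if TCP 139 or 445 is listening on a network-facing address."""
    return any(p == "TCP" and port in (139, 445)
               for p, port, _, _ in exposed_listeners(netstat_text))

if __name__ == "__main__":
    for proto, port, addr, label in exposed_listeners(SAMPLE):
        print(f"{proto:<4}{port:<6}{addr:<16}{label}")
    print("SMB/NetBIOS reachable:", sharing_still_listening(SAMPLE))
```

On the box itself, `netstat -an > ports.txt` saves the listing so it can be read into `exposed_listeners()`; any row labelled "unidentified" is worth tracing to its program before the cable goes in.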
Configuring Windows – BEFORE connecting to the net

First off: according to the SANS Institute, you only have 17 minutes after you connect your newly set-up XP box to the internet to secure it. If you don't, you have a close-to-100% chance of getting infected or compromised. It takes way more than 17 minutes to install all security updates, and additional security software, so you can be almost sure that if you do it this way, your system will be compromised.

The solution? DO NOT PLUG IN YOUR BOX until you've taken some basic security measures. Make sure you have the following software on a CD and install it before you connect your box.
Install antivirus software:
This should be your first step before you install any other third-party software. Remember, you're still working on an unconnected box, so don't worry about updating your antivirus software yet.

Free Anti-Virus software:
- AVG
- Avast
- AntiVir
- BitDefender

Don't install two antivirus solutions on the same box.
Firewall:
YES, a firewall is ABSOLUTELY NECESSARY if you connect to the internet. Install a firewall BEFORE you connect to the internet. For a basic intro to firewalls, check this site.

Possibilities here are hardware or software solutions. If you have a router: most routers (wireless included) come with a built-in firewall, and most do a good enough job. If you have options to configure this firewall, don't bother with getting an extra software firewall (it'd be like wearing two condoms on top of each other).

Don't install two firewalls on the same box.

Free Software Firewalls:
- Sygate
- OutPost
- Kerio

These are the only free firewalls I'd ever recommend.
Anti-Spyware/Adware:
This subject has been beaten to death. Again, install before you connect your box to the internet.

Free Anti-Spyware/Adware Software:
- LavaSoft Adaware
- Spybot S&D
- SwatIt
- HiJackThis

Learn how to read HiJackThis logs! Check this tutorial for more info on the use of HiJackThis and its logs.

Make sure to get the latest Spybot and install its resident scanner!

In the case of spyware/adware solutions, the rule is: “The more the better!”
Configuring Windows – The Rest

After you've installed a firewall, an antivirus solution and at least one anti-spyware solution, you're ready to connect to the internet.

First things first: UPDATE UPDATE UPDATE. Start with your antivirus definitions, your antivirus software, your firewall software and your antispyware definitions. Move on to UPDATING Windows: install all those service packs and security updates!

If you don't have a high-speed internet connection, order update CDs from Microsoft (they're free! They even cover shipping & handling).