Tuesday, June 16, 2009

How To Secure Windows XP

How to secure Windows 2000 / XP

IMPORTANT INFORMATION REGARDING WINDOWS XP SP2: Some security software has had problems with Service Pack 2, for example ZoneAlarm and some antivirus software. There have also been other issues with SP2; I have personally found that after installing it my computer stops working properly, and I have not yet managed to solve the situation. SP2 also changes the settings of Internet Explorer, Windows ICF and other areas, so this page has not yet been updated to cover SP2. My suggestion regarding SP2 is that you back up and try it out. If it works, fine: Microsoft has fixed some major security issues with it, so you are likely safe enough for now on a default SP2 install if you follow its Security Center guides. If you cannot install SP2 or get it working, restore the old Windows XP and use the settings and tips on this page as they are. Try installing SP2 again later, when Microsoft has either fixed its bugs or we have discovered some way to counter them.

These settings can be used with both Windows 2000 and Windows XP to *really* secure the system and also boost its performance. Depending on your version and whether it is Win2k or XP, you might notice that some of the features/options aren't there. Just skip them and move on until you hit something that IS on YOUR Windows 2000/XP. The "best" option of all is to have Windows XP Professional, since the screenshots are from Windows XP Professional. However, please note that you can access some of the Windows XP Professional features even if you are installing Home Edition, by booting into "Safe Mode" some time.

Windows XP offers pretty good security features, but only if you know how to use them. By default, Windows XP is clumsy and has many possible security holes due to its poor default settings. If you use Windows XP Professional, you can really make your computer your fortress against almost any invader. The built-in EFS (Encrypting File System with NTFS), strong authentication methods, firewall, etc. give you good tools for it. Home Edition does not have all these features, but you can always implement your own according to these guidelines. These principles are designed ONLY for single-user "home" computers (standalone), NOT for computers in, let's say, corporate networks! On standalone computers you can and should fill all possible holes, but in a corporate environment the whole point is to allow computers to be used via corporate networks or an intranet. You can still take suggestions and clues from here and implement them properly if you are installing or using Windows 2000/XP in a corporate environment or are using multiple user accounts.

PLEASE READ THIS CAREFULLY! Even if you are not planning on securing your Windows XP, please read this and implement it. Even if you don't care about computer security or think this is not important to do, read and implement it anyway. Trust me on this one. If you think you don't know how to do it or are not sure whether or not to do it, do it anyway. It's very easy, and implementing just these 7 simple things will GREATLY improve your security. It's just 7 easy steps to make! You can of course also print this page to help you look at it better and implement it.

If you want to download and print this page, you can do it easily by downloading/printing this .rtf document. It has everything that is said on this page. I recommend that if you are about to install Windows 2000 / XP, you download and print it so you can easily use it to secure your computer offline.


Important information about Windows 2000 and Encrypting File System insecurity
There is very little reason to use EFS on a standalone Win2k installation, since it does not offer real protection in Windows 2000. It is possible to reset the administrator's passphrase (even with Syskey enabled and stored on a floppy) and log in as admin. This can be done by simply booting the computer into another operating system, deleting the SAM file and manipulating the registry so that Windows does not ask for Syskey during startup. If Syskey is not present, resetting the administrator's passphrase is much easier. The administrator can do many things and is the default recovery agent of EFS. In any case, once you have logged in as admin, you can decrypt all data encrypted with EFS on that computer.

In theory, it *is* possible to have secure EFS in standalone Windows 2000, but it is very, very, very complicated to achieve. In theory, by exporting the administrator's recovery certificate or designating some other recovery agent AND setting Syskey to a passphrase or floppy, it *might* be possible to prevent anyone from reading EFS-encrypted files. It is always possible to log in as administrator, but if the administrator does not have the recovery keys, he can't decrypt EFS files... And since Syskey *prevents* tampering with the other accounts, it is in *theory* safe (if a hacker deletes the SAM file, the other accounts lose their vital piece of information and can't be used, and therefore he can't get access to the private key). But in practice... well... who really knows? I STRONGLY recommend not using EFS in Windows 2000 unless the computer is part of a domain, the settings/security policies are good, the actual computer where the certificates are stored is in a safe place so nobody can get physical access to it, and Syskey for each computer is stored as a passphrase or on a floppy. Use PGPdisk instead and you don't have to worry about these kinds of issues with Windows 2000!
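
The recovery-agent argument above as a runnable model, added here as an illustration and not taken from the original page: each EFS file carries its file encryption key (FEK) wrapped once for the owner (the data decryption field, DDF) and once for each recovery agent (the data recovery field, DRF). The hash-based wrap is a stand-in for the RSA wrapping real EFS uses, and the function and account names are assumptions.

```python
import hashlib, hmac, os

def wrap(holder_key: bytes, fek: bytes):
    """Wrap the 32-byte FEK for one key holder (stand-in for EFS's RSA wrap)."""
    nonce = os.urandom(16)
    pad = hashlib.sha256(holder_key + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(fek, pad))
    tag = hmac.new(holder_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def unwrap(holder_key: bytes, blob):
    """Return the FEK, or None if this key did not wrap the blob."""
    nonce, ct, tag = blob
    expected = hmac.new(holder_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = hashlib.sha256(holder_key + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def stream(fek: bytes, data: bytes) -> bytes:
    """Toy XOR stream keyed by the FEK; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(fek + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def efs_encrypt(data, owner, owner_key, agents):
    """Build a file with one DDF entry (owner) and one DRF entry per agent."""
    fek = os.urandom(32)
    return {"ddf": {owner: wrap(owner_key, fek)},
            "drf": {name: wrap(key, fek) for name, key in agents.items()},
            "body": stream(fek, data)}

def read_as(account, keys_on_machine, efs_file):
    """Decrypt with whatever private key the logged-in account finds locally."""
    key = keys_on_machine.get(account)
    blob = efs_file["ddf"].get(account) or efs_file["drf"].get(account)
    if key is None or blob is None:
        return None
    fek = unwrap(key, blob)
    return stream(fek, efs_file["body"]) if fek else None

def demo():
    alice, admin = os.urandom(32), os.urandom(32)       # constructed keys
    f = efs_encrypt(b"tax records", "alice", alice, {"Administrator": admin})
    default = {"alice": alice, "Administrator": admin}  # recovery key left on disk
    hardened = {"alice": alice}                         # recovery key exported, then removed
    return (read_as("Administrator", default, f),
            read_as("Administrator", hardened, f),
            read_as("alice", hardened, f))
```

With the recovery key left on the machine, a login as Administrator reads the file; once that key has been exported and removed, the same login gets nothing while the owner still decrypts normally.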
