How do you configure your Windows XP for security?


Engineering

What do you do to secure your Windows XP OS?

Let's brainstorm:

*Only crucial system services running (less exploitable processes + performance improvement),

*Hardened Hosts files (blacklists),

*Uninstalling Telnet/Net meeting/Messenger/WMP/DCOM vulnerabilities, what else?, etc (generic Windows bloatware),

*Disabling UPnP, Administrative shares (IPC$,etc), LMHash, Null sessions, epmap (port 135), SMB (port 445), SSDP (port 1900), etc

*Disabling DCOM, paging from executives, remote desktop, remote registry, TCP/IP NetBIOS Helper (NetBT), etc

*Secure file deletion (DOD 5222.20-M),

*Any server based network hosting capabilities unavailable,

*Group Policy Enforcement set in place (based on NSA checklists)

*Latest Windows Patches,

*Firewall + AV + Peerguardian (ipblock lists) + IDS app, etc

*Registry tweaks (which?),

*HDD encryption (which?),

*User without Admin privileges,

*etc etc... What else can you think of?

HTTP + SSL + HTTPS + Nothing else. Uber security.

See where I'm getting to?

What else can you think of?

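An added example, not part of any post in this thread: a small Python audit that checks a regedit export against the registry values behind several items in the opening post's list (LMHash, null sessions, administrative shares, remote desktop, DCOM). The key and value names are the standard Windows ones; the expected data is an assumed baseline and the sample export is constructed.

```python
import re

CCS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
# (key, value name, expected data, item from the list) -- assumed baseline
BASELINE = [
    (CCS + r"\Control\Lsa", "NoLMHash", 1, "LM hash storage"),
    (CCS + r"\Control\Lsa", "RestrictAnonymous", 1, "null sessions"),
    (CCS + r"\Services\LanmanServer\Parameters", "AutoShareWks", 0, "administrative shares"),
    (CCS + r"\Control\Terminal Server", "fDenyTSConnections", 1, "remote desktop"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM", "N", "DCOM"),
]
# Constructed sample in regedit export format (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001
"restrictanonymous"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
'''

def parse_reg(text):
    """Parse export text into {key: {value name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif (m := re.fullmatch(r'"([^"]+)"=(.+)', line)) and current is not None:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)      # REG_DWORD, hex digits
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                current[name] = raw[1:-1]             # REG_SZ
    return keys

def audit(text):
    """Return [(item, 'ok' | 'weak' | 'missing')] for each baseline entry."""
    keys, results = parse_reg(text), []
    for key, name, want, label in BASELINE:
        got = keys.get(key.lower(), {}).get(name.lower())
        both_str = isinstance(got, str) and isinstance(want, str)
        same = got.lower() == want.lower() if both_str else got == want
        # 'missing' means the value is absent and Windows uses its default
        results.append((label, "missing" if got is None else "ok" if same else "weak"))
    return results

if __name__ == "__main__":
    for label, status in audit(SAMPLE):
        print(f"{status:8} {label}")
```

Files exported by regedit in this format are UTF-16, so read them with `encoding="utf-16"` before passing the text to `audit`.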


What do you do to secure your Windows XP OS?

Ideally, you don't use XP :P

You're missing a bunch of simple stuff, like strong passwords (not only on users' accounts). You also need to monitor your event logs and such.

Other things you could think about:

-changing which accounts some services run under

-renaming the administrator account

As for latest windows patches, it's not just about having the latest applied at install (obviously), it's about making sure they keep getting updated. And not just Windows' either.

Either way, a LOT of the stuff on your list seems pretty extreme, and I certainly wouldn't put up with using a box that severely limited (100% useless for me). I'd be reformatting that box in less than 5 minutes (and not reinstalling XP either :P )


What do you do to secure your Windows XP OS?

Let's brainstorm:

*Only crucial system services running (less exploitable processes + performance improvement),

*Hardened Hosts files (blacklists),

*Uninstalling Telnet/Net meeting/Messenger/WMP/DCOM vulnerabilities, what else?, etc (generic Windows bloatware),

*Disabling UPnP, Administrative shares (IPC$,etc), LMHash, Null sessions, epmap (port 135), SMB (port 445), SSDP (port 1900), etc

*Disabling DCOM, paging from executives, remote desktop, remote registry, TCP/IP NetBIOS Helper (NetBT), etc

*Secure file deletion (DOD 5222.20-M),

*Any server based network hosting capabilities unavailable,

*Group Policy Enforcement set in place (based on NSA checklists)

*Latest Windows Patches,

*Firewall + AV + Peerguardian (ipblock lists) + IDS app, etc

*Registry tweaks (which?),

*HDD encryption (which?),

*User without Admin privileges,

*etc etc... What else can you think of?

HTTP + SSL + HTTPS + Nothing else. Uber security.

See where I'm getting to?

What else can you think of?

Hm, let's see - This is what I do:

- Windows XP SP3 (patched up to December 2008)

- Kerio Personal Firewall 2.15 (from 2003)

- Administrator account with a 6 character password

- None of the stuff you mentioned above except the Firewall

In 15 years I only caught a virus once (back in 2003 with Windows 2000). This was quickly solved by restoring the OS from a Ghost image, takes only 2 minutes.

I sometimes run virus and spyware scanners manually but they never turn up anything...

Edited by Groucho2004

In 15 years I only caught a virus once (back in 2003 with Windows 2000). This was quickly solved by restoring the OS from a Ghost image, takes only 2 minutes.

I sometimes run virus and spyware scanners manually but they never turn up anything...

Same here. I don't actually do any of that. And the last time I ran into a virus is 2003 or 2004 (around the SP2 days -- never caught one on Vista or Win7). And that was entirely my fault too (willingly ran it as admin). None of this would have helped one bit (only took a couple mins to get rid of it too). None of this is a replacement for the user not doing stupid things, like running shady executables from strange places as admin, which probably accounts for 99.9% of infections all by itself. I wouldn't waste too much time on that other 0.1%, especially when it more or less makes your computer useless. We're not using any AV or antispyware type of app on any of our boxes. When it happens again in 5+ years, I'll remove it manually.


I'm pretty simple I guess. I don't go through so much work like the OP.

As I've posted elsewhere, I'm using the same install of XP from when it came out. I did a repair install earlier this year only because I changed motherboards and got an 0x7b afterwards.

1. Hardware firewall, blocks everything unless I say otherwise

2. Use webmail only, and only ones with built in AV

3. Windows firewall is on, but at default unless blocking certain ports already forwarded through the HWFW

4. Use Firefox with NoScript

5. Do not use P2P programs

It's really that simple. Oh and I do not use Anti-virus. :whistle:


The OP's list was used for a guide, so I probably missed some stuff. Here goes:

1. Firstly I have Windows XP Pro SP3 which has been moderately nLited.

2. I have all of the latest MS updates, and ALL of my programs, games, etc are up to date as well as hardware drivers.

3. Many services have been either removed with nLite, disabled, or set to manual.

4. Lots of MS stuff disabled/removed. Remote desktop, remote assistance, remote registry, IE, telnet, net meeting, messenger, windows update (I use AutoPatcher), other stuff disabled using Autoruns, other stuff I can't think of.

5. Lots of network features I don't need removed with nLite (TCP/IP, NetBIOS and others I can't remember).

6. Not that important, but I basically empty the recycle bin as soon as I delete something.

7. Windows firewall+semi-effective firewall in modem, AVG 8.5 (which has been stripped down a little bit), Spybot S&D (which has immunized my system every update).

8. Registry tweaks which were done by nLite and AutoPatcher. Not sure of all the security ones but there were a few.

9. Using the latest version of Firefox at all times as my browser (as IE was removed with nLite).

There's my list. Like I said, there is probably more, but that was what I could think of using the OP's first list and a few other things. I do not know everything that was removed with nLite as I do not have the preset anymore or the install disk that was originally used. Anyway, I reckon I am pretty secure (well a hell of a lot more secure than the average user anyway :thumbup ).

Edited by Zenskas

Um... I don't?

Actually, one thing: I don't open emails that are OBVIOUSLY spam, and I don't give my good email to someone who claimed that I have won $13.5 billion. (Sorry, that was two, not one...)

Nothing more.. no anti-virus (remove them by hand when they come every few years), just the Windows Firewall (which I don't even know if helps or not), NO HOTFIXES (original SP2 installation).

And it's been runnin' fine for quite a while... :D


Um... I don't?

Actually, one thing: I don't open emails that are OBVIOUSLY spam, and I don't give my good email to someone who claimed that I have won $13.5 billion. (Sorry, that was two, not one...)

Nothing more.. no anti-virus (remove them by hand when they come every few years), just the Windows Firewall (which I don't even know if helps or not), NO HOTFIXES (original SP2 installation).

And it's been runnin' fine for quite a while... :D

Either you only use your PC for email...or you only use your PC for email :lol:
