
Windows XP security guide

26 replies to this topic

#1
AnX


I know loads of people who still wish to use Windows XP as their main OS, and I'm cool with that for the most part.

 

So to help them out, I've created a security solution that should help secure your PC.

 

1: Set a password on the Admin account(s), and use a Standard account for everyday use.

2: Install the following software:

2a: avast! Free Antivirus: http://www.avast.com/en-in/index

2b: Comodo Firewall: http://personalfirewall.comodo.com/

2c: Malwarebytes' Anti-Malware: http://www.malwarebytes.org/

 

You should be all set then. The type of security provided here is quite high, such that it's more secure than your average supported OS ;)





#2
CharlotteTheHarlot


More ...

- Turn off Remote Assistance

- Turn off Error Reporting

- Turn off UPnP

... and most important of all ...

- Put the computer behind a Router


... Let him who hath understanding reckon the Number Of The Beast ...


#3
-X-


Also, do not use Internet Explorer! Get Firefox, Chrome or Opera if you can stand having no bookmarks. Opera now has some little heart things instead of bookmarks. Forget what it's called now. Then immediately install Adblock (it has a feature that Adblock Plus for Chrome lacks - the resource list) for Chrome and/or Adblock Plus for Firefox. Additionally, NoScript for FF and for Chrome it's built in under chrome://settings/content. It's a pain whitelisting all the sites so even though I have it I disabled it after a week. Too lazy to use it.  :crazy:



#4
RacerBG


My solution is: Malwarebytes, legal AV, Firefox+AdBlock and of course every kind of firewall (if you have router firewall - nice).




#5
submix8c


?"Every kind of Firewall"? ANY firewall is OK. Routers are (usually) Incoming Only, MS is DEFINITELY Incoming Only (AFAIK) and is a "pain" to set up the "blocks" (look into the "TCP Filtering" on your NIC), but it's a -good- thing to replace MS' with one that does Incoming+Outgoing. "Error Reporting" is kind of irrelevant (but perhaps an unnecessary Service) since it just "disturbs" you to say "NO, don't send my Crash to MS". Mine's still on and I don't worry about it - usually it's IE6 that goobers (nope, haven't "upgraded" yet). Other than that, all of the above (in some form or another).

 

TCP Filtering...

[Attached file: TCP-IP Filtering.jpg]




#6
CharlotteTheHarlot

Yeah, I should have said it like this ...
 
- Put the computer behind a Broadband Router ( Network Hub + Hardware Firewall with NAT + Wi-Fi )
 
Security-wise it is important because many packets will never even get to the computer in the first place as the hardware firewall tosses them away, which should actually increase overall performance since the computer CPU and Windows no longer have to handle them. Let the crappy Windows or 3rd party software firewall deal with whatever remains.
 
It's also nice to have logs to look at and also to have the ability to manually jump into the router firmware to do things that are normally a pain in Windows ( parental lock, site blocking, port forwarding, whatever ). Goodbye Facebook.
 
Since pretty much all routers combine a hardware firewall, a network hub, and Wi-Fi all in one, it is simply crazy to not plunk down the $50 or $100 and get one ASAP. They have become even more useful as time has passed. For example I still come across people who are sitting in their house blabbing on their cellphones using cellular rather than Wi-Fi even though their phone can easily do it. A router is a vital device in the home today.



#7
CharlotteTheHarlot


?"Every kind of Firewall"? ANY firewall is OK. Routers are (usually) Incoming Only, MS is DEFINITELY Incoming Only (AFAIK) and is a "pain" to set up the "blocks" (look into the "TCP Filtering" on your NIC), but it's a -good- thing to replace MS' with one that does Incoming+Outgoing. "Error Reporting" is kind of irrelevant (but perhaps an unnecessary Service) since it just "disturbs" you to say "NO, don't send my Crash to MS". Mine's still on and I don't worry about it - usually it's IE6 that goobers (nope, haven't "upgraded" yet). Other than that, all of the above (in some form or another).


About "Error Reporting" ... this thread mentions Windows XP so it is absolutely unnecessary to have that feature enabled since nothing is ever going to come of any crash reports sent to Microsoft. Indeed they could use the reports as a clue as to how to kill Windows XP even quicker if they were so inclined. Moreover, there are reports now of Error Reports being potentially used by hackers to identify exploitable bugs. Truthfully I don't know if this has been completely fleshed out ( i.e., does disabling the feature in the GUI or killing the service actually stop Watson from actually writing the file or just transmitting it ). But I think killing "Error Reporting" is a step in the right direction on Windows XP, though you are probably right that it isn't a critical security checklist feature with what we know so far.

About Routers ... they are not incoming only, perhaps such devices exist but I have never seen one. Even in the simplest firmware there are broad parental controls, but there is much more than that on most. You easily can manage your network per chassis ( via MAC ) or as a monolith blocking outbound comm via ports, protocols, services, or to specific sites by address or even using keywords found on a site *** ( good for parents, you can drive your know-it-all computer geek kids crazy :lol: ). The point is that the Router ( HUB/Firewall/Wi-Fi ) is truly a configurable I/O firewall these days, and is absolutely vital. And perhaps the most important reason of all is that all filtering/blocking/logging/everything is done off the computer, hence no computer CPU or I/O bandwidth or storage or anything is ever spent. Anything accomplished there is a "freebie" ( well after you spend the $50 ) that spares computer resources and performance. There is no software firewall or any kind of software that can do anything without using the computer resources and must by definition lower performance. Routers should be viewed as kind of a home super-PBX that deals with all incoming/outgoing comm traffic but with value-added features like wireless and details management, or, they can simply be seen as a super filter standing between the broadband modem and the computer/network. Truthfully I cannot imagine a single good reason to NOT have one considering what is going on these days. DISCLAIMER: I do NOT sell routers. :lol:

*** that last example, "block site by keywords" obviously has an inbound component to it as well. Indeed it is almost splitting hairs talking about Inbound/Outbound since they actually overlap. A good router design should block the outgoing comm to a banned site so that the request never gets there ( better for the overall Internet too ) rather than sending the request to the banned site and then blocking the received pages. I think the only difference to the end-user will be what error page or feedback they receive. Kind of interesting subject though ( "What is the best way to do this kind of thing?" ).

Edited by CharlotteTheHarlot, 20 January 2014 - 04:11 PM.



#8
jaclaz


DISCLAIMER: I do NOT sell routers.  :lol:

 

But you would be a good routers seller :yes:.

Though I also don't sell routers, nor other hardware, JFYI I have found a (of course cheap ;)) way to fully control network traffic (additional/before the DSL router).

Basically you can get for a handful of bucks (between 20 and 40) an oldish "terminal", I have found that excellent ones are Fujitsu Siemens Futro 200/300, add a 5 bucks NIC and install to it (or use an old USB stick) either Zeroshell (Linux) or Monowall (BSD).

 

jaclaz



#9
vinifera


- don't use Java, it's a nesting place for viruses


If you want true Windows user experience
try Longhorn builds: 3718, 4029, 4066

#10
CharlotteTheHarlot


DISCLAIMER: I do NOT sell routers.  :lol:


But you would be a good routers seller :yes:.


The funny thing is, if all the sheeple that bring me infected ( mostly Windows 7 ) computers listened to this advice I would have nothing to do! I'd be my own worst enemy. :lol:



#11
Eastwood


1: Set a password on the Admin account(s), and use a Standard account for everyday use.

Why this?



#12
CharlotteTheHarlot


1: Set a password on the Admin account(s), and use a Standard account for everyday use.


Why this?


Why the password or why the standard account?

The password for "Administrator" will prevent non-Admin users from running any dangerous command line or batch file with same or any application that requires Administrator level privilege. This includes malware accidentally executed by that user. Note that when I say "any", I actually mean most. Some might say some. :lol: Leaving the password blank is a bad idea because the bad guy or hostile script or malware ( or the good guys as well )  wouldn't need to know it in order to RUNAS or other things. This is a highly recommended item.

The use of a Standard Account just expands that concept to day-to-day experience, it means that most of the time that user will be prevented from most risky activities, by accident or intention. He ( or the hostile script or malware ) would need to specifically provide the Administrator password to proceed, or, switch users which takes time.

Nothing is perfect by a longshot, but some things are closer to perfect than others. Using an umbrella will keep you mostly dry. Using a condom ... you can figure it out  :whistle:



#13
Eastwood


Ok, thanks.

 

For Malwarebytes do I need the pro version or is the free one enough?



#14
CharlotteTheHarlot

MBAM free is fine. I believe the main difference is that the realtime component is what they want you to pay for.

In fact, when you install MBAM free, be aware that the default checkboxes in the setup in fact enable the realtime component as free trial.

Speaking for myself I avoid realtime protectors because I don't like them spending CPU and other things for dubious purposes. There is also the possibility that the realtime component will either be passive or passive-aggressive, the former means that it simply spots potential problems and prompts you, the latter will revert suspicious changes and may or may not let you decide.

So when I install MBAM, I disable the free trial, and use it entirely on-demand. And indeed, it is very good. I love it how it takes maybe 5 seconds to update the signatures while Windows Update takes some minutes to update MSSE signatures.

Added: I don't know what MBAM realtime actually does ( aggressive or not ), perhaps someone else can comment. I do know that MBAM focuses heavily on scanning the registry for suspicious entries, so it may very well lock down and protect keys, or it may not.

Edited by CharlotteTheHarlot, 29 January 2014 - 02:26 PM.



#15
Kelsenellenelvian

Real time mbam is super aggressive and annoying as hell.

#16
Dogway


I was using Comodo, but had some issues with it, and it also started to feel like bloatware. I recently read about Kerio Personal Firewall 2.1.5 from -X-, so what about:

-Avira Antivir (quarantine its own spam files)
-Kerio Personal Firewall 2.1.5
-Palemoon (Firefox fork) with
    -Adblock Plus
    -Adblock Plus Pop-up
    -BetterPrivacy

I don't know what Malwarebytes' Anti-Malware is for, can't it be done with Avira?


Edited by Dogway, 30 January 2014 - 06:10 PM.


#17
vinifera


MBAM is more generic than specific
it's not bad to use both

 

I just hate how MBAM plants itself into startup for no reason and you can't remove the **** thing



#18
bphlpt


It is not a bad idea to have more than one on-demand antivirus scanner available. Many of them focus on one type of virus or another and many are available in a portable form that do not need to be installed at all.

 

Cheers and Regards




#19
vinifera


problem with portables is you can't update them


Edited by vinifera, 31 January 2014 - 03:01 PM.


#20
JodyT


problem with portables is you can't update them

Just download a new instance once a week.



#21
dencorso


problem with portables is you can't update them


Just download a new instance once a week.


+1 :thumbup

#22
CharlotteTheHarlot


MBAM is more generic than specific
it's not bad to use both
 
I just hate how MBAM plants itself into startup for no reason and you can't remove the **** thing


You should be able to disable that. Make sure you are in an admin account before modifying AutoRuns stuff. Also, inside MBAM, go to the preferences and disable the realtime component or else it will always re-insert itself.

MBAM can definitely be restrained to on-demand status unless something changed in the past couple weeks.



#23
vinifera


the autorun is hardcoded

even if you manually remove it, on next app run it will re-insert itself (real time scanner doesn't matter here, this is its service)



#24
CharlotteTheHarlot


the autorun is hardcoded
even if you manually remove it, on next app run it will re-insert itself (real time scanner doesn't matter here, this is its service)


So the service is auto-starting? I thought you meant something in HKLM\...\Run

Can you set the service to manual?

IIRC, it does place a SYS file in the System32 folder tree no matter what you do ( on Windows XP in previous versions of MBAM I was able to physically delete it and place it in the local MBAM folder, but haven't tried it lately ).

Can you remember what happened when you installed? Did the free trial ( checked by default ) get installed? I'll bet that this is their way to quantify the 30-day ( or whatever ) period before it stops working.

I'm thinking that maybe you can uninstall, then re-install and clear all the checkboxes.

Gosh I would hate if they too went down this road with autostart processes and services.



#25
Kelsenellenelvian


Or you could just NOT register mbam.

 

The service only works on registered mbam





