AnX

Windows XP security guide

27 posts in this topic

I know loads of people who still wish to use Windows XP as their main OS, and I'm cool with that for the most part.

So to help them out, I've created a security solution that should help secure your PC.

1: Set a password on the Admin account(s), and use a Standard account for everyday use.

2: Install the following software:

2a: avast! Free Antivirus: http://www.avast.com/en-in/index

2b: Comodo Firewall: http://personalfirewall.comodo.com/

2c: Malwarebytes' Anti-Malware: http://www.malwarebytes.org/

You should be all set then. The type of security provided here is quite high, such that it's more secure than your average supported OS ;)


More ...

- Turn off Remote Assistance

- Turn off Error Reporting

- Turn off uPnP

... and most important of all ...

- Put the computer behind a Router


Also, do not use Internet Explorer! Get Firefox, Chrome or Opera if you can stand having no bookmarks. Opera now has some little heart things now instead of bookmarks. Forget what it's called now. Then immediately install Adblock (It has a feature that Adblock Plus for Chrome lacks - the resource list) for Chrome and/or Adblock Plus for Firefox. Additionally, NoScript for FF and for Chrome it's built in under chrome://settings/content. It's a pain whitelisting all the sites so even though I have it I disabled it after a week. Too lazy to use it. :crazy:


My solution is: Malwarebytes, legal AV, Firefox+AdBlock and of course every kind of firewall (if you have router firewall - nice).


?"Every kind of Firewall"? ANY firewall is OK. Routers are (usually) Incoming Only, MS is DEFINITELY Incoming Only (AFAIK) and is a "pain" to set up the "blocks" (look into the "TCP Filtering" on your NIC), but it's a -good- thing to replace MS' with one that does Incoming+Outgoing. "Error Reporting" is kind of irrelevant (but perhaps an unnecessary Service) since it just "disturbs" you to say "NO, don't send my Crash to MS". Mine's still on and I don't worry about it - usually it's IE6 that goobers (nope, haven't "upgraded" yet). Other than that, all of the above (in some form or another).

[Attached image: TCP Filtering]


Yeah, I should have said it like this ...

- Put the computer behind a Broadband Router ( Network Hub + Hardware Firewall with NAT + Wi-Fi )

Security wise it is important because many packets will never even get to the computer in the first place as the hardware firewall tosses them away, which should actually increase overall performance since the computer CPU and Windows no longer have to handle them. Let the crappy Windows or 3rd party software firewall deal with whatever remains.

It's also nice to have logs to look at and also to have the ability to manually jump into the router firmware to do things that are normally a pain in Windows ( parental lock, site blocking, port forwarding, whatever ). Goodbye Facebook.

Since pretty much all routers combine a hardware firewall, a network hub, and Wi-Fi all in one, it is simply crazy to not plunk down the $50 or $100 and get one ASAP. They have become even more useful as time has passed. For example I still come across people who are sitting in their house blabbing on their cellphones using cellular rather than Wi-Fi even though their phone can easily do it. A router is a vital device in the home today.


?"Every kind of Firewall"? ANY firewall is OK. Routers are (usually) Incoming Only, MS is DEFINITELY Incoming Only (AFAIK) and is a "pain" to set up the "blocks" (look into the "TCP Filtering" on your NIC), but it's a -good- thing to replace MS' with one that does Incoming+Outgoing. "Error Reporting" is kind of irrelevant (but perhaps an unnecessary Service) since it just "disturbs" you to say "NO, don't send my Crash to MS". Mine's still on and I don't worry about it - usually it's IE6 that goobers (nope, haven't "upgraded" yet). Other than that, all of the above (in some form or another).

About "Error Reporting" ... this thread mentions Windows XP so it is absolutely unnecessary to have that feature enabled since nothing is ever going to come of any crash reports sent to Microsoft. Indeed they could use the reports as a clue as to how to kill Windows XP even quicker if they were so inclined. Moreover, there are reports now of Error Reports being potentially used by hackers to identify exploitable bugs. Truthfully I don't know if this has been completely fleshed out ( i.e., does disabling the feature in the GUI or killing the service actually stop Watson from actually writing the file or just transmitting it ). But I think killing "Error Reporting" is a step in the right direction on Windows XP, though you are probably right that it isn't a critical security checklist feature with what we know so far.

About Routers ... they are not incoming only, perhaps such devices exist but I have never seen one. Even in the simplest firmware there are broad parental controls, but there is much more than that on most. You easily can manage your network per chassis ( via MAC ) or as a monolith blocking outbound comm via ports, protocols, services, or to specific sites by address or even using keywords found on a site *** ( good for parents, you can drive your know-it-all computer geek kids crazy :lol: ). The point is that the Router ( HUB/Firewall/Wi-Fi ) is truly a configurable I/O firewall these days, and is absolutely vital. And perhaps the most important reason of all is that all filtering/blocking/logging/everything is done off the computer, hence no computer CPU or I/O bandwidth or storage or anything is ever spent. Anything accomplished there is a "freebie" ( well after you spend the $50 ) that spares computer resources and performance. There is no software firewall or any kind of software that can do anything without using the computer resources and must by definition lower performance. Routers should be viewed as a kind of home super-PBX that deals with all incoming/outgoing comm traffic but with value-added features like wireless and details management, or, they can simply be seen as a super filter standing between the broadband modem and the computer/network. Truthfully I cannot imagine a single good reason to NOT have one considering what is going on these days. DISCLAIMER: I do NOT sell routers. :lol:

*** that last example, "block site by keywords" obviously has an inbound component to it as well. Indeed it is almost splitting hairs talking about Inbound/Outbound since they actually overlap. A good router design should block the outgoing comm to a banned site so that the request never gets there ( better for the overall Internet too ) rather than sending the request to the banned site and then blocking the received pages. I think the only difference to the end-user will be what error page or feedback they receive. Kind of interesting subject though ( "What is the best way to do this kind of thing?" ).

Edited by CharlotteTheHarlot

DISCLAIMER: I do NOT sell routers. :lol:

But you would be a good router seller :yes:.

Though I also don't sell routers, nor other hardware, JFYI I have found a (of course cheap ;)) way to fully control network traffic (additional/before the DSL router).

Basically you can get for a handful of bucks (between 20 and 40) an oldish "terminal", I have found that excellent ones are Fujitsu Siemens Futro 200/300, add a 5 bucks NIC and install to it (or use an old USB stick) either Zeroshell (Linux) or Monowall (BSD).

jaclaz


- don't use Java, it's a nesting place for viruses


DISCLAIMER: I do NOT sell routers. :lol:

But you would be a good router seller :yes:.

The funny thing is, if all the sheeple that bring me infected ( mostly Windows 7 ) computers listened to this advice I would have nothing to do! I'd be my own worst enemy. :lol:


1: Set a password on the Admin account(s), and use a Standard account for everyday use.

Why this?


1: Set a password on the Admin account(s), and use a Standard account for everyday use.

Why this?

Why the password or why the standard account?

The password for "Administrator" will prevent non-Admin users from running any dangerous command line or batch file with same or any application that requires Administrator level privilege. This includes malware accidentally executed by that user. Note that when I say "any", I actually mean most. Some might say some. :lol: Leaving the password blank is a bad idea because the bad guy or hostile script or malware ( or the good guys as well ) wouldn't need to know it in order to RUNAS or other things. This is a highly recommended item.

The use of a Standard Account just expands that concept to day-to-day experience, it means that most of the time that user will be prevented from most risky activities, by accident or intention. He ( or the hostile script or malware ) would need to specifically provide the Administrator password to proceed, or, switch users which takes time.

Nothing is perfect by a longshot, but some things are closer to perfect than others. Using an umbrella will keep you mostly dry. Using a condom ... you can figure it out :whistle:


Ok, thanks.

For Malwarebytes do I need the pro version or is the free one enough?


MBAM free is fine. I believe the main difference is that the realtime component is what they want you to pay for.

In fact, when you install MBAM free, be aware that the default checkboxes in the setup in fact enable the realtime component as a free trial.

Speaking for myself I avoid realtime protectors because I don't like them spending CPU and other things for dubious purposes. There is also the possibility that the realtime component will either be passive or passive-aggressive, the former means that it simply spots potential problems and prompts you, the latter will revert suspicious changes and may or may not let you decide.

So when I install MBAM, I disable the free trial, and use it entirely on-demand. And indeed, it is very good. I love it how it takes maybe 5 seconds to update the signatures while Windows Update takes some minutes to update MSSE signatures.

Added: I don't know what MBAM realtime actually does ( aggressive or not ), perhaps someone else can comment. I do know that MBAM focuses heavily on scanning the registry for suspicious entries, so it may very well lock down and protect keys, or it may not.

Edited by CharlotteTheHarlot

Real time mbam is super aggressive and annoying as hell.


I was using Comodo, but had some issues with it, and it also started to feel like bloatware. I recently read about Kerio Personal Firewall 2.1.5 from -X-, so what about:

-Avira Antivir (quarantine its own spam files)
-Kerio Personal Firewall 2.1.5
-Palemoon (Firefox fork) with
-Adblock Plus
-Adblock Plus Pop-up
-BetterPrivacy

I don't know what Malwarebytes' Anti-Malware is for, can't it be done with Avira?

Edited by Dogway

MBAM is more generic than specific
it's not bad to use both

I just hate how MBAM plants itself into startup for no reason and you can't remove the **** thing


It is not a bad idea to have more than one on-demand antivirus scanner available. Many of them focus on one type of virus or another and many are available in a portable form that does not need to be installed at all.

Cheers and Regards


problem with portables is you can't update them

Edited by vinifera

problem with portables is you can't update them

Just download a new instance once a week.


problem with portables is you can't update them

Just download a new instance once a week.

+1 :thumbup


MBAM is more generic than specific

it's not bad to use both

I just hate how MBAM plants itself into startup for no reason and you can't remove the **** thing

You should be able to disable that. Make sure you are in an admin account before modifying AutoRuns stuff. Also, inside MBAM, go to the preferences and disable the realtime component or else it will always re-insert itself.

MBAM can definitely be restrained to on-demand status unless something changed in the past couple weeks.


the autorun is hardcoded

even if you manually remove it, on next app run it will re-insert itself (real time scanner doesn't matter here, this is its service)


the autorun is hardcoded

even if you manually remove it, on next app run it will re-insert itself (real time scanner doesn't matter here, this is its service)

So the service is auto-starting? I thought you meant something in HKLM\...\Run

Can you set the service to manual?

IIRC, it does place a SYS file in the System32 folder tree no matter what you do ( on Windows XP in previous versions of MBAM I was able to physically delete it and place it in the local MBAM folder, but haven't tried it lately ).

Can you remember what happened when you installed? Did the free trial ( checked by default ) get installed? I'll bet that this is their way to quantify the 30-day ( or whatever ) period before it stops working.

I'm thinking that maybe you can uninstall, then re-install and clear all the checkboxes.

Gosh I would hate if they too went down this road with autostart processes and services.


Or you could just NOT register mbam.

The service only works on registered mbam
