Windows Security - Concerns of an XP Virgin

32 comments

Yesterday I spent an hour on the phone to a sales guy, ordering a wonderfully spec'd new PC, as I have to finally run a Windows XP machine. The problem is, I'm frightened to even put it on my network...

I've run Linux for the last 3 yrs exclusively; I've not even had a copy of Win in the house for over 2 yrs, so I know virtually nothing about XP other than the horror stories of security issues you read about on a daily basis.

  • Is Win XP Pro safe to put on a network out of the box?
  • What apps are essential to combat spyware and other nasties?

Many questions arise in fact...

I'm hoping to run Gentoo's AMD64 profile on the new machine; as I understand it, the Win XP kernel is not ready to fully utilise 64-bit, right? So, with that in mind, if anyone can offer some tips, links or help on what I might need to do to lock down security issues on my new Win, that'd be great...

Comments

 

1 Word Answer - Win4Lin.

NO

Not an option...

 

Then download all the MS security updates to your Linux box, install them offline to your XP machine.

Get a decent AV app along with MS's Giant Spyware beta and install them.

Then go online.

Much easier today

With the automatic updates Windows seems so much easier today to keep "safe" - in general it's better, and you get all the updates in time.

On top of that I use Bullguard Antivirus/Firewall on my PCs here (about 6) and it seems to work fine (I also do work for Bullguard, so I am "neutral" :)). One of the PCs is running IIS on W2000 Server, but the IP is filtered by my ISP to only allow HTTP requests on port 80, and with all the automatic updates I have never had problems with that.

 

Things I do...
Keep XP updated.
Zone alarm pro firewall - Good for detecting apps that try and use the net
MS antispy
AVG anti-virus
Turn off html emails.
Use this site http://www.blackviper.com/WinXP/servicecfg.htm to see what services to disable - offers greater protection and improves speed :)

 

I agree, Mikkel, except the concern I have with automatic updates on a fresh box is that you'll be infected before you complete the initial downloads.

On an ongoing basis, use auto update, but to start I'd get them on there before going on the net.

As Jason says, getting XP updated to SP2 with all the patches ought to be done before you consider opening it to the wider net. There was that sensationalist article a while back saying it takes just 20 minutes on average for an unprotected XP to get worm-infected. Being behind a NAT or hardware firewall obviously helps a mite, but IE is still going to be a weak point.

A good firewall is a must, and I'd go with Kerio personal or Outpost (ZA has in the past been fraught with issues, so I avoid it). Get adaware and another anti-spyware lark (MS' one was mentioned above) to routinely go through things. AVG is a must, too. As is Firefox or Opera, and potentially a mailwash app.

NT4

I've been running the *same* install of NT4/SP6a since 1998 without having been hit by anything. The only three things I do are: tight browser settings, being careful what attachments I open, and a very tight Kerio firewall. What I mean by the same install is that it (NT4) was installed in 1998 and all machine upgrades involved moving the drives to a new box and changing the video driver. Occasionally, failed drives have been replaced by plugging a new drive into the RAID subsystem and letting the mirror rebuild, but the image has not changed.

The thing to do is firewall your machine properly, that is lockdown all unused ports, before going online for the first time to grab your patches. The alternative is to grab all patches and servicepacks onto a CD or a network share somewhere internal to you such as a samba share on your linux box and patch up before going external to your network. But you still have to be firewalled before going external. Give your box only a non-routable ip until such time as you are fully configured in that case.

Auto update is a disaster waiting to happen.

In a properly firewalled environment, anti-virus should not be a necessity.

By firewall I mean packet filtering as done by kerio, cisco pix or ras packet filters.
All three can be setup almost identically.

In the end, do everything the way you would on any other operating system to secure it. It's just another OS, the same considerations apply. The only difference is that the windows world is a much more tempting target to the ne'er do wells, so some things that you might have been safe in ignoring in another OS cannot be ignored when running XP.
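The comment above puts the emphasis on port blocking and on keeping the box on a non-routable address until it is patched. The natural check before handing it a routable address is to scan it from the Linux box for the TCP listeners the worms of that era used. The script below is an added example, not code from the thread or from any of the products it mentions; the port list and the service descriptions are my selection (an assumption), and the self-check talks to a throwaway listener on 127.0.0.1 rather than a real XP machine.

```python
"""Pre-exposure check, run from the Linux box against the freshly built XP
host while it still has a non-routable address: confirm nothing is reachable
on the TCP ports network worms walked in through.  Added example, not from
the original thread."""
import socket

# Listeners a stock XP exposes and the worms that used them.  The port
# selection is mine (an assumption), not a list taken from the thread.
WORM_PORTS = {
    135: "RPC endpoint mapper / DCOM (Blaster, Nachi)",
    139: "NetBIOS session service",
    445: "SMB / LSASS (Sasser)",
    1025: "RPC dynamic port (DCOM)",
    5000: "UPnP SSDP (pre-SP XP)",
    3389: "Remote Desktop",
}


def scan_host(host, ports, timeout=0.5):
    """Return the sorted subset of `ports` that accept a TCP connection on `host`."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising, so a refused
            # or timed-out port simply does not make the list.
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def verdict(open_ports, risky=WORM_PORTS):
    """(safe_to_expose, report_lines): safe only if no risky port is open."""
    hits = [p for p in open_ports if p in risky]
    lines = ["%d/tcp open: %s" % (p, risky[p]) for p in hits]
    return (not hits, lines)


def check_xp_box(host, timeout=0.5):
    """Scan the worm ports on `host` and say whether it may go online."""
    return verdict(scan_host(host, list(WORM_PORTS), timeout))


def self_check():
    """Prove the scanner works against a throwaway local listener (constructed
    fixture, not an XP box): one port bound and listening, one port bound and
    then released so it is known to be closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        found = scan_host("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return found == [open_port]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ok, report = check_xp_box(target)
    print("\n".join(report) or "no worm ports open")
    print("OK to expose" if ok else "keep it on the non-routable address")
```

Run it as `python check.py 192.168.x.y` from the Linux side once the XP box is on the LAN and its firewall is configured; anything it reports open is a port the firewall did not close, which is exactly what the comment above says must be fixed before the machine is given a routable address. A NAT router hides these ports from the outside, but not from an infected laptop on the same LAN, which is the scenario several later comments describe.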

of course it is

Just to address:

Is Win XP Pro safe to put on a network out of the box?

Not exposed to the external world. But of course once fully patched, yes.

After all, Win XP is the same core as Win2K3 and it's doing just dandy out in the server world.

Not that bad

Windows has got some serious security flaws but, chee-rhist, it's not going to explode if you touch it! Assuming you've got a rudimentary firewall on your LAN and don't have any worm-infected systems on the inside, you can run updates as soon as you boot it, no need to wrap it in tinfoil first. I'd be surprised if it was shipped without SP2, so it will probably just be a few trivial patches.

Assuming your LAN is clean, you'll have to work pretty hard to infect the thing; read every spam you get with HTML email enabled, open every attachment, download dodgy software, visit dodgy sites and click "OK" every time a security box comes up and you should be able to do it.

I've run XP for years, and have never needed A/V or anti-spyware software - although I do run them these days, and recommend it, the only thing they've ever done on my own PC is tell me some attachment I deleted had a virus. The only time I've ever had to deal with malware was from f*ckwits bringing in laptops that they'd used according to my above suggestions and plugging them into the LAN. Even then it didn't hose my system, just flooded the network until I tracked them down and helped them clean their systems.

Seriously, Windows is flawed in many ways, and I would never use it for a server if given a choice, but your fear of plugging it into your LAN reminds me of people who are afraid to use email because they've read that baddies can use it to break into their bank accounts. Common sense and a bit of technical savvy goes a long way.

 

Paul H's list is a good one, with the only additions I would add being the use of Mozilla Firefox for the web instead of Internet Explorer and Thunderbird for email instead of Outlook if feasible in your individual setup.

SP2 has really done wonders for the general security of XP, and it's managed to survive on both my parents' machine and those of my brother and sister, all of which are directly connected to DSL lines (though I'd feel better if they took the simple precaution of using a $35 broadband router to act as a simple NAT firewall between them and the modem).

-- Ubuntu Linux and Windows XP Pro user

SP2 preinstalled

Any new XP machine should have SP2 preinstalled, and the CDs you get with it should include installers/images of XP with SP2 slipstreamed into it. No worries there.

New machines now should also likely have at least some of the updates released since SP2 as well. I'd have no qualms about whacking a new machine straight on the net. I do it here all the time, in fact :) New XP machines get plugged straight into the network so they can be added to the domain and get apps off the network. I don't do anything to them beforehand. But then, we also have an ISP-based firewall that blocks all ports except those asked to be unblocked. I'd still do the same without that protection, though.

AV, Firewall, Spyware cleaners (2 or 3) and that's the main stuff.

At home, I use Sygate's free firewall, PC-cillin AV, Spybot S&D, MS AntiSpyware, K9 (for spam email filtering) and Opera as primary browser, behind a router. Oh, and automatic updates on.
In 2 and a half years I've had no problems that have been more than trivial to deal with (odd little bits of spyware and Sygate warnings about sums it up).

Hardware firewall and ...

A good hardware firewall is obviously better than a router; clever people can walk right past that router.

As well, I don't know what you're using for web hosting, but if your WH account allows you to configure procmail (e.g., a virtual private server or dedicated server), you can set up filters to /dev/null virus-laden email. No need to download them and *then* deal with them. I even quarantined viruses on the server for a while so that I could read them; no harm, no foul on my end.

Wealth of information!

Thanks everyone, that's a real wealth of info there :)

I'm not actually going to use this machine at all for email, so no worries there - my mail is filtered at the ISP's mail server, then filtered again with procmail and SpamAssassin when it gets to my Linux box, then whatever is left is read by a text-only reader.

I'm interested in the different firewalls mentioned. I've no intention of getting a hardware firewall (I presume you mean another machine, Diane?) but an installable one to lock down ports and monitor apps.

I was going to use ZA Pro, but do any of the others mentioned monitor as well, as well as block ports?

As for tin foil, well, better safe than sorry I think, particularly for a newbie - I presume I can use whatever key MS give me to get their patches etc. from the Microsoft site?

Then I'll download on Lin, and burn+install on Win before putting it on the network...

Thanks again, very much appreciated..

Yes

Yes, I meant another machine, Nick; email if you want info.

 

I've not hooked up XP to a network - you may have a few annoyances with network connections being blocked on a default setting - but as a standalone should be safe enough.

Security protection for XP is pretty basic:

1. Have a Firewall set up (Zonealarm software is good for that - and basic is free)

2. Have anti-virus software with auto-update (I use McAfee @ £25/year - there are plenty of alternatives)

3. Surf with Firefox instead of IE - as if you would need telling that. :)

4. Don't do stupid things

I think 4 is the most important.

To run safe:

Install the Firewall, then install the anti-virus - and only then connect to the internet (probably to download Firefox first).

The biggest security risk to a machine is poor admin. Leave your machine to auto-update Windows patches to cover exploits, ensure that the Firewall and anti-virus are up to date, keep with the latest Firefox, and avoid free software downloads from 'see Britney nude' sites.

That, and avoid opening e-mail attachments with the filename extension .scr or .exe, and you should be fine and dandy.
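The procmail suggestion earlier in the thread and the .scr/.exe advice just above describe the same control: strip executables out of mail on the Linux side before anything reaches a Windows client. Below is an added example of that gate, written by me and not taken from the thread or from procmail; the extension set, the placeholder addresses and the constructed test message are all my assumptions. It quarantines rather than sending to /dev/null, so a legitimate attachment caught by mistake can still be retrieved.

```python
"""Attachment gate for mail delivered on the Linux box: flag any message
carrying an executable attachment so it can be quarantined instead of
delivered.  Added example, not from the original thread."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs as a program when double-clicked.  The set is my
# choice (an assumption); the thread itself names only .scr and .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def executable_attachments(msg):
    """Names of attachments whose final extension is executable."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue
        # Lower-case and drop trailing dots/spaces, then look only at the last
        # suffix: "holiday.jpg.scr" is a screensaver, whatever the icon says.
        ext = os.path.splitext(name.strip().rstrip(". ").lower())[1]
        if ext in EXECUTABLE_EXTS:
            hits.append(name)
    return hits


def route(raw_message):
    """Decide the folder for one raw RFC 2822 message: ('quarantine', [names])
    when an executable attachment is present, otherwise ('inbox', [])."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = executable_attachments(msg)
    return ("quarantine", hits) if hits else ("inbox", [])


def build_sample(attachment_name):
    """Constructed test message carrying one attachment with the given name
    (placeholder addresses; not a real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "nick@example.invalid"
    msg["Subject"] = "see attached"
    msg.set_content("Have a look at this.")
    # Fake payload; a real Windows executable also begins with the 'MZ' header.
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("holiday.jpg.scr", "invoice.pdf", "Setup.EXE"):
        print(name, "->", route(build_sample(name)))
```

Wired into a procmail recipe (pipe the message through the script and branch on its exit status or output), this is the "filter to /dev/null" idea from above with a quarantine folder in place of the bit bucket. Checking only the last extension after normalising case and trailing dots is what catches the double-extension trick and the `.EXE` variant that a plain substring match on ".exe" would miss.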

MS update

>> i presume i can use whatever key MS give me to get their patches etc from the microsoft site?

MS update is "built in" so that you can reach it with internet explorer. As you navigate to the web page it first asks for permission to download and install an ActiveX component, which scans your whole system to determine which software versions you are running, and which patches you have already downloaded.

Then it recommends the newest patches for download and install. It's all very slick and automatic. You don't need to install all that MS update suggests - there's a difference between "critical updates" (security stuff) and "suggestions" (mostly products or product enhancements)

So, you will probably not be able to navigate to windows update on your linux box and get the right components easily.

Anyway, I would not worry at all about just pointing IE at Windows Update on the new box. But, of course, installing firewall and antivirus first is a nice thing.

---

On my Win partition, I run:

1) AVG antivirus (free, scans daily, autoupdates daily)
2) Spybot Search and Destroy (with Immunization)
3) Javacool Software Spyware Blaster (a gem)
4) Lavasoft Ad-Aware (once in a while)
5) PeerGuardian (IP-blocklists)
6) Windows software firewall (built in)
7) External firewall as well
8) Windows update (frequently, but not automatic)
9) Firefox for browsing (on linux too)
10) Java and Flash disabled
11) Thunderbird for email (on linux too)
12) Internet Explorer for windows update

After I switched to (9) and (11), items one to four have never found anything, not even before I got firewalls up.

...and after writing all this

... I find out that some script kiddies have tried defacing my main site (which runs on Linux, of course) due to some security hole in cPanel. They didn't get far, but I got one of their neato tools to play with *lol*

XP Firewall

Reading through some of the comments again, I'm reminded of the XP Firewall. Since SP2, that has been the single biggest problem I've had with XP. Now I just disable it and use something else.

Although it says it does, it doesn't always let you know when it blocks something. So you're there wondering why the hell something isn't working, then discover it's fine with the firewall off, and you got no messages or warnings about it.

ZA is popular, but I've generally heard people talk up Sygate (which I then started using, and have always found pretty decent) more and how it's more secure etc... They are probably lower end things though, not like some of the pricey software/hardware you can get. Depends what you're after.
ZA/Sygate will offer fair protection, and along with some auto updating AV software, will protect you from the large bulk of problems.

Consider this, the main people who get affected by security problems are those who don't do updates and/or don't have AV and/or don't have any kind of firewall. By having all 3, you're already limiting yourself to the cleverer and more tenacious nasties out there.

For all the talk of security flaws etc, it's really not difficult to be protected from about 99% of issues when you've only got a machine or 2 to worry about.

Now on a large corporate network (and I'm talking more WAN terms here) where all parts are linked together, and hardly any machines update windows patches, lots of machines have AV, but it doesn't get updated, and a very strong firewall and virus protected email system. It doesn't take much for say a single laptop to be plugged in and infect huge parts of that WAN with something like Nachi and requires the attentions of a hundred strong IT dept for several days, as well as ongoing resolution from a smaller team to deal with. That is when windows security flaws get a tad annoying :D

a final word

As suggested in a sense by Adrian, if you are secure at your network interface, you are safe. That is the reason for my emphasis on port blocking. If it/they cannot connect, it/they cannot harm you. On a clean machine the rest of the stuff is just a waste of cpu cycles, and hence your time.

If its not directly connected to the internet you should be fine

If you have a router/firewall making your internet connection then it doesn't really matter what type of boxes you have behind it.

The router firewall kills 99% of intrusions.

After that sensible security will keep you pretty safe. ZA as a local firewall, AVG Anti Virus, Anti Syware software, don't use IE (use Firefox instead), automatic updates (keep up to date)

Do not use Windows firewall.

I've never had any major issues, and apart from the router/firewall I've totally ignored most of my own suggestions.

 

A router is my next step. I've been very very lucky in my years online, and I don't plan to rest on those laurels.

Of course, once I migrate to linux, I will no doubt sleep easier all 'round!

Benchmarking will be a bugger

I went through something quite similar recently. I had a very high-spec machine built for me by a custom company on the Isle of Wight. 32/64 proc.
Try benchmarking it: it failed most benchmarking tests. I sent it back to get some of the most important elements BM'd and it eventually passed on them.

Security became an issue and we tested several last defense firewalls on this machine while it was hooked to the network via router. None of them were really any good including Zone Alarm, McAfee and Norton.

What did work: Outpost Firewall 2.5, in conjunction with the antivirus NOD32. At first Outpost gave a few problems; when we reported this to Agnitum they had a fix within a week that let it ride smoothly with the 64 proc.

All is well now and it runs like a dream.

I should correct myself above

- actually it turned out that it wasn't my site that the kids had been playing with, but the explanation is a bit complicated so I'll spare you that. Anyway, no harm was done and I got a nice tool to play with anyway.

Btw, those 64-bit machines... as I understand it, there's no real benefit in Win64 as opposed to Linux64 because the applications must be made for 64-bit as well. The OS running 64-bit should not really be interesting by itself.

 

here ya go, Claus

Overview of the compatibility considerations for 32-bit programs on 64-bit versions of Windows Server 2003 and Windows XP

In the end, I suspect it'll say much the same as you did above --get 64b programs.

AMD's list

Not sure when this was last updated, but here's AMD's take on 64-bit software availability:

link

No reason to rush out to get Win-64.

 

My amd64 arrived on monday, but had to be sent back as it arrived in components and the last time Ivana and I had a motherboard out on the table we blew up the processor :)

But when it does arrive, hopefully tomorrow, I'll be running Gentoo's AMD64 branch on it - from what I've seen, it's the most advanced 64-bit system available right now, though some apps do still have to run through a 32-bit emulator...

Finally...

So, I have now gone over to the dark side and have a fully working XP install in the office :)

I settled on the ZoneAlarm security suite as it bundles antivirus and other stuff into the package - at $60 I can't find a good reason not to buy it, as I quite like it...

I burnt it to disk and installed it before I even put the wifi card in, heh!

Thanks again for all the advice!

just installed XP SP2

- service pack two was waiting for me at the windows update website today. 113Mb to download and install

..and uninstalled it again...

..duh. Of all possible programs it of course chose to make my anti-virus program unstable - so, XPSP2 off and AVG on.

I bet it's better security after all, but I also bet it will give me problems with windows update down the road. I wish I didn't have to use windows, but unfortunately it's the best tool for doing windows specific development.

Just typing apt-get is a wonderful experience compared to all the worries and hassles that comes each time windows f*cks something up.

 

Agreed, Claus

On Gentoo I just do:

emerge --sync            # syncs the local package list with the latest one
emerge -uDav world       # lists all the packages that need updating and asks if I want to continue
emerge -av --depclean    # cleans out any unneeded dependencies
revdep-rebuild -v        # looks deep into the program trees to make sure I've not removed anything vital
glsa-check -f new        # security updates

It's a few commands, but it's a doddle to do, and really looks after the system so it's lean and mean AND working right...
