Archive for category Windows XP

Windows XP Service Pack 3

Windows XP Service Pack 3 will be available soon. To review the features and understand Windows XP SP3’s place in relation to Windows Server 2008 and Vista, please download this article


Securing Windows XP Home

Security practices should be implemented on every computing platform. It’s a general rule and of course people should *play by the rules*… right :)

Windows XP Home computers don’t necessarily start out doing that right out of the box. Why?

First, many users on Windows XP Home may not be experienced computer users. Therefore, they may not know what the rules are and how best to follow them. This is one reason.

Second, Windows XP Home was developed at a time when the Windows Client and Windows Server kernel were on separate development tracks. This means that Windows XP did not benefit from the robust architecture of its Server parent. In addition, Windows XP Home has certain differences (even among XP Client operating systems) in its security features from XP Professional. These differences include features that are available on Windows XP Pro but are *significantly not available* in the Windows XP HOME version.

So what can we secure in Windows XP Home?

Here are the basics for securing a Windows XP “Home” computer. These are common practices for those *in the know* and are written here with adjustments to suit the Windows XP Home operating system. They are reasonably simple to implement and most users should be able to follow these directions and complete these tasks within an hour.

SECURITY 101 – Windows XP Home

  1. DISCONNECT your computer from the Internet
  2. Computer Name and Workgroup Name – change the default names
  3. Enable Windows Firewall
  4. Disable Allow Remote Assistance Invitations
  5. Password Protect the Guest account (and turn it off)
  6. Change the account type of your everyday account to Limited
  7. Password Protect every other account
  8. Make your My Documents folder Private (as well as other folders that you store data in)
  9. CONNECT your computer to the Internet to download and install updates

1 Disconnect your computer from the Internet

This is step 1. Before you do anything else, unplug the cable OR disconnect from the wireless router.

2 Rename the “default” COMPUTER and WORKGROUP names

When Windows XP Home is first installed, there are some common elements in place to help home users more easily network their computers together. These include things like having Simple File Sharing enabled, having Universal Plug and Play services enabled (like SSDP and UPnP) and writing a workgroup name to the computer called…. WORKGROUP.

The workgroup name and the computer name that are set “by default” should be changed. Why? If you connect to a network in a small office, or another home network, and the router assigns you an IP address on the subnet with other Windows XP Home computers that are using the default workgroup name, your computer can then be discovered on the network by those sharing the same workgroup name. This is good for ease of use and when you want to make the connections. It is bad when you consider the kinds of automated scripts that hackers use to gain access to computers on a network. If you are not a member of the same workgroup (or Domain) as other computers, your computer is not so easily exploited by bad guys that use default data values as part of their hacking scripts. Renaming your COMPUTER and WORKGROUP helps in this area so, please, rename your COMPUTER and rename your WORKGROUP to something other than the defaults. This is a best practice.

Also computer names and workgroup names should be

  • alpha-numeric
  • contain the hyphen symbol … ( – )
  • and NOT contain dictionary words

How to change the Computer Name and Workgroup Name

  • go to Start | My Computer
  • right click on My Computer and select Properties
  • select the Computer Name [tab] and then click the Change [button]
  • you will now see fields for Computer Name and Workgroup
  • type in a new Computer Name (using the guidelines above)
  • type in a new Workgroup name (using the guidelines above)
  • click OK, click OK

3 Enable Windows Firewall

Windows XP Home (and Professional) were originally shipped with a default installation that did not have a firewall enabled! This changed with Windows XP Service Pack 2 but some users still may be running computers without all the updates and Service Packs. This Firewall is called the Internet Connection Firewall and can be accessed one of two ways. We demonstrate access through the Security Center.

In addition, even if you have Windows Firewall installed already, it is a good practice to verify any Exceptions to the rules and the ICMP settings that allow other computers to seek out your computer without you knowing you are answering back.

  • go to Start | Control Panel
  • in Control Panel select Security Center
  • in Security Center look at the bottom of the window for the heading Manage Security Settings for: and select Windows Firewall
  • under the General [tab] select On (recommended)
    • You have now turned on Internet Connection Firewall
  • ABOUT EXCEPTIONS and ICMP:
  • under the Exceptions [tab] in the programs and services box uncheck every one of the boxes
    • why? – Because you don’t know for sure what you are allowing through until you check!
    • After unchecking the “allow” boxes, you can then audit what is allowed. When you begin to launch each of these programs, you can verify the programs that prompt you, verify where each program came from and whether (or NOT) it should be allowed to pass through the firewall. Be very careful to verify that these Exceptions are needed
  • under the Advanced [tab] select the Settings (button)
    • on the Services [tab] de-select every service (they are unchecked by default)
    • on the ICMP [tab] de-select every form of Internet Control Message Protocol (ICMP). ICMP allows other computers on a network to *ping* your computer, locating it and discovering information about it. Not necessarily the option you want to leave enabled.
  • click OK, click OK (exit Security Center)

4 Disable Allow Remote Assistance Invitations

Remote Assistance is a component that enables technicians and computer professionals to assist persons on a network with Fixes, Troubleshooting, and help with Productivity issues. On most home networks this service is not used. It is a potential vulnerability. Hackers can exploit this resource and the ability it offers to control your computer remotely. Turn off Remote Assistance if you don’t actively use the feature.

  • go to Start | My Computer
  • right click on My Computer and select Properties
  • select the Remote [tab]
  • under Remote Assistance un-check the box Allow Remote Assistance invitations to be sent from this computer
  • click OK

5 Password Protect the Guest account and turn it Off

User names should have passwords. Seems simple, right? In Windows XP it’s not quite so simple when it comes to the Guest account. The reason?… in Windows XP Home, the use of the command line is required to set the password for the Guest account. This is far different from accessing other accounts in the Control Panel, as the Guest account is not available through the Control Panel by selecting the User Accounts icon! This is how we access and change the password for the Guest account:

  • go to Start | Run
  • in the Run box type cmd.exe and click OK
  • at the command prompt (in the black window) type: net user Guest <password>
    • <password> represents the password that you type. This password should be long and have numbers (ex. 1234), letters (ex. abc), UPPERCASE LETTERS, and symbols %^&
    • If we choose a password such as P@ssw0rdPr0t3ct10n then you would type
    • net user Guest P@ssw0rdPr0t3ct10n
    • and press Enter
  • If all goes well the command window will echo back to you the following text: The command completed successfully
  • close the command window
  • that’s it

Finally, *IF* the Guest account is not OFF, please turn the Guest account OFF. It is not generally needed in most environments.

6 Change the account type of your every day account to Limited

Running an administrator account is great!… until you get hacked :( Why is that? Because an administrator account has lots of juice. What do I mean by juice? Well, the administrator account has the privileges to do anything it needs to do OR WANTS TO DO on your system. This is great when all those needs and wants are nice, friendly and benign. However, when those needs are not nice and friendly, having the Administrator account executing those commands becomes an instant death sentence to the security of your computer.

To explain: if you are surfing the internet and somehow a virus, malicious code or spyware program gets on your computer, that program has access to your computer based on the context of the account that is active when the virus/malware/spyware gains access. In other words, if you are logged in with the Administrator account and something bad happens, the bad thing happens in the context of the Administrator account. If you are logged in with a Limited account and something bad happens that means that the *something that is happening* can only happen in the limited context of the Limited account. In plain simple language, this practice of using a Limited account for your daily computing needs protects your computer.

If you need to install some new software or create a new user, simply log out and log in again using your other Super All Access To Everything ADMINISTRATOR Account. Once you are done with the task that requires the Super account, then log back out and log in again as the limited user. YES… it’s a few extra steps but it’s worth its weight in gold when it comes to computer security. This practice is actually enforced in Windows Vista but you have to manually follow it in Windows XP.

To limit your everyday user account:

CREATE A NEW ADMINISTRATOR ACCOUNT FIRST

  • go to Start | Control Panel
  • in the Control Panel select User Accounts
  • in the User Accounts window, select the Create new account link
  • type a Name for the new account and click Next
  • under Pick an account type, select ( * ) Computer administrator
  • click the Create account (button)
  • select the new account (whatever you have named it)
  • select the Create a password link
  • under Create a password for TheNewAdministratorName account give the administrator account a complex password – EXAMPLE: 123abcABC!@#

    • Type the new password
    • Type the new password again to confirm
    • Type a word or phrase to use as a password hint
  • click the Create Password (button)
  • NOW… before you do anything…. LOG OUT!
  • Log in again using the NEW Administrator account
  • Test your access and verify that you know the user name and password and can LOGIN without any difficulty
  • OK

LIMIT YOUR EVERYDAY USER ACCOUNT

  • go to Start | Control Panel
  • in the Control Panel select User Accounts
  • in the User Accounts window, select the Change an account link
  • choose the account Name of your original account
  • select the link Change my account type
  • select ( * ) Limited and click the [Change Account Type] button
  • That’s it! Your everyday account is now Limited and you are much better protected :)

7 Password all other User accounts

As you followed the steps in the previous item (number 6) and learned how to access your accounts, you also learned how to set passwords. Please use this information to set passwords on ALL accounts for ALL users. This is vital to your computer’s security. Every account should have a password and passwords should be complex. Great job! Now… on to number 8 :)

8 Make your folders Private

Windows XP Home promotes a feature (by default) known as Simple File Sharing. This feature does just exactly what it says… it makes sharing files and data simple. Unfortunately, computer security and data protection is not simple and so the use of this feature is in question. We suggest you protect your files by turning off Simple File sharing (Windows XP Pro only) and for Windows XP Home, we suggest making Folders private. Here’s how…

The method by which folders and files are protected in Windows XP Home is unique. (It is different in Windows XP Pro). To make your folders Private in Windows XP Home:

  • Open the container to the folder(s) you want to make Private
    • Example: to make your My Documents folder Private, open My Computer (My Computer contains the My Documents folder)
  • right click on the folder(s) you want to make Private and select Properties
  • select the Sharing [tab]
  • under Local sharing and security, check the box [ x ] Make this folder private
  • Repeat this step for every folder that contains data you would prefer to keep private and not share with others

9 Connect to the Internet and go to http://update.microsoft.com

Updating your computer with the latest updates and service packs is vital to your computer’s health, security and overall well-being. The internet is a wide open space more akin to the Wild West than say Yosemite National Park on a beautiful Spring day. Updating your computer regularly helps keep you secure in these “wild” open spaces. Security professionals at Microsoft continually monitor threat levels and release patches to better secure the operating system. Take advantage of them. They’re free!
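Most of the checklist above can be verified from the same command prompt the article uses for the Guest password. The following read-only audit script is an added example, not part of the original article; it assumes English-language Windows XP SP2 or later and an administrator command prompt, and the [ OK ] / [WARN] labels are its own convention.

```batch
@echo off
rem Added example: read-only audit of steps 2 to 7 of the checklist.
rem Assumes English-language XP SP2 or later; the text matched in each
rem command's output is an assumption about that language version.
setlocal

echo === Step 2: computer and workgroup names ===
echo Computer name: %COMPUTERNAME%
rem WORKGROUP is the default the article names; MSHOME is the workgroup
rem name that XP's Network Setup Wizard proposes.
net config workstation | find /i "Workstation domain" | findstr /i /c:"WORKGROUP" /c:"MSHOME" >nul
if errorlevel 1 (echo [ OK ] Workgroup is not a default name) else (echo [WARN] Workgroup still has a default name)

echo === Step 3: Windows Firewall ===
rem "show state" reports the profile currently in effect.
netsh firewall show state | find /i "Operational mode" | find /i "Enable" >nul
if errorlevel 1 (echo [WARN] Firewall is not enabled) else (echo [ OK ] Firewall is enabled)
echo Review the exceptions and ICMP settings listed below:
netsh firewall show allowedprogram
netsh firewall show portopening
netsh firewall show icmpsetting

echo === Step 4: Remote Assistance ===
rem fAllowToGetHelp = 0x0 means invitations are not allowed.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp | find "0x0" >nul
if errorlevel 1 (echo [WARN] Remote Assistance is allowed or the setting could not be read) else (echo [ OK ] Remote Assistance invitations are disabled)

echo === Step 5: Guest account ===
rem "Account active  No" means the account itself is disabled.
net user Guest | find /i "Account active" | find /i "No" >nul
if errorlevel 1 (echo [WARN] Guest account is still active) else (echo [ OK ] Guest account is disabled)
rem The date below should match the day you set the Guest password.
net user Guest | find /i "Password last set"

echo === Steps 6 and 7: accounts ===
echo Your everyday account should NOT appear in this list:
net localgroup Administrators
echo Every account below should have a password:
net user

endlocal
```

Save it as a .cmd file and run it after step 8, while still logged in with the new administrator account. It changes nothing on the system; each [WARN] line points back to the numbered step that needs another look.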

CLOSING THOUGHTS

In closing, you will find many excellent articles on the Internet regarding Windows XP security. Some do not specify whether they are written for Windows XP Professional or Windows XP Home. Some are written for both. As you do more reading and more research, please be certain that what you read applies to your version (XP Home in this case), otherwise you may be a little frustrated trying to follow the guides.

As a reminder, what we have written here today is purely for Windows XP Home and written in the language of Windows XP Home users. Hopefully these users benefit from this content.

Windows Services (the components of the operating system): Windows XP Pro and XP Home have Services running under the hood (these are the components that actually make up the Operating System). Some of these should be on Automatically, some should come on Manually and some should be Disabled. The subject of Services is a detailed topic that also relates to security and it is very important. However, we have not chosen to cover the topic here as this article is not written for advanced users. Many services should not be active; however, setting these services properly depends entirely on your knowledge of the software installed on your computer, the way in which you use your computer and your understanding of the repercussions that occur when turning these services on and off. Making changes in Services should be reserved for advanced users who understand how to get things back to normal should a certain piece of software (that requires a Service to be running) suddenly fail because of changes. (Note: you will see many Internet articles on this subject arbitrarily making “absolute” statements about which Services should be running. These articles are written without regard for your particular installation and do not take into account all software that may require specific Services. Please be careful when applying this information.) ~ end article ~

Thank you for reading.

As always, if you need help securing your computer or need help recovering from circumstances in which your computer was not secure and you learned the hard way…. call WIGITAL, we fix computers and we’re here to help. Have a great day!
