Just got an IBM/Lenovo X30 with XP loaded on it, so I figured it'd be fun to try to secure it. ;)
I ran through:
- U Waterloo's Hardening XP doc, which covers User/Group/Security Policy changes.
- I created a new Administrator level account and disabled the Administrator account and all other built-in accounts.
- installed cygwin, so I could have a usable shell.
- ran bash.exe, ran
cd /cygdrive/c/Documents\ and\ Settings/$USER
for i in `/usr/bin/find * -maxdepth 0 -type d`; do
cacls.exe "$i" /E /R SYSTEM
cacls.exe "$i" /E /R Administrators
- encrypt all files and folders in my home directory and create a recovery certificate with "cipher /r:filename" and save the certificate files to a cd.
- Installed BSD's firewall for windows, wipfw. My ruleset looks like:
ipfw -f flush
ipfw add pass all from any to any via lo0
ipfw add check-state
ipfw add pass tcp from me 135-145 to local_windows_server
ipfw add pass udp from me 135-145 to local_windows_server
ipfw add deny tcp from me 135-145 to any
ipfw add deny udp from me 135-145 to any
ipfw add deny tcp from me 445 to any
ipfw add deny udp from me 445 to any
ipfw add pass ip from me to any out keep-state
ipfw add count all from any to any
ipfw add deny all from any to any
- I installed firefox and openoffice.org.
What else should one do to secure XP, should you try? ;)
When I end up needing to work with Win* (often trying to help friends from getting fried), I generally load it up with a variety of protections (which, granted, many of which are reactive rather than proactive).
First, it's hard to remember to do updates for me, let alone users who don't care about computers, so I generally have their machines do auto-updates each night. Perhaps for someone like yourself, just doing the download and notifying you of their existance would suffice.
In addition to Firefox and non-usage of Outlook, I throw on Ad-Aware and Spybot, and tell folks to run them at least once a month. I've recently begun putting on Windows Defender (MS anti-spyware), it can be configured to automatically run at night (which is good for those who don't listen to the above advice about frequently running Ad-Aware and Spybot but still bring you their computers to fix :-) The good thing about Defender is that it's memory resident, so it should help keep some things from getting on in the first place.
I used to put AVG onto computers without virus protection (which now often covers some spyware/trojan software), but I recently read some good things about Active Virus Shield by AOL. If you can get over the brand name, it apparently uses Kaspersky under the hood, which is one of the best on the market. Except that the AOL version is free.
What are you using to encrypt files?
Windows Defender: http://www.microsoft.com/athome/security/spyware/software/default.mspx
Virus Test: http://tech.cybernetnews.com/2006/09/04/and-the-best-antivirus-is/
Virus Shield by AOL: http://www.activevirusshield.com/antivirus/freeav/index.adp
XP has encryption built-in (file or folder properties, General tab - Advanced button, checkbox for encryption), cipher.exe will allow you command-line script this. XP uses AES-256 by default but can be switched to 3DES by running secpol.msc (Local Policies -> Security Options -> System Cryptography: Use FIPS compliant algorithms). --patrick.