Securing Your Windows XP System
Overview
Windows XP needs a few customizations to help keep your computer safe.
Essentials
- Keep your system up to date:
This is one of the easiest, most effective things you can do to keep your computer secure. To update manually, visit Windows Update. This will take you to the Microsoft Update web page. Select any available critical updates, and then click "Download and Install."
If you don't want to have to remember to run Windows Update manually each week, you can also configure your computer to check for patches and download them automatically. When new patches have been released, your computer will prompt you with a Microsoft butterfly in the task bar and a pop-up window on your desktop. To enable automatic updates, double-click on Automatic Updates in the Control Panel (found at Start -> Settings -> Control Panel). Follow the wizard's prompts to choose the options you want.
If you run common applications such as the Microsoft Office suite (Word, Excel, Outlook, etc.), you should also check the Office Update page regularly. Microsoft Office applications frequently need security patches, and the Windows Automatic Update system does not check for Office updates.
- Use a firewall:
Automatic firewalling has been available since the release of Service Pack 2. Since this firewall may block some traffic from campus web sites, such as Banner, you may wish to edit the firewall settings for campus use. CITES has developed a click-and-go program (available HERE) that will update your firewall for you, or you can change the settings manually using instructions from the Windows XP Firewall Customizations page.
- Install antivirus software:
The vast majority of viruses are designed to affect Windows systems. The University of Illinois at Urbana-Champaign provides free site-licensed antivirus software that is configured to automatically update itself and protect your system.
If your computer is not connected to the Internet for a while, then the antivirus software may not have had the opportunity to perform its automatic updates. Make sure that you run a manual update as soon as you reconnect. To run a manual update, right-click on the VirusScan logo and select Update Now.
- Install anti-spyware software:
Many of the nuisance-level problems afflicting Windows computers are caused by spyware rather than viruses. Spyware can cause effects ranging from a noticeable slowing of your computer to pop-ups and hijacked web browsers; spyware can also be malicious, reporting personal information, from credit cards to passwords, to unauthorized websites. Fortunately, the campus has site-licensed anti-spyware software for students, faculty, and staff. For more information, see the CITES Anti-spyware pages.
- Choose a good password:
Any computer that will have multiple users or be attached to a network needs to have good password protection for each user. Password tips and advice can be found in the CITES Guide to Passwords.
In many versions of Windows, a user name can have a blank password, which allows anyone to log in to the computer simply by clicking. Make sure that all user accounts on the machine have passwords to protect access to your computer.
More security
These steps can be done offline to increase basic security before you connect to the Internet. They're presented in order from simplest to most complex; you can start at the top of the list and work toward the bottom.
- Disable the guest account:
If the guest account isn't disabled already, you should turn it off. The guest account allows anonymous access to your system and can be used for dangerous exploits. Right-click on My Computer and select Manage. In the Local Users & Groups view, make sure the Guest account is disabled. (There should be a small red X over the corner of the icon; right-click and make sure the "Account is disabled" box is checked.)
- Disable Windows file sharing if it's not in use:
If you aren't using Windows file sharing to connect to other computers or printers on your local network, it's safer to disable it.
From the Control Panel (Start > Settings > Control Panel), double-click the "Network and Dial-Up Connections" icon. Right-click "Local Area Connection" and select Properties. Make sure the "File and Printer Sharing for Microsoft Networks" box is not checked and then click OK.
(Note: This is not the same as disabling client-server or peer-to-peer file sharing; this affects only Windows-native file sharing. For more information about the different types of file sharing and their risks and benefits, see File Sharing.)
- Don't give out too many "administrator" group memberships:
The Administrator account is the most powerful account on a Windows system. Most users shouldn't log in with administrator privileges for everyday work; the administrator privileges should be reserved for actions such as installing software and patching the system.
If only the administrator and guest accounts have been created on the computer, you'll want to create an individual user name so that you can have a regular account for daily use without administrator privileges.
Right-click on My Computer and select Manage. In the Local Users & Groups view, open the Users folder, and make sure most of the user names don't belong to the Administrators group.
However, make sure that the administrator account does still have administrator privileges; it's important that at least one user has that ability at all times.
- Disable remote access:
From the Control Panel, double-click the System icon. Next, click the Remote tab near the top of the window and then click the Settings button. Make sure the box next to "Allow this computer to be controlled remotely" is not checked.
- Adjust your Internet applications settings:
Even if you keep your operating system up to date, you still run the risk of allowing unauthorized access if your applications are not configured correctly. Important things to check are whether the application will run executables (such as ActiveX) without asking, how the application handles cookies, and whether it connects to the Internet on its own.
- Restrict access to the registry (if you've disabled the firewall):
If you've chosen to disable the Windows XP firewall, follow the instructions on the CITES Security group's Windows Lockdown page to prevent registry access by remote and anonymous users. While this step may seem intimidating, it will help keep attackers from learning your account names and prevent them from locking out your users.
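A command-line check of the guest account, Administrators membership, file sharing and remote access steps in this list, as an added example that is not part of the original CITES page. It only reads settings and assumes an English-language Windows XP (the find strings match English net output); the Remote Desktop check goes beyond the one checkbox the page names.

```batch
@echo off
rem Added example: read-only audit of the checklist steps above.
rem Assumes English-language Windows XP; run from an administrator's command prompt.
setlocal
set TS_KEY=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

echo == Guest account ==
net user Guest | find /i "Account active" | find /i "Yes" >nul
if not errorlevel 1 (
    echo WARNING: Guest is enabled. Disable it in Local Users and Groups.
) else (
    echo OK: Guest is disabled.
)

echo.
echo == Administrators group members ==
rem Review by hand: everyday accounts should not be listed here, but at
rem least one administrator account must remain.
net localgroup Administrators

echo.
echo == Shared folders and printers ==
rem Lists what this machine currently shares. An error here usually means
rem the Server service is not running, so nothing is being shared.
net share

echo.
echo == Remote Assistance: "Allow this computer to be controlled remotely" ==
reg query "%TS_KEY%" /v fAllowFullControl 2>nul | find "0x1" >nul
if not errorlevel 1 (
    echo WARNING: remote control is allowed. Clear the box on the Remote tab.
) else (
    echo OK: remote control is not allowed, or the value is not set.
)

echo.
echo == Remote Desktop (XP Professional; not named on the page) ==
reg query "%TS_KEY%" /v fDenyTSConnections 2>nul | find "0x0" >nul
if not errorlevel 1 (
    echo WARNING: Remote Desktop connections are accepted.
) else (
    echo OK: Remote Desktop connections are refused, or the value is not set.
)
endlocal
```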


