Prevent infections by making windows more secure...

By Spike
Aug 18, 2005
  1. An XP security tips feature recently appeared in PC Format Magazine. Most of what it said was complete common sense, some of which was obvious to most, and consisted of things we should all be doing anyway if we're interested in security. I've not copied the whole article, nor have I covered everything it said, but I have re-written parts of it here to offer the same advice to a wider audience, aiming particularly at less experienced users in a bid to try to help reduce the number of infections appearing. I'd have just copied it out, but it's three pages long, I don't have the images, and I didn't want to breach copyright! Anyways, the advice...

    Assuming you've just freshly installed XP (which we'll all do sooner or later), this will hopefully help make sure that your PC is secure, though I see no reason that even an old install shouldn't benefit from this. There are simple things you can do above and beyond anti-virus, firewall, and windows update. Almost all of it is completely free too! The one and only thing that would cost money is this first point, here...

    1, ...Consider, if you don't have one already, getting an ADSL router (if you have an ADSL connection that is). You can pick up a single port router for as little as £30/$40, and the security benefit for this one little investment is pretty substantial.

    2, Disconnect the internet connection - If it's active, disconnect it. If you have a router, this doesn't really matter all that much, unless of course you haven't yet changed the default passwords for it. Statistically, a computer is attacked within 2 minutes of going online on average, and yours isn't ready yet.

    3, Use a limited account! - This can't be stressed enough. To be using an account with administrator status for day to day stuff is just asking for trouble. Log into your administrative account, install the programs you intend to use, add a strong password to the account (ONE YOU CAN REMEMBER!), create a limited account for day to day use (browsing the web, using programs, etc), and add a password to that account too. After setting up your computer, only ever log into the administrative account if you need its privileges. For the most part, use the limited account.

    4, Display hidden file extensions - open "my computer", and go to tools -> folder options. Under the view tab, scroll down a little and deselect the "hide extensions for known file types", and click apply. That way, you can see that files such as "this is funny.jpg.vbs" aren't what they appear to be.

    5, Protect your guest account - The guest account can be used by hackers and/or malware to gain greater access to your machine, even when turned off. The guest account can't be removed. However, you can disable it, but this can affect the functionality of your computer. Instead, what you can do, and what you probably should do, is put a strong password on it, and then leave it safely turned off. You do this by opening a command window (start -> run -> type "cmd" and press enter). At the command prompt, type net user guest <password> (where <password> is your chosen password, being something you can remember). After hitting the enter key, the guest account will be password protected. If your machine is networked and authenticating as guest, then you'll need this password to access network shares - if you tell it to remember the password, it will only ask the once.

    6, disable memory dumps - when an application on your PC crashes, windows makes a note of it in a memory dump file by default. It's useful for troubleshooting, but can unfortunately store passwords used in applications, making it a prime target for Crackers (like hackers, but evil, and given that at least one variety of CoolWebSearch was recently discovered to send personal details to a remote server for ID theft, it may be a matter of time, however unlikely, that malware could be written to use such files for purposes of finding targets for cracking.) Right-click "my computer" -> properties -> advanced tab -> the "settings" button in the startup and recovery section. Where the window says "write debugging information", change the "small memory dump (64KB)" to "none" and click ok. If your computer ever starts crashing, you can re-enable it if you need the file to investigate.

    7, Safeguard the "Administrator" account - All things nasty on the internet head straight for this account. It's not the same as an account with administrator status - It's far more powerful and is concerned with the inner workings of XP. Simply changing its name can make it far more secure, deterring all but the most determined of Crackers, and leaving a lot of malware completely confused.
    For XP-Pro go to start --> run --> and type gpedit.msc, which will open the group policy editor window. Go to computer configuration -> windows settings -> security settings -> local policies -> security options. Double click on "accounts: rename administrator account" and give it a new name (but don't go making it obvious, like calling it admin or something.)
    For XP-Home see the instructions here.

    8, Clear the page file - The page file isn't cleaned out regularly, and as a result can accumulate data, personal info, and passwords, all of which can be extracted by someone with the right tools and knowledge. A quick registry change can have windows clear it out every time the machine is shut down. Open "regedit" and make your way to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. Create a new DWORD value called ClearPageFileAtShutdown if it's not already there, and set its value to 1. This will take effect the next time windows is restarted, and will purge the pagefile every time thereafter.

    There are a few other things you can do before you go online, but in the interests of keeping it simple, these are probably the most effective and easiest, and are probably enough for your average user. Now it's about time to reconnect your internet connection and take windows online, but it's not quite finished yet - there are still a few more things to do...

    9, Firewall first - You're about to connect to the internet. Windows update should NOT be the first thing on your mind. You need to do things in the following order. Get a Firewall (at the very least, XPSP2's integrated firewall), get an Antivirus and update it, and only THEN update windows.

    10, Update your HOSTS file - Go to www.mvps.org/winhelp2002/hosts.txt and download the file. Use it to replace the original HOSTS file which can be found in "C:\windows\system32\drivers\etc". This will then stop many nasties that you could ever potentially contract from contacting their home server.

    11, Ditch Internet Explorer and Outlook Express - Download and install Mozilla Firefox for your web browsing, and Mozilla Thunderbird for your email, unless you are paying for pop access to your hotmail account - Thunderbird doesn't play well with hotmail. You may also want to consider using an anonymous proxy server for your web browsing.

    12, Immunise against malware - Download and install "Spybot search and destroy", update it, and hit the immunise button in the program. Self explanatory really. You may also want to download and install Lavasoft's "Ad-aware" to occasionally scan with in order to clear lists of recently opened files etc, and to clear the minor nasties that firewalls and the like tend to miss (tracking cookies and such rubbish, for example). This program, as with Spybot, should be updated periodically, if not before each scan.

    So there you have it, a far more secure PC that is. Log out of that administrative account, and start using the limited account! :)

    Of course, these aren't the only things you can do to make your PC more secure, and they are certainly not compulsory (though they all make sense in one way or other and are fairly advisable). There are other things you can do such as encrypting certain files (XP Pro only), disabling certain services, setting up audit policies and disabling "simple file sharing" etc, but I will leave services and simple file sharing for somebody else to advise on on account of the fact that I am unsure about how these may affect networking, or the functionality of certain applications/setups, and of course, I'm not all that sure that security auditing is all that useful to your average user. Hopefully following the above after your next re-install (or even now!) should give you a far more trouble free experience of your computer.

    If anybody has anything to add or correct, feel free.

    Should you be in the mood for more information on how to make XP even more secure, read the excellent Guide to Windows Online Security & Privacy @ Techspot.
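    The following is an added example, not part of the original post or of the magazine feature it summarises: a read-only audit that checks whether points 4 through 10 above actually took effect on a machine, so a rebuild can be verified rather than assumed. It assumes Windows PowerShell 2.0 or later running under an account with administrator rights. The registry locations are the ones the post names (with the correct spacing on the Memory Management key), plus the CrashControl key where the "write debugging information" choice is stored and the XP SP2 firewall policy key; the check names and the "(point N)" labels are my own.

```powershell
# Added example (not from the original post): read-only audit of the guide's settings.
# Assumes Windows PowerShell 2.0+ on XP SP2 or later, run from an administrator account.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SecurityAudit {
    $checks = @()

    # Point 4: HideFileExt = 0 means Explorer shows "funny.jpg.vbs" in full.
    $hide = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
    $checks += @{ Check = 'Extensions visible (point 4)'; Ok = ($hide -eq 0); Value = $hide }

    # Point 6: CrashDumpEnabled 0 = none, 1 = complete, 2 = kernel, 3 = small (64KB).
    $dump = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' 'CrashDumpEnabled'
    $checks += @{ Check = 'Memory dump off (point 6)'; Ok = ($dump -eq 0); Value = $dump }

    # Point 8: page file wiped at shutdown.
    $clear = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' 'ClearPageFileAtShutdown'
    $checks += @{ Check = 'Page file cleared (point 8)'; Ok = ($clear -eq 1); Value = $clear }

    # Point 9: XP SP2 Windows Firewall enabled for the standard (non-domain) profile.
    $fw = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' 'EnableFirewall'
    $checks += @{ Check = 'Firewall enabled (point 9)'; Ok = ($fw -eq 1); Value = $fw }

    # Points 5 and 7: the built-in accounts are identified by relative ID, not by name.
    # The built-in Administrator's SID always ends in -500 and Guest's in -501, so a
    # renamed Administrator is still located here (renaming hides the account from
    # guesswork, not from anything that lists accounts by SID).
    $local = Get-WmiObject Win32_UserAccount -Filter "LocalAccount = True"
    $admin = $local | Where-Object { $_.SID -like '*-500' }
    $guest = $local | Where-Object { $_.SID -like '*-501' }
    $checks += @{ Check = 'Administrator renamed (point 7)'; Ok = ($admin.Name -ne 'Administrator'); Value = $admin.Name }
    $checks += @{ Check = 'Guest disabled (point 5)'; Ok = [bool]$guest.Disabled; Value = $guest.Disabled }

    # Point 10: a stock hosts file maps only localhost; the MVPS list adds thousands of entries.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $entries = @(Get-Content $hostsPath | Where-Object { $_ -match '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+\S' }).Count
    $checks += @{ Check = 'Hosts blocklist installed (point 10)'; Ok = ($entries -gt 1); Value = $entries }

    foreach ($c in $checks) { New-Object PSObject -Property $c }
}

Get-SecurityAudit | Format-Table Check, Ok, Value -AutoSize
```

    Run it once after finishing the list and again after any reinstall; a row whose Ok column reads False points at the step that still needs doing. It changes nothing on the machine, so it is safe to run from the limited account as well, though the WMI and HKLM reads may then return less.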
  2. Mictlantecuhtli

    Mictlantecuhtli TechSpot Evangelist Posts: 4,916   +9

    One way to prevent unwanted access:

    (screenshot not preserved)

    Of course, can be applied to other accounts as well.


    Another thing that I'd strongly recommend is to disable "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks", unless you really want to share your files / printers with others.

    (screenshot not preserved)

    You don't need more than TCP/IP protocol for e-mail, browsing or multiplayer games (unless they're really old), usually.
  3. Pazuzu

    Pazuzu TechSpot Enthusiast Posts: 215

    Group Policy editor Window

    I have tried to safeguard the "Administrator" account as per :-

    but when I type:- gpedit.msc in the "run" box I get the message "Windows cannot find 'gpedit.msc'". I tried searching for any similarly named file without success.
  4. Mictlantecuhtli

    Mictlantecuhtli TechSpot Evangelist Posts: 4,916   +9

    gpedit.msc, ie. Group Policy Editor, is not available on XP Home.
  5. Spike

    Spike Newcomer, in training Topic Starter Posts: 2,371

    Thanks Mictlantecuhtli. I hadn't realised when I wrote it. I've added a direction on point 7 (safeguarding the administrator account) for XPHome users now (At least, I think it's correct - I actually haven't seen XP home in quite a while now.)
  6. Pazuzu

    Pazuzu TechSpot Enthusiast Posts: 215

    Thanks for that.
    I went to user accounts but can only see three accounts - two I created, one with administrator rights the other a limited account - and Guest account ( which is off)
    At the moment I get access denied when I try to log on to the limited account - but I will raise that issue elsewhere if it persists.
  7. Spike

    Spike Newcomer, in training Topic Starter Posts: 2,371

    does it show the administrator account in safe mode?
  8. Pazuzu

    Pazuzu TechSpot Enthusiast Posts: 215

    Administrator account

    No I cannot find it in safe mode either.
    At the moment the new XP setup is proving troublesome. When I try to shut down it freezes & I have to cut the power off in order to close down & I cannot get any email on Thunderbird. I am thinking of formatting the hard drive & starting over !
  9. Spike

    Spike Newcomer, in training Topic Starter Posts: 2,371

    I'm not entirely sure what you've done there! I've had 4 machines in various places running this setup for quite a while now as, I dare say, have a number of PCF readers.

    If the freezing is anything to do with the above, you should be able to trace your steps backwards and undo it - I rather doubt it though.
  10. Pazuzu

    Pazuzu TechSpot Enthusiast Posts: 215

    Thanks . The freezing seems to have stopped - a scan initiated automatically by some AOL utility detected two undesirable items of software & after they were deleted things improved. The email problem is just because I have not got it set up properly yet. still can't see how to change the Administrator account - it does not seem to show up in safe mode either - & I don't know how to replace the original HOSTS file with the downloaded one . Do I simply save & opt to replace existing file ?
  11. Spike

    Spike Newcomer, in training Topic Starter Posts: 2,371

    The administrator account I'm not sure of in XP home - as I said, I've not even seen a copy of home edition for quite some time now. There are various methods for changing the admin account name in xp home posted all over the web, but as I don't have a Home Edition installation, I can't test them out.

    I'm happy to hear that you've resolved your freezing problem (probably the first time I've ever heard of the AOL software helping someone!).

    As for the hosts file, it should be just a simple case of renaming the downloaded file from "hosts.txt" to "hosts" and placing it in the appropriate directory, as described above. If you are having trouble with this because windows won't let you over-write the original, the simplest method I can give for getting it done is booting into safe mode and doing it from there.
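    As an added example, not part of Spike's reply or of the MVPS project, here is the rename-and-replace step above written out with a dated backup and a sanity check on the downloaded file, which is what you want when you are about to overwrite a file the resolver depends on. It assumes Windows PowerShell 2.0 or later in an administrator session, and that hosts.txt was saved to the Desktop (the default path is an assumption; pass your own with -Downloaded).

```powershell
# Added example (not from the original post): install a downloaded hosts.txt over the
# live HOSTS file with a backup. Assumes PowerShell 2.0+ and an administrator session.

function Install-HostsFile {
    param([string]$Downloaded = (Join-Path $env:USERPROFILE 'Desktop\hosts.txt'))  # assumed save location

    $hostsDir  = Join-Path $env:SystemRoot 'System32\drivers\etc'
    $hostsPath = Join-Path $hostsDir 'hosts'
    $backup    = Join-Path $hostsDir ('hosts.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak')

    if (-not (Test-Path $Downloaded)) { throw "Downloaded file not found: $Downloaded" }

    # Refuse anything that is not "IP hostname" or a comment, and insist that the
    # localhost mapping survives: a hosts file without it breaks local name lookups.
    $lines = Get-Content $Downloaded
    $entryPattern = '^\s*(\d{1,3}\.){3}\d{1,3}\s+\S+'
    $bad = @($lines | Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -notmatch $entryPattern })
    if ($bad.Count -gt 0) {
        throw "Refusing to install: $($bad.Count) line(s) are not 'IP hostname' entries, first: '$($bad[0])'"
    }
    if (@($lines -match '^\s*127\.0\.0\.1\s+localhost(\s|$)').Count -eq 0) {
        throw 'Refusing to install: no "127.0.0.1 localhost" entry in the new file'
    }

    # Keep the current file so the change can be undone with a single copy back.
    Copy-Item -Path $hostsPath -Destination $backup -Force

    # The live file is often marked read-only; clear that before overwriting.
    (Get-Item $hostsPath).IsReadOnly = $false
    Copy-Item -Path $Downloaded -Destination $hostsPath -Force

    # Drop the resolver cache so the new mappings apply without a reboot.
    ipconfig /flushdns | Out-Null

    $count = @($lines | Where-Object { $_ -match $entryPattern }).Count
    Write-Output "Installed $count hosts entries; previous file saved as $backup"
}

Install-HostsFile
```

    If Windows still refuses the overwrite, the safe-mode route in the reply above applies unchanged; the backup copy is what you restore if a site you need stops resolving afterwards.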
  12. Victor587

    Victor587 Newcomer, in training Posts: 52

    Can you give me more information on protecting the guest account? I did what you said and I went into it... I went in without putting a password in (a box didn't pop up like password protected accounts) so I obviously did it wrong..

    It shows:
    "The syntax of this command is:

    NET USER
    [username [password : *] [options]] [/DOMAIN]
    username {password : *} /ADD [options] [/DOMAIN]
    username [/DELETE] [/DOMAIN]"

    Thanks :)
  13. Spike

    Spike Newcomer, in training Topic Starter Posts: 2,371

    No problem...

    To protect the guest account, you should be in an account with computer administrator privileges. Once there, assuming you want a password of abcd1234 (for example - a bad example. Choose your own password :))...

    at the command prompt, type (without the quotes) "net user guest abcd1234"

    That should be all there is to it.
     
  14. Victor587

    Victor587 Newcomer, in training Posts: 52

    If there are spaces in the password, do you use underscores?
  15. Spike

    Spike Newcomer, in training Topic Starter Posts: 2,371

    lol! Good question, never thought about it.

    I'll get back to you after I've experimented :) Or if anyone else knows, they may tell you instead.

    EDIT: I've just looked at it. Only took a few minutes, I just needed to get around to it.

    To have a space in the password, assuming your password is abcd 1234 you need to use quotation marks just as you would at the run box on the start menu...

    net user guest "abcd 1234"
  16. Victor587

    Victor587 Newcomer, in training Posts: 52

    I've been thinking about this so much that the simplest solutions always elude me. Such as going into Add/Remove programs for a malicious file (it worked) - fake ZoneAlarm (must've been, windows wouldn't boot). Thanks! :)
  17. Tedster

    Tedster Techspot old timer..... Posts: 10,067   +13

    Suspect A Virus? Read!!!!

    :bounce: Folks, it is NOT ENOUGH to post a HJT log. You must check out your system with anti trojan horse programs used in combination ALONG with an anti-virus program.

    The following ATH programs are recommended:
    Spybot search and destroy
    Ewido
    Microsoft anti trojan horse (beta)
    Ad-aware

    Reading a HJT log without knowing other symptoms is like telling a doctor you have a fever and nothing else. It doesn't do much for us to help you.

    :dead:
  18. FrustratedInXP

    FrustratedInXP Newcomer, in training

    Followed Advice ... Now Can't Log Into Administrator Account!

    Hi.

    I followed all the advice in the original post as to how to make my Windows XP more secure. I have XP PRO SP2.

    When I logged off and logged on under my new limited account, all was okay. But I'm very tired and didn't feel like customizing tonight, so I tried to log back in as the administrator. I couldn't!

    I had renamed it from "Administrator" TO something else, and when I tried to log in under that "something else", it wouldn't admit me. I tried both the OLD name and NEW name, with the password that it should be, and it won't allow me. There is no password hint available there.

    How do I get the admin account back to normal, considering I only have access to my computer now through this limited account??!? :-/

    Thanks...

    ~H
  19. Spike

    Spike Newcomer, in training Topic Starter Posts: 2,371

    The only thing possible here is that I can see, is that you've either mistyped your new administrator password, or alternatively, you've mistyped the new name for your administrator account (or forgotten either one of these/thought you used something else/had capslock on for the pwd)

    If you have a user account with administrative privileges, you can fix this easily by logging in with it and fixing it from there. Failing this, you may be able to restart the computer in safe mode, where the logon screen will show you the name of the administrator account.

    If not, you're going to need to use the SAM reghive (at least, I would think it will work!) to discover the name of the administrator account, or crack the password, or use the NT offline password recovery program to change/reset it.

    If, in the absolute worst case, you require help with the SAM reghive route, I will PM you a link to instructions for using Auditor to do so.
  20. jobeard

    jobeard TS Ambassador Posts: 13,040   +223

    using an admin account and accessing
    run->control userpassword is the same as the control panel->user accounts
    and this will not show the Administrator Login
    the suggestion was to use
    run->control userpassword2 which does show that login and thus you can
    change the password

    btw: the Administrator login XP is an obvious backdoor to anyone familiar with
    booting into SAFE MODE. Once they've gained access (ie, you forgot to give
    it a password) they've got you! This is an important recommendation!
  21. Spike

    Spike Newcomer, in training Topic Starter Posts: 2,371

    That's true, though most installations have the administrator password created during setup. Still, it's worth knowing that the "net user {user} {password}" command line works for all accounts registered on the computer, including the administrator account.
  22. FrustratedInXP

    FrustratedInXP Newcomer, in training

    Didn't forget/mistype ... just some kinda glitch

    Hi Spike.

    Thanks, but actually it was neither. I tried dozens of times to log in with both
    the old admin name, and new admin name, and anything the password could
    be. Soon the only user account (limited) on the computer also wouldn't work,
    and I know good and well I knew the password and username for that. Heck,
    I had just created it. No typos either.

    Ultimately, I just went here and did that. Looks a little confusing at first --
    okay, a LOT confusing -- but it's actually quite easy. I blanked out my admin
    password and logged on without problems. (Well, a scary false alarm made
    me think nothing had changed ... the OLD admin username was there, and
    I got the bad password error again. But when I changed it to the NEW
    username, I got right in.)

    Thank you for trying to help ~ much appreciated. :)

    * H
  23. Spike

    Spike Newcomer, in training Topic Starter Posts: 2,371

    I did help :)

    I assure you though, if your limited account became unusable too for no reason, it was nothing to do with this guide, there's nothing in this guide that could possibly produce those problems.

    Glad you got it sorted though. :)
  24. yoyohammer

    yoyohammer Newcomer, in training

    XP PRO lost file gpedit.???


    Hi I tried this on my puter with XP PRO and got the same reply from windows ? Could a virus or whatever cause such a reaction ??

    Ta Martin
  25. Spike

    Spike Newcomer, in training Topic Starter Posts: 2,371

    A virus could do that. Whether it would or not is a different question. I can only suggest following Howard's advice in the "before posting your hjt log" sticky, and then taking another look. If gpedit is still not coming up after that, let us know. :)
