[olug] OT: "Securing" a WinXP Home Edition Machine

Kent Tegels ktegels at gmail.com
Sat Feb 5 02:29:12 UTC 2005


Just to second what Phil says, running as non-admin (NA) is clearly
the best choice. Everybody gets an individual NA account. Consider
renaming the admin account to your name so folks will be less tempted
to use it. And yeah, you'll eventually need to give somebody SUDO, so
go look at MakeMeAdmin
(http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx)

Wait until after next Tuesday if you can to make your installs. There's
a spate of fixes and patches coming down. Install XP SP2 first,
enable the firewall and so on.

Disable the Indexing Service and the Computer Browser service. The
indexer has historically been a bad vector for attacks that doesn't
really have much benefit for the end user (and yes, it really hurts to
say that because I love the service as a technology...). Computer
Browser is only needed if you have more than two machines on the network,
and then only if you're going to use NTLM/SMB discovery to "share
folders." Sneakernet is safer.

I would, however, recommend giving GIANT's...er Microsoft's new
AntiSpy-Crap program an install since it's going to be much more
proactive than doing nothing for when the crap does get through.

Getting rid of OE is a no brainer. I didn't care much for Thunderbird
though. Give Omea from JetBrains a try. Email+NNTP+RSS in one. I don't
have a problem making Firefox the default browser either.

Also install the Sun JVM ASAP. Microsoft can't legally make any
updates to their JVM going forward including security patches. Just in
case there's been some hanky-panky here, get the JVM ID tool
(http://www.microsoft.com/downloads/details.aspx?FamilyID=4e38f4f9-ce7e-4271-8836-a7d7293a992f&DisplayLang=en)
and run that.

Thanks
Kent

On Fri, 04 Feb 2005 19:40:27 -0600, Phil Brutsche <phil at brutsche.us> wrote:
> Jake Churchill wrote:
> > Black Ice for a firewall
> 
> IMO you should remove such thoughts from your head immediately.
> 
> You're taking the wrong standpoint in securing the machine.
> 
> By the time the malicious software has executed on the machine, it's
> already too late, the firewall software is no longer functioning.  Ditto
> for AV software and anti-spyware software.
> 
> You need to keep the malicious software from running in the first place,
> which is *really* hard, considering the tendency of some people to
> download and install random "freeware".
> 
> The *best* way to protect a Windows machine is:
> * The built-in XP firewall is *more* than good enough, if you disagree
>   get a Linksys tonka toy or the equivalent.  Most host-based firewalls
>   are worthless and are trivially bypassed, especially when the user
>   has admin rights (see bullet 3).
> * Up-to-date AV software.  Trend Micro is a good choice, and even works
>   correctly when the user doesn't have admin rights ;) (once again
>   bullet 3)
> * Do not, under any circumstances, run with Admin privileges!
> 
> Do you do everything as root on your *NIX boxes?  No, you don't.  You
> "su" or "sudo" to get root when you need it.
> 
> So why don't you do the same on a Windows box?  XP users can use FUS
> (fast user switching) to switch over to an admin account when you need to
> install something.
> 
> It's not easy, considering the high number of clueless Windows
> developers out there.  But I can speak from experience that it is *highly*
> effective at keeping a machine clean.  40+ Windows machines are under my
> care, and over 3 years I have had *zero* spyware infestations.
> 
> --
> 
> Phil Brutsche
> phil at brutsche.us
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> http://lists.olug.org/mailman/listinfo/olug
> 


-- 
Thanks!
Kent Tegels
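The hardening steps Kent and Phil describe above (run as non-admin, disable the Indexing Service and Computer Browser, enable the built-in firewall), collected into one cmd script. This is an added example, not code from either poster or from MakeMeAdmin; it assumes XP SP2 (for the `netsh firewall` syntax) and that it is launched from an elevated prompt such as the one MakeMeAdmin opens. `cisvc` and `Browser` are the XP service short names for Indexing Service and Computer Browser.

```batch
@echo off
rem Added example (not from the thread): apply the XP hardening steps from the post.
rem Assumes XP SP2 and an administrator cmd prompt (e.g. opened via MakeMeAdmin).

rem 1. Only proceed if the current user really holds local admin rights. The normal
rem    daily-use account should NOT be in this group, so this script is expected to
rem    fail when run from an ordinary user session. (Checks direct membership only.)
net localgroup Administrators | find /i "%USERNAME%" >nul
if errorlevel 1 (
    echo %USERNAME% is not a local administrator; rerun from an admin prompt.
    exit /b 1
)

rem 2. Stop and disable the Indexing Service (cisvc) and Computer Browser (Browser).
rem    "sc config" needs the space after "start=".
for %%S in (cisvc Browser) do (
    sc stop %%S >nul 2>&1
    sc config %%S start= disabled
)

rem 3. Turn on the built-in Windows Firewall (XP SP2 netsh firewall context).
netsh firewall set opmode mode=ENABLE

rem 4. List every account that still has admin rights so stray memberships
rem    (the thing Phil's "bullet 3" is about) can be reviewed and removed.
echo Current members of the local Administrators group:
net localgroup Administrators
```

Run it once from the admin session, then log back in to the non-admin account for daily use; `sc query cisvc` and `sc query Browser` should afterwards report the services as STOPPED.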
