Phalanx Consulting Inc | Calgary Web Design - Web Hosting
Sat Jul 31 2010
Quick Tips for Securing Windows XP, Part 2

This is the second in an ongoing series on securing standalone Windows XP machines. This information does not apply to Windows machines that are part of a corporate network with Active Directory, etc. Corporate security is an entirely different issue, and will be addressed in the future (it is also discussed in many related sections of this Reference Guide). For now, this section gives a brief refresher for those of us who have one or more standalone machines at home, at a small office, etc. that are not secured via corporate policies. In these first few introductory sections we will merely hit the highlights; future updates will delve into each of these subjects in greater detail.

Run Antivirus Software

Antivirus software is a mixed blessing. On the one hand, it uses massive system resources, causes slow document loading, requires a great deal of bandwidth for online updates, and leads to numerous false positive alarms. Worse, most scanners are reactive, based on signature updates, and thus completely miss some new variants. Many wonder if it is even worth using antivirus any more.

On the other hand, viruses are ubiquitous. Even experts have to have antivirus software, or else they will invariably become infected with hundreds of pieces of malware. Despite all the limitations and annoyances of modern antivirus products, the software can still, in many cases, detect important infections better than humans can. It is irresponsible not to run updated antivirus software, since you are decreasing the "herd immunity" of the Internet and putting others at increased risk.

Use Anti-spyware

Hackers and organized crime use modern spyware for identity theft, financial exploitation, spam, etc. Unfortunately, antivirus companies have become overwhelmed by the thousands of new viruses and variants each year. To fill this gap, a cottage industry of sophisticated anti-spyware has grown up. These niche companies thrive, since many detect spyware more accurately, more rapidly, and more efficiently than traditional antivirus — often at a better value. Rather than replacing mandatory antivirus, these add-on programs provide an additional layer of security for the end user. By layering security, you can make yourself less attractive to hackers than the next target.

Put IE Security on High

Internet Explorer can be set to a custom level of security. You should set it to the default "medium security" at a minimum. "Medium-high security" or even "High security" is even better. These settings will prevent most unauthorized scripts from running. To do this, open IE and go to Tools > Internet Options > Security and click on the slider bar. That will allow you to set the default security level for the current zone. Then, click the button below that to apply that default security level to all zones. Don't forget to investigate alternative (especially open source) browsers, as we will discuss later.

Use a Registry Locker

Perhaps more important than having a spyware remover is preventing spyware from installing in the first place. Spyware often uses the registry, in which it places hidden keys to control program startup. Thus, it is best to maintain control over the registry yourself. A good example of a program that controls the registry is TeaTimer.exe. This program ships with the free Spybot S&D software and can be installed as an option. Once it is activated, any registry changes from then on must be explicitly approved or denied by you. For a little extra work, you get a great deal of protection.
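The approve-or-deny idea can be illustrated offline by comparing two registry snapshots. The following is an added example, not part of the original article and not Spybot's code: it assumes you have the decoded text of two `.reg` exports (regedit writes them as UTF-16) and reports startup entries that appeared, changed or disappeared under the Run and RunOnce keys. The function names and sample data are hypothetical.

```python
import re

# Per-machine and per-user keys whose values Windows launches at logon.
AUTOSTART_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                      r"\microsoft\windows\currentversion\runonce")
# Matches "name"="string" lines (REG_SZ only; hex/dword values are skipped).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample exports, not taken from a real machine.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /min"
'''
CURRENT = BASELINE + r'''"updchk"="C:\\WINDOWS\\Temp\\updchk.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"setup"="rundll32.exe example.dll,Start"
'''

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_autostart(reg_text):
    """Return {(key, value_name): command} for autostart keys in .reg text."""
    entries, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            key = name if name.lower().endswith(AUTOSTART_SUFFIXES) else None
        elif key and (m := VALUE_RE.match(line)):
            entries[(key, _unescape(m.group(1)))] = _unescape(m.group(2))
    return entries

def diff_autostart(baseline_text, current_text):
    """List (change, key, name, command) tuples to approve or deny."""
    old, new = parse_autostart(baseline_text), parse_autostart(current_text)
    changes = []
    for ident, cmd in sorted(new.items()):
        if ident not in old:
            changes.append(("added", *ident, cmd))
        elif old[ident] != cmd:
            changes.append(("changed", *ident, cmd))
    changes += [("removed", *i, old[i]) for i in sorted(old) if i not in new]
    return changes
if __name__ == "__main__":
    print(*diff_autostart(BASELINE, CURRENT), sep="\n")
```

Anything reported as added or changed that you did not install yourself deserves a closer look before the next reboot.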

Use 3rd Party, Full-disk Encryption

Windows XP includes a built-in Encrypting File System (EFS). However, on a standalone machine, EFS is difficult to use, and incomplete. For example, you might encrypt the contents of a folder on your hard drive. To do this, right click the folder and select "Properties." Then, select "advanced." There will be a checkbox that allows you to encrypt the contents.

However, this is not 100% effective. For example, while encrypting, Windows may be moving some of your data around to various parts of memory, temp files, or even writing to slack space. Temp files may be deleted, but they are not securely overwritten using a "file shredder" that bit-wipes the memory. Thus, you may be leaving bits of information detritus smeared all over your hard drive.

The only real remedy for this is full-disk encryption. This can come in various forms. For example, Seagate and others have released hardware-based encryption that keeps the entire disk encrypted, except for a small area that is software-controlled and is accessible only by the user.

On the other hand, software-based solutions work by first encrypting the entire hard disk contents, and then decrypting them on-the-fly, at boot time, for example. PGP Whole Disk Encryption, for instance, can encrypt all the non-volatile memory of a laptop, desktop, external drive, or even USB flash drive, including boot sectors, system, and swap files. The encryption runs transparently, so the end user will not even notice it. It is very powerful and easy to use.

In fact, the US government has mandated the use of full disk encryption after a series of high-profile cases where it lost laptops containing sensitive data. The government is currently holding a large-scale, side by side comparison to see which vendor it will select.

Regardless of the method you choose, what matters most is how the encryption tool manages its keys. In recent articles we have shown that, on the Pocket PC, nearly every disk-encryption program has useless security. Some simply store the decryption key in the program header, or even the registry, in plain text! Thus, you will want to go with a brand that is widely tested, is preferably open-source, and which uses transparent, industry-standard encryption algorithms.

In the next part of this series, we'll continue our overview of securing XP. We'll discuss rootkits, Trojaned game mods and more.

Written by Cyrus Peikari and Seth Fogie


 
Copyright © 2010 Phalanx Consulting Inc.