This is the first of on ongoing series on securing standalone Windows XP machines. This information does not apply to Windows machines that are part of a corporate network with Active Directory, etc. Corporate security is an entirely different issue, and will be addressed in the future, as well as in the many related sections we already have in this Guide. For now, this will give a brief refresher for those of us who have one or more standalone machines at home, at a small office, etc. that are not secured via corporate policies.

This material may at first seem dated, and trite. However, it really is a good idea to go through all this and review your security again. For example, in the course of writing this, we found several things that we ourselves were doing wrong. Also, times are changing, so there are special cases like rootkits and other factors to consider these days.

The first few "Quick Tips for securing Windows XP" articles will simply give a brief overview of the main points, as a refresher. In subsequent articles, we will delve into some of these points in more detail.

Rename your Administrator Account and Set a Strong Password.

By default, WinXP uses the login name "Administrator." However, to crack the password, a hacker needs to brute force both the username and password combo. By changing the Administrator name (for example, to "Adminy," or preferably something even harder to guess), you've dramatically decreased their chances of brute force cracking your system.

Enable Windows Update.

WinXP flaws come out regularly in a steady stream. If you are not patching, you'll be vulnerable soon. You should turn on Windows Update and set it to automatic. You can do this under the Control Panel "Security Center" by setting Automatic Updates to "ON." If you prefer to install them yourself, you can choose that option as well. However, if you have multiple standalone machines, it may be best to set most of them to automatic updating.

Enable Port Filtering.

This is different from the Windows Firewall. To enable port filtering, you'll have to go to Control Panel > Network Connections and right click on your active LAN connection to select "Properties." This will bring up a list of a list of components, from which you should highlight "Internet Protocol (TCP/IP)". Once it is highlighted, you can click the next "Properties" button and you will see your IP address, gateway etc. Click Advanced on this page and go to the last tab (Options). Then highlight "TCP/IP filtering" and click "Properties" again. Check the box for "Enable TCP/IP filtering" and then click the radio button for "Permit Only." Then, if you have specific ports you need opened, you can do this one by one. For example, you might open a Port 110 and 25 if you are running an email server (POP3 and SMTP). This port filtering function is very powerful and will protect you from a great many malicious scans.

Run a Personal Firewall.

This is becoming harder to do. Many services and programs you running on XP now use online updates, so it can take a long time to set up and maintain a firewall. There are just so many rules to set. Still, if you have the time and inclination, you should do it. Windows has a built in Firewall which you can activate, or, you can look for a free or low-cost 3^rd party tool. We'll be looking into those in more detail in future articles.

Turn Off Any Unnecessary Services.

This takes some practice. Actually, it takes a lifetime of practice. You will need to do some research and experimentation to determine which services you really need, and which you don't. Be warned; turning off many services can make XP unstable or unusable. So this section is really for experts. The more you read about this subject, and the more you experiment, the better you will get with time.

To turn off services, go to Control Panel > Administrative Tools > Services. Then, click on the top of the column labeled "Startup Type" to easily group which start up automatically, which are disabled, and which require a manual start. In general, you want to disable anything you don't need. However, you won't know that right off the bat. It will day some days/weeks of reading for you to get comfortable with this, if you have not done it before. To turn off a service, right click it and go under Properties. Then, change the startup type from "Automatic" (for example) to "Disabled." Again, this could crash your machine if you turn off the wrong thing, so do a lot of Internet searching and reading on this topic first.

Log In With A Restricted Account

Windows XP conveniently comes with a default, restricted ("Limited") account that you can create. You should avoid using your Admin account for day to day use. That's because it is the most powerful, and hence the most vulnerable. For example, if you are surfing the web while logged into an Admin account, you could inadvertently hit a malicious webpage and install a hostile script. This is much harder to do from a restricted (user) account, since it will have less permissions and won't allow hostile scripts to install as easily.

To make a new account, go to Control Panel > User Accounts and select "Create new account." Then, name the account and select its type. You should select "Limited" type instead of "Administrator." Don't forget to add a password to this account, too.

You now have a more secure account for day to day use. If you want to give this user more powers, you can do so later. Windows allows for very granular control of what Limited users can and can't do. Finally, if there are any apps you want to share with this user, you should install them from the Administrator account into the "Shared" folder.

Written by Cyrus Peikari and Seth Fogie