Secure IT! Newsletter
The Newsletter of the Information Security Group | ISG@brown.edu
Archive Edition: May, 2006



 

by John Duksta, Lead IT Security Specialist, CIS

Windows XP Security Tips

As a security professional and a longtime Unix, Linux and Mac OS X user, I do a lot of complaining about the security problems inherent in Windows. On the other hand, I've run every version of Windows from 3.1 to XP on both work and home machines and have never been infected with a virus or compromised by a piece of malware. You're probably thinking "Of course not! You do security for a living, how does this help me?" I imparted the following tips to my mother, whose machine used to get compromised at least once a year, about two years ago. She hasn't had a problem (and I haven't had to rebuild her computer) since then.

Never run with Administrator Privileges

The biggest thing you can do to help keep your Windows system from becoming compromised is to not use an Administrator account for your day-to-day computer work. Using an Administrator account allows you to make changes to the operating system without any further authentication. Malware authors count on this to get their software installed on your system without your knowledge. Doing all your day-to-day work with a 'Limited Account' eliminates this exposure.

Open Control Panel → User Accounts

[Screenshot: User Accounts dialog box, pick a task]

Create a new 'admin' account for yourself. Give it a different password than the one that you use for your regular user account. Only use this account for installing software, applying patches and other administrative tasks.

Select your regular user account and change the account type to 'Limited'. This will remove administrator rights from your account. This may break some older programs that weren't designed for the user security model that was introduced in Windows 2000. If it does, you should check with the vendor to see if there is a newer version that's designed for Windows 2000 or XP.

Turn on Automatic Updates

If you're not getting Windows updates from Microsoft, then you're leaving a huge hole for attackers to exploit. Microsoft releases updates on the second Tuesday of each month. Occasionally, they will release out-of-cycle updates as well. Turning on the Automatic Updates feature allows your system to go out and fetch the updates as soon as they are available.

Open Control Panel → Automatic Updates

[Screenshot: Automatic Updates dialog box, set to automatic]

Select "Automatic". This will automatically download and install the updates from Microsoft. It is best to have it check every day so that you will catch any out-of-cycle updates. Also, be sure to schedule it to check at a time when your computer will be on. If you turn off your computer at night, you might want to have it check for updates at noon each day while you're away at lunch.

Anti-Virus and Anti-Spyware

If you're a Brown faculty member, staff member or student, you have no excuse for not running anti-virus software. If you don't have anti-virus software installed, stop right now, log in to that admin account you just created and download and install Symantec Anti-Virus from the CIS Software Download Page. If you're not part of the Brown community, there is still no reason to run without anti-virus software. Grisoft provides their excellent AVG Anti-Virus for Windows free of charge for home use.

With attackers using browser and other client-side vulnerabilities to get their code onto your machine, I wouldn't consider running Windows without some sort of anti-spyware software running. One of the first and best of these packages is Spybot Search and Destroy. Be sure to install the Search and Destroy Resident tool. It will run in your Systray at all times, watching for programs that try to add themselves to the startup keys in the registry. When it sees a program try to do this, it will ask you whether you would like to allow it. Not only will it help block spyware, it will also help block other annoyances like the RealPlayer agent that likes to create obnoxious popups about junk media that you don't care about.

Enable the Windows XP Service Pack 2 Firewall

Windows XP Service Pack 2 includes a very basic firewall. While not as good as using a separate hardware firewall, it is better than nothing and can stop a number of network-based attacks that would previously have gotten through. Even if you are using a hardware firewall, it is a good idea to have it running in the event that another machine on your local network might be compromised and trying to attack you.

Open Control Panel → Windows Firewall

[Screenshot: Windows Firewall dialog box, protection turned on]

Turn on the firewall by setting it to 'On'. Once you turn on the firewall, you may occasionally need to allow certain services running on your machine to be contacted by other machines. This is done on the Exceptions tab. There is an excellent article on configuring Windows Firewall exceptions on TechNet.
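
To confirm that the Limited account, Automatic Updates and firewall settings described above actually took effect, the following read-only batch file can be run from a Command Prompt while logged in as your everyday account. It is an added example, not part of the original newsletter; it assumes an English-language Windows XP SP2 machine, a local (non-domain) account, and that Automatic Updates was configured through Control Panel rather than Group Policy, and the registry value names are the ones XP is understood to use for that Control Panel setting.

```batch
@echo off
rem Added example: read-only audit of three settings from this article.
rem Assumptions: English XP SP2, local account, no regex characters in the user name.
setlocal
set FAIL=0
set "AUKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"

rem 1. The everyday account must not appear in the local Administrators group.
net localgroup Administrators | findstr /i /r /c:"^%USERNAME% *$" >nul
if errorlevel 1 goto notadmin
echo [WARN] %USERNAME% is in Administrators. Change the account type to Limited.
set FAIL=1
goto updates
:notadmin
echo [ OK ] %USERNAME% is not a local administrator.

:updates
rem 2. AUOptions 0x4 = "Automatic"; ScheduledInstallDay 0x0 = every day.
reg query "%AUKEY%" /v AUOptions 2>nul | findstr /r /c:"AUOptions.*0x4" >nul
if errorlevel 1 goto aubad
reg query "%AUKEY%" /v ScheduledInstallDay 2>nul | findstr /r /c:"ScheduledInstallDay.*0x0" >nul
if errorlevel 1 goto aubad
echo [ OK ] Automatic Updates is set to Automatic, every day.
goto firewall
:aubad
echo [WARN] Automatic Updates is not set to Automatic with a daily schedule.
set FAIL=1

:firewall
rem 3. Fail if any profile reports Disable, or if no profile reports Enable
rem    (the second test catches netsh producing no usable output at all).
netsh firewall show opmode | findstr /r /c:"Operational mode.*Disable" >nul
if not errorlevel 1 goto fwbad
netsh firewall show opmode | findstr /r /c:"Operational mode.*Enable" >nul
if errorlevel 1 goto fwbad
echo [ OK ] Windows Firewall is on in every profile.
goto done
:fwbad
echo [WARN] Windows Firewall is off, or its state could not be read.
set FAIL=1

:done
rem Exit code 0 means all three checks passed; 1 means at least one warning.
exit /b %FAIL%
```

The script changes nothing on the machine, so it runs fine from a Limited account; fix any warning through the Control Panel steps above while logged in to the admin account.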

Surf Smart and Safe

Most importantly, use common sense on the Internet. Don't install software from untrusted sources. "Toy" applications like WeatherBug tend to be full of spyware or adware. If you're not sure about an application, do a quick Google search with the name of the application and the word spyware and review the results. If you find reports of the application containing spyware or adware, don't install it. Open source software is a good choice when you're looking for a malware-free piece of software. When everyone can read the source code, there's no place to hide malware. Try to only browse trusted websites. If your gut tells you that a site looks sketchy, trust your instincts and go to some other site for the information you desire.

Conclusion

There are many steps to completely securing a Windows machine. What has been presented here is just the tip of the iceberg. However, using this information and a little common sense can go a long way toward keeping your Windows systems from getting compromised. For more information, see the resources below and keep an eye out for our security classes on the Computer Education site.

Resources