A Guide to Security and Privacy for Windows XP Home Edition

Hidden File Extensions in Windows XP

By default, Windows XP tries to make life 'simpler' (have I mentioned before how simplifying things can be counterproductive?) by hiding file extensions for all filenames. File extensions are the letters after the full stop, e.g. the 'txt' of a text document. Unfortunately, this can be used to disguise executable files (which can harbour malware) as less risky files (such as text files). To prevent this, open a window on any file location (e.g. My Documents or C:) and go to Tools... Folder Options and click the 'View' tab. Untick 'Hide extensions for known files types'. It may also be worthwhile selecting Show hidden files and folders, as this can also be used to hide malware in certain situations. Once done, click 'Apply to All Folders' to apply the change system-wide.

All files will now show their full filenames with extensions. As a general rule, be careful not to change the file extension when renaming a file, as this will cause Windows to lose track of what program it's supposed to use to open it.

Windows is now about as secure as it can be at this stage. Reboot, and and if your BIOS has boot sector protection and/or BIOS flashing protection, then take the opportunity to enable these features. Whilst editing the BIOS settings, you might want to also consider setting a BIOS password and disabling the BIOS from booting your PC from anything except the hard drive. Reboot back into the normal (i.e. non-safe mode) version of Windows. The PC is almost ready to be connected to the internet, so now would be a good time to perform a final check of settings. [Link to the checklist at the start of this article]

If you've installed Windows from a system restore CD or partition, or from a copy of Windows that came bundled with a new PC, then your computer manufacturer may have added extra programs to the basic Windows system that aren't really needed. For comparison, here's a...

List of Processes Running on a Minimal Install of Windows XP

The following is a list of the processes running on a basic Windows XP Home system after the securing process above, and before any other software is installed.

The list is shown as it appears in the Windows Task Manager, accessed by pressing ctrl-alt-del, [and then, for XP Pro only, selecting Task Manager] and then selecting the Processes tab.

Csrss.exe (Client/server runtime subsystem)
ctfmon.exe - Provides various user input services
explorer.exe (GUI/file manager - much of the visible part of Windows)
lsass.exe (Local security authority subsystem)
services.exe (Service control manager)
smss.exe (session manager subsystem)
spoolsv.exe (Print spooler service - print queue manager)
svchost.exe (Service host)
System (Handles kernel-mode threads e.g. device drivers)
System Idle Process (A component that runs to use up idle processor time)
taskmgr.exe (The Windows task manager used to view the process list)
winlogon.exe (handles ctrl-alt-del sequence and performs various tasks related to logins)
Svchost.exe acts like a container for Windows services. Unfortunately, the standard Windows Task Manager doesn't show which services are running in the containers, however the free Process Explorer application can. Hovering the mouse over each instance of svchost.exe will show what services are being run by that particular host process. The complete list of running services should match the services shown as running in Control Panel... Administrative Tools... Services. Be suspicious of unexpected services.

In addition to the processes listed above, Process Explorer will also show an entry for hardware interrupts and itself (procexp.exe) rather than Task Manager (taskmgr.exe). [More info on using Process Explorer]

Any process not shown here may not be needed and may just slow down the computer. Research the name of the process if in doubt - some machines need additional processes to handle things like custom keyboard buttons, or touch pads on laptops.

The free PC Decrapifier program may offer an easier method of removing unwanted programs, though please read the list of applications it removes to ensure it's useful to your particular circumstances.

Time to connect to the internet (preferably via a router).

Connect to the Internet and Run Windows Update

Windows update
Once connected to the internet, immediately choose Windows Update from the Start Menu and install any updates available that might have been missed - repeat this process until there are no more updates, rebooting if asked.

If you haven't already installed security software, download some and install it (there's a list of free security software at the end of this article, all of which I've personally used at one point or another).

Congratulations. The basic software infrastructure of your PC is now about as secure as it can be, or at least as secure as I know how to make it, anyway.

Next, in order to further protect your privacy and security online, it's a good idea to install and/or configure your web browser to make your online presence as invisible and secure as possible.

Web Browser Configuration - Privacy, Security, Cookies etc.

There is some debate over which web browser is the most secure, and it's not something I can give a definitive answer to. I happen to like Firefox, especially as it has the NoScript extension, which I'm pretty sure is a better script disabler than anything available on any other browser. So Firefox is what this section will concentrate on.

Use the add-ons manager to install the following additions: "Noscript", "Cookie Monster" (note: other comparable Firefox cookie control programs are available).

Consider disabling some of the add-ons in the Tools... Add-ons... Extensions menu. Disabling the Java quick starter, Java console and the Microsoft .NET framework assistant seems to have no ill effects and may improve security.

Delete everything possible from Noscript's whitelist. Configure Cookie Monster to block all cookies by default. You may also wish to enable the 'Global Override' and 'Delete cookies when changing permissions to Deny'. Ensure Betterprivacy has found the Flash LSO directory (you should have installed Adobe Flash before this point). If you're not familiar with the workings of Noscript and Cookie Monster then you may need to read up on them to get the most out of them [Noscript's website]. Knowing a little about Javascript and cookies will help.

In Firefox's options menu, set the privacy settings to maximum (Never Remember my History, or Private Browsing at all times etc.) Tick the 'do not track me' box. When asked, never allow Firefox to remember passwords for websites.

Bear in mind that some sites, particularly internet banking sites and net-based email, require very permissive cookie and Javascript permissions in order to work correctly (and internet banking sites may lock your account if you try to log in too many times with cookies disabled, as I once discovered). In general, though, you should be cruising round the internet with Javascript disabled and all cookies refused (and only selectively enabling scripts and cookies as required). This eliminates all sorts of privacy issues and internet annoyances. For example, the recent Facebook cookie tracking mini-scandal was already thwarted by proper use of Noscript and Cookie Monster.

Please consider enabling Javascript on websites you like and trust, as web advertising (and the site owner's revenue) may depend on it.

If you're used to using a browser with very low security and privacy settings, you may find the new experience a bit irritating at times, as drop down menus won't automatically fill in your name and address, passwords won't get remembered for you etc. The price of eternal vigilance in the field of browser security is some extra typing practice and a better memory for passwords. Those who seek convenience over security...

Web Browser Configuration - Using Proxy Servers and User Agent Strings to Prevent Tracking

If you want even more privacy, then install the Tor software bundle and the User Agent Switcher Firefox extension. This combination of software can (from the point of view of any website trying to track you) make your browser appear to be a different type of browser (by changing the user agent string), and to be coming from a different part of the world from where you are (Tor uses proxy servers to hide your real IP address from websites). Note that 'fingerprinting' a browser is still possible if Javascript is enabled, so remember to use NoScript.


Also available for Firefox is the Ghostery add-on. This prevents browser tracking by such things as advertising beacons and social media widgets. For example, any website you visit that has one of those Facebook widgets with a 'like' button and a grid of images of people who 'like' the site is effectively passing on information to Facebook about what pages you visit on that site, and how long you spend between page clicks, and so on. At its most basic level, this information is tied to your IP address, which in theory is anonymous. However, a long period of tracking over many sites on a non-changing IP address might be considered less anonymous. In the above example, if the website visitor happens to have a Facebook account, then these widgets also offer Facebook the chance to build up a profile of your activity on websites outside of Facebook and tie that activity to what they already know about you - whether or not you happen to be signed into Facebook at the time.

A correctly configured instance of the Ghostery add-on should fix this, though my opinion is based on some fairly brief testing with Wireshark and long-term visual observation against a few sites to ensure offending items are blocked.

The configuration of Ghostery is fairly straightforward - simply enable blocking of every category of threat it is aware of. Once enabled, there seem to be very few websites that require it to be temporarily switched off - mostly it can be allowed to work away in the background, quietly protecting your privacy.

Email Clients

Email clients (e.g. Thunderbird or Outlook) seem to have fallen out of fashion in recent years in favour of webmail services such as Gmail or Hotmail.

Personally I prefer to have my emails and contacts stored where I can see them (and back them up), rather than entrusting them to whichever cloud-based webmail provider happens to be flavour of the month. (As for Gmail... I won't deny it's not a good service, and I do like Google as a company, but do you really want one company to handle all your internet searches AND all your emails as well?)

As with internet browsers, there's probably no definitive answer to which one is best. However, Thunderbird is free, has nifty features and I prefer it, so that's what this section is about.

Once Thunderbird is installed, investigate the Options menu and disable all add-ons and extensions. Every add-on, every extension, is a potential security risk. Disable in-line attachments.

Thunderbird can be configured to download mail from any email provider that allows POP3/SMTP or IMAP access, which is true of most providers. The process of setting it up varies a little from provider to provider, but here's a very brief overview of how to do it:

Open up the Accounts config menu option. Your email provider should be able to provide you with the information you need to set up your client. You'll need your account user-name, password, POP3 address, SMTP address (or IMAP address/password). You might also need to know what type of encryption/authentication your email provider is using e.g. STARTLS/TLS, and which port number they expect to receive your traffic on - Thunderbird may be able to automatically detect these details given some basic information). You may need to open ports on your router and firewall (if you're using them) for the auto-detection and subsequent email traffic.

The Thunderbird support section and your email provider should be able to provide more detailed help and advice.