Sunday, 20 November 2011 - 21:31

A Guide to Security and Privacy for Windows XP Home Edition

Physical PC Security

It is sometimes said that if an attacker has physical access to a machine, then it's already game over. That's pretty much true, but there are some things that can help:

• Set the BIOS to boot only from the harddrive (and not from CDs, memory sticks etc).
• Disable any BIOS boot menus.
• Password protect the BIOS.
• Physically protect the BIOS against reset by locking the PC case shut with lockable screws, or similar.
• Remove or disconnect floppy disc drives and CD/DVD drives.
• Disable USB ports by unplugging them from the motherboard (if they're not integrated), disabling via motherboard jumpers/switches (if available) or by glueing them shut. However, if you've got to the stage where you feel it necessary to disable CD drives and glue up USB ports then you probably need a more advanced guide to security than I can provide (and probably a more secure OS than Windows XP Home).

Final Thought - The Problem of Asking an Operating System to Check Itself and the Bigger Picture

As I've alluded to a few times earlier, there is always a fundamental problem with having an OS try to detect whether or not it is suffering from a malware infection (leaving aside the issues around undiscovered or unreported malware and exploits).

Like any other application, anti-virus software is a program that runs inside another set of programs - the Operating System. To at least some extent, the anti-virus software has to depend on the operating system to do some work for it. If important parts of the operating system are compromised and overwritten by malicious software, the operating system may start to deliberately deceive the anti-virus software. For example, whilst reading the contents of files, the operating system could hide the presence of malware by switching malicious code for benign code at the point at which it is delivered to the virus-checker for inspection.

Running virus checks from safe mode can work around this problem in some cases, but not all. The only way to completely work around the problem is to check the files of an operating system from a different operating system. This means booting the system from an operating system on a CD/DVD or removable drive and checking it from there or, best of all, removing the harddrive(s) from the computer in question and plugging them into a known-good machine, and then checking the drives from that machine.

The Bigger Picture

If you consider that malware often can't be detected by any anti-malware program until it has been manually identified and reported (this problem is mitigated by anti-malware programs that use heuristic analysis), and that software security flaws are often exploited for some time before they're identified, and that every month Microsoft and a number of other manufacturers of important system software release fixes for recently reported security flaws, and that this is true of all operating systems and has been for many years... then you can probably see the scale of the problem. Hence the need for a 'defence in depth' approach, and for articles such as this.

I've done my best to provide a comprehensive, understandable and accurate guide to Windows XP Home security that goes beyond the usual "get anti-virus software and a firewall, and don't click on all the things you see on the internet".

If anyone reads this page and notices something I've missed, or something that seems dangerously wrong, please leave a comment below or email me.

Free Security Software and Resources

Internet-based Security

Virus Total - Check any internet address for viruses before you visit.
Shields Up - Test your router and firewall for leaks.
Trend Micro Housecall - Online Virus scanner.

Security Software

AVG - Antivirus software.
Avira - Antivirus software.
Microsoft Security Esentials - Antivirus software.
Lavasoft - Anti-malware software.
Malware Bytes - Anti-malware software.

Firewall Software

Zone Alarm
Comodo

Misc Software

Process Explorer (previously a Sysinternals program)
Process Monitor (previously the Sysinternals programs Filemon and Regmon)
Wireshark (previously known as Ethereal) - packet sniffer (records and analyses all network traffic)
TweakUI
PC Decrapifier* (Automated method of removing unwanted programs bundled with PCs)
Secunia PSI - monitors installed programs and notifies the user when updates are available Clonezilla* - disk imaging tool.
VirtualBox - virtualisation package


*Virus checked, but not personally tested.

Further Reading

Summary of the Windows boot process and lots of other useful information.
Securing Windows XP - US National Institute of Standards and Technology

---

Article revision history

21.11.11: Article date corrected - article orginally displayed 21.11.11 as the publish date. Original article was actually published 20.11.11, 21.31.
22.11.11: Updated firewall sections.
24.11.12: Links updated.
22.12.12: Additional info and Comodo secure DNS addresses added to networking section.
26.01.13: Correction to services list on page 2 (two services were listed twice).
05.10.13: Typo correction (page 5) and slight layout change.
31.12.14: Typo correction in autorun section, addition of Firefox/Ghostery section.
18.01.15: Comodo DNS IP addresses updated.