Secure XP - A Windows XP Security Guide

Secure XP Improve Windows XP's security on computers not connected to a Domain (Home Users).

Notes - Windows XP Home does not include all the security features Windows XP Professional does, so some security options may be unavailable to the Home user.

Advisory Windows XP is still supported by Microsoft through April 8, 2014


Step 1 - Malware Removal

Malware infection is the #1 security issue facing Windows users.

Malware Removal Guide Malware Removal Guide - Clean Adware, Rootkits, Spyware, Trojans, Viruses and Worms. Malware is short for malicious software. It is a general term that refers to any software or program code designed to infiltrate or damage a computer system without the owner's informed consent. This guide will show you how to remove these infections and protect yourself from future infections using free software.

FACT: 89% of consumer PCs are infected with spyware


Step 2 - Windows Update

Warning - Steps to take before you install Windows XP Service Pack 3

WinUpdate Windows Update - Home Page
Install All of the critical updates. This may have to be run multiple times. Run it over again until it says 0 critical updates available.

Notes - Windows Update requires the following services be enabled:

- Automatic Updates - Automatic
- Background Intelligent Transfer Service - Manual or Automatic


Step 3 - Software Updates

One of the most overlooked areas in terms of security is updating everyday applications. The majority of applications installed on your system have had updates released for them at some point. These updates not only address bugs and additional features but also security updates.

Secunia Secunia Software Inspector - Home Page
A free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor.


Step 4 - Firewall

Firewalls are systems designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both Hardware and Software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. Everyone connected to the Internet should be using a Firewall. The Windows XP Firewall is more than sufficient for most users. Those seeking more advanced features should get ZoneAlarm. Certain routers come with a built-in Hardware Firewall, you can use a Software Firewall in conjunction with this for added security. Do not use more then one Software Firewall, since this can cause various problems.

Firewall Windows XP Firewall - Home Page
Windows XP has always come with a firewall built-in that is highly recommended for most users since it offers the best performance and is the easiest to use. However, it was not enabled by default pre-SP2 but is automatically enabled if SP2 or higher is installed. SP2 or higher includes significant security enhancements to the original Windows XP Firewall such as boot time protection.

Instructions - Go to "Start", "Settings", "Control Panel", "Windows Firewall", select "On (recommended)". In the exceptions tab uncheck all of them unless you are sharing Files or Printers, then leave "File and Printer Sharing" enabled.

Notes - The Windows XP Firewall is more then sufficient for most users with full inbound protection. Advanced users may find it lacks any outbound monitoring, logging and other advanced features found in ZoneAlarm. If you do not need these features stick with the Windows XP Firewall since all third party firewall solutions will reduce performance and are harder to use. In Windows XP there is no way to guarantee 100% outbound protection once your system is compromised. - Source - Source 2

ZoneAlarm ZoneAlarm Firewall - Download - Home Page
Includes full inbound protection, outbound monitoring, logging and other advanced features. Recommended for advanced users only.

Instructions - Download and install, then disable the Windows XP Firewall.

Notes - The free version provides solid Firewall protection. The Pro version includes enhanced privacy, e-mail and security controls. If you are interested in purchasing an enhanced version compare them using the ZoneAlarm Security Feature Comparison Chart.

GRC GRC Shields Up! - Shields Up! - Home Page
The Internet's quickest, most popular, reliable and trusted, free Internet security checkup and information service. After you have properly configured your Firewall, use Shields Up! to test your Internet security.

Instructions - Select "Proceed", on the next page select "File Sharing", then "Common Ports" and finally "All Service Ports". Check for any security breaches and if found, check your Firewall to make sure it is enabled and configured correctly.

Notes - If you have a Router with a Hardware Firewall, Shields Up! will show results relating to it, not your Software Firewall. Any security issues can usually be rectified by updating the Router's Firmware or by properly configuring the Router's Firewall. Direct all inquiries to the documentation or manufacturer of the Router.


Step 5 - Utilities

Autoruns Autoruns - Download - Home Page
Utility to display and control startup applications. Disabling unnecessary startup applications improves boot up time and overall system performance.

Instructions - Unzip and launch Autoruns.exe, wait until it says "Ready" in the bottom left corner, then select the "Logon" Tab. Next select "Options", check "Hide Microsoft Entries" and press the refresh button or press the "F5" key. The remaining items are third party applications. Uncheck all that are not needed, this will disable them from loading at Windows startup. AntiVirus and Firewall applications are necessary applications that should be running on startup. If you are unsure of what something is, highlight it, select "Entry" then "Google" to launch a search for more information regarding the highlighted application. You can permanently remove items by deleting them. Do not "Delete" anything unless you are 100% positive you do not need it. Disabled (Unchecked) items can be activated again by rerunning Autoruns, checking the item and restarting Windows.

Notes - You can control the startup applications for separate user accounts by selecting "User" and the account you want to edit. This is a much more powerful tool then the built-in System Configuration Utility (msconfig).

TCPView TCPView - Download - Home Page - Port Authority Database
An advanced monitoring utility that will show you detailed listings of all open TCP and UDP ports on your system, including the local and remote addresses and the connection state. On Windows 2000 and XP, TCPView also reports the name of the process that owns the open port. - IP Address - Port Number
iexplorer.exe:1000 - Process Name
iexplorer.exe:1000 - PID

Instructions - Unzip and launch TCPView.exe. You can use the "A" toolbar button to toggle the display between IP Addresses and their Domain Names. By default, TCPView updates every second, ports that change state from one update to the next are highlighted in yellow, those that are deleted are shown in red, and new ones are shown in green. Use this to quickly see what is accessing the Internet and on what ports. General port information can be looked up in the Port Authority Database. It is common to have certain ports open such as Port 80, the primary port used by the world wide web (www) system, it will be open any time a web browser such as Internet Explorer is running. Ports can be open for various legitimate reasons, some pose an unnecessary security risk and others are open for malicious reasons (Spyware and Viruses). Firewalls such as the Windows XP Firewall or ZoneAlarm will secure all open dangerous ports. It is still a good idea to close all unnecessary ports.

Notes - Svchost.exe is related to various Windows Services. A Remote Address of *.* means the port is open but not connection to anything. TCPView may show that the System Idle process (PID 0) is using some TCP ports. This behavior may occur if a local program connects to a TCP port, and then stops. The program's TCP connection to the port may be left in a "Timed Wait" state even though the program is no longer running. In this case, TCPView may detect that the port is in use. However, TCPView cannot identify the program that is using the port because the program has stopped and the PID was released.

TweakUI TweakUI - Download + Control Panel - Home Page
This Windows XP PowerToy lets you disable AutoPlay. The Windows AutoPlay feature is the method Sony's Music CD Rootkit used to install itself. Disabling this will protect you from these sorts of exploits in the future. This has the added benefit of bypassing most DRM systems on Audio and Video CDs/DVDs. Data CDs can still be accessed through Windows Explorer. DRM Audio CDs can be played in Windows Media Player by going to "Play", "DVD, VCD or CD Audio", "CD Drive (X:)". In Winamp select the Main Menu Icon in the top left corner, "Play", "Audio CD X:".

Instructions - Download, install, add to the Control Panel and run. Go to "My Computer", "AutoPlay", "Drives" then uncheck each drive letter for each drive you want AutoPlay disabled on. It is recommended to do this on all Optical Drives.

XP-AntiSpy XP-AntiSpy - Download - Home Page
Disables all the known 'Suspicious' Functions in Windows XP.

Instructions v3.97 - Install and run. Go to "Profiles", select "Neutral", then check all but the following:

[MediaPlayer Functions]
_ Do not acquire licenses automatically - This prevents Windows Media Player from downloading any necessary licenses.
_ No automatic updates - This prevents Windows Media Player from automatically updating.
_ Disable automatic codec downloads - This prevents Windows Media Player from downloading required codecs.
_ Don't get meta data from the internet - This prevents Windows Media Player from getting CD/DVD information.
[Miscellaneous Settings]
_ Don't synchronize with internet time - This prevents Windows from automatically keeping your clock accurate.
_ Clear pagefile at shutdown - This will cause Windows XP to take much longer to shutdown but increases security for the paranoid.
_ Deny starting regedit.exe - This prevents future use of the very useful regedit tool.
_ Deactivate Scripting Host - This will cause features to stop working in web browsers and e-mail.
_ Always show *.lnk suffixes - This adds .lnk to desktop shortcuts.
_ Always show *.url suffixes - This adds .url to web browser bookmarks.
_ Don't autostart CD's - This prevents CD's from running automatically when put in the CD/DVD drive.
_ Disable Java Script in the PDF-Reader - Security vulnerability is patched in Adobe Reader v8.1.2
_ Disable integrated Firewall - This will disable the Windows XP firewall.
_ Hide Computer in Network - This prevents your Computer from showing up in Network Neighborhood.
_ Disable Network crawling - This prevents Windows from searching your network for network resources.
[Internet Explorer 6] (This will not show up if IE7 is installed)
_ Disable automatic updates - This prevents Windows Update from checking for and downloading updates.
_ Disable scheduled updates - This prevents Windows Update from installing updates.
_ Disable Integrated Windows Authentication - Disables Kerberos authentication, which is more secure than NTLM.
_ Disable Javascript - This will cause some web pages to lose their menus or functionality completely.
_ Disable ActiveX Controls - This will cause some web pages to lose their menus or functionality completely.
_ Clean website cache on shutdown - This will cause Windows XP to take longer to shutdown.
_ Disable auto-updates service - This prevents Windows Update from running Automatically.
_ Disable time server service - This prevents Windows from automatically keeping your clock accurate.
_ Disable task-scheduler service - The Windows Prefetcher, BootVis and Norton AV require this service to be running.
_ Disable firewall/connection sharing service - This will disable the Windows XP firewall.
_ Disable Security Center - This prevents necessary security warnings.
[Microsoft Messenger]
_ Uninstall completely - If you use or plan on using Microsoft's Instant Messenger leave this unchecked.
[Regsrv32 dll's]
_ licdll.dll - Only select this if Windows is already activated.
_ Disable ZIP Functionality - Only select if you have another .Zip program installed such as IZArc or WinZip.
_ Disable the Desktop Cleanup Wizard - This helps people keep their desktop clean.
_ Don't Search Windows Update for device drivers - Windows Update includes thousands of 100% compatible drivers.
_ Do not cache thumbnails - Only select this if you do not view a lot of photos.

Then select "Apply"

Warning - It is highly recommended to leave the profile on "Neutral" and adjust the values manually. The presets included such as the "Suggested" profile will disable important Windows features such as Windows Updates, the Security Center and Internet Explorer settings like Javascript and ActiveX. This will break common web page features such as menus and forms and prevent critical security patches from being applied. The color coding of check boxes can be further explained in the Help file under "Signs and Symbols".


Step 6 - Services

Windows XP has a lot of extra services running by default that can be a security concern. By disabling these services you will limit the number of security vulnerabilities on your system.

GRC Shoot The Messenger - Download - Home Page
Disables Windows Messaging service. This will prevent online spammers from abusing this and causing message Pop-ups during normal system operation.

Notes - Installing SP2 or higher will disable the messenger service for you.

GRC Unplug n' Pray - Download - Home Page - Details
Disables Windows potentially dangerous and exploitable Universal Plug and Play networking capability.

GRC BlackViper's Windows XP Services Guide - Home Page - Mirror - PDF File (Acrobat Reader Required)
Using this guide will improve security by disabling useless Services turned on by default in XP. Run XP-AntiSpy, Shoot The Messenger and Unplug n' Pray first before going through this guide since those utilities will disable some of these Services for you.

The following is a list of Services that you can Disable on most systems for added security:

Disable Alerter
Disable Distributed Link Tracking Client
Disable Help and Support (If you use Windows Help and Support leave this enabled)
Disable Indexing Service
Disable Messenger (Shoot the Messenger and installing SP2 or higher will disable this)
Disable Net Logon
Disable Netmeeting Remote Desktop Sharing
Disable Portable Media Serial Number
Disable Remote Desktop Help Session Manager
Disable Remote Registry Service
Disable Routing and Remote Access
Disable Secondary Logon
Disable SSDP Discovery Service (Unplug n' Pray will disable this)
Disable Telnet
Disable Terminal Services
Disable Universal Plug and Play Device Host
Disable Upload Manager
Disable Wireless Zero Configuration (If you are on a wireless network leave this enabled)

The following is a list of Services that should always be set to Automatic for increased Security:

Automatic Automatic Updates
Automatic Background Intelligent Transfer Service
Automatic Cryptographic Services
Automatic Protected Storage
Automatic Security Accounts Manager
Automatic Security Center
Automatic System Event Notification
Automatic System Restore Service

Notes - Windows Updates can enable services that you have previously disabled. Check which services are running after a future Windows Update is completed. If applications stop working after using this guide it is usually due to being to aggressive with disabling services. Enable the services you disabled one at a time until the application works. In the future leave this service on automatic. If you run into any problems set all services back to their Defaults and start over.


Step 7 - Measures

The following are necessary measures that should be taken to further secure Windows XP.

NTFS Secure 1. Use NTFS on all your partitions - Home Page
"NTFS provides security enhancements in the form of Access Control Lists (ACL)s for files and directories. ACLs are security descriptors attached to all files and directories on an NTFS file system. Any file, directory, or other object in the file system can have multiple levels of access permissions. Before a process is allowed to access a file, the security system verifies that the process has the appropriate authorization to do so. FAT file systems do not implement security, and all user accounts have equal access to files and directories on the system." - Source

Instructions - Go to "My Computer", right-click on each partition, left-click "Properties". Look under "File System", if it does not say NTFS use the built-in utility convert.exe to change them to NTFS.

Notes - The conversion to NTFS is a one-way process. After you convert a drive or a partition to NTFS, you cannot convert it back to FAT or to FAT32. To restore the volume to the previous file system, you must reformat it as FAT or as FAT32. This action erases all existing data including your programs and personal files. In this case, you must either restore your data from a backup, or reinstall your operating system and programs. - KB307881

Password 2. Password Protect All User Accounts
Windows XP Professional and Home Edition allow user accounts to utilize blank passwords. Blank password accounts cannot be accessed remotely by means such as a network or the Internet. A blank password (no password at all) on your account is more secure than a weak password such as "1234" on a network or the Internet. However this offers no physical security. Many people store personal and financial information on their computer and would not want everyone who has physical access to the computer access to this information. Laptop users are at an even greater risk. Regardless it is highly recommend to use strong passwords for all user accounts, especially the Administrator account.

Instructions - Go to "Start", "Control Panel", "User Accounts", select the account you wish to password protect, then select "Create a password". Use a minimum eight character or more password for all user accounts. A simple easy way to do this is to use two four letter words in combination. Passwords are case sensitive. For added security you can use "Pass Phrases" of three or more words, mixing in numbers and symbols. For the Administrator account use a very strong password. Make sure to use passwords you can remember or write them down in a physically secure location not on a computer.

Notes - Windows XP Home does not password protect the Administrator account by default and it can only be accessed from safe mode in the Home Edition. Reboot your computer into safe mode by pressing the F8 key down during boot up and selecting "Safe Mode" from the Windows Advanced Options menu. Go to "Start", "Control Panel", "User Accounts", select the "Administrator" account, then select "Create a password". Again make sure to use a strong password.

Users 3. Remove Useless User Accounts
Windows XP Creates additional User accounts that are of no use to the average user. aspnet_wp and the ASP.NET account can be removed if you do not do .NET development work. Delete any other accounts that are no longer required. If you do not use or recognize the account, delete it.

Instructions - Go to "Start", "Control Panel", "User Accounts", select the account, then "Delete the account".

Guest 4. Disable the Guest Account
The Guest account should be disabled for added security.

Instructions - Go to "Start", "Control Panel", "User Accounts", select the "Guest" account, then select "Turn off the guest account".

Notes - Windows XP Home does not allow you to truly disable the Guest account. Disabling the Guest account in Windows XP Home only removes it from the Fast User Switching and Log on screens. For security set a very strong password for the Guest account.

FileSharing 5. Disable Simple File Sharing - Home Page
By default, simple file sharing is enabled on a Microsoft Windows XP based computer if the computer is not a member of a domain. There are no permissions or passwords set on shares this way. If you do not have a firewall enabled, anyone with network access to your PC can access these shares with no restrictions.

Instructions - Go to "Start", "My Computer", "Tools", "Folder Options", "View" tab, select "Advanced Settings", uncheck "Use Simple File Sharing", select "Apply".

Notes - Windows XP Home doesn't allow you to disable Simple File Sharing and is unable to join a domain. For security make sure you set your shared folders to be read only or if your using the NTFS file system, use the "Make Private" option in the folder properties. If you cannot select this see KB307286. For any issues accessing these folders later see KB308421.

Disable Admin Shares 6. Disable Hidden Admin Shares - Download - Home Page
Windows XP Professional automatically creates a number of hidden administrative shares (such as ADMIN$ and C$). These shares are designed for remote access support by domain administrators. By default, if you delete these admin shares, they will be recreated when you reboot. To disable them permanently so they will not be recreated on the next reboot, use this utility.

Instructions - Download, unzip and run. Uncheck the box, apply the changes and reboot.

Notes - Hidden shares that are created by users can be deleted, and they are not re-created after you restart your computer. Windows XP Home Edition does not create hidden administrative shares.

Data Execution Prevention 7. Enable DEP for all programs
"The default configuration for hardware and software DEP protects core Windows components and services and has a minimal impact on application compatibility, but you can choose to configure DEP to protect all applications and programs on your computer." - Source

Instructions - Go to "Start", "Control Panel", "System", "Advanced" Tab, under "Performance" select "Settings", "Data Execution Prevention Tab", Select "Turn on DEP for all programs and services except for those I select". Finally remove any exceptions from the list unless you have added them there personally.

Notes - "If you configure DEP to protect all applications and programs on your computer you will have the benefit of additional protection, but it might lead to additional application compatibility issues. If you configure DEP to protect all applications and programs on your computer, you can exempt individual 32-bit applications from software DEP protection if they have compatibility issues. You cannot disable hardware DEP or exempt 64-bit applications running on 64-bit Windows XP systems with DEP compatible processors. Hardware-enabled DEP is enabled by default on computers with DEP compatible processors that run Microsoft Windows XP 64-Bit Edition. 64-bit applications will not run from "non-executable" areas of memory. Hardware-enabled DEP cannot be disabled."

SecurAble SecurAble - Download - Home Page
SecurAble checks your system for the presence of Hardware DEP support, 64-bit instruction extensions and Hardware Virtualization.


Step 8 - Internet

Internet Explorer 7 Internet Explorer 7 - Home Page - Features - Download
Internet Explorer 7 maintains the most webpage compatibility of any browser and adds Tabs, Integrated Search and a much needed Anti-Phishing feature. Pop-up Blocking support was added in Windows XP SP2 for Internet Explorer 6 and is built into Internet Explorer 7. Since the single most important feature of a browser is webpage compatibility, this is an excellent choice for most users.

Opera Opera 9 - Home Page - Features - Download - Betas - Customize
Opera invented Tabbed like browsing and was the first web browser to include an Integrated Search feature and Pop-up Blocking. Other unique features include an integrated BitTorrent Client and Voice control. Opera is the Fastest, most Secure and most Compliant (Acid2) Graphical Web Browser for Windows. An excellent choice for advanced users.

Notes - Opera is not compatible with all webpages.

Firefox Myths Firefox Myths - Firefox Myths
Firefox is not being recommended here for many reasons. Some of those reasons are that it is slower than Internet Explorer, insecure and not completely compatible with 10-15% of all web sites. Get the facts.



Microsoft Baseline Security Analyzer Microsoft Baseline Security Analyzer - Download - Home Page
"Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance."

Process Explorer Process Explorer - Download - Home Page
"Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process."

Process Monitor Process Monitor - Download - Home Page
"An advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements."

Windows XP Security Console Windows XP Security Console - Download - Home Page
"Windows XP Security Console allows you to assign various restrictions to specific users, whether you're running XP Pro or XP Home. XP Home leaves you completely without the Group Policy Editor, while XP Pro lacks the ability to use the Group Policy Editor to selectively apply policies to specific users."



This guide is under constant revision as new security risks emerge or significant changes to Windows are made. Feel free to submit suggestions or comments to Do not send Technical Support Questions.

XP Myths XP Myths - Make sure to read this before submitting suggestions since this explains why some security suggestions are not listed here.

Legal Notice - Reproduction of this guide in whole or in part is strictly forbidden. This guide and ALL versions thereof are protected by copyright under the Digital Millennium Copyright Act (DMCA). Feel free to link to this Guide.