How to secure Windows XP against malware

I’ve run into this issue many times. I read messages from technicians who often complain about how they clean up their customers’ infected Windows XP computers, and before they know it they’re infected again. I’ve been able to run Windows XP for years without catching a single worm or virus. I’ve done it by following some techniques borrowed from my days as a Unix user.

Windows XP has security capabilities built in that apparently a lot of people don’t know about. In this entry I will be discussing them.

Steps you should take to secure your computer:

  • Make sure the file system you are using is NTFS, not FAT32. The difference is that NTFS enforces user-level security on your folders and files. FAT32 does not. NTFS is an arrow in your quiver against malware, because under the right circumstances it will disallow malware from installing itself just anywhere it wants. If it doesn’t get installed, it has less of a chance of doing mischief.
  • Install SP 2, if you haven’t done so already (Update 8-20-2009: Now what you should get is SP 3. It probably contains all SP 2 updates, so you shouldn’t need to install both, though you will likely go through the same process described here). The main thing I noticed when I installed Service Pack 2 was that XP warned me whenever I tried to open a file that came from the internet. It also set up other warnings, like whenever I try to open an attachment from an e-mail in Outlook/Outlook Express. It gives me a “second chance” to recover from an action I have taken that could result in damage to my system.
  • Create a limited account and use it to run your web browser and e-mail client. This ties in with using NTFS. When you run programs under a limited account, XP runs the program in a more restrictive environment. It only allows the program to write files to certain locations, and the program has read access, but not write access to the system registry. A piece of malware could still potentially cause harm, such as corrupting or deleting personal files that the limited account has access to, but doing this makes it more difficult for malware to infect your system. This is important because so long as it can’t “implant” itself somewhere, you don’t have to worry about trying to get it off your system.
  • Make sure you have a firewall activated. XP comes with its own firewall, but there is free third-party firewall software for Windows, as well as commercial firewalls you can buy. There is no excuse for not having this protection. It is readily available. Having this active makes it more difficult for internet worms to exploit a vulnerability in your system.
  • Update, update, update. Microsoft sometimes finds vulnerabilities in XP and releases what are called “patches” for it. These are system updates that plug these discovered vulnerabilities. It’s a good rule of thumb: The sooner you put the plugs in, the less vulnerable you will be. Hackers have been getting faster and faster at exploiting vulnerabilities that have been discovered. It’s an arms race of sorts. Set up Windows Update in a way that works for you, and let it protect you.
  • Update Microsoft Office. Microsoft sometimes finds vulnerabilities in Office that could allow an attacker to mess with your system. They release patches that are specifically for your version of Office to plug these holes.

Ed Bott at ZDNet wrote an article recently on a method he’s used to secure other people’s Windows XP computers. He covers some of the bases, and he has some good ideas.

Here is my own take on how to secure your system. Take these steps when you think you won’t be using the computer for a few hours. This could take a while.

I’ve divided the article into sections that talk about different features of XP that should be set up in order for you to run XP securely. Each section is, for the most part, broken up into two parts: first, how to check whether a feature is already set up correctly, and then, if it isn’t, how to set it up.

Each section starts with the assumption that you have logged into a desktop session as an Administrator. This shouldn’t be a problem for most people. The name on the account can be anything, but you need to have administrative privileges to do these things. If you’re an average XP user, you’re logged in as Administrator whenever you log in to get to the desktop.

Are you using NTFS?

Go to your C: drive in Windows Explorer or My Computer, right-click on it, and select “Properties”. Look at the “File System:” designation. If it says “NTFS”, you do not need to convert it. It’s already NTFS.

Convert your file system to NTFS

If you have a FAT32 file system it’s best to convert it to NTFS. Your programs will still run. They won’t know the difference. The only program I’ve seen that has a bit of a problem with NTFS is my copy of Partition Magic (I think it’s Version 6), which is a system utility.

Note: I’m not sure about this, but my guess is that Windows needs some free disk space to do the conversion. If your C: drive is pretty full, I’d wait until I could find a way to free up a gigabyte of space before proceeding. I’m sure that the process will need to move some data around in order to do the conversion. That’s just my unprofessional opinion.

First of all I’d check to make sure there are no errors on C:. If you have the C: drive’s Properties screen up already (if not, refer to my note about “Are you using NTFS?” for how to bring it up), select the “Tools” tab, and click on the “Check Now” button in the “Error-checking” box. A dialog box will come up.

Just to be safe I would select both check disk options: “Automatically fix file system errors” and “Scan for and attempt recovery of bad sectors”. Hit the “Start” button in the dialog box. It will tell you that you need to reboot. Go ahead and do this. It will do the error check on reboot. Once it’s done it will bring you back to the login screen.

Note: If you have your system set up to boot multiple partitions, be sure to select the operating system that you are using now from the boot menu.

At the login screen log in to an account with administrative privileges. Converting the file system to NTFS is pretty easy to do. Click on the Start menu and select “Run…”. This will bring up a small dialog box. In the box labeled “Open:” type:

convert C: /fs:ntfs

That’s it. Windows will tell you that you need to reboot. When you reboot it will begin the conversion process, after which it will bring you back into Windows and the login screen.

Note: If you have your system set up to boot multiple partitions, be sure to select the operating system that you are using now from the boot menu.
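The check-then-convert procedure above, written as a small batch file you can run from an administrator command prompt. This is an added example, not something from the original post: it uses fsutil to read the file system type (XP prints a “File System Name : NTFS” line for an NTFS volume), schedules the same chkdsk options I select in the dialog, and then, on a second run after the reboot, schedules the conversion. The file name ntfscheck.cmd and the drive letter are my own choices.

```batch
@echo off
rem Added example, not from the original post. Two-phase helper for the
rem "Are you using NTFS?" / "Convert your file system to NTFS" steps.
rem   ntfscheck.cmd          - report the file system; if it is not NTFS,
rem                            schedule the full error check for next reboot
rem   ntfscheck.cmd convert  - after that reboot, schedule the conversion
rem Run from an administrator command prompt (Start, Run..., cmd).
setlocal
set DRIVE=C:

rem fsutil prints a "File System Name : NTFS" line for an NTFS volume.
fsutil fsinfo volumeinfo %DRIVE% | findstr /C:"File System Name" | findstr /I "NTFS" >nul
if not errorlevel 1 (
    echo %DRIVE% is already NTFS; nothing to convert.
    goto :eof
)
echo %DRIVE% is not NTFS.

if /I "%~1"=="convert" goto :convert

rem Phase 1: chkdsk /F fixes file system errors, /R also scans for bad
rem sectors. Because %DRIVE% is in use, chkdsk asks whether to schedule the
rem check for the next restart; the piped "y" answers that prompt.
echo y | chkdsk %DRIVE% /F /R
echo Reboot now to run the error check, then run: %~nx0 convert
goto :eof

:convert
rem Phase 2: in-place conversion, likewise deferred to the next boot.
rem If the volume has a label, convert asks you to type it before scheduling.
convert %DRIVE% /FS:NTFS
echo Reboot to perform the conversion.
```

Running the script twice with a reboot in between mirrors the two reboots described above; the first reboot runs chkdsk and the second runs the conversion, so you are never converting a volume that still has file system errors on it.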

Do you have SP 2?

Click on the Start menu, go to your Control Panel, and select System. Under “System:”, in the “General” tab, Windows will tell you what version of XP you have installed. If it says somewhere in there “Service Pack 2”, you have SP 2 already. If you do not see this, you do not have Service Pack 2 installed.

Installing SP 2

SP 2 should be available from the Windows Update site.

Click on the Start menu, select All Programs, and select Windows Update. When you get there select “Custom” (rather than “Express”). Have it scan your system for suggested updates. SP 2 should show up either under the “High Priority” or “Optional” update lists. You can select these lists from the “Select by type” menu on the left-hand side of the Windows Update page. Note: “High Priority” and “Optional” only show up as options after you have let it scan your system for updates.

The update should show up as something like “Windows XP Service Pack 2”. It’s large and will take a while to download and install, so be patient with it.

If you are concerned that SP 2 may cause software compatibility problems, the installer will allow you to select an option at some point during the installation process that says something like “Allow me to uninstall SP 2”. This will cause it to create a backup of your existing system files, and it will put an entry for it under Add/Remove Programs (which is under Start|Control Panel). This way, if it causes problems for you, you can revert the system back to the way it was, by uninstalling SP 2.

Given the security benefits though, I would try to find a way to make SP 2 work on my system. If that means upgrading some software, or using alternative software that works better with SP 2, I’d suggest doing it. It’s worth not having the headaches.

Do you have a limited account?

Unless you’ve already gone through the steps to create one, you probably don’t have one. If you do have one, just use that as the account you use for accessing the internet. I’ll explain more about this below.

Creating a limited user account

This is an important step. Even if you do all the other things to secure your system, there’s still the possibility that you’re open to some attacks. New vulnerabilities are found in Windows frequently, and it can take Microsoft some time to come out with a fix for them. You can create what’s commonly called a “sandbox” around the programs you use that access the internet. You do this by creating what’s called a “limited account”.

Click on the Start menu, select Control Panel, and then select User Accounts. This will bring up a User Accounts screen.

  • Select “Create a new account”. Type a name for the new account. I’ll call it “Internet”, but you can call it what you want. Click the “Next” button.
  • It asks you what permission level you want for the account. Select “Limited”. Click the “Create Account” button.

Okay! We’re almost finished here. User Accounts will take you back to an earlier screen, where all accounts on your computer are listed.

  • Select the “Internet” account (or whatever you called it).
  • This will take you to an account options screen. Select “Create a Password”.
  • Type in a password for the limited account. It will ask you to type it in twice: once in the box labeled “Type a new password”, and again in “Type the new password again to confirm”. This is done to make sure you typed the password the way you intended. If you like, you can also put in a hint for the password, in “Type a word or phrase to use as a password hint”. This is optional. This is just something you can use to jog your memory if you forget the password. Click the “Create Password” button.
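The same account creation done from the command line, as an added example rather than anything from the original post. The net user command without a group switch puts the new account into the local Users group, which is what the User Accounts screen calls “Limited”; the script then double-checks that the account is not also in Administrators, since that one membership would undo the whole point. The account name Internet is the one used above; the password is prompted for with the * argument so it never appears in a command line.

```batch
@echo off
rem Added example, not from the original post: create the "Internet" limited
rem account from an administrator command prompt. The "*" makes net user
rem prompt for the password instead of taking it from the command line.
setlocal
set ACCOUNT=Internet

net user %ACCOUNT% * /add
if errorlevel 1 (
    echo Could not create %ACCOUNT% - are you running as an administrator?
    exit /b 1
)

rem "net user /add" places the account in the local Users group, which is
rem what the User Accounts screen shows as "Limited". Make sure it has not
rem also ended up in Administrators, because that membership removes the
rem protection the account is supposed to provide.
net localgroup Administrators | findstr /I /X "%ACCOUNT%" >nul
if not errorlevel 1 (
    echo %ACCOUNT% is in Administrators - removing it so it stays limited.
    net localgroup Administrators %ACCOUNT% /delete
)

rem Show the result: "Local Group Memberships" should list only *Users.
net user %ACCOUNT%
```

The last line prints the account details; the line worth reading is “Local Group Memberships”, which should show only *Users for a limited account.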

Using your limited account

So what do you use it for? Limited accounts have limited privileges in your system. When you are logged in under the limited account, you don’t have write access to system files, and you don’t have write access to the registry, and neither do any of the programs you use under this account. These are the places where malware likes to install itself. A neat feature of Windows is you don’t have to switch accounts every time you want to access the internet, or use the software you have installed.

The way I do things is whenever I want to use my computer I log in as Administrator, and run my non-internet software as usual. But if I want to use e-mail, use my web browser, or use any software that accesses the internet, I usually configure them to run under the limited account. How do I do this? I’ll use your web browser as an example.

Go to the icon you usually use to open your web browser. This could be on the desktop, the Quick Access bar, or under Start|All Programs. It doesn’t matter which, go to the icon for your browser, and right-click on it. Select Properties.

  • Click on the “Advanced…” button
  • This brings up a dialog box, usually with only one option accessible. Select “Run with different credentials” and click on the OK button.
  • Click OK on the Properties screen.

Now, left-click on the same icon you right-clicked on earlier. Now a new dialog box comes up, called “Run As”, asking, “Which account do you want to use to run this program?” It gives you two options: “Current user” or “The following user”. Usually I pick “The following user:”. That’s what we’ll do here.

  • Select “The following user:”. This will highlight the current user’s user name. Type “Internet” (or whatever name you used for the limited account you created) in the box labeled “User name:”.
  • Then type the password that you assigned to the limited account, in the box labeled “Password:”. Hit the OK button.

Your browser is now running, but it’s running under the limited account you created.

You’ll probably notice that none of your bookmarks or favorite sites show up when you look for them, and that the browser is running under a default configuration. This is because the browser literally thinks it’s running under a different account, not the one you usually use. This only occurs if you just created the limited account. If you’re using a limited account you created before reading this, you’ll see any options and bookmarks that have been set/created in that account.

Windows XP divides up configuration files for different users into different sets of folders. So all of your bookmarks and browser options that you set before still exist, just under the account that you’ve been using for a while. Since the limited account, in this example, is new, it doesn’t have any of your settings yet.

This will be true for most of the software that you do this with.

All software configuration files and bookmarks are stored under “C:\documents and settings”. Each user has their own folder under this one. Under their folder, their configuration data is typically in their own “Application Data” folder. In Application Data there are sub-folders where each piece of software stores its configuration data. It’s possible to copy this data from one account to the other, just by copying it between the <user>\Application Data folders (substitute a user name for <user>). Favorites/bookmarks can be transferred the same way, but they’re either in a folder under <user>\Application Data, or in the user’s “Favorites” folder, depending on the browser you use.
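What the “Run with different credentials” shortcut does can also be done from a command prompt with runas, which is useful when you want to see exactly which account a program is running under. This is an added example, not part of the original post. It assumes the Internet account from above and Internet Explorer at its default path; the check against the Administrators group and the final directory listing are mine, added so you can see that the browser really is running with reduced privileges and is writing its settings into the limited account’s own profile folder.

```batch
@echo off
rem Added example, not from the original post: start the browser as the
rem limited "Internet" account from the command line, the same thing the
rem "Run with different credentials" shortcut does behind the scenes.
rem Assumes the account was created as described above and that Internet
rem Explorer is at the default path below (adjust for another browser).
setlocal
set ACCOUNT=Internet
set BROWSER="C:\Program Files\Internet Explorer\iexplore.exe"

rem Refuse to run if the limited account has quietly become an administrator,
rem since the reduced privilege is the whole point of the exercise.
net localgroup Administrators | findstr /I /X "%ACCOUNT%" >nul
if not errorlevel 1 (
    echo %ACCOUNT% is a member of Administrators - fix that before using it as a sandbox.
    exit /b 1
)

rem runas prompts for the password every time. Its /savecred switch is
rem deliberately not used: a cached password would let anything running as
rem Administrator launch programs as %ACCOUNT% without ever asking you.
runas /user:%ACCOUNT% %BROWSER%

rem The first run creates a separate profile. Bookmarks and settings the
rem browser saves land here, not under the Administrator's profile folder.
dir /A "C:\Documents and Settings\%ACCOUNT%\Application Data"
```

If the listing at the end is empty or the folder does not exist yet, the browser has not run under the account before; once it has, this is where the configuration data described above accumulates, and where you would copy settings from your usual account if you want them carried over.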

Issues with this approach

A side-effect of running your browser under a limited account is any program that is activated from your browser will also be run under the limited account. For example, if you go to a site that contains online audio or video, which brings up a player, that player will be run as the limited user. This is good, as this will seamlessly insulate you from possible security threats that other internet-enabled software can bring in. However, I’ve noticed this can cause problems with Windows Media Player, particularly since I got a Pocket PC and had to set up ActiveSync. ActiveSync 4.0 only runs properly as Administrator, but Windows Media Player insists on activating it whenever it’s run, even if from a browser. This causes WMP to crash. The exception is the ActiveX Media Player control, which runs inside the browser window. It runs with no problems. You can’t control which gets run. The people who created the page control that.

Windows Media Player used to run just fine under a limited account. It didn’t start crashing until I installed ActiveSync. Nowadays when I want to play streaming video from a web site I use RealPlayer. I’ve had no problems running it as a limited user. I can use WMP from the desktop for playing video files.

Edit 10/12/06:

A special note about files you download through your browser, or upload from your browser: account privileges count here too.

If you run your browser from a limited account, any files you download through it will be saved with limited account privileges. There may be directories on your hard drive you cannot save to, because they are limited to Administrator access. If you save anything to My Documents through the browser, it will save the file to the limited account’s My Documents folder, not the My Documents folder of the account you logged into to get to the desktop. If you save a file and don’t find it under My Documents, look under C:\Documents and Settings\<limited account name>\<limited account name>’s Documents, substituting <limited account name> with the limited account name you set up earlier.

If you are uploading a file, you may receive an error message saying that it can’t access it. If you created the file using an application as the user you logged into the desktop with (presumably as Administrator), the file may not give access privileges to the limited account. In this case, right-click on the file, select Properties, and then select the Security tab. See if the name of the limited user account shows up in the “Group or user names:” list. If it’s there, make sure the Read permission is set under the “Permissions for <limited user account name>:” list, and click the OK button. Uploading the file should work after doing this.

If the name of the limited account is not in the “Group or user names:” list, click the “Add…” button, type the user name of the limited account in the text window, and hit the OK button. Select this user in the “Group or user names:” list and make sure it has the Read permission set in the “Permissions for <limited user account name>:” list. Then click OK. The upload should work after doing this.
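The permission change described in the last two paragraphs, done with the cacls command instead of the Security tab. This is an added example and not part of the original post; it assumes the Internet account name from above and takes the file path as its one argument. Note that it only works on NTFS, which is one more reason for the conversion step earlier in the article.

```batch
@echo off
rem Added example, not from the original post: give the limited account read
rem access to one file you created as Administrator, so a browser running as
rem that account can upload it. Only NTFS volumes carry these permissions.
rem Usage: share-with-internet.cmd "C:\Documents and Settings\Administrator\My Documents\report.doc"
setlocal
set ACCOUNT=Internet

if "%~1"=="" (
    echo Usage: %~nx0 ^<file^>
    exit /b 1
)
if not exist "%~1" (
    echo %~1 not found
    exit /b 1
)

rem Show the current access list so you can see whether the account is
rem already on it, then edit the list in place: /E keeps the existing entries
rem and /G %ACCOUNT%:R grants Read only, which is all an upload needs.
echo Before:
cacls "%~1"
cacls "%~1" /E /G %ACCOUNT%:R
echo After:
cacls "%~1"
```

Granting only Read keeps the same boundary the rest of the article relies on: the limited account can hand the file to a web site, but nothing running under it can change or delete the file.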

Exceptional situations

I think on one occasion I had to install an ActiveX plug-in through my browser as Administrator, because it would not do so as the limited user.

I do this reluctantly, but sometimes I have to. There have been times when I have to access a web site as Administrator (on Windows). In these cases, I just select “Current user” (Administrator), when the “Run As” option dialog shows up. There are web sites which won’t run properly if I’m running my browser as a limited user. I saw this when I was planning a trip and shopping for a rental car. A few of the rental car sites would not run properly. This could be the fault of IE as well. If I used a different browser like Opera or Firefox, maybe these problems would go away. Even if I was using them, I would still run them under a limited account. They’ve had their security issues as well from time to time. It’s just a good policy to have.

There are times when I can’t run my browser as a limited user even if I wanted to. I have desktop search installed. Sometimes I have trouble finding a web link I’ve saved. So I search for it in desktop search. I can click right on the link when I find it, and bring it up in my browser, but it brings up the browser as Administrator. It’s not the best situation, and I have to admit I don’t run a totally tight ship.

I have run into occasions when I’m running IE as a limited user where it starts hogging the machine. Everything else slows down. IE may even lock up. I’m not sure why. When this happens I have to go into Windows Task Manager and shut down one of the instances of IE I have running, whichever one is screwed up. This doesn’t happen too often.

Do you have a firewall activated?

There’s a little more configuration to do.

Windows XP has a software firewall built in. Here’s how you can check to make sure it’s activated.

Click on the Start menu, select your Control Panel, and then select Windows Firewall. If it is not on, check and see if you have a third party firewall activated. Some antivirus software comes with its own firewall, and may have turned off Windows’s firewall (it’s better if you don’t have two of them running at the same time). The thing about this is the third party firewall may not even be called a firewall. For example, the version of Norton Antivirus I have installed comes with a firewall, and it’s called “Internet Worm Protection”. This is a good common sense name for it, since that’s typically what a firewall is used for: to protect against internet “worms”. Just saying that you may have a firewall running even though it’s not called “firewall”.

If you have a third party firewall activated, don’t worry about the Windows firewall. The third party one is probably better. If, however, you know of no active firewall, make sure the Windows firewall is turned on.

If you’ve just turned the Windows firewall on for the first time, check out the “Exceptions” tab on the Windows Firewall screen. If there are any programs you know need internet access to function, give them an “exception” to the firewall restrictions by putting a check by their name in the list.

When you’re done, click the OK button.
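The firewall check and setup above, done with netsh, the command-line tool the XP SP2 firewall ships with. This is an added example, not from the original post. The exception at the end uses a placeholder program path; put in the path of a program that actually needs one. The check for a third-party firewall cannot be scripted reliably, so do that step by hand as described above before running the enable line.

```batch
@echo off
rem Added example, not from the original post: check the Windows XP SP2
rem firewall from the command line and turn it on if nothing else is
rem protecting the machine. The "netsh firewall" context exists on XP SP2
rem and SP3; Vista and later replaced it with "netsh advfirewall".
setlocal

rem Report whether the firewall is on and what is currently allowed through.
netsh firewall show state
netsh firewall show config

rem Only do this if you have confirmed there is no third-party firewall
rem active (see above). "exceptions=ENABLE" keeps the Exceptions list in
rem force so the programs you allow below still work.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem One exception, the command-line equivalent of a check mark on the
rem Exceptions tab. The path below is a placeholder; replace it with a
rem program that genuinely has to accept incoming connections.
netsh firewall add allowedprogram program="C:\Program Files\Example\example.exe" name="Example (placeholder)" mode=ENABLE

rem Confirm what ended up on the exceptions list.
netsh firewall show allowedprogram
```

One thing worth knowing when deciding what to put on the Exceptions list: the XP firewall only filters incoming connections. A program that merely connects out, such as a web browser or e-mail client, works without an exception; exceptions are for programs that have to listen for connections from the network, such as file sharing or a game that hosts other players. Every exception is a door left open, so the list should stay as short as you can make it.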

Are you up to date with the updates?

Checking this is easy. Click on the Start menu, select All Programs, and select Windows Update. When the Windows Update page comes up, select “Express”. Wait for it to finish scanning your system. If there are any critical updates you need to get, it will show them to you right up front. If any show up, click on “Review and install updates”. This will take you to a second screen. Select “Install updates”. This will start the process of downloading and installing the updates. Some updates may require you to reboot. If this happens, go ahead and reboot your computer. Once it comes back up, log in as a user with administrative privileges and go back to Windows Update, repeat the process described here, and see if any more critical updates come up. If so, start the install process. Sometimes an update that causes a reboot is a necessary prerequisite for other critical updates. You’re not downloading and installing updates you already got. They’re just ones that weren’t ready to be installed before the previous update.

If no critical updates show up, you are up to date!

Get critical updates automatically

You can set up Windows Update to check for and install updates automatically from here on out. Here’s how to set it up.

Click on the Start menu, select Control Panel, and then select “Automatic Updates”. This will bring up an Automatic Updates screen. If you have never been to this screen before, it should already be set to “Automatic”. If it’s not set to that, set it to “Automatic”. You can set when you want it to check for and install updates, like the day of the week, and the time of day. Make sure you set it to a time when the computer will typically be turned on. It will not automatically update if the computer is in standby mode or powered off. When you’re done, click the OK button.
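A way to read back the Automatic Updates setting from the command line, so you can confirm what the Control Panel screen shows (handy when checking several machines). This is an added example, not from the original post. It reads the registry values XP writes for that screen; the key path and the meaning of the AUOptions values are what I know XP uses, but treat them as an assumption and keep using the Control Panel screen to change the setting.

```batch
@echo off
rem Added example, not from the original post: read back the Automatic
rem Updates configuration and the state of the update service.
rem Key path and value meanings are assumed from XP's own use of them;
rem change the setting through Control Panel, not by editing this key.
setlocal
set AUKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

rem Nothing gets downloaded unless the Automatic Updates service is running.
sc query wuauserv | findstr /C:"STATE"

rem AUOptions: 4 = download and install on a schedule ("Automatic"),
rem 3 = download but ask before installing, 2 = notify only, 1 = turned off.
set AU=
for /f "tokens=3" %%v in ('reg query "%AUKEY%" /v AUOptions ^| findstr /I "AUOptions"') do set AU=%%v
if "%AU%"=="0x4" (
    echo Automatic Updates: download and install on a schedule [Automatic]
) else if "%AU%"=="0x3" (
    echo Automatic Updates: download, but ask before installing
) else if "%AU%"=="0x2" (
    echo Automatic Updates: notify only, nothing is downloaded
) else (
    echo Automatic Updates: turned off or not configured ^(AUOptions=%AU%^)
)

rem Scheduled day (0 = every day, 1..7 = Sunday..Saturday) and hour (0-23).
rem Check that this is a time the computer is normally switched on.
reg query "%AUKEY%" /v ScheduledInstallDay
reg query "%AUKEY%" /v ScheduledInstallTime
```

If the service shows anything other than RUNNING, or AUOptions is not 0x4, go back to the Automatic Updates screen and set it to “Automatic” as described above; the scheduled day and hour are the ones you picked on that screen.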

Office updates

Updates are available for Microsoft Office, too. Even if you just have Microsoft Word, you can still gain security benefits from them. You get them by going to Windows Update and clicking on “Office Family”. This will bring up a new browser window, going to a different site, for Microsoft Office. Once there, click on “Check for updates” in the box labeled “Office Updates”. It will scan your Office installation and see if you need any updates. It’s best to just install all the ones it suggests.

New – Microsoft Update – Get all critical updates automatically

There’s an add-on available for Windows Update from Microsoft, called “Microsoft Update”. It’s free. It automatically finds any Microsoft software you have installed, system and applications, and if there are any critical (security) updates available for them that you don’t have, it will download and install them for you. This way you do not need to check for critical updates for Windows and Office separately. It will handle both, and it will use your settings in “Automatic Updates” (under Start|Control Panel) for doing that.

You can get Microsoft Update from the Windows Update web site. Go to Start|Control Panel|Windows Update. You will see one or more links to “Microsoft Update” either on the home page, or on the results screen after you have had Windows Update scan your computer. Just click on one of the links and follow the onscreen instructions. It will install a new ActiveX control on your system, and you will be all set.

Finally!

I’m sure you’re saying, “Gosh this seems like a lot of work to secure my system.” It is, but this is just the initial setup. Once you have everything set, all you really need to do from now on is run your internet-enabled software under the limited account. That’s it. Everything else is set up to protect you automatically. Assuming you have cleaned your system already of any malware (or have been lucky enough not to get it in the first place), you should notice that your virus and spyware scans come up clean from now on.

From what I’ve been reading this will get better with Windows Vista, the new version of Windows Microsoft is planning on having out by January next year (for consumers; earlier for businesses). Microsoft is really trying to design in security with Vista, so users won’t have to jump through hoops to get it.
