XP Advanced Security
Novice users should seek help from their IT support person before attempting these instructions. Some of these steps may result in data loss, so remember to back up your registry and any critical data before proceeding.
Microsoft Baseline Security Analyzer
Benefits: Microsoft Baseline Security Analyzer is a tool used to identify and help correct the most common security misconfigurations of Windows. Available from: http://www.microsoft.com/downloads. It finds the most common security holes in Windows products, scans local and remote machines, and identifies any patches that are available.
Costs: May trigger false positives in firewalls on remote machines.
Steps: Once downloaded and installed, the Microsoft Baseline Security Analyzer will diagnose common security holes. The program will also provide URLs to patches or instructions on the steps needed to close security holes.
Windows XP Optimization
Benefits: Hackers and malicious programs can't exploit these services. Faster load and execution time for other programs.
Costs: If you are not using these services, there is no cost to implementing this recommendation.
Steps: Disable unnecessary services that are installed and running by default but are not used. The following services can safely be disabled:
- NetMeeting Remote Desktop Sharing
- Remote Registry
- SSDP Discovery Service
You will need to look through your own list of services and determine what should be running. Make sure you know what you are doing here. Disabling required services can cause system instability.
Start > Control Panel > Administrative Tools > Services > double-click on each service above > change the startup type to Disabled > reboot
Convert to NTFS file system
Benefits: Increases file access performance and on-the-fly file defragmentation. Improves security, gives more granular control of permissions and enables the use of EFS (Encrypting File System).
Costs: System recovery is more difficult. If the conversion procedure fails, the result will be catastrophic data loss. No dual partitions, no DOS access to the drive.
Steps:
- Determine if your computer is running NTFS
- Right-click on your hard drive and click Properties. File system will be either FAT, FAT32 or NTFS.

If not NTFS, convert by doing the following:
Start > Run > type cmd > click OK > type convert driveletter: /FS:NTFS > reboot
Disable POSIX
Benefits: Prevents hackers from using Unix commands
Costs: For most users, none.
Steps:
- Click Start > Run and type regedt32 (not regedit)
- Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems and click on the multistring called Optional in the right-hand pane.
- By default, the multistring's value will be POSIX; delete that value and leave the space empty (but don't delete the Optional multistring).
- Then click on the actual POSIX multistring in the same pane. Note that it points to a file in your Windows System32 directory called Psxss.exe. Delete that file using Windows Explorer, use the Registry Editor to delete the POSIX string, and then reboot.
Disable Unnecessary Services
Benefits: Hackers and malicious programs can’t exploit these services. Faster load and execution time for other programs.
Costs: If you are not using these services, there is no cost to implementing this recommendation.
Steps:
- Start > Control Panel > Administrative Tools > Services > double-click on the service > change the startup type to Disabled > reboot
Disable Default Administrative Shares
Benefits: Open shares, particularly if they are unused, leave a system open to exploit; disabling them removes that exposure.
Costs: Certain programs require access to Administrative Shares. If programs stop working, you will need to re-enable access.
Steps:
For NT 4.0 Workstation/W2K Pro/XP Pro, the change is:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks
Data Type: REG_DWORD
Value: 0
- A reboot is necessary for this registry change to take effect.
- If you can't find the value in the registry under the exact location (i.e. it does not exist) – right-click in the right pane of the window and create it.
- If you want the administrative shares to be re-created, you can change the value back to 1.
- Some applications depend on the presence of these shares. If things stop working, re-enable the shares.
Please note: this registry hack does NOT stop the IPC$ share, which is often used by hackers to enumerate systems before an attack, since it can yield a wealth of information about your system names, your user names, and more. If your ACL permissions are not correct, or you haven't disabled anonymous user access, or you haven't disabled the guest account, then this share can lead to total system compromise within minutes!
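To confirm the settings above after the reboot, the following read-only check reports each one. It is an added example, not part of the original guide. It assumes PowerShell 2.0 or later is installed, that the system drive is C:, and that the three services listed earlier have the service names mnmsrvc, RemoteRegistry and SSDPSRV.

```powershell
# Read-only audit of the settings this page recommends; it changes nothing.
# Assumptions: PowerShell 2.0 or later is installed, the system drive is C:.
function New-Finding($Check, $Value, $Hardened) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Hardened = $Hardened }
}
$findings = @()

# Services the page lists as safe to disable (display name -> service name).
$services = @{
    'NetMeeting Remote Desktop Sharing' = 'mnmsrvc'
    'Remote Registry'                   = 'RemoteRegistry'
    'SSDP Discovery Service'            = 'SSDPSRV'
}
foreach ($display in $services.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($services[$display])'"
    if ($svc -eq $null) {
        $findings += New-Finding "Service: $display" 'not installed' $true
    } else {
        $findings += New-Finding "Service: $display" "$($svc.StartMode), $($svc.State)" ($svc.StartMode -eq 'Disabled')
    }
}

# File system of the system drive.
$disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='C:'"
$findings += New-Finding 'File system on C:' $disk.FileSystem ($disk.FileSystem -eq 'NTFS')

# POSIX subsystem: the Optional multistring should no longer list Posix.
$sub = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$optional = @((Get-ItemProperty -Path $sub -Name Optional -ErrorAction SilentlyContinue).Optional)
$findings += New-Finding 'SubSystems\Optional' ($optional -join ',') (-not ($optional -contains 'Posix'))

# Administrative shares: AutoShareWks must exist and be 0.
$lan = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$auto = (Get-ItemProperty -Path $lan -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
if ($auto -eq $null) { $shown = 'not set' } else { $shown = $auto }
$findings += New-Finding 'AutoShareWks' $shown ($auto -eq 0)

# Hidden ($) shares still published. IPC$ is expected to remain: the page
# notes that the AutoShareWks change does not remove it.
$hidden = @(Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -like '*$' } | ForEach-Object { $_.Name })
$extra = @($hidden | Where-Object { $_ -ne 'IPC$' })
$findings += New-Finding 'Hidden shares' ($hidden -join ',') ($extra.Count -eq 0)

$findings | Select-Object Check, Value, Hardened | Format-Table -AutoSize
```

Any row with Hardened set to False points back to the matching section of this page.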

