Securing Windows XP Home Edition for Stand Alone Use!


1. Windows XP Home Security

Windows XP Home cannot authenticate to a Windows domain and therefore is unsuitable for use in any context requiring a domain login. It is not inherently any more insecure than most operating systems. However, the original configuration needs to be changed to take advantage of the security features it already possesses.


1.1 Disabling Remote Assistance

Windows XP Home contains a feature known as Remote Assistance which under certain circumstances can allow it to be hijacked by a remote user. To stop this, make sure that you can see the System icon in the Control Panel by clicking on Switch to Classic View:

[Windows XP Home: Classic View]

which looks like this:

[Windows XP Home: Classic View]

Double-click on the System icon, and bring the Remote tab to the front. Make sure that Allow Remote Assistance invitations to be sent from this computer is not ticked.


[Windows XP Home: Remote Assistance]

1.2 Disabling Universal Plug and Play (UPnP)

Universal Plug and Play is designed for the era when your fridge sends you email telling you that you are running out of milk. It is a set of communications protocol standards that allow networked TCP/IP devices to announce their presence to all other devices on the network and to then inter-operate in a flexible and pre-defined fashion. There is nothing wrong with the idea, but devices utilizing such technology are not currently widespread, and security was not really a consideration in development.

Since you are unlikely to need it at the moment, you should (as the FBI recommend) disable it. Open the Control Panel, make sure that you are switched to the Classic view (see instructions above) and double-click on Administrative Tools.

[Windows XP Home: Services]

Then double-click on the Services icon.

[Windows XP Home: Disabling UPnP]

Double-click on Universal Plug and Play Device Host.

[Windows XP Home: Stopping UPnP]

Click on Stop. You have now stopped the service but not disabled it. (If you do not disable it, it will start again next time you restart the computer.) Click OK to return to the Services page, where you will now see that the service is no longer shown as Started. Double-click on the Universal Plug and Play Device Host line again and change the Startup type to Disabled from the dropdown menu.

[Windows XP Home: Disabling UPnP]

1.3 Password Protecting Your User Accounts

If you currently have the Welcome screen logon enabled, you should disable it before attempting to password your accounts. (This presents every user as a small icon with their name beside it. Clicking on it enables users to log in without entering a password, and is very insecure.) Open User Accounts in the Control Panel. Select Change the way users log on and off.

[Windows XP Home: Changing User Accounts]

Then make sure that the Welcome Screen is not ticked and click on Apply Options.

[Windows XP Home: Welcome Screen]

Go back to the Control Panel and pick User Accounts, and then select Change an account. This will take you to a list of accounts. Choose yours and then choose Change my password.

[Windows XP Home: Passwording]

Note: If you have not used passwords on your machine until now, your password will be blank. You should not enter anything in the Type your current password: box, i.e. make sure you leave it blank. You should now enter a new password (not less than six-eight letters for security, and not a dictionary word or your userid, which is easy to guess), and then confirm it by entering it a second time on the line below. Click on Change Password and you will have successfully password protected your account.

You need to do this for any other accounts you have on your computer except the Guest account. You should disable this by clicking the Guest account icon from the User Accounts screen. From the next screen, choose Turn off the guest account.

[Windows XP Home: Turn off Guest]

Finally, you may see an account called Owner from your User Accounts screen. This account is created if no user accounts were enabled when Windows XP was installed. This account must be password protected as well to fully protect your computer. You can also rename it.

1.3.1 The Administrator Account

The Administrator account is present on every Windows XP machine (all users are by default given the rights of an Administrator) but it is hidden. To password it (and to check that all other accounts are password protected) go to Start>Run and type 'control userpasswords2'.

[Windows XP Home: Administrator]

Make sure that Users must enter a name and password to use this computer is ticked, and then choose the Administrator account and click on Reset Password.

[Windows XP Home: Admin Password]

You will be prompted for a password, which you then need to confirm.

1.4 The Windows Firewall

The Windows Firewall or ICF is a basic firewall, which will block incoming traffic to your computer with a minimum of configuration. It will not necessarily keep your machine entirely safe, but it does provide some protection. Unfortunately it is not installed in Windows XP unless you have Service Pack 2 installed, so the first step you need to take is to ensure that you have Service Pack 2. To do this click Start, right-click My Computer and then click Properties. On the General tab, under System, the Windows product and version number are listed.

To turn the Windows Firewall on, open the Control Panel and choose Network and Internet Connections and then Network Connections if you are using the Category view, or just Network Connections if you are switched to the Classic view.

[Windows XP Home: Turning ICF on]

Select the appropriate connection and Change the settings of this connection from Network Tasks.

[Windows XP Home: Advanced Tab]

Bring the Advanced tab to the front. Tick Protect my computer by limiting or preventing access to this computer from the Internet.

Double-click on the Settings button at the bottom-right, choose the ICMP tab and tick Allow incoming echo request.

[Windows XP Home: Allow Ping]

1.5 Turning File and Printer Sharing Off

Go to the Control Panel, open Network Connections and then select your connection as described above, right-click on Properties and clear the File and Printer Sharing for Microsoft Networks box.

[Windows XP Home: Turning File and Printer Sharing Off]

1.6 Turning Messenger Off

The Messenger service is used to send popup alerts and error messages to you, but has recently become the focus of activity for some spammers, and is potentially insecure in other ways. 

To disable Messenger, go to the Control Panel, open Administrative Tools and select Services. Scroll down until you see the Messenger service and highlight it.

[Windows XP Home: Messenger Service]

Right-click the line (the Messenger service will be started by default), and change the Startup type on the dropdown menu from Started to Disabled.


[Windows XP Home: Disabled Messenger]
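
The checks below are an added example, not part of the original guide: a read-only batch script that reports whether the settings from sections 1.1, 1.2, 1.4 and 1.6 took effect. It assumes Service Pack 2, an administrator command prompt, the service short names upnphost and Messenger, and the registry value fAllowToGetHelp, none of which appear in the guide itself.

```batch
@echo off
rem Added example: read-only audit of sections 1.1, 1.2, 1.4 and 1.6.
rem Nothing is changed; the script only reports the current state.
rem Assumptions: Windows XP SP2, run as an administrator, English-language output.

echo == 1.1 Remote Assistance ==
rem Assumed mapping: the Remote tab checkbox is stored as fAllowToGetHelp (0 = off).
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp | find "0x0" >nul
if errorlevel 1 (echo Remote Assistance: not confirmed off) else (echo Remote Assistance: off)

echo == 1.2 UPnP Device Host and 1.6 Messenger ==
rem Assumed service short names: upnphost and Messenger.
for %%S in (upnphost Messenger) do call :checksvc %%S

echo == 1.4 Windows Firewall mode and ICMP settings ==
rem Operational mode should read Enable; type 8 is the incoming echo request.
netsh firewall show opmode
netsh firewall show icmpsetting

goto :eof

:checksvc
rem "sc qc" prints START_TYPE : 4 DISABLED for a disabled service.
sc qc %1 | find "START_TYPE" | find "DISABLED" >nul
if errorlevel 1 (echo %1: startup type is NOT Disabled) else (echo %1: startup type is Disabled)
rem "sc query" prints STATE : 4 RUNNING while the service is still started.
sc query %1 | find "STATE" | find "RUNNING" >nul
if errorlevel 1 (echo %1: not running) else (echo %1: STILL RUNNING, use Stop as described above)
goto :eof
```

A service that reports Disabled but still running has had its startup type changed without being stopped; it will stay running until it is stopped or the machine is restarted.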


1.7 Configuring Windows Update to update your machine automatically

Microsoft constantly issue patches for newly-discovered software vulnerabilities, so you need to keep your machine updated. The most painless way to do this, if you have a permanent connection to the Internet and you tend to leave your machine on, is to allow the machine to update itself and reboot if necessary overnight. To do this, right-click on My Computer, choose Properties and bring the Automatic Updates tab to the front. Select Automatically download the updates, and install them on the schedule that I specify. In this particular example, the machine is set to check Microsoft's website every day (recommended) for updates and install them at 3:00 AM.

[Windows XP Home: Setting Windows Update]

What you will choose depends on your circumstances. If you don't leave your machine on and permanently connected, then you should choose Download the updates automatically and notify me when they are ready to be installed. If you don't like this being done automatically, then choose the first option instead.

1.8 Installing Antivirus Software and Keeping it Up to date

If you already have an antivirus product such as Symantec which came with your machine then either continue running it or uninstall it before attempting to install VirusScan. If you choose to keep running it, then remember that most such purchases only have a year-long license, so you will need to pay again after the first year to keep getting updates.

Your antivirus protection is only as good as the latest updates. If you have an old set of antivirus files, they will probably not protect you against the latest viruses.

All products mentioned are registered trademarks or trademarks of their respective companies. 

Copyright 1999-2008 Internet Fixes. All rights reserved.
