Specific Configuration Steps for Windows XP

Many of the points I've mentioned so far in this chapter are general, conceptual ideas that should be helpful in planning a security strategy, but perhaps not specific enough to directly implement. The following sections provide some specific instructions to tighten security on your Windows XP computer or LAN. These instructions are for a single Windows XP computer or a workgroup without a Windows 200x Server. Server offers more powerful and integrated security tools than are available with Windows XP Professional alone (and happily, it's the domain administrator's job to set it all up).

If You Have a Standalone Windows XP Professional Computer

If you have a standalone system without a LAN, you need to take only a few steps to be sure you're safe when browsing the Internet:

• Enable Macro Virus Protection in your Microsoft Office applications.
  
  
• Be very wary of viruses and Trojan horses in email attachments and downloaded software. Install a virus scan program, and discard unsolicited email with attachments without opening it. If you use Outlook or Outlook Express, you can disable the "preview" pane that automatically displays email. Several viruses have exploited this open-without-asking feature. (The version of Outlook provided with XP Service Pack 2 is better in this regard.)
  
  
• Keep your system up-to-date with Automatic Updates (see the Automatic Updates tab on the System control panel applet), Windows Update, service packs, application software updates, and virus scanner updates. Check for updates every couple of weeks at the very least.
  
  

  NOTE

  Unfortunately, the Automatic Updates pop-up only appears when you are logged in using a Computer Administrator account. Unless you've configured Automatic Updates to automatically install the updates, you need to log on as an administrator at least once every week or two to see if anything new has been downloaded.

• Make the Security Policy changes I suggest later in this chapter under "Tightening Local Security Policy."
  
  
• Use strong passwords on each of your accounts including the Administrator account. (Sign on as Administrator by typing Ctrl+Alt+Del twice at the Welcome screen. Then change the password and make a password reset diskette.) For all passwords use letters and numbers or punctuation; don't use your name or other simple words.
  
  
• Be absolutely certain that Windows Firewall is enabled on any icon in your Network Connections folder that connects directly to the Internet. To enable Windows Firewall, use the steps shown later in this chapter under "Enabling Windows Firewall."
  
  

If You Have a LAN

If your computer is connected to others through a LAN, follow the first five suggestions from the list in the preceding section. Make the Security Policy changes on each computer.

If you are using the Simple File Sharing system option, which I discussed earlier in this chapter, the security situation is quite different than it was in any previous version of Windows. Since all access to shared files over any network or Internet connection is granted or denied access without a password, your one and only line of defense is having a firewall in place between the Internet and your computer. It's absolutely essential that you have a firewall in place, either Windows Firewall or a third-party product.

CAUTION

If you use cable Internet service with multiple IP addresses provided by your ISP, but have no hardware firewall device in place, you cannot share files on your LAN. For this reason, I urge you NOT to use this type of arrangement. See Chapter 19, "Connecting Your LAN to the Internet," for details.

Finally, if you use a wireless network, you must use WEP or WPA encryption to protect your network. Otherwise, thanks to Simple File Sharing, random people passing by could have the same access to your shared files as you do.

Enabling Windows Firewall

If you use the Internet, whether directly from your computer or through a network connection, you must be sure that some sort of firewall is in place to prevent Internet denizens from reaching into your computer. If you use a hardware Internet connection sharing device, that will protect you to some extent, and I gave specific tips for adding additional protection in the previous section. But unless you're on a professionally secured corporate network, or you use a third-party firewall product, you should also use Microsoft's Windows Firewall. Starting with Windows XP Service Pack 2, Windows Firewall is turned on by default, and you may already be using it. You can use the following procedure to verify or manually enable the firewall:

If you want to run a Web server, email system, or other network services that you want to be made available to the outside world, you'll have to "open" the firewall for these services. See "Configuring Windows Firewall" later in this chapter for details.

Tightening Local Security Policy

You should set your machine's own (local) security policy whether your have a standalone computer or are on a LAN. Local Security Policy lets Windows enforce some common-sense security rules, like requiring a password of a certain minimum length.

If your computer is part of a Windows domain-type network, your local security policy settings will likely be superseded by policies set by your domain administrator, but you should set them anyway so that you're protected if your domain administrator doesn't specify a so-called global policy.

To configure local security policy, log in as a Computer Administrator, and choose Start, All Programs, Administrative Tools, Local Security Policy. (If the Administrative Tools icon doesn't appear on the menu, the Administrative Tools Control Panel applet can get you there.)

A familiar Explorer view then appears with several main security policy categories in the left pane, as shown in Figure 21.4. I'll list several policy items you may want to change.

Figure 21.4. The Local Policy Editor lets you tighten security by restricting unsafe configuration options.

To change the settings, select the policy categories from the left pane, and double-click the policy names in the right pane. Appropriate Properties dialogs appear for each; an example is shown in Figure 21.5.

You don't need to change all the policies. I'll list the important ones in the following sections.

Account Policies

Account policies can be used to require long, difficult, frequently changed passwords, and make it hard for users to recycle the same passwords over and over when forced to change. You should lock out accounts that fail several login attempts, locally or over the LAN. Table 21.3 shows the password policies and recommended altered settings, and Table 21.4 show the options at your disposal for locking out an account.

Local Policies

You should have Windows make an entry in the Event Log whenever someone oversteps his or her bounds. Table 21.5 shows the audit policies and recommended settings.

^[*] You should not audit Privilege Use because hundreds of spurious entries appear for no apparent reason.

No changes are necessary in the User Rights assignments section, but you might want to view these entries to see what sorts of permission restrictions Windows uses.

Finally, go through the security options, as listed in Table 21.6. Security options are used to restrict what users can do with system options.

NOTE

If you're interested in how Windows regulates the operation of your computer, take a look at the settings under User Rights Assignment and Security Options. You'll probably never need to change any of these settings, but these two sections are the heart of Windows's security controls.

When you log out and back in, the new restrictive security policies will take effect.