Why Do We Need This Guide
This guide is intended to be used as a last resort. Please try to get away from Windows XP as soon as possible.
Microsoft ended support for Windows XP on the 8th of April 2014. This means that Microsoft will not release any further updates for Windows XP, which will leave systems running XP more and more vulnerable as time goes on.
This guide is written for people using line-of-business software that does not support anything newer than Windows XP. Please try to run your software on a newer operating system; it will make life a lot easier and reduce the security risks on your computer and network. You can also contact your software vendor to see if there is a version that supports newer operating systems, and then migrate to that version.
Securing Windows XP
Remove Local Admin Rights
Removing users from the Local Administrators group is the first thing you should do.
This will stop users from installing applications and will also prevent any software running under the local user account from changing system files and accessing the registry.
To do this, remove the users from the local Administrators group, either through Group Policy or through the Local Users and Groups manager.
Use An Anti-Virus And Firewall That Supports Windows XP
Many of the major anti-virus software vendors are still supporting Windows XP even though Microsoft isn't. Make sure that you have an anti-virus product installed, that it still supports Windows XP, and that it is getting regular updates. This will help protect your Windows XP computers from viruses.
Using a strong firewall that supports Windows XP will also help you combat security threats. A firewall can block unwanted network traffic that could be harmful to your system. Make sure that the firewall is filtering both inbound and outbound communication.
Both Symantec and Sophos are still releasing virus protection updates for Windows XP. These are not the same as the updates that Microsoft released for the operating system.
Put Your Windows XP Computers On A Separate Network
You should have your Windows XP computers on a different network from all of your other computers or, even better, not connected to a network at all. Putting them on a different network isolates them from the rest of your environment, so that if they get compromised the rest of your computers should not be affected.
Taking your XP computers off the network completely isolates them, so the Windows XP computers will not be exposed to anything that could infect or compromise the system.
Change Proxy Settings On Internet Explorer
Changing the proxy settings in Internet Explorer to 127.0.0.1 will stop users from browsing the internet, because browser requests are sent to the local machine, where no proxy is listening. Browsing the internet is not safe on Windows XP and I do not recommend you allow users to browse the internet at all on the Windows XP machines.
Disable The Guest Account
Make sure the Guest account is disabled. This will stop people who do not have a user account on the computer from logging on to it.
To do this:
- Open the Control Panel
- Open User Account Settings
- Click Guest
- Select Turn Off Guest Account
The guest account will be deactivated.
Disable Unnecessary Services
You can help secure Windows XP by disabling services like:
- Telnet
- Universal Plug and Play Device Host
- IIS (not installed by default)
- NetMeeting Remote Desktop Sharing
- Remote Desktop Help Session Manager
- Remote Registry
- Routing & Remote Access
- SSDP Discovery Service
- Error Reporting Service
- Messenger Service
These services can be disabled if you do not use them. Any other unnecessary services may be disabled too. The more services you disable, the fewer attack vectors there are on your XP system.
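The batch file below is an added example, not part of the original guide. It stops and disables each service in the list above and then disables the Guest account from the command line. The short service names are assumed to be the standard Windows XP ones (the guide gives display names only), so confirm each with `sc query <name>` on your own machines.

```bat
@echo off
rem Added example: stop and disable the services listed above, then disable Guest.
rem Run from a command prompt opened as a local administrator.
rem The short service names are assumed to be the standard Windows XP ones
rem (the guide gives display names only); confirm each with "sc query <name>".
setlocal

rem TlntSvr        Telnet
rem upnphost       Universal Plug and Play Device Host
rem W3SVC          IIS web service (only present if IIS was installed)
rem mnmsrvc        NetMeeting Remote Desktop Sharing
rem RDSessMgr      Remote Desktop Help Session Manager
rem RemoteRegistry Remote Registry
rem RemoteAccess   Routing and Remote Access
rem SSDPSRV        SSDP Discovery Service
rem ERSvc          Error Reporting Service
rem Messenger      Messenger
set SERVICES=TlntSvr upnphost W3SVC mnmsrvc RDSessMgr RemoteRegistry RemoteAccess SSDPSRV ERSvc Messenger

for %%S in (%SERVICES%) do call :disable %%S

rem Disable the Guest account from the command line.
net user Guest /active:no >nul 2>&1
if errorlevel 1 (echo [FAIL] Guest account not disabled) else (echo [ OK ] Guest account disabled)

endlocal
goto :eof

:disable
rem Skip services that are not installed on this machine.
sc query %1 >nul 2>&1
if errorlevel 1 (
    echo [SKIP] %1 not installed
    goto :eof
)
rem Stop it now (an error here just means it was not running) ...
sc stop %1 >nul 2>&1
rem ... and keep it from starting again. The space after "start=" is required.
sc config %1 start= disabled >nul 2>&1
if errorlevel 1 (echo [FAIL] %1 not disabled) else (echo [ OK ] %1 disabled)
goto :eof
```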
Use Software Restriction Policies
Software restriction policies give administrators the ability to control what software is allowed to run. By using a software restriction policy to lock down Windows XP, an administrator can prevent unwanted programs from running; this includes viruses and Trojan horses, or other software that is known to cause conflicts when installed. You can set up a software restriction policy either through Group Policy on a domain network or through the local security policy on a standalone computer.
Remove Any Unnecessary Programs And Add-ons
Remove programs like:
- Java
- Flash
- Adobe Acrobat Reader
- Internet Browser Toolbars
- Silverlight
If you do not need these programs for your computers to run, uninstall them. These can all act as attack vectors, and without security updates they will become an easier target for hackers and malicious programs.
Any other programs that try to interact with the internet should also be removed.
You may also want to read this article on locking down domain computers.