In this article, we discuss how to improve the security of the Windows XP operating system and of the people who use it, along with some points to keep in mind during routine maintenance. We hope it will be of some help to the majority of Windows XP users.
1. Installation security policy
(1) Do not choose to install from the network
Although Microsoft supports online installation, it is definitely not safe. Do not connect to the network, especially the Internet, until the system is fully installed, and do not even connect all the hardware before installing. This is because when Windows XP is installed, after you enter the password for the administrator account “Administrator”, the system creates an “ADMIN” shared account that is not protected with the password you just entered. This situation continues until the computer starts up again, and during this period anyone can enter the system through “ADMIN”. In addition, as soon as the installation completes, various services start running automatically, while the server is still full of vulnerabilities and very easy to hack from outside.
(2) Choose the NTFS format for partitions
It is better to have all partitions in NTFS format, because NTFS partitions are more secure. Even if other partitions use another format (e.g. FAT32), at least the partition where the system is located should be NTFS. In addition, applications should not be placed on the same partition as the system, so that attackers cannot exploit application vulnerabilities (such as those in Microsoft’s IIS) to leak system files or even remotely gain administrator privileges.
(3) Choice of system version
Windows XP is available in various languages. For us, the choice is between the English and Simplified Chinese versions, and I strongly recommend the English version if language is not a barrier. Microsoft products are known for “Bugs & Patch”: the Chinese version has far more bugs than the English version, and its patches are usually at least half a month late (that is to say, your machine will be unprotected for half a month after Microsoft has announced the vulnerability).
(4) Component customization
Windows XP installs some common components by default, but it is exactly this default installation that is dangerous. You should know exactly which services you need and install only those, following the security principle: minimum services + minimum permissions = maximum security.
(5) Allocation of partitions and logical disks
It is recommended to create more than two partitions, one system partition and more than one application partition, so that the system partition is separated from the application partitions and the applications are protected. Generally speaking, when viruses or hackers attack through vulnerabilities, it is the system partition that is damaged, not the application partitions.
2. Account security policy
(1) User security settings
Check user accounts and stop unwanted accounts; changing the default account name is recommended.
1) Disable the Guest account in Computer Management. To be on the safe side, it is better to add a complex password to Guest.
2) Restrict unnecessary users. Remove all duplicate users, test users, shared users, etc. Set the user group policy with appropriate permissions, and check the system users frequently to remove those that are no longer used.
3) Create two administrator accounts. Create one user with general privileges for receiving mail and handling everyday tasks, and another user with Administrator privileges to be used only when needed.
4) Change the name of the system Administrator account. The Administrator user of Windows XP cannot be deactivated, which means others can try this user’s password over and over again. Try to disguise it as a normal user, for example by changing it to Guesycludx.
5) Create a trap user. Create a local user named “Administrator”, set its privileges to the lowest so that it cannot do anything, and give it a super complex password of more than 10 digits.
6) Change the permissions of shared files from the Everyone group to authorized users. Do not assign shared files, including print shares, to the “Everyone” group; “Everyone” is the default attribute.
7) Do not let the system display the last login user name. Open the registry editor, find the registry entry HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName, and change the key value to 1.
8) System account/share list. The default installation of Windows XP allows any user to obtain the full list of system accounts and shares through an empty user. This was intended to make file sharing easier for LAN users, but a remote user can also get your user list and use a brute force method to crack user passwords. You can disable 139 empty connections by changing the registry: under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA, set RestrictAnonymous = 1. The Security Policy also has such an option, RestrictAnonymous (additional restrictions on anonymous connections).
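The two registry settings from items 7) and 8) can be verified offline against an exported .reg file. The Python script below is an added example, not part of the original article; the sample export is constructed, and the function names and the choice to accept both string and DWORD forms of the value 1 are assumptions of this example.

```python
import re

# Baseline taken from the two registry changes described above.
BASELINE = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "DontDisplayLastUserName"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "RestrictAnonymous"): 1,
}

# Constructed sample export (regedit text format), not from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<sz>.*)"|dword:(?P<dw>[0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Return {(key_lower, value_name_lower): int_or_str} from .reg text."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry paths are case-insensitive
        elif key and (m := VALUE_RE.match(line)):
            data = int(m["dw"], 16) if m["dw"] is not None else m["sz"]
            values[(key, m["name"].lower())] = data
    return values

def audit(text, baseline=BASELINE):
    """List (key, name, found, wanted) for every missing or wrong setting."""
    found = parse_reg(text)
    findings = []
    for (key, name), wanted in baseline.items():
        got = found.get((key.lower(), name.lower()))
        # REG_SZ "1" and REG_DWORD 1 are both accepted as the value 1.
        as_int = int(got) if isinstance(got, str) and got.isdigit() else got
        if as_int != wanted:
            findings.append((key, name, got, wanted))
    return findings

if __name__ == "__main__":
    for key, name, got, wanted in audit(SAMPLE_EXPORT):
        print(f"{key}\\{name}: found {got!r}, expected {wanted}")
```

A value that is absent from the export is reported with a found value of None, so a machine where the setting was never created is flagged the same way as one where it is set to 0.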
3. Application security policy
(1) Install antivirus software
Antivirus software can not only kill some famous viruses but also detect and kill a large number of Trojan horses and backdoor programs, so run the program often and keep the virus database upgraded.
(2) Install a firewall
A firewall listens for attacks from the outside world on this machine and alerts the user so that preventive measures can be taken as early as possible.
(3) Install system patches
Download the latest patches from the Microsoft website: frequently visiting Microsoft and some security sites to download the latest Service Pack and vulnerability patches is the only way to ensure the long-term security of the server.
(4) Stop unnecessary services
Too many services is not a good thing: turn off all unnecessary services! The more service components are installed, the more service functions users can enjoy. But the service components users actually use are limited, and the rarely used ones, besides taking up a lot of system resources and causing system instability, also give hackers a variety of routes for remote intrusion.
To do this, we should try to block those service components that are not needed at the moment. The specific procedure is: first, find “Administrative Tools”/“Services” in the Control Panel and open the “Services” dialog box. In the dialog box, select the program that needs to be blocked, right-click it, choose the “Properties”/“Stop” command from the pop-up shortcut menu, and set the “Startup Type”. This will allow you to block the specified service component.
4. Network Security Policy
(1) Close unnecessary ports
Closing ports means less functionality, so you need to strike a balance between security and functionality. If the server is installed behind a firewall, there will be less risk. However, never assume that you can rest easy. Use a port scanner to scan your system for open ports and determine which services open on your system could lead to a hack. There is a cross-reference table of well-known ports and services in the system32\drivers\etc\services file in the system directory. To close ports, open “Internet Neighborhood / Properties / Local Connections / Properties / Internet Protocol (TCP/IP) / Properties / Advanced / Options / TCP/IP Filtering / Properties”, enable “TCP/IP Filtering”, and add the required TCP and UDP protocols.
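As an added example (not part of the original article), the Python script below cross-references the ports a machine has open, taken from its own `netstat -an` output, with the services file and reports everything outside an allow-list. The services excerpt, the netstat output, the addresses and the allow-list are constructed for illustration, and the function names are assumptions of this example.

```python
# Constructed excerpt in the format of system32\drivers\etc\services.
SERVICES = """\
http               80/tcp    www www-http           #World Wide Web
epmap             135/tcp    loc-srv                #DCE endpoint resolution
netbios-ns        137/udp    nbname                 #NETBIOS Name Service
netbios-ssn       139/tcp    nbsession              #NETBIOS Session Service
"""

# Constructed `netstat -an` output from the machine being hardened.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""

ALLOWED = {("tcp", 80)}  # assumed policy: the only port this host must offer

def load_services(text):
    """Map (proto, port) -> service name from services-file text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comment
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(proto.lower(), int(port))] = fields[0]
    return table

def open_ports(netstat_text):
    """Sorted (proto, port) pairs: TCP in LISTENING state, any bound UDP."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if f[0] == "UDP" or f[-1] == "LISTENING":
            ports.add((f[0].lower(), int(f[1].rsplit(":", 1)[1])))
    return sorted(ports)

def unexpected(netstat_text, services_text, allowed=ALLOWED):
    """Open ports outside the allow-list, labelled from the services file."""
    names = load_services(services_text)
    return [(proto, port, names.get((proto, port), "unknown"))
            for proto, port in open_ports(netstat_text)
            if (proto, port) not in allowed]

if __name__ == "__main__":
    for proto, port, name in unexpected(NETSTAT, SERVICES):
        print(f"{port}/{proto} ({name}) is open but not in the allow-list")
```

Each reported entry is a candidate for stopping the service behind it or for leaving it out of the TCP/IP Filtering list.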
(2) Set up the access rights of security records
The security record is unprotected by default; set it so that only Administrators and system accounts have access to it.
(3) Use a Web-based e-mail system
Do not use Outlook, Foxmail and other client mail programs to receive mail. Some mail nowadays is very harmful; once it is implanted on this machine, it may paralyze the system. Also, do not open attachments in e-mails from strangers, which often carry viruses and Trojan horses.