|
|
Configuring Windows XP for Security and Performance
|
There are many features of Windows XP that are unnecessary yet consume system resources and open security holes. Every time I install Windows XP, I spent a good deal of time configuring these away and building a more secure and resource-efficient system. This document will outline the steps which I think anyone interested in security and speed on Windows XP should take.
|
Tweak the User Interface
|
The new window manager and start menu can look cool, although I dislike the default skin for window decorations. I always revert to the look-and-feel of previous versions of Windows, both for the simplicity of the interface and because the theme engine that enables the new design uses a lot of memory.
Fortunately, it is quite simple to revert to the classic designs.
| Start menu |
|---|
- Right-click (context-click) on the taskbar, and select Properties.
- Choose the "Start Menu" tab at the top.
- Select "Classic Start menu".
- Click the "Customize" button, and review the options there. I always disable "Personalized Menus", because it hides Start Menu items that I haven't used recently, which makes it take longer to get to them later. Click "OK" when you're done.
- Click "OK" to save your changes.
|
| Window manager theme |
|---|
- Right-click on the desktop, and select Properties.
- Under the first tab ("Theme"), change the theme to "Windows Classic".
- Click "OK" to save this change. Everything should look as if you were using Windows 98 or Windows 2000 now.
- Now for the important part. To actually save memory, you must disable the "Themes" service.
- Open the Start Menu, and select "Run". Type "services.msc" (no quotes), and click "OK".
- Scroll down the list of local services until you find one called "Themes". Right-click on it and select "Properties".
- Change the startup type drop-down list to "Disabled".
- Click "Stop" to stop the service right away.
- Click "OK" to save your changes.
|
|
Remove Unwanted Services
|
Many system services are unnecessary. Below is a list of which services I think are worthwhile, and which I always disable. For instructions on disabling services, refer to the last section of customizing the window manager theme in the paragraph above.
| Services to disable |
|---|
| Fast User Switching |
Suggest Disable |
First disable this in the Users Control Panel item. I disable this because I would never use it and it seems to be a security risk. |
| Messenger |
Disable |
This was known as WinPopup from previous versions of Windows. It lets someone send you a network message that appears in a dialog box. It has been used recently to advertise to (read: spam) unsuspecting Windows XP users. |
| NetMeeting Remote Desktop Sharing |
Disable |
Unless you use this feature, disable it! It poses some potential security holes, as it's intended use is to let others use your computer remotely. |
| Portable Media Serial Number |
Disable |
I see no use for this service, other than forensic analysis. Also, it fails to stop. Disable it and reboot to stop it. |
| Remote Desktop Help Session Manager |
Disable |
This provides another way to let remote users use your computer. Unless you're sure you need it, it's best to disable it. I think this service is only really useful in a corporate environment (for use by tech support). |
| Remote Registry |
Disable |
The name of this service alone terrifies me. There's important stuff in the registry, and allowing remote access to modify it is a very risky move, especially considering any potential bugs it may have. |
| Secondary Logon |
Suggest Disable |
Similar to Fast User Switching, so read my comment on that. |
| Smart Card |
Suggest Disable |
If you don't use smart cards, you may as well disable this service. |
| Smart Card Helper |
Suggest Disable |
Same idea as above. |
| SSDP Discovery Service |
Disable |
Disable this unless you're absolutely sure you need it. It has serious security problems, and is not worth keeping running. |
| Telnet |
Disable |
No one should EVER run a telnet server. If you needed shell access, you should use SSH so it's at least encrypted. |
| Terminal Services |
Disable |
Yet another way to let remote users use your computer. Disable it unless you actually use it. Keep in mind that if you use it, there is a significant security risk. |
| Themes |
Suggest Disable |
See the user interface section above. |
| Universal Plug and Play Device Host |
Disable |
Similar to SSDP Discovery Service |
| Windows Time |
|
This synchronizes your computer's time to a network time server. I set my time myself and disable this. However, allowing your computer's time to become out-of-sync with some network servers may prevent you from logging into the servers (especially Kerberos authentication). |
| Wireless Zero Configuration |
Suggest Disable |
Disable this if you don't have an 802.11 wireless adapter. |
|
Stop sharing all your hard drives on the network
|
By default, Windows 2000 and Windows XP share your hard drives on the network as C$, D$, etc. Any computer that can access yours over the network could read and write anything on your hard drive if they merely guess your Administrator password, and there's no real limit on how many times they can guess.
Read this page describing how to stop sharing your entire hard drive as C$.
|
Remove Unwanted Programs
|
Some programs, both included with Windows and not, run automatically but are undesirable.
- Windows Messenger (formerly called MSN messenger)
- Open Windows Messenger from its taskbar icon, or by running the file "Program Files\Messenger\msmsgs.exe".
- Cancel the Microsoft Passport sign-up wizard if it opens.
- In the Windows Messenger window, select "Options..." under the Tools menu.
- Change to the Preferences tab.
- Deselect the first 2 checkboxes ("Run this program when Windows starts" and "Allow this program to run in the background").
- Click OK, and close the Windows Messenger window.
- Windows Messenger should no longer appear in the system tray.
|
Be Careful
- Don't open email attachments or files if you are not sure what they are. Malicious code lurks everywhere.
- Don't be an administrator.
Normally, the first account you set up on Windows XP gives you access to make any changes you want, such as installing programs. However, unless you install programs frequently, it is better only to use administrative accounts when you need them, and to run as an unpriviledged user most of the time. That way, if you should get a virus it can't do as much real harm.
Instructions coming soon.
- Get security updates frequently.
Microsoft issues updates for Windows problems very often. If you are on a fast network, it is a good idea to set your computer to autoupdate.
Instructions coming soon. Hint: Automatic Updates tab in System control panel
|
|