.:[May 25th - 11:07 CET/GMT-0500]:.

How-To: Secure Windows XP.

Welcome to my little tutorial. Here I'll show you how to secure Microsoft Windows XP as much as possible by closing vulnerable Ports, stopping unneeded Services, etc. When I say secure I do not mean 100% secure; that is not possible if you want to surf the Information Expressway. Neither will it guarantee that you'll never see a virus or other malware: most of that crap ends up on people's Computers due to human negligence. Think before you click. :-)

This tutorial will show you how to prevent unauthorized access to your Computer. The final result will also improve your system's performance, as many services that "normal" people do not need or use will be turned off. It is written very simply, so that even the most Computer-illiterate person is able to understand and perform the changes to Windows.

I have had all this information stored in my hippocampus for many years. A few years ago I was asked why I didn't make an on-line tutorial, and this is the result. This document is specifically directed at Windows XP and Windows 2000. You might be able to use it in whole or in part on Windows Vista and Windows 7 systems, but I really have no idea whether any services and such have changed, so if you give it a whirl, you're on your own.

I strongly recommend that you print this page, so that you can undo the changes you are about to make in case you can't connect to the Internet upon completion, or if something else should be malfunctioning. I can not be held responsible for any data loss, soft/hardware failure, or anything else; it is solely up to you to decide whether you want to go for it or not. I have no intention of causing damage to your system, and my Windows XP system has the very same settings as those you'll find here. No exceptions.

The best approach is to start fresh. This usually takes about 2 hours, depending on variables such as how much data you need to back up and your Internet connection speed.

  1. Make backups of critical data to CD, DVD, USB or whatever.
  2. Unplug the RJ-45 (or USB) cable from your Computer
  3. Reboot with the original Windows CD in the drive
  4. Format the C:\ drive and re-install Windows
  5. Do everything that this tutorial says
  6. Plug the RJ-45 (Or USB) cable back into your Computer
  7. Connect to Windows Update, and fully update your fresh install with everything located in 'Critical Updates and Service Packs' and in 'Windows XP'
  8. When your system is fully updated with all security fixes, grab the drivers for your hardware (use only the manufacturers' sites).
  9. Grab some Antivirus software
  10. You're done, and you can start restoring your backed up data.

I know you probably don't want to go through with the fresh start, so you can just keep reading, but at least disconnect from the Internet while performing these operations.

Notice: Applying some of these changes will cause your Local Area Network (LAN) to malfunction if it uses NetBIOS or SMB. If you only have 1 Computer, or your Computers aren't connected as a LAN, then go ahead and perform all the changes, except where a notice like this one tells you otherwise.

I strongly recommend that you download and install the most recent Service Pack for Windows XP if you haven't already. It can be obtained from Windows Update.

You'll need some additional software too, to ensure maximum protection when you have finished this tutorial. First an AntiVirus program: I recommend that you use either Avast or, better yet, Sophos. Avast is FreeWare for home users; you just have to register for free once every 14 months. Sophos is TrialWare, so you have to purchase a license when the trial expires, but it is well worth the money. Sophos is #1. Both of these AV tools come with a nice auto-update feature, though Avast doesn't update as often as Sophos.

You also have to ensure that Windows XP is fully updated with all the latest security fixes and updates, so visit Windows Update and download everything available in 'Critical Updates and Service Packs' and in 'Windows XP'. You might have to reboot a few times, depending on which updates are available. It can take from 2 minutes to god knows how long, depending on the updates available and your line speed.

Finally you need a SpyWare removal tool. Adaware is the program to use for this; it's fast, efficient and free. Download it from LavasoftUSA.

When you are done with Windows Update, install the 2 programs, update their databases, then run a sweep on your hard disk(s) to remove any Viruses and SpyWare. When done, unplug your Modem/Network cable.

Internet Explorer Settings.

Regardless of your browser choice you should set up Internet Explorer accordingly.
Open IE and click 'Tools' in the menubar.
Select 'Internet Options' –> 'Privacy' –> 'Advanced'. Then do:

  1. Tick 'Override Automatic Cookie Handling'.
  2. Tick 'Allow 1st Party Cookies'.
  3. Tick 'Block 3rd Party Cookies'.
  4. Untick 'Always allow session cookies'.
  5. Click 'OK' once.

You have told IE never to accept cookies that don't originate from the website you are visiting, e.g. tracking cookies from banners on a website; this prevents more than 95% of all SpyWare from infecting your system. If you want to, you can set IE to 'ask me every time' for first-party cookies. Mine is set to ask every time, because I don't need to take cookies from each and every site that I visit. Notice: Some sites, especially home-banking sites, require 'session cookies'; you can add exceptions for those sites instead of allowing session cookies globally.

Click on the 'General' tab, then in the 'Temporary Internet Files' section click on 'Settings'.
Lower the 'Amount of disk space to use' to 1 MB (megabyte). Click on 'OK' twice to close the Internet Options window.

You have changed the cache size of Internet Explorer. This means SpyWare and other malicious files written to the cache can't stay there for very long before another object takes their place. The safest thing would be 0 MB, but IE doesn't allow that.

Turning OFF System Restore.

Click 'Start' –> 'Settings' –> 'Control Panel' –> 'System' –> 'System Restore'.
Tick 'Turn OFF System Restore on all drives'. Click 'OK' once.

You can safely turn OFF System Restore, it is rather useless unless your Computer has a nasty habit of refusing to boot up properly, and if it does, then you would be better off with a fresh install of Windows (or maybe new hardware).

Prevent Remote Access.

While you have the 'System' window open, click on the 'Remote' tab and untick both checkboxes in the Remote settings. Click on 'OK' to close the System Properties window.

Only Bill Gates knows why WindowsXP by default allows Remote Access!

Stop and Disable Unneeded Services.

Activate the 'Control Panel' window again and open 'Administrative Tools' –> 'Services'.

You may not have all the services that are listed here; if there are any on the list that you don't have, just skip to the next item. To stop and disable a service, double-click on it, click on 'Stop', then select 'Disabled' from the pulldown menu and click 'OK'. If a service can't be stopped, simply disable it and it won't start when you reboot.

Stop and disable the following Services:

  • Alerter.
  • Clipbook.
  • Computer Browser.
  • DHCP Client.
    Notice: Do not disable the DHCP service unless you have a static IP address.
    If you don't know, leave it on Automatic!
  • Distributed Link Tracking Client.
  • Distributed Transaction Coordinator.
  • DNS Client.
  • Error Reporting Service.
  • Help And Support.
  • IPSec Services.
  • Messenger.
    Notice: This is not MSN/Live Messenger, and not all versions of WinXP have this service.
  • Net.Tcp Port Sharing Service.
  • Network DDE.
  • Network DDE DSDM.
  • Network Location Awareness (NLA).
  • Print Spooler.
    Notice: Do not disable the Print Spooler service if you have a printer attached to your system.
  • Remote Access Auto Connection Manager.
  • Remote Access Connection Manager.
  • Remote Desktop Help Session Manager.
  • Remote Procedure Call (RPC) Locator.
  • Remote Registry.
  • Routing And Remote Access.
  • Secondary Logon.
  • Server.
  • Shell Hardware Detection.
  • SSDP Discovery Service.
  • System Restore Service.
  • Task Scheduler.
  • TCP/IP NetBIOS Helper.
  • Telephony.
  • Terminal Services.
  • Universal Plug And Play Device Host.
  • Volume Shadow Copy.
  • WebClient.
  • Windows Image Acquisition (WIA).
  • Windows Presentation Foundation Font Cache 3.0.x.
  • Windows Time.
  • Wireless Zero Configuration.
  • Workstation.

I won't go into detail about each Service; you can use Google if you want to know the details. Some of the services are only stopped to conserve resources and do not pose a security threat. Please note that Automatic Updates (alg.exe) uses TCP port 1025 when it is started; you must disable the Automatic Updates Service to close that port. Below is a table of my own Services. Compare it to your own and notice that I have changed some services from Automatic to Manual.

Service Name                                             State    Type
-------------------------------------------------------  -------  ---------
.NET Runtime Optimization Service v2.0.x                          Manual
Alerter                                                           Obsolete
Application Layer Gateway Service                        Started  Manual
Application Management                                            Manual
ASP.NET State Service                                             Manual
Automatic Updates                                        Started  Automatic
Background Intelligent Transfer Service                           Manual
    Notice: If you experience issues with Windows Update, set BITS to Automatic.
Clipbook                                                          Disabled
COM+ Event System                                        Started  Manual
COM+ System Application                                           Manual
Computer Browser                                                  Obsolete
Cryptographic Services                                   Started  Manual
DCOM Server Process Launcher                             Started  Automatic
DHCP Client                                                       Disabled
    Notice: Do not disable the DHCP service unless you have a static IP address.
    If you don't know, leave it on Automatic!
Distributed Link Tracking Client                                  Disabled
Distributed Transaction Coordinator                               Disabled
DNS Client                                                        Disabled
Error Reporting Service                                           Disabled
Event Log                                                Started  Automatic
Extensible Authentication Protocol Service                        Manual
Fast User Switching Compatibility                                 Manual
getPlus(R) Helper – Adobe Reader Autoupdater                      Disabled
Health Key And Certificate Management Service                     Manual
Help And Support                                                  Disabled
HID Input Device                                         Started  Automatic
HTTP SSL                                                          Manual
IMAPI CD-Burning COM Service                                      Manual
Indexing Service                                                  Manual
IPSec Services                                                    Disabled
Java Quick Starter – Sun's Java Prefetching Tool                  Disabled
Logical Disk Manager                                     Started  Automatic
Logical Disk Manager Administrative Service                       Manual
Messenger                                                N/A      N/A
MS Software Shadow Copy Provider                                  Manual
Net.Tcp Port Sharing Service                                      Disabled
NetMeeting Remote Desktop Sharing                                 Manual
Network Access Protection Agent                                   Manual
Network Connections                                      Started  Manual
Network DDE                                                       Disabled
Network DDE DSDM                                                  Disabled
Network Location Awareness (NLA)                                  Disabled
Network Provisioning Service                                      Manual
nTune Service – nVIDIA Service                           Started  Automatic
nVIDIA Display Driver Service – nVIDIA Service           Started  Automatic
Performance Logs And Alerts                                       Manual
Plug And Play                                            Started  Automatic
Portable Media Serial Number Service                              Manual
Print Spooler                                                     Disabled
    Notice: Do not disable the Print Spooler service if you have a printer attached to your system.
Protected Storage                                        Started  Automatic
QoS RSVP                                                          Manual
Remote Access Auto Connection Manager                             Disabled
Remote Access Connection Manager                                  Disabled
Remote Desktop Help Session Manager                               Disabled
Remote Procedure Call (RPC)                              Started  Automatic
Remote Procedure Call (RPC) Locator                               Obsolete
Remote Registry                                                   Disabled
Removable Storage                                                 Manual
Routing And Remote Access                                         Disabled
Secondary Logon                                                   Disabled
Security Accounts Manager                                Started  Automatic
Security Center                                          Started  Automatic
Server                                                            Obsolete
Shell Hardware Detection                                          Disabled
Smart Card                                                        Manual
SSDP Discovery Service                                            Disabled
System Event Notification                                Started  Automatic
System Restore Service                                            Disabled
Task Scheduler                                                    Disabled
TCP/IP NetBIOS Helper                                             Disabled
Telephony                                                         Disabled
Telnet                                                            Manual
Terminal Services                                                 Disabled
Themes                                                   Started  Automatic
Uninterruptible Power Supply                                      Manual
Universal Plug And Play Device Host                               Disabled
Volume Shadow Copy                                                Disabled
WebClient                                                         Disabled
Windows Audio                                            Started  Automatic
Windows CardSpace                                                 Manual
Windows Defender                                         Started  Automatic
Windows Driver Foundation - User-mode Driver Framework            Manual
Windows Firewall / Internet Connection Sharing (ICS)     Started  Automatic
Windows Image Acquisition (WIA)                                   Disabled
Windows Installer                                                 Manual
Windows Management Instrumentation                       Started  Automatic
Windows Management Instrumentation Driver Extensions              Manual
Windows Media Player Network Sharing Service                      Manual
Windows Presentation Foundation Font Cache 3.0.x                  Disabled
Windows Time                                                      Disabled
Wired AutoConfig                                                  Manual
Wireless Zero Configuration                                       Disabled
WMI Performance Adapter                                           Manual
Workstation                                                       Obsolete

Close the Services window.
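The same stop-and-disable pass can be done from a command prompt with sc.exe, which ships with Windows XP. This is an added example and not part of the original tutorial: sc.exe works on the short service names rather than the display names shown in the Services window, and the short names used here are the standard Windows XP ones, mapped from the list above by me, not given on this page. DHCP Client and Print Spooler are deliberately left out because of the notices above; add Dhcp or Spooler yourself only if they apply to your machine.

```batch
@echo off
REM Added example, not from the original tutorial: stop and disable the
REM services listed above with sc.exe instead of the Services window.
REM The names below are Windows XP service names, not display names;
REM Dhcp and Spooler are omitted on purpose, see the Notice lines above.
setlocal

for %%S in (
    Alerter ClipSrv Browser TrkWks MSDTC Dnscache ERSvc helpsvc PolicyAgent
    Messenger NetTcpPortSharing NetDDE NetDDEdsdm Nla RasAuto RasMan RDSessMgr
    RpcLocator RemoteRegistry RemoteAccess seclogon lanmanserver ShellHWDetection
    SSDPSRV srservice Schedule LmHosts TapiSrv TermService upnphost VSS WebClient
    stisvc W32Time WZCSVC lanmanworkstation FontCache3.0.0.0
) do (
    REM Not every XP install has every service; skip the ones that are missing.
    sc query %%S >nul 2>&1
    if errorlevel 1 (
        echo [missing]  %%S
    ) else (
        REM Disable, then stop. A service that refuses to stop stays disabled
        REM and simply will not come back after the next reboot.
        sc config %%S start= disabled >nul
        sc stop %%S >nul 2>&1
        REM Read the start type back so the result is verified, not assumed.
        for /f "tokens=4" %%T in ('sc qc %%S ^| findstr START_TYPE') do (
            echo [%%T]  %%S
        )
    )
)
endlocal
```

Run it from an Administrator account; every line of output should read [DISABLED] or [missing], and anything else means the change did not take.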

Edit the Windows Registry.

Click 'Start' –> 'Run', type 'regedit' in the editbox and click on 'OK'.
Notice: If a value doesn't exist, you have to create it. This is done in the right-hand window by right-clicking, selecting a new item from the menu that appears, and then choosing the appropriate data type. The left-hand window contains the keys, and the right-hand window contains the values and their data.

Open 'HKLM' (HKEY_LOCAL_MACHINE) and locate this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
Add the following DWORD value, MaxCachedSockets, and set it to '0'.

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
  • Value: MaxCachedSockets
  • Type: REG_DWORD
  • Content: 0 (disable)

Then locate this 'HKLM' key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Add the following DWORD value, SmbDeviceEnabled, and set its value to '0'.

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
  • Value: SmbDeviceEnabled
  • Type: DWORD value (REG_DWORD)
  • Content: 0 (disable)

Then locate this 'HKLM' key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\
Change the value of the string: ListenOnInternet from 'Y' to 'N'.

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\
  • Value: ListenOnInternet
  • Type: REG_SZ
  • Content: 'Y' (enable) or 'N' (disable)

Then locate this 'HKLM' key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Change the value of the string: EnableDCOM from 'Y' to 'N'

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
  • Value: EnableDCOM
  • Type: REG_SZ
  • Content: 'Y' (enable) or 'N' (disable)

Then locate this 'HKLM' key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
Edit the multi-string value DCOM Protocols and remove 'ncacn_ip_tcp'.
Notice: Be very careful, remove only 'ncacn_ip_tcp' from the value.

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
  • Value: DCOM Protocols
  • Type: REG_MULTI_SZ

Close the registry editor.
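The four scalar values above can also be written with reg.exe, which is part of Windows XP, and read back so you can see what actually landed in the registry. This is an added example, not from the original tutorial; the keys and values are exactly those listed above. The DCOM Protocols multi-string is only displayed, because its other entries differ from machine to machine and the page only asks for the one entry to be removed, which is best done in regedit.

```batch
@echo off
REM Added example, not from the original tutorial: apply the registry values
REM described above with reg.exe instead of clicking through regedit, then
REM query each one so the result is visible. Run from an Administrator account.

set DNS=HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
set NBT=HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
set RPC=HKLM\SYSTEM\CurrentControlSet\Services\RpcSs
set OLE=HKLM\SOFTWARE\Microsoft\Ole

REM Dnscache: MaxCachedSockets = 0 (REG_DWORD). /f overwrites without asking.
reg add %DNS% /v MaxCachedSockets /t REG_DWORD /d 0 /f
reg query %DNS% /v MaxCachedSockets

REM NetBT: SmbDeviceEnabled = 0 (REG_DWORD)
reg add %NBT% /v SmbDeviceEnabled /t REG_DWORD /d 0 /f
reg query %NBT% /v SmbDeviceEnabled

REM RpcSs: ListenOnInternet = N (REG_SZ)
reg add %RPC% /v ListenOnInternet /t REG_SZ /d N /f
reg query %RPC% /v ListenOnInternet

REM Ole: EnableDCOM = N (REG_SZ)
reg add %OLE% /v EnableDCOM /t REG_SZ /d N /f
reg query %OLE% /v EnableDCOM

REM "DCOM Protocols" is a REG_MULTI_SZ whose other entries differ per machine,
REM so it is only shown here; remove the ncacn_ip_tcp entry by hand in regedit.
reg query HKLM\SOFTWARE\Microsoft\Rpc /v "DCOM Protocols"
```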

Network Services & NetBIOS.

Activate the 'Control Panel' window again and open 'Network Connections' and right-click on your Internet connection (Usually 'Local Area Connection') and select 'Properties'.

  • Highlight and delete 'Client for Microsoft Networks'
  • Highlight and delete 'File And Printer Sharing For Microsoft Networks'.
  • Highlight 'Internet Protocol TCP/IP' and click 'Properties' –> 'Advanced' –> 'WINS' and do:
    1. Untick 'Enable LMHOSTS Lookup'.
    2. Set 'NetBIOS over TCP/IP' to disabled.
    3. Click 'OK' three times.

Repeat this section for each connection you have in 'Network Connections'.

NetBT.

After you have stopped some of the Services as described earlier, the NetBT driver can be stopped.
Notice: Do not stop the NetBT driver if you didn't stop the DHCP service! NetBT is required if you have a dynamic IP address and use DHCP (consult your Internet Service Provider (ISP) if you are unsure whether your IP address is dynamic or static). If NetBT is disabled, your PC won't be able to fetch an IP address from your ISP, hence you won't be able to get on-line.

Click 'Start' –> 'Run', type 'cmd' in the editbox and click 'OK'. In the DOS Window type the following two commands.

  1. net stop netbt
  2. sc config netbt start= disabled

Reboot.

Reboot your Computer and after the boot, click on 'Start' –> 'Run', type 'cmd' in the editbox and click 'OK'. In the DOS Window type 'netstat -ano' followed by Enter/Return. This will display your Network connections, and it should list no ports other than 1025 (Automatic Updates). Close the DOS Window and plug in your Modem/Network cable.

If you should happen to have any other ports open/listed whilst not connected to the Internet, then contact me and I will do my best to help you. Attach a screenshot of the DOS window that shows the results of 'netstat -ano', and one of your running processes with Process ID numbers (PID).
To get to the process list, press CTRL+ALT+DEL.

  1. Click 'TaskManager'.
  2. Click on the 'Processes' tab.
  3. Click on 'View' in the menu bar and click 'select columns'.
  4. Tick 'PID (Process Identifier)'.
  5. Click 'OK'
  6. Sort the window by PID.
  7. Tick the 'Show Processes from all users' before you take a screenshot.
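The 'netstat -ano' check and the PID matching against Task Manager described above can be done in one batch file. This is an added example, not from the original tutorial; it uses tasklist.exe (part of Windows XP Professional, not Home Edition, where you fall back to the Task Manager PID column) to name the program behind each PID and flags every listening TCP port other than the 1025 the text expects.

```batch
@echo off
REM Added example, not from the original tutorial: run the netstat -ano check
REM from the text and print the program behind every listening TCP port, so
REM the PID matching against Task Manager does not have to be done by eye.
REM tasklist.exe ships with Windows XP Professional, not with Home Edition.
setlocal

REM A netstat -ano line looks like this, and the tokens are
REM proto, local address, remote address, state, PID:
REM   TCP    0.0.0.0:1025    0.0.0.0:0    LISTENING    1040
for /f "tokens=2,5" %%A in ('netstat -ano ^| findstr LISTENING') do (
    call :report %%A %%B
)
echo.
echo UDP sockets have no LISTENING state, so check these by hand too:
netstat -ano | findstr UDP
goto :eof

:report
REM First argument is the local address, second is the PID.
set ADDR=%1
REM Drop everything up to and including the first colon: keep the port.
set PORT=%ADDR:*:=%
set IMAGE=unknown
REM tasklist /FO CSV prints "image","PID",... and the ~ strips the quotes.
for /f "tokens=1 delims=," %%N in ('tasklist /FI "PID eq %2" /FO CSV /NH') do (
    set IMAGE=%%~N
)
if "%PORT%"=="1025" (
    echo [expected] TCP %PORT%   PID %2   %IMAGE%
) else (
    echo [check]    TCP %PORT%   PID %2   %IMAGE%   not expected on a clean system
)
goto :eof
```

Run it with the network cable still unplugged, as the text says; every [check] line is a port and process worth explaining before you reconnect.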

Created by Jesper on July 15th 2002.
This page has been updated regularly ever since, and the last update was today :P
Comments and translations are welcome.