Closing the Barn Doors

Front Door - Login Password

During the install of XP you set the administrator's password and then later you specified the name of a userid to be created. Now it's time to set a password for the account that was created (why didn't Microsoft force you to set a password?). Click on Start, then Control Panel and then User Accounts. Pick your account (there will only be one valid choice, 'Guest' is disabled, leave it that way). Now you can 'Create a password'. I always use the password I chose for the administrator. Whatever password you choose, just don't make it too trivial.

Back Doors

Windows intentionally has dozens of ways some knowledgeable person can run programs on your machine without you ever inviting them in or even knowing it is going on. The document describes how to shut some of the doors.

In theory, if you are on an isolated and protected network (e.g. at home with a router preventing the bad guys from knocking), you do not need to close any 'doors'. However, I'll claim it is worth closing these doors anyway. You never know when something will fail or an infected laptop will join your network and attack your home machine. If you are using this guide for a laptop, you definitely should follow these instructions.

Note there are legitimate reasons to allow some of these things to exist. Many are provided for sophisticated things that might be used at your work place or to allow machines to talk to each other - to share data. Very few, if any, of these things apply to you at home. However, if you just blindly follow the instructions here, something you want might break, so caveat emptor.

The following applies only to people who have XP installed. If you do not have XP, don't do this, you won't like the result.

Everything here can be undone, but undoing these things (e.g. re-opening the barn door) is not for the faint of heart. The first step is to disable various 'services' provided by Microsoft:

• Messenger popup ads
• Telnet server
• Alerter
• Clipboard service
• Netdde
• RSVP
• Distributed link tracking
• Remote access
• NTLMSSP
• SharedAccess
• Administrative shares
• Universal Plug and Play

If you want to allow one of these, do not do the following, otherwise download and save the file WinXP-services.reg and then double click on it. If you don't know if you want these things, you probably don't. Ask your 'guru'. If you don't have a guru, then you don't need these and should apply the changes.

This next step sets 'policies' - rules to tell XP what to do when it gets network traffic. Our rules are:

• Block all NetBios access (only used in some corporate environments)
• Block your machine from SERVING web pages. This stops the bad buys from making your machine into a web server to serve porn or whatever. It does not prevent you from using a browser to look at other websites on the Net.
• Block your machine from serving VNC. This would allow your machine to be controlled remotely by someone on the Net.

Again, if you want to allow one of these, do not do the following. If you don't know anything about these things, you should probably follow these instructions. This is more clumsy to run because you must first get a tool from the XP CD that was not installed.

• Insert your XP install CD and find \Support\Tools\Setup.exe. Double click on this and it will install some tools the next step will need.

  XP has become so user friendly you may well not be able to see what's on the CD. If you get the XP screen that says What do you want to do?, click on Perform additional tasks, then click on Browse this CD, then find your way to Support\Tools and double click on setup.exe which begins an installation wizard. Take all the defaults, but be sure to install the 'Complete' package.

• After this install completes, download and save the file WinXP-policies.cmd and then double click on it.