Windows XP Pro(Home compatible) SP1 Remote Security Guide - Phase One

After massive security testing by the help of others on the AO community, and years of personal usage with XP, I have finally decided to sit down long enough and compose an in-depth guide to securing XP. I'm not talking about your typical "keep away the script kiddies" kind of security, but your Fort Knox meets NSA level of security. Seeing as how this one is geared towards securing it from remote intrusions and attacks, I will not be covering very much local based security, if at all. Perhaps someone can later convience me to compose a local security guide later on. Nonetheless, I hope you enjoy reading, and smile at least once. Why? Because this is every *nix/*BSD user's nightmare: That Windows may have a way to be as secure and as powerful as their favorite distros, and the public will know the little joke is up.

This guide will take you from a FRESH install of XP, to the high level of security I used during my recent XP security tests. Note that this is more intended for singular computer use (and possibly work office) and not for mission critical server usage. While yes, I encourage people to use XP for server usages, because it can handle it with the proper settings, a mission critical server requires a primary focus on the "Server" portion, rather than being evently distrubuted between server, desktop, and game machine. I have equal respect for each and every OS, and know that each and every OS can do everything every other OS can do. But when it comes down to mission critical servers, it isn't about bending tools to work, it's about how well they work. Windows XP as a *mission* critical server is not recommended because of latency issues, forced RAM on the GUI, and process handling meant for low latency on the GUI responcivness, instead of packet and server process stability handling.

Good for a normal, everyday server. Not good for mission critical. If you want mission critical, meet Solaris and OpenBSD. They are your best friends.


Phase one: Security beginning at the Installation level of Windows

Just like other Operating Systems, Windows does have a few choices to help give it some security on it's first bootup into the GUI. They are limited because the Windows XP installation requires little input, but things can be done. Note that I will not go through the entire installation process, but rather point out the areas in which are a point of security focus.

1. Partitioning configurations:

There are a few ways to partition Windows for security, and many *nix/*BSD users will recognize this as something similar to their own ways of partitioning. I will be speaking about the two ways I feel are the most secure. We are assuming Windows is the only OS on the harddrive.

NEWBIE NOTE: If you are dual-booting, then not only should you already know Windows XP should always be installed first anyways, but you also know to reserve space in the partitioning after this guide for the *nix/BSD area you will be installing.

A. - Two Partitions: A typical user setup

This places the Windows OS itself on one partition, while leaving you a second partition for the installation of other programs. This means that if one of your programs becomes infected, the chance of it fully crossing over on it's own is dropped a good degree, since it isn't just switching directories, but an entire partition. This also helps prevent against exploits found within your programs that could affect your computer and thus compromise your security. A two-partition setup is ideal for most typical users not running servers, since we are not focused on using a seperate partition to protect servers (see next part). If you are planning on hosting a server, skip below to the Three Partition Setup.

- For the first partition, set it to 4 Gigs. This will give you plenty of space for the entire Windows installation, as well as future upgrades and temp folder changes. Some Windows updates require 700 megs of space (SP2 will for example) for it to swap out files for backup, just in case you want to uninstall the update and return to the origonal files. This is a Good Thing®, as it gives you the option to unload a patch if all hell breaks loose.

- For the second partition, set it to as large as you want. This is where you install Adobe, Trillian, Gaim, and all other 3rd party programs that are not direct Windows OS components.

B. - Three Partitions: A typical user that runs a server on the side setup

This places the Windows OS itself on one partition, giving you a second partition for your servers (apache, SMTP, etc) and a 3rd partition for all other programs. This has the exact same benifits as above (read above, I won't retpye), with the extra benefit of having your servers running on a completely seperate partition. This means if they get cracked, the attacker still only has access to that partition and not your important primary OS partition. This also means that if someone DoSes and attempts to fillup that server, the partition itself will become flooded and not the primary OS partition. It is also a temporary defence against DoS attacks that involve Hard-disk processing. As the processor continually reads and writes to that server partition, your first and third partition won't feel the impact as much since they are, of course, seperate from the partition under heavy strain.

- For the first partition, set it to 4 Gigs. This will give you plenty of space for the entire Windows installation, as well as future upgrades and temp folder changes. Some Windows updates require 700 megs of space (SP2 will for example) for it to swap out files for backup, just in case you want to uninstall the update and return to the origonal files. This is a Good Thing®, as it gives you the option to unload a patch if all hell breaks loose.

- For the second partition, set it anywhere from 500MB to as high as you feel your server needs. I run a simple Apache server that hotlinks images for me, and quick files I leave open to my friends, thus I only need one Gig. However, research and preplan. You can of course resize this later using 3rd party software, but it is easier to get the hassle done with now. While my apache may only need 500MB, your MySQL+PHP+Apache+POP+SMTP may need 15Gigs depending upon what you plan on using it for.

- For the second partition, set it to as large as you want. This is where you install Adobe, Trillian, Gaim, and all other 3rd party programs that are not direct Windows OS components. This is where you, for those of you dual-booting later, need to keep in mind diskspace for your other OS.

C. - Post-partition setup: Of course, after following either the above A or B method, you are done with your partitioning. Remember to select Partition 1 as your primary partition, and press enter on it. No need to install it on the 2nd partition as it can make things go a bit quarky later on.


2.Formatting Choices:

The obvious choice is NTFS. Why? Allow me to explain the differences between FAT32 and NTFS:

FAT32: FAT stands for File Allocation Table. It also stands for another word : "omfgancientlikewhoa!!11". Traced back to the days of DOS as FAT16, Windows 95 SR-2 upgraded it to FAT32. In short, FAT16 had limitation concerning file size and disk size, which was an upcoming problem considering how large the harddrives were ending up in the hands of consumers. FAT32 allows larger volume sizes, allows longer filenames and larger cluster sizes than FAT16 did. FAT32 on Windows 2000/XP can only support up to 32GB, so we can see it simply wasn't meant for newer OSes and newer Hard drives. With little ability for permissioning trees and files, and lacking the ability to self compress or inherent encryption, it certainly doesn't scream "USE ME FOR SECURITY". However, FAT32 does have read and write support for most Linux kernels, whereas NTFS only has read support with minor write support in experimental(unsafe and testing) stages for Linux kernels. FAT32 is a nonjournaling filesystem, and this means that data is not continually written to the harddrive for safekeeping. You either press save, or it's gone for good if you suddenly reboot or lose power. That is a Bad Thing®

NTFS: NTFS stands for New Technology. NTFS is at it's heart, a journaling file system that will recognize errors and bad sections of a disk and try it's best to automagically correct them. With the jouranling in place, this also means it is continually indexing (saving) your working data just in case of a sudden reboot or power failure. This data is quite recoverable. NTFS supports file encryption, longer filenames, longer directory names, file encryption, auditing, file compression, and in-depth permission settings. It is also very ideal and capable of handling RAID and/or mirrors like a dream.

The reason should now be obvious. NTFS is simply newer with much more of a security/saftey focus in mind. It gives the administrator more control over the system itself, while giving the OS much more of an ability to adapt to the stressing needs a user can sometimes place on it (10gig sized files). Choose NTFS formatting for the primary partition and let it do it's thing.


3. Installation time - After the format, first reboot tips:

A. - When it asks for your name and organization, obviouslly do not give completely accurate information. This would apply even to workstations on an office workspace. Giving accurate information will only help an outside attacker gain information that could possibly lead to a security breach. Better safe than sorry. If company protocol has a problem with it, then get a new IT that can enforce positive security protocols to help keep the company's secrets and integrity safe, even it if means a one on one meeting with the B-O-S-S.

B. - Not but a few screens later, it will ask for the Administrator Password. I can not stress ENOUGH how important it is to create a secure and difficult password. Follow these few guidelines for a decently secure password:

1. Longer than 8 characters. Jack the ripper halts at 8, meaning anything beyond 8 characters and it doesn't have a clue what to do. Lophtlight may do more. If anyone knows more about this, LET ME KNOW)

2. Use both uppercase and lowercaster letters. This theoretically increases the time it takes for a brute force password cracker to go through the possibilities because there are twice as many letter combinations.

3. Use special characters such as : # @ $ _ : This once again increases password difficulty and the length of time it would take for an attacker to brute force yet another entire combination possibility.

4. A password isn't good if you can't remember it either. Make it something that sits in your mind. I'm not saying spell out exact words, but use the above rules to finish it out. An example could be:

@h0T_D0G@ : Uses 9 characters, and you just have to remember to use 0 instead of 'o', where the capital letters are, to use a _ between the words, and @ on either end.

Remember. A password can be rock solid, and a random password is even better. But a system is no good if even you can't get into it. So make it difficult according to the 3 rules provided above, while keeping in mind how best to combine them.

C. - When you reach the Network Settings Dialog, choose "Custom Settings" instead of Typical Settings. This will take you to a window that will allow us to begin basic security measures on our network security. Four choices:

"Client for Microsoft Networks" - is required for you to login, so leave it of course.

"File and Printer Sharing for Microsoft Networks" - this is up to you whether you leave it on or not. If you do not specifically USE file sharing or printing on your home network (if you have one), then turn it off (uncheck it). This is one less hole that would allow people to suddenly start "Sharing" your files from outside. If you do use File Sharing and Priting, oh well, leave it and we can secure that as much as possible later with a firewall.

"QoS packet Scheduler" - Leave this turned on. And here is why: QoS helps manage bandwidth usage between programs for optimum system preformance, while balancing bandwidth usage to the programs that are calling for it the most. For example: Let's say you are running Gaim and Apache, and someone suddenly starts launching a massive SYN attack against your box. QoS catches the change in system preformance, notices which applications are being called upon the most and which applications are demanding more bandwidth in order to keep the system from slowing down. In this case, it would prioritize Apache because it is already running as a service, which would end up with gaim disconnected because of low ping times, but Apache running as smooth as possible, and thus keeping the system preformance as high as possible because it is allowing the computer more bandwidth to respond to the SYN flood. I have seen very little documentation as to how this works on a deeper level, but all tests I have run against it, it preforms in the exact manner I have just described below. And the difference is signifigant when tested with QoS turned off.

"Internet Protocol(TCP/IP)" - This is requires for internet usage, period, so leave it enabled. However, we can fine tune some security on it right now. Highlight it with one click of your mouse, and then choose the "Properties" button. From here, don't worry about this part, as automatic is another Good Thing® for IP detection on DHCP computers. Worry more about clicking on the "Advanced" button. Once in the new window, go straight to the WINS tab. Now, if you are not on a home network, or your network is not using the NetBIOS protocol, then uncheck the "Enable LMHOSTS loopup", and set "NetBIOS settings" to "Disable NetBIOS over TCP/IP". Remember this is only if you are not on a home network using the NetBIOS protocol! Leave both settings as they were origonally if you are! From here click options, and then click the "Properties Button". Notice here we have a very limited TCP/IP filtering configuration window. While there is no need for this on a typical installation (a firewall works much better), there may be a time when you need to allow a default Windows XP to ONLY allow certain protocols or ports. Now you know. Click okay to all windows to close them off.

D. - Choosing a Workgroup name: This is a touchy subject, as some ITs simply refuse the future hassle and configuration this may have on their work schedual. However, it's a quick fix, and as long as the change is kept in mind there is very little to worry about. By changing your Workgroup name to something other than WORKGROUP, you eliminate yourself from someone attempting to emulate a WORKGROUP connection to you, and thus seeing you on the WORKGROUP. For use on a large scale network, simply remember to jot down the change of name you made here for future configuration and reference. No need to worry about secure WORKGROUP names, as any name is as good as the next.


4. Pre-Post-Installation time - After the GUI configurations, second reboot tips:

This is the section where it reboots and pulls you into the interactive interface for final OS installation configurations. It is quite simple here, just read the directions and do as nessessary. Nothing special we can do for security changes. Some XP versions not only ask for an additional, non administrator username, but a password for that username. No worries, just follow the same guidelines as we mentioned above for passwords. Keep it just as strong (but not the same password), since this account being created will also have Administrative abilities.


And this ends the first part of my Windows XP security tutorial. I will be writing them as quickly as possible so people who want to get into a secure XP system can do so. I thank you for reading, having an open mind, and a willingness to learn. If you have any comments, suggestions for improvements, or flames, please let me know. Also, if you are finding it difficult to read, let me know. I want to make this easy on the eyes, so people can worry more about reading than *trying* to read it.