Dude, I've seen your posts on here, and they are all basically asking the same thing. Now, I admit, the first one we kind of took as a joke since you had a TIME LINE on it... Which, we are NOT going to just adhere to.
But this one, I'll go into some detail for you, since you aren't basically saying you want the info by a certain date, and you seem to genuinely just want to learn as much as you can, to lock down what you have, the best you can. And I can respect that.
Luckily for you, unlike the last time, I'm currently NOT in Excruciating Pain because of my back and shoulder and wrist and knee and Arthritis, and thanks to a bunch of Hydrocodone, Two Fentanyl Patches, and some Opana, I'm actually able to concentrate. (This has nothing to do with your post, but if I explain what it takes for me to not be in excruciating pain, it may help everyone understand why I'm in a bad mood sometimes. Anyone who was in THAT much pain, would NOT be chipper....And yes, I do in fact realize, that mixing all those with Hydromorphone, would kill most people. I'm not most people, and the amount of pain I'm in on a daily basis, makes it where I don't even get a buzz from all this stuff mixed together... The fact I don't get all stoned off ALL of that, should give you an idea of how much pain I'm actually in, and it's chronic, and therefore, doesn't go away ever.).
Now, with explanations out of the way, let's get started:
OK, first off, I understand you're using Windows XP, Service Pack 3.
I can NOT stress enough, how badly you need to upgrade, or change OSs period. I used to have to sit and listen to people go on and on about how Windows XP could be totally locked down to a point of good security.
Those are the same people, of course, who, if they were to do a fresh installation of it, would be infected like a cheap hooker LONG before they finished installing Patches to stop that **** from happening in the first place.
You on the other hand said you have a CD or something, where you've got Security Patches on the Disc itself, so when you install, you already have some patches. I don't know the number of them you have, but I don't think you'd manage to fit them ALL on CD.
So first, I think we should go into the Operating System itself, and start there:
Windows XP, no matter what edition, is insecure as hell. I know, I know, I'm gonna get flamed by people saying that I'm only saying that because I'm a Unix Elitist. That may in fact be true, but it is NOT the reason I'm saying it.
Windows XP... Let's begin from the start of a typical installation:
You pop the CD in, install it, and, then, when it finishes, you have a Windows Admin Account that AUTO LOGS YOU IN WITHOUT A PASSWORD! Bad idea, but, not my point, so we'll keep going:
Say you have a Computer running Windows XP, and you need to re-install the OS. How can you protect yourself in the time it takes to install patches, and your Anti Virus, and your Spybot, and all that, BEFORE the 15 minutes or so it's gonna take before you're back doored like a Back Street Boys back up dancer?
I used to use Windows XP all the time; I had it on my Laptop, which is what it came with, and, I used it on two of my Desktops, which I dual booted with other OSs.
Now, once the install is finished, one thing you can try, is what I used to personally do, to try and protect that thing from being back doored right away, or infected with some annoyance:
Hardware Firewall! Or, Better yet, a "Hardware Security Device". I really don't know JUST how good these things really are, because they may work great, but they may also not work well at all.
There are a bunch of them on the Market, and a lot of them don't cost much at all. I have one here, which is this:
"D-LINK DSD-150" and the box says "Total Network Security" and "Secure Spot total Network Security by D-LINK".
All in one Internet Security for 1 - 4 Computers. Internet Security Adapter. Single Application :
-Virus Protection
-Identity Protection
-Parental Controls
-Firewall Protection
-Pop up Blocker
-SPAM Blocker
-Spyware Protection
-Network Reporting
The box also states - "Protects your Network from Viruses, Worms, and other online Security Threats" and "Prevents your child from downloading and installing unwanted Applications" and "Provides an easy to use Web Based Control Panel for Set Up".
These used to cost like $100.00, but my Wife and I both saw this, and grabbed one for us, and my Mom, and they were 20.00 when we got it. I figured if nothing else; It was a new piece of Network Hardware to play with.
This is one way of course you can go about trying to protect your machine while you're installing updates and patches.
See, Windows XP, from a fresh installation, is going to have a LOT of updates. And considering it only really comes with Internet Explorer, Word Pad, Windows Media Player, and a few other things, that's actually a lot.
Back in the day, on AntiOnline, people used to argue with me ALL the time how "Well, a fresh install of Linux has this many security patches, and Windows XP has this many"... They were idiots though, because a FULL install of any Linux distro, especially if you're talking about Debian, or SUSE, has like 20,000 + Applications it comes with!
And they also don't look at what TYPE of Patches and Security holes are being plugged.... If SUSE has 200 Patches (I'm just making up a number there) but they're all just bug fixes or local exploits only, and Windows has 100, but they're all things where the Computer can be "taken over" then it stands to reason, that first off, with Linux you don't have to reboot for patches unless you patch the Kernel itself... Almost EVERY update on Windows, requires you to reboot.
So, for a Fresh Installation of Windows XP, you have SOME Options to prevent the machine from getting infected BEFORE you've had a chance to lock it down.
I personally like Hardware based stuff. I mean software Firewalls, and software Packet Filters work and all that, but I like HARDWARE Firewalls and Packet Filters. And it's not like they have to cost a lot. You can go to a Computer Group in your area and get OLD ass 486 Computers, which are REALLY old, and can't run Microsoft based stuff from today, and take that thing, install FreeBSD, Slackware Linux, or, another BSD based OS, and use it as a Firewall, Router, or both. And it won't cost anything in Software, and the 486 will probably cost you 20 dollars.
So that's one way.
The main issue, is that you have to actually manage to install Security Patches and fixes from Microsoft, and a lot of them not only require a reboot, some of them, won't let you download ANYTHING but THAT patch, and nothing else, so this is how it goes:
Run Windows Update, select patches, install, reboot.
Windows Update again, select a Patch, which then says it has to be installed by itself.... Install, REBOOT.
Run Windows Update, select as many as you can, install, REBOOT.
Run Windows Update, and continue this vicious circle....
Eventually, you see the end of the tunnel, and there's only one or two more left! You run Windows Update, install them, Reboot, and run it once more, seeing that NOW YOU HAVE TO INSTALL 10 MORE because they have to patch the patch they screwed up in the first place!
I've seen this before and I can't even count how many times.... I run Windows Update for my Mom, and see there's only ONE more left. I then install it, reboot, and BANG! There's now 10 more patches, because you have to install patches, then, the others show up, AFTER you install certain ones, because they THEN have to release a patch to fix the patch they released before, because it breaks something else, all for a patch they shouldn't have had to release in the first place because it's something so stupid you can't Believe they even missed it in the first place, but they did, so, you have to install a patch that breaks something, THEN install another patch, to fix what they broke when they tried fixing what was already broken.
This is why I don't respect almost anyone who uses Windows as a Server. I don't give a damn about having to reboot for a Patch to my Kernel, but having to reboot because of a ****ing Media Player that shouldn't even SHIP with a Server based OS.... WOW..
Can you imagine having to have the balls to tell a customer "Yes sir, you should install this patch, because the Windows Media Player, which has NO USE on a SERVER OPERATING SYSTEM could allow people to exploit it and get into your machine..."
WOW that would take some balls.
I installed Windows Server 2003 Enterprise Edition on a machine, because I wanted to see how it looked and worked. To my utter ****ing HORROR, I saw Windows Media Player patches in Windows Update, and I thought to myself "Who the **** would put a MEDIA PLAYER in a SERVER?????" And then, again, to my utter Horror, I saw that I had to REBOOT for this stupid patch.
I'm not going to sit here and say Windows has no place, I won't do that. On the Desktop, it works well enough for most people, and they are getting Better. Windows 7 is a GREAT step forward for Microsoft. But Windows Server OSs, are a joke.
So, with that said, can you get yourself a hardware Firewall? Or, can you get yourself a 386 or 486? Because basically, not only can FreeBSD and Slackware both work on a 486, but, you can always choose to grab a 386, and just use an older yet still supported version of either.
Also, FreeBSD has a custom version made JUST for Firewalls.
http://www.pfsense.org/
http://m0n0.ch/wall/
As you can see from this, you have options if you have the spare hardware. I know of a few people who will find a Pentium based PC (Basically, a 100 MHz Processor machine with like 8 MBs of RAM) and they then, install FreeBSD on it, and set it up as a router and Firewall.
With FreeBSD, you can REALLY cut this thing down to almost nothing, with relative ease I might add, and basically, make it so that you only install the Software you actually need to run this thing, and during an installation of FreeBSD, it actually asks you if you'd like it to be a Gateway, and other stuff like that, and, of course, if you'd like to start the services to do this. So it's actually quite simple. And it won't cost you NEARLY what it would for a REAL hardware Firewall.
And because you'll have such a bare bones system, updating it and installing Patches is simple; There aren't that many you'd need. And of course; Because it's FreeBSD, installing extra stuff you need LATER, is a breeze.
So, for the fresh install problem, I'd say this is one way to go.
I myself keep two hardware parts in front of all my machines, and that allows me to get things patched before anything gets in.
Then, there's the part where you've now installed the OS, and have some patches installed, but, what do you do? Should you install patches first?
Well, I personally keep a CD around for this sort of thing; I basically grabbed a bunch of software, like Spybot, and AVG, and a couple other things I know I want installed quickly, and, because of the fact that you can get 7-Zip totally Free of Charge, and, put the installer on CD, you can make an Archive, and Compress it, and fit WAY more.
PeaZIP, TugZIP, and any other 7-Zip based product, which are all free I might add, have Compression that makes the ZIP Software from other companies, look like crap.
I can Copy all the files I want to back up, and stick them in a directory, and then Compress that directory, and have it about half the size it normally is. And you can do better than that too!
So, I take my CD, install Spybot, update it, and then, I use the Immunization feature, assuring my Web Browsers are safer, and of course, there's Teapot to watch over the System, which also puts another step in your journey to security.
A lot of people I know, think Security is a Program, or a couple Programs, and that's simply not true; It's a PROCESS. You can't lock down every machine every time the right way; You'll eventually have time constraints that don't allow this.
Now, what can YOU do?
Well, I'm not the only one who's told you that XP is NOT the best choice. I don't know what your financial situation is, but if you can, do this:
Upgrade to Windows 7 ASAP. Windows 7 is one of the best OSs Microsoft has ever come out with. I HIGHLY recommend you do this ASAP.
If you currently cannot afford to do this, maybe switch to something else. Do you HAVE to use Windows XP? Is there something stopping you from using another OS?
FreeBSD isn't exactly known for being newbie friendly, so I won't tell you to run out and do that; Not knowing a thing about Unix, will possibly backfire.
But there IS something called PC-BSD! THIS is an OS that is VERY easy to use, and doesn't expect you to know anything! So you may want to look into PC-BSD:
http://www.pcbsd.org/ <-- That's the main PC-BSD Web Site. You can learn more about it, and start looking into it. It's BSD, so you know it can be easily locked down, and the Installation, is VERY easy. Easier than Windows even. It's a GUI based installer, and it's a nice one.
http://www.pcbsd.org/pcbsd <---- This is more or less a way to look at what it can do based on your needs.
http://www.pcbsd.org/documentation <--- That's the Documentation section.
http://www.pcbsd.org/about <---- This is where you can find more info about it.
http://en.wikipedia.org/wiki/PC-BSD <--- Again, more information.
http://distrowatch.com/table.php?distribution=pcbsd <---- This is a good place to look as well, because it not only has info about it, but, there are links to reviews and other stuff.
After reading your other post, and seeing that you used to work on Solaris, I think you'll like BSD even more.
Anyway, basically, everything you asked about, can in fact happen. Encryption can be broken. I mean, back in the day, it was pretty much something not well known from what I understand, and Admins were finding out the hard way that you could download a password file, and basically crack the encryption without much effort.
Before I make this post into a 300 page book, I'll just ask:
Do you have any plans for upgrades?
What are your current needs for the Operating System?
Is there something that keeps you on Windows XP?
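
An added example, not part of the original post: a minimal FreeBSD gateway configuration of the kind the post describes, placed in front of a freshly installed XP machine so that nothing unsolicited reaches it while it is being patched. The interface names (em0, em1) and the 192.168.10.2 address are assumptions made up for illustration.

```conf
# --- /etc/rc.conf additions on the FreeBSD box ---
gateway_enable="YES"      # forward packets between the two NICs
pf_enable="YES"           # load the pf packet filter at boot
pf_rules="/etc/pf.conf"
pflog_enable="YES"        # keep a log of what "block log" drops

# --- /etc/pf.conf ---
# Assumptions: em0 faces the modem, em1 faces the XP machine,
# and 192.168.10.2 is a constructed address for the XP machine.
ext_if  = "em0"
int_if  = "em1"
xp_host = "192.168.10.2"

set skip on lo0
scrub in all

# Hide the LAN behind the gateway's external address.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# Default deny in both directions; log whatever gets dropped.
block log all

# While patching, the XP machine may only do DNS and web traffic,
# which is enough for Windows Update and downloading installers.
pass in on $int_if inet proto { tcp, udp } from $xp_host to any port 53
pass in on $int_if inet proto tcp from $xp_host to any port { 80, 443 }

# Let that approved traffic leave; replies return through pf's state table.
pass out on $ext_if inet all

# No "pass in on $ext_if" rule exists, so nothing unsolicited from the
# Internet reaches the XP machine or the gateway itself.
```

Running `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -sr` lists the rules that are active once pf is enabled.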