SecurityResources.Org
One-stop resource for all types of security needs from data to bioterrorism
Home

Microsoft Windows XP Updates, Patches and Security Settings

Windows XP behaves very much like Windows 2000, which is considerably better than WinME, Win98 and previous versions, both for security and reliability.

Luckily, hfnetchk can run on XP just as it can on NT 4.0 and 2000.

For security tools, please see HfNetChk and CIS. Proceed to the recovery page for XP-related downloads.

From Mary Landesman, Your Guide to Antivirus Software.

August 24, 2004

Automatic update or automatic curse?
Starting August 25th, XP users who have automatic update enabled will be force-fed Windows XP SP2. Because XP SP2 is incompatible with a wide range of antivirus and security software, the end result may be systems that are no longer protected. And XP SP2's firewall is inbound-only, hence the loss of protection can be even more severe for some users. Corporations will also face a difficult time as their employees will doubtless become unwitting beta testers who may now find themselves with internal applications that simply won't work with this 'patch' that can better be described as an operating system overhaul. Those who wish to avoid the automatic download may wish to disable Automatic Update. To do so, right-click the My Computer icon on the desktop, choose Properties, select the Automatic Update tab, then select Turn Off Automatic Updates, click Apply, and then click OK.

Security Overview: Windows 2000

When properly patched and configured, Windows 2000 provides satisfactory security, and the steps necessary to secure it are not too complicated. The operating system is commonly available in both "Server" and "Professional" editions. We strongly recommend the Professional version. Why? A default installation of Windows 2000 Server will immediately leave you open to full remote compromise! By now, everyone has at least heard of the 'Code Red' worm and the 'Nimda' worm. Both were severely fueled by the massive number of default-installation Win2k Server systems on the Internet. Please do not install 2000 Server if you do not know how to disable IIS. A recent wave of Windows compromises has proven that hackers are well aware of their ability to break into systems with weak Windows passwords. Don't forget to set a password of at least 7 characters containing both numbers and letters. When setting up a fresh system, don't forget to check out our recovery page for 2000-related downloads. HfNetChk and CIS are available for patching.

Windows 2000 Configuration Changes:

  1. Services:
    1. Under Start menu, go to Settings, and click Control Panel
    2. Doubleclick Administrative Tools
    3. Doubleclick Services
    4. Disable IIS: Scroll down in the alphabetical list, and find these two items: IIS, and WWW Web Publishing
    5. On each, doubleclick the item, and change "Startup Type" to Disabled
    6. Disable Telnetd: Scroll down to Telnet in the list, and perform step five
  2. Change Passwords:
    1. Under Start menu, go to Settings, and click Control Panel
    2. Doubleclick Administrative Tools
    3. Doubleclick Computer Management
    4. On the left, uncollapse the "Local Users and Groups" item, click once on "Users"
    5. On the right, you will see a list of the users on your machine. Right click each user, Set Password
    6. Your passwords should be at least seven characters, and contain letters and numbers

Security Overview: Windows NT

There isn't much to say about NT. The same major IIS security precaution applies to NT just as it does to Windows 2000. By now, everyone has at least heard of the 'Code Red' worm and the 'Nimda' worm. These worms are both able to spread through unpatched IIS daemons running on NT machines. Make sure that IIS is not running unless you need it. For patch installation and NT-related downloads, please see our recovery webpage. HfNetChk and CIS are available for patch checking.

NT Configuration Changes:

  1. Services:
    1. Under Start menu, go to Settings, and click Control Panel
    2. Doubleclick Services
    3. Disable IIS: Scroll down in the alphabetical list, and find these two items: IIS, and WWW Web Publishing
    4. On each, doubleclick the item, and change "Startup Type" to Disabled
    5. Disable Telnetd: Scroll down to Telnet in the list, and perform step four
  2. Change Passwords:
    1. Under Programs menu, go to Administrative Tools (Common), and click User Manager
    2. On the top, select a user by clicking once on its name
    3. In the "User" menu, select "Properties".
    4. Your passwords should be at least seven characters, and contain letters and numbers
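The two configuration checklists above (Windows 2000 and NT) both come down to the same two changes: stop IIS and Telnet from starting, and enforce a minimum password length. The script below is an added example, written for this page rather than taken from SecurityResources.Org, that applies and verifies those changes from a PowerShell prompt instead of clicking through the Services console. It assumes the standard Windows service short names IISADMIN (IIS Admin Service), W3SVC (World Wide Web Publishing Service) and TlntSvr (Telnet), and an administrator session; the letters-and-digits rule is checked locally because `net accounts` can only enforce length.

```powershell
# Added example (not the page's own code): apply the "Services" and "Change Passwords"
# checklist items for Windows 2000 / NT from PowerShell and report the result.
# Assumed service short names: IISADMIN, W3SVC, TlntSvr. Run as an administrator.

$ServicesToDisable = @('IISADMIN', 'W3SVC', 'TlntSvr')

function Get-RiskyServiceState {
    # Report whether each listed service is installed, running, and how it starts.
    param([string[]]$Names = $ServicesToDisable)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            # Not installed (e.g. IIS was never added): nothing to disable.
            [pscustomobject]@{ Name = $name; Installed = $false; Status = 'n/a'; StartType = 'n/a' }
            continue
        }
        # ServiceController.StartType exists on PowerShell 5+; fall back to WMI on older hosts.
        $startType = $svc.StartType
        if (-not $startType) {
            $startType = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
        }
        [pscustomobject]@{ Name = $name; Installed = $true; Status = $svc.Status; StartType = $startType }
    }
}

function Disable-RiskyService {
    # Same effect as opening each service and setting "Startup Type" to Disabled,
    # plus stopping it if it is currently running. -WhatIf previews without changing.
    param([string[]]$Names = $ServicesToDisable, [switch]$WhatIf)
    foreach ($entry in Get-RiskyServiceState -Names $Names) {
        if (-not $entry.Installed) { continue }
        if ($entry.Status -eq 'Running') {
            Stop-Service -Name $entry.Name -Force -WhatIf:$WhatIf
        }
        Set-Service -Name $entry.Name -StartupType Disabled -WhatIf:$WhatIf
    }
}

function Test-PasswordPolicy {
    # Local check of the page's rule: at least seven characters, with letters and digits.
    param([Parameter(Mandatory = $true)][string]$Candidate)
    return ($Candidate.Length -ge 7) -and
           ($Candidate -match '[A-Za-z]') -and
           ($Candidate -match '\d')
}

function Set-MinimumPasswordLength {
    # Enforce the length half of the rule machine-wide; "net accounts" exists on NT, 2000 and XP.
    # The letters-and-digits half is the "complexity requirements" setting in Local
    # Security Policy (or the check above); it cannot be set with net accounts.
    param([int]$Length = 7)
    & net accounts /minpwlen:$Length
}

# Report before, change, report after.
Get-RiskyServiceState | Format-Table -AutoSize
Disable-RiskyService
Get-RiskyServiceState | Format-Table -AutoSize
Set-MinimumPasswordLength -Length 7
```

Run `Disable-RiskyService -WhatIf` first to see which services would be stopped and disabled on a given box; a service that reports `Installed = $false` needs no action, which is the normal result on a Professional install where IIS was never added.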

Windows 98/ME: Overview

Although Windows 98 and Millennium Edition are both very inconvenient for a networked environment, their security is satisfactory. Nevertheless, we advise everyone who can to upgrade to Windows 2000. Keep in mind that Windows 2000 is not compatible with all hardware configurations. Please contact your hardware vendor for more information. Unfortunately HfNetChk does not run on this platform, so you need to stick with Windows Update and an updated browser.

98/ME Patching:

  1. Windows Update:
    1. Under the Start menu, click Windows Update (an IE window opens)
    2. On the left, click "Product Updates" (a rectangular window opens)
    3. The "Critical Updates Package" should already be checkmarked.
    4. On the top right, click the big blue "Download" button.
    5. Click the big blue "Start Download" button.
    6. Follow through the remaining license agreements and installation questions.
    7. When prompted to reboot, do so.
  2. Upgrade Internet Explorer!

Security Overview: IIS

Internet Information Services (IIS) contains the Windows web service that allows you to publish information for the Internet or your department.

With its severely spotty security record, IIS needs to be watched very carefully. Decide cautiously whether or not it is necessary to install it. Windows 2000 Server installs and runs it by default. (This is why it made such a good candidate for the Code Red and Nimda worms.) We recommend looking at the Apache Software Foundation HTTP daemon, whose security record is much better than that of IIS. There is a version for NT 4.0, 2000, and XP. Apache security issues are generally minor and infrequent. Below are links to webpages containing security and proper configuration information regarding IIS.

Stanford IIS Checklist
Microsoft IIS Lockdown Tool
eEye "Secure IIS"
CIS Benchmarking Tool
Users are encouraged to evaluate the Apache Web Server for Windows.

FYI: A MedIT systems administrator was once setting up a new Windows 2000 server. He installed the operating system, and then left for lunch figuring it was a good time to take a break. Upon his return, he realized the machine had already been infected with the Code Red worm. Moral of the story: Know your software. Be aware of the security holes in your services, and how quickly they can be compromised.

Security Auditing Tools

HfNetChk: HfNetChk is a tool written by Shavlik Technologies which checks for the presence of service packs and hotfixes for the NT/2000 operating system, Microsoft SQL Server, Microsoft IIS server, and Microsoft Internet Explorer. It will NOT tell you of vulnerabilities found in other services running on your computer, nor will it audit the safety of your passwords. We highly recommend the use of this tool to all administrators and users who run Windows XP, 2000, or NT on server or desktop machines. Please go here for directions to installation and use of this tool.

CIS Benchmark: CIS is a tool supplied by the Center for Internet Security. Its function is to rate your computer's security on a scale of 1 to 10 (ten being the best). It runs the same check which HfNetChk does, and then also determines the status of various other settings in your operating system. Resources on the CIS website are supplied to instruct you on patching your computer to obtain a higher score.

Service Packs

Links to service packs for Windows XP, 2000, and NT can be found at the Microsoft download page, or at the recovery page.
Copyright © 2005 Benivia, LLC Email: email us at Feedback at securityresources dot org Last modified: 04/28/06