Slashdot Mirror
How To Avoid Viruses At Windows Install Time?
reallocate writes "Can a home user install and update Windows without being attacked by a virus or worm? I'm a Linux user; have been since 1995. Recently, I needed to install Windows XP Pro on a home desktop machine with a Roadrunner cable connection. I tried twice. Both times, the machine was attacked and rendered unusable before I was able to pull down the first update from Windows Update." Read on for more details of what went wrong and when.
Here's a synopsis of my install method:
- Put the Windows XP CD in the drive;
- Disconnect the cable modem from the network card;
- Reboot and install Windows;
- The box remains off the net during the entire install: no registering, no setting up an ISP, no activation, no network configuration, no nothing. (BTW, the only networking component that I install is tcp/ip. All the other MS stuff never gets on the machine.)
- Reboot; Windows runs and all is well;
- Install the current version of Norton Internet Security Professional from a shrinkwrapped CD (firewall, anti-virus, etc.);
- Configure the Roadrunner net connection and reboot to pick up a DHCP lease;
- Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
- Complete the Norton update and reboot;
- Launch Windows Update;
- Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.
That's as far I got. During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down). On the second attempt, I got as far as Windows Update and SP1(continual rebooting).
So...how would you do it?"
You can get a cd from microsoft(more info here that would have a lot of the updates you are looking for. You could also download it from your linux machine, and then do the whole installation offline.
When I install Windows it is behind a NAT firewall which helps (no open ports from the outside). The first thing I do is install SP1 from CD, next I update from Windows Update.
I recommend downloading SP1 and burning it in Linux, then using that CD to patch up the Windows box before connecting it to the network.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
Do the installation behind a personal NAT/firewall device.
(Or, read all the posts about how you can put together some huge, convoluted update CD that's never completely up-to-date instead of just spending $35 on a little hardware firewall.)
Leave the software firewall turned on if you can, if not, get a cheap Linksys Cable/DSL router, it will block all of those viruses.
:P
I have to reinstall most of my family's computers when I go home, I made all of them have routers.
-Bill
-Bill
Keep the firewalling on, no matter what Microsoft says. I've never had an instance where having a firewall turned on kept windowsupdate from working properly.
We do this all the time where I work.
Use another machine to burn a copy of the latest service pack, and the Sasser worm fix, and whatever other updates you want to include.
After installing, install the updates from the CD, then check windows update for anything else.
With LOVE.
Yes, a firewall and/or NAT is all you really need. Evidently Norton Internet Security did not live up to its promise, which comes as little surprise to me, I must admit.
I've had success installing Windows XP and upgrading it with only Microsoft's Internet Connection Firewall enabled.
What about a router/firewall?
How do you get these worms? This sounds incredulous...
Small potatoes make the steak look bigger.
Why don't people pay ~30$ for a router with built in firewall? Even if one got only one PC connected to it it's worth it. No worries about worms or hacks.
Well a good way of going about this would be to download the updates from microsoft. They do provide them in binary format which you can install without having to goto the windows update site. I got a XP box as well and I do not even try to connect it to any network before I have patched all I can. Plus a firewall between you and your connection would help as well while at it :) Trying running a gateway using FreeBSD or your fav *nix OS and that would get you well on your way.
Havin' it large, livin' the life, Welcome to the land of the rising sun.
...all firewalls are turned off.
Why don't you try turning the firewall on? It will block the RPC calls that are necessary to infect your machine with the most recent series of worms and allow you to install whatever patches are necessary worry free.
Plus, it just makes your PC safer in general.
Duh.
Perhaps also turning on the firewall just actually might work. Windows is targeted for the average Joe. Microsoft doesn't want to have to incur the support costs of explaining to average Joe how firewalls work, so they suggest you keep it off.
If you've really been using Linux that long, you'd have a clue. Really, this submission just sounds like a troll...
It seems more likely you have a dodgy connection or overheat problem than a virus there. Did you detect a virus with Norton or are the shutdowns/reboots all you base this on?
Comment removed based on user account deletion
Barring the fact that I don't believe you when you say that you get viruses over the 20 minutes that it takes to download and install the patches, the fix is simple: get some sort of router/firewall combo, or install a soft firewall before doing the update.
Alternatively, shut down all the services so that you have nothing listening, but if you're too lazy to do that, go out and spend $40 on a Netgear router and voila, you're safe from that crap.
So the WORST case scenario is that you don't actually succeed in getting Windows installed? Man, talk about a win-win situation!
Even better, I would get a hardware firewall, so that none of the ports that worms travel through are even open.
Basic security from automated attacks isn't particularly hard, you know. Why is this even on slashdot?
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Download the SP1 Network install before beginning your XP installation. Stick it on a CD or a Samba share and install it prior to connecting to the Internet.
"We can't solve problems by using the same kind of thinking we used when we created them."
This solution seems so obvious to me that I wonder why you even bothered to ask. With your apparent technical knowledge, surely you must've thought of this. I'm inclined to think this question was just a veiled way to start an article bashing Microsoft about all the worms affecting their system.
1. Install behind hardware firewall.
2. Submit article to Slashdot that amounts to a backhanded slam against XP disguised as a question from somebody who is a novice.
3. Watch the flames on a wasted sunday night.
All you need for a home installation is a NAT firewall connected to your cable modem/dsl. As long as your firewall is properly configured and no other computer on your NAT network is infected, you should be okay.
Just turn on the internal XP firewall (Network Properties -> -> Properties -> Advanced) before you connect to the net. You'll be safe long enough to get SP1/Kerio/etc all downloaded and installed.
When I'm forced to build an XP box on an unsecured network, I leave it offline until the install is done, enable the integrated windows firewall, plug the CAT 5 in, and fetch the updates. The built in firewall is typically good enough to fend off blaster, nachi, etc. After that, I install antivirus then Zone Alarm and disable the integrated firewall. Whenever possible, run behind a hardware firewall and you won't have this problem.
If you have another windows XP box, you can use the corporate windows update to download all the patches and service packs to CD and update the system offline.
FYI, if you do get infected, running "shutdown -a" from the command dialog (windows+R) will abort the 1-minute shutdown timer.
Urgo: "I want to live. I want to experience the universe and I want to eat pie!"
Jack: "Who doesn't??"
As of now I have performed only a couple reinstalls in the past couple years but never have had an incident of getting "owned" before installing my patches. I have a Netgear MR314 router that I make sure to turn all port forwarding off before putting a "naked" box on the network. Sure, it isn't fool proof and I would not consider it a firewall, but the nature of NAT does a sufficient job of blocking unrequested packets from coming in. After Windows installs I turn of superfluous services (such as messenger), install anti virus software from cd, plug in the network connection and then update that and Windows.
Of course if your problem is most hardware routers will not work with your ISP, then this tactic is not going to work well.
I can't believe nobody's posted this yet!
Autopatcher
AutoPatcher was started in October of 2003. It was started by Jason Kelley and was a simple batch program that would install many updates silently. Upon reaching version 2.65, Jason was contacted by Antonis Kaladis, who offered to help make a VB front-end for the program. And thus, the current incarnation of AutoPatcher was born.
Not only does it install all your Windows updates with just one reboot, it can also (optionally) install many other programs such as the Windows XP Powertoys, IESpell, etc. There's even some registry config options such as increasing the max connections per server (IE) to something greater than 2.
pretty smart worms if they can find your connection in the twenty minutes it takes before you can patch. I don't disbelieve the author, but it does seem like a match to start a Microsoft bashfest when it seems more like a case of significantly bad luck to me. I run XP and I've installed and reinstalled XP on numerous machines both NAT routed and otherwise and never had a virus problem before I could patch. -- M
I'm putting XP on my laptop next to me right now actually. I think it is pretty safe because a) it is connected to the net using NAT, not directly to the modem and b) I slipstreamed SP1 into my XP CD, so that when I install it I'm already at SP1 level. See here for instructions (that's win2k, but same for winxp of course). And I dunno why you'd bother with Norton Anything quite frankly. Maybe you can just buy a cheap router doing NAT and put it between the modem and computer while you get updates.
Like others have mentioned, use a Router (eg. from Linksys, DLink, Netgear) as firewall or get FREE Zonealarm firewall or just turn WinXP's firewall on. You need a firewall or use another box (e.g Linux) as proxy to connect to web.
Windows XP: Surviving the First Day
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
Here is a fairly comprehensive guide, aptly named: Windows XP: Surviving the First Day
That's not true, a worm needs no user intervention in order to infect a computer. Think Sasser .
sasser exploits a vulnerability in lsass.exe, which listens on 445. Some software firewalls leave this open, as it is required for Active Directory logins under some circumstances. If you do that and then go straight to windows update you should be fine.
I have people do this all the time without any problems. I have the WinXP firewall enabled then connect and go to windows update. No one has an issue doing it this way.
We should just put the whole internet behind a firewall. Problem solved. :)
On a more serious note, can you imagine the kind of trouble we'll have with IPV6? I'll be arrested because my toaster was hijacked and launched a DOS on army.mil
1 - Hardware Firewall Only. Software firewalls are for pikers and people waiting to be hacked.
2 - Download SP1 to a CD.
3 - STOP USING NORTON for ANYTHING OTHER THAN ANTIVIRUS
4 - Read 3 again
This
Excellent article. And this is the number one article on the sans.org reading list. ... Couldn't help noticing number three with its provocative title: Penetration 101.
Have you Meta Moderated t
Buy a LinkSys cable/dsl router for $50, which includes a firewall (if you can't afford a Cisco Pix). I've never had anything get through to any Windows box I was installing up to the point I got it completely updated.
No one should have any Windows box directly on a cable/dsl line anyway.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
...
Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.
reallocate was just following the instructions that Microsoft and Symantec gave him/her.
What about using Tiny Personal Firewall? It fits on a floppy (last time i checked atleast)
... or any brand name for that matter. My windows box is behind one of these and I've never had any problems. You can choose to forward any ports you DO care about (it blocks by default), and you can also set up some cool net policy stuff on the later models.
Seriously -- you can pick one of these puppys up for about $50... and they're incredibally functional if you ever decide to start you own little home network (5 ports is the norm for the price).
" Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off."
Firewall is on before I connect to my cable modem if you're going to be DUMB enough to connect it without a hardware firewall protecting the machine. Get an intermediary device like a Linksys or Netgear router, and now you don't have to worry about it. And seriously. Don't install your AV until AFTER you've installed all your updates. You're only complicating the registry before it needs to be.
Seriously, is Slashdot a "News for Nerds", or "HOWTOs for N00bs"? Some of these questions would be better handled by Google and half a brain about networking.
Can you ping me now? Gooood! | Manhappenin.Net - Things to do
step 1:
do not connect the pc to any phone or network and no wireless connections either.
step 2: install winxp
step 3: admin password
--at least 8 chars long
--letters numbers AND other charactors
--not a dictionary word
--not easily guessed
step 3: networking setup
choose custom
unselect client for msft networks
unselect file and printer sharing
(you can enable after it's all patched up)
on the 'will this computer coneect to the internet directly...' dialog, select the proper settings as they will be, but it still should not be plugged into the network
don't activate, remind every few days
step 4: user accounts
setup whatever user accounts you need, same rules apply to passwords. also, if your account has no password, it will not be accessable through the network.
step 5: verify network settings
in the network connections dialog, for each connection,
-- make sure client for msft networks and file & printer sharing are STILL off
-- turn on the windows based firewall
reboot now
step 6: windows update pass 1
-- you can now get online, because you should be safe enough with the firewalling set up
step 7: run windowsupdate/reboot as needed until the system is FULLY patched.
step 8: install other software, such as virus checking.
(it's still a bad idea to disable the firewall, but it's much safer now than before)
for the pdf guide that I basically copied here, check
http://isc.sans.org
Go to grc.com and get DCOMbobulate, click DCOMbobulate me! and you are safe from those worms.
While you are at it, get also the UPNP disabler and Shoot the Messenger! to avoid getting popups offering U N I V E R S I T Y D I P L O M A S (yuck)
Dear aunt, let's set so double the killer delete select all
It is not active during startup or shutdown. This window of vulnerability will be fixed in SP2. That said, I wouldn't trust a "firewall" written by people clueless enough not to enable it before the network stack goes up.
http://www.microsoft.com/downloads/search.aspx?dis playlang=en
If you visit the Windows Update site in anything other than IE, you'll get redirected to there-but it works in Firefox. Also easier(because of the non-ActiveX packaging) to just download and burn.
The role of the writer is not to say what we can all say, but what we are unable to say. -Anais Nin
Get either a dumb hub or a crossover cable, and connect the Windows box by that.
turn on NAT via iptables:
- iptables -t nat -I POSTROUTING -s 192.168.1.0/24 --out-interface eth0 -j MASQUERADE
Turn on packet forwardingiptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT
# turn off most packet forwarding (other than outgoing connections above) iptables --policy FORWARD DROP
( echo 1 >
This, of course, presumes that ETH1 is facing your windows box with an IP address in 192.168.1.{1-254}.
You can then either set your Windows box IP address manually, or learn how to turn on dhcpd (i'm not going to go there, but it's not too hard.). In any case, this should be enough NAT protection to allow you to get out on the net from your Windows box without opening it up to inbound virus connections. You can then get to places like Microsoft and Norton's without being pre-emptively infected.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Benna, you're ignorant if you think it's bullshit - infected zombie machines are common and infect people quickly.
Want proof these worms are targeting every IP out there - go visit dshield.org, and you'll see what the Internet is dealing with.
My firewall logs a regular blip of hits on port 445, 25, 135, 3127, 1434, 1433.
All of these are various worms looking for an unprotected host. Until then... keep using linux, you're much better off.
It's almost common for a fresh install to be infected on the first few minutes of connection to the Internet - Microsoft made it far to easy.
1. Disconnect machine from net
2. Install XP
3. Before connecting to net, enable XP firewall. (Right click on network connection, properties, advanced, "Protect my computer.."
4. Turn on Automatic Updates (Right click on My Computer, properties, then click tick box on automatic updates).
5. Connect to net.
6. Let it patch itself, or if you want, do it manually via Windows Update.
Really, why this simple simple process seems so difficult to Linux users is beyond me. You wouldn't connect a Linux system running say, an old version of Samba or Apache to the net without IP Tables now would you?
backwards, you can hear satanic messages. But even worse, if you play it forward, it installs their software!
Thanks, I'll be here all week... try the veal...
...because obviously you're too stupid to do it yourself.
You say you've been using Linux since 95, yet the obvious solution of using a firewall excapes you! If you're such a linux expert then where's your iptables firewall machine? Or even your $50 router/firewall. I have one for sale for $40 if you want. That's Cdn $$ too! Man, even installing sygate, zonealarm, or any other personal firewall right after winxp is installed would prevent the shit out there from getting onto your machine.
I've been using Linux since 95 too, but I know better to put any machine, Linux or Windows, directly on the net or in the DMZ unless that's my intention. Windows is much worse than other OS's, but I wouldn't even put a fresh linux install of any distribution on the net without doing some work on it first.
Go to Best Buy and get a Linksys BEFSR41 router / firewall device.
Plug your computer into the LAN side.
Clone the MAC address of your computer.
Change the password on the router to something other than 'admin'.
Plug in your cablemodem into the WAN side.
Enjoy your new worm/virus/trojan free existance.
How many times do we need to spell it out??
Glonoinha the MebiByte Slayer
I have a linksys wireless router between my DSL modem and my computers. I've gotten malware and spyware on my main computer (I found out later when I ran a checking program) but never got a virus or a worm. When I later installed Apache locally on a Win 98 machine and put in a .hosts file with a list of all the adware companies and their servers routed back to localhost, (which causes the local copy of Apache to try to serve them and report no such page) it also stopped almost all popups and a lot of in-line ads.
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
I would follow the recommendation of our friends at thebroken.org and burn your computer from the inside out.
So I should reinstall my OS and depend on some third party tool to remove crap installed on it?
What you are saying is that it is impossible to install Windows cleanly?
Try using a firewall/router instead.
If you can't afford a hardware router you can't afford Windows. Add $50+ to the TCO of Windows.
Or if you can't afford that, use another free OS, such as any BSD or Linux.
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
1. Pull machine off net
2. Install box
3. Configure TCP/IP and enable windows firewall
4. Plug in network cable
5. Windows update
6. Repeat windows update
Job done.
1) Hide behind a NAT router - Install windows disconnected from networks. Find someone with DSL and a NAT router. Intall all the patches from the safety of their home network.
2) Before installing windows, format the disk to have a FAT partition. Boot Knoppix Linux from a CD. get on the internet and download the patches to the FAT partion. Boot Windows - install patches.
Religion is the main cause of atheism.
Use a hardware firewall, or a decent router with a firewall built in, instead of depending on something that's software-based. That way, the nasties are stopped before they even get to your computer.
I've not had personal experience with them, but others I've spoken with have had good luck with Linksys and D-Link. For my part, I've always depended on our Watchguard Firebox II to handle things.
Granted, such a unit is well beyond the cost range of most home setups (unless you get a phenomenal deal on it used, as I did). However, before I had the Firebox, I was part of the Beta testing team for the Zyxel 'Prestige 312' combo dual-Ethernet router/firewall. The 312 has been discontinued for some time now, but it performed like a champ for me.
If I were going to pick another unit today, I would look at Zyxel's ZyWall 100 series, or something similar. They're quite a bit less expensive than Watchguard's products, and I see no reason they shouldn't work just as well.
If the 100's a little too costly for you, the entire ZyWall series comes in a variety of sizes from 1 on up. The number usually designates the number of VPN connections the unit allows.
If you're a DIY'er, you can, of course, just get hold of a spare PC, stick a couple of NICs in it, load it up with FreeBSD or some such, and turn it into a router/firewall.
The bottom line is that I don't believe any purely software-based firewall can ever be as secure as one that's hardware-based, and dedicated to the purpose of just being a firewall. I certainly don't trust Uncle Bill or Symantec to do it right (witness the problems you've already had).
Happy hunting.
Bruce Lane, KC7GR,
Blue Feather Technologies
NAT is an evil abomination that breaks the Internet's end-to-end model, but for machines that will really never receive incoming connections (VOIP, games, IM, etc. as well as web servers), it's cheap insurance, and for machines that aren't ready to connect to the net, like unpatched Windows, it's pretty much essential. And once you've got your machine patched, you can then open up whatever ports you want on your firewall, if it's bright enough to do that.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
For the most part, people don't realize there are other options. (Check any number of previous /. discussions.) In certain instances they don't know they have other options. Dell/HP/Compaq/Gateway don't offer Linux. They tell you they include Windows.
In other cases they literally do NOT have a choice. My brother in law is headed to medical shcool. He was presented with a list of requirements for his computer. One of those is that the computer have Windows XP Professional installed. Half of the requirements are to prevent the students' computers from bringing down the school's network. All of those could be met by using a Mac or installing Linux. Neither is presented as an option. It will take considerably more effort on my brother in law's part to find out if he can use a Linux computer than it would to just click on the "purchase here" link.
I've strongly suggested that he make the effort to see if he can use Linux and avoid having to purchase the software they recommend (which cost more than the hardware). However, he isn't so interested in that effort or the effort the might be required in running a linux box.
I have no question why he thinks his only option is a Windows computer. He wants to be a physical therapist, not a computer expert.
Paul
This is a 100% true story. Any time this year I tried to reinstall a machine at school (UC Santa Cruz) that was connected to the network, it would immediately be attacked by blaster. No warning, the system would get the RPC death knell and die. This was with a copy of XP that I made that had SP1 slipstreamed into it. The answer, however, is very simple. 1) Download the SP2 network install ahead of time and burn it on a CD (throw on your chipset drivers too) 2) format and reinstall with the network unplugged 3) install chipset drivers (for DMA) 4) install SP2 5) plug into network and run windows update etc... volia. If you can't get ahold of SP2 ahead of time, use any decent software firewall (Zone alarm and norton both work pretty well) or a hardware firewall preferably. They aren't really necessary though, SP2 will save your life.
You should always use a router between your PC and the cable modem. My PC is safely hidden behind the router and has never been hacked.
I tell every person I know who gets a broadband connection to buy a hardware firewall device. If they invest in a wifi router for about $80, then they not only get a built-in firewall but also wifi a hub/switch as a bonus. As far as I am concerned, this is an absolute requirement these days.
The NAT that is setup by default for all such routers is just the ticket to avoid viruses like blaster.
Cert/CC has an article called "Before You Connect a New Computer to the Internet"
Like many others said: Get a cheap "internet router" that does NAT (Network Address Translation). If the attackers can't get to the fresh XP machine, they can't kill it. Easy, isn't it? Just turn OFF UPNP support and all DMZ / port forwarding stuff on the router.
If you still have a spare PC (minimum 486SX-25, 8 MB RAM, Floppy, two ethernet cards), give fli4l (or any other small Linux router software) a try. Download size is a few MBytes (ask your friends / neighboors), complete boot floppy is created within a few minutes on any Windows system. No linux knowledge required.
Keep the NAT router between the XP machine and your internet connection even after you have completed the XP setup. Though the router may not help against using IE and Outlook, it will help against all TCP and UDP based attacks. All viri and worms that spread by connecting to any TCP or UDP port on your machine will fail to infect your machine thanks to the NAT router.
Tux2000
Denken hilft.
Sorry, I couldn't help it!
See my journal, I write things there
Pick up a router from SMC ( I can recommend the 7008/4 ABR series). Even if you don't want to setup a home network, this is the best way to go I think. Even with the sygate firewall it could ( in theory) happen that the software silently crashed, leaving the icon still in the system tray until you move the mouse cursor over it. Also I wouldn't rely on Windows Update to keep your computer safe. If your unpatched version can get infected, your updates will not prevent infection when someday an exploit gets releases sooner than the patch. When using a router, all incoming connections will be refused by default since the router itself is only running the administration tool. Add a personal firewall for save measure in case the router gets compromised and you are set to go. Also you can seamlessly add computers to your network, all sharing the same internet connection and printer. As a side note, the Norton firewall has crappy configuration options and its all in baby talk. I didn't like it very much. Zonealarm doesn't work well with edonkey, overnet, emule, also, if you forbid all the notorios windows applications (explorer.exe, alg.exe, svchost.exe) all access to the network, you are in for a very unstable windows expierence. Sygate is still the best of the three. ;)
I bought the router to finally rid me of the personal firewalls tedious configuration ( which btw, you have to do again on each install, with the router it stays with you forever
Not associated with SMC, I just picked up the model mentioned above friday and I am very happy with it.
___
No power in the 'verse can stop me
Enable the built-in firewall in Windows XP before going online. This will resolve a lot of your problems.
Also go into the widnows update site (on another connected computer) and click the update options to the right. There is an option to turn on the catalog view (or something like that... in Linux right now). This will allow you to search for all the updates of a particular Windows platform.
Use this to download the patches and burn them to a CD... Use this CD to patch your system.
Jim
just buy a hardware firewall. do the install with the network cable unplugged, then plug in from behind the firewall to get the updates.
alternately, you could download all the service packs, patches, etc., burn them to a CD, and do the install completely disconnected from the internet, then run the patches, then connect.
Using TCP/IP may have been a mistake. It was, after all, the vector by which the malware installed itself to begin with.
A better approach may be to do this with two computers, where one is the machine onto which you need to install XP and the other is already up & running with whatever operating system you like.
This second computer will act as a bridge to the internet, speaking TCP/IP only on its WAN interface, and speaking a non-routable protocol like NetBEUI to the XP machine on the LAN interface.
This way, the XP machine can only speak to other local machines.
With a setup like this, you can download the necessary service packs and other updates to the gateway machine -- people have already explained this in some detail elsewhere in this discussion -- and then the XP box can access the updates by regular old fashioned Windows file sharing.
Once you have the minimal updates, then and only then does it make sense to turn on TCP/IP support on the XP machine.
DO NOT LEAVE IT IS NOT REAL