Slashdot Mirror


NIST Issues Windows XP Security Guide

routerwhore writes "NIST Special Publication 800-68 (zip file) has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail."

253 comments

  1. Re:50% by Anonymous Coward · · Score: 0, Funny

    100% are problems for M$ users... HAHAHAHAHAHA

  2. isolate by xOleanderx · · Score: 4, Funny

    Step one: Isolate from network.

    1. Re:isolate by Anonymous Coward · · Score: 0

      Step 1: find your computer
      Step 2: unplug all wires leading to your computer
      Step 3: go home and watch TV

      You are now the proud owner of the safest computer not online.

    2. Re:isolate by Anonymous Coward · · Score: 2, Interesting

      not really...

      Step one is to get a competent admin that will install from a slipstreamed install CD. All of mine are slipstreamed with SP2 so all patches up to now are included and the machine is not instantly owned on the corporate network. ANYONE installing XP or W2K from original CDs is nuts. Slipstream the patches. My W2K disks are up to the SP4 rev and have all hotfixes on the disk ready for the scripted install after first reboot, and the XP disks are ready to go as well.

      Yes, it's a pain in the arse to have to do this since MS refuses to issue updated install CDs every time they do major updates to their OS... but it's all we got.

    3. Re:isolate by xOleanderx · · Score: 1

      Well, you're pretty safe behind a hardware router... Or in my case 2 hardware routers and a software router.

    4. Re:isolate by BrookHarty · · Score: 5, Informative

      Actually, that is pretty important as there is no Service Pack 2 XP CD out. If you install on an open Internet connection, you can be infected before you download the updates. Even our work LAN wasn't protected, soon as I plugged my laptop in for updates it was infected, and I had to clean it off. (Ya, ya, ZoneAlarm....) I guess the default XP firewall turned on would at least be some protection.

      I think it's worth picking up a cheap network router or wireless router so you can have NAT firewall to filter your PC. 802.11b routers are on sale for 20 bux that have NAT built in. Pretty cheap, and then you can update your PC before it gets infected.

      I have all service packs merged into my Win2k on CD, but WinXP only has the default SP1 without the updates for a year. So, the unplug or firewall your Internet connection is pretty important.

    5. Re:isolate by Anonymous Coward · · Score: 1

      Actually, that is pretty important as there is no Service Pack 2 XP CD out....

      Make your own... It's really simple, although it's way too advanced for a MCSE... you might want to get a real sysadmin for the task.

      And if you think I'm kidding, look around, people are talking about it, and it has been commonplace since Windows NT 4.0.

    6. Re:isolate by DarkMantle · · Score: 2, Funny

      Step 2: install 3 popup blockers, 4 spyware utilities, and 5 Antivirus programs, 3 firewalls, and make sure it's behind a good external firewall, get all windows updates on a CD to install them offline.

      Step 3: Keep off network

      --
      DarkMantle I been bored, so I started a blog.
    7. Re:isolate by eean · · Score: 3, Insightful

      At my .edu they decided that our firewall would protect us from Blaster. Didn't take them long to figure out how wrong they were.

      Firewalls assume they're aren't malicious things happening on your side of it.

    8. Re:isolate by Scutter · · Score: 1

      Firewalls assume they're (sic) aren't malicious things happening on your side of it.

      Might I suggest that you prepend the words "Poorly configured" to that sentence? A well-administered firewall assumes *anything* going through it is potentially malicious.

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    9. Re:isolate by Pedrito · · Score: 1

      I think its worth picking up a cheap network router or wireless router so you can have NAT firewall

      Which unfortunately does you little good with our wonderful wireless routers having backdoors in them. I don't use Linux regularly, but where I do use it, is as my firewall. I've never trusted a Windows box to be on the net and these days, I don't trust the wireless routers. I'm sticking with my old Linux box. It's just an old cheap PII, and the power consumption is probably a bit high for a router, but it works and I trust it. And it's certainly fast enough to handle the routing demands of my home.

    10. Re:isolate by igrp · · Score: 1
      Allow me to second this. Two weeks ago, I gave one of my old computers to a friend of mine as a replacement for her broken notebook. The system had SuSE 9.0 installed when I gave it to her but she wasn't comfortable at all with it, and since she had a term paper due, I agreed to install Windows XP for her.

      So, I set the system up (quick'n'dirty install since I was in a rush) and hook her 56k modem up to at least install a decent, up-to-date virus scanner, SP1 and some critical updates. The computer was supposed to finish downloading the patches throughout the night, so all she would have had to do in the morning was reboot.

      My phone rings the next morning. She's seriously panicking because the computer seems to be in a reboot loop. So I drive out there to see what's up. Turns out, the system got infected with an RPC way before it finished downloading the patches.

      I'm just glad the worm was so buggy that it kept crashing the system. Otherwise, it would have just sat there, infected, for weeks until someone (me) had actually performed a virus scan.

    11. Re:isolate by thedillybar · · Score: 1
      >Which unfortunately does you little good with our wonderful wireless routers having backdoors in them.

      A NAT with a backdoor will still help you quite a bit. Sure, someone can get in your box with some effort...but any old worm trying to infect your machine will be effectively stopped.

      Depending on your situation, the chances of someone trying to manually hack your box are zilch. Not a good excuse for bad security...but still.

    12. Re:isolate by shokk · · Score: 1

      You misunderstand. Anyone carrying a laptop from home and plugging it into your network is circumventing the firewall, no matter how well configured it is. What is needed is firewalling at each port of a switch. At the very least, laptop users can be placed into a VLAN of their own, probably as part of the WLAN operation, so that they can only readily infect each other.

      --
      "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
    13. Re:isolate by spongman · · Score: 1
      oh come on, it's easy:
      1. unplug network
      2. install XP
      3. enable ICF (firewall)
      4. plug in network
      5. install updates
    14. Re:isolate by eean · · Score: 2, Insightful

      Then the students bring their computers back from the summer.

      Making a campus LAN not a dangerous one is impossible. You have to assume worms are going to get in.

    15. Re:isolate by dmaxwell · · Score: 1

      Even on a campus LAN, you can make a heavily firewalled segment for doing things like configuring freshly installed Windows machines.

    16. Re:isolate by Anonymous Coward · · Score: 0

      Additionally, how about turning on the Windows XP firewall before going on a network?

    17. Re:isolate by Scutter · · Score: 2, Insightful

      You misunderstand.

      No, I understand perfectly, but protecting an internal network is not the firewall's job. The firewall's job is to act as a gatekeeper to traffic passing through it wherever it's placed in the network. What you are proposing is a fundamental change in network design, of which the firewall is only a very small part. VLANs, proxy servers, etc. all play a part in securing an internal network. It doesn't make sense to place the blame for an insecure internal network at the feet of a single firewall (misconfigured or otherwise).

      If someone brings in an insecure laptop and plugs it into a random port on your switch, you can hardly blame the firewall between your LAN and the internet if the laptop starts spewing Sasser around your network. That's where VLANs, internal firewalls, and other security measures come into play.

      Regardless, my response was in answer to your comment about firewalls not protecting internal networks, not the intricacies of switchport-level network security.

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    18. Re:isolate by jayhawk88 · · Score: 1

      Even our work lan wasnt protected, soon as I plugged my laptop in for updates it was infected...

      I think you need to have a frank discussion with whomever manages your firewall.

    19. Re:isolate by Anonymous Coward · · Score: 0

      Never heard about wireless LAN, did you?

    20. Re:isolate by eean · · Score: 1

      We are doing something like this in the summer. All the dorms are going to be on their own segment. The new Cisco routers should give us a lot of power. But it's still my belief that the underlying assumption should be that a LAN that's any more public than your home network is hostile. Each computer needs to be able to defend itself ultimately.

    21. Re:isolate by siliconjunkie · · Score: 1

      as there is no Service Pack 2 XP CD out

      There are no official XP SP2 CDs out.

      But don't let that stop you...

    22. Re:isolate by Blackneto · · Score: 1

      Well you fail in the "Competent Admin" category.

      1. You've slipstreamed XP SP2 onto a CD to use in production? This is not a final release, it is a testing release. Testing and Release candidates do not belong in production.

      2. A computer installed from the original CDs gets instantly owned on your network? Why are there viruses/trojans running free on your internal network?

      While slipstreamed CDs are nice, I install from the original CDs all the time. Then I map to the share that holds the patches and run a script to install them. I don't have to worry about burning a CD every time, making sure everyone that does loads has one and has gotten rid of old CDs or any of the administration involved in that.

      Different admin styles for different admins I guess.

      --
      Ursula Andress, Catherine Deneuve, and Charo, twice...
    23. Re:isolate by tyler_larson · · Score: 1
      If you install on an open Internet connection, you can be infected before you download the updates.

      Two words: NAT

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
    24. Re:isolate by llzackll · · Score: 1

      Actually MS does update their install CDs when there are major updates like service packs. As soon as SP2 is released, they will update the install CDs. Just as the current install CDs on retail shelves have SP1 slipstreamed on them.

    25. Re:isolate by Anonymous Coward · · Score: 0

      Can someone please explain to me what is wrong with you people?

      You talk about the easy way to do this and the cheap way to do that - WHAT IS WRONG WITH YOU PEOPLE?

      Why don't you just fucking DUMP THE SHIT?

      Jesus H. Fucking Christ, I am SO SICK of this pathetic 'we can save Windows' bullshit.

      YOU PEOPLE ARE SO FUCKING PATHETIC! GET A CLUE!

      Grrrr..

    26. Re:isolate by ovoskeuiks · · Score: 1

      This is true... I work at a local primary school and I've set up a Freesco dial-up box and a Gentoo machine with Squid between the Windows network and the Freesco box... not one of the many worms etc. made it through in the 2 years they have been running.

    27. Re:isolate by Anonymous Coward · · Score: 0
      Two words: NAT

      That's one word, or three, depending on how you're reading it. I have ONE word for you: firewall. Of any kind.

    28. Re:isolate by Anonymous Coward · · Score: 0

      That was the whole point.. his school thought the firewall would protect their internal network.

    29. Re:isolate by Anonymous Coward · · Score: 0

      kid raping fucking molestor overdrive faggot asshole liar microsoft buttlicking faggot liar asshole is back. kid raping molesting fucking puke fucker asshole.

  3. Format, install Linux... by PeterPumpkin · · Score: 2, Informative

    ...install VMware, run XP from inside the sandbox :D

    1. Re:Format, install Linux... by cball2k · · Score: 1, Interesting

      valid

      I actually do this very thing with a client. I also have another client that runs 2-4 servers per case, using VMware, but running on w2ksvr. All my clients use Sonicwall TZ series firewalls (and I firmly believe that all business should have a firewall if they use the internet).

      --
      karma, hah...
    2. Re:Format, install Linux... by Anonymous Coward · · Score: 0

      That just highlights the LACKING applications on Linux, why? Because groups cannot agree on the colour of shit due to internal zealotism and politics. That's what is holding Linux back, zealots and tards like XFree and generally lack of pushing forward and sticking with the ancient arcane technologies.

      Run Crossover, run WINE, run VMware because this is all Linux is good for on the desktop.

  4. Re:50% by mgoodman · · Score: 1, Insightful

    And unfortunately IE is integrated into Windows. Even if you use Mozilla, problems are still potentially exploitable, sadly.

    --
    01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
  5. Looks very usefull at first glance by Marxist+Hacker+42 · · Score: 5, Informative

    Especially for those of us who have mixed LANs at home. This was the first I had heard of a way to disable 445, the replacement Netbios port (even if it's a convoluted way to do it).

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:Looks very usefull at first glance by howlatthemoon · · Score: 0, Flamebait

      I'm glad someone is doing it given the speed at which MS provides this kind of assistance. It has to be part of their business plan. "If we wait long enough someone else will do it for us, and we can save some money" How do you think they get the cash they use to pay consulting groups to tell us how secure their OS is?

    2. Re:Looks very usefull at first glance by mst76 · · Score: 4, Informative
      Especially for those of us who have mixed LANs at home. This was the first I had heard of a way to disable 445, the replacement Netbios port (even if it's a convoluted way to do it).
      There is plenty of information around if you know the right queries.
    3. Re:Looks very usefull at first glance by Marxist+Hacker+42 · · Score: 1

      Well, that and overcharging for the OS in the first place. TechsUnite recently recalculated the estimated profit on a single copy of XP Professional, given the amount of work they've moved to Hyderabad at 1/10th the labor cost- works out close to 97% markup on Windows, after R&D costs and duplication/printing/hardware key management is taken into account. They ain't going broke soon- though a couple of their former executives are making a career out of limited liability corporation bankruptcy.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    4. Re:Looks very usefull at first glance by Marxist+Hacker+42 · · Score: 1

      Yeah- assuming you knew that Microsoft was using port 445 in the first place for that purpose, you could Google it.

      That's one of two problems I have with Google- not knowing the terms I want to learn about and information overload once I do have the terms. Which only makes it moderately useful for protecting against security holes that I don't know about to begin with. I had only heard about 445 last week, thus this article is useful to me. I'm sorry if it's not useful to you to have this much information in a single zip file.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    5. Re:Looks very usefull at first glance by Anonymous Coward · · Score: 0

      You might also be interested in "netstat -an" and nmap
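
The "netstat -an" check suggested in the comment above, as an added example that is not part of the original thread: this Python sketch parses Windows "netstat -an" output and flags listeners on port 445 and the older NetBIOS/RPC ports when they are bound to a non-loopback address. The sample output is constructed, and ports 135/137/138/139 in the watch list are an addition beyond the port 445 named in the thread.

```python
"""Flag network-reachable listeners in Windows `netstat -an` output."""

# 445 is the port discussed in the thread; the other entries are the classic
# NetBIOS and RPC endpoint-mapper ports (added here as an assumption about
# what a reader would also want to watch).
WATCHED = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    139: "NetBIOS session",
    445: "SMB over TCP",
}

# Constructed sample of `netstat -an` output; not taken from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
  UDP    127.0.0.1:1900         *:*
"""


def parse_listeners(text):
    """Return (proto, address, port) for every socket that accepts traffic."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING sockets accept new
        # connections. UDP rows have no state and are always receivable.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")
        if port.isdigit():
            listeners.append((proto, addr, int(port)))
    return listeners


def is_loopback(addr):
    """True when the socket is only reachable from the machine itself."""
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def exposed_watched(text):
    """Watched ports bound to an address other hosts on the LAN can reach."""
    findings = [
        (proto, addr, port, WATCHED[port])
        for proto, addr, port in parse_listeners(text)
        if port in WATCHED and not is_loopback(addr)
    ]
    return sorted(findings, key=lambda f: (f[2], f[0]))


if __name__ == "__main__":
    for proto, addr, port, name in exposed_watched(SAMPLE_NETSTAT):
        print(f"{proto:<4}{addr}:{port:<6} {name}")
```

A socket bound to 0.0.0.0 is reachable on every interface, which is why those rows are reported even behind a NAT router: other machines on the same LAN can still reach them.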

    6. Re:Looks very usefull at first glance by thedillybar · · Score: 1
      >This was the first I had heard of a way to disable 445, the replacement Netbios port (even if it's a convoluted way to do it).

      What's wrong with using a firewall? Or a NAT?

    7. Re:Looks very usefull at first glance by SquadBoy · · Score: 2, Informative

      But of course the first thing you did was to run nmap and Nessus against your shiny new XP box and then search on the ports that they found.

      Or maybe I'm just a freak.....

      But yea info and lots of it in one place is a *very* good thing. But it sounded like the grandparent knew it was there did not like it and had done nothing and was all out of ideas.

      Or like I said maybe I'm just a freak...

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    8. Re:Looks very usefull at first glance by Azghoul · · Score: 4, Interesting

      This is probably going to seem like flamebait, but I'm honestly curious: Does anyone else feel it's odd, at best, to have a government agency telling us all how to safely operate a private company's product?

      Just seems weird to me, but I guess it happens in other industries as well...

    9. Re:Looks very usefull at first glance by Marxist+Hacker+42 · · Score: 1

      Some of us have day jobs, and install windoze boxen on home LANS to make the other members of the family shut up and let us play on our linux boxen. Best way to handle THAT is with a NAT router and fixing the holes as we hear about them.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    10. Re:Looks very usefull at first glance by Marxist+Hacker+42 · · Score: 3, Interesting

      What, you expect the private company to actually be truthful about the dangers of their product?

      Seems normal to me, and a necessary function of government in a corporatist economy. Otherwise, Caveat Emptor is the only real law left.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    11. Re:Looks very usefull at first glance by Marxist+Hacker+42 · · Score: 1

      And how many home users would bother with THAT? Plus, pray tell, how do you download it when your only box on your shiny new home network is an unpatched XP machine?

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    12. Re:Looks very usefull at first glance by SquadBoy · · Score: 1

      Some of us have day jobs *and* a sense of humor.

      Here is a hint from me to you. The phrase "or maybe I'm just a freak" generally indicates an attempt at a joke.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    13. Re:Looks very usefull at first glance by WaterBottle · · Score: 1

      We get all sorts of guidance from government on how to use privately produced commodities.. cars/guns etc etc. What interests me is that they perceive that the Windows XP penetration is so persuasive that they produce this guidance... either that or someone inhouse was just doing it anyways.

    14. Re:Looks very usefull at first glance by RY · · Score: 1

      It is normal for a government agency to help secure computers. The reality is that if the computer is excessively compromised the government agency loses root access to your computer. Helping you to secure your computer ensures their access to your information.

      Relax, we're from the government, we are here to help you...

    15. Re:Looks very usefull at first glance by Marxist+Hacker+42 · · Score: 1

      Ah, ok- I took it the wrong way, sorry. Got to remember this is essentially an autistic medium.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    16. Re:Looks very usefull at first glance by reallocate · · Score: 1

      This isn't a case of "a government agency telling us all how to safely operate a private company's product". If you'd read the NIST report, you would realize that it is aimed at that community. It's no surprise that it is available. Contrary to popular opinion, most everything the government publishes is available to the public. Not necessarily distributed, but available.

      The government lives on Windows, like everyone else. Still, if you'd read the report, you'd notice it does address security issues in apps like Mozilla, Firefox and Netscape.

      --
      -- Slashdot: When Public Access TV Says "No"
    17. Re:Looks very usefull at first glance by Anonymous Coward · · Score: 0

      Funny, the owner's manual for my car didn't list every possible way that I could be killed while operating the vehicle, but a lot of that information is available from government sites.

    18. Re:Looks very usefull at first glance by Marxist+Hacker+42 · · Score: 1

      I use both- but that still doesn't take care of the LAN (though it DOES explain why I have problems with my file and print sharing solutions thanks to having a single XP machine on a mixed OS network).

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    19. Re:Looks very usefull at first glance by Marxist+Hacker+42 · · Score: 1

      And thus my point- though these days due to lawsuits and such there are plenty of warnings in the owner's manual as well. Read a Saturn manual sometime on changing a tire. It goes to great pains to make sure you've turned off the engine and have set the emergency brake first.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  6. Re:50% by Mz6 · · Score: 3, Insightful
    "Fifty percent of those problems are IE problems."

    Does this get filed the same as "90% of all statistics are made up"?

    --
    Hmmm.
  7. 147 pages! by w1r3sp33d · · Score: 4, Funny

    Easy broken down into 9 littler chapters for those MCSE's still out there.

    1. Re:147 pages! by krygny · · Score: 1

      " Easy broken down into 9 littler chapters for those MCSE's still out there."

      Or, nine PowerPoint bullets for the pointy-haired bosses still out there.

      --
      Research shows that 67% of those who use the term "research shows", are just making shit up.
  8. Re:Step one by Marxist+Hacker+42 · · Score: 3, Insightful

    And the answer is simple- hook it up to a Linux-based NAT router! If no server ports are exposed to the WAN, no worms can find the new box.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  9. Re:I am a 23 year old virgin by onkelonkel · · Score: 0, Offtopic

    You're asking on Slashdot?????

    --
    None of them can see the clouds; The polished wings don't care.
  10. Linux is complex? by TheVidiot · · Score: 4, Funny


    Only 147 pages of reading to secure your Windows XP?!? And they say Linux requires an in-depth knowledge of the OS...

    1. Re:Linux is complex? by databyte · · Score: 2, Informative
      Not all of it is related solely to security.
      • Section 1 - Introduction (15-16)
      • Section 2 - Windows XP Security Guide Development (17-32) about general networking guidelines and how this guide came to be
      • Section 3 - Windows Security Components Overview (33-38) with summary notes on the last page (38), the rest was features and footprint
      • Section 4 - Installation, Backup, and Patching (39-48) consists of advice on running Windows Update, using strong passwords, etc. Notes are again, on the last page.
      • Section 5 - Overview of the Windows XP Security Policy Configuration and Templates (49-54) explains templates and how to use them.
      • Section 6 - NIST Windows XP Template Settings Overview (55-66) which explains the templates provided.
      • Section 7 - Additional Windows XP Configuration Guidance (67-90) is a ton of good content
      • Section 8 - Application Specific Security Configuration Guidance (91-110)
      • Section 9 - Putting it All Together (111-112)
      • Appendix A-F contain resource information not needed to secure your machine but good information to have.
      Steps to securing:
      Read the last page of Sections 3 and 4, if it's new to you - read the whole thing.
      Apply templates using information from Sections 5 and 6 if you don't know how.
      Read Section 7.
      Section 8 is optional depending on what types of programs you use.

      Required reading: 25 pages
    2. Re:Linux is complex? by Anonymous Coward · · Score: 0

      hehehehehe....fanboys....hehehehehe

    3. Re:Linux is complex? by Anonymous Coward · · Score: 0

      And you know of any linux/unix books smaller than 147 pages?

    4. Re:Linux is complex? by SCHecklerX · · Score: 1
      Of course I do much more than this, but Linux is pretty easy to secure from a "don't run unnecessary services" point of view. From my ks.cfg file used when building custom FreeSWAN gateways:
      #Service Lockdown
      rm -f /etc/rc.d/rc3.d/*
      /sbin/chkconfig --level 3 network on
      /sbin/chkconfig --level 3 syslog on
      /sbin/chkconfig --level 3 keytable on
      /sbin/chkconfig --level 3 random on
      /sbin/chkconfig --level 3 crond on
      /sbin/chkconfig --level 3 atd on
      /sbin/chkconfig --level 3 named on
      /sbin/chkconfig --level 3 ntpd on
      /sbin/chkconfig --level 3 sshd on
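
An audit for the lockdown in the comment above, as an added example (not SCHecklerX's code): it parses "chkconfig --list" output and reports services enabled at runlevel 3 that are not on the allow-list from the ks.cfg fragment, plus allow-listed services that are off. The sample output, including the extra portmap and sendmail entries, is constructed.

```python
"""Check `chkconfig --list` output against a runlevel-3 service allow-list."""

# The nine services the ks.cfg fragment turns on at runlevel 3.
ALLOWED_RL3 = {
    "network", "syslog", "keytable", "random", "crond",
    "atd", "named", "ntpd", "sshd",
}

# Constructed sample of `chkconfig --list` output from a drifted gateway.
SAMPLE_CHKCONFIG = """\
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
named           0:off   1:off   2:off   3:on    4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        chargen:        off
        echo:   off
"""


def enabled_at(text, runlevel=3):
    """Return the set of SysV services marked 'on' at the given runlevel."""
    enabled = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        # Service rows look like "name 0:off 1:off ... 6:off". The xinetd
        # section has no "N:state" pairs, so it never matches a runlevel.
        states = dict(f.split(":", 1) for f in fields[1:] if ":" in f)
        if states.get(str(runlevel)) == "on":
            enabled.add(fields[0])
    return enabled


def audit(text, allowed=ALLOWED_RL3, runlevel=3):
    """Compare what is enabled with what the lockdown intended."""
    on = enabled_at(text, runlevel)
    return {
        "unexpected": sorted(on - set(allowed)),  # running but not allow-listed
        "missing": sorted(set(allowed) - on),     # allow-listed but not running
    }


def remediation(text, allowed=ALLOWED_RL3, runlevel=3):
    """chkconfig commands that would bring the host back to the allow-list."""
    result = audit(text, allowed, runlevel)
    cmds = [f"/sbin/chkconfig --level {runlevel} {name} off"
            for name in result["unexpected"]]
    cmds += [f"/sbin/chkconfig --level {runlevel} {name} on"
             for name in result["missing"]]
    return cmds


if __name__ == "__main__":
    print(audit(SAMPLE_CHKCONFIG))
    print("\n".join(remediation(SAMPLE_CHKCONFIG)))
```

Running the audit after package updates catches services that a new package re-enabled, which a one-time lockdown in the install script does not.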
  11. Actually has some good points by grunt107 · · Score: 5, Informative

    There are some areas around the registry and memory dump settings that could be useful (how many actually send MS their abend dumps?), shutting remote access, and pointing out the usage and benefits of a firewall. When it comes to internet downloads/emails, though, the standard "Don't open unknown emails/attachments" still abounds. Rather lengthy - could do w/o the graphs and standard defs.

    1. Re:Actually has some good points by Anonymous Coward · · Score: 0

      how many actually send MS their abend dumps?

      I put mine in a bag, and set it on fire. Does that count?

    2. Re:Actually has some good points by Anonymous Coward · · Score: 0

      Your premise presumes MS actually looks at all the abend reports (BSODs for you MCSEs out there...)

  12. Re:Page 1: For best security... by xOleanderx · · Score: 4, Insightful

    Hopefully SP2 will fix many of these problems.

  13. Windoze by Anonymous Coward · · Score: 0, Offtopic

    -Insert clever Windows bashing phrase here-

  14. Total Cost of Ownership thru the roof by hey · · Score: 5, Funny

    Wow, changing all those settings really bumps up the Total Cost of Ownership (TCO) of Windows!

    1. Re:Total Cost of Ownership thru the roof by badriram · · Score: 3, Informative

      Well, most people don't do this over and over again on each and every machine. That is we have GPOs (Group Policy Objects), scripting, and tons of third party apps. All those settings were done at my end once, and I update them at the release of every service pack. For security the amount of time I waste is barely nothing.

    2. Re:Total Cost of Ownership thru the roof by Anonymous Coward · · Score: 0

      Can you say how to use GPOs to set one of those settings?

    3. Re:Total Cost of Ownership thru the roof by gnu-generation-one · · Score: 1

      "Well most people dont do this over and over again on each and every machine."

      Yes... we do...

      I'm not bitter, honest! It's great fun getting a load of WindowsXP machines, and trying to convert them into something useful.

      Even when machines are arriving in dribs and drabs and 8 machines every few weeks, it still doesn't seem worth the effort to buy tools and figure out what to do to make WindowsXP non-sucky. Especially when it might go wrong and screw lots of stuff up, and even when all the machines are pre-installed by Dell.

      Can't Dell have a tickbox option on the order form: "leave off the eyecandy please, I want to run computationally-intensive programs on this machine"

      Maybe even a tickbox saying "yes I've used windows before, I really don't need a big-ass sign pointing to the start menu and demanding I click it on each machine I install"

      I suppose the real question is: these install tools, do they help with the really crappy stuff about windows? For example, the having to agree to a license agreement on each machine you get, setting different network settings for each machine, or configuring a normal-looking desktop without mucking up things like drivers for whatever odd hardware Dell has installed in each machine. Are any of the tools actually easy to use, useful to have, and if so, where can I download them?

    4. Re:Total Cost of Ownership thru the roof by Anonymous Coward · · Score: 0

      There are several tools to help you.

      The first one that comes to mind is Sysprep.

      Create an image w/ your settings, set it up in sysprep and create an image.

      It's not that hard.. Honestly.

  15. Re:50% by Anonymous Coward · · Score: 0

    I'm really getting sick of hearing everyone complain about Microsoft.

    Stop blaming Windows-usage on "management."

    Stop.

    IT is the real problem.

    You're in IT? Notify the upper-management about the best tools available then implement those tools. If you can't make a reasonable argument why Windows is a hazard then get another career and move over for someone that can. It is POSSIBLE.

    IT departments are the problem and Windows will be the dominant OS for decades to come until more IT "men" grow some balls.

  16. Re:Redunancy by Anonymous Coward · · Score: 2, Funny

    Windows XP *IS* Windows 3.11. We perceive the thought form at the root of each and merely hypostatize a different product because we believe in the illusion of time.

  17. Re:50% by jesser · · Score: 2, Funny

    90% of all statistics are made up

    Where did you hear that? I thought it was only 60%.

    --
    The shareholder is always right.
  18. Re:Step one by crimethinker · · Score: 4, Insightful
    You're only partly correct. If you put the windoze box behind a NAT, you won't get 0WN3D by all of the remote exploits, but that's only half of the solution. You're still vulnerable to virus-laden e-mails (especially if you use MS Outhouse) and malicious web pages (if you use IE).

    Yes, you and I have a clue and use something else for mail and web, but most home users are not savvy enough to switch away from the vulnerable products, and worms and viruses will continue to spread through these channels for some time to come.

    -paul

    --
    Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
  19. Re:Step one by AgntOrnge · · Score: 1

    Or any NAT router or a decent hardware based firewall etc. And I'd rather it be some proprietary OS like Cisco IOS so I don't have to worry about securing my OS to secure my OS.

  20. Re:Step one by Marxist+Hacker+42 · · Score: 2, Interesting

    The point is to download the Windoze updates *before* even running Outhouse or IE. And of course, following all the rest of the advice in the above document in setup, before doing ANYTHING on the web.

    I'm also strongly of the opinion that home users that don't take precautions in this day and age deserve to have their boxen 0wn3d. And then have their ISP shut them down and isolate those boxen.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  21. Step two by Wild+Bill+TX · · Score: 1

    Step two: FDISK!

    1. Re:Step Two by Marxist+Hacker+42 · · Score: 1

      And thus the worm hits you before you've configured your proxy. The problem with proxies is that your internal machine is still open to the wider net. Which is the same problem with putting an unpatched Windows box on your LAN. A NAT will give you a layer of firewall protection between your open ports and the WAN.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    2. Re:Step two by TedCheshireAcad · · Score: 2, Funny

      Step 3.....profit?

    3. Re:Step Two by Anonymous Coward · · Score: 0

      I believe the previous poster means that you have a private IP without any NAT or routing to the Internet. Then, the only access to the Internet is via a proxy. This could be more secure than using NAT as it's harder for machines to communicate with you (you can't even talk to them without the proxy) and you could potentially filter nasty bits before it hits the proxied machine. Albeit not perfect, it is at least as secure as NAT and potentially more so.

  22. Re:Redunancy by ClosedSource · · Score: 0, Offtopic

    99% of Windows 3.11 machines have never been connected to the Internet, so I don't think we'd know if there were any security holes.

  23. Re:Step one by Marxist+Hacker+42 · · Score: 2, Informative

    You mean like Cisco's Linksys routers- which are linux based? Still, yes, certainly a hardware (Flash Rom) based solution helps quite a bit, and is less troublesome to set up.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  24. Quick way to get the post-SP1 pre-SP2 updates by semifamous · · Score: 5, Informative

    Quick way to get the post-SP1 pre-SP2 updates:

    AutoPatcher

    This is a good thing if you need to reinstall Windows soon before SP2 comes out.

    Even after SP2 comes out and it shrinks in size, the features it allows you to change are great.

    1. Re:Quick way to get the post-SP1 pre-SP2 updates by poulbailey · · Score: 1

      > AutoPatcher

      Let me get this straight; you trust security updates from a site that chooses to use warez (!) newsgroups as one of its distribution systems?

    2. Re:Quick way to get the post-SP1 pre-SP2 updates by mattOzan · · Score: 4, Informative

      Even better way to get all those hotfixes RIGHT ONTO YOUR CD, so you don't have to muck about with downloading updates and waiting for them to install: XPCREATE: The XP Distribution CD Creator with Hotfix Slipstreaming

    3. Re:Quick way to get the post-SP1 pre-SP2 updates by bill_mcgonigle · · Score: 1

      In case anyone tries this out to help out a windows friend like I did, the download format is a self-expanding EXE. You have to run it on a windows machine to create the archive, which you can then burn onto a CD.

      Note to autopatcher guys - cool product but give us ZIP at least.

      My grandpa's computer needed 149 updates...

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  25. Re:Redunancy by Anonymous Coward · · Score: 0

    Well, you and your parent can't both be right. As a matter of fact, you're both wrong.

  26. Step Two by silas_moeckel · · Score: 1

    Forget about NAT and start running proxies for anything you need. Worms will keep working as long as they can get out. Proxies can help with not allowing the stupid stuff in and running all sorts of malware scanning but it's very important to stop the spread as well. NAT is good for things you can't proxy like games.

    --
    No sir I dont like it.
  27. Draft? by Anonymous Coward · · Score: 0

    Did anybody else notice that it is still set as a Draft? I guess they aren't even sure they got everything.

  28. Obvious? by IGnatius+T+Foobar · · Score: 1, Insightful

    This is not a troll.

    It should be patently obvious that if Windows XP requires that much effort to use securely, it means that the software itself is insecure by nature, and you probably shouldn't be using it.

    As a famous computer once said: "The only winning move is not to play."

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:Obvious? by Anonvmous+Coward · · Score: 1, Insightful

      "It should be patently obvious that if Windows XP requires that much effort to use securely, it means that the software itself is insecure by nature, and you probably shouldn't be using it."

      And Linux is better? It's not secure. You still have to install patches and updates and the like. You have to put the work in either way, might as well go with the OS that does the things you wanna do. In other words, us gamers are not swayed by your argument.

    2. Re:Obvious? by duffbeer703 · · Score: 1

      Oh yeah? Try setting up Unix machines without hardening and see what happens.

      https://www.unc.edu/security/sans.html

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    3. Re:Obvious? by Anonymous Coward · · Score: 0


      so basically you're saying that Windows systems should be only used as game devices, meaning Windows is a toy OS.

      I'll agree.

    4. Re:Obvious? by Anonymous Coward · · Score: 0

      Well, according to Theo de Raadt, "Only one remote hole in the default install, in more than 8 years!"

      Oh, wait. I'm sorry, you said "Unix" (which I'm actually not sure exists, I'll give you the benefit of the doubt and assume you meant "UNIX"), which means you wish me to pay lots of money for a closed, proprietary OS with prohibitive licensing issues. Hmm. No thanks. Did that with Windows. In the words of Mr. Horse from Ren and Stimpy: "Well sir, I don't think I have a use for rubber nipples!"

  29. I only use xp for games lately by Cyberhwk · · Score: 2, Insightful

    I've only kept my XP box around for games, movies, and entertainment. If I have to do something that needs to be secure I either use mac osx or linux. I try to avoid the IE browser except when reading webcomics or news and I do online banking far away from IE but I'm not worried about that cause I'm pretty sure my money is still federally insured under a plan that I forgot its name. I like XP for games and that is about it so far besides movies. I just hope SP2 doesn't ruin compatibility to some of my old favorites like Fallout 2

    1. Re:I only use xp for games lately by marnargulus · · Score: 1

      Firefox will handle all your webcomics just fine, not to mention it will allow you to get rid of the keenspace banners, etc...

    2. Re:I only use xp for games lately by Cyberhwk · · Score: 1

      Why would I want to get rid of the keenspace banners? Doesn't that help support the comics? I prefer the normal mozilla over firefox. No reason for it just habit. I use IE to go surf my comics cause I have the google tool bar in it and I can easily blog it. I also visit them with osx using the blog this link.

    3. Re:I only use xp for games lately by vigilology · · Score: 1

      Same here. For me, Microsoft make a good games OS and that's it. Oh and good hardware. They should stick to what they're good at.

    4. Re:I only use xp for games lately by siliconjunkie · · Score: 1

      I've only kept my XP box around for games, movies, and entertainment

      I can see your point with games...but movies and entertainment? What can XP do that linux and mac cannot in the media arena?

    5. Re:I only use xp for games lately by Cyberhwk · · Score: 1

      I started copying my music library to my computer a long time ago and I was using WMA. And I have a video card with windows drivers. I don't feel the need to go change what isn't broken yet.

    6. Re:I only use xp for games lately by siliconjunkie · · Score: 1

      OH. OK. I assumed when you said If I have to do something that needs to be secure I either use mac osx or linux that you had a Mac running OSX and a linux box lying around, in which case I would question your decision to use XP for media (especially if a mac w/ OSX is available for use)

    7. Re:I only use xp for games lately by Cyberhwk · · Score: 1

      Heh my mac is an ibook G4 with only a CD drive. Good for music but I have to transfer mpegs over to it from my other computers.

  30. Ho-hum... let the MS-bashing begin. by TheTXLibra · · Score: 1, Flamebait
    Things You'll always see in a slashdot thread regarding Microsoft:
    1. "Microsoft ripped off/ruined XXXXXXX!"
    2. "Windows sUx0rZ! Use Linux instead."
    3. "Blah, blah, Bill Gates ate my balls, blah."
    4. "They must have used IE! LOL!"
    5. "Blahblah, William Henry Gates, blah, hexidecimal, blah 666, blah."
    Amusing, all of them, but couldn't we just bundle all the posts that do nothing but bash MS with some over-used catchphrase into a scripted category? Automatically, every time a story regarding Microsoft or Bill Gates comes out, a script will automatically generate the above comments in a separate thread, and if someone can think of an original bash to say, they can just add it to the list. With time and effort, the script will grow to a good....10 or 20 insults.
    --
    -The Libra
    "Please be patient--The future will begin momentarily."
    1. Re:Ho-hum... let the MS-bashing begin. by Master+Bait · · Score: 1
      6. Windows -- low-brow ignorant beginner's crap.

      --
      "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
      --Tom Schulman
    2. Re:Ho-hum... let the MS-bashing begin. by bandar8338 · · Score: 1

      Ooh! I've got one!

      6. Fix for (insert exploit here):
      Format C:\
      Install (favorite distro)

      Honestly, I think I've seen this more than actual comments on /.

  31. Reminds me of Bastille linux by mentatchris · · Score: 5, Insightful

    I just briefly read thru that document. It is an excellent read. Lots of the things they mention are fairly well known, but to have it all grouped together in a comprehensive document is a real godsend. Reminds me A LOT of bastille linux.
    There is a huge advantage to have predefined profiles you can apply. I imagine myself using these security profiles to harden family member's PCs. I usually have neither the time nor the inclination to lock down my mother's computer.... so having some defaults and a quick checklist will save me a TON of time in the long run.
    It's also nice to be able to send someone a link and tell them "Do this stuff" rather than walk them thru all the things they need to do to be safe. As I am sure most Slashdot readers have experienced, the unending number of tech calls from friends and family gets old after a little while. I think this document will help restore the free time that Uncle Bill has taken from me.

    1. Re:Reminds me of Bastille linux by Anonymous Coward · · Score: 4, Interesting
      The problem with Linux is all the non-orthogonal options, and trying to figure out how they interact. To wit,
      • standard "chmod" permissions
      • extended attribute "chattr" permissions
      • bastille linux on top of the above
      • access control lists
      • Kerberos
      • Pam
      • selinux
      • ssh
      • beecrypt
      • sasl
      • dozens more miscellaneous options and utilities.
      I wish there would be a unified solution. There are various bits of overlap, and the permutations of the above lead to quite a bit of complexity. Of course, as far as I know XP is not one bit simpler.
    2. Re:Reminds me of Bastille linux by Anonymous Coward · · Score: 0

      Not likely that you'll be saving any time. You will get endless calls asking you to install this, make that work, etc.. These hardened installs are a mother to get stuff working correctly on. Applied sensibly, a lot of this stuff is good, but if you just blindly apply it all, things are gonna break, and they'll just start running as admin.

    3. Re:Reminds me of Bastille linux by dmaxwell · · Score: 1

      The Bastille Linux of which the grandparent spoke is not a distribution. It is a hardening script that is designed to implement the Linux Security HOWTO. There are versions of it for all major distributions. Bastille gives you a sane security base on which to start building a server or workstation.

      What you're asking for isn't all that reasonable. Linux can be used for a myriad of purposes so all that stuff wouldn't necessarily be installed. It is possible to automate quite a bit of security for say home desktop users but a server admin will always have to be aware of the ramifications his choices have. This is true regardless of the OS you're using.

      Security isn't something you can just throw in a box and install with a couple of clicks after inserting a CD. Security means different things in different contexts and increasing security ALWAYS entails tradeoffs vs. functionality and convenience.

      The closest thing I know of to "integrated security" is OpenBSD whose security is mainly a function of conscious best practices. One thing it does not do is hold your hand.

    4. Re:Reminds me of Bastille linux by vadim_t · · Score: 4, Informative

      Many of those have nothing in common. Please at least do some reading on this stuff.

      Bastille was a script that tweaked things for you last time I checked. It does nothing you can't do by editing config files and using chmod if you know how.

      ACLs are approximately a WinNT-like permission system for Linux.

      selinux goes MUCH further, adding capabilities that didn't exist before, making it possible to precisely specify what a process is supposed to do and what not. While quite complicated, it allows doing nifty things.

      PAM has a unique purpose - handling authentication. If you want your users to use a smartcard or a fingerprint reader, that's what you need.

      ssh is an encrypted telnet (simplifying things a bit)

      sasl is an encryption library, beecrypt is another.

      kerberos is an authentication method - which has absolutely nothing to do with things like filesystem permissions.

      So, where are those interactions you talk about? SeLinux with all its power has nothing to do with encryption and doesn't replace it. Different encryption libraries don't conflict with each other and in most cases users don't even need to deal with them. PAM could be said to be related to SeLinux a tiny bit, but they do very different things. SeLinux handles permissions, while PAM defines how users are authenticated to the OS. Kerberos is just a protocol.

    5. Re:Reminds me of Bastille linux by Anonymous Coward · · Score: 1, Informative
      You are trying to gloss over the complexity. And Kerberos is hardly "just a protocol", it is a type of authentication, so it shares something with pam. Kerberos controls access by issuing authentication tokens, i.e. "tickets".

      Furthermore, just think of all the other duplicated access control mechanisms:

      • /etc/hosts.allow
      • /etc/hosts.deny
      • /etc/hosts.equiv
      • ~/.rhosts
      • /etc/ftpaccess
      • /etc/rsyncd.conf
      Jeez, there are sure to be many more that I've overlooked. You can't wave your hands and pretend that this complexity doesn't exist. That solves nothing.
    6. Re:Reminds me of Bastille linux by vadim_t · · Score: 0

      Right, kerberos shares something with PAM, that it can be implemented in a PAM module. I don't see what's the problem there, makes perfect sense to me.

      hosts.allow and hosts.deny deal with a very simple thing: what computers are allowed to access what services. This can be replaced by a firewall.

      hosts.equiv and rhosts are for tools like rsh, which these days should be considered obsolete and deprecated by ssh.

      files like ftpaccess and rsyncd.conf contain configuration specific to services. I don't see how that's in conflict with hosts.allow either. It's very simple. hosts.allow determines what computers can use the FTP service. Then, ftpaccess determines options relevant only to FTP.

      So, how does all this work together? Very simple.

      hosts.allow determines which computers are allowed to connect to telnet

      PAM determines how you can authenticate to telnet (for example, asking for a username and password, and verifying against the right database)

      a config file then is read by the daemon to configure telnet-specific options.

      So, what's the problem here? It's a perfect implementation of the Unix philosophy. Every tool does its own job.

      PAM doesn't need to be concerned about what computers on the network are allowed - that can be done with hosts.allow or a firewall. It doesn't need to be concerned with a daemon's configuration either. Any of these layers can be replaced without touching the rest.
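
Added example (not part of the thread or any poster's code): a simplified Python model of the tcp_wrappers decision order behind the hosts.allow / hosts.deny layer described in the comment above. The rule text, daemon names and addresses are constructed samples, and only a subset of the pattern syntax (ALL, exact match, address prefix, domain suffix) is handled.

```python
"""Simplified model of the tcp_wrappers access check (hosts.allow / hosts.deny)."""

# Constructed sample rule files; daemon names and addresses are illustrative.
HOSTS_ALLOW = """\
# daemon_list : client_list
in.telnetd : 192.168.1.
sshd       : ALL
in.ftpd    : .example.org, 10.0.0.5
"""

HOSTS_DENY = """\
in.telnetd : ALL
in.ftpd    : ALL
"""


def _split_list(field):
    """List items are separated by blanks and/or commas."""
    return field.replace(",", " ").split()


def parse_rules(text):
    """Return [(daemons, clients), ...] for each 'daemon_list : client_list' line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]  # optional shell command is ignored
        rules.append((_split_list(daemons), _split_list(clients)))
    return rules


def pattern_matches(pattern, client_ip, client_name):
    """Match one client pattern against the connecting host."""
    name = client_name.lower() if client_name else None
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # domain suffix, e.g. .example.org
        return name is not None and name.endswith(pattern.lower())
    if pattern.endswith("."):     # address prefix, e.g. 192.168.1.
        return client_ip.startswith(pattern)
    return pattern == client_ip or (name is not None and pattern.lower() == name)


def any_rule_matches(rules, daemon, client_ip, client_name):
    """True if some rule lists this daemon and a pattern matching the client."""
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(pattern_matches(p, client_ip, client_name) for p in clients):
                return True
    return False


def access_decision(daemon, client_ip, client_name=None,
                    allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the documented order: allow file, then deny file, then grant."""
    if any_rule_matches(parse_rules(allow_text), daemon, client_ip, client_name):
        return "allow (hosts.allow)"
    if any_rule_matches(parse_rules(deny_text), daemon, client_ip, client_name):
        return "deny (hosts.deny)"
    # No rule in either file matched: access is granted by default.
    return "allow (no rule matched)"


if __name__ == "__main__":
    checks = [
        ("in.telnetd", "192.168.1.20", None),
        ("in.telnetd", "203.0.113.9", None),
        ("in.ftpd", "198.51.100.7", "mirror.example.org"),
        ("rsyncd", "203.0.113.9", None),  # daemon absent from both files
    ]
    for daemon, ip, name in checks:
        print(daemon, ip, name or "-", "->", access_decision(daemon, ip, name))
```

The last sample case shows why hardened setups end hosts.deny with a catch-all `ALL : ALL` line: a daemon that appears in neither file is reachable from anywhere unless a firewall or the daemon's own configuration says otherwise.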

    7. Re:Reminds me of Bastille linux by Anonymous Coward · · Score: 0

      Joe Stockbroker needs an easier way to secure his system. You are talking like a geek and ignoring the problems civilians face when confronted with dozens of security options. It may be simple to you; it is not simple to ordinary users.

    8. Re:Reminds me of Bastille linux by vadim_t · · Score: 1

      Joe Stockbroker just installs a distribution and uses that, like he does with Windows. The Windows equivalent of this is tweaking things in the management console, and I'm pretty sure Joe Stockbroker almost certainly hasn't heard of it. This stuff is for sysadmins.

      99% of people don't need to mess with PAM, hosts.deny or things like that because the defaults are sane. Now, in a big corporate environment the sysadmin will probably tweak all of that, but most home users can live without knowing anything about it. In several years of using Linux I only needed to read documentation on PAM when I decided to try to write a module for it, and that was just an experiment.

      In any case, it's an unfortunate fact that security configuration can't be simple. Even the most user friendly Windows tools like Zone Alarm are horribly confusing for this hypothetical Joe Stockbroker. "services.exe wants to access the Internet, do you want to allow it?"

    9. Re:Reminds me of Bastille linux by jonadab · · Score: 1

      > increasing security ALWAYS entails tradeoffs vs. functionality and convenience

      In theory, it always means that. In practice, some of the things being
      traded off are of no value to the vast overwhelming majority of us. For
      example, the tradeoffs involved in using Pegasus Mail instead of Outlook
      are in almost all cases negligible, and there are more advantages than only
      security as far as that goes.

      Your point is basically right, though. Security is not a feature that you add.
      Security is knowing the implications of your setup and being aware of the
      ramifications of your choices.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  32. Step Three by MrR0p3r · · Score: 1

    Don't download zips from the internet and open them on your winxp machine.

    --
    Whatever man, I spelled it write!
  33. Sorry about the Bold print. Accident. by TheTXLibra · · Score: 0, Offtopic

    The bold print was an accident of not closing my tags, not an attempt to get my post more attention or to be a troll.

    --
    -The Libra
    "Please be patient--The future will begin momentarily."
  34. Re:50% by Pharmboy · · Score: 5, Insightful

    You're in IT? Notify the upper-management about the best tools available then implement those tools. If you can't make a reasonable argument why Windows is a hazard then get another career and move over for someone that can. It is POSSIBLE.

    IT departments are the problem and Windows will be the dominant OS for decades to come until more IT "men" grow some balls.


    HA! Just ask the boss for money and he gives it to you? That's rich. So, if windows allows an email client to arbitrarily execute code in an email, it's the IT dept's fault? If Windows IIS allows you to run code by simply sending a malformed URL, it's the IT dept's fault? So, the solution is buy yet more software, that will not know about these exploits until they are exposed anyway, so is useless for unknown (but will be discovered) vulnerabilities?

    And MS is the good guy and the IT guys are the bad guys, because all they have to do is go spend a bunch of money to secure an operating system they already paid a lot of money for? And if the company is dependent on software that will only run on Windows for a year or two, it's the IT dept's fault if the boss won't change to Linux?

    I gotta admit, I did enjoy the "grow some balls", coming from an AC. You sound more like a pissed off 20 year old who just finished a program at Devry and can't believe someone won't hire him for $80k.

    --
    Tequila: It's not just for breakfast anymore!
  35. Re:50% by Anonvmous+Coward · · Score: 1

    "Fifty percent of those problems are IE problems."

    And, in an earth shattering coincidence, it's also the main app that actually goes out to the net and pulls data down. Other browsers need be very wary of this issue as well. Just ask the Mac users out there that thought they were downloading Word 04.

  36. I'd read through that.... by nukem1999 · · Score: 5, Funny

    but I'm not supposed to download unknown zip files on my Windows machine.

    1. Re:I'd read through that.... by Anonymous Coward · · Score: 0

      Type the URL into the address bar.

  37. Re:Redunancy by Anonymous Coward · · Score: 0

    Thanks for the fine aneurysm inducing comment. Here let me return the favor: If it hadn't been for my horse, I wouldn't have spent that year in college.

  38. "in effectively securing Windows XP systems" by Alexis+de+Torquemada · · Score: 3, Funny

    There are already a lot of people who can do this. Well, without the first blank, that is.

  39. Re:isolate... from hardware by axis-techno-geek · · Score: 1, Funny
    Take XP disc, lock it in the safe so nobody can "install" it by accident.

    Load Linux. :)

    --
    This is not the sig line you are looking for... -- Old Jedi Sig Line Trick
  40. Re:50% by Phibz · · Score: 2, Funny

    I had heard it as "A survey once showed that 50% of all statistics are wrong 90% of the time." :-D

    Phibz

  41. Re:I am a 23 year old virgin by Anonymous Coward · · Score: 0

    Buy a nice outfit at Banana Republic, spend at least 150 between pants and a shirt. Get a nice pair of shoes and a belt too. Get a cool watch down at some jewelry store, keep it simple. Go get a REAL haircut at a salon (hint, not Cost Cutters). Now you should be pretty confident. Maybe go take a dance lesson or two. Somehow get invited to a party or head out for a night on the town. Buy drinks for anyone you're interested in, but only flirt a little, if at all. You should have sex within a week.

  42. Wrong by Anonymous Coward · · Score: 0

    Doesn't it seem wrong that this came from NIST and not Microsoft?

  43. Re:Redunancy by Anonymous Coward · · Score: 0

    If Windows is just a state of mind, I fear for the future of humanity.

  44. S.U.S. by Aliencow · · Score: 1

    Great free tool to deploy security updates if you complement it with a few VBScripts to check the status of the GPO and to force deployment...
    Too bad version 2 which will support Office, IIS and SQL patches keeps getting delayed..

  45. "effectively securing Windows XP systems" by WarMonkey · · Score: 3, Funny


    effectively securing Windows XP systems

    That's the great thing about Slashdot -- timely reviews of only the very best science-fiction literature.

    --
    -- I could tell right away that she was impressed with my HUGE Slashdot Karma.
  46. Re:50% by TMacPhail · · Score: 1

    And 75% of the people who are told that that believe it.

  47. Free Windows Security Update CD by not_hylas(+) · · Score: 4, Informative

    http://www.microsoft.com/security/protect/cd/order.asp

    See? Wasn't that easy?

    --
    ~hylas
    1. Re:Free Windows Security Update CD by bandar8338 · · Score: 1

      It's a good start, but it's only updated until October 2003. Slipstreaming hotfixes and making a fully patched WinXP CD is pretty easy actually...go to www.msfn.org for a guide (or look for XPCREATE on google). The newest version will automatically download all the updates too.

    2. Re:Free Windows Security Update CD by Eraser_ · · Score: 1

      Not so much. I tried to order the CD from Mozilla on my FreeBSD workstation and it told me I don't have cookies enabled. The website switches from www.microsoft.com to oms.one.microsoft.com and complains about no cookies being set. Strange.

    3. Re:Free Windows Security Update CD by Zemplar · · Score: 0

      I'll send you mine. Once it finally arrived, I was rather disappointed in the content.

      The security CD was lacking any real "meat" to make it worth ordering IMHO.

      Perhaps they should have just sent a CD with FreeBSD 5.2.1 on it?

    4. Re:Free Windows Security Update CD by canavan · · Score: 1

      Try ordering one for germany:

      We're sorry, but there is no Microsoft.com Web page matching your entry. It is possible that you typed the address incorrectly, or that the page no longer exists. You may wish to try another entry or to use the links below, which we hope will help provide you with the information you need.

      No, it doesn't and it's been like this for 3 months now, I think, so they really do care about security. There's a workaround - choose "switzerland (german)" and later, when giving your address, select "germany" for both billing and shipping address before filling in anything else (otherwise you'll end up writing everything 4 times, since they left out the useful "copy" button for the shipping address).

    5. Re:Free Windows Security Update CD by Anonymous Coward · · Score: 0

      If you select 'Netherlands', you don't get the option to order a free CD at all, just a three-step plan to activate items MS should have activated for you already.

    6. Re:Free Windows Security Update CD by Eraser_ · · Score: 1

      I mainly wanted it as a way to stick it to the man, $1 at a time. :) I will put it with my Y2K bug-fix CD.

      And why send out 5.2.1 cds? Aren't you CVSup'd to -CURRENT? :P

    7. Re:Free Windows Security Update CD by Zemplar · · Score: 0

      I just figured that FreeBSD 5.2.1 would be THE security fix for Windows!

  48. Re:50% by Anonymous Coward · · Score: 2, Funny
    Just ask the Mac users out there that thought they were downloading Word 04.
    Well those people are just idiots...

    Especially the one quoted in the article: "I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta."

    Strike Three! You're OUT!
  49. Re:50% by Zebano · · Score: 1

    I thought that was 92.3% of all statistics are made up? :)

    --
    You hate your job? There's a support group for that. It's called "everybody" and they meet at the bar. -Drew Carey.
  50. Re:Step one by motorsabbath · · Score: 1

    Blaming the consumer for the actions of some poorly designed, incompetently manufactured product instead of blaming the product's creator isn't really all that smart in a capitalist system. However, within that same system, once a monopoly has been allowed to run unchecked and now swamps the planet to 90%+ penetration with the aforementioned engineering abomination, it gets very difficult to do anything about it.

    Don't blame me, I don't use it, and neither does my Mom or my niece and nephew.

    --
    The heat from below can burn your eyes out
  51. I'm being double charged by maximilln · · Score: 2, Insightful

    Glad to know that my taxpayer dollars not only go to subsidize their schooling and subsidize their certification programs but also to generate a nice neat HOWTO manual for them to do their jobs.

    No wonder there's so many pencils stuck in the ceiling.

    --
    +++ATHZ 99:5:80
  52. How to install Windows XP in 5 hours or less by spoonyfork · · Score: 5, Insightful
    From Mark Pilgrim's How to install Windows XP in 5 hours or less:

    1. Back up entire d: drive to iMac upstairs. rsync rocks.
    2. Find Windows XP install disc.
    3. Reboot with Windows XP install disc.
    4. Asked for product activation. Curse Microsoft.
    5. Search my house in vain for my original, 100% legitimate, retail Windows XP box.
    6. Reboot.
    7. Search control panels in vain for a window, dialog, tab, or pane that displays my current product key.
    8. Search Google for "windows xp get current product key".
    9. Find a utility on a cracker web page in Russia that displays the current product key. This is one of the more lame utilities, since most of the good ones allow you to change it. I don't wish to change it; I actually have a perfectly good product key, I just don't know what it is.
    10. Reboot with Windows XP install disc.
    11. Reboot repeatedly as required.
    12. Boot screen. Choose between "Windows XP Professional" and "Windows XP Professional". Brilliant. Pick one. The wrong one. Boot into fucked Windows XP install. Hard reboot. Pick the right one. Make mental note to hack boot.ini later.
    13. "Welcome to Windows XP. You have no useful programs and no internet access. You have 30 days left for activation. Would you like to activate now?" Yes, I would, but I have no internet access.
    14. Unnecessarily loud and cheerful startup noises. Make mental note to turn off all sounds later.
    15. Search the "Network and Internet Connections" wizards in vain for some way to set up my Linksys wireless card. Having never done a clean install of XP (I previously upgraded from Windows 2000), and having been moderately impressed by the new wireless networking features in XP, I naively assumed this would "just work". Silly rabbit.
    16. Search my house for my Linksys wireless card driver install disc. Find the install disc that came with the old card, that broke and was replaced by the new-and-improved version 3.0 card. Wonder if that will suffice.
    17. Fight with the "Add New Hardware Wizard" trying to install the obviously inferior drivers off this disc.
    18. Wonder where the "Device Manager" is hiding.
    19. Find the "Device Manager". Right-click on the unknown device, "Linksys_Instant_Wireless_Card". Update driver. "Windows was unable to locate a driver for this device. Would you like to search on the internet?" Yes, I'd love to, but I can't, you moron. Install driver from specific location. Specify WIN2000 folder on old-and-inferior install disc.
    20. "This driver is not digitally signed." OK.
    21. "This driver may cause your computer to become unstable." OK.
    22. "This driver may anally rape your mother while pouring sugar down your gas tank." OK.
    23. Nothing. No connection, no internet access, no acknowledgment of any device whatsoever.
    24. Reboot.
    25. Doesn't work.
    26. "Take a tour of Windows XP!" I am.
    27. Reboot.
    28. Doesn't work.
    29. Dig out old wired PCMCIA card. Take computer upstairs. Plug directly into switch. cmd. ipconfig. We have an IP address. ping www.google.com. We have name resolution and internet access.
    30. Fire up Internet Explorer. runonce.msn.com. No. www.linksys.com. Support. Downloads. WPC11. Windows XP. Linksys.com rocks.
    31. Insert Linksys wireless card.
    32. Back to Device Manager.
    33. Uninstall old-and-inferior driver.
    34. Update driver.
    35. "This driver is not digitally signed." OK.
    36. "This driver may cause your computer to become unstable." OK.
    37. "This driver may…" OK.
    38. cmd. ipconfig. We have internet access.
    39. "Add your .NET Passport to Windows XP!" No.
    40. Fire up Internet Explorer. www.msn.com. No. www.mozilla.org. Download Mozilla.
    41. Realize I should create an "f8dy" user because it will make my life easier later.
    42. Create "f8dy" as an administrator. Log out. Log in.
    43. Install Mozilla. Yes, I would like to make you my default

    --
    Speak truth to power.
    1. Re:How to install Windows XP in 5 hours or less by Anonymous Coward · · Score: 2, Funny

      There's two more steps

      148. System continually bluescreens on boot.
      149. Go to step 1

    2. Re:How to install Windows XP in 5 hours or less by John+Whorfin · · Score: 2, Insightful

      Good God man, wouldn't finding a freaking Linux CD be easier?

    3. Re:How to install Windows XP in 5 hours or less by Anonymous Coward · · Score: 0

      Well, you can see his problem, he installs all this commie open-source stuff, instead of using what Microsoft gives him and liking it!

    4. Re:How to install Windows XP in 5 hours or less by Mordaximus · · Score: 1

      Sucker, he could have installed $DISTRO and used the extra 4.5 hours saved to get the XP Tour and SP1 running in Wine! :)

    5. Re:How to install Windows XP in 5 hours or less by Anonymous Coward · · Score: 0

      I didn't think it was possible for anyone to have a harder time with an XP install than me, but you have done exactly that. God bless you my horribly suffering friend. Bwahahahaha! Ha ha ha ha ha ha! Tee hee, tee hee! There. I feel so much better now. I might even be able to skip the meds today.

    6. Re:How to install Windows XP in 5 hours or less by advocate_one · · Score: 1

      Five hours!!! that's a bit optimistic isn't it???

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    7. Re:How to install Windows XP in 5 hours or less by Anonymous Coward · · Score: 1, Interesting

      And people are whining about compiling things in Gentoo? Heck, at least I don't have to sit around and wait while Gentoo compiles -- I just go off and do other things.

      Man...I'm glad I don't use XP anymore. All of the above sounds very very painful.

    8. Re:How to install Windows XP in 5 hours or less by CdBee · · Score: 1

      If you had ready the XP deployment tools, you could have created a winnt.sif file (plain text, manually edited) which placed on a floppy disk in the drive, or in /i386 on the windows install disk (need WinISO and nero to do this) automates the install and allows you to specify classic theme, classic start menu, not installing msn messenger or explorer or wordpad or games or other crap..

      Oh and you can slipstream the disk with SP1 to save a LOT of time downloading too. I'm typing this from a clean install which took just 35 mins from reboot with CD to getting online fully patched to SP1 state.

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    9. Re:How to install Windows XP in 5 hours or less by ElderKorean · · Score: 1

      Shouldn't you have got a worm/virus when you connected to the internet after step 29. - that's what I'd been led to believe.

    10. Re:How to install Windows XP in 5 hours or less by Anonymous Coward · · Score: 0

      Been there, now I'm with Linux. Not trolling, back with MS Blaster, I had to reinstall MS Windows for some reason (can't remember) and it took less than five minutes (can't remember exactly... 3 or 4 minutes) for it to hit me. I could have worked around it, but it was easier to just install linux and leave windows for the games that wouldn't run on linux (not many these days).

  53. Obvious by Anonymous Coward · · Score: 0

    Yes, I've been thinking of this.

    You use windows, you have to buy windows, install anti-virus software, firewall software, anti-spyware software (the free versions require repeated updating and could disappear arbitrarily at any time), configure a lot of stuff, and you STILL don't get complete control over your box.

    But somehow people put up with this, and somehow (at least according to MS) Windows has a lower TCO.

    1. Re:Obvious by NanoGator · · Score: 1

      "But somehow people put up with this, and somehow (at least according to MS) Windows has a lower TCO."

      We put up with it so we don't have to go search Google for obscure things like the setting up of dual monitors.

      --
      "Derp de derp."
    2. Re:Obvious by mingot · · Score: 3, Informative

      Dunno. I've done just fine with a years old Linksys router. No AV, no anti-spyware software, and pretty much no configuration on the boxes themselves. Oh, and using Outlook and IE.

      How have I gone literally YEARS without a virus, worm, or piece of spyware? Quite simple.

      1. I don't steal other people's work. This has two implications. I don't install file sharing software which is most always loaded with spyware. The other is that I don't download software of dubious origin.

      2. I don't run executable content I get through email unless I know the source and am expecting the file. Outlook has not auto run scripts in years now.

      3. I limit the items that I do download to execute to those that are well known and from sites that I trust. I DO NOT go and download every screen saver I can find on the internet like a LOT of other idiots do. You'd be surprised at the amount of shit that creeps in through the installs of these whores.

      4. When the little popup says that updates are available I install them. That simple. For software that I use which is not included in the windows update I check the sites regularly (if they are software that is susceptible to this sort of thing).

      No cost, save the router. All common sense and situational awareness when I surf. The people who have computers loaded with spyware lack this. And Linux/OSX/FreeBSD are NOT going to save them from themselves.

    3. Re:Obvious by Kjella · · Score: 4, Insightful

      2. I don't run executable content I get through email unless I know the source and am expecting the file. Outlook has not auto run scripts in years now. (...) The other is that I don't download software of dubious origin.

      Last I checked, IE ran executable code automagically due to a buffer overflow late last year, not sure if there are any such bugs this year.

      Anyway, I realize what you're trying to say but it is still a poor situation. It's like saying "Yeah, I drive a crappy and hazardous car with poor brakes, but I'm a good driver and drive defensively so I don't get into any accidents anyway."

      And regardless of how obvious it may seem to you, it is not common sense. It's your computer knowledge. Don't confuse common sense with logic. It is logical to you because you know how a computer works. It is not logical to a person that doesn't know what's inside that beige box, and has no idea what an OS is or does. And that really have no idea what is nor should be happening when they open a file.

      People have no clue what makes up a "dubious" origin. Hell, RealPlayer counts as dubious in my book (once a villain, always a villain), while an OSS project who has no corporate backing, not knowing any of the coders, is usually less dubious. How do you know which are reputable companies? Knowledge, which implies that it is not common sense.

      Kjella

      --
      Live today, because you never know what tomorrow brings
    4. Re:Obvious by Anonymous Coward · · Score: 0

      Hey buddy, what's your IP address again?

    5. Re:Obvious by mingot · · Score: 1

      192.168.1.10 :) Have fun with that!

    6. Re:Obvious by mingot · · Score: 1

      Last I checked, IE ran executable code automagically due to a buffer overflow late last year, not sure if there are any such bugs this year.

      I patch. Sooner or later I guess my luck could run out, but I expect Firefox (even though it, the most popular open source browser, cannot properly render the most popular open source advocacy site) to start stealing marketshare. When this happens MS will either get off its ass and fix/improve IE or I'll end up switching to Firefox for the added features. Firefox was not quite a "better mousetrap" the last time I checked (0.9.1), but it was getting damn close, and when that happens I switch.

      People have no clue what makes up a "dubious" origin. Hell, RealPlayer counts as dubious in my book (once a villain, always a villain), while an OSS project who has no corporate backing, not knowing any of the coders, is usually less dubious. How do you know which are reputable companies? Knowledge, which implies that it is not common sense.

      When I said "dubious" what I really meant to say was "l33t zer0 day juarez". Simply not screwing around with warez/mp3z/etcz limits your exposure to malware in a big way.

      When it comes to downloading other things it still seems like common sense to me. When the website looks like jeffk authored and the software is claiming to help you grow your penis by 2 inches I usually take a pass. When the download is from a company website and there are some reviews to be found I feel fairly safe.

      Oh hell, maybe I *am* just a smart guy with lots of technical knowledge. But then again, I use windows so THAT can't be possible.

    7. Re:Obvious by fleagal271 · · Score: 1
      'Common sense' and 'computer knowledge' - easily mistaken. I work with many administrative staff who always refer to their monitor as the computer and the PC as 'the box'.

      An amusing story was of a secretary who decided to clean her keyboard only to discover that her PC was behaving oddly. I had seen her cleaning the keyboard earlier and asked whether she had left the PC switched on. "It's not that" she said "I switched the computer off - like this" and switched the monitor off. I naturally explained to her in my most sarcastic, condescending tone that switching the monitor off does not disable the keyboard or switch off the PC.

      Getting back to the point, firewalls, anti-virus, ad-aware and the like are all to prevent or undo malicious programming - the less experienced the user the more protection required.

      A friend of mine is a serious user who thinks Windows is a poor creature indeed (with a grudging exception for Win 3.11). My argument is that it helped bring computer usage to the masses (I owe my whole career to MS Word upon which I built a business with some labour- (correct spelling in the UK!) saving macros in 1996).

      If my friend had his way command prompts and UNIX would be the norm but he fails to see that this would not have caught on en masse and we would be trapped in the 70s or 80s. 'Wargames' would still be 'fresh'. Britney would not have been airbrushed and you could see that she looks like a bag of spanners... Flame me on these points if you wish but we will have to agree to differ.

      For full protection stick an M&M in the ethernet port (peanut butter my preference although sadly unavailable here in the UK), remove the DVD/CD drives, disable USB and wi-fi and turn the floppy disk connector upside down (if you didn't do it when you built the PC) which also provides for a constantly lit LED which is pleasing.

      Email me if you think of any additions to the above list. Don't expect a reply mind you, I'm just digging out my abacus - sans ZoneAlarm...

  54. Link to summary... by Flexagon · · Score: 1

    ... before it's too old for the front page. Probably a good idea to read before heading straight to the zip file.

    guidance_WinXP.html

  55. WHERE THE HELL IS SP2 BY NOW by kilox · · Score: 1

    Longhorn is going to be released before SP2 is released... which is supposed to clean up a lot of these loose ends.

  56. Great document by glass_window · · Score: 2, Interesting

    Going along the lines of the earlier slashdot story
    (http://slashdot.org/article.pl?sid=04/07/06/1217243&mode=thread&tid=146&tid=188&tid=192&tid=99)
    I wish my college prof threw out the books for class and asked us to use stuff like this, it has everything the books had in it, and it covers it so much better.

  57. obligatory /. trolling by Anonymous Coward · · Score: 0

    step two...
    C:\>FORMAT C:

  58. Re:Redunancy by Pharmboy · · Score: 1

    99% of Windows 3.11 machines have never been connected to the Internet, so I don't think we'd know if there were any security holes.

    Maybe most or half, but certainly not 99%. We had a box setup as a router using a modem in the 28.8 days, for around 8 people, all running Windows 3.11, well before 95 came out. And we are not in the tech industry.

    Then again, my first internet account was a shell account I accessed from a DOS dialup terminal. Lots of people had internet access with 3.1 and 3.11. I still have the same Usenet account I had pre 95, and still using Forte Agent, which came out for win16 (still support 1.9x in both 32 and 16 bit vers!), as did Mosaic, Netscape, PircH, plus lots of utilities, Trumpet Winsock, Archie, Veronica, Finger (those USED to work, you know), WS_FTP, mIRC, all for 16 bit windows. Plus all the unix utilities I could want from the shell account. Back then, we used our Mosaic browser to Gopher, and we liked it!

    But Windows 3.11 has tons of internet capability, still, due to 3rd parties porting unix utils. Windows updates were via ftp then. In a huge directory that had the msg "dont do a ls here, there are too many files". ALL their patches and updates in a SINGLE ftp directory. They weren't too smart back then, internet wise.

    You may be right in one way: There may not have been any internet specific holes, but Win 3.11 by itself did not support the Internet. It was all add on software, Free for the most part. No browser (later, IE was released for 3.11), no TCP/IP stack. Even FTP was a port of BSDs, and still has acknowledgements to Berkeley, to this day. If you can get the NIC drivers, you can still surf just fine with 3.11.

    --
    Tequila: It's not just for breakfast anymore!
  59. Re:I am a 23 year old virgin by Anonymous Coward · · Score: 0

    Buy a nice outfit at Banana Republic, spend at least 150 between pants and a shirt. Get a nice pair of shoes and a belt too. Get a cool watch down at some jewelry store, keep it simple. Go get a REAL haircut at a salon (hint, not Cost Cutters). Now you should be pretty confident. Maybe go take a dance lesson or two. Somehow get invited to a party or head out for a night on the town. Buy drinks for anyone you're interested in, but only flirt a little, if at all. You should have sex within a week.

    Or just roll the wife over without waking her up until it's too late.

  60. [OT] Re:Total Cost of Ownership thru the roof by Mick+Ohrberg · · Score: 1
    Printing the document will contribute to killing trees, pushing TCO up further. How dare you want to secure your OS! Think of the baby seals!

    ...speaking of - short joke: A baby seal walks into a club.

    Ba-dam tisch....curtain

    --

    Quidquid latine dictum sit, altum sonatur.

  61. Missing step 148. by Tenebrious1 · · Score: 3, Insightful

    147. Search Google for "apache 2.0 win32". Download. Install. Copy and paste custom stuff into httpd.conf. Restart Apache service.

    148. GHOST MACHINE. Never have to reinstall again.

    --
    -- If god wanted me to have a sig, he'd have given me a sense of humor.
    1. Re:Missing step 148. by Agilo · · Score: 2, Insightful

      Wrong, because by the time you've ghosted, and are installing another machine, oh, say, half a year later, it turns out there's 80 new patches available on Windows Update, and Apache has been cracked to shits, thus requiring updates, and, well, just about the same for a whole lot of programs.
      Then once you have installed that, go ahead, ghost it again, but it's a vicious circle if you ask me.

      This'll be really worthless if you ghost the image to a DVD/CD, waste of DVD/CD in my opinion.

      Then again, I don't use Windows anymore.

      --
      - Agilo
    2. Re:Missing step 148. by dmaxwell · · Score: 4, Informative

      Think lineage of image here. If you're making a new image or install, it will still be easier to start from an image you made 9 months ago than to start from an XP cd. All the little desktop tweaks will be the way you like them and you'll only have 12 or so patches and 3 reboots rather than 47 or so and 7 reboots. Not only that, a good deal of your software won't have changed. You'll be saved some work there as well.

      I finished new OS 9 images for some Macs I maintain (I know, I know but it has to be this way.) I didn't start from an OS 9.0 cd and patch it up to 9.2.2 + add a boatload of apps. I installed last year's image, made changes and then created a new image. I still saved a considerable amount of work and thumb twiddling watching progress bars.

    3. Re:Missing step 148. by Tenebrious1 · · Score: 1

      Wrong, because by the time you've ghosted, and are installing another machine, oh, say, half a year later, it turns out there's 80 new patches available on Windows Update, and Apache has been cracked to shits, thus requiring updates, and, well, just about the same for a whole lot of programs.

      Insightful? Jeez, moderators need to get a clue.

      How long does it take to install 40 some apps? How long to customize each app the way you like? About four days worth of customization; I know, as a systems integrator, I'm rebuilding my machine all the time after testing. From scratch, it takes about 4 days to get everything back where I like it (with years of practice). Installing 40 some apps takes a LONG time. Remember that reinstalling apps, you *still* have to download and install patches *separately*.

      From a ghost image, I'm up and running in a few minutes. If you image your machine once every few months, you don't need that many updates; updates take less than 30 minutes after imaging, maybe an hour at most.

      Insightful my ass...

      --
      -- If god wanted me to have a sig, he'd have given me a sense of humor.
    4. Re:Missing step 148. by Anonymous Coward · · Score: 0

      148. GHOST MACHINE. Never have to reinstall again.

      149. Hope the image will fit on a DVDR. Burn it as a bootable DVD with Ghost.exe.

  62. Haha, this is great! by Ignorant+Aardvark · · Score: 1

    I happen to work at NIST and I'm on the Gaithersburg, MD campus right now. Perhaps reading this article can be considered reading slashdot and working at the same time?

  63. Did anyone actually read the documented guide? by Agilo · · Score: 1

    Did anyone actually read the documented guide, even for a little bit?
    I tell you, if a sysadmin should resort to that, he must REALLY suck, because all of what is explained in there is so f*cking obvious.
    I mean, c'mon. :\

    --
    - Agilo
    1. Re:Did anyone actually read the documented guide? by reallocate · · Score: 1

      Of course not. /. fans lack the attention span to read anything that takes up more room than an 80x24 box.

      --
      -- Slashdot: When Public Access TV Says "No"
  64. Securing Windows? Isn't that... by Anonymous Coward · · Score: 0

    ...like cleaning out the Aegean Stables with a whisk broom?

  65. Re:50% by Anonymous Coward · · Score: 1

    HA! Just ask the boss for money and he gives it to you?

    Linux is free.

    So, if windows allows an email client to arbitrarily execute code in an email, it's the IT dept's fault? If Windows IIS allows you to run code by simply sending a malformed URL, it's the IT dept's fault?

    YES! You were stupid enough to accept running Windoze and other M$ trash. You should have demanded an M$-free workplace or walked out.

    because all they have to do is go spend a bunch of money to secure an operating system they already paid a lot of money for?

    Again. Linux is free, has a much lower TCO, and requires fewer admins.

  66. 147 Pages... by Stevyn · · Score: 1

    and I thought the gentoo handbook was a long read.

  67. Re:50% by Stevyn · · Score: 1

    what about konqueror integration in KDE?

  68. Re:50% by Anonymous Coward · · Score: 2, Insightful
    Clearly you've never worked for an appreciably large global organization which has strict standards on hardware and software. "Upper management" is usually in a different city, if not a different country/continent, and rolling out such a deployment to 50000+ desktops is not cheap. Administration of said desktops is often decentralized, and it doesn't matter how much it'll save in the long run, companies are just trying to save funds in the short term in order to stay afloat.

    I'll have you know that I have lovely 'balls', so whenever you're done your MBA (the only thing I can attribute your cluelessness to), perhaps get a mitt and get in the game. You're obviously not seeing a broad enough spectrum of the business world.

  69. Re:50% by Anonymous Coward · · Score: 0

    boy, did you not read the parent or what??

  70. No SP2. by Anonymous Coward · · Score: 0

    that is pretty important as theres is no Service Pack 2 XP Cd out

    That's because there's no SP2 out. If you like running Betas though, I've got this copy of Win98...

  71. What about it? by mgoodman · · Score: 1

    You've at least got the CHOICE of whether or not to use KDE. I personally use GNOME, but that's only because I'm using Fedora, because I'm too lazy to install Debian at work...or rather I've got better things to do. Erm, where was I?

    Oh right, also, KDE is open source, so you could potentially disable konqueror if you *really* wanted to, so it seems that your point is invalid...

    --
    01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
  72. NSA's guide or NIST's? by Danathar · · Score: 3, Insightful

    Since NSA already has a guide for Securing WinXP...which part of the government is authoritative on recommendations?

    Here is the link to the page for NSA's Windows XP security Guide (And others)

    http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID=scg10.3.1.1

    1. Re:NSA's guide or NIST's? by meadowreach · · Score: 1

      It looks like this may supersede the NSA one. From the FAQ for the guide at http://csrc.nist.gov/itsec/guidance_WinXP.html:

      How were the publication and security templates developed?
      The publication was developed by NIST; however, NIST started with excellent material developed by the National Security Agency (NSA), DISA (Defense Information Systems Agency), Microsoft, and other members of the security community. NIST collaborated with NSA, DISA, the Center for Internet Security (CIS) and Microsoft to produce the publication's consensus baseline settings for various operational environments.

  73. Re:50% by malfunct · · Score: 1

    Might want to delete mshtml.dll and possibly browseui.dll and shdocvw.dll and that should get rid of a majority of IE security holes. I won't vouch for how many applications you totally nuke by doing that though.

    BTW I found the list by running the dependency walker on iexplore.exe and checking html/browser specific looking things in the list.

    --

    "You can now flame me, I am full of love,"

  74. My Mom won't have trouble. And Why? by MichaelCrawford · · Score: 0, Offtopic
    Like many of those here, I provide free tech support to friends and relatives.

    Mom's ordering a new computer today. And I expect she won't have much trouble with it.

    She's actually been very happy with her old computer, but the video went out a couple days ago, and she decided it was time to get a new computer rather than having the old one repaired, something I urged her to do because most of today's software won't run on the machine I gave her and dad for Christmas in 1995.

    She was still running netscape 4.5. I avoided using CSS for the longest time for the sole reason that it wouldn't render well on Mom & Dad's machine.

    (Dad passed away, I'm very sorry to say, about a year ago.)

    Mom's old machine? A Mac 6130. I forget if it was a powermac or performa. It had a 66 Mhz PowerPC 601. Remember - Mom was perfectly happy with her old Mac until it lost video. It might even be easy to repair, but we're a continent apart so I can't look at it myself.

    Her new machine? A 17 inch iMac, with 256 MB of RAM, 80 GB hard drive, 1.2 GHz PowerPC CPU. I think the iMacs all use G4s now.

    No worms or viruses for her.

    I recommended purchasing AppleCare. It will take her some time to get used to Mac OS X. I think her iMac could boot into Mac OS 9, but I'm not going to tell her how. I'm going to suggest she take a class to learn about Mac OS X.

    All her old software will still run, just under the Classic mode within OS X.

    Do you do tech support for your Mom? Get her an iMac, and get ready to stop cursing at Windows.

    Aunt Peggy, Mom's twin sister, got an iBook about a year ago, again on my recommendation.

    --
    Request your free CD of my piano music.
  75. Re:50% by mgoodman · · Score: 1

    I found my own little list of "potentially insecure" apps by opening my windows directory lol.

    Seriously, just go ahead and delete whatever you want. If something breaks, you needed it. Just go to a recovery console and get it back if you have to. If not, cool, your system is likely better without it.

    This rule of thumb does not hold true for your firewall or antivirus software...

    BTW, Sysinternals (http://www.sysinternals.com) has some really great free products that could really help in determining what files and dlls you actually need. Check out http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml and http://www.sysinternals.com/ntw2k/freeware/handle.shtml and http://www.sysinternals.com/ntw2k/source/filemon.shtml among other products.

    --
    01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
  76. Re:50% by TommydCat · · Score: 1
    Know the tools of your trade, otherwise what makes you different from any other MCSE that doesn't know his ass from a hole in the ground?

    It is IT's responsibility to be aware of security issues and make appropriate recommendations to those responsible for purchasing based on risk assessment to the company's infrastructure. Any less makes people wonder why you collect a paycheck.

    --
    This comment does not necessarily represent the views and opinions of the author.
  77. Re:Step one by Anonymous Coward · · Score: 0

    are you, like, 13 fucking years old?

  78. Re:50% by Pharmboy · · Score: 1

    but that is a far cry from "its IT's fault!", when you have budgets, TONS of bugs to patch (and test and test and test..), and a short staff. It would be much easier if MS had STARTED with the security settings in SP2 to begin with.

    --
    Tequila: It's not just for breakfast anymore!
  79. Re:I am a 23 year old virgin by Anonymous Coward · · Score: 0

    Just find a nympho and you'll be all set it worked for me and I was a virgin at 23.

  80. Re:50% by Anonymous Coward · · Score: 0
    Then show "upper management" a business case why their network ripe with corporate secrets needs to be secured. Having "balls" does not necessarily mean antagonistic conflict, but the ability to own up to your position.

    Wrong:
    Boss: Why should I spend $x million?
    You: Because you're a dumbass

    Right:
    Boss: Why should I spend $x million?
    You: Several well-documented studies show that we are at risk for significantly more

    Not so hard is it? Or are you still waiting for the one who will show up one day in IT to fulfill the prophecy because you are too busy polishing your lovely balls to do it yourself?

    No matter where you are on the totem pole, it has to start somewhere. Don't let your fingers get so sticky from the donuts that it gets hard to type, dial a phone or turn a doorknob!

  81. Re:Step one by Marxist+Hacker+42 · · Score: 1

    Absolutely agreed that the Windoze monopoly is an overpriced and poorly designed product- but incompetently manufactured? Depends what you mean by manufactured- but in a capitalist system, anything you can slap a 95% markup on is a success regardless of whether it actually works as advertised or not.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  82. Re:Security Update CD - dated October 2003 by okock · · Score: 1

    From that site:
    The Microsoft Windows Security Update CD includes Microsoft critical updates released through October 2003 and information to help you protect your PC. In addition, you will also receive free antivirus and firewall trial software!

  83. Re:50% by Anonymous Coward · · Score: 0

    Then obviously they are comfortable with the risk at your level of staff and funding. Good job!

  84. Bitch, Whine, Moan.... by reallocate · · Score: 0, Flamebait

    Pilgrim bitches too much.

    It's his fault that he can't keep track of his product key. Windows isn't the only product -- software or otherwise -- that wants a serial number before it works.

    It's his fault that he wasn't clueful enough to add SP1 and the usual horde of updates before he started mucking about. (Not that anyone installing a 4-year old version of any Linux distribution wouldn't also need to install a horde of security updates.)

    And, it's his fault for trying to use old drivers to get his net connection working.

    --
    -- Slashdot: When Public Access TV Says "No"
    1. Re:Bitch, Whine, Moan.... by Anonymous Coward · · Score: 0

      Key - The point isn't that Windows is worse than some other proprietary Desktop OS (OS/2 Warp? Ha!). The point is that no software, OS or otherwise, should be this antagonistic to use. No free (libre) software requires a product key. If it did, it wouldn't be free to use.

      Updating old software - Why would someone install a four-year old Linux distribution when they can buy a new one for about $5, or create an ISO from _today's_ packages, or download an iso which is a few weeks to a few months old, or do a minimal install from floppies and download the rest as needed? Of course, only the first option would work with his wireless NIC. The point again is that the software is antagonistic to use.

      Drivers - This wouldn't be a problem with a recent distribution, assuming his hardware is supported in Linux, which is an entirely different rant altogether.

    2. Re:Bitch, Whine, Moan.... by reallocate · · Score: 1

      A commercial and easily pirated product is not being "antagonistic" if it requires a product key. The fact that Windows does this is more of a commentary on the ethics of too many people than it is on the obtuseness of MS. If Torvalds had decided to sell Linux, odds are it would need a product key, too. One approach is no more or less correct than the other.

      You wouldn't install a 4-year old Linux. You'd install a current distribution that incorporates all the security patches that have been issued in the last 4 years. And you would still need to install all the patches issued after that distribution hit the streets. It's a simple equation. All that whining about security updates when installing XP from an original CD was deliberate posturing.

      Re: drivers -- Yes, a CD pressed today can contain newer drivers than a CD pressed yesterday, or last year, or 4 years ago. Whining that an original XP CD doesn't have drivers for hardware manufactured after the CD was made is childish.

      The piece was simply an exercise in willful FUD and dilettantism.

      --
      -- Slashdot: When Public Access TV Says "No"
  85. Re:IE for Banking by Anonymous Coward · · Score: 0

    It's called FDIC insurance and doesn't cover losses as a result of hacking. It was created to ensure that if "the bank" goes belly-up, you'll still get your money.

    Hacking liability is up to your individual bank and you might want to check up on what they will reimburse you.

  86. Re:50% by Anonymous Coward · · Score: 1, Insightful

    No matter where you are on the totem pole, it has to start somewhere.

    You must be new to the industry. While I share your sentiments completely, they're unfortunately fairly unrealistic.

    Don't let your fingers get so sticky from the donuts that it gets hard to type,

    Ah, the classic assumption that all IT folks are big sweaty nerds. Further verifying that you're new to the industry, or not a part of the industry at all. You don't seem to have been around long enough to a) be jaded or b) figure out how things REALLY work, and for that, I can't fault you. Your ideas on change are understandable, but the ease with which you think they can be carried out is off the mark.

  87. Re:50% by Anonymous Coward · · Score: 1, Funny

    Right:
    Boss: Why should I spend $x million?
    You: Several well-documented studies show that we are at risk for significantly more grins smugly

    Boss: Does our application platform with multiple terabytes of data run on it?

    You: .....uh, uh, but it fulfills the prophecy

  88. Re:Step one by gnu-generation-one · · Score: 1

    "And the answer is simple- hook it up to a Linux-based NAT router!"

    Why not just do the web-browsing on the linux machine? It would be easier, nicer, and more secure than using it to protect what we can only call "the virus-bait"

  89. Freudian slip? by roc_machine · · Score: 1

    in effectively securing Windows XP systems

    Anyone else first read this as "ineffectively securing..." ?

  90. Spend an extra hour reading the EULA by truthsearch · · Score: 1

    Don't forget to read the EULA. In it you'll find out you aren't allowed to install an IMAP server, SMTP server, or apache server for non-local connections. It's right there on page 1.

  91. Re:Redunancy by ClosedSource · · Score: 1

    Given that Win 3.11 didn't support the internet out-of-the-box, 1% still sounds reasonable to me.

  92. Re:Page 1: For best security... by Anonymous Coward · · Score: 0

    ...and create a whole new set just for the fun of it!

  93. Re:I am a 23 year old virgin by Anonymous Coward · · Score: 0

    "Or just roll the wife over without waking her up until its too late."

    I'm presuming that you weren't offering him your wife at that point - but hey easy way to make a little cash!!! ;-0

  94. Re:50% by Jim_Maryland · · Score: 1

    Sure IT is responsible for configuring secure systems and applying updates, but most people would agree that MS hasn't exactly made an IT worker's life easy. I'm not saying that the job should be "easy" as in they sit around all day, but applying patches shouldn't consume a large chunk of your time nor should it require more IT employees to actually accomplish the repeated patching.

    I'm not opposed to running a mixed environment (select the proper tool for the job) but MS tends to make a large target that is easy to hit.

  95. Mod parent UP, Grandparent DOWN by Anonymous Coward · · Score: 0

    Grandparent is an obvious troll, spreading FUD.

    I am posting here in order to cancel my moderation - I accidentally modded parent post the way I meant to mod grandparent (yes I know, I am an idiot sometimes)

    1. Re:Mod parent UP, Grandparent DOWN by Anonymous Coward · · Score: 0

      Anonymous Cowards don't get mod points. The parent still has your -1 Overrated BTW.

  96. Another government hardening guide? by brennz · · Score: 1

    Looks like those NIST folks forgot all about the DISA STIGs

  97. Defrag by Larry_Dillon · · Score: 1

    After all that, I'd:

    1. defrag the disk
    2. download the pagefile defragger from Sysinternals, and
    3. defrag the pagefile and system files.

    --
    Competition Good, Monopoly Bad.
  98. Re:50% by toiletsalmon · · Score: 1

    Hey! I went to DeVry you insensitive clod!

    (And it's even a "University" now :)

  99. zerg by Lord+Omlette · · Score: 2, Informative

    For any part that says "disable unused services", don't forget to check out XP Service Config Guide by Black Viper.

    --
    [o]_O
  100. Re:50% by Karl+Cocknozzle · · Score: 1
    I'm not saying that the job should be "easy" as in they sit around all day, but applying patches shouldn't consume a large chunk of your time nor should it require more IT employees to actually accomplish the repeated patching. I'm not opposed to running a mixed environment (select the proper tool for the job) but MS tends to make a large target that is easy to hit.

    Amen brother. And new patches should not re-break old ones. Or change random settings without telling you. (BTW: Last one isn't Microsoft exclusive, but I've had far more personal experience with exploding MS patches than any other OS.)
    --
    Who did what now?
  101. Better install tools by leonbrooks · · Score: 1
    Are any of the tools actually easy to use, useful to have, and if so, where can I download them?

    Info here.
    --
    Got time? Spend some of it coding or testing
  102. yeah, those IT professionals by Anonymous Coward · · Score: 0

    I don't understand 'IT professionals' in the same sentence as 'Windows XP' really. If you are that stupid to maintain something that constantly breaks down... oh well

  103. Re:50% by reallocate · · Score: 1

    Geez, what planet are you on?

    Check back after you've actually been on someone's payroll for a day or two. (Although that may take some time if you follow your own advice and demand an MS-free workplace.)

    Trust me on this: The corporate world doesn't care that Linux is "free".

    --
    -- Slashdot: When Public Access TV Says "No"
  104. Re:50% by malfunct · · Score: 1

    I'd advise knowing slightly more than that, I actually think a fair number of "IE" security holes are actually in the mshtml.dll. Unfortunately a great many others are in weird random dlls like webdav and stuff.

    --

    "You can now flame me, I am full of love,"

  105. Huh?!? by Anonymous Coward · · Score: 0

    There are still some people around who are stupid enough to use a Window$ operating system?! I thought all those idiots were gone by now. Don't they keep up with the news?

  106. Strange isn't it by Ponkinator · · Score: 1

    Aren't government agencies usually the worst offenders as far as network security is concerned? Aren't they usually given D and F ratings by the Office of Management and Budget (OMB) year after year? Yet here is a government agency cranking out advice on securing Win XP. It makes more sense to get rid of the offending OS if it really is that bad rather than trying to fix the unfixable. I can't believe all the time and money that is spent on firewalls, antivirus software and patching on what shouldn't be a major problem in the first place. I don't understand why Microsoft Software is so popular if it really is this crappy. Even if it came "free" with the computer (I can assure you it didn't), MS would still be charging too much for such a low quality POS by any other standard. By all rights, all MS OSes should have some sort of warning during installation that says that the OS was designed for easy installation of viruses, worms, trojans, and malware that you should retract your hard drive for safety.

    Yeah, sure, I can talk smart; I don't use MS products so what do I know.

  107. Re:50% by BCW2 · · Score: 1

    There are lies, damn lies, and then statistics.

    --
    Professional Politicians are not the solution, they ARE the problem.
  108. Re:My Mom won't have trouble. And Why? by VGPowerlord · · Score: 1
    It's one thing to replace a Mac with another Mac, quite another to replace a PC with a Mac, and different yet if it's their first PC.

    My mom still uses a Calendar Creator made in 1987 for DOS 3 or 5. I'm not sure which. She's managed to carry it all the way over to her Windows 2000 Professional machine. She uses Windows 2000 because that's what they use at her workplace.

    The computer decisions of my aunt & uncle and my grandparents were heavily influenced based upon what my mom used... Windows.

    Actually, it was more of a rolldown effect. My aunt saw what my mom could do with her IBM Compatible PC and bought one in the 90s. Last year, when my aunt bought her new Windows PC, Grandmother saw what my aunt could do with it and bought one similar to it.

    Which also means that I had no influence whatsoever in what they bought... Oddly enough, they don't call me for tech support very often. I suppose that's because they still haven't caught the Internet bug... they're content with using an email only service.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  109. Re:Redunancy by Anonymous Coward · · Score: 0

    How do you figure? Sure you had to install TCP/IP but PPP came with it out of the box. I'd call that "supporting 'internet' out of the box".

    Personally I bypassed Win3.11 for home use but had to support it a bit in different jobs. In fact the last time I had to do some work on Win3.11 was about 3 years ago for an airline. Kind of scary that they were still using it but they had a legacy app that no one seemed to want to update.

  110. it's a 7-zip exe by Anonymous Coward · · Score: 0

    the autopatcher self-expanding exe is a 7-zip exe. according to the 7-zip home page (http://www.7-zip.org/) it's possible to get it working under wine (though i've never figured out how to get it working this way).