Slashdot Mirror


NIST Issues Windows XP Security Guide

routerwhore writes "NIST Special Publication 800-68 (zip file) has been created to assist IT professionals, in particularly Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail."

54 of 253 comments (clear)

  1. isolate by xOleanderx · · Score: 4, Funny

    Step one: Isolate from network.

    1. Re:isolate by Anonymous Coward · · Score: 2, Interesting

      not really...

      step one is to get a competent admin that will install from a slipstreamed install CD. all of mine are slipstreamed with SP2 so all patches up ot now are included and the machine is not instantly owned on the corperate network. ANYONE installing XP or W2K from origional CD's is nuts. slipstream the patches. My W2K disks are up to the SP4 rev and have all hotfixes on the disk ready for the scripted install after first reboot. and the XP disks are ready to go as well..

      Yes, it's a pain in the arse to have to do this cince MS refuses to issue updated install CD's every time they do major updates to their os... but it's all we got.

    2. Re:isolate by BrookHarty · · Score: 5, Informative

      Actually, that is pretty important as theres is no Service Pack 2 XP Cd out. If you install on an open Internet connection, you can be infected before you download the updates. Even our work lan wasnt protected, soon as I plugged my laptop in for updates it was infected, and I had to clean it off. (Ya, ya, zone alarm....) I guess the default XP firewall turned on would at least be some protection.

      I think its worth picking up a cheap network router or wireless router so you can have NAT firewall to filter your PC. 802.11b routers are on sale for 20 bux that have NAT built in. Pretty cheap, and then you can update your PC before it gets infected.

      I have all service packs merged into my Win2k on CD, but WinXP only has the default SP1 without the updates for a year. So, the unplug or firewall your Internet connection is pretty important.

    3. Re:isolate by DarkMantle · · Score: 2, Funny

      Step 2: install 3 popup blockers, 4 spyware utilities, and 5 Antivirus programs, 3 firewalls, and make sure it's behind a good external firewall, get all windows updates on a CD to install them offline.

      Step 3: Keep off network

      --
      DarkMantle I been bored, so I started a blog.
    4. Re:isolate by eean · · Score: 3, Insightful

      At my .edu they decided that our firewall would protect us from Blaster. Didn't take them long to figure out how wrong they were.

      Firewalls assume they're aren't malicious things happening on your side of it.

    5. Re:isolate by eean · · Score: 2, Insightful

      Then the students bring their computers back from the summer.

      Making a campus LAN not a dangerous one is impossible. You have to assume worms are going to get in.

    6. Re:isolate by Scutter · · Score: 2, Insightful

      You misunderstand.

      No, I understand perfectly, but protecting an internal network is not the firewall's job. The firewall's job is to act as a gatekeeper to traffic passing through it wherever it's placed in the network. What you are proposing is a fundamental change in network design, of which the firewall is only a very small part. VLAN's, proxy servers, etc. all play a part in securing an internal network. It doesn't make sense to place the blame for an insecure internal network at the feet of a single firewall (misconfigured or otherwise).

      If someone brings in an insecure laptop and plugs it into a random port on your switch, you can hardly blame the firewall between your LAN and the internet if the laptop starts spewing Sasser around your network. That's where VLAN's, internal firewalls, and other security measures come into play.

      Regardless, my response was in answer to your comment about firewalls not protecting internal networks, not the intricacies of switchport-level network security.

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  2. Format, install Linux... by PeterPumpkin · · Score: 2, Informative

    ...install VMWare, run XP from inside the sandbox :D

  3. Looks very usefull at first glance by Marxist+Hacker+42 · · Score: 5, Informative

    Especially for those of us who have mixed LANs at home. This was the first I had heard of a way to disable 445, the replacement Netbios port (even if it's a convoluted way to do it).

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:Looks very usefull at first glance by mst76 · · Score: 4, Informative
      Especially for those of us who have mixed LANs at home. This was the first I had heard of a way to disable 445, the replacement Netbios port (even if it's a convoluted way to do it).
      There is plenty of information around if you know the right queries.
    2. Re:Looks very usefull at first glance by SquadBoy · · Score: 2, Informative

      But of course the first thing you did was to run nmap and Nessus against your shiny new XP box and then search on the ports that they found.

      Or maybe I'm just a freak.....

      But yea info and lots of it in one place is a *very* good thing. But it sounded like the grandparent knew it was there did not like it and had done nothing and was all out of ideas.

      Or like I said maybe I'm just a freak...

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    3. Re:Looks very usefull at first glance by Azghoul · · Score: 4, Interesting

      This is probably going to seem like flamebait, but I'm honestly curious: Does anyone else feel it's odd, at best, to have a government agency telling us all how to safely operate a private company's product?

      Just seems weird to me, but I guess it happens in other industries as well...

    4. Re:Looks very usefull at first glance by Marxist+Hacker+42 · · Score: 3, Interesting

      What, you expect the private company to actually be truthfull about the dangers of their product?

      Seems normal to me, and a necessary function of government in a corporatist economy. Otherwise, Caveat Emptor is the only real law left.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  4. Re:50% by Mz6 · · Score: 3, Insightful
    "Fifty percent of those problems are IE problems."

    Does this get filed the same as "90% of all statistics are made up"?

    --
    Hmmm.
  5. 147 pages! by w1r3sp33d · · Score: 4, Funny

    Easy broken down into 9 littler chapters for those MCSE's still out there.

  6. Re:Step one by Marxist+Hacker+42 · · Score: 3, Insightful

    And the answer is simple- hook it up to a Linux-based NAT router! If no server ports are exposed to the WAN, no worms can find the new box.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  7. Linux is complex? by TheVidiot · · Score: 4, Funny


    Only 147 pages of reading to secure your Windows XP?!? And they say Linux requires an in-depth knowledge of the OS...

    1. Re:Linux is complex? by databyte · · Score: 2, Informative
      Not all of it is related solely to security.
      • Section 1 - Introduction (15-16)
      • Section 2 - Windows XP Security Guide Development (17-32) about general networking guidelines and how this guide came to be
      • Section 3 - Windows Security Components Overview (33-38) with summary notes on the last page (38), the rest was features and footprint
      • Section 4 - Installation, Backup, and Patching (39-48) consists of advise on running Windows Update, using strong passwords, etc. Notes are again, on the last page.
      • Section 5 - Overview of the Windows XP Security Policy Configuration and Templates (49-54) explains templates and how to use them.
      • Section 6 - NIST Windows XP Template Settings Overview (55-66) which explains the templates provided.
      • Section 7 - Additional Windows XP Configuration Guidance (67-90) is a ton of good content
      • Section 8 - Application Specific Security Configuration Guidance (91-110)
      • Section 9 - Putting it All Together (111-112)
      • Appendix A-F contain resource information not needed to secure your machine but good information to have.
      Steps to securing:
      Read the last page of Sections 3 and 4, if it's new to you - read the whole thing.
      Apply templates using information from Sections 5 and 6 if you don't know how.
      Read Section 7.
      Section 8 is optional depending on what types of programs you use.

      Required reading: 25 pages
  8. Actually has some good points by grunt107 · · Score: 5, Informative

    There are some areas around the registry and memory dump settings that could be useful (how many actually send MS their abend dumps?), shutting remote access, and pointing out the usage and benefits of a firewall. When it comes to internet downloads/emails, though, the standard "Don't open unknown emails/attachments" still abounds. Rather lengthy - could do w/o the graphs and standard defs.

  9. Re:Page 1: For best security... by xOleanderx · · Score: 4, Insightful

    Hopefully SP2 will fix many of these problems.

  10. Total Cost of Ownership thru the roof by hey · · Score: 5, Funny

    Wow, changing all those settings really bumps up the Total Cost of Ownership (TCO) of Windows!

    1. Re:Total Cost of Ownership thru the roof by badriram · · Score: 3, Informative

      Well most people dont do this over and over again on each and every machine. That is we have GPOs (Group Policy Objects), scripting, and tons of third party apps. All those settings were done at my end once, and i update them at the release of every service pack. For security the amount of time i waste is barely nothing

  11. Re:Redunancy by Anonymous Coward · · Score: 2, Funny

    Windows XP *IS* Windows 3.11. We perceive the thought form at the root of each and merely hypostatize a different product because we believe in the illusion of time.

  12. Re:50% by jesser · · Score: 2, Funny

    90% of all statistics are made up

    Where did you hear that? I thought it was only 60%.

    --
    The shareholder is always right.
  13. Re:Step one by crimethinker · · Score: 4, Insightful
    You're only partly correct. If you put the windoze box behind a NAT, you won't get 0WN3D by all of the remote exploits, but that's only half of the solution. You're still vulnerable to virus-laden e-mails (especially if you use MS Outhouse) and malicious web pages (if you use IE).

    Yes, you and I have a clue and use something else for mail and web, but most home users are not savy enough to switch away from the vulnerable products, and worms and viruses will continue to spread through these channels for some time to come.

    -paul

    --
    Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
  14. Re:Step one by Marxist+Hacker+42 · · Score: 2, Interesting

    The point is to download the Windoze updates *before* even running Outhouse or IE. And of course, following all the rest of the advice in the above document in setup, before doing ANYTHING on the web.

    I'm also strongly of the opinion that home users that don't take precautions in this day and age deserve to have their boxen 0wn3d. And then have their ISP shut them down and isolate those boxen.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  15. Re:Step one by Marxist+Hacker+42 · · Score: 2, Informative

    You mean like Cisco's Linksys routers- which are linux based? Still, yes, certainly a hardware (Flash Rom) based solution helps quite a bit, and is less troublesome to set up.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  16. Quick way to get the post-SP1 pre-SP2 updates by semifamous · · Score: 5, Informative

    Quick way to get the post-SP1 pre-SP2 updates:

    AutoPatcher

    This is a good thing if you need to reinstall Windows soon before SP2 comes out.

    Even after SP2 comes out and it shrinks in size, the features it allows you to change are great.

    1. Re:Quick way to get the post-SP1 pre-SP2 updates by mattOzan · · Score: 4, Informative

      Even better way to get all those hotfixes RIGHT ONTO YOUR CD, so you don't have to muck about with downloading updates and waiting for them to install: XPCREATE: The XP Distribution CD Creator with Hotfix Slipstreaming

  17. I only use xp for games lately by Cyberhwk · · Score: 2, Insightful

    I've only kept my XP box around for games, movies, and entertainment. If I have to do something that needs to be secure I either use mac osx or linux. I try to avoid the IE browser except when reading webcomics or news and I do online banking far away from IE but I'm not worried about that cause I'm pretty sure my money is still federally insured under a plan that I forgot its name. I like XP for games and that is about it so far besides movies. I just hope SP2 doesn't ruin compatibility to some of my old favorites like Fallout 2

  18. Reminds me of Bastille linux by mentatchris · · Score: 5, Insightful

    I just briefly read thru that document. It is an excellent read. Lots of the things they mention are fairly well known, but to have it all grouped together in a comprehensive document is a real godsend. Reminds me A LOT of bastille linux .
    There is a huge advantage to have predefined profiles you can apply. I imagine myself using these security profiles to harden family member's PCs. I usually have neither the time nor the inclination to lock down my mother's computer.... so having some defaults and a quick checklist will save me a TON of time in the long run.
    It's also nice to be able to send someone a link and tell them "Do this stuff" rather than walk them thru all the things they need to do to be safe. As I am sure most Slashdot readers have experienced, the unending number of tech calls from friends and family gets old after a little while. I think this document will help restore the free time that Uncle Bill has taken from me.

    1. Re:Reminds me of Bastille linux by Anonymous Coward · · Score: 4, Interesting
      The problem with Linux is all the non-orthogonal options, and trying to figure out how they interact. To wit,
      • standard "chmod" permissions
      • extended attribute "chattr" permissions
      • bastille linux on top of the above
      • access control lists
      • Kerberos
      • Pam
      • selinux
      • ssh
      • beecrypt
      • sasl
      • a dozens more miscellaneous options and utilities.
      I wish there would be a unified solution. There are various bits of overlap, and the permutations of the above lead to quite a bit of complexity. Of course, as far as I know XP is not one bit simpler.
    2. Re:Reminds me of Bastille linux by vadim_t · · Score: 4, Informative

      Many of those have nothing in common. Please at least do some reading on this stuff.

      Bastille was a script that tweaked things for you last time I checked. It does nothing you can't do by editing config files and using chmod if you know how.

      ACLs are approximately a WinNT-like permission system for Linux.

      selinux goes MUCH further, adding capabilities that didn't exist before, making it possible to precisely specify what a process is supposed to do and what not. While quite complicated, it allows doing nifty things.

      PAM has an unique purpose - handling authentication. If you want your users to use a smartcard or a fingerprint reader, that's what you need.

      ssh is an encrypted telnet (simplifying things a bit)

      sasl is an encryption library, beecrypt is another.

      kerberos is an authentication method - which has absolutely nothing to do with things like filesystem permissions.

      So, where are those interactions you talk about? SeLinux with all its power has nothing to do with encryption and doesn't replace it. Different encryption libraries don't conflict with each other and in most cases users don't even need to deal with them. PAM could be said to be related to SeLinux a tiny bit, but they do very different things. SeLinux handles permissions, while PAM defines how users are authenticated to the OS. Kerberos is just a protocol.

  19. Re:50% by Pharmboy · · Score: 5, Insightful

    You're in IT? Notify the upper-management about the best tools available then implement those tools. If you can't make a reasonable argument why Windows is a hazard than get another career and move over for someone that can. It is POSSIBLE.

    IT departments are the problem and Windows will be the dominant OS for decades to come until more IT "men" grow some balls.


    HA! Just ask the boss for money and he gives it to you? Thats rich. So, if windows allows an email client to arbitrarily execute code in an email, its the IT depts fault? If Windows IIS allows you to run code by simply sending a malformed URL, its the IT depts fault? So, the solution is buy yet more software, that will not know about these exploits until they are exposed anyway, so is useless for unknown (but will be discovered) vulnerabilities?

    And MS is the good guy and the IT guys are the bad guys, because all they have to do is go spend a bunch of money to secure an operating system they already paid alot of money for? And if the company is dependent on software that will only run on Windows for a year or two, its the IT depts fault if the boss won't change to Linux?

    I gotta admit, I did enjoy the "grow some balls", coming from an AC. You sound more like a pissed off 20 year old who just finished a program at Devry and can't believe someone won't hire him for $80k.

    --
    Tequila: It's not just for breakfast anymore!
  20. I'd read through that.... by nukem1999 · · Score: 5, Funny

    but I'm not supposed to download unknown zip files on my Windows machine.

  21. "in effectively securing Windows XP systems" by Alexis+de+Torquemada · · Score: 3, Funny

    There are already a lot of people who can do this. Well, without the first blank, that is.

  22. Re:50% by Phibz · · Score: 2, Funny

    I had heard it as "A survey once showed that 50% of all statistics are wrong 90% of the time." :-D

    Phibz

  23. Re:Step two by TedCheshireAcad · · Score: 2, Funny

    Step 3.....profit?

  24. "effectively securing Windows XP systems" by WarMonkey · · Score: 3, Funny


    effectively securing Windows XP systems

    That's the great thing about Slashdot -- timely reviews of only the very best science-fiction literature.

    --
    -- I could tell right away that she was impressed with my HUGE Slashdot Karma.
  25. Free Windows Security Update CD by not_hylas(+) · · Score: 4, Informative

    http://www.microsoft.com/security/protect/cd/order .asp

    See? Wasn't that easy?

    --
    ~hylas
  26. Re:50% by Anonymous Coward · · Score: 2, Funny
    Just ask the Mac users out there that thought they were downloading Word 04.
    Well those people are just idiots...

    Especially the one quoted in the article: "I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta."

    Strike Three! You're OUT!
  27. I'm being double charged by maximilln · · Score: 2, Insightful

    Glad to know that my taxpayer dollars not only go to subsidize their schooling and subsidize their certification programs but also to generate a nice neat HOWTO manual for them to do their jobs.

    No wonder there's so many pencils stuck in the ceiling.

    --
    +++ATHZ 99:5:80
  28. How to install Windows XP in 5 hours or less by spoonyfork · · Score: 5, Insightful
    From Mark Pilgrim's How to install Windows XP in 5 hours or less:

    1. Back up entire d: drive to iMac upstairs. rsync rocks.
    2. Find Windows XP install disc.
    3. Reboot with Windows XP install disc.
    4. Asked for product activation. Curse Microsoft.
    5. Search my house in vain for my original, 100% legitimate, retail Windows XP box.
    6. Reboot.
    7. Search control panels in vain for a window, dialog, tab, or pane that displays my current product key.
    8. Search Google for "windows xp get current product key".
    9. Find a utility on a cracker web page in Russia that displays the current product key. This is one of the more lame utilities, since most of the good ones allow you to change it. I don't wish to change it; I actually have a perfectly good product key, I just don't know what it is.
    10. Reboot with Windows XP install disc.
    11. Reboot repeatedly as required.
    12. Boot screen. Choose between "Windows XP Professional" and "Windows XP Professional". Brilliant. Pick one. The wrong one. Boot into fucked Windows XP install. Hard reboot. Pick the right one. Make mental note to hack boot.ini later.
    13. "Welcome to Windows XP. You have no useful programs and no internet access. You have 30 days left for activation. Would you like to activate now?" Yes, I would, but I have no internet access.
    14. Unnecessarily loud and cheerful startup noises. Make mental note to turn off all sounds later.
    15. Search the "Network and Internet Connections" wizards in vain for some way to set up my Linksys wireless card. Having never done a clean install of XP (I previously upgraded from Windows 2000), and having been moderately impressed by the new wireless networking features in XP, I naively assumed this would "just work". Silly rabbit.
    16. Search my house for my Linksys wireless card driver install disc. Find the install disc that came with the old card, that broke and was replaced by the new-and-improved version 3.0 card. Wonder if that will suffice.
    17. Fight with the "Add New Hardware Wizard" trying to install the obviously inferior drivers off this disc.
    18. Wonder where the "Device Manager" is hiding.
    19. Find the "Device Manager". Right-click on the unknown device, "Linksys_Instant_Wireless_Card". Update driver. "Windows was unable to locate a driver for this device. Would you like to search on the internet?" Yes, I'd love to, but I can't, you moron. Install driver from specific location. Specify WIN2000 folder on old-and-inferior install disc.
    20. "This driver is not digitally signed." OK.
    21. "This driver may cause your computer to become unstable." OK.
    22. "This driver may anally rape your mother while pouring sugar down your gas tank." OK.
    23. Nothing. No connection, no internet access, no acknowledgment of any device whatsoever.
    24. Reboot.
    25. Doesn't work.
    26. "Take a tour of Windows XP!" I am.
    27. Reboot.
    28. Doesn't work.
    29. Dig out old wired PCMCIA card. Take computer upstairs. Plug directly into switch. cmd. ipconfig. We have an IP address. ping www.google.com. We have name resolution and internet access.
    30. Fire up Internet Explorer. runonce.msn.com. No. www.linksys.com. Support. Downloads. WPC11. Windows XP. Linksys.com rocks.
    31. Insert Linksys wireless card.
    32. Back to Device Manager.
    33. Uninstall old-and-inferior driver.
    34. Update driver.
    35. "This driver is not digitally signed." OK.
    36. "This driver may cause your computer to become unstable." OK.
    37. "This driver may…" OK.
    38. cmd. ipconfig. We have internet access.
    39. "Add your .NET Passport to Windows XP!" No.
    40. Fire up Internet Explorer. www.msn.com. No. www.mozilla.org. Download Mozilla.
    41. Realize I should create an "f8dy" user because it will make my life easier later.
    42. Create "f8dy" as an administrator. Log out. Log in.
    43. Install Mozilla. Yes, I would like to make you my default

    --
    Speak truth to power.
    1. Re:How to install Windows XP in 5 hours or less by Anonymous Coward · · Score: 2, Funny

      There's two more steps

      148. System continually bluescreens on boot.
      149. Go to step 1

    2. Re:How to install Windows XP in 5 hours or less by John+Whorfin · · Score: 2, Insightful

      Good God man, wouldn't finding a freaking Linux CD be easier?

  29. Great document by glass_window · · Score: 2, Interesting

    Going along the lines of the earlier slashdot story
    (http://slashdot.org/article.pl?sid=04/07/0 6/12172 43&mode=thread&tid=146&tid=188&tid=192&tid=99)
    I wish my college prof threw out the books for class and asked us to use stuff like this, it has everything the books had in it, and it covers it so much better.

  30. Missing step 148. by Tenebrious1 · · Score: 3, Insightful

    147. Search Google for "apache 2.0 win32?. Download. Install. Copy and paste custom stuff into httpd.conf. Restart Apache service.

    148. GHOST MACHINE. Never have to reinstall again.

    --
    -- If god wanted me to have a sig, he'd have given me a sense of humor.
    1. Re:Missing step 148. by Agilo · · Score: 2, Insightful

      Wrong, because by the time you've ghosted, and are installing another machine, oh, say, half a year later, it turns out there's 80 new patches available on Windows Update, and Apache has been cracked to shits, thus requiring updates, and, well, just about the same for a whole lot of programs.
      Then once you have installed that, go ahead, ghost it again, but it's an viscious circle if you ask me.

      This'll be really wortless if you ghost the image to a DVD/CD, waist of DVD/CD in my opinion.

      Then again, I don't use Windows anymore.

      --
      - Agilo
    2. Re:Missing step 148. by dmaxwell · · Score: 4, Informative

      Think lineage of image here. If you're making a new image or install, it will still be easier to start from an image you made 9 months ago than to start from an XP cd. All the little desktop tweaks will be the way you like them and you'll only have 12 or so patches and 3 reboots rather than 47 or so and 7 reboots. Not only that, a good deal of your software won't have changed. You'll be saved some work there as well.

      I finished new OS 9 images for some Macs I maintain (I know, I know but it has to be this way.) I didn't start from an OS 9.0 cd and patch it up to 9.2.2 + add a boatload of apps. I installed last year's image, made changes and then created a new image. I still saved a considerable amount of work and thumb twiddling watching progess bars.

  31. Re:Obvious by mingot · · Score: 3, Informative

    Dunno. I've done just fine with a years old Linksys router. No AV, no anti-spyware software, and pretty much no configuration on the boxes themselves. Oh, and using Outlook and IE.

    How have I gone literally YEARS without a virus, worm, or peice of spyware? Quite simple.

    1. I don't steal other peoples work. This has two implications. I don't install file sharing software which is most always loaded with spyware. The other is that I don't download software of dubious origin.

    2. I don't run executable content I get through email unless I know the source and am expecting the file. Outlook has not auto run scripts in years now.

    3. I limit the items that I do download to execute to those that are well known and from sites that I trust. I DO NOT go and download every screen saver I can find on the internet like a LOT of other idiots do. You'd be surprised at the amount of shit that creeps in through the installs of these whores.

    4. When the little popup says that updates are availible I install them. That simple. For software that I use which is not included in the windows update I check the sites regularly (if they are software that is susceptable to this sort of thing).

    No cost, save the router. All common sense and situational awareness when I surf. The people who have computers loaded with spyware lack this. And Linux/OSX/FreeBSD are NOT going to save them from themselves.

  32. Re:50% by Anonymous Coward · · Score: 2, Insightful
    Clearly you've never worked for an appreciably large global organization which has strict standards on hardware and software. "Upper management" is usually in a different city, if not a different country/continent, and rolling out such a deployment to 50000+ desktops is not cheap. Administration of said desktops is often decentralized, and it doesn't matter how much it'll save in the long run, companies are just trying to save funds in the short term in order to stay afloat.

    I'll have you know that I have lovely 'balls', so whenever you're done your MBA (the only thing I can attribute your cluelessness to), perhaps get a mitt and get in the game. You're obviously not seeing a broad enough spectrum of the business world.

  33. NSA's guide or NIST's? by Danathar · · Score: 3, Insightful

    Since NSA already has a guide for Securing WinXP...which part of the government is authoritative on recommendations?

    Here is the link to the page for NSA's Windows XP security Guide (And others)

    http://www.nsa.gov/snac/downloads_winxp.cfm?Menu ID =scg10.3.1.1

  34. Re:Obvious by Kjella · · Score: 4, Insightful

    2. I don't run executable content I get through email unless I know the source and am expecting the file. Outlook has not auto run scripts in years now. (...) The other is that I don't download software of dubious origin.

    Last I checked, IE ran executable code automagically due to a buffer overflow late last year, not sure if there are any such bugs this year.

    Anyway, I realize what you're trying to say but it is still a poor situation. It's like saying "Yeah, I drive a crappy and hazardous car with poor brakes, but I'm a good driver and drive defensively so I don't get into any accidents anyway."

    And regardless of how obvious it may seem to you, it is not common sense. It's your computer knowledge. Don't confuse common sense with logic. It is logical to you because you know how a computer works. It is not logical to a person that doesn't know what's ihside that beige box, and has no idea what an OS is or does. And that really have no idea what is nor should be happening when they open a file.

    People have no clue what makes up a "dubious" origin. Hell, RealPlayer counts as dubious in my book (once a villain, always a villain), while an OSS project who has no corporate backing, not knowing any of the coders, is usually less dubious. How do you know which are reputable companies? Knowledge, which implies that it is not common sense.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  35. zerg by Lord+Omlette · · Score: 2, Informative

    For any part that says "disable unused services", don't forget to check out XP Service Config Guide by Black Viper.

    --
    [o]_O