Windows XP Tips and Tricks follow-up

I'm no expert in Windows, but if people need to install XP on a Mac mainly to justify using one in an environment where certain applications are Windows-only, wouldn't it solve most security problems to simply avoid using all Internet software while in Windows? Could you perhaps not connect the Windows side to the Internet at all?

This wouldn't work for people who need connections on both sides, but it might help for others.

Paul Brians Professor of English Director of Undergraduate Studies Department of English Washington State University Pullman, WA 99164-2050 http://www.wsu.edu/~brians/

Just a few things to add to the excellent things that Kevin wrote.

Retail versions of Windows XP do allow transfers to new systems, although you will still need to run through the mandatory activation and may need to spend some time on the phone with Microsoft explaining what you are doing.

Unless you've been doing multiple installations already -- abusing the license -- it's unlikely that you'll need to call Microsoft. They obviously don't want to pay for tech support time because someone got their system up and running and then decided to reinstall from scratch, or bought a new computer a month later. What I've heard is that if a second installation is more than about 3 or 4 months after the first, there's no block at all. I've been in the situations mentioned above in much less time and had no trouble with the re-registration. There's probably much firmer information on this on the web for anyone who wants to search. What's clear, though, is that the MS registration scheme is designed to restrict massive cloning, counterfeit CDs, and exchange of keys, not to prevent a parent from installing her copy of XP on her kid's computer.

Windows XP is notorious for being infected immediately after a new installation, before the user has time to install system patches. Windows XP Service Pack 1 installations have been reported compromised in as little as 4 minutes after being placed on a standard DSL connection.

While this warning is definitely to be taken seriously, being behind a NAT and taking a little care should be sufficient. The NAT -- assuming no ports are mapped to the computer in question -- protects against direct attacks. Avoid surfing except to the MS sites as needed to complete the software updates -- in fact, just don't do anything but software updates on the XP system until the software is current.

But if the computer has a routable IP address (is not behind a NAT), then take Kevin's warning VERY seriously.

**Additional Security** - Always leave a firewall turned on, whether that's the built-in Windows one or third party software. This is a good idea even if you're computer is behind a hardware NAT firewall.

Yep. Although if the XP system is the only one behind a NAT, this may be unnecessary. I don't know what kind of IP connectivity a virtual XP system will get -- the Mac OS may act as a NAT, thus protecting it. But on a dual-boot system, the exposure is likely to be the same whether it's booted in Mac OS or XP.

The main reason for using a personal firewall even when protected upstream, is that even if you are behind an excellent firewall, there are other ways for malware to invade. Laptops are famous for this. I'm aware of a site which was taken down for a full day when all their internal servers were infected by SQL Slammer. It was several months after the Slammer release, and they had ignored the warnings to install the updates. But they were OK, protected almost entirely by NAT, until a consultant brought in an infected laptop and hooked it up to the LAN. Uh-oh.

Microsoft's Malicious Software Removal Tool should have been installed as part of the Windows Update during installation.

Technically it's downloaded, run, and removed monthly at the same time as a software update, or occasionally on its own. As a result, software updates always occur at least monthly even when there's nothing else to push.

I prefer Grisoft's AVG product; home users can get it for free.

My experience differs from Kevin's -- I found AVG annoying and hard to use. But the price is right, the reviews are good, and no one questions its ability to block malware. I won't consider McAfee due to unrelated bad experiences with the company, so I've gone back to NAV, though it certainly has its annoyances too. IIRC it can cost as little as about $20/year if you buy a multi-year subscription.

**Spyware Removal** -- Be sure to install spyware detection and removal software.

I have to say "it depends". I've been using XP for about three years now, have never run real-time spyware blocking software, and have never been infected by any spyware or adware. I run Ad-Aware occasionally just to make sure, and of course the monthly Malicious Software Removal Tool. (How the name, with the acronym MS meaning Malicious Software, got past Marketing is beyond me.) Ad-Aware has never found a single thing, and AFAIK neither has the MSRT (though I have no idea what it says when it finds something).

This undoubtedly is a combination of web browser choice, web surfing habits, and generally attunement to the software world and a basically skeptical attitude. I use Opera, which enables me to leave plug-ins (including the dangerous ActiveX) and Java turned off until I need them and trust the web site, and turn each on with two keystrokes -- and off again in the same. Though my surfing certainly includes plenty of the personal as well as professional, I apparently just don't often hit the sorts of web sites that want to do dirty things to my computer -- I can't even characterize where they would be. And I've never been into file sharing -- I looked briefly at Kazaa once and said you want to do WHAT on my computer, no thank you. So I can't give a rule of thumb as to who is in more danger, but I don't think it's universal. (Whereas the danger from viruses when running Windows is about as universal as anything gets in the world of IT.)

Note that Windows XP does not include a DVD player by default.

Windows Media Player plays DVDs just fine ... well it plays them OK. It lacks things like frame-by-frame and reverse play, but it works reliably. It can also play DVDs which have been copied to disk. (However, the latter is becoming more difficult. The author of the popular free DVD Decrypter has withdrawn it due to legal pressure.)

Edward Art works by Melynda Reid: http://paleo.org

At 7:53 PM -0700 2006/04/23, Kevin van Haaren wrote:

>File Transfer Software -- Not sure how I forgot to mention this but for FTP
>from Windows I use FileZilla. FileZilla is licensed under the GPL. It isn't
>quite as feature rich as Interarchy (I just had to re-type that -- after
>all these years I still call it Anarchie), and the interface could use a
>little work, but it does support a wide range of options, including
>encrypting FTP passwords over SSL (which Interarchy just added recently.)

        Note that Interarchy offered FTP control connections over SSH
with the first Mac OS X version, which is equivalent in terms of
security (and doesn't require an SSL-capable FTP server, just a
working SSH installation on the FTP server). SFTP is cleaner and
fully encrypted, though.


At 7:53 PM -0700 2006/04/23, edward wrote:

>Windows XP is notorious for being infected immediately after a new
>installation, before the user has time to install system patches.
>Windows XP Service Pack 1 installations have been reported
>compromised in as little as 4 minutes after being placed on a
>standard DSL connection.
>
>
>
>While this warning is definitely to be taken seriously, being behind a NAT
>and taking a little care should be sufficient. The NAT -- assuming no ports
>are mapped to the computer in question -- protects against direct attacks.
>Avoid surfing except to the MS sites as needed to complete the software
>updates -- in fact, just don't do anything but software updates on the XP
>system until the software is current.

        Or afterwards! The IE-based attacks are common and quite
severe. Alas, this isn't feasible.

>Yep. Although if the XP system is the only one behind a NAT, this may be
>unnecessary. I don't know what kind of IP connectivity a virtual XP system
>will get -- the Mac OS may act as a NAT, thus protecting it. But on a
>dual-boot system, the exposure is likely to be the same whether it's booted
>in Mac OS or XP.

        Parallels appears to share ("bridge") the Mac's interface
fully, meaning the virtual Windows box has full access to the
network. Mine gets its own DHCP address, and is unaffected by the
Mac's ipfw firewall.

        Except that the risk to the Mac from being attacked is
nowhere near as great as the risk to a Windows installation from
being attacked. Macs are (at least as of April 2006) unlikely to be
broken into by random schmoes on the Internet. PCs are taken down and
subverted by random attacks all the time.

>The main reason for using a personal firewall even when protected upstream,
>is that even if you are behind an excellent firewall, there are other ways
>for malware to invade. Laptops are famous for this. I'm aware of a site
>which was taken down for a full day when all their internal servers were
>infected by SQL Slammer. It was several months after the Slammer release,
>and they had ignored the warnings to install the updates. But they were OK,
>protected almost entirely by NAT, until a consultant brought in an infected
>laptop and hooked it up to the LAN. Uh-oh.

        And Windows firewalls also do a lot of egress restriction.
They check for programs on your PC connecting to the Internet, which
may be an indication that your Windows PC is a zombie / bot system
under someone else's control, sending spam or your private
information (passwords, credit card numbers, etc.) to the darker
corners of the Internet. UNIX firewalls (including Mac OS X) as a
rule don't restrict outbound traffic, being entirely concerned with
attackers trying to break in, rather than trying to detect attacks
that have already succeeded. This is why Zone Alarm is so noisy -- it
keeps asking if programs on the PC should be permitted to connect to
the Internet, while this just happens silently on a firewalled Mac.

        If and when Macs start getting seriously broken into, we'll
have to face some of the same restrictions.


At 7:53 PM -0700 2006/04/23, brians548 wrote:
>I'm no expert in Windows, but if people need to install XP on a Mac mainly
>to justify using one in an environment where certain applications are
>Windows-only, wouldn't it solve most security problems to simply avoid using
>all Internet software while in Windows? Could you perhaps not connect the
>Windows side to the Internet at all?
>
>This wouldn't work for people who need connections on both sides, but it
>might help for others.

Paul,

        Many of the "Windows-only applications" I need to use are
IE(Win)-only "sites" (several belong to dedicated "appliances"). I
rarely bother with Firefox on Windows (which is frequently suggested,
and an excellent upgrade for Windows users), because if it worked in
Firefox, I'd do in inside Mac OS X! ;)

        But yes, doing as little on the Internet as possible in
Windows is an excellent idea for safety.


                                                Chris
--
Chris Pepper: <http://www.reppep.com/~pepper/>
Rockefeller University: <http://www.rockefeller.edu/>

brians548 wrote:
> I'm no expert in Windows, but if people need to install XP on a Mac mainly
> to justify using one in an environment where certain applications are
> Windows-only, wouldn't it solve most security problems to simply avoid
> using
> all Internet software while in Windows? Could you perhaps not connect the
> Windows side to the Internet at all?
>
> This wouldn't work for people who need connections on both sides, but it
> might help for others.

A big reason that folks use Windows is QuickBooks Pro. Especially the
Payroll. All QBPro and Payroll updates and fixes are done the same way
as Winodws via the Internet. And if you're running a bookkeeping system
with QBPro you likely also have MS Office on it. And some anti virus and
Malware detector as is being discussed in the other thread. Basically
you can't run many modern business systems without a broadband
connection or a phone line that can be tied for for long periods of time.

--On April 23, 2006 7:53:01 PM -0700 brians548 <brianswsu.edu> wrote:

> I'm no expert in Windows, but if people need to install XP on a Mac
> mainly
> to justify using one in an environment where certain applications are
> Windows-only, wouldn't it solve most security problems to simply avoid
> using
> all Internet software while in Windows? Could you perhaps not connect the
> Windows side to the Internet at all?

Yes and no. Internet Explorer is so integrated into the OS that it can
actually be tough to know when you are using Internet enabled software.
This is one of the reasons I recommend leaving the software firewall turned
on. It will inform you when programs talk to the internet and can warn you
of problems. Help is a frequent user of the internet (as on the Mac these
days).

However, as you recommend, sticking to just the application or two you
actually need is the best route to go.

--On April 23, 2006 7:53:01 PM -0700 edward <edwardpaleo.org> wrote:

>> Windows XP is notorious for being infected immediately after a new
>> installation, before the user has time to install system patches. Windows
>> XP Service Pack 1 installations have been reported compromised in as
>> little as 4 minutes after being placed on a standard DSL connection.
>
> While this warning is definitely to be taken seriously, being behind a
> NAT
> and taking a little care should be sufficient.

Generally this is true. However if you are installing at an office with
lots of other Windows devices, then beware. There are probably infected
machines on the network behind the firewall that can attack your
installation. If you're at home and this is the only machine then my
precautions are a little overkill.

Note -- If you have a NAT router, be sure to disable uPNP (or Universal
Plug and Play). Universal Plug and Play is a "feature" that Microsoft
thought was a good idea. It allows software on your windows computer to
control the router -- including opening ports and turning on port
forwarding. Malware is starting to catch on to this and use this ability
to give itself better access to the Internet.

> Yep. Although if the XP system is the only one behind a NAT, this may be
> unnecessary. I don't know what kind of IP connectivity a virtual XP
> system

Virtual PC has 4 (I'm not sure what other virtualization software offers)
types of network connections:
 * Off
 * NAT - The Mac has the main IP and virtual PC's IP is a NAT connection
through the host OS
 * Direct - The virtual PC has it's own IP address
 * Local only - The virtual PC can only talk to other virtual PC computers
(I believe IP's have to be statically assigned in this instance but it's
been awhile since I've used it.)

In NAT and Local only you're pretty safe from worm malware, the most common
attack against XP at installation time.

Local only is very useful for building test networks you don't want
interfering or appearing on your useful network. Virtual PC also allows
multiple network cards to be configured in the virtual machine. I once saw
a demonstration where the presenter used small linux distributions in
virtual machines as routers and built an entire 3 subnet test network with
6 virtual machines (2 servers and 2 clients plus 2 router virtual machines).

> **Spyware Removal** -- Be sure to install spyware detection and removal
> software.
>
> I have to say "it depends". I've been using XP for about three years now,
> have never run real-time spyware blocking software, and have never been
> infected by any spyware or adware.

This recommendation was for long time Mac users that just haven't built up
the paranoia that running Windows requires. Spybot Search & Destroy has
some pro-active blocking mechanisms that I think will help the first time
user.


>> Note that Windows XP does not include a DVD player by default.
>
> Windows Media Player plays DVDs just fine ... well it plays them OK.

Windows XP Media Player won't play DVDs if you've bought the retail version
of Windows. If you purchased a computer with a DVD in it from Dell, HP,
Alienware, whoever, they will frequently include the OEM codecs for DVD
playing via Windows Media Player (with the limitations you mention). I'm
not sure if Boot Camp installs a DVD decoder for Media Player.

A list of the default codecs for Media Player is here:
<http://support.microsoft.com/default.aspx?scid=kb;en-us;899113#EJACAAA>

You'll notice there is no MPEG-2 decoder included. You can purchase MPEG-2
decoders for Media Player (there are some free ones floating around too.)

The FAQ on this is very deceiving:
<http://www.microsoft.com/windows/windowsmedia/player/windowsxp/features.aspx#vidvd>

You'll notice the first point is:
Yes, you can watch DVDs in Windows Media Player for Windows XP! You can
also check out chapter listings, jump to a different chapter or read about
ratings information. If the DVD includes them, you can even adjust camera
angles to watch your DVD just the way you like it.

But if you read further down:
Most computers with DVD drives come with DVD decoders preinstalled. But for
those rare cases in which the decoder did not come with the DVD, DVD
decoder packs are available from third-party vendors

--On April 24, 2006 10:15:09 AM -0700 Chris Pepper <pepperreppep.com>
wrote:
> Note that Interarchy offered FTP control connections over SSH
> with the first Mac OS X version, which is equivalent in terms of
> security (and doesn't require an SSL-capable FTP server, just a
> working SSH installation on the FTP server). SFTP is cleaner and
> fully encrypted, though.

Yes the SFTP is better, but I like SSL+FTP because of the speed (which is
due fully to the unencrypted data transfer) since I'm usually just
uploading public web pages anyway, or transferring to an internal server, I
don't mind the unencrypted data part.

Filezilla will technically do SFTP in combination with PuTTY, however I
never got it to work with the public key authentication I use (I keep my
key on a USB thumbdrive and it requires a passkey). Interarchy does work
with this configuration on my Mac.

Kevin

On Apr 24, 2006, at 1:15 PM, Chris Pepper wrote:

> This is why Zone Alarm is so noisy -- it
> keeps asking if programs on the PC should be permitted to connect to
> the Internet, while this just happens silently on a firewalled Mac.

Part of this is also security marketing: if your computer sits
quietly, there's no reason to believe the money you spent on Zone
Alarm was well spent. On the other hand, if it throws up a dialog
box every ten minutes alerting you that someone was portscanning you,
or that a packet with a signature it didn't understand was received,
you feel like you're getting something for the money.

(This is also why backups and disaster recovery plans are such hard
sells: it feels like you're pouring money into something you'll
never use, and you even *hope* you'll never use it, but man, when you
need it, suddenly it seems like a good thing in retrospect.)

Charlton

--
Charlton Wilbur
cwilburchromatico.net

>
> Generally this is true. However if you are installing at an office
> with
> lots of other Windows devices, then beware. There are probably
> infected
> machines on the network behind the firewall that can attack your
> installation. If you're at home and this is the only machine then my
> precautions are a little overkill.

On XP SP2 Windows Firewall is more than sufficient to protect you
while you update everything. You'll probably want to add a different
firewall later. Don't worry about AV until you get everything fully
installed. The ZoneAlarm package which uses CA's AV is better than
the big 2.
>

> Virtual PC has 4 (I'm not sure what other virtualization software
> offers)
> types of network connections:
> * Off
> * NAT - The Mac has the main IP and virtual PC's IP is a NAT
> connection
> through the host OS
> * Direct - The virtual PC has it's own IP address
> * Local only - The virtual PC can only talk to other virtual PC
> computers
> (I believe IP's have to be statically assigned in this instance but
> it's
> been awhile since I've used it.)
>
Parallels seems to be bridged only right now, which opens you up for
potential worms (well, it also supports host only but you can't do
much with it). Using the beta in a hotel recently I even had to "pay"
twice for access since it saw my virtual machine as a second PC (the
hotel cleaned the charge in the morning).
>
>> **Spyware Removal** -- Be sure to install spyware detection and
>> removal
>> software.
>>
>> I have to say "it depends". I've been using XP for about three
>> years now,
>> have never run real-time spyware blocking software, and have never
>> been
>> infected by any spyware or adware.
>
> This recommendation was for long time Mac users that just haven't
> built up
> the paranoia that running Windows requires. Spybot Search & Destroy
> has
> some pro-active blocking mechanisms that I think will help the
> first time
> user.
>
The Microsoft Spyware beta (Windows Defender) is pretty solid for
spyware and a good base product with low overhead. Webroot is the
most aggressive, but costs money and is terrible with system
resources. Spybot is fine, but not as strong as it used to be.

-rm

On 4/24/06 1:15 PM, "Chris Pepper" <pepperreppep.com> wrote:

> And Windows firewalls also do a lot of egress restriction.
> They check for programs on your PC connecting to the Internet, which
> may be an indication that your Windows PC is a zombie / bot system
> under someone else's control, sending spam or your private
> information (passwords, credit card numbers, etc.) to the darker
> corners of the Internet.

I know Chris knows this but just to be clear, the firewall built in to
Windows XP does *not* do egress restrictions. It only allows or prevents
access to ports from the outside. It may pop-up and warn you about a program
but only when that program is trying to open a port to act like server, not
when one tries to send data.

--On April 24, 2006 2:23:45 PM -0700 Robert Movin <rmovingmail.com> wrote:

> On XP SP2 Windows Firewall is more than sufficient to protect you
> while you update everything.

Yes, this is the primary reason I recommended keeping the computer off the
network until SP2 is installed. If you have an install CD with XP+SP2
already on it then you're good to go. If you're moving an older XP to a
new install then be sure to have SP2 on hand and ready to install without
being on a network.

>> Generally this is true. However if you are installing at an office
>> with
>> lots of other Windows devices, then beware. There are probably
>> infected
>> machines on the network behind the firewall that can attack your
>> installation. If you're at home and this is the only machine then my
>> precautions are a little overkill.
>
> On XP SP2 Windows Firewall is more than sufficient to protect you
> while you update everything. You'll probably want to add a different
> firewall later. Don't worry about AV until you get everything fully
> installed. The ZoneAlarm package which uses CA's AV is better than
> the big 2.

No. This is exactly the kind of thinking that allows things to spread.
At this moment in time with the latest install setup from MS it might be
true. Might. But bad guy may discover a hole tomorrow that invalidates
this assumption. Or they may be restoring a system from a set of install
disks 5 months old. Or like me I was wiping and setting up a system that
had install CDs from before SP2. If you want to be secure, you need to
always operate securely. Period. Anything less is not secure. So with
windows, always start behind a NAT with no other machines on your
subnet. Anything less is asking for a compromised system.

At 10:15 04/24/06 -0700, Kevin van Haaren wrote:
>Windows XP Media Player won't play DVDs if you've bought the retail version
>of Windows.

Ah right, how soon I forget.

>If you purchased a computer with a DVD in it from Dell, HP,
>Alienware, whoever, they will frequently include the OEM codecs for DVD
>playing via Windows Media Player

Also, separately purchased DVD drives usually come with codecs, though
often they must be extracted from a larger software package that's bundled.

Edward
Art works by Melynda Reid: http://paleo.org

>
> No. This is exactly the kind of thinking that allows things to spread.
> At this moment in time with the latest install setup from MS it
> might be
> true. Might. But bad guy may discover a hole tomorrow that invalidates
> this assumption. Or they may be restoring a system from a set of
> install
> disks 5 months old. Or like me I was wiping and setting up a system
> that
> had install CDs from before SP2. If you want to be secure, you need to
> always operate securely. Period. Anything less is not secure. So with
> windows, always start behind a NAT with no other machines on your
> subnet. Anything less is asking for a compromised system.
>
The same can be said for any OS. If NAT/firewall is available you
should always use it (even for OS X). That's not something every user
has.

In the real world as long as you start with SP2 (which enables the
firewall by default) you can safely configure a Windows system
without being totally isolated. Anything less than SP2 and you place
yourself at risk. When it comes to using a configured system, email
and using IE at inappropriate sites are the main sources of
compromise. That's when you'll need heavy AV, anti-spyware, and a
firewall with outbound blocking/application control. And turn on
Windows Update.

I'm a fan of being paranoid, it's what I get paid to do, but the fact
is today Windows Firewall in SP2 offers sufficient protection to
connect to the Internet and update to the latest patch level.

Personally I recommend avoiding connecting Windows machines (or
anything) directly to the Internet, but when roaming around WiFi
hotspots and hotels that's not always an option. But by using a
firewall, Windows Update, Firefox (instead of IE), AV, and
antispyware I've never been compromised (even in very hostile
environments) and unless you download weird stuff you should be fine.

AV is the weakest area of protection right now, so I also make it a
habit to never launch executables or even media files/other
attachments unless I'm absolutely confident in the source. There are
some custom exploits floating around that AV won't catch (although
the slowly improving Host Intrusion Prevention products offer some
hope).

-rm

--On April 25, 2006 11:03:24 PM -0700 Robert Movin <rmovingmail.com> wrote:

> In the real world as long as you start with SP2 (which enables the
> firewall by default) you can safely configure a Windows system
> without being totally isolated. Anything less than SP2 and you place
> yourself at risk.

After reading these comments the one thing I wish I'd added to my article
was the clarification the XP+SP 2 is safe to put on the internet "at this
time". I forget these articles are available for years and years. Next
month SP 2 may not be the safest, you may need a particular patch against
some vulnerability that is being exploited widely.

One thing Microsoft has started doing is bundling each month's worth of
fixes in a downloadable/archivable ISO image:

<http://support.microsoft.com/kb/913086>

Unfortunately:
a) These aren't cumulative. Where on the Mac you can download the latest
combo update and have all updates to that point, Microsoft isn't doing this.

b) They've not released one for any of the fixes prior to January 2006. SP
2 shipped in Aug 2004 so that is 16 months worth of updates you have to get
one at a time or put your SP2 computer on the net to get them from Windows
Update.

I don't know why Microsoft doesn't just make each ISO cumulative with all
the fixes since the last major SP, it would make life so much easier.

On Apr 25, 2006, at 11:03 PM, Robert Movin wrote:
>
>
> I'm a fan of being paranoid, it's what I get paid to do, but the fact
> is today Windows Firewall in SP2 offers sufficient protection to
> connect to the Internet and update to the latest patch level.

Another proper area of paranoia with Windows (and with Mac to a much
smaller degree) is "free, must have" downloaded stuff.

In the Windows world, it is very common for the license agreement for
this stuff to stipulate that the download includes spyware (using
gentler language, of course) whose installation you agree to by
agreeing to the license. (Even our old friend Eudora did this from
the inception of the ad-supported option up through the last time I
downloaded it for Windows, to help them send you "appropriate" ads--
even if you switch immediately to the free, crippled form or the paid
form.)

Read the license agreements, particularly in Windows-land. You may
find that the must have thing can be done without after all.

   --John

> Windows XP Media Player won't play DVDs if you've bought the retail version
> of Windows. If you purchased a computer with a DVD in it from Dell, HP,
> Alienware, whoever, they will frequently include the OEM codecs for DVD
> playing via Windows Media Player (with the limitations you mention). I'm
> not sure if Boot Camp installs a DVD decoder for Media Player.

Just a note that VLC wil play DVDs -- complete with menus etc -- on
standard Windows machines. It works just like it does on Mac OS X,
which means it works very well.

It doesn't emulate a DVD remote control like Apple DVD Player does,
but the mouse works fine.

http://www.videolan.org/vlc/