The Windows operating system has the lion's share of the computing market and, being such a large target, it attracts the attention of malcontents and predators. Therefore, users need to be as informed on computer security as possible. Microsoft and others recommend that you at least keep current with Windows and application updates, use virus protection with up-to-date definitions, and run a firewall of some kind. With Service Pack 2, Windows XP now has a built-in firewall option enabled by default. There are also other software and hardware firewall vendors to help protect you from intrusions. I cover these issues in my Home Computer Security Tips article. I also have a list of valuable resources for becoming informed about and fighting spyware on the Spyware and Troubleshooting Resources page.
The tools described below address a number of vulnerabilities in Windows XP. Service Pack 2 from Microsoft fixed many security problems and added better configuration utilities for security and wireless networking. Windows still has a number of troublesome features enabled by default, and the default XP install grants full administrative privileges to the user accounts it creates. Taken together, these widen the damage any single vulnerability can do. Remember, home users act as their own system administrators: if there are problems, they need to be addressed.
The computing environment should be both flexible and secure. There are several Web sites that cover optimizing and securing XP that are maintained by very knowledgeable people. Discussion forums are also a great resource. There are some simple, recommended tools to help the home user; they are also worth exploring by support professionals. These help secure Windows XP computers and are described in the Tools section below.
Naturally, my information in this area is evolving. I plan to update this page from time to time. Here are a few sites with valuable information on a viable strategy.
My research suggested that a number of features are enabled by default on Windows XP and, because each one exposes your computer, they need to be disabled. The tools listed here represent a required minimum effort to reduce problems. The author at GRC.Com describes each issue and has several small utilities to disable problem features in Windows. All of the pages are very informative.
By the way, there is an interesting discussion forum thread on the Wilders Security Web site that discusses Windows Messenger. I chose to remove Windows Messenger using a highly regarded VBS script available at the Doug Knox Web site under the "Win XP Fixes" and "Windows Messenger - Disable/Remove" headings.
Additionally, GRC.Com has other useful security testing tools.
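The GRC utilities above each switch off one feature with a click. As an added example, and not code from this page, from GRC, or from Microsoft, here is the same job done from PowerShell (2.0 on XP SP3, run from an Administrator account) so you can see the before/after state and confirm the network side effect. The service names in the list are my assumptions based on the features discussed on this page (the Messenger service behind "net send" pop-ups, the SSDP/UPnP services behind port 1900, and Remote Registry); edit the list to suit.

```powershell
# Added example, not from the page or from GRC: audit and disable XP services that
# are on by default and reachable from the network. Run from an Administrator
# account. Service names are assumptions based on the features discussed above.
$targets = @(
    "Messenger",      # Messenger service (net send pop-ups); not the Windows Messenger IM client
    "SSDPSRV",        # SSDP Discovery Service: the UPnP traffic on UDP 1900
    "upnphost",       # Universal Plug and Play Device Host
    "RemoteRegistry"  # remote registry access
)

function Get-ServiceReport {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) { "{0,-16} not installed" -f $name; continue }
        # StartMode (Auto/Manual/Disabled) is only exposed through WMI
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        "{0,-16} state={1,-8} start={2}" -f $name, $svc.Status, $wmi.StartMode
    }
}

function Disable-ExposedService {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) { continue }
        if ($svc.Status -eq "Running") { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled   # survives reboot
    }
}

"Before:"; Get-ServiceReport $targets
Disable-ExposedService $targets
"After:";  Get-ServiceReport $targets

# Confirm nothing is still listening for SSDP on UDP 1900
"UDP 1900 listeners (should be empty):"
netstat -a -n -p udp | Select-String ":1900"
```

Setting the startup type to Disabled, not just stopping the service, is the part that matters: a stopped Automatic service is back after the next reboot, and some installers will restart a Manual one. Run the report again after Windows Update, since service packs have been known to re-enable things.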
Here are a couple more third-party utility sites you might visit.
In addition, in December 2005, another vulnerability appeared in Windows Metafile (WMF) format image files. It was a zero-day: attackers were exploiting the flaw before Microsoft released a patch. Before the official patch appeared, I found a work-around and an unofficial patch on the Windows WMF Vulnerability News & Updates page on the GRC.Com Web site, a great site for security information.
The Optimize XP Web site has links to and descriptions of recommended programs for virus and spyware protection. The site also recommends removing the vulnerable Microsoft Java Virtual Machine (JVM) and replacing it with the more secure Java Runtime Environment (JRE)—including a JVM—from Sun, the originator of Java. (For the relationship of the JRE and the JVM, see "Can I download only the Java Virtual Machine?") Scroll down the page to read the information and find links to tools and the Sun installer. Here is a cautionary comment from the Optimize site:
Auto-installing Spyware infections (CoolWebSearch) occur due to exploits in Microsoft's discontinued Java Virtual Machine v1.1.4 (Build 5.0.3810). Infection occurs by simply browsing the wrong web site... Under NO circumstances should MSJVM be installed or used.
Another site called this a "drive-by" malware installation. The Optimize site has links to a removal tool for the MS JVM, a direct link to the latest download page for the Sun JVM, and a page that verifies your JVM installation. If you go to the main Java page at http://www.java.com/, you will find information and download links for the Java Runtime Environment (JRE) edition of Java. This gives you a Java Virtual Machine (JVM) and should be sufficient as a replacement for the Microsoft JVM.
I found later that in order to install a Java-based program I needed the Java compiler ("javac"), and this was only available if I installed the development kit, the next level of the Java environment. From that program's installation instructions:
Our build process currently requires that you have a development kit version of the Java tool set installed; anything other than a simple 'Java VM' installation will suffice.
It is available at http://java.sun.com/j2se/ and is called the Java 2 Platform, Standard Edition (J2SE); it includes a JRE and the JDK ("J2SE Development Kit") tools. It is a sizable download. I wondered, since both include a JRE, whether one needs to install both the basic JRE and the more full-featured J2SE version. See the Download Help FAQ "What Should I Download?" Here are a couple of quotes from the J2SE for Windows page:
Installation Instructions
In this procedure, you will run the self-installing executable to unpack and install the JDK software bundle. As part of the JDK, this installation includes the Java Plug-in and Java Web Start, as well as an option to include the public Java 2 Runtime Environment.
[And later on the same page...]
Private vs. public JRE - Installing the JDK installs a private J2SE Runtime Environment (JRE) and optionally a public copy. The private JRE is required to run the tools included with the JDK. It has no registry settings and is contained entirely in a jre directory (typically at C:\Program Files\jdk1.5.0\jre) whose location is known only to the JDK. On the other hand, the public JRE can be used by other Java applications, is contained outside the JDK (typically at C:\Program Files\Java\jre1.5.0), is registered with the Windows registry (at HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft), can be removed using Add/Remove Programs, might or might not be registered with browsers, and might or might not have java.exe copied to the Windows system directory (making it the default system Java platform or not)
So, apparently, I need both. Install only the JRE if you want basic Java functionality or to replace the Microsoft JVM. Add the J2SE Core Java if you plan to install Java packages that require the Java compiler or tools for installation. I'm including links to both versions because I found it confusing getting to the J2SE/JDK version pages from the basic JRE home page on the Java site.
You can also review an older article on the Sun Java site, Java Upgrade Guide: Migrating From the Microsoft VM for Java to the Sun JRE. It has a lot of information on the issues involved in migration.
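After the swap it is worth checking that the Microsoft VM is really gone and that the Java your PATH resolves is the one you think it is. The following PowerShell script is an added example of mine, not code from this page or from Sun; the registry key and the java.exe-in-system32 behaviour come from the Sun notes quoted above, while the MSJVM file names (msjava.dll and its jview.exe loader in system32) are my assumptions about what a leftover install looks like.

```powershell
# Added example, not from the page or from Sun: verify that the Microsoft VM is gone
# and that the Sun JRE (and, if needed, the JDK's javac) is what actually runs.
# File names and registry paths are assumptions based on the notes quoted above.
$sys32 = Join-Path $env:windir "system32"

function Test-MsJvmRemoved {
    # The Microsoft VM lived in msjava.dll with jview.exe as its command-line loader.
    $left = @("msjava.dll", "jview.exe") | Where-Object { Test-Path (Join-Path $sys32 $_) }
    if ($left) { Write-Host "MSJVM remnants still present: $left"; return $false }
    Write-Host "No MSJVM files in $sys32"
    return $true
}

function Get-PublicJreHome {
    # Only the *public* JRE is registered here; the JDK's private JRE is not.
    $key = "HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment"
    if (-not (Test-Path $key)) { Write-Host "No public Sun JRE registered"; return $null }
    $ver = (Get-ItemProperty $key).CurrentVersion
    $jre = (Get-ItemProperty (Join-Path $key $ver)).JavaHome
    Write-Host "Public JRE $ver at $jre"
    return $jre
}

function Show-JavaOnPath {
    # A java.exe copied into system32 makes that JRE the system default.
    if (Test-Path (Join-Path $sys32 "java.exe")) { Write-Host "system32\java.exe present (system default)" }
    foreach ($tool in "java", "javac") {
        $cmd = Get-Command $tool -ErrorAction SilentlyContinue
        if ($cmd -eq $null) { Write-Host "$tool not on PATH"; continue }
        Write-Host "$tool -> $($cmd.Definition)"
        & $cmd.Definition -version 2>&1 | ForEach-Object { Write-Host "  $_" }   # -version prints to stderr
    }
}

Test-MsJvmRemoved
Get-PublicJreHome
Show-JavaOnPath
```

If "javac not on PATH" shows up even though the JDK is installed, that is expected: the JDK installer does not add its bin directory to PATH, so either add it or call javac by full path in the build.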
Here are a couple of sites where you can enter the name of an executable in a search field and query a database that returns a good deal of information on the program. Very handy for determining whether executable files are legitimate, a first step in troubleshooting.
You can also review a list of parasites at DoxDesk.com. I have more resources on file information on my links to security information page.
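Looking up a file name only helps if you know which files are actually running and where they came from, and malware is fond of borrowing legitimate names. The script below is an added example of mine (not code from this page or from the lookup sites) that inventories running processes with their image path, SHA-1 and Authenticode status, and flags anything running from outside the Windows and Program Files trees. The "trusted roots" list is my assumption; it needs PowerShell 2.0 (available for XP SP3).

```powershell
# Added example, not from the page or from the lookup sites it mentions: inventory
# running processes with image path, SHA-1 and Authenticode status, flagging any image
# outside the Windows and Program Files trees. Paste the name or hash into the
# lookup sites above. The "trusted roots" list is an assumption; needs PowerShell 2.0.
$trustedRoots = @($env:windir, $env:ProgramFiles)

function Get-FileSha1 {
    param([string]$Path)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try     { return ([System.BitConverter]::ToString($sha1.ComputeHash($fs))).Replace("-", "").ToLower() }
    finally { $fs.Close() }
}

function Get-ProcessInventory {
    foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.MainModule.FileName } catch { }   # Idle/System and protected processes deny access
        if (-not $path) { continue }
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.ToLower().StartsWith($root.ToLower() + "\")) { $trusted = $true }
        }
        New-Object PSObject -Property @{
            Name      = $p.ProcessName
            Pid       = $p.Id
            Path      = $path
            Sha1      = Get-FileSha1 $path
            Signature = (Get-AuthenticodeSignature $path).Status   # Valid / NotSigned / HashMismatch ...
            Suspect   = (-not $trusted)
        }
    }
}

Get-ProcessInventory |
    Sort-Object -Property Suspect -Descending |
    Format-Table Suspect, Name, Pid, Signature, Sha1, Path -AutoSize
```

A Suspect=True row is not proof of anything (plenty of legitimate software lives under the user profile), and a NotSigned row is normal for XP-era third-party programs. What you want to notice is a system file name such as svchost.exe running from a path other than system32, or a Valid-signed path that is nonetheless unfamiliar: those are the rows to look up by hash rather than by name.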
Here are several native Windows tools often referenced in Microsoft Knowledgebase articles and by technical support people.
Here is another information tool available from a software vendor:
In wondering about Windows XP security, I found a couple of sites that described individual vulnerabilities. Those sites and the tools recommended are described above. Here is one site that reviews XP security in depth, including accounts of discussion with Microsoft engineers. It is an extensive article and valuable reading:
In doing online research for a Windows security problem, it doesn't take long to find highly qualified professionals describing their frustration with Microsoft in an article, forum post, or newsletter. For example, I had a problem with my router flooding my LAN with Universal Plug and Play requests on port 1900 in March 2006. The author of "Beyond Fear" and the security book "Secrets and Lies" has a January 2002 newsletter article on the Windows UPnP Vulnerability:
Honestly, security experts don't pick on Microsoft because we have some fundamental dislike for the company. Indeed, Microsoft's poor products are one of the reasons we're in business. We pick on them because they've done more to harm Internet security than anyone else, because they repeatedly lie to the public about their products' security, and because they do everything they can to convince people that the problems lie anywhere but inside Microsoft. Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense from Microsoft and its products.
I remember taking a Windows NT class from a consultant and, in explaining why the class wasn't an accredited MCSE class, he spoke of working with early versions of the Microsoft class material and finding recommended techniques that did not work. He would point out the results and suggest a work-around with local tools. He said his Microsoft contact told him he couldn't say there was a problem. He should teach the materials as is. He countered that his focus was effective administration in the real world. As a result, he decided to teach as an independent with his own material. It was a great class. I later found myself in a standard Windows NT class; it was a nice two-day vacation.
Some IT professionals may take the opinion that fully supporting only Microsoft software and recommendations is akin to following a gold standard. While there is much valuable information in that strategy, independent security experts will follow statistics and cast a wide net for information in finding security solutions. The first step is admitting there is a problem. I hope it gets better.
I recently read a Wall Street Journal article (Friday, September 23, 2005, "Battling Google, Microsoft Changes How It Builds Software"—subscriber login required or try here) on Microsoft's effort to create the successor to XP by recreating the coding process from the ground up. This is encouraging. With Service Pack 2 addressing vulnerabilities, the active discussion on least-privileged user implementation in the upcoming Windows Vista, and the new development process, it appears the culture and attention to security are improving at Microsoft. Another hopeful sign is finding a personal blog by a Microsoft engineer.
I found the extensive Microsoft Watch Web site during my research. It described and linked to an article on running as a non-admin user, the default environment that Microsoft is planning for Windows Vista. Here's a quote from Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit, from that eWeek article:
"There's a whole ecosystem that needs to be educated and that can take a long time," he added. "There are a lot of games that update themselves online and a lot of them write files into the program files directory. We need to get them to change that, because the program files directory is a protected location and you have to be logged on as admin to drop bits there."
"When you're dealing with a product to be used by 100 million customers, you have to give developers lead time. They have to see what's coming down the pike so they can make the appropriate changes."
I can appreciate that implementing such changes can be as difficult as turning a supertanker.
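The non-admin discussion above is easy to check against your own XP box. The script below is an added example of mine, not code from this page, from Microsoft or from the eWeek article: it reports whether the current session carries Administrators membership (on a default XP install it will, per the note earlier on this page), lists who is in the local Administrators group, and shows which identities may write under Program Files, the "protected location" Howard refers to. The Program Files path is taken from the environment; the rights mask is my own (the write bits of FileSystemRights plus the generic write/all bits that show up in inherited entries).

```powershell
# Added example, not from the page or from Microsoft: see whether this session runs
# with Administrators membership, who else is in the local group, and which
# identities may write under Program Files, the "protected location" in the quote.
function Test-IsAdmin {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $pr.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdministrators {
    # ADSI WinNT provider: no extra modules needed on XP
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($m in $group.Invoke("Members")) {
        $m.GetType().InvokeMember("Name", "GetProperty", $null, $m, $null)
    }
}

function Get-WriteGrants {
    param([string]$Path)
    # Write bits of FileSystemRights (0x116) plus GENERIC_WRITE / GENERIC_ALL,
    # which appear as raw numbers in inherited ACEs. Mask is an assumption.
    $mask = 0x116 -bor 0x40000000 -bor 0x10000000
    (Get-Acl $Path).Access |
        Where-Object { $_.AccessControlType -eq "Allow" -and ((([int]$_.FileSystemRights) -band $mask) -ne 0) } |
        ForEach-Object { "{0,-40} {1}" -f $_.IdentityReference.Value, $_.FileSystemRights }
}

"Running as admin: " + (Test-IsAdmin)
"Local Administrators group:"; Get-LocalAdministrators | ForEach-Object { "  $_" }
"Who may write under $env:ProgramFiles :"; Get-WriteGrants $env:ProgramFiles

# To run one program with admin rights from a limited account, instead of logging
# in as admin everywhere, use the built-in runas tool, e.g.:
#   runas /user:Administrator "cmd.exe"
```

If Get-WriteGrants lists only Administrators, SYSTEM and (on XP) Power Users, Program Files is behaving as Howard describes, and any game that "updates itself" by writing there will fail from a limited account. That failure is the compatibility cost he is talking about, and running your everyday account as a limited user is how you find out which of your programs still have the problem.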
I originally began computing at home on a Macintosh in 1991. A couple years later, I used an X-terminal to connect to a VMS system, worked on a Windows NT workstation, and connected to Unix servers via terminal programs. I now have two computers. One, a Macintosh laptop, runs MacOS X, a Unix variant with a wonderful user interface and lots of features, and another, a Dell, runs Windows XP Professional with SP2. The latter is my third Wintel (Windows OS on Intel processor) computer. I had a Winbook XL laptop where I discovered the BIOS was locked and if I needed to reinstall Windows 95, I had to send it back to the vendor. The passive LCD screen was also a pain. As a result, it was a part-time computer in the mix. A couple years later, I purchased an eMachines tower, keeping it for three weeks before taking advantage of the 30-day no-questions-asked return period. That box could definitely be described as a Craputer. After that fiasco, I finally asked an experienced PC friend to recommend a computer. I wanted the option to install Linux, if desired. Many Windows computers have some functionality partially in Windows-based software, rather than hardware. I wanted a flexibly configured box.
What I discovered is that in the PC world, if you want performance, configuration flexibility, and robustness, you really have to rebuild the computer you get. Granted, the Dell PowerEdge 600SC I purchased is a server class computer that had no sound card and weak video performance, and I needed to install third-party audio and video cards to use it as a workstation. There are three fans (front, CPU, and back) whose combined loud volume was astonishing sitting under my desk off the living room. Luckily, I found you could replace the rear 45 dB (!) fan with a duplicate of the 22 dB front fan by simply reversing the grille. I couldn't use a third-party fan because the Dell has proprietary connectors. I wonder, is it so much more expensive to have quiet fans? Do no humans work in or near server rooms? If someone yelled "Fire!" in the next room, would they hear it? I also had to replace the included CD-RW/DVD drive as it didn't reliably burn CDs.
At home, I wanted to share a 19-inch LCD monitor with the Dell and an occasional laptop. I had used KVM (keyboard/video/mouse) switches before and so I purchased a Belkin 4-port KVM and cables. The KVM shares the peripherals via USB ports for the client computers but has PS/2 ports for its keyboard and mouse inputs. While the three-button scrolling Logitech USB mouse works fine with a small USB to PS/2 adapter, I found that one has to have exactly the right keyboard for full key functionality. The Dell keyboard had an ancient plug and an adapter to PS/2, making it too tall for the compact KVM cable control box. I tried a Micro Innovations PS/2 keyboard unsuccessfully, but I don't remember why it didn't work. I tried a Microsoft Natural Wireless USB keyboard using a USB to PS/2 adapter but the "F" keys and media and Internet keys didn't work. I purchased a Belkin USB Ergoboard at the local computer center (they had no PS/2 keyboards), figuring it should work with a Belkin KVM using a USB to PS/2 adapter. It had a couple of problems, including the no "F" keys problem, I believe. Finally, I found and ordered a cheap Belkin PS/2 Ergoboard online and it provides full functionality. This keyboard has LEDs for CapsLock and NumLock, which are very handy features. I don't remember the MS keyboard having those, or perhaps they also did not work with the KVM. Even with this keyboard though, I had an intermittent problem over several weeks where a couple of applications, notably Firefox, displayed the wrong characters when I typed. Quitting Firefox and relaunching "fixed" the problem. I finally discovered I had installed the French language in the "Regional and Language Options" control panel under "Languages:Details" for some reason but still used only the English keyboard. Removing French in that control panel fixed the problem. Hardware/software coordination problems are frustrating.
So, I found my PC hardware needed tweaking and, as you can also see from the information on this page, there are a number of program and operating system defaults that need to be changed to fully secure a computer and optimize its performance. Many online business Web sites require Internet Explorer (IE), and the online virus and spyware scanners even need its ActiveX capability, so it is vital that you get IE secured. I'm still amazed at the amount of work and research required.
By the way, if things really go awry with your XP computer, you might need to repair or reinstall Windows XP (MS KB article). I had a problem with Internet Explorer (IE) and found a Microsoft Knowledgebase article on reinstalling or repairing IE. Since it is part of the OS, it takes more work than you might think. You can view the short article "How To Repair XP and Avoid a Full Reinstall" on Help2Go.Com or visit the Radified: Windows XP Installation Guide. I also have a long article, "My Experience Removing the NewDotNet Software", on verifying and recovering that might help.
I do have a final opinion and recommendation. If you have a couple computers at home, or at work for that matter, make sure there is at least one Macintosh, running MacOS X of course, in the mix. It is not nearly as vulnerable as Windows (no viruses so far), it has Unix and GUI tools, and it connects to networks easily. As an example, I used a Mac connected by ethernet cable when troubleshooting a router problem. Think about it.