Best Practices

Securing Your Windows XP Workstation - BEFORE Service Pack 2

Note: Instructions are under development for Windows XP with Service Pack 2!

Overview

Securing a Windows XP workstation is a simple and easy process.  It involves setting up the Internet Connection Firewall that comes with Windows XP and then running Windows Update to make sure that your machine has all current security patches applied.  This page will help you setup the Internet Connection Firewall and then run Windows Update. 

Internet Connection Firewall

The Internet provides access to a wealth of information and services by connecting users and systems. The availability and access to data and systems has brought increased attention to computer and network security. In an attempt to address these concerns, Microsoft offers the option of the Internet Connection Firewall (ICF) in their Windows XP operating system.

ICF is software installed with Windows XP that you can use to set restrictions on the information that is communicated between your PC and the Internet. ICF provides protection from inbound traffic, unsolicited data coming from the network to your PC. Commercial and Freeware firewall software is available that provides protection for outbound traffic but at this time  ICF does NOT provide outbound protection. 

ICF is a "stateful" firewall that monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that the firewall handles. ICF maintains a table of all communications that have originated from the PC running ICF. Any unsolicited traffic from the public side of the network connection is then discarded. If enabled ICF will create a security log so that all activity that is permitted or rejected is tracked.

Requirements  

ICF is not started by default.  To enable or disable ICF, you must be logged on as Administrator or as a user that is a member of the Administrators group.

Basic Configuration

This configuration will disable all inbound connections to your machine from all Internet hosts. This will NOT prevent you from accessing or using the Internet.

  1. From the Windows Desktop click: Start -> Settings -> Control Panel -> Network Connections.
  2. Right Click on 'Local Area Connection' and choose Properties.  If your machine has more then one network connection you will need to select the one connected to the Internet.
  3. In the 'Local Area Connection Properties' Box select the 'Advanced' tab.
  4. Activate ICF by checking the box that states 'Protect my computer and network by limiting or preventing access to this computer from the Internet'.
  5. Click on the 'Settings' box in the lower right.
  6. Under the 'Services' tab leave all boxes unchecked.
  7. Select the 'Security Logging' Tab.
  8. Under 'Logging Options' check both boxes - 'Log dropped packets' and 'Log successful connections'.
  9. Under 'Log file options' use the default options of C:\WINDOWS\pfirewall.log for Name and 4096 KB for size limit.
  10. Select the 'ICMP' tab.
  11. Check the boxes for the following:
                    Allow incoming echo requests
                    Allow outgoing destination unreachables
                    Allow outgoing time exceeded
                    Allow outgoing parameter problem
  12. Select 'OK' from the 'Advanced Settings' box.
  13. Select 'OK' from the 'Local Area Connection Properties' box.

Windows Update 

Windows update is a tool that comes with Windows XP to allow users to quickly and easily get software updates for Windows XP.

  1. From the Windows Desktop click: Start -> Windows Update.
  2. If this is the first time that you have run Windows Update you will be prompted with a security warning telling you that Microsoft wants to install some software on your computer.  Accept these warning.
  3. Click 'Scan for Updates'.
  4. Windows will return with updates in three categories: Critical Updates and Service Packs,  Windows XP, and Driver Updates .  All patches in the Critical Updates sections should be applied.  Updates under Windows XP and Driver Updates can be installed at your discretion.
  5. When the selected updates have completed installing you will be asked to reboot.  You need to repeat this process until all the 'Critical Updates' have been installed.

Automatic Windows Update 

Windows can be setup to automatically check for updates and then either install them or prompt you to install them.  To do this:

  1. From the Windows Desktop click: Start -> Settings -> Control Panel -> System.
  2. Select the 'Automatic Updates' Tab.
  3. Make sure the box 'Keep my computer up to date' is checked.
  4. Select the update method you are most comfortable with.
  5. Select 'OK' from the 'System Properties' box

------
Thanks to DePaul University.

Copyright © 2005 The University of Iowa. All rights reserved.