Safe XP

Services

Windows XP starts a number of background services automatically, many are unessential and can be disabled or set to start manually to improve performance and security

Disable Error Report service

If a program crashes on your machine, Windows generates an error report, which it wants to send to Microsoft.

Disable Remote Desktop support

Prevents your machine from having the ability to be remotely controlled by a system administrator or via the internet.

Disable Remote Registry service

Disallows remote computers to access and modify the registry on the local computer.

Disable RPC Locator service

Prevents your machine from using a specially malformed argument to be executed with system privileges by an attacker. The Locator service is not enabled by default except on Windows 2000 domain controllers and Windows NT 4.0 domain controllers

Disable Windows Update service

Changes Windows automatic updates to manual mode.

Disable Windows Messenger Spam

The Messenger service is normally used to transmit service messages between clients and servers over the Internet. (It should not be confused with the Windows Messenger instant messaging program). Advertisers are now increasingly abusing this service by sending messages to large blocks of random IP addresses via the Internet.

Disable UPNP/SSDP service

UPnP is a set of communications protocol standards that allow networked TCP/IP devices to announce their presence to all other devices on the network and to then inter-operate in a flexible and pre-defined fashion. There are currently limited UnPnP devices available and due to a recent security flaw it's advisable to disable this service. This also allows you to disable Universal Plug and Play Network Address Translation discovery which uses the Simple Service Discovery Protocol (SSDP) to reduce bandwidth and increase security.

Disable support for DCOM

Distributed Component Object Model, or DCOM, provides a method for distributed network applications to communicate with one another. This setting allow you to disable support for DCOM.

Disable Internet time synchronize

The system automatically synchronizes it's time with a timeserver at Microsoft.

Disable the POSIX Subsystem

Windows 2000 and XP still come with the POSIX subsystem which allows the use of Unix commands against your system.

Miscellaneous

Clear Pagefile at Shutdown

Windows does not normally clear or recreate the page file. On a heavily used system this can be both a security threat and performance drop. Enabling this setting will cause Windows to clear the page file whenever the system is shutdown.

Secure Desktop

Prevent certain software from sniffing and recording I/O on the desktop; however, the patch can interfere with other software.

Enable Windows File Protection

Windows File Protection (WFP) protects certain files that are key to the Windows 2000/XP operating system. These files are protected to prevent deletion of key files, unauthorized updating, and file damage that may be caused by viruses.

No File sharing

Disallows other users on a network from sharing your files.

No Printer sharing

Disallows other users on the network from sharing your printer.

TCP/IP & NetBIOS

Restrict Anonymous Guest Access

There is a security flaw in the kernels of Windows NT, 2000 and XP. They allow anonymous session access, which can reveal dangerous information about a computer and its SAM (Security Accounts Manager) accounts. Discovering a SAM with administrative privileges could allow an attacker to break into the user's account and jack up account privileges to admin level.

Protect Against SYN Flood Attacks

Windows includes protection that allows it to detect and adjust when the system is being targeted with a SYN flood attack (a type of denial of service attack). When enabled the connection responses time out more quickly in the event of an attack.

Prevent Denial of Service Attacks

Denial of service attacks are network attacks that are aimed at making a computer or a particular service unavailable to network users. These settings can be used to increase the ability for Windows to defend against these attacks when connected directly to the Internet. It also eliminates DHCP vulnerability.

Internet Explorer 6

Disable Automatic Updates

The Internet Explorer automatically connects to MS and checks for updates by default.

Disable Scheduled Updates

The Internet Explorer periodically checks for updates (usually once a month).

Disable Windows Authentication

Deactivates integrated Windows authentication so the current user can be identified over the internet.

Prevent Execution of Risky Commands

Prevents download permission for unsigned ActiveX controls and disables the vulnerability of mhtml documents. This restriction also removes the file association for .HTA extension to prevent infection by worms-like-viruses. It is safe for you if you do not use any HTML applications (HTA-files) at your computer.

Disable Script Debugger and JIT

If you run a script in Internet Explorer that results in an error, Internet Explorer gives you the option to debug the script.

Disable Watson Debug Log

When Internet Explorer crashes, it asks you if you would like to send an error report to Microsoft. Doing this may help the Internet Explorer development team improve stability in future releases, however you can disable this by checking the tick in the box. Internet Explorer 6.0 only!

Empty Temporary Internet Files on Exit

This setting controls whether IE should delete all of temporary internet files stored during the session when the browser is closed.

Media Player

Windows Media Player has some kind of Spyware features. But you still have some control over your personal computer.

Disable Auto Upgrade

Windows Media Player (WMP) will check from time to time if a new version of WMP is available by connecting to the microsoft.com site. If you do not want this to happen, mark this option.

Disable Sending User Identifier

Windows Media Player sends a "serial number" unique to your system (GUID: global unique identifier) to Microsoft & other content providers. For enhanced privacy, check (disable) this option.

Disable Automatic Codec Download

Codecs are what Windows Media Player uses to decode encoded media files (such as MP3, AVI etc.). If you try to play a file that Windows Media Player does not have a codec for, enabling this option will allow it to download one from Microsoft's web site automatically. Disabling this will make it ask you first.

Disable Processing of Scripts in Files

Disables Windows Media Player from running embedded HTML script commands which can contain malicious code and should be disabled.

Disable Recent files in Media Player

This restriction will disable Windows Media Player from creating recently used lists.

Disable acquire licenses automatically

This restriction will disable Windows Media Player from connecting to Internet sites for acquiring licenses. You acquired your license when you bought the CD, you should be able to copy it to your hard disk.

Disable Auto-update Song Information

This restriction will disable Windows Media Player from connecting to Internet sites for updating song information.

MS Office XP

Block Linked Images in Documents

As an added security measure you can configure Office XP to block linked Hypertext Transfer Protocol (HTTP) images that are placed in documents. This is useful to avoid to ability for documents to be tracked using hidden images.

Disable Error Reporting

In the event of a program crash with Microsoft Internet Explorer version 5 and 6, Office XP and also Windows XP itself, the user has the option to send debugging information to Microsoft. In theory this sounds like a smart function which should help Microsoft create more stable software. However, users sending these reports should be aware that sensitive or personal information may be sent to Microsoft along with debugging information.

Read Messages as Plain Text

Stops getting splashy spam screens in your Outlook email box.

Attachment Restrictions (exe,scr, etc.)

Blocks attachment types that are commonly used to distribute viruses. The attachment types bat, cmd, com, exe, hta, pif, scr, vbs, wsh files are not commonly sent over e-mail for legitimate purposes and almost always carry viruses.

Remove from Start Menu

Recent Documents

This setting can be used to remove the Recent Documents folder from the Start Menu.

Favorites

This tweak allows you to remove the Favorites folder from the Start Menu.

My Documents

This restriction removes My Documents which is shown under the Documents folder on the Start Menu.

My Pictures

This restriction removes My Pictures from the Documents folder on the Start Menu.

My Music

This restriction removes My Music from the Documents folder on the Start Menu.

Recent Documents History

Normally when you open or access a document or file it is added to the list of recent documents on the Start Menu. This tweak will stop files from being added to the list.

Recent Shares

This restriction stops remote shared folders from being added to Network Places whenever you open a document in the shared folder.

Search

This restriction removes the Search feature from the Start Menu.

Run

Removes the ability to launch commands or processes from the Start menu by removing the Run option.

Remove / Hide User Name

Removes the user's full name from the top of the Windows XP Start menu.

Disable User Tracking

This setting stops Windows from recording user tracking information including which applications a user runs and which files and documents are being accessed.

Pinned Programs List

Removes the pinned programs list from the Start menu. Also removes the Internet and E-mail checkboxes from the Start menu.

MSN Windows Messenger

Disable in Outlook and IE

It is used to remove MSN Instant Messenger functionality and integration from Outlook Express and Internet Explorer.

Disable Autostart of MSN Messenger

It is used to disable the autostart of MSN Messenger and running in background when you boot your computer.

Disable MSN Messenger completely

It is used to disable the ability to run the Microsoft MSN Instant Messenger client.

Network

Disable Automatic Hidden Shares

It is possible to control automatically created hidden shares (C$, D$, E$ and so on) by Windows networking.

Hide Computer from the Browser List

If you have a secure server or workstation you wish to hide from the general browser list, then enable this setting.

Remove Shared Documents

This restriction will remove the "Shared Documents" object from My Computer.