Services |
Windows XP starts a number of background services automatically, many are unessential and can be disabled or set to start manually to improve performance and security
- Disable Error Report service
- If a program crashes on your machine, Windows generates an error report, which it wants to send to Microsoft.
- Disable Remote Desktop support
- Prevents your machine from having the ability to be remotely controlled by a system administrator or via the internet.
- Disable Remote Registry service
- Disallows remote computers to access and modify the registry on the local computer.
- Disable RPC Locator service
- Prevents your machine from using a specially malformed argument to be executed with system privileges by an attacker. The Locator service is not enabled by default except on Windows 2000 domain controllers and Windows NT 4.0 domain controllers
- Disable Windows Update service
- Changes Windows automatic updates to manual mode.
- Disable Windows Messenger Spam
- The Messenger service is normally used to transmit service messages between clients and servers over the Internet. (It should not be confused with the Windows Messenger instant messaging program). Advertisers are now increasingly abusing this service by sending messages to large blocks of random IP addresses via the Internet.
- Disable UPNP/SSDP service
- UPnP is a set of communications protocol standards that allow networked TCP/IP devices to announce their presence to all other devices on the network and to then inter-operate in a flexible and pre-defined fashion.
There are currently limited UnPnP devices available and due to a recent security flaw it's advisable to disable this service.
This also allows you to disable Universal Plug and Play Network Address Translation discovery which uses the Simple Service Discovery Protocol (SSDP) to reduce bandwidth and increase security.
- Disable support for DCOM
- Distributed Component Object Model, or DCOM, provides a method for distributed network applications to communicate with one another. This setting allow you to disable support for DCOM.
- Disable Internet time synchronize
- The system automatically synchronizes it's time with a timeserver at Microsoft.
- Disable the POSIX Subsystem
- Windows 2000 and XP still come with the POSIX subsystem which allows the use of Unix commands against your system.
- Disable Help service
- Disables Help and Support service to gain much more system resource.
|
|
Miscellaneous |
- Clear Pagefile at Shutdown
- Windows does not normally clear or recreate the page file.
On a heavily used system this can be both a security threat and performance drop.
Enabling this setting will cause Windows to clear the page file whenever the system is shutdown.
- Secure Desktop
- Prevent certain software from sniffing and recording I/O on the desktop; however, the patch can interfere with other software.
- Enable Windows File Protection
- Windows File Protection (WFP) protects certain files that are key to the Windows 2000/XP operating system. These files are protected to prevent deletion of key files, unauthorized updating, and file damage that may be caused by viruses.
- No File sharing
- Disallows other users on a network from sharing your files.
- No Printer sharing
- Disallows other users on the network from sharing your printer.
|
|
TCP/IP & NetBIOS |
- Restrict Anonymous Guest Access
- There is a security flaw in the kernels of Windows NT, 2000 and XP. They allow anonymous session access, which can reveal dangerous information about a computer and its SAM (Security Accounts Manager) accounts. Discovering a SAM with administrative privileges could allow an attacker to break into the user's account and jack up account privileges to admin level.
- Protect Against SYN Flood Attacks
- Windows includes protection that allows it to detect and adjust when the system is being targeted with a SYN flood attack (a type of denial of service attack). When enabled the connection responses time out more quickly in the event of an attack.
- Prevent Denial of Service Attacks
- Denial of service attacks are network attacks that are aimed at making a computer or a particular service unavailable to network users. These settings can be used to increase the ability for Windows to defend against these attacks when connected directly to the Internet. It also eliminates DHCP vulnerability.
- Disable listening on TCP port 445
- Disables the raw SMB transport to cause malicious NetBIOS attacks and protect users from inadvertently exposing files on their computers, and also to block worms which spread via open file shares.
|
|
Internet Explorer 6 |
- Disable Automatic Updates
- The Internet Explorer automatically connects to MS and checks for updates by default.
- Disable Scheduled Updates
- The Internet Explorer periodically checks for updates (usually once a month).
- Disable Windows Authentication
- Deactivates integrated Windows authentication so the current user can be identified over the internet.
- Prevent Execution of Risky Commands
- Prevents download permission for unsigned ActiveX controls and disables the vulnerability of mhtml documents. This restriction also removes the file association for .HTA extension to prevent infection by worms-like-viruses. It is safe for you if you do not use any HTML applications (HTA-files) at your computer.
- Disable internal Java JIT compiler
- Disables Internet Explorer's internal Java Just-In-Time (JIT) compiler.
- Disable Script Debugger
- If you run a script in Internet Explorer that results in an error, Internet Explorer gives you the option to debug the script.
- Disable Watson Debug Log
- When Internet Explorer crashes, it asks you if you would like to send an error report to Microsoft. Doing this may help the Internet Explorer development team improve stability in future releases, however you can disable this by checking the tick in the box. Internet Explorer 6.0 only!
- Empty Temporary Internet Files on Exit
- This setting controls whether IE should delete all of temporary internet files stored during the session when the browser is closed.
|
|
Media Player |
Windows Media Player has some kind of Spyware features. But you still have some control over your personal computer.
- Disable Auto Upgrade and User Tracking
- Windows Media Player (WMP) will check from time to time if a new version of WMP is available by connecting to the microsoft.com site. If you do not want this to happen, mark this option.
- Disable Sending User Identifier
- Windows Media Player sends a "serial number" unique to your system (GUID: global unique identifier) to Microsoft & other content providers. For enhanced privacy, check (disable) this option.
- Disable Automatic Codec Download
- Codecs are what Windows Media Player uses to decode encoded media files (such as MP3, AVI etc.).
If you try to play a file that Windows Media Player does not have a codec for, enabling this option will allow it to download one from Microsoft's web site automatically. Disabling this will make it ask you first.
- Disable Processing of Scripts in Files
- Disables Windows Media Player from running embedded HTML script commands which can contain malicious code and should be disabled.
- Disable Recent files in Media Player
- This restriction will disable Windows Media Player from creating recently used lists.
- Disable Acquire licenses automatically
- This restriction will disable Windows Media Player from connecting to Internet sites for acquiring licenses. You acquired your license when you bought the CD, you should be able to copy it to your hard disk.
- Disable Auto-update Media Information
- This restriction will disable Windows Media Player from connecting to Internet sites for updating media information.
|
|
MS Office XP |
- Block Linked Images in Documents
- As an added security measure you can configure Office XP to block linked Hypertext Transfer Protocol (HTTP) images that are placed in documents. This is useful to avoid to ability for documents to be tracked using hidden images.
- Disable Error Reporting
- In the event of a program crash with Microsoft Internet Explorer version 5 and 6, Office XP and also Windows XP itself, the user has the option to send debugging information to Microsoft. In theory this sounds like a smart function which should help Microsoft create more stable software. However, users sending these reports should be aware that sensitive or personal information may be sent to Microsoft along with debugging information.
- Read Messages as Plain Text
- Stops getting splashy spam screens in your Outlook email box.
- Attachment Restrictions (exe,scr, etc.)
- Blocks attachment types that are commonly used to distribute viruses. The attachment types bat, cmd, com, exe, hta, pif, scr, vbs, wsh files are not commonly sent over e-mail for legitimate purposes and almost always carry viruses.
|
|
Remove from Start Menu |
- Recent Documents
- This setting can be used to remove the Recent Documents folder from the Start Menu.
- Favorites
- This tweak allows you to remove the Favorites folder from the Start Menu.
- My Documents
- This restriction removes My Documents which is shown under the Documents folder on the Start Menu.
- My Pictures
- This restriction removes My Pictures from the Documents folder on the Start Menu.
- My Music
- This restriction removes My Music from the Documents folder on the Start Menu.
- Recent Documents History
- Normally when you open or access a document or file it is added to the list of recent documents on the Start Menu. This tweak will stop files from being added to the list.
- Recent Shares
- This restriction stops remote shared folders from being added to Network Places whenever you open a document in the shared folder.
- Help and Support
- This restriction removes the Help feature from the Start Menu.
- Run
- Removes the ability to launch commands or processes from the Start menu by removing the Run option.
- Remove / Hide User Name
- Removes the user's full name from the top of the Windows XP Start menu.
- Disable User Tracking
- This setting stops Windows from recording user tracking information including which applications a user runs and which files and documents are being accessed.
- Pinned Programs List
- Removes the pinned programs list from the Start menu. Also removes the Internet and E-mail checkboxes from the Start menu.
|
|
MSN Windows Messenger |
- Disable in Outlook and IE
- It is used to remove MSN Instant Messenger functionality and integration from Outlook Express and Internet Explorer.
- Disable Autostart of MSN Messenger
- It is used to disable the autostart of MSN Messenger and running in background when you boot your computer.
- Disable MSN Messenger completely
- It is used to disable the ability to run the Microsoft MSN Instant Messenger client.
|
|
Network |
- Disable Automatic Hidden Shares
- It is possible to control automatically created hidden shares (C$, D$, E$ and so on) by Windows networking.
- Hide Computer from the Browser List
- If you have a secure server or workstation you wish to hide from the general browser list, then enable this setting.
- Remove Shared Documents
- This restriction will remove the "Shared Documents" object from My Computer.
- Secure DNS cache against pollution
- DNS cache pollution can occur if Domain Naming Service (DNS) "spoofing" has been encountered. The term "spoofing" describes the sending of non-secure data in response to a DNS query. DNS spoofing can be used to redirect queries to a rogue DNS server and can be malicious in nature.
|