Tuesday, 28 October 2008
Hardening XP's Security
Windows is a very insecure operating system by default, so many settings have to be changed in order to make it more secure. In this tutorial I will be showing you what the security options in Administrative Tools mean & how to configure them.
This tutorial is only designed for XP Professional. XP Home Edition probably will not have some of these options available.
Finding & running administrative tools
If you're running XP professional, you should already have administrative tools installed.
Here is how to open it.
Open the Run dialog box & type 'control admintools' into it, without the quotation marks.
Now a window called 'Administrative Tools' should come up.
Disable unnecessary services that could be a security risk
Windows has many services enabled that aren't necessary & could be used by a hacker to compromise your system.
By taking these steps, you will disable Remote Desktop & the ability for people to modify your registry over the network.
Although the remote services are reasonably secure, security holes have been found in them.
Obviously, if you use remote services, ignore this stage.
In the 'Administrative Tools' window, open up 'Services'.
Another window will come up called 'Services'.
In the 'Services' window, find something called 'Remote Desktop Help Session Manager'.
Double-click on it. Another window will come up.
In the new window, go to the combo box & select 'Disabled'.
Close the window.
In the 'Services' window, find something called 'Remote Registry'.
Double-click on it. Another window will come up.
In the new window, go to the combo box & select 'Disabled'.
Close the window.
Close the 'Services' window.
Setting up the system's security
In the 'Administrative Tools' window, open 'Local Security Policy'.
A new window called 'Local Security Settings' will come up.
In the 'Local Security Settings' window, open 'Password Policy'.
To change an option, double-click on it. A window for that option will come up. You can use this window to modify that option's settings.
Here are the options & explanations. Read the descriptions before deciding whether to set them.
Enforce password history -
This option stops users from reusing passwords they have used in the past. The number is how many previous passwords are remembered. For example, if I used the password '1234' in the past & tried to set that password again, it would not be allowed. If 10 passwords are remembered, then I would not be able to set a password that is the same as any of the last 10 passwords I have used; a password older than the last ten I have ever set would be allowed. This setting is useful, because if a user uses the same password over & over again, there is a high chance that someone could work it out.
Maximum password age -
This option stops users from having the same password for a long period of time. If the password age is 10 days, then 10 days after creating a password the user will be required to change it. This is useful, because it stops users from keeping the same password for a long time. If the same password is kept for a long time, it might be found out.
Minimum password age -
This option stops users from changing their password multiple times within a brief period. If the setting was 3 days, then I would have to wait 3 days after changing a password before I can change it again.
Minimum password length -
This option stops users from having short passwords. Short passwords are easier to hack, so this makes sure that users can't have them. For example, if you put 6 as the setting, I could only have passwords at least 6 characters long. If I tried to create a shorter password, I would not be allowed.
Password must meet complexity requirements -
This option makes sure that user passwords are complicated, so they are hard to crack. A password with just letters is not complex. A password with lowercase letters, capital letters, numbers & symbols is complex. This helps stop user account passwords from being brute forced.
Store password using reversible encryption for all users in the domain -
Enabling this option will weaken password protection, so leave it disabled.
These are all the options in this section.
Now click the 'Up One Level' button. It looks like a yellow folder with an up arrow on it.
Double-click on 'Account Lockout Policy'.
To change an option, double-click on it. A window for that option will come up. You can use this window to modify that option's settings.
Here are the options & explanations. Read the descriptions before deciding whether to set them.
Account lockout duration -
Sets how long an account stays locked out. Why would an account become locked out? Read the next option to find out.
Account lockout threshold -
How many times a user can attempt to log on with an incorrect password before the account is locked out. For example, if your setting was 3 & I tried to log on & typed incorrect passwords 3 times in a row, it would lock the account out.
Reset account lockout duration counter after -
To be honest, I have no idea what it does. Most people say you should set this as the same as your 'Account lockout duration'.
These are all the options in this section.
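As an added example (not code from the original post), this Python script audits a policy exported with secedit against the password & account lockout settings explained above; the thresholds it checks are the example's own choices, and the sample INF text is constructed rather than a real export.

```python
r"""Audit a secedit export against the password and lockout settings above.
On the XP machine run  secedit /export /cfg C:\policy.inf  and pass the file's
text to audit_policy().  Thresholds and sample text are this example's own."""
import configparser

# (rule, limit) for the [System Access] keys secedit writes; limits are assumptions.
WANT = {
    "PasswordHistorySize":   ("min", 10),  # Enforce password history
    "MaximumPasswordAge":    ("max", 90),  # days; -1 in the export means never expires
    "MinimumPasswordAge":    ("min", 1),   # days before a password may be changed again
    "MinimumPasswordLength": ("min", 8),
    "PasswordComplexity":    ("eq", 1),    # Password must meet complexity requirements
    "ClearTextPassword":     ("eq", 0),    # reversible encryption must stay off
    "LockoutBadCount":       ("min", 5),   # Account lockout threshold; 0 = never lock
    "LockoutDuration":       ("min", 15),  # minutes the account stays locked out
    "ResetLockoutCount":     ("min", 15),  # minutes before the bad-logon counter resets
}

def parse_system_access(inf_text):
    """Return the audited [System Access] keys as integers (other keys are skipped)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                   # keep secedit's key names as written
    cp.read_string(inf_text)
    section = cp["System Access"]
    return {k: int(section[k]) for k in WANT if k in section}

def audit_policy(inf_text):
    """Return (key, value_or_None, rule, limit) for every weak or missing setting."""
    actual = parse_system_access(inf_text)
    findings = []
    for key, (rule, limit) in WANT.items():
        v = actual.get(key)                # secedit omits lockout keys when threshold is 0
        if (v is None or (rule == "min" and v < limit)
                or (rule == "max" and (v < 0 or v > limit))
                or (rule == "eq" and v != limit)):
            findings.append((key, v, rule, limit))
    return findings

# Constructed [System Access] section resembling a fresh XP install (not real output).
SAMPLE_DEFAULT = """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
ClearTextPassword = 0
"""
```

Each finding names the setting, the value found (None when secedit left it out) and the limit it failed, so the output maps directly onto the options listed above.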
That's all for now. It is only a third complete.