Suggestions for maximum-lockdown XP system

[CWuestefeld]

I'm looking for suggestions of how to best lock down a Windows XP system to avoid malware infestations for a non-savvy user.

My grandfather has been the victim of identity theft at least twice over the past year. Without making this too long, there is some reason to think that the leak of his personal info was through his PC. In addition, there's some circumstantial evidence that his habits aren't as sanitary as one might hope: he's had to have someone remove viruses twice, and his IE toolbars take up half the display space. Since the viral infection doesn't seem to be removed successfully, I'm going to cut the losses and just build a new machine.

So, I'm looking for your suggestions for the best way to set it up to protect him from getting into trouble in the future. One limitation is that I've only got spare licenses for Windows XP. I know that Win 7 would improve his security, but it would require me pumping in some extra cash (not to mention being a training issue), so I'd like to avoid that if I can.

• I think the first step is to keep the admin account secret, and only let him use a login that has minimal privileges.
• Install good quality Internet Security package, or separate antivirus and firewall, and ensure that he keeps it up-to-date. I've got some spare licenses around, or there's good freeware available.
• Don't let him use Internet Explorer, instead use Chrome. This isn't because recent IE versions are bad, but because of the way Chrome keeps itself up-to-date.

Can anyone offer additional suggestions, or comment on what I've already listed?

[mouser]

Given that he was already a victim of identity theft i think that's all the more reason why the best thing would be to upgrade to windows 7.
I know it's not what you want to hear, but a clean OS install or an OS upgrade would be the best way to solve this going forward.
It's not so much that windows 7 is so much more secure, it's that you don't really know what's on that machine and the safest thing would be a clean start.  And if you are going to do a clean start, win7 is the way to go.

[Jimdoria]

Microsoft used to have a free program called SteadyState for Windows XP that let you set up an XP system to work the way it would in a cyber cafe, where you'd basically want the machine reset back to a default state after someone's browsing session was over.

They have discontinued it (not compatible with Vista/Win7) but you may still be able to find it for download somewhere.

If not, check out the wikipedia article for SteadyState that lists some alternatives that do the same thing.

[MerleOne]

I would recommend TodoBackup 3 *Workstation* Edition which has a snapshot feature and it is maintained so far. 

[app103]

Another vote for SteadyState, since you plan on installing XP and are looking for something free. Microsoft took it off their website last year, though.

If you have any troubles finding a copy of it, let me know. I am pretty sure I have it, downloaded for a reason very similar to your situation.

[4wd]

SteadyState25.msi, 6.35MB, where do you want it?

I've stuck it here for the next week: SS25.msi NOTE: Now been removed.

Pretty sure there was a PDF associated with it but I can't see it on my drive atm.

Still on their download center here.

[CWuestefeld]

I'm still deciding whether I want to do the SteadyState thing. Here's where I'm at right now:

• Microsoft Defender for AV. I was on the fence between this and Kaspersky. Decided on this due to (a) simplicity and (b) freeware.
• Comodo Firewall. Free and highly recommended.
• Malwarebytes Anti-Malware. I wanted a supplement to the AV focusing on spyware.
• User lockdown. Gramps will only have access to a regular-user account. No admin privileges.
• Remote administration. I set up LogMeIn.com, so I can remotely take care of any problems he runs into.
• still to do Make sure I have an up-to-date rescue disc for this system.

[cyberdiva]

Why MS Defender rather than Security Essentials?  As I understand it, Defender focuses on spyware but not on viruses.  Security Essentials covers the full gamut.  Indeed, if you install MSE, it will disable Defender as no longer needed.  Since you don't have any other anti-virus software planned, I'd go with MSE.

[40hz]

All I would add is to set him up for automatic Windows update using the download and install option, and set it to run sometime during the day when he's likely to have his machine switched on.

+1 w/ Cyberdiva regarding MSE. I'm running it on all my home machines, and Windows business machines. That in conjunction with the built-in firewall and regular Windows updates and I have had zero issues to date. (knock wood)

Malwarebytes is an excellent supplement to the above. Good choice that.

I'm not too crazy about putting Comodo's firewall on a non-power user machine.

While it may offer a higher level of protection (debatable) than Windows built-in firewall, it usually winds up being less effective since most non-tech users simply click ALLOW whenever they get a pop-up alert they don't understand. So this has to potential to make a more powerful firewall less secure than a set & forget one like Microsoft's. Your call on that. My personal experience is that the Windows firewall is more than adequate for normal computer use. Especially when combined with a restricted user account, MSE, and regular updates. That combo is damn near bulletproof AFAICT.

40hz's NSFW take on this stuff

Luck with all this.

P.S. If you really really really need something that's been "harshed and sat-on major" as my niece would say, just buy him an iPad. It doesn't get more locked-down than that little $800 Etch-a-Sketch!

[Stoic Joker]

Wow, Dorothy looks pissed... 

(on topic...-> I'm with 40hz and have been having great success with that configuration on 100+ machines over the past year or so since implemented.

[Carol Haynes]

Clean install of Windows XP (you can use the license key of the edition already on there - if you don't know it download SIW and it will tell you - if it hasn't been activated in the last 90 days there shouldn't be an issue with Microsoft).

Then fully update and install any software he needs to use.

Don't bother with security software - buy a copy of Farionics DeepFreeze Standard.

Deep Freeze means that anything that happens in a session will be wiped and the 'standard install' you built will be restored when the computer is restarted or booted from cold.

If you want to make changes to the protected partitions you have to boot the machine in 'thawed mode' and then turn on the deepfreeze again when you have finished.

You can stop anyone tinkering with the Deep Freeze setting by requiring password access to the thawing functions.

If you want antivirus protection it is designed to integrate with your security of choice (Microsoft Security Essentials is free and very good, and has minimal interruptions to the user) or the same company do an AV product that works with DeepFreeze so that it can be updated.

I wouldn't bother with a firewall beyond windows firewall. Any non-savvy user can't manage an active firewall - they just let everything through or nothing - either way you have a big headache!

Basically he would have a computer that always clears any nasties from the system at startup or restart and the computer always starts in a known state.

There is a free trial version if you want to play with it and it is compatible with XP, Vista, 7 and MacOS

[Stoic Joker]

The only problen with going the draconianware route is it locks the machine down too tightly. My wife isn't an adept user, and has no interest in becoming one. However she does like to change her wallpaper from time to time with the latest really cute picture of our granddaughter.

She also spends a great deal of time on FaceBook (a.k.a. Virus World) ... But using only a standard user account has left her machine running perfectly fine and trouble free for the past 6 years.

[Ehtyar]

+1 for Security Essentials. I agree with all the other choices except for Firewall - those things generate more confusion than helpfulness, and I don't see how they help prevent infection (assuming the machine is not directly connected to the Internet, in which case you're buggered regardless).

As for rescuing the machine, I'd probably just schedule restore point creation daily or something like that. Little effort involved, and it should sort out most types of infection.

Should any businessy types come across this thread, a skim of the NSA hardening guides (page erroring at time of writing, google cache here) can provide you with some helpful nuggets.

Ehtyar.

[4wd]

As for rescuing the machine, I'd probably just schedule restore point creation daily or something like that.

-Ehtyar (October 21, 2011, 08:10 PM)

Having never had any System Restore work on either XP or W7, (I have always had to do a full system recovery by installation or image restoration after using System Restore), I would heartily recommend you use some other program to do a full image backup of the OS.

Just one of the reasons why I always turn the useless piece of rubbish off, (or in the case of XP, nlite it out of existance).

[Carol Haynes]

I have used System Restore numerous times to fix registry corruption problems and it can be really helpful. Not (IMHO) terribly useful to protect against malware though as in WIndows XP it is only intended to revert critical system files and the registry.

[40hz]

I've had mixed results (mostly good) with System Restore under XP. To Carol's point, it's not intended nor designed to be a cure-all. But within the scope of what it's meant for, the results were often quite good.

Windows 7 is another story. The system recovery tools it provides have been real lifesavers for several of my clients. Even in the face of three separate cases of accidentally installing bogus antivirus software.

Nice to see these capabilities are now built into the OS where they belong. Good stuff!

Maybe that's one more good reason to start migrating off XP?