How to secure Windows XP after it Xpired?

Discussion in 'other anti-malware software' started by mattdocs12345, Nov 2, 2013.

Thread Status:
Not open for further replies.
  1. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    That's my setup exactly on Xp Home.
    Been working securely and perfectly with out any issues for years.
    Personally I will rely on this setup until my Xp box dies or I upgrade my OS, which ever comes first.
    So I would recommend Feandur's suggestion, it is a sound one.
     
  2. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    An OS that isn't supported anymore is not secure at all. If there are no security patches anymore from M$ it makes no sense to use XP for critical activities like online banking etc.

    That is IMHO the only advice that is true.

    Even third party security software is no solution here, because they are vulnerable to OS flaws and kernel bugs also. If the fundament has leaks, nothing build on that can help.
     
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    Support is not the only thing that secures an OS. For instance, shielding it from all attack vectors would make any OS secure, even if it is unsupported.

    Why, do you expect your banking site to be a vector of attack against your computer? :)
     
  4. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Sure. And for that you can even look into statistics from M$. And with third-party software you can't securely shield an OS whose basic mechanisms are outdated.

    I don't expect that. I wouldn't use an outdated OS for any activity where the consequences can be hard. I never said "stop using XP", people can use it for offline pc, for old multimedia machines etc. but not for critical activities.

    The question from the OP: No. From a security point of view it can't be recommended at all to use XP for such activities after M$ has officially declared it dead. XP even now isn't as secure as newer OS versions, and once it is unsupported it will be even weaker. And you can't securely protect an outdated and unsupported system and kernel.
     
  5. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    This sounds really good. Isn't this like reversed SBIE? Also what is the difference between free and pro version?
    It has to be free, my family doesn't want to spend any money on this.


    That's where BD safeplay comes into play no? It assumes that the system is compromised and keeps everything out of the browser...
     
  6. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    No, because an exploit of unpatched (because no longer supported) leaks in such an old OS can make those protections that rely on that OS worthless, as it can with every security software... if the core is vulnerable you have lost the game.
     
  7. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    You can't completely protect the latest OSs with 3rd party software either. Security is a plan with a concept. Unfortunately a lot of people think security is loading up all kinds of security software.

    See post #2 and read the articles linked to if you haven't already. There are outstanding security measures built into the OS but not enabled by default; you have to do that yourself. In my opinion, that's Microsoft's mistake in making the default an admin account. Since the vast majority of Windows users are running as admin, there's enough low-hanging fruit out there that malware authors haven't concentrated too much on standard/limited users until recently (see CryptoLocker as an example). However, with a software restriction policy CryptoLocker won't work either. I can't recall ever having seen anyone post here (or anywhere else for that matter) that he/she got infected with a LUA & SRP setup.
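The LUA & SRP setup described in the post above works because the default level is Disallowed and only folders a limited user cannot write to get Unrestricted path rules. The following is an added example (not the poster's code and not Microsoft's SRP implementation) that models how SRP path rules are evaluated, using constructed sample paths and environment values, so you can see why a CryptoLocker-style dropper under Application Data never gets to run:

```python
import re
import ntpath  # Windows path semantics, so this runs offline on any host
from typing import List, Optional, Tuple

# Constructed model of the LUA + SRP "default Disallowed" policy: everything is
# blocked unless a more specific Unrestricted path rule matches. This only
# models path rules (not hash, certificate or zone rules).
DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"
DEFAULT_LEVEL = DISALLOWED  # SRP "Default Security Level: Disallowed"

# Sample variable values as SRP would expand them (constructed for the example).
ENV = {"SystemRoot": r"C:\WINDOWS", "ProgramFiles": r"C:\Program Files"}

# Path rules: the two folders a limited user cannot write to are Unrestricted;
# the one user-writable spot under %SystemRoot% is explicitly Disallowed again.
RULES: List[Tuple[str, str]] = [
    (r"%SystemRoot%", UNRESTRICTED),
    (r"%ProgramFiles%", UNRESTRICTED),
    (r"%SystemRoot%\Temp", DISALLOWED),
]


def normalize(path: str) -> str:
    """Expand %VAR% from ENV, then fold case and separators as SRP does."""
    expanded = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1), m.group(0)), path)
    return ntpath.normcase(ntpath.normpath(expanded))


def rule_matches(rule_path: str, target: str) -> bool:
    """A folder rule covers the folder itself and everything beneath it."""
    r, t = normalize(rule_path), normalize(target)
    return t == r or t.startswith(r.rstrip("\\") + "\\")


def evaluate(target: str) -> Tuple[str, str]:
    """Return (level, winning rule); the most specific matching rule wins."""
    best: Optional[Tuple[int, str, str]] = None
    for rule_path, level in RULES:
        if rule_matches(rule_path, target):
            specificity = len(normalize(rule_path))
            if best is None or specificity > best[0]:
                best = (specificity, level, rule_path)
    if best is None:
        return DEFAULT_LEVEL, "default level"
    return best[1], best[2]


if __name__ == "__main__":
    for exe in (r"C:\WINDOWS\system32\notepad.exe",
                r"C:\Documents and Settings\user\Application Data\dropper.exe",
                r"C:\WINDOWS\Temp\dropper.exe"):
        print(exe, "->", evaluate(exe))
```

The policy only holds together with a limited user account: if the user can write into a folder covered by an Unrestricted rule, the rule becomes a bypass, which is why the writable Temp folder is disallowed again.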
     
  8. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Where did I say the opposite? Besides that: new OS versions are much more secure than XP, and vulnerabilities that become known in newer OSes will mostly be fixed sooner or later. For XP, no more. And there is nothing that makes the system secure then - no standard account, no software, nothing.
     
  9. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Yeah but in order for the malware to run on a victim's OS it has to be executed. ERP on lockdown will disallow execution of any software. So how will my security be bypassed??
     
  10. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I don't read propaganda materials.

    Just because you don't know how to do it, it doesn't mean that you can't do it...
     
  11. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Your opinion. Also there exists a research paper which discusses EMET mitigations and which of them won't work on old systems like Xp. In the same paper you find numbers that show that Xp is from a security point of view much weaker than newer OSes.

    Nonsense. Inform yourself how exploits, especially kernel exploits, work and you'll see. Every vendor of security software who is honest will tell you the same: if there are kernel vulnerabilities we can't protect, because we run on that OS and rely on its basics.

    Recently Hungy Man explained a few mechanisms of modern OS exploits in this thread about sandboxes.

    @mattdocs12345: That's also an answer for the anti-execution question and why even this can't help in the long run.
     
  12. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    What would be really informative, as this is an informative thread, is that some of you that know more than the rest post a list of actual malware that bypasses Bitdefender Safepay, actual malware that bypasses Trusteer Rapport, etc., etc.

    Because 'core', 'kernel', 'rootkit', 'attack surface' and so on are just words that do no harm on their own.
     
  13. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    LUA + EMET, make sure to EMET svchost.exe, explorer.exe and other critical windows files that will never get updated anymore.
     
  14. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Thanks. Will add this to my bunker.
     
  15. rodocop

    rodocop Registered Member

    Joined:
    May 1, 2010
    Posts:
    74
    What's the buzz about that ~ Snipped as per TOS ~ security problems with XP?
    Look: there are a number of PCs nowadays that aren't infected while also not being updated (some of them I really know have XP SP2 on board). If this is possible now, why would it be a problem when support ends?

    Updating isn't a real defense measure: you just change old holes for new ones!
    Real defense is to make something that does not depend on these holes being closed or not.
    And there are a NUMBER of ways to do this! Set up user access rights, use a mitigations kit like EMET, use alternative software, use HIPS and other numerous security tools.

    But you never need to run mad about all this stuff - and you'll never need all this power! I think it would be enough to install EMET, alternative web clients (browser, mail, messenger etc.) and use some kind of web-filtering (DNS, hosts, proxy, complex IS built-in - etc.).

    Being a maniac you can use also SRP, whitelisting for running apps, some XP substitutions for UAC.

    But I don't need all this. And I think XP would become fully incompatible with hardware earlier than it would be dropped by users for security reasons...

    So it's not malware that would kill XP. Hardware will do it.
     
    Last edited by a moderator: Nov 3, 2013
  16. login123

    login123 Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    186
    Good for you, mattdocs12345, for looking after your relatives. Like them, I will use win xp for as long as I can simply because I like it.
    May I suggest you give some thought to installing Powershadow? I have used it since it came out and can recommend it without reservation. There are several threads here on Wilders about it.

    In a nutshell, whenever you wish to prevent changes to your OS, you just start Powershadow by clicking on a shortcut to "Shadowsetting.exe". When you shut down the computer, Powershadow discards any changes that were made while it was running. No restart necessary. Next time you do restart, those changes will be gone. I think they're all gone at shutdown, but can not prove that absolutely.

    One downside is that you can't install anything that requires a restart. The way I use it is to update everything before starting Powershadow. If I forget, or some automatic update is done while PS is active, it'll just be done again after a restart. Any software you want to keep can be installed before starting it. And you can use a lot of free portable stuff.

    The free version is v. 2.6. It is available at CNET. To avoid the CNET installer, use the "Direct Download Link" not the big green button.
    http://download.cnet.com/Power-Shadow/3000-2094_4-10359673.html
    The SHA256 hash for it is 8a4b7e46baa49843034a956707e939a27324f84f1affb8d96a4652d2c1ca6110
    It's a trial version, but you can convert it to a registered version with the registration number found in this thread at post #12:
    https://www.wilderssecurity.com/showthread.php?p=925327#post925327
    This post describes my security setup, no malware for 5 years or so. All free apps, pretty easy to manage.
    https://www.wilderssecurity.com/showpost.php?p=2294848&postcount=1
     
    Last edited: Nov 3, 2013
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Holy back in time Batman :D. What a joy to revisit the once prized and powerful POWERSHADOW.

    I still use it in my XP units which are many as in multi-hdd tethered together in a single tower.

    Had it not been for SD, I venture to say POWERSHADOW would still be in use as part of my layered security.

    Regards EASTER
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    @SLE: Theories are fine and all, but you haven't provided any practical evidence of XP being insecure when hardened. Real life Internet isn't some doomsday scenario every time, everywhere.
     
  19. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Thank you for Powershadow. I have only one copy of SD so Powershadow will go on the 2nd laptop.
     
  22. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    We can be happy that some of the things mentioned are more theories atm, but some things that are possible will happen. It will be much easier once XP is unsupported and holes won't be fixed anymore (one example was mentioned by Brummelchen in this thread: reversing of resolved issues from newer OS systems).

    Besides, I never said that different forms of hardening wouldn't make XP more secure than without, BUT an unsupported OS will remain a risk at all, a higher risk than a more modern system.

    As you asked for some practical evidence, ok. Let's look at the example of EMET. Often mentioned for hardening, but not all mitigations work on XP (even in its supported time), and so even with mitigations enabled XP is more insecure than newer OSes.

    http://www.abload.de/img/emetpzk90.jpg

    source: MSRC PROGRESS REPORT 2012 pp. 29-30. (sorry it's only a summary, wasn't able to find the complete test paper so fast)
    The exploits M$ used for that study were real-life examples and nothing synthetic >> so there you see that even with mitigations enabled XP is more insecure.

    (ok some will say >> propaganda, cause from M$...:thumbd: )
     
  23. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I totally agree with you.

    @SLE: I'm not saying that XP cannot be attacked, or that patching is useless, or that upgrading to 7 or even 8 doesn't have its security advantages. But from real life scenarios I saw myself and from what I learned during the years of using it, the hardening of Windows XP by using a combination of methods (AV, firewall, EMET, LUA and so on) provides enough security even for an unpatched XP.

    It's normal that MS is doing propaganda against older operating systems, because they want to sell more Win8 copies. I don't really blame them, but you shouldn't base your security decisions on a marketing campaign.
     
    Last edited: Nov 4, 2013
  24. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Yes, but that's no argument against good security mechanisms of the OS or third-party software. The fact "I never was infected" usually results from a mixture of right behaviour, habits (and sometimes luck and software).

    And the data from M$ I have shown: (1) Infection rates of OS (2013); (2) Protection against Exploits with EMET for different OSes (2012) are real life data too - but for more than one person ;-)

    That some of the security mechanisms in newer OSes aren't just selling points, you don't believe? Independent researchers will tell you the same. XP had many security flaws; some of them got fixed with later updates, some couldn't because they were "by design".

    And of course M$ wants to sell - but their marketing usually brings features and usability as arguments, not security.
     
  25. login123

    login123 Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    186
    @ EASTER:
    Yep, totally retro, man. :D :D

    @ mattdocs12345:
    For sure, PS takes some getting used to. Everything you forgot to store somewhere else is gone. A local email address book would be reverted to its "pre-shadowed" state, losing new addresses. That .iso file that took an hour to download is gone. But for me, it's worth it.

    Fwiw, I tried two apps named Timefreeze, one from Toolwiz (free) and one from Wondershare (trial). Both worked well. Both made a very slight slowdown on performance, not enough to matter. Both will work for OSs after win xp, Powershadow will not.

    I stayed with Powershadow simply because there is no way (that I can find) to save changes to C: when you shut down. So those malwares that hide an exe somewhere and run it when you restart don't work. My xp machines have an extra partition for storing stuff. That might introduce a vulnerability, but it is awfully convenient. PS could shadow all partitions, but I don't do that.

    The threat from CryptoLocker is new to me. It might allow the extra partition to be encrypted before I can stop it. But that partition is backed up, and hopefully the antivirus and Sandboxie will catch such malware before it gets in. I don't know if Powershadow works with CryptoPrevent or not.
     