How to secure Windows XP after it Xpired?

lol *sigh* after a PM I realize that none of my post crossed over properly. My point is that these conversations aren't worth getting upset about, neither are the MS articles. My opinions are based on things. Yours are based on things. We all view each others ideas as wrong for whatever reason, and everyone will continue to push their ideas.

In the end it's only worth considering these conversations ways to kill time because anything else is just painful

@noone,

How many systems ran 98 when it was retired? How many will be running XP? That alone should tell you the situation is completely different.

 

Other than the quantity of available targets and the number of potential attackers, not much has changed. A couple of the biggest changes that come to mind are what constitutes a typical user. In the 9X days, users still needed to have some skill and knowledge to make their system run properly. Thanks largely to XP, users needed only to know how to turn the computer on and click the browser to get into trouble. IMO, it's safe to say that the typical user knows much less about their equipment than they used to. That lack of skill and sense is the biggest problem. For those users, no security package, hardened kernel, permission level, etc is going to make any real difference.

The next biggest difference is the change from 9X to NT systems. AFAIC, the NT operating/file system caused as many problems as it fixed. On that issue, we'll have to agree to disagree.

Just as much has stayed the same as well, starting with MS exaggerating the importance of their support. Regardless of what they claim, a supported system has never translated to a secure system. MS has never made a secure system. True zero day exploits will compromise both equally. AFAIC, if I have to click on a file to enable it to exploit me and give it permission to run, it's not a threat to me. If it's web content that requires the browser to launch java, flash, or open a PDF, the threat is DOA on my system. On mine, that code will have to pass through Proxomitron unaltered, exploit the browser itself, and perform its function without triggering a response from SSM. I have yet to see anything that comes close on either OS. This is where we differ. IMO, if a flaw can't be targeted or exploited, it is not a vulnerability. The individual driving an armored tank isn't bulletproof. The skin (attack surface) of the tank protects the vulnerable operator. Malicious code doesn't pass through the attack surface just because it contains a kernel exploit. Malicious code delivered by a website/server doesn't automatically pass through NoScript or Proxomitron just because it has kernel code in it. That code has to survive passing through those apps/extensions unchanged. It then has to target an app or plugin that is available and vulnerable, and exploit it in a way that passes on the kernel exploit. If it doesn't succeed at all of these, the exploit fails. When a security package can intercept and defeat these attempts, I call that a secure system, even if it is theoretically vulnerable. OTOH, show me a kernel, that has absolutely no vulnerabilities, theoretical, unknown or otherwise. No such kernel exists, therefore a truly secure system doesn't exist.

 

I was waiting for the "big dooms day" on my 98SE PC,never saw it.
I'm currently waiting for the "big dooms day" on my XP PC.

 

Users who outsource the responsibility for their security to a 3rd party are the ones who can find themselves in a bad situation. If a user relies totally on a security suite and the vendor next version no longer runs on the users system, that user is in trouble. If that user understands how malicious code gets onto their system, they can take the appropriate steps to prevent most of that from happening. The user who learns what needs to run on their system in order to function properly can allow those to run and block everything else. That user will avoid the vast majority of malicious code. That's the basis of default-deny, the complete opposite of what conventional security suites do. Trying to identify all of the malicious code in existence is an exercise in futility. The amount is potentially infinite. By comparison, there's usually 50-100 executables on the average PC that are necessary for it to function properly. It's far more efficient to maintain a short list of what is good than an infinite list of what is bad. Users who want to continue using an OS after official support ends need to learn that system.

 

I suppose, if one has perfect knowledge of Windows, then a perfectly implemented HIPS would be the perfect system. Unfortunately you, nor just about anyone else (including quite a number of MS employees) knows Windows perfectly, and a perfectly implemented HIPS is simply not possibly on Windows going by a classic definition.

I think you may be overestimating your own ability to make security decisions on a system.

It is certainly quite easy to for anyone to download malware and double click it and deny execution - you already know it's malware. What about if someone hacks Wilders? What will knowledge gain you?

 

If something prompts me to execute that I didn't choose to download, why would I allow it? You misunderstand my setup. It's not default-ask. I don't see prompts or alerts on this system that I need to respond to unless I put SSM in administrator mode. The only time it's in administrator mode is when I'm modifying or updating my system, which is very seldom. In user mode, there are no prompts of any kind. The system altering executables like cmd.exe, command.com, regsvr32.exe, rundll32.exe, regedit.exe and others are not permitted to run at all in user mode.

Hacked to deliver what? If it tries to deliver an executable, it'll be denied with no action on my part. If the code uses java, flash, PDF, media, etc, it won't find the plugins available. I've whitelisted the few javascripts I find necessary for this site. The rest are filtered out. Iframes and Ilayers are converted to links. Request Policy will warn me if there's any attempts to connect to other domains/servers. I don't allow execution from the cache, temp folders, etc, unless I'm in admin mode. What's left that an attacker can use to deliver malicious code? The HTML itself? Even that will have to survive the Proxomitron filters.

 

Seriously people... I'm one of the biggest XP otaku's in here, but even I will move on once official support ends. I'm stickin it out until then though not only to milk it, because I do love this OS and think it's the best ever, but also because I'm lazy. I'll probably do it by May 2014 anyway.

I'm moving on to Windows 7 Pro SP1 32-bit. I'm hoping that XP Mode will allow me to hang onto my emulators and other old games, and keep them all on 1 box. But if not I'm just moving all that stuff onto another older box I have laying around, offline, to serve as a retro gaming console in my game room.

I can upgrade my box from 4-8 GB, so if I wish to use 64-bit in the future I can. I don't feel like 64-bit/Patchguard is ready for mass deployment just yet. I want my security software to be able to work. And regarding Ultimate, the 2 things that otherwise would have sold me were AppLocker & BitLocker. Regarding the latter, I simply don't trust it as much as I do TrueCrypt. And with AppLocker, I'll be using a strong, deep hook setting HIPS instead, like Comodo FW/D+ 5.10 making the voyage with me. Hence my decision for my new OS.

Only 4-5 months of XP left. Geez, I feel like such a huge thing is coming to an end.

 

I'll upgrade to Windows 7 in 2014,not because of support ending for XP.
The reason I'll be getting a new PC will be for gaming,video editing,etc.

 

From Secure Windows XP after updates end:

 

You don't 'secure' XP once it's out of support. You keep it offline or if it really needs to be online, you look at securing the perimeter.

 

Ditto for Win 2k

Are you still going to go with Sandboxie on Win 7 ?

 

Sandboxie OR Defensewall

 

Nobody should be running XP. If you have a machine that cannot run anything higher, then it is time to get a different machine.

Even my cheap father in-law picked up a Refurb 3.2ghz dual core, 4gb ram for $120 over the holidays. I just saw a quad core, 8gb refurb at Microcenter for $199.. Both windows 7 preinstalled!

Really NO EXCUSE to be running XP. Heck, I am starting to wonder why I waited so long to jump to 8, after playing with 8.1 and finding it speedy, and very easy to use. 7 feels really bad in comparison. But XP? That stuff is garbage.

 

For "garbage" my PC does anything I want it to do.

 

Why?...sorry but your "explanation" explains nothing. Win XP is just useful tool for me, it still works properly, it's still convinient and absolutley enough for my needs. Why do I have to change it?...because there is something new?...perhaps more modern, "sweet and cool" but still with the same functionality? Why should I change my tools like knife or hammer?...because of there are other more smooth and shiny. Why should I change my old and tested in difficult conditions shoes...only because of there are some other new ones?

 

+1

 

Windows XP has a worldwide market share of 28.98% as of December 2013 (Source:thenextweb.com)
Windows XP desktop OS market share of 28.98% as of December 2013 (Source: Net Applications)


IE6 browser has a worldwide market share of 4.43% as of December 2013 (Source:thenextweb.com)
IE7 browser has a worldwide market share of 2.14% as of December 2013 (Source:thenextweb.com)


In the U.S. Windows XP market share as of September 2013 was 14.69% (Source:Statista.com)

Who in the world would still be running IE6 or IE7...especially IE6 on Windows XP?

3 more months of patching XP by Microsoft. I wonder if the very last month updates will be
quite sizeable?


Backup...Backup...Backup!!!

 

The other side of the expiration of Microsoft support for XP is that malware developers will move on, too. No one wants to put in a lot of work for an OS that people are upgrading from, not even the bad guys!

No one is writing malware for Windows 95/98 any more simply because very few people are running a legacy OS. The same thing thing will happen to Windows XP in time. You can run it twenty years from now and it will be even more secure than it is today.

 

Except that 20 years from now nothing will run on XP either. Just look at today, how much software is created to run on Windows 98?

 

Wow, you seem to have really bought off into the Microsoft mindset. I am an advanced user who has tweaked XP over a ten year period and have far too many enhancements to even consider going to7 or 8. I have the technical skill to maintain XP way past EOL. For you to make the statement that there is no reason for anyone to be running XP is not only arrogant but simply not factual. By the way I own licensed copies of Vista, Windows 7 and Windows 8. Never used them. I was forced to purchase for professional reasons. I am not saying I do not see a reason to upgrade. In fact I do. However, I suspect my definition of an upgrade is wholly different from yours. I intend to upgrade from Microsoft to Linux. Please get this correct. My decision to do so is not because I dislike XP. My decision to do so is because I dislike Microsoft and find the subsequent windows versions complete garbage when considering a security model when contrasted against Linux.

 

Interesting, then what do you think of UAC vs sudo? Neither exist in XP, yet it's less of a garbage when compared against the security model of Linux? That's just one example, don't you mean privacy instead?

 

It seems like you purposely misread the intent of the above message. I could go into the multiple problems with UAC starting with Vista. I don't see the point. Clearly some upgrade needs to happen. I simply cannot stomach the stench of MS any longer.

 

I think your view of UAC is based on M$ hatred rather than technical reasons. That is of course unless your dodging of the question means in fact you dislike sudo's nagging as well. Why do I think that?:
https://www.wilderssecurity.com/showpost.php?p=2331575&postcount=65

 

I definitely have to disagree there. Stupid/ignorant end users are the problem, as always. Not the move to NT.