How to secure Windows XP after it Xpired?

I have an HP DV 4000 with 512 MB ram and a 100 GB hard drive that will probably not run Windows 7 and upgrading RAM is not doable due to me starting my own business as expenses are tight. I plan to stick a flavor of linux on there as I still have my main laptop as my daily driver. This one is my travel laptop.

 

April 8, 2014 marks the end of XP support…but you don’t have to worry!

Invincea’s capabilities are proven time and again in the wild to stop zero-days in their
tracks – including
IE ActiveX exploits and MS Office exploits – we’ve got you covered!


http://www.invincea.com/why-invincea/the-xp-clock-is-ticking/

"We've got you covered"...
So how would Invincea protect you from a Windows XP zero-day kernel exploit?

 

reads like BufferZone
http://www.trustware.com/

 

It sounds like a sandbox with HIPS. The main thing they're pushing is that they will support XP after Microsoft stops. That's likely to be a cottage industry for some time to come.

I just noticed the thread about Invincea acquiring Sandboxie.

 

I think the only true protection from those vectors being exploited is not to have them: Office, PDF, Java, Flash, .NET FW, Silverlight. Eliminate the attack surface, not patch it, if you don't absolutely need it. I don't have any of it on my machine.

And my browser is hardened as all hell, in a restricted sandbox where only it is allowed start/run & internet access, and only that user, no recovery, auto deleted upon close with CCleaner secure deletion... all checked except free space. And D+ stifling it, including the Protection settings.

DEP, ASLR and shellcode injection are nice and everything. But what's better yet is not to need them in the first place because your attack surface is the size of a water flea.

Still... none of this accounts for an OS that is no longer actively developed and patched. Not to mention the 1 in a million chance I may have to actually call MS for support if a problem arises. And they won't say a word if you're on an unsupported OS. That has it's value too.

The only sure fire way to secure XP after it's EOL is to physically unplug it's ethernet cable.

 

@luciddream

Yes, your attack surface from 3rd party apps are reduced that way but that is only the perimeter. The OS itself is the biggest attack surface, regardless of size or disk space it uses. Like it or not, it is the platform whereby code runs on. That includes your security programs. Lacking ASLR is a big deal because it is what strengthens DEP. DEP alone is insufficient. Memory corruption mitigation techniques are the best tools we have against abuse of code flaws currently. The amount of attack surface does not negate the need for them. Quality of code triumphs over
quantity. Win7/8 own code are much more exploit-resistant (DEP/ASLR enabled). It's 3rd party ISVs that are slow to adapt and make use of these improvements.

I'm glad you decided to move up to Win7 though. On a side note, I read somewhere you contemplating over whether to go with the Ultimate edition over the Pro. If cost is not a factor, I suggest go with Ultimate.

 

Agreed on the system wide ASLR combined with hardware DEP being big (and not just the app specific ASLR). But then again the shellcode injection/memory mitigation in Comodo D+ does a very similar thing and will protect it's users well, for people that would stay on XP. And there are similar measures like that too in other products. And combined with Always On hardware DEP people can be well secured still. Especially in addition to a thing like MBAE and a miniscule attack surface.

But the patches... A Windows OS without patches is an accident waiting to happen. It's an OS inherently flawed for the trade off of convenience, and need patches to run safely like a car needs an oil change.

Also, I'd love to hear your reasons for using Ultimate over Pro (Win7 32-bit). I have Dell reinstallation DVD's for both, so I can go either way. I also have the 64-bit versions of both in case I decide to upgrade the box to it's full 8 GB capacity. The discs are dirt cheap without the keys included... which aren't needed when installing the OS on Dells from their discs. That's one thing I really like about Dells.

The only reasons I saw to use Ultimate instead were AppLocker & BitLocker. But regarding the latter I use TrueCrypt already. Will AppLocker be useful because it operates at kernel level, even though I'm going to use Comodo D+ too? And/or other reasons? You can PM me so we don't derail this thread. Because what I was thinking was to use AppLocker to whitelist the apps as a whole (allow or deny), then use D+ for the specifics. If they play nicely together I could see this being effective. And also something about native imaging in the Ultimate version that has more functionality than in Pro, but I don't know the specifics.

Please PM me... and thanks.

 

Depends. On hardware that's "too" dated, i.e. lacking any hardware/CPU virtualization support, for sure. But he says he has a Core 2 Duo CPU. Depending on the exact model it could have VT-x & VT-d, which gives a great hardware assist and can make the VM barely noticeable. Check here to see what integrated features your CPU supports:
http://ark.intel.com/Products/VirtualizationTechnology

And if you had one that supports EPT as well (which Core 2 Duo's don't, unfortunately), you can notice hardly any impact at all. But with VT-x & VT-d it's a huge assist anyway. I tried running a VM on my old Dell Dimension with none of these hardware virtualization support and it was absolutely unusable. But now it takes it in stride great with minimal overhead. And on another persons machine that had EPT on his CPU too you didn't even notice it was there, though I believe he was using something else (Virtual PC I believe). To my (albeit brief) experience that one runs that lightest and is the easiest to deploy for people that aren't really techies.

 

Virtual Pc is MS effort isnt it?
That hasnt been updated in years.

Suns( now oracles) virtual box is as easy to use as VPC but more current and no doubt faster than VPC with supported for hardware assist.

 

I dunno, VPC seemed pretty darned light. It really was apples to oranges though because his box was faster than mine period, and had the EPT assist too. And I think its easier to use too.

 

@luciddream

Yes. AppLocker and BitLocker. You like to tinker so might as well get Ultimate and play around with these 2 features. You might not consider them necessary now but why deprive yourself the chance to try? It'd also be a great time to go 64-bit. If you worry about your current security software selection, Comodo and Sandboxie support 64-bit.

As for the Comodo shellcode protection, you might want to read this:
http://news.saferbytes.it/approfondimenti/2012/10/common-preventive-and-reactive-approaches-to-
mitigate-exploit-attacks/

 

Well I'll be using TrueCrypt instead of BitLocker for sure. So AppLocker would be the only reason. The reason I would go with Pro instead if I'm not gonna use either of them anyway is because it's lighter and has less surface. And I don't like the thing about having to email MS to get a hotfix to fix a flaw in AppLocker. And if I'll be using D+ not sure how much use it'd be anyway. Does D+ work at the kernel level too? If not, do you see logic in what I said about using AppLocker just to allow/deny, and then D+ for more granular control over specifics? Because if that applies I may just go with Ultimate.

And regarding Comodo & Sandboxie having 64-bit versions... aren't both limited in some fashion? Like in Comodo there's some option for "enhanced protection mode" for 64-bit systems, that makes certain concessions to have it work properly. And I thought I remembered a similar situation with Sandboxie. And I just don't think vendors have caught up with it yet as a whole. I just don't think I'm ready to go with 64-bit just yet. I'm pretty firm about going with x86. The only question remains Pro or Ultimate, and that hinges solely upon AppLocker's value to me with D+ already in place.

And yeah the shellcode protection certainly isn't what DEP + ASLR would do to help, but combined with hardware DEP and a restricted sandbox & tight HIPS rules it's sufficed just fine thus far. I've yet to be exploited as things are. Also I don't really use the stuff that's almost invariably carries the vulnerabilities with them: Flash, Java, .NET FW, IE, PDF, plugins.

That being said I'd love it if a certain member here got done with a project he's working on (OpenEMET) before XP's EOL. It can't provide system wide ASLR where there isn't none, but can add the app specific mitigations. To stay on topic here, to the OP, that is something that would certainly make XP safer past it's EOL.

 

Market share for Windows XP is increasing...

http://www.netmarketshare.com/

Choose Operating systems -> Desktop trend by versions

Lol!

 

It is decreasing. The trend report is from June of last year. It has decreased about 7% since then. It is still a healthy percentage of what is out there.

 

Malware writers are going to move on.

No one wants to write for an obsolete OS that very few people are running.

Which means theoretically, in a couple of years, you could ditch your AV and be confident of a safe Internet browsing experience!

 

December 2013, 28,98%
January 2014, 29,23%

 

As I said in another thread, people are starting to realize that XP is the best Microsoft OS out there

Actually, that 0.25% is probably a statistical error.