Are You Still Using Windows XP?

Discussion in 'polls' started by appster, Mar 8, 2015.


  1. Yes, because of legacy PC support issues with Windows Vista/7/8 (6.9%)
  2. Yes, because I simply prefer Windows XP to Windows Vista/7/8 (12.1%)
  3. Yes, because of another reason (please reveal in post) (21.6%)
  4. No, I replaced/upgraded my legacy PC with Windows Vista/7/8 (41.4%)
  5. No, I switched from Windows XP to Linux (7.8%)
  6. No, other (please reveal in post) (10.3%)

  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    A Microsoft Tech Blog mentioned this at the beginning of the Conficker infections.

    MS08-067 and the SDL
    http://blogs.microsoft.com/cybertrust/2008/10/22/ms08-067-and-the-sdl/
    Unfortunately, millions around the world had not installed SP2 and thus were infected by the first version of Conficker via port 445.

    When Windows 2000 was released, the advice around the 'Net was to install a firewall to be able to control Ports and Services. Those of us who did so made firewalls part of our security strategy, so when Windows XP came along, it was natural to install a firewall. Thus, what Windows did by default was of no concern, since we could control things ourselves.


    ----
    rich
     
  2. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    It's always been that way with Windows. The OS has lots of internal security features that aren't implemented by default or poorly implemented. It has been improving with each version but security is for the end user to implement. Corporate customers hired skilled administrators to lock down their systems but the poor home user was left on his or her own.

    I've been playing with the OS security features in a new installation of Win 7 Ultimate the last few days. Lots of good stuff like SRP, Applocker and a much better Firewall but a lot of the better security options are not enabled at all. These are all things that would be used in a Corporate environment if the SysAdmin was any good at all.
     
  3. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    It was IMO a slight improvement over sp1 and no sp's. As mentioned already your computer was open to attacks.
    If you do a default install of XP you'll notice how many services are running and ports that are open.
    With a few reg tweaks and disabling services you can somewhat close those holes at least better than
    leaving XP in its default state.

    The built-in XP firewall still is though no match against 3rd-party software firewalls and routers that
    use flashable firmware and offer more control over your connections IMO.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    With a little work, on XP you can close all of the open ports and still have a fully functioning OS. It actually runs faster without the excess services running. Unfortunately, XP is the last version of Windows that allows the user to do this. With all of the ports closed, XP can be connected directly to the web, no router or hardware firewall, and not be vulnerable to unwanted inbound connections. Try that with Win 7 or 8.

    I don't have an issue with Microsoft's attempts to harden the core of the system, gaping holes in the implementation aside. My issue is the attack surface, everything enabled and running by default. It's like they regard intrusions as inevitable so why bother shutting the door?
     
  5. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I think it's part of their business model. Having made a nice sum of money reselling some MS development software a few years ago, I'm aware that there is a whole food chain of developers and corporate administrators who learn all the complicated intricacies of MS Windows and pay MS steep licensing and certification fees annually. They in turn work for the corporations and institutions that buy Windows and Office and get paid very well for what they do. If MS sold its OSes secure and locked down to their full potential, it would be cutting out one of its revenue streams. No need for so many certified sysadmins to secure the corporate desktops of the world if Windows was too secure out of the box.

    In an institutional way, Microsoft is starting to remind me of the Catholic church. They definitely have both an orthodoxy and a hierarchy, not to mention institutional mass. They are also very predictable in how they are going to view and approach things in the same way as the Catholic church is.
     
  6. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Yes, it does look possible to close all open ports and run XP with full functionality.

    As far as disabling services and speed I found just disabling "System Restore" made a difference.
    A resource hog and at times I found it unreliable. There are other options one can use.
    Of course many more services can be disabled which does make XP run faster.

    There are way more services installed and running in a Windows 7/8 OS than XP.
    How one goes about disabling these services and closing all open ports without crippling the OS I don't
    know if that is possible.
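
A way to check the claim discussed in the posts above, that every open port on XP can be closed: parse the output of `netstat -ano` and list the sockets that still accept traffic from the network. This is an added example, not code from any poster in the thread; the sample output is constructed and the function names are hypothetical.

```python
# Added example: audit `netstat -ano` output for sockets reachable from the network.
# SAMPLE_NETSTAT is constructed for illustration, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1180
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      198.51.100.7:80        ESTABLISHED     2040
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    700
  UDP    127.0.0.1:123          *:*                                    1040
  UDP    192.168.1.10:137       *:*                                    4
"""


def parse_listeners(text):
    """Return every TCP LISTENING socket and every unconnected UDP socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, foreign, pid = fields[0], fields[1], fields[2], fields[-1]
        if proto == "TCP" and (len(fields) < 5 or fields[3] != "LISTENING"):
            continue  # established or closing connection, not a listener
        if proto == "UDP" and foreign != "*:*":
            continue  # UDP rows carry no State column; *:* marks a bound socket
        addr, _, port = local.rpartition(":")  # rpartition copes with [::]:135
        if port.isdigit() and pid.isdigit():
            listeners.append({"proto": proto, "addr": addr,
                              "port": int(port), "pid": int(pid)})
    return listeners


def is_loopback(addr):
    """Sockets bound to loopback are not reachable from other hosts."""
    return addr.startswith("127.") or addr == "[::1]"


def exposed(listeners):
    """Sorted (proto, port, addr, pid) tuples for non-loopback listeners."""
    return sorted((l["proto"], l["port"], l["addr"], l["pid"])
                  for l in listeners if not is_loopback(l["addr"]))


def by_pid(listeners):
    """Group exposed ports by owning PID; match PIDs to services with `tasklist /svc`."""
    groups = {}
    for proto, port, _addr, pid in exposed(listeners):
        groups.setdefault(pid, []).append(f"{proto}/{port}")
    return groups


if __name__ == "__main__":
    for pid, ports in sorted(by_pid(parse_listeners(SAMPLE_NETSTAT)).items()):
        print(f"PID {pid}: {', '.join(ports)}")
```

An empty result from `exposed()` after a reboot is the state the posters describe as having all ports closed; any remaining row names the PID to investigate.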
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    When I got an old hand-me-down computer, I had XP [128 MB RAM] installed by a friend of my sister. Then took the antique Compaq business computer home...

    The first thing I did when I connected to dial-up [AOL Australia], back in 2001, was install a software firewall [Zonealarm]...I was as green as the hills, when it came to computing...LOL

    In those days who cared about a firewall?
     
  8. 142395

    142395 Guest

    Also note, when a new OS comes in, malware writers need some time to create new malware to infect it. Just see subsequent MS report and you'll find the most infected OS is now Vista. MS didn't comment on it nor ofc yet corrected their flawed claim that 7 is x times more secure and 8 is... As MisterB said 7 is almost same as Vista in regards to security.

    As a student in mathematical science I really hate this kind of feeling manipulation which is apparently based on statistics but actually just abusing stats. Stats itself can't tell a lie but those who use it can and often actually do.

    As to too many unnecessary services and we can't turn off all of them w/out crippling OS, I have to agree, tho I think Win FW itself is still necessary security improvement like Rmus illustrated.

    Also agree with MisterB, Windows can be secured but most users never see them. To be honest, major Linux distros are not much different in this aspect but at least bit less noisy and services I turned off in Ubuntu12.04 were much fewer than Win7 (don't mention Linux is much more configurable).
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    In that respect, statistics are like forensic "evidence" and DNA. The science may be unbiased and accurate but the same can't be said for those doing the testing. The result is that they're made into commodities, evidence or proof for sale, sold to the highest bidder, which is almost always government and corporate interests.
    I agree that a firewall is a necessity, especially one with good outbound control. I don't agree that it needs to be the Windows firewall. Compared to other available firewalls, it is IMO an inferior product. As for the services, the majority of those services running by default won't be used by most people. They should be installed/enabled if needed, not the other way around. For me, the most questionable aspect of this is integrating system critical services with others that open ports or making them dependent on them. I have yet to see a good answer as to why these services need to open ports. Open ports serve one purpose, receiving unsolicited inbound connections and traffic. Why does the OS need to receive such traffic, whether the user wants it or not? This behavior appeared after Microsoft got "help" from the NSA with securing Vista. Given the revelations regarding their subverting security whenever possible, I have to believe that those open ports are for their benefit until I see a good explanation otherwise. For me, that's more than enough reason to make XP the last Microsoft OS I'll use, even as virtual systems. The vast majority of the time, my modified 98 system is my preferred OS.
     
  10. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    There is an option in HijackThis to delete an NT service (win NT4/2K/XP) but was limited. Services belonging to
    Microsoft that are system critical couldn't be deleted. XP user could go through the services that are not needed
    and disable them. There are ways to slim down XP and secure it better if you take the time and effort to do so.
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I seem to remember from years ago, "Bold_Fortune's Guide to Slimming Windows XP".
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    One of the best tools I've seen for stripping the excess out of XP is XPLite. It's worth the price if you like XP. In addition to services and their components, it allows you to rid your system of Windows' biggest security liability, Internet Explorer.

    As good as XPLite and its predecessor 98Lite are, I find it interesting that they haven't released anything for stripping Vista or Win 7.
     
  13. monkeylove

    monkeylove Registered Member

    Joined:
    Dec 10, 2013
    Posts:
    226
    I use it in a Virtualbox to run old programs.
     
  14. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    There is NTLite that supports Windows versions including client Windows 7, 8, 8.1 and 10TP.
    You can remove components and apply tweaks and more. (doesn't require NET Framework)

    There is also Win Toolkit that can customize your Windows installation. (Windows 7 toolkit)
    Some features work on Windows 8.
    Windows XP and Vista users need to install DISM Installer and NET Framework 3.5 in order for
    toolkit to work. You may also need to update the Windows Installer from 3.1

    XP Users can also use nlite program (requires NET Framework) to integrate service packs, drivers
    hot fixes, add-ons and update packs. Also remove components, add reg tweaks and create a
    bootable iso file to burn to cd/dvd. Slim down XP from the default install.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The NET Framework requirement makes the toolkit a no-go for me. I'm not going to install that bloatware just to get rid of the existing bloatware. I don't trust the NET Framework uninstaller to completely remove everything, especially in the registry.

    NTLite and the Toolkit appear to be multi-purpose tools while XPLite and 98Lite are largely single purpose utilities. Both are very small, under 2MB. Neither requires that you install anything other than the tools themselves.

    I'd be curious to learn if anyone has managed to close all of the ports on Vista or 7 with the aid of those tools. I don't have either and don't intend to get them just to see if that battle can be won. What I'm really waiting for are the unofficial upgrades for XP, especially an XP equivalent of the KernelEx for Win98. As popular as XP is, I'm quite sure we'll see them. If they end up anywhere near the quality that the unofficial 98 upgrades have, XP's best years may be ahead of us.
     
  16. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    On NET Framework uninstall (e.g. version 2.0) you would have extra cleanup after uninstall.
    Registry entry leftovers and Windows folders that contain logs, files. Also it leaves the
    ASP.NET State Service intact. Not exactly what you call a "clean uninstall". That's typical
    though for Microsoft. Updated NET Framework versions are probably the same if you want to
    uninstall them. Have managed to leave NET Framework off the system.

    Note: Windows Add or Remove Programs

    Sounds like a better approach to accomplish a similar objective.

    That would be great. It's almost been a year since MS ended support for XP.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The last time I checked, there is a KernelEx for Windows 2000. It's been a long time since I've looked at it. It should serve as a good foundation for an XP version. Dismantling the kernel and supporting files in order to add the new APIs and accommodate the new dependencies is slow work.

    Currently, there's an unofficial service pack for XP in development. As far as I know, it ports several of the updates for the newer OS back to XP. It's a start. It wouldn't surprise me if Microsoft did take note of KernelEx for 98 and took steps to make it much more difficult on XP.
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    POSReady 2009 registry hack not good enough compared to unofficial upgrades?
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    By unofficial upgrades, I'm referring to more than adapting the latest patches. For 98, the unofficial upgrades included porting USB 2.0 to Win98, fixing the memory and resource management issues that MS refused to, fixing hard drive size limitations, file copy size limits, adding new APIs so that more current software would run on it, porting newer VC runtimes, etc. These and more are still continuing for both 98 and Win 2K. It's this kind of work applied to XP that will make it an even better OS.
     
  20. 142395

    142395 Guest

    Windows Legacy Update I mentioned in #41 and his site cares not only about vulnerability patches but also software compatibility, tho he is more oriented to W2K than XP.
    But it's not open source, as he doesn't have original source code he just reverse-assembles new patches, proprietary drivers, etc. and makes modified versions which are compatible with old Windows.
    But cuz it is matter of trust and I myself don't have XP (so haven't tested them by myself), I can not generally recommend.
     
  21. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I have an XP Pro machine to use certain 16bit applications from the 90s. There's no personal information on the machine or anything mission critical on it. System runs speedily despite the slow processor (even for the era) but by choice I have no real-time protection other than exewatch for basic monitoring.

    - hardware firewall + default SW firewall;
    - rationalised services + hardening with xpy/xp-antispy/SafeXP/SeconfigXP;
    - Rollback XP;
    - portable apps and browser installed on second partition.

    Browser (Firefox):
    - NoScript;
    - uBlock with malware lists;
    - Limited privileges (SSRP).

    Machine has commit charge of 124mb on idle. It never occurred to me to disable all ports as mentioned by noone_particular. Also I've not used the POSready Windows Update registry hack or any unofficial patches.
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    XP can be stripped way down if you take your time and make backups as you go. Excluding the swap file, the virtual XP-Pro-SP3 I'm using now is under 750MB. Most of the Windows components that were part of the attack surface are gone. With a little work, I'm sure it could be stripped even more. It has 19 total running processes. 9 are Windows components, 3 of which are instances of svchost.exe. The rest are user and pri/sec applications. Except for an office suite, it has all of the basic needs plus a good security and anonymity package, including Tor and SandBoxie.

    There's no reason that MS couldn't make a compact, efficient OS that doesn't need several gigabytes of hard drive space and RAM just to run. Operating systems keep growing in size and demands on the system so that they can push users into new hardware. Fortunately, XP users can take advantage of the available tools to make XP a very light and fast system, and end up with a more secure system in the process.
     
  23. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Wonder why there are 3 instances of svchost.exe running? I'll have to check what's running with Process
    Explorer. Sandboxie can be a good addition for browser and other applications.

    If I set Windows ' Terminal Services ' to manual and start the service then I end up with another
    svchost.exe running. (total of 3 ) Set the service to manual or disable then I'm down to 2 svchost.exe running.

    If you disable/manual service then you won't see ' User Name ' listed when you open up Task Manager.
    (e.g. SYSTEM, NETWORK SERVICE, <user name>)
     
    Last edited: Apr 1, 2015
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There can be a dozen or more instances of svchost. There are separate instances for many of the services that require it. How far you can strip it down will depend on what you have installed and what you need. Take it slow, one or two changes at a time. Reboot between them. Test everything that you use to make sure it still works properly. Make system backups as you go, not just restore points. Lots of options for this. I use an old Acronis Rescue CD and save the images to a data drive. Above all, take notes of what you disable and remove.
     
  25. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Even when it isn't stripped down, XP SP3 is still much lighter than later versions of Windows. I like to hear of it being stripped down so far. The light OSes that MS has are WinPE and XPe and later versions of Windows Embedded.

    I've played around with AIK and set up bootable WinPE partitions that can run such useful software as Opera 12. I haven't got to the point of getting Windows explorer working but there is a lot of good software that can be started from a command shell including alternative Explorer shells. XyPlorer and BSExeplorer both work in WinPE.

    XPe has a bit more than WinPE but it is still light and basic. There are XPe thin client boxes that are a bit more than a Raspberry PI but still pretty small. There are even XPe thin client laptops. The OS is entirely in flash rom so any change or alteration to the OS only lasts that session. Hardware sandbox in other words. After reading about XPe a bit, I'm planning on getting a thin client to experiment with.
     