Windows XP ceases to be supported, and therefore patched, after April 8th 2014. That means if somebody finds a hole in it big enough to sail a tanker through, any XP machine not covered by a Premier Support contract will be left unpatched forever, and therefore at risk forever too. If you still have any Windows XP machines in active use you really should find an alternative as soon as possible.
Why is this happening? In short, Windows XP is 13 years old at the time of writing, which in IT terms is on par with the dinosaurs; it is well past retirement age and we need to move on to something better. We’ve been telling people about this impending doom for years, but alas, for some IT departments it works well enough that upgrading isn’t justified until absolutely necessary. Well, now it is absolutely necessary. Windows XP has been supported longer than any previous version of Windows, but its day is finally up; if you want us to support you running it from now on, it’s no longer free. Sure, we’ll support XP if you absolutely can’t come off it, but the blank cheque on patches for this relic of an OS expires now.
That’s not to say you can’t mitigate a large portion of the risk if you don’t want to buy Premier Support; it is possible to lock the OS down, and this article is about how best to secure XP if that is your only option.
Standard warning of doom: while you use Windows XP without Premier Support, your machine and any data on it are at risk, and Microsoft offers no guarantees about the safety of Windows XP once support dries up. Even if you follow this article and any number of others on the subject, the only guarantee of functionality and safety is to move off the system onto something (anything) newer. Also, I’m not a platforms engineer by profession, so don’t take this as gospel; I just happen to have years of experience with the system, and others may have a different angle. If you need 100% supported reliability and safety you need to get off XP as soon as humanly possible, but this article should at least help reduce the risk.
XP has very few of the security features that every version since has had baked in as standard (no User Account Control, no ASLR, and DEP only from SP2 onwards, to name three), which is just one more reason it’s time to move on. That said, it still has some security features we can harness and some services we can switch off to reduce the likelihood of anything bad happening. Here’s what we’re going to do:
The idea is very simple: turn our Windows XP install into a locked-down island of paranoia that listens for nothing and only makes outbound connections. Part of this involves removing the machine from Active Directory, which will obviously break any functionality that depends on the domain, so your mileage may vary depending on your needs; I’d still strongly recommend taking any XP machines out of the domain, because you can disable much more if you do.
Many will know the handy Windows command-line utility “netstat”; it tells you which ports are in use by listening services. Run “netstat -ano” (all sockets, numeric addresses, owning process) and it lists every open port together with the process ID (PID) that owns it. First we need to shut down anything owned by the same PID as “System” in Task Manager, usually PID 4, because those listeners live in kernel-mode drivers rather than in a service you can simply stop:
Compare the PIDs with what you see in Task Manager (you’ll need to add the PID column via View > Select Columns, as it’s not shown by default):
By default we see ports 137 and 138 open on UDP and 445 on TCP, all owned by the Windows kernel: 137 and 138 are NetBIOS (the name service and the datagram service) and 445 is SMB file sharing, direct-hosted over TCP. More information about all the common Windows ports is available at http://technet.microsoft.com/en-us/library/cc959833.aspx. These must not be open, because the code listening on the other end of them will never be patched again. It’s not enough to block them with a firewall; they need to not be listening at all.
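As an added example (not from the original article), here is a batch script for the check above that goes one step further than Task Manager: it maps every TCP listener and every bound UDP socket to its PID and, for anything other than PID 4, to the services hosted in that process via “tasklist /svc”. That matters on XP because several services share one svchost.exe, so a PID alone doesn’t tell you which service owns a port. It needs tasklist.exe, which ships with XP Professional but not XP Home.

```batch
@echo off
setlocal
rem Added example: map every listening socket on XP to its owning process and,
rem where that process is a svchost, to the services hosted inside it.
rem Needs tasklist.exe, which XP Professional has and XP Home does not.

echo === TCP listeners ===
rem TCP lines from "netstat -ano": proto, local address, foreign address, state, PID
for /f "tokens=1,2,5" %%a in ('netstat -ano ^| findstr /c:"LISTENING"') do call :show %%a %%b %%c

echo === UDP sockets ===
rem UDP lines have no state column: proto, local address, foreign address, PID
for /f "tokens=1,2,4" %%a in ('netstat -ano ^| findstr /r /c:"^ *UDP"') do call :show %%a %%b %%c
endlocal
goto :eof

:show
rem %1 = protocol, %2 = local address:port, %3 = owning PID
if "%3"=="4" (
    echo %1 %2  PID 4 System: a kernel-mode listener ^(NetBT, SMB^), not a service you can stop
) else (
    echo %1 %2  PID %3
    rem /svc adds the Services column, /nh drops the header row
    tasklist /svc /nh /fi "PID eq %3"
)
goto :eof
```

Run it before and after each step below; the “after” run is the real test that a port has gone, since a service that merely restarts at the next boot will show up again.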
Ports 137 and 138 are NetBIOS over TCP/IP (NetBT), and we need to turn it off; 139/TCP, the NetBIOS session port, goes away with the same change. It is possible to disable it for a whole network with a DHCP option, but it’s safer to do it by hand on each machine: the DHCP-driven setting only applies while the machine holds a lease from a server that hands the option out, and NetBIOS comes straight back if the machine ever gets a lease from one that doesn’t. Anything that depends on NetBIOS will obviously fail now, but that’s preferable to being hacked, hence we’re turning it off.
Open “Network Connections” in Control Panel. You need to do this for each and every network adaptor: right-click it, open “Properties”, then open the properties for “Internet Protocol (TCP/IP)”. The setting only exists on the IPv4 protocol; NetBIOS over TCP/IP does not run over IPv6, so there is nothing to change on “Microsoft TCP/IP version 6” if your XP install has that installed.
In the TCP/IP properties, click “Advanced” and go to the “WINS” tab. Select “Disable NetBIOS over TCP/IP” and click OK.
Click “OK” to apply the changes to the TCP/IP protocol and you should be good.
Finally, there’s a Windows service that exists purely to serve NetBIOS, “TCP/IP NetBIOS Helper”, which you should stop and disable too. Do this.
Next up, port 445 needs to be unbound from every network interface. Back in the adaptor’s properties, uninstall (or at the very least untick) “File and Printer Sharing for Microsoft Networks” so your network adaptors look something like this:
Now we’ve disabled the core kernel listeners that could sink the ship, we need to do the same for user-mode services: network listeners that aren’t part of the kernel but are still part of Windows. All of these, in other words:
These are ports 123, 1025, 1033, 1045, 1900 and 3324, all on UDP. UDP is a particularly exposed protocol because there is no handshake before data arrives: a single datagram, with a source address the sender can forge, is handed straight to the listening code. Someone or something can just “spray and pray” a bunch of UDP packets across a network and hope something listening picks them up, which makes indiscriminate drive-by attacks much easier.
Ports in the 1025 to 5000 range are XP’s dynamic RPC port range; the listeners there belong to RPC-based services, including the ones that talk to Active Directory. See below for closing those holes.
Port 123 is the Windows Time service (W32Time, the NTP client); disable and stop it in Windows Services. Job done.
Port 1025 is owned by the same process as the Windows Firewall/Internet Connection Sharing service, so given we want to keep the firewall in use we’ll leave this one intact; disabling the firewall would arguably do more harm than good. Bear in mind that a PID alone doesn’t identify a service on XP, because several services share one svchost.exe process: “tasklist /svc” lists exactly which services are hosted in each PID, so check that before deciding what a port belongs to.
Finally, stop and disable the services “SSDP Discovery Service” and “Universal Plug and Play Device Host”. To be sure port 1900 doesn’t come back, follow this guide too, http://support.microsoft.com/kb/317843, and also uninstall UPnP from the Windows Components Wizard, under “Networking Services” in “Add/Remove Programs”.
If IIS is installed, it urgently needs to come off. Even if XP were supported forever I’d be saying the same.
Make sure there’s as little in this list as possible, but definitely remove IIS & all “network services” components.
XP normally has at least one of these turned on: Remote Assistance and Remote Desktop, both on the “Remote” tab of System Properties. They’re now both fundamentally unsafe to have switched on, so turn both off:
Turn both these options off and apply.
The listeners in the 1025 to 5000 range belong to the RPC-based domain services, which for safety we should disable. That might not be possible for some people, but we’re going to do it here, because XP must become a potato to have any chance of staving off future attacks, even if that means breaking all sorts of dependencies.
Remove the machine from the domain (System Properties > Computer Name), then stop and disable the “Workstation” and “Net Logon” services. Net Logon depends on Workstation, so stop it first; Workstation will refuse to stop while anything that depends on it is still running.
Seal the deal by uninstalling “Client for Microsoft Networks”. Your XP machine just became about as functional on a Windows network as a Mac, which is actually half the point of this step. Your network components should look something like this now:
Clean and secure-ish. About as good as you’re going to get on XP anyway.
If you’ve done everything above correctly, running “netstat -ano” again should now show something like this:
Read the local-address column carefully. Anything listed against 127.0.0.1 is bound to the loopback address only and can’t be reached from the network, so those entries are fine. 0.0.0.0 means the opposite: the socket is bound to every address on every interface, so anything listed there is reachable from the network and needs accounting for. The remaining 1025 port is our firewall process, which we want to keep so the firewall works; if you have a replacement firewall, feel free to disable the “Windows Firewall/Internet Connection Sharing (ICS)” service too and that one will go as well.
Good job; Windows XP should now be answering absolutely nothing on any interface. This is what we need.
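The whole of the network lockdown above as one batch script, to run from an administrator command prompt. This is an added example rather than the article’s own procedure: it uses the standard XP service and registry names and does by registry and “sc” what the article does through the GUI, with the exception of leaving the domain and uninstalling the two Microsoft Networks components, which stay System Properties and Network Connections jobs. The NetBT registry changes only take effect after a reboot.

```batch
@echo off
rem Added example: XP network lockdown in one script (not the article's own).
rem Run as an administrator; leave the domain in System Properties first.
rem Reboot afterwards, then re-run "netstat -ano" and check that
rem 137, 138, 139 and 445 are gone.
setlocal
set NETBT=HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

rem 1. Disable NetBIOS over TCP/IP on every interface (same as the WINS tab).
rem    NetbiosOptions: 0 = take the DHCP setting, 1 = enable, 2 = disable.
rem    reg query on XP prints a version banner, so keep only the Tcpip_ subkeys.
for /f "delims=" %%k in ('reg query "%NETBT%\Interfaces" ^| findstr /i "Tcpip_"') do (
    reg add "%%k" /v NetbiosOptions /t REG_DWORD /d 2 /f >nul
)

rem 2. Close TCP 445 at the source: SMBDeviceEnabled=0 stops the NetBT driver
rem    creating its direct-hosted SMB device, so nothing binds 445 even if one
rem    of the Microsoft Networks components is left installed by mistake.
reg add "%NETBT%" /v SMBDeviceEnabled /t REG_DWORD /d 0 /f >nul

rem 3. Remote Desktop and Remote Assistance (System Properties > Remote tab).
set TS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
reg add "%TS%" /v fDenyTSConnections /t REG_DWORD /d 1 /f >nul
reg add "%TS%" /v fAllowToGetHelp     /t REG_DWORD /d 0 /f >nul

rem 4. Stop and disable the listening services.  Order matters for "sc stop":
rem    a service with running dependents refuses to stop (error 1051), so the
rem    dependents of Workstation and Server (Net Logon, Computer Browser,
rem    Alerter, Messenger) come before them.  "sc stop" on a service that is
rem    already stopped reports error 1062, which is harmless here.
for %%s in (lmhosts W32Time SSDPSRV upnphost Netlogon Browser Alerter Messenger LanmanWorkstation LanmanServer) do (
    sc config %%s start= disabled
    sc stop %%s
)
endlocal
echo Done. Reboot, then re-run: netstat -ano
```

Note the space after “start=” in “sc config”; it is part of sc’s syntax, not a typo. The service names are the short names services.msc shows in the Properties dialog: lmhosts is “TCP/IP NetBIOS Helper”, SSDPSRV and upnphost are the two UPnP services, and LanmanWorkstation/LanmanServer are “Workstation” and “Server”.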
Windows XP is based on NT, which comes with a pretty comprehensive file and system permissions model. One of XP’s problems is that it has no easy way of temporarily elevating a single program to administrator level (User Account Control only arrived with Vista), so everyone tended to run as a full administrator all the time, without any check on permissions; a habit malware exploited hugely.
Well, now we need those safety mechanisms to protect XP more than ever. There should be one administrator account per machine, maximum, and it should not be the default “Administrator” account that comes with Windows out of the box; it should have a name only you, the machine owner, know. Everyone does their day-to-day work as a standard user, so if something malicious runs in that session the damage is limited to that user’s profile and whatever else that user can write to, not the whole OS.
The normal, everyday users can elevate to this administrator account if and when needed, like so:
Computer Management will run as AdminUser, which has full administrative permissions. It’s a bit like “sudo” in *NIX land and is good security practice. The same thing is available from the command line as “runas” - http://technet.microsoft.com/en-us/library/cc771525.aspx.
Your accounts need to look like this: the default Administrator account disabled, with another user created for admin tasks and given a strong password.
Finally, make sure you disable anonymous enumeration of accounts, so nobody can query the XP machine for its account list without authenticating first: in Local Security Policy (secpol.msc), under Security Options, enable “Network access: Do not allow anonymous enumeration of SAM accounts” and “Network access: Do not allow anonymous enumeration of SAM accounts and shares”. Given all the changes above this would be very difficult anyway, but good security is a layer cake, not a silver bullet.
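The account setup above as a batch script for XP Professional (an added example, not the article’s own; “AdminUser” and “DailyUser” are placeholder names, pick your own). The ordering is the important part: the built-in Administrator is disabled last, only after the replacement admin account has been proven to work, so you can’t lock yourself out.

```batch
@echo off
rem Added example: local accounts for a stand-alone XP Professional machine.
rem "AdminUser" and "DailyUser" are placeholders.  Run from an administrator prompt.

rem 1. A dedicated administrator account whose name isn't "Administrator".
rem    "*" makes net user prompt for the password instead of leaving it in
rem    the script or in the command history.
net user AdminUser * /add
net localgroup Administrators AdminUser /add

rem 2. A plain account for day-to-day use: a member of Users only.
net user DailyUser * /add
net localgroup Users DailyUser /add

rem 3. Don't let anonymous (null-session) callers enumerate accounts or shares.
rem    These are the registry values behind the two "Network access: Do not
rem    allow anonymous enumeration" settings in Local Security Policy.
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictAnonymous    /t REG_DWORD /d 1 /f

rem 4. Check the result: only AdminUser should be listed, plus Administrator
rem    until the next step removes it from use.
net localgroup Administrators

rem 5. Disable the built-in Administrator account LAST, and only after you have
rem    logged on as AdminUser once to prove the password works.
net user Administrator /active:no

rem Day to day, stay logged on as DailyUser and elevate one program at a time,
rem for example Computer Management:
rem   runas /user:AdminUser "mmc compmgmt.msc"
```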
Microsoft Security Essentials stops being supported on XP when XP does, but it will still receive signature updates for a while. You may want to consider another anti-virus product, though, as others may offer a longer support commitment.
Look for antivirus products that support Windows XP; not all do, but some will for a while longer at least. There are other options to look at: BitDefender, Norton and McAfee, to name but a few. Check them all out.
Windows XP needs to respond to zero traffic sent to it, as inbound traffic is a huge attack vector even on a good day. That means no listening services, as we’ve done above, but we’re going to double-tap this problem by switching on the Windows Firewall and setting it to block all inbound traffic with no exceptions: on the General tab of Windows Firewall, set it to “On” and tick “Don’t allow exceptions”.
XP’s firewall has no outbound restrictions, so this is about as good as we’re going to get on the machine itself. I’d strongly recommend doubling up with an external firewall as well, and configuring outbound restrictions there.
Finally, there are other bits and pieces that could be stopped just to reduce the number of running processes, which is good security practice in general as it reduces the attack surface. Consider turning off:
· Automatic Updates, if you’re reading this past April the 8th. Make sure you’ve got the latest patches from Windows Update first, but after April this service will never get another update; it’ll just eternally think Windows is fully patched. Which technically it will be, because we won’t be releasing any more. Either way, it’s now redundant.
There are probably more, but these are a start at least. Review each service and see whether you can survive without it; obviously not all of them, but there’ll be some you don’t need. Every service left running is a potential security risk, because it will never be patched again.
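The firewall setting from the section above, the Automatic Updates service, and a final check that nothing is left reachable from the network, as one batch script for XP SP2 or later (an added example, not from the article; “netsh firewall” is the XP SP2/SP3 syntax and is not the same as the later “netsh advfirewall”):

```batch
@echo off
rem Added example: firewall lockdown and final listener check for XP SP2/SP3.
rem Run from an administrator command prompt.

rem 1. Firewall on for every profile with "Don't allow exceptions" set.
rem    Inbound is dropped whatever happens to be listening; XP has no outbound
rem    filtering, so that part still needs an external firewall.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL

rem 2. Show the result: each profile should report operational mode Enable
rem    and exception mode Disable.
netsh firewall show opmode

rem 3. Automatic Updates has nothing left to fetch after 8 April 2014.
rem    Take the last patches from Windows Update first, then stop and disable it.
sc config wuauserv start= disabled
sc stop wuauserv

rem 4. Final check: list every TCP listener and UDP socket that is NOT bound to
rem    loopback.  127.0.0.1 entries are local-only and acceptable; anything on
rem    0.0.0.0 (all interfaces) or on an adapter address is reachable from the
rem    network and should be just the firewall/ICS process, or nothing at all.
echo === sockets reachable from the network ===
netstat -ano | findstr /v /c:"127.0.0.1:" | findstr /r /c:"LISTENING" /c:"^ *UDP"
```

If step 4 prints anything other than the firewall/ICS process, go back to the service list: the owning PID is in the last column, and “tasklist /svc /fi "PID eq N"” tells you which services live in it.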
Windows XP was one of the most successful and mature operating systems ever; it provided the foundation for every Windows release since. It’s time to move on, though; technology cannot stay static forever, and given the multitude of improvements that have gone into Windows since, it’s just no longer an option to keep “ye olde” OSes on life support. This lockdown is a last-ditch attempt to stay safe on an old system, but it’s no guarantee.
Everyone wins ultimately by moving off Windows XP; it’s been good, but its time is up. Onwards and upwards!
// Sam Betts