Tom McCune's

Windows XP Configuration


These are suggested basic Windows XP settings to improve its usability and security, and the privacy of its users.  This is designed primarily as a checklist that I will be using for myself, and is not meant to be completely comprehensive, or even to explain the reasons for my suggestions.  Most of this will be particularly helpful to individual users, but there is always the chance that any individual recommendation might produce an unwanted result for any particular individual.  For those wanting to seek greater understanding and guidance about privacy and security issues, I suggest starting at Protecting Your Privacy & Security.


Classic Windows Settings

CONTROL PANEL:
Appearance and Themes - Folder Options - General tab: select "Use Windows classic folders"
                                                                       View tab: select "Show hidden files and folders"
                                                                                   uncheck "Hide extensions for known file types"
                                                                                   uncheck "Hide protected operating system files...."

Taskbar and Start Menu - Taskbar tab: uncheck "Group similar taskbar buttons"
                                                                check "Show Quick Launch"
                                                             uncheck "Hide inactive icons"
                                         Start Menu tab: select "Classic Start menu"
                                                                click on Customize button - click "Expand Control Panel"
                                                                                                     uncheck "Use Personalized Menus"

 System - Advanced tab - Performance settings (Visual Effects tab):
                                                             uncheck "Animate windows when minimizing and maximizing"
                                                                           "Fade or slide menus"
                                                                           "Fade or slide ToolTips"
                                                                           "Show window contents while dragging"

 Display - Themes tab - Theme: select Windows Classic
             - Desktop tab - Customize Desktop - uncheck "Run Desktop Cleanup Wizard every 60 days"
             - Appearance tab - Effects - uncheck "Hide underlined letters for keyboard navigation...."

START BUTTON - Settings -  right click on Control Panel, select Open - click "Switch to Classic View"

WINDOWS EXPLORER - View menu - select Status Bar
                                         Configure a folder as wanted, such as View menu - select Status Bar
                                                                                                                                 Details
                                                                 then Tools - Folder Options - View - "Apply to All Folders"

TWEAK UI (if installed) - Explorer: check "Use Classic Search in Explorer"
                                                    uncheck "Prefix 'Shortcut to' on new shortcuts"

If using third party software for CD recording, such as Nero or Direct CD, turn off Windows XP CD recording:
In Windows Explorer, right click on the CD drive, select Properties;  on the Recording tab, uncheck "Enable CD recording on this drive"


Privacy and Security Settings

Set a BIOS boot password (or preferably a hard disk password if you have this option).  When you boot, your computer should tell you what key to hit to enter Setup for this.

Set a Screen Saver password: Right click on the desktop; click on Properties; on the Screen Saver tab, set a Wait time, and place a check for "On resume, display Welcome screen."

Control Panel - Administrative Tools - Local Security Policy  (WinXP Pro only?)
            Set Account Policies - Password Policy settings
            Set Account Policies - Account Lockout Policy (maybe, all to 5)
            Local Policies|Security Options: Enable "Shutdown: Clear virtual memory pagefile"  or:
               1. Start Regedit
               2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
               3. Set the value to 1

Disable Services (Settings - Control Panel - Administrative Tools  - Services) you don't need to have enabled.  Particularly consider:

Go to Settings - Control Panel - System - Remote, and disable both Remote options.

Set Windows Updates settings: Settings - Control Panel - System - Automatic Updates
Select either Automatic, or "Notify me but don't automatically...."

Turn off Simple File Sharing (requires WinXP Pro): Settings - Control Panel - Folder Options - View

Microsoft Error Reporting: Disable it by Settings - Control Panel - System - Advanced - Error Reporting, and selecting Disable Error Reporting (I suggest checking "But notify me when critical errors occur").

Turn off File and Printer Sharing for your Internet connection:
Settings - Network Connections - right click on the icon for your Internet connection and select Properties;
uncheck "File and Printer Sharing for Microsoft Networks," and also while you are there:
              "Client for Microsoft Networks"  (but, I found this one to be needed for my 802.11b wireless connection)

"Disable NetBIOS over TCP/IP": Settings - Network Connections - right click on the icon for your Internet connection and select Properties - click on Internet Protocol (TCP/IP) - Properties - Advanced - WINS tab.

Windows Messenger: Unless you really use it, turn it off by going to its menu option of Tools - Options - Preferences, and unchecking "Run this program when Windows starts" and "Allow this program to run in the background."

Use a more secure browser (such as  Firefox) for routine browsing, and use IE only when needed for sites you trust (the IE View extension makes this very easy to do). 

Internet Explorer: Tools - Internet Options - Security tab - Internet Zone - Custom Level; set security zone to Medium.
                                                                                         Scroll down to Scripting section; disable "Allow paste operations via script"
                                                                  - General tab- Temp. Internet Files Settings: set 1 MB for disk space amount.
                                                                  - Content tab- AutoComplete: uncheck Options you want to protect - Use Clear buttons
                                                                  - Advanced tab:  uncheck  "Enable Install On Demand (Internet Explorer)"
                                                                                                      "Enable Install On Demand (Other)"
                                                                                        check     "Empty Temporary Internet Files folder when …."

Disable SuperCookies in Internet Explorer.  In Windows Media Player:
        Tools - Options: uncheck "Allow Internet sites to uniquely identify your player"
This has more recently changed:
        Tools - Options - Privacy tab: uncheck "Send unique Player ID to content providers"

Make sure your Java is up to date.

Keep your Adobe Reader up to date.

Lexmark printer users: Rename all files starting with LEXPPS, unless you are actually sharing your printer on a local network.

Use a more secure email client (such as Pegasus Mail) instead of Microsoft's Outlook or Outlook Express.  They are the only email clients I know of that have been subject to contracting viruses without even opening attachments.  

        To make Outlook Express reasonably secure:
        Tools - Options - Security tab - Virus Protection:  make sure "Restricted sites zone" is selected.
                                                                                       Check both the other boxes in this section.
                                                       - Download Images: select "Block images and other external...."

        Tools - Options - Read tab: select "Read all messages in plain text."
       View - Layout: Make sure "Show preview pane" is not checked.

Unassociate Visual Basic Scripting: Control Panel - Folder Options - File Types
                                                                              Scroll down Extensions to VBS; click on it, and hit Delete.

Only login with admin privileges when you actually need to.  Use a limited user account for normal computer use. 

Use good user passwords:
Control Panel - User Accounts; click on a user account icon, and then click on "Change my password"

Make sure the default Administrator account has a secure password.  Windows XP Pro users can access this account by going to the Welcome Screen, and then holding down the Ctrl and Alt keys while punching the Del key twice, and entering Administrator as the user in the box that pops up.  Windows XP Home users will have to boot to Safe Mode: reboot and start punching the F8 key until given the option of booting to Safe Mode.

Disable the Guest Account: Settings - Control Panel - User Accounts
                                          Click the Guest account - Click "Turn off Guest access" (this is only for WinXP Pro?).

WinXP Pro users should consider using the NTFS encryption options, but if you have high security needs, consider the much more secure PGP.

If you choose to use Hibernation, be aware that all contents of your RAM (at the time of entering hibernation) will be written to the hard disk, including any passwords and personal information.

Microsoft Word: Tools - Options - Save: Disable "allow fast saves"

Associate the rtf extension with WordPad: right click on a file with an rtf extension - select Open With - select Choose Program
                                                              - click on WordPad - place a check for "Always use the selected program...." - click OK.

Set "X-No-Archive: yes" for News and Mail headers.  I understand that Outlook Express does not have a way of automatically having this in the headers, but having it (without the quotes) as the first line of a newsgroup post serves the same purpose.

Use Ad-Aware and/or SpyBot to remove spyware.  I use the SpyBot Immunize option to help prevent such problems.

Use good Anti-Virus software (such as the free Avast! or the free AVG).  Keep the virus definitions up to date.  Set your AV software to automatically scan files each time they are accessed.

Use a good firewall.  Although a firewall (such as the free Comodo) with both incoming and outgoing (to help defend against trojans, spyware, etc.) protection is better, the Windows XP Firewall is very good at the incoming-only protection that it provides:
                      Settings - Control Panel - Network Connections - right click on your Internet connection icon - Properties - Advanced
                      set "Protect my computer and network by limiting or preventing access to this computer from the Internet."
                         (if the Windows XP Service Pack 2 is installed, the Settings button on the Advanced tab needs to be selected first)

Use of a router adds much incoming protection, esp. one with SPI (Stateful Packet Inspection).

If not using the computer for a long period of time (such as when away for the day at work, or when sleeping for the night), shut it down - esp. if having an always on Internet connection such as cable modem or DSL.

For wireless networking, be sure to use encryption.  If only WEP is available, use the 128 bit WEP, but be aware that WEP will not really protect you from a capable attacker.  If WPA is available, use it - TKIP is quite secure, but AES is even better if you have it available.  Use a shared key at least 20 characters long.  I recommend using Password Safe to both generate and store secure passwords.  Also make sure that you set a good password for your router setup access, change its default SSID (there is no need to hide it if you use WPA), and disable your router's setup access by wireless connections.  Make sure "Automatically connect to non-preferred networks" IS NOT checked, and that "Access point (infrastructure) networks only" IS selected (your wireless network connection properties - Wireless Networks tab - Advanced button).
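
Several of the settings in this section (the pagefile clearing value, the two Remote options, and NetBIOS over TCP/IP) are stored in the registry, so they can be re-checked after updates or software installs without opening each dialog.  The script below is an added example, not part of the original checklist.  It assumes Windows PowerShell is installed (an optional download on Windows XP), and the value names other than ClearPageFileAtShutdown are not from this page.

```powershell
# Added example: read-only audit; changes nothing. Only the
# ClearPageFileAtShutdown location is from the page; the other value names
# are the registry counterparts of the GUI settings (assumption of this example).
$cs = 'HKLM:\SYSTEM\CurrentControlSet'

function Test-RegValue($Item, $Key, $Name, $Want) {
    # A missing key or value is reported as "(not set)" and counts as a failure.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $have = $null
    if ($props) { $have = $props.$Name }
    $found = $have
    if ($have -eq $null) { $found = '(not set)' }
    New-Object PSObject -Property @{
        Item = $Item; Value = $Name; Found = $found; Wanted = $Want
        OK = (($have -ne $null) -and ($have -eq $Want))
    }
}

$results = @()
# ClearPageFileAtShutdown is a DWORD value inside the Memory Management key.
$results += Test-RegValue 'Clear pagefile at shutdown' `
    "$cs\Control\Session Manager\Memory Management" 'ClearPageFileAtShutdown' 1
# The two "Remote options" on the System - Remote tab:
$results += Test-RegValue 'Remote Desktop off' "$cs\Control\Terminal Server" 'fDenyTSConnections' 1
$results += Test-RegValue 'Remote Assistance off' "$cs\Control\Terminal Server" 'fAllowToGetHelp' 0

# NetBIOS over TCP/IP is stored per adapter; NetbiosOptions = 2 means disabled.
# This lists every adapter, not only the Internet connection.
$nics = @(Get-ChildItem "$cs\Services\NetBT\Parameters\Interfaces" -ErrorAction SilentlyContinue)
foreach ($nic in $nics) {
    $results += Test-RegValue "NetBIOS off: $($nic.PSChildName)" $nic.PSPath 'NetbiosOptions' 2
}

$results | Select-Object Item, Value, Found, Wanted, OK | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.OK })
'{0} of {1} checks need attention' -f $failed.Count, $results.Count
```

A row with OK = False only means the value differs from what the checklist suggests; an adapter that still needs NetBIOS on a local network will show up here too.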


Comments or Suggestions: web@DELETE_THISmccune.cc

Please notice that part of the above address needs to be removed.