XP Security, Performance, and Initial Impressions.

XP Security, Performance, and Initial Impressions

Who's on First?

My initial impressions of XP are quite positive. So much so in fact, that while I had originally planned to load most of my apps in the very familiar Win 98 SE environment on this multi-boot box, I now have a hard time, finding a reason to go play there.

I've also found, reason after reason, to put off the RedHat install. I think that M$ has succeeded in what I had guessed was their marketing plan. It was time to release a real operating system that was also user friendly, and that could take advantage of the current technology, most folks were adding to their boxes.

It makes sense to me to have the OS support nice 3D graphics and animations that can be noticed on a regular basis, not just during 'game time'. Purists needn't worry; Classic theme sets are loaded as well. While a robust current CPU and MoBo combo can power all the options, it appears that some thoughtful tuning could make this OS go, on a slightly more mature rig as well.

The point of this article is to shed some light on a few of the rumors floating around and to make some recommendations for safe computing, that I feel are necessary. In fact at this point, that is my only criticism. It is potentially easy for a person switching to XP, to get themselves in a world of hurt, and never even know it happened. This last statement probably sounds like some of those rumors you've heard, and that I alluded to.

In post #4 here, Mike mentions the issue of Raw Sockets and links to an informative article for background info on the subject. Mr. Steve Gibson has also gained some publicity in this regard.

Weed through the tall grass at your convenience. The real problem is simple. MicroSoft has left the user status confusing at best, in this OS. It will take someone paying close attention to avoid operating as an Administrator with full privileges and services running, that some of us would see as a needless security risk.

By comparison, a new user to Linux quickly learns the importance of 'root' privileges, the necessity to switch to 'superuser' to access them, and the importance of normally operating at the 'user' level.

The same safe practices are called for in XP. That's understandable, since in both cases we have service support Operating systems with Sockets; both are powerful, real, highly configurable Operating Systems. But by default, you'll have to apply a bit of effort to get there in XP.

The confusion starts during the Install. You are prompted to submit a Password for Administrator. I believe you can actually bypass this step and complete the install as well. You will also be asked to create 'User' accounts. I made 5. So, I assumed, just as dangerous as ever, that I would be looking at a config with 1 Admin account and 5 User accounts.

Wrong.

Shortly after the install, I realized I had 6 Admin accounts. The 5 showing on the initial login screen and one hidden in the bowels of the OS. At this point, I'm still not sure if the Administrator account has privileges superior to the 'Computer Administrators', but I am sure that the 5 admin accounts had more privileges than I would want those accounts to be running around with.

Fixing this is no big deal. Hit Start > Control Panel > User Accounts and make the changes. Well actually, I better give a bit more detail. At this point you'll notice that all your accounts are listed as 'Computer Administrator' and you can change them to 'Limited accounts'. You'll also notice that the accounts available to modify, are only those that you created as Users, during the install. Those are the same ones listed on the login screen, and the original password protected 'Administrator' account is nowhere in sight.

You really do need a scorecard. 'Administrator'='AWOL', 'User account'='Computer Administrator', and get this: 'Limited account'='User'.

To verify this last little bit of info we need to dig a little deeper in the shortcuts. But don't worry another surprise or two is in store.

First go ahead and get those accounts that are sitting on the login screen set to User, I mean Limited. Well actually I mean both, but not the same User as you saw during the install, that's the current 'Computer Administrator', or rather everyone is a 'Computer Administrator' by default.

The real shame in all of this is that, many of Microsoft's target market, have never seen Abbott and Costello, pull off this routine with impeccable timing.

But before we finish on the User Account menu in Control panel, another surprise awaits. One of these User accounts must be assigned as 'Computer Administrator'. Huh?

So that means, each of these machines may in fact have one un-password protected log-in visible, with some measure of Administrative privileges, at all times.

Okay, Okay. If you're new to NT kernels, I'll tell you where the original password protected Administrator login is. Do the three-fingered solute, twice, at the login screen that shows the User Accounts formerly known as Computer Administrators. No it won't re-boot. That's 98.

Let's see, where were we. Oh yeah, we need to verify that 'Limited account' is 'User'.

Login as one, of what for now, I assume will be two, of your 'Computer Administrator' accounts and hit 'Control Panel' > 'Performance and Maintenance' > 'Administrative Tools' > 'Computer Management' and find 'Groups' under the 'Local Users and Groups' branch of the System Tools tree.

The right hand pane will reveal a few more groups are present on this sys than the 2 we have seen so far. If you look at the entries under the 'Users' group you will see that that's where the 'Limited accounts' are listed.

Take a look at the 'Power Users' Group. Many of you may find that to be a nice account level to work in. Figures it wasn't shown as an option, on the User Account screen, we had to mess with a little while ago.

The idea is, that during your normal day-to-day activities you'll not want to be logged in as an Administrator. So make sure you have a 'Power User' or 'Limited User' account for yourself as well.

Yes, I glossed over how to establish a 'Power User' account. While that is getting past the scope of this article, you'll find many features and have many questions, as you get to know this OS. From the Start button you'll see a 'Search' feature. There is a 'Help and Support' search on that GUI. When you find a tidbit in the sys, punch it in the 'Search' as a keyword. Quite a bit of info is on-board.

So with our account levels set to more conservative settings, we can make a couple of Security and Performance tweaks and then you can set about exploring a lot of neat features, just below the pretty surface.

Closing a couple of Holes

We'll get right to the heart of the matter, and take a look at the services installed and there availability.

If you're coming from a DOS through Win9X environment, you may have known that a number of processes were running, but controlling them required jumping through hoops. With a real OS, being able to configure what you want and need is a standard part of the deal.

Naturally, some decisions are initially made for you, and in M$ fashion many things are turned on that we may not want or need. Lean and mean will lead to better performance and security.

The right hand pane now shows you in alphabetical order, the services available and their status. For right now we will adjust only four of them.

Scroll down to NetMeeting Remote Desktop Sharing. Unless you know for a fact that this is a function you want available at all times, highlight it, a description that should send chills down your spine appears to the left of the services list, now double-click the entry, and 'disable' this service.

Here are three more that I'd advise disabling:

Remote Desktop Session Manager
Remote Registry Service
Web Client

If you feel you really need them, do as you wish. Remember, nothing has been uninstalled; they have been disabled, and can easily be reinstated at any time.

In fact, as you grow with your sys, you'll find yourself doing just that. That's what an Admin does, and now you is it.

Black Viper has been kind enough to share his opinions on setting up system configurations, and his site also has a number of tweaks and tips as well.

I'll link to his Services Configuration page, and you can browse his place from there:

www.blkviper.com/WinXP/servicecfg.htm

Easily Save Some Resources

Now let's look at a couple of settings that we can adjust from the System tab.

Find that at: Control Panel > Performance and Maintenance > System.

Choose the 'Remote' tab. The first check box is probably empty and the 'Advanced' button is grayed out. Makes sense, we just killed the service that makes it available. Be sure the lower check box is also empty.

Now choose the 'Automatic Update' tab, since I don't want machines phoning anywhere, and downloading anything, without my help, my recommendation is to check "Turn Off Automatic Updates.

Now choose the 'System Restore' tab. I know many will find this an attractive feature, please keep in mind, that it is a Resource Hog, and will consume disk space if not kept in check.

If you manually image your drives, and use various back-up methods to protect your data and configuration, you may want to disable this function for the performance gain.

That's it for our little tweaking tour, at this point, you'll have an idea of how to move around in the sys, and have the piece of mind that fewer 'gotcha's' will bother you, while you get to know XP.

If you're ready for a break, here's a couple of links to grab some toys from:

I think you're gonna like this thing.