\[Editor's Note: Share your security discoveries, comments, problems, solutions, and experiences with products. Email your contributions (500 words or less) to [email protected] We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.\]
Keeping systems secure is a major concern for systems administrators. One of the biggest security risks is the Internet. Following are recommendations for configuring Windows XP Service Pack 1 (SP1) for secure Internet access.
- Disable the file association Web service. XP SP1 first checks for file association information locally. If no local information is available about a filename's extension and associated file type, XP SP1 offers the user the option of looking for more information on a Microsoft Web site. To disable the file association Web service, start regedit and go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system registry subkey. From the Edit menu, select New, DWORD Value. Enter the name NoInternetOpenWith. Then, select the NoInternetOpenWith entry and select Modify from the Edit menu. Ensure that Hexadecimal is selected, and enter 1 for the Value data. Close the registry editor.
- Prevent the flow of information to and from the Internet through Event Viewer. Users can access event logs for their computers through the Control Panel Administrative Tools applet's Event Viewer. To obtain detailed information about an event, users can double-click the event or select the event and select Properties from the Action menu. The Event Properties dialog box provides a description of the event; this description might contain one or more links that users can click for additional information. Links are typically to Microsoft servers or to servers that belong to the software vendor for the component that generated the event. When a user clicks a link, the parameters in the original URL are replaced by a standard list of parameters whose contents are detailed in a confirmation dialog box. The user must click Yes to agree to have this information sent over the Internet to the Web site named in the link. IT administrators might want to prevent users and administrators from sending this information over the Internet and accessing Web sites. In XP SP1, a registry subkey controls this option. Start regedit and go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer registry subkey. Select the MicrosoftRedirectionProgramCommandLineParameters entry, and select Modify from the Edit menu. Delete the final %s from the entry's Value data. Close the registry editor. After you make this change, a user who clicks a link in the Event Properties dialog box and selects Yes in the confirmation dialog box will still start Help but won't be able to access the Internet for information about the event.
- Disable the Help and Support Center's headlines and online searching. The headlines feature provides a source of dynamic content that some users visit frequently. To disable headlines, start regedit and go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\HelpSvc registry subkey. From the Edit menu, select New, DWORD Value. Enter Headlines as the name for the new entry. Close the registry editor. Online searching lets users query Web sites automatically when performing a search. By default, the Microsoft Knowledge Base is one of the online search Web sites. To disable online searching, select Help and Support from the Start menu. Click Set search options (below the Search box), and clear the Microsoft Knowledge Base check box, as well as any selected check boxes below it. Close the Help and Support Center window.
- Remove Internet games. XP Professional Edition SP1 includes five new Internet games as part of the installation package. These Internet games open a connection to the MSN Gaming Zone by default. To remove XP's Internet games, open the Control Panel Add or Remove Programs applet. Select Add/Remove Windows Components. From the Windows Components Wizard, select Accessories and Utilities and click Details. In the Accessories and Utilities dialog box, select Games and click Details. In the Games dialog box, clear the Internet Games check box. Click OK to close the Games dialog box, click OK to close the Accessories and Utilities dialog box, and click Next in the Windows Components Wizard to initiate the setup.
- Disable Internet printing. Internet printing lets client computers running XP Pro SP1 use HTTP to send print jobs to printers anywhere in the world. To delete the Internet print provider registry subkey, first select Services from the Control Panel's Administrative Tools applet. Stop the Print Spooler service. Then, start regedit, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\Internet Print Provider registry subkey, and delete it. Finally, restart the Print Spooler service.
- Disable Remote Assistance. XP SP1's Remote Assistance lets users connect remotely to a computer within the intranet or outside the network. To disable Remote Assistance, start the Control Panel System applet, click the Remote tab, and clear the Allow Remote Assistance invitations to be sent from this computer check box.
- Disable the Search Companion Web service. When you use Search Companion to search the Internet, the service collects the following information: the text of your Internet search query, grammatical information about the query, the list of tasks the Search Companion Web service recommends, and any tasks you select from the recommendation list. Windows doesn't collect query information when you use Classic Search. To disable the Search Companion Web service, select Start, Search, Change preferences, Change Internet search behavior, With classic Internet search, OK.
- Disable error reporting to the Internet. This change prevents the automatic flow of information to and from the Internet when users report errors. To disable error reporting, start the System applet. Click the Advanced tab and select Error Reporting. Select the Disable error reporting option, and ensure that the But notify me when critical errors occur check box is cleared. Click OK.
- Configure Windows Media Player (WMP) 9 to limit the flow of information to and from the Internet. From WMP 9's UI, select Tools, Options. Click the Player tab and clear the Start Player in Media Guide check box. Clear the Download Codecs Automatically check box. Click the Copy Music tab and clear the Copy Protect Music check box. Disable WMP's update feature. To do so, start regedit and go to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft registry subkey. From the Edit menu, select New, Key; type the name WindowsMediaPlayer and press Enter. Then, select the WindowsMediaPlayer entry and select New, DWORD Value from the Edit menu. Enter the name DisableAutoUpdate and press Enter. Finally, double-click DisableAutoUpdate and enter a data value of 1.