Securing XP PCs after Microsoft drops supportBy Susan Bradley
All good things must come to an end; in less than four months, Microsoft will officially end support for Windows XP.
Here are the steps I’ll take to ensure that my remaining XP machines are as secure as they can be.
(Note: Many of the following tips can be applied to newer versions of Windows, too.)
What does “end of support” mean? After April 8, 2014, Microsoft will — among other things — no longer release security updates for its 12-year-old operating system. Third-party hardware and software vendors might also take a cue from Redmond and drop development of XP-compatible drivers, add-ons, and utilities on their new products.
With that in mind, all XP users should start by asking themselves: “Do I really need to stick with an OS that will become increasingly unsecure?” It’s akin to driving an older car that’s not equipped with airbags. Sure, it’ll get the job done, but at what potential risk?
For business computing, moving off XP might not be an option. Some line-of-business apps will run only on Windows XP. The same can be true of some consumer products. For example, I have software that lets me customize my Pronto TV remote. But the app will run only on XP. So I keep XP on a virtual machine that’s running under Windows 7.
But those are rare exceptions. By and large, there’s no compelling reason to stick with XP — and, as noted above, there are important reasons not to.
All that said, if you must keep an XP system up and running after April 8, a few changes can help keep the system relatively secure. And those changes start with Internet Explorer.
Browsers have historically been a leading gateway for PC infections, and Microsoft’s Internet Explorer had one of the worst reputations. The latest versions of IE — 10 and 11 — are much more secure than their predecessors, but neither runs on XP. IE 8 was the last version of an MS browser to run on XP. So one of the first steps for hardening an XP system? Don’t use IE as your default browser. (You will, however, need to keep it installed and updated.)
Switch to Google Chrome or Mozilla Firefox as your primary connection to the Internet. And if you use Firefox, add in NoScript to block malicious scripts. Another reason to switch: Google Apps doesn’t support IE 8, but the online service will run in XP-compatible Chrome and Firefox.
Keeping your antivirus software up to date is always important, but even more so with Windows XP. My preferred AV setup is a combination of Microsoft Security Essentials (site) and Malwarebytes’ Anti-Malware (site), which plays nicely with other full-time virus scanners. (As a rule, you don’t want to run two full-time scanners at the same time.)
Truth be told, I’m skeptical of reports claiming that one antivirus product is better than another. All AV apps must react to rapid changes in malware delivery. And I often find suspicious files on systems that have top-rated antivirus products installed. Combining compatible AV scanners is the best way to keep malicious software off a system.
To complete your anti-malware routine on your XP system, regularly scan XP with a bootable AV product such as the Kaspersky Rescue Disk (site). That’ll ensure your PC is free of hard-to-find rootkits.
At some point, antivirus vendors will stop supporting Windows XP. When that happens, browsing the Internet will no longer be safe, no matter what browser you use. Here’s how to move to a secure browser and email client outside XP.
You might have a key application that must run on Windows XP (I can relate), but it certainly isn’t email or Web browsing. If you’re unwilling or unable to migrate to a newer version of Windows, I suggest you treat yourself this holiday season to a new device that’s ideal for email and browsing — and relatively safe from malware. (Most of these digital devices don’t run on Windows.) Consider, for example, purchasing a Kindle Fire, Apple iPad, Android-based tablet (more info), Google Chromebook, or even a laptop running Ubuntu Linux (Amazon info).
You might also consider a Windows RT device. But keep in mind that Windows RT is not Windows. (See the Oct. 25, 2012, Top Story, “Win8 vs. Windows RT: What to know before you buy.”) Windows RT will look familiar, but it doesn’t run legacy Windows apps. If you want full Windows on a highly mobile device, see the Nov. 14 Best Hardware story, “MS Surface Pro 2 — the only PC you need?”
The non-Microsoft devices have their own limitations. For example, a Chromebook works nicely for heavy Google Apps and/or Gmail use, but it can’t directly access your shared Windows files; it can access only Web-based content (such as Google Apps).
The Kindle Fire is an inexpensive device from Amazon. The less-expensive models are subsidized by advertising, but I don’t find it all that annoying. With the right applications, you can access shared files on your network and complete most computing needs. (The same is true for iPads and Android tablets.)
Going Ubuntu could be the most mind-boggling option. Although its graphics-based interface is relatively intuitive, it doesn’t completely hide its Linux foundations. So your learning curve will be a bit more intimidating than with the other devices from Google, Amazon, Apple, and Microsoft.
Bottom line: Keep XP only for those tasks than won’t run on a more modern platform.
Disable Web browsing: After support ends next April, consider reconfiguring Windows XP to block its access to the Internet. (Remember: You’ll no longer need IE or Windows Update for system updates from Microsoft.) To do so, open IE, go to Tools/Internet Options, and then click on Connections. Click the LAN settings button (see Figure 1) and then check the “Use a proxy server …” box (see Figure 2). Next, enter 127.0.0.1 into the Address box. Finally, check the “Bypass proxy server for local addresses” box.
These changes will keep Windows XP off the Web but still able to talk to other local computers — and the system will still function normally for local computing. But after the April deadline, the system will be fair game to any new vulnerability that hackers might exploit.
Watch where you click and what you do on the Web: We’re all familiar with the adage, “You get what you pay for.” Online, you might get more than you wanted (mostly unwanted) for free. Be especially careful with Web searches from your XP system. As noted in a DataProtectionCenter.com story, clicking search links for “free software” or recent news topics is likely to take you to a site containing malware or unwanted services.
Be especially judicious about clicking links in ads that are included with Bing and Google search results. For example, the search results for “microsoft support” will likely include paid ads from companies suggesting they provide Microsoft support but that are actually not Microsoft.
Review your backup strategy: As the recent CryptoLocker attacks showcase, keeping current backups is an invaluable tool for recovering from malware attacks. (CryptoLocker is especially pernicious because it encrypts your data and holds it for ransom.) When there are no new security updates for XP, maintaining full system backs will be particularly important. Remember: If your XP system fails, you can’t just buy a new system with XP installed. But with a full image backup, you can install it on a virtual machine running on a new Win7 or (more likely) Win8 system.
There’s insufficient space in this story to go into the legalities of moving XP onto another physical or virtual PC. In short, retail copies of Windows XP give you the most flexibility. You’re allowed to move them to another machine and reactivate the operating system. OEM versions, on the other hand, are tied to the specific hardware they came on.
For a backup system, I’m still a fan of Windows Home Server, though — sadly — it, too, has been put out to pasture. My second choice is Acronis True Image (site). The 2014 edition still supports XP, and it makes full images that you can reinstall on a new hard drive. It also gives you cloud backups, synched-file copies, and other powerful backup options.
Firewalls and Web filtering: The primary task of home and small-business routers is to route traffic over a network. They also typically include wireless networking and hardware-based firewall protection. If you’re running an old router, upgrading to a new model will provide better protection for your XP system — and all other devices on your network. In any case, check that the router’s firewall is on and properly configured. For more on software firewalls, hardware firewalls, and XP, see the April 3 LangaList Plus story, “Are both PC and router firewalls necessary?”
(Many new routers offer additional features such as remote access to your local data and media streaming, which lets devices on the net share music, video, and such. A recent CNET story compares some of these new, enhanced models. Just don’t be embarrassed if you need to ask some 10-year-old kid to help you set it up.)
Web filtering can also add another level of protection from malware. For example, OpenDNS (more info), a service that’s been around for years, can block browsing to suspect sites. It’s free and works well for home networks.
Adding the OpenDNS settings to your router extends Web filtering to all devices on the local net. The process is relatively simple: open the router’s admin menu system and enter 184.108.40.206 and 220.127.116.11 (these are OpenDNS’s IP addresses) into the router’s DNS section. Save the changes, and you’re done. The next time you go to a site on the Web, your request will go through the OpenDNS servers, not your ISP’s DNS servers. Some ISPs such as Comcast already provide OpenDNS as an option. If you pay a small subscription fee, OpenDNS lets you customize what’s filtered and blocked.
Check your media: Optical disks don’t last forever, and it seems as if they’re always getting misplaced. Take some time now to ensure you have your original XP installation disc and make an ISO image of it. You can burn a copy using products such as MagicISO, Passcape ISO Burner, and ISO Recorder. Store the ISO on a flash drive or other removable media.
Next, download a copy of XP SP3 from the Microsoft site and save it for a rainy day. And finally, check that you have your Windows XP product key written down in a safe place. (On OEM systems, look on the side or back of the case for a tiny sticker that’s by now almost unreadable. (Again, Windows XP machines can still be reactivated after April 2014.) If you’ve lost your product key, you’ll have to rely on a full image backup.
Keep third-party apps up to date: After Microsoft ends support for XP, some third-party software vendors will continue XP support for their products. If you haven’t done so already, install Secunia’s Personal Software Inspector (site). It still supports XP SP3 and will help ensure you have the most currently available version of installed software.
Also, check for any hardware-related updates such as system firmware, video drivers, and so forth. If you have an OEM system, start with the vendor’s website. The better PC manufacturers offer automated scanning tools that will find your system’s serial number and use it to ensure you have up-to-date drivers.
Hardware upgrades can extend the life of older systems. For example, install a solid-state drive (SSD). On older machines, the trick is finding the right type of drive connector. Most SSD drives use SATA, not the older IDE. But with a bit of searching, I found an IDE SSD for an aging laptop.
Make a backup image of your existing drive and install the image on the new SSD — that could give a sluggish XP system renewed vigor. (This also works nicely on older Windows 7 machines.) If the system is running out of space and a new SSD drive won’t fly, consider upgrading to a larger traditional drive, one last time. (I find upgrading to a larger hard drive easier and safer than attempting to clean out old system files.)
Over the years, applications haven’t gotten any smaller or more efficient. Upgrading RAM is another relatively inexpensive and painless improvement for XP systems. Crucial’s website has a tool that scans a PC’s memory and hard drive, then suggests upgrades.
(While you’re at it, check whether your XP system has an svchost overrun, as reported in the Dec. 12 Patch Watch column [paid content]. Some XP users have solved the problem by manually installing the latest IE security updates.)
At this stage in XP’s life, I don’t recommend video upgrades because it’s hard to find cards compatible with older bus slots. On the other hand, feel free to buy a larger monitor — it’ll be one less item to purchase when you eventually move to a newer PC.
As I said at the top, all good things must come to an end. Those of us who grew comfortable with Windows 98 were reluctant to move to Windows XP. Many XP users were — or still are — reluctant to upgrade to Windows 7 (Vista users: not so much). Windows 7 has quickly become the workhorse operating system for many PC users, who see no compelling reason to move over to Windows 8. (You can still purchase a new Win7 system, but probably for not much longer.) The simple rule: When Microsoft ends support for a product, it’s probably past time to give it up. And that’s where we stand today with XP.
Finally, the holiday season is a time for giving. If you’re the family geek, pass along these tips to those who have older Windows systems. Better yet, grab an eggnog and review their XP options with them. It might be the best gift they get this year!