Windows Security Tips:

The five most infamous Windows default settings
Jonathan Hassell, Contributor 01.31.2006




With Service Pack 2, Microsoft tightened most of the default settings in Windows XP so that out of the box, you're not left insecure. But that doesn't mean there's not more tweaking to do. Check out the following five most infamous default settings and see if they apply to your Windows XP deployment.
Note: This article assumes that you're running Windows XP Service Pack 2. If you're not running that, please upgrade as soon as possible.
- Simple file sharing is enabled. If you aren't a member of a Windows domain, requests for access to shared files are aggregated into the Guest account's security context. You're then opening up your files to almost anyone -- particularly if you're not running a firewall on your always-on Internet connection (if you're not, stop reading this now and go install one). To disable simple file sharing, click Start > My Computer > Tools > Folder Options. Select the View tab, go to Advanced Settings, clear the Use Simple File Sharing box and click Apply.
- The Automatic Updates feature is disabled. Some administrators say that you should test software updates before installing them, because they may be unstable or conflict with other software. There is some truth and wisdom to that. For the vast majority of home users, home office machines and small and medium business deployments, though, the risk of operating unpatched during a massive security breach is too great, compared with the typically small compatibility problems, to justify testing updates before installing them. To turn Automatic Updates on, right-click on My Computer, select Properties and click the Automatic Updates tab to enable it.
- Using the FAT32 file system versus the NTFS file system. The FAT32 file system is inherently insecure in that it offers no granular permission structure. With NTFS, you can define individual users and groups and control their access to files and folders. With FAT32, you're limited to share-level security when resources are accessed over a network, and there is no control at all over access to files and folders from the local console. That's a big hole. If you're anyone but a home user, or if your machine sees more than one user, switch to the NTFS file system now. Run convert /? from a command line for more information.
- Default volume shares are enabled. All Windows systems have shares enabled where you can use the drive letter followed by the $ sign to access the root folder of a particular volume. For example, \\LAPTOP\C$ would access the root of the C: drive on the machine named LAPTOP. All crackers know these shares exist, and it's a prime way to get nasty bits installed on your machine. Remove them. Go to Control Panel, Administrative Tools, Computer Management, and click on the Shared Folders item in the left pane. Then, right-click on the default shares and click Delete.
- No antivirus software installed. This one should go without saying, but a lot of users are under the delusion that they're sophisticated enough to spot problem e-mail messages and attachments on their own. The difficulty with this belief is that when someone you know and trust, and with whom you regularly communicate through e-mail, becomes infected, a chink develops in your mental armor.
Fortunately, with today's powerful computers, you can have a program standing over your shoulder, intercepting malware before you inadvertently execute it. It is inexpensive in terms of resources and well worth the cost.
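A read-only check of the five settings above, as an added example that is not part of the original article. It assumes Windows PowerShell has been installed (it is not part of a default Windows XP SP2 install) and that it runs as an administrator; the helper name Get-RegValue is hypothetical.

```powershell
# Added example: reports on the five defaults, changes nothing.
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$findings = @()

# 1. Simple file sharing: ForceGuest = 1 maps every network logon to Guest.
if ((Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'forceguest') -eq 1) {
    $findings += 'Simple file sharing is enabled (ForceGuest = 1)'
}

# 2. Automatic Updates: AUOptions 1 = turned off, 2-4 = notify/download/install.
$au = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions'
if ($null -eq $au -or $au -eq 1) {
    $findings += 'Automatic Updates is turned off or was never configured'
}

# 3. File system: fixed disks (DriveType 3) that are not NTFS.
$findings += @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' |
    Where-Object { $_.FileSystem -ne 'NTFS' } |
    ForEach-Object { "Volume $($_.DeviceID) uses $($_.FileSystem), not NTFS" })

# 4. Default volume shares: names made of a drive letter followed by $.
$findings += @(Get-WmiObject Win32_Share |
    Where-Object { $_.Name -match '^[A-Za-z]\$$' } |
    ForEach-Object { "Default volume share $($_.Name) -> $($_.Path)" })
# Windows recreates deleted default shares when the Server service starts
# unless AutoShareWks is set to 0.
$auto = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'AutoShareWks'
if ($auto -ne 0) {
    $findings += 'AutoShareWks is not 0: deleted default shares return after a restart'
}

# 5. Antivirus: products registered with the XP SP2 Security Center.
$av = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $av) { $findings += 'No antivirus product is registered with Security Center' }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Where Automatic Updates is set through Group Policy, the effective value lives under the Policies branch of the registry rather than the key read here, so check both on managed machines.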
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.