10 Ways to Keep Windows XP Machines Secure

Now that Microsoft no longer supports Windows XP, the only way to keep the operating system patched against newly discovered security vulnerabilities is to pay Microsoft for Extended Support. If that’s not an option for your organization, then it’s only a matter of time before many of your computers running the aging operating system are compromised.

That said, you can reduce the vulnerability of machines still running Windows XP. These 10 tips will help.

1. Don’t Use Internet Explorer

Internet Explorer is the source of many vulnerabilities. As recently as the end of April, a new IE zero-day vulnerability was discovered. This flaw lets attackers take control of Windows computers, putting millions of Windows users at risk until it is patched.

“The more potentially severe issue is that anyone still using XP will be completely exposed as long as they continue to use the unsupported OS,” says Pedro Bustamante, a security expert at anti-malware vendor Malwarebytes. “For them, there will never be a patch.”

Instead of IE, use a browser such as Google Chrome or Mozilla Firefox that still receives security patches.

2. If You Must Use IE, Mitigate Risks

One key reason many organizations still run Windows XP is to run old versions of Internet Explorer to access internal applications that are incompatible with other browsers or more modern versions of Explorer.

You can reduce the risk by removing third-party browser plug-ins such as Java, Flash and PDF viewers, since Internet Explorer vulnerabilities often come from these types of plug-ins.

3. Virtualize Windows XP

If the need to run an old version of Internet Explorer is the only reason for staying on Windows XP, consider upgrading to Windows 7 and then running the old version of Explorer in XP Mode. This is a Windows XP virtual machine that runs inside Windows 7 and allows you to launch XP Mode applications (such as old versions of Explorer) from the Windows 7 desktop.

The advantage of this approach is that XP is used only when absolutely necessary (to access legacy applications, for example). The rest of the time the user is working in the more secure Windows 7 environment.

XP Mode is a free download for Windows 7 Professional, Enterprise or Ultimate editions.

4. Use Microsoft’s Enhanced Mitigation Experience Toolkit

EMET is a free Microsoft tool that lets you force applications to use some of the security mitigations present in later versions of Windows, effectively “backporting” them to XP.

One such technique is Structured Exception Handler Overwrite Protection (SEHOP), which was introduced in Windows Vista to help prevent buffer overflow exploits. EMET lets you extend this protection to XP machines.

You can download EMET 4.1 from the Microsoft Security TechCenter.

5. Don’t Use Administrator Accounts

Many of the vulnerabilities that affect Windows XP — 92 percent of all critical vulnerabilities in Microsoft’s 2014 security bulletins, according to a 2013 Microsoft Vulnerabilities Study carried out by Avecto — can be exploited successfully only if the user is logged onto an account with administrative rights.

Making users log in to standard, nonadministrator accounts makes it possible to mitigate the overwhelming majority of the risks of running Windows XP at a single stroke. In larger organizations, privilege management software can be used to control user accounts and elevate privileges when necessary.

6. Turn Off ‘Autorun’ Functionality

A common way to infect computers with malware is to automatically run executable software that’s present on a USB drive when it’s inserted.

It’s possible to disable all Autorun features in Windows XP Professional by configuring Group Policy settings — but an easier way is simply to download and run Microsoft Fix it 50471. (Autorun can be re-enabled if necessary by running Microsoft Fix it 50475.)

7. Turn Up Data Execution Prevention

Data Execution Prevention (DEP) is designed to prevent the execution of code in parts of the computer’s memory that are intended to hold data rather than program code. Malicious code may be placed in these parts of memory during a buffer overflow attack, and an attempt may subsequently be made to execute it from that location.

To get the maximum protection from DEP, ensure that it’s turned on for all applications. (If a particular application becomes unstable with DEP turned on, you can selectively disable DEP for that application.)

To set DEP for maximum protection follow these steps:

  1. Click Start, click Run, type sysdm.cpl and then click OK.
  2. Click the Advanced tab. Under Performance, click Settings.
  3. In the Performance Options dialog box, click the Data Execution Prevention tab.
  4. Select Turn on DEP for all programs and services except those I select.

8. Don’t Use Office 2003 (or Office XP)

Support for Microsoft Office 2003 and earlier has been discontinued along with support for the Windows XP operating system. To minimize the chances of a Windows XP machine being compromised through Office, you should upgrade to a later version of Office or use an alternative product such as the open source LibreOffice.

It’s also important to ensure that any other software running on a Windows XP machine is up to date with the latest security patches and to discontinue the use of any software (such as Outlook Express) that’s no longer supported if an alternative exists.

9. Make the Most of Available Windows XP Security Software

Windows XP may not be updated anymore, but it does have some defenses. These include the built-in firewall (which should be turned on) and plenty of antivirus options.

Microsoft’s free Security Essentials antivirus product will continue to receive updates until July 14, 2015. Other well-known vendors such as McAfee have pledged support for at least two years; some, such as ESET, have promised support for at least three.
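The following read-only audit script is an added example, not something from the article or from Microsoft: run from a cmd prompt on a Windows XP machine, it reports whether tips 5 (no administrator rights), 6 (Autorun off), 7 (DEP for all programs) and 9 (firewall on) are in place. It assumes the standard XP tools reg.exe, netsh.exe and findstr.exe are present and that boot.ini lives in the root of the system drive.

```batch
@echo off
rem Added audit script (not from the article): reports, without changing anything,
rem whether this XP machine follows tips 5, 6, 7 and 9.
setlocal

echo [Tip 5] Administrator rights
rem Lists members of the local Administrators group and looks for the logged-on user.
rem Caveat: membership inherited through a domain group is not detected this way.
net localgroup Administrators | findstr /i /c:"%USERNAME%" >nul
if errorlevel 1 (echo   OK: %USERNAME% is not a direct member of Administrators) else (echo   WARN: %USERNAME% is a local administrator)

echo [Tip 6] Autorun policy
rem 0xff in NoDriveTypeAutoRun disables Autorun for every drive type, which is what the
rem Group Policy route sets. Only the machine-wide HKLM policy value is checked here.
set AUTORUN=
for /f "tokens=1-3" %%a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun 2^>nul') do (
    if /i "%%a"=="NoDriveTypeAutoRun" set AUTORUN=%%c
)
if /i "%AUTORUN%"=="0xff" (echo   OK: Autorun disabled for all drive types) else (echo   WARN: NoDriveTypeAutoRun is "%AUTORUN%", expected 0xff)

echo [Tip 7] Data Execution Prevention
rem The "all programs and services except those I select" option writes /noexecute=OptOut
rem to boot.ini; AlwaysOn is stricter still, so both count as OK.
findstr /i "noexecute=optout noexecute=alwayson" %SystemDrive%\boot.ini >nul
if errorlevel 1 (echo   WARN: DEP is OptIn or off; check the /noexecute switch in boot.ini) else (echo   OK: DEP applies to all programs)
rem Programs excluded from DEP through the GUI get a DisableNXShowUI compatibility layer;
rem list them so each exception can be reviewed for whether it is still needed.
echo   Programs excluded from DEP (if any):
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" 2>nul | findstr /i "DisableNX"

echo [Tip 9] Windows Firewall
rem "netsh firewall" is the XP SP2/SP3 interface; "Operational mode = Enable" means it is on.
netsh firewall show state | findstr /i /c:"Operational mode" | findstr /i "Enable" >nul
if errorlevel 1 (echo   WARN: Windows Firewall appears to be disabled) else (echo   OK: Windows Firewall is enabled)

endlocal
```

Each check only reads a setting, so the script can be run repeatedly on every remaining XP machine to confirm the configuration has not drifted.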

10. Disconnect From the Network

Some legacy hardware such as scientific equipment may work only with Windows XP due to the lack of more up-to-date drivers.

If you only need Windows XP in order to use this type of hardware and acquire data from it, consider disconnecting the computer from your corporate network (and the Internet) if it’s possible to transfer the acquired data to other computers manually (by using a USB stick, for example).

At the very least, you should use network segmentation to isolate Windows XP machines from more sensitive parts of your network.

Paul Rubens is a technology journalist based in England.