Setting Up Mom's XP Computer
May 14, 2006 8:00 PM
I am a Mac Geek and will be setting up a Windows XP Pro computer for my computer novice mother, but I am concerned about XP security.
Her computer will be here next week and I will do a clean install to get rid of the junk Dell likes to install on new computers. After reinstalling, I intend to do the following:
a. Set Windows Updates to automatically download and install updates.
b. Rename the Administrated account and apply a long, secure, randomized password.
c. Create a regular user account for my mother to use.
d. Turn on XP's firewall.
e. Turn off all unneeded services (I understand XP has many).
f. Firefox will be her primary web browser.
g. A virus scanner will be installed.
Outside of these, can anyone recommend any further steps that will provide good security for a stand alone XP computer?
Her computer will be here next week and I will do a clean install to get rid of the junk Dell likes to install on new computers. After reinstalling, I intend to do the following:
a. Set Windows Updates to automatically download and install updates.
b. Rename the Administrated account and apply a long, secure, randomized password.
c. Create a regular user account for my mother to use.
d. Turn on XP's firewall.
e. Turn off all unneeded services (I understand XP has many).
f. Firefox will be her primary web browser.
g. A virus scanner will be installed.
Outside of these, can anyone recommend any further steps that will provide good security for a stand alone XP computer?
Considering you're a Mac Geek and she's a novice, it's too bad you couldn't get her a Mac. That's what all us Windows guys do for our Moms :)
posted by intermod at 8:12 PM on May 14, 2006
posted by intermod at 8:12 PM on May 14, 2006
Depending on how literate your mother ends up being, putting her on a regular user account will be restrictive. I know I did the same for my mother, only to frustrate myself whenever I try to install software for her and have to log into the administrator account.
posted by awesomebrad at 8:14 PM on May 14, 2006
posted by awesomebrad at 8:14 PM on May 14, 2006
Don't plug in the machine to the net until the firewall is installed.
posted by furtive at 8:23 PM on May 14, 2006
posted by furtive at 8:23 PM on May 14, 2006
Make sure Windows Messenger is disabled as part of your turning off unecessary services.
posted by spatula at 8:23 PM on May 14, 2006
posted by spatula at 8:23 PM on May 14, 2006
You can't rename the administrator account.
posted by Steven C. Den Beste at 8:31 PM on May 14, 2006
posted by Steven C. Den Beste at 8:31 PM on May 14, 2006
I've never had trouble renaming the Administrator account. Has something changed recently?
posted by majick at 9:21 PM on May 14, 2006
posted by majick at 9:21 PM on May 14, 2006
There were a handful of useful blog posts and articles getting linked around Thanksgiving and Christmas of last year, thanks to the "my parents are going to make me fix their computer" phenomenon: How to fix Mom and Dad's computer, Top 10 things to do to Mom's PC, Windows security for computer illiterates, How to fix Mom's computer.
posted by mendel at 9:46 PM on May 14, 2006
posted by mendel at 9:46 PM on May 14, 2006
Not security-specific, but -- be aware that the driver CDs that Dell ships are not always fool-proof -- I have had them auto-detect and tell me to install the drivers for two different Wi-Fi cards at once, for example.
Before you wipe the Dell crap off, I would take a second to write down make and model for all your important drivers. (right-click on My Computer -> Manage -> Device Manager)
posted by misterbrandt at 9:50 PM on May 14, 2006
Before you wipe the Dell crap off, I would take a second to write down make and model for all your important drivers. (right-click on My Computer -> Manage -> Device Manager)
posted by misterbrandt at 9:50 PM on May 14, 2006
You can't rename the administrator account.
If by "can't" you mean "can".
posted by delmoi at 10:32 PM on May 14, 2006
If by "can't" you mean "can".
posted by delmoi at 10:32 PM on May 14, 2006
It will take you much less time to just uninstall the Dell crap (which, IIRC, is just a "Dell Support" popup thingy, a My Way search bar, and a limited-time-subscription antivirus client) than it will to build a new XP installation with Dell drivers. Apart from that, what you're proposing looks sound.
Any new XP box sold these days will already have XP SP2 installed, so you don't have to worry about turning on the firewall - that (and Automatic Updates) will already be on. But you probably should uninstall whatever antivirus Dell ships with these days (McAfee?) and get her set up with AVG 7.1 Free. That way she won't be pestered with sales crap and reminders to update - it will Just Work.
There's no need to go in so hard against IE, either, for my money. Just using Set Program Access and Defaults to remove access to it should be plenty; and install the IE View extension into Firefox. There are still a few sites around that don't render right in FF. As long as she's not using IE for everything, she'll likely be fine.
Install Spybot Search & Destroy and enable its SDHelper component for protecting IE. Don't bother with the TeaTimer thing that locks down registry changes; it will be a nuisance for her more often than it will help her.
None of the unneeded services matter if the firewall is on, and disabling services often causes bizarre behaviour later. I'd leave everything on.
The limited account business is a very very good idea. But it means you'll have to install all the software she's likely to want for a while, and fiddle with it until it works (there's lots of software that needs Modify permission on its installation directory and/or HKLM\SOFTWARE registry key). To make setting permissions less of a pain if all you have is XP Home, use the "Security for folders and files" patch from here to allow the Security tabs to appear in normal mode as well as Safe mode.
posted by flabdablet at 10:53 PM on May 14, 2006
Any new XP box sold these days will already have XP SP2 installed, so you don't have to worry about turning on the firewall - that (and Automatic Updates) will already be on. But you probably should uninstall whatever antivirus Dell ships with these days (McAfee?) and get her set up with AVG 7.1 Free. That way she won't be pestered with sales crap and reminders to update - it will Just Work.
There's no need to go in so hard against IE, either, for my money. Just using Set Program Access and Defaults to remove access to it should be plenty; and install the IE View extension into Firefox. There are still a few sites around that don't render right in FF. As long as she's not using IE for everything, she'll likely be fine.
Install Spybot Search & Destroy and enable its SDHelper component for protecting IE. Don't bother with the TeaTimer thing that locks down registry changes; it will be a nuisance for her more often than it will help her.
None of the unneeded services matter if the firewall is on, and disabling services often causes bizarre behaviour later. I'd leave everything on.
The limited account business is a very very good idea. But it means you'll have to install all the software she's likely to want for a while, and fiddle with it until it works (there's lots of software that needs Modify permission on its installation directory and/or HKLM\SOFTWARE registry key). To make setting permissions less of a pain if all you have is XP Home, use the "Security for folders and files" patch from here to allow the Security tabs to appear in normal mode as well as Safe mode.
posted by flabdablet at 10:53 PM on May 14, 2006
A router with a built in firewall between the box and the net is a good idea. The firewall on the router is unlikely to get turned off somehow, but on the box itself it happens. Of course you also want to make sure the virus scanner is set to scan every incoming email and file etc. I am sure you knew this, but just in case...
XP security, especially as you plan to implement it, is pretty good. Unfortunately, XP has a huge bulls eye on it at which all the professional hackers and script kiddies are aiming. I doubt your mom will be visiting the sorts of sites that generally cause trouble and I trust you will tell her about being careful in opening emails and how to safely handle files sent to her in them. Follow these basic precautions and everything will be fine.
posted by caddis at 12:23 AM on May 15, 2006
XP security, especially as you plan to implement it, is pretty good. Unfortunately, XP has a huge bulls eye on it at which all the professional hackers and script kiddies are aiming. I doubt your mom will be visiting the sorts of sites that generally cause trouble and I trust you will tell her about being careful in opening emails and how to safely handle files sent to her in them. Follow these basic precautions and everything will be fine.
posted by caddis at 12:23 AM on May 15, 2006
Well... of course, when you say Linux everyone imagines programmer geeks typing archane commands into a shell, but have you looked at Ubuntu (screenshot, screenshot) lately? I actually think Gnome with all the Ubuntu stuff on top is easier to figure out for a computer newbie than XP, apart from being far more secure. If nothing else, consider burning her a copy of the Live CD, which she can boot from and play around with without affecting her hard drive XP install whenever XP is acting up (and it will.)
If you choose to stick with XP, you have a pretty sound plan for securing her computer. You should also consider partitioning the disk into two partitions: a main one and a data one. You tweak her profile so that My Documents, Desktop, Favorites, Outlook/Thunderbird mail folders, etc. are all on the D drive and you leave C drive to windows and program files. When it's time to reformat, you can just wipe C and keep D in tact. It's very useful. We set things up this way for all the professors in my faculty (I work in tech support at my university.)
posted by ori at 12:44 AM on May 15, 2006
If you choose to stick with XP, you have a pretty sound plan for securing her computer. You should also consider partitioning the disk into two partitions: a main one and a data one. You tweak her profile so that My Documents, Desktop, Favorites, Outlook/Thunderbird mail folders, etc. are all on the D drive and you leave C drive to windows and program files. When it's time to reformat, you can just wipe C and keep D in tact. It's very useful. We set things up this way for all the professors in my faculty (I work in tech support at my university.)
posted by ori at 12:44 AM on May 15, 2006
point the internet explorer shortcut to firefox/opera. seriously.
after rebranding a secure browser my family's computer hasnt had one problem, and they dont know the difference.
posted by a. at 2:28 AM on May 15, 2006
after rebranding a secure browser my family's computer hasnt had one problem, and they dont know the difference.
posted by a. at 2:28 AM on May 15, 2006
Thanks for all the good information MeFi. And I am aware that what I intent will mean I will need to be there for her to install software but since she lives ten minutes from me, that is okay.
posted by DuckFOO at 4:49 AM on May 15, 2006
posted by DuckFOO at 4:49 AM on May 15, 2006
Oh yeah, ori's comment reminded me -- once you have everything installed how you want it, make an image of the C drive and burn it to a DVD. A year from now you can wipe and re-image and it will take you a fraction of the time. (I've never actually done this as I am to lazy, but I always intend to)
posted by misterbrandt at 7:20 AM on May 15, 2006
posted by misterbrandt at 7:20 AM on May 15, 2006
I recommend installing TightVNC so that you can use Chicken of the VNC to connect to her machine remotely.
posted by Wild_Eep at 9:25 AM on May 15, 2006
posted by Wild_Eep at 9:25 AM on May 15, 2006
Uninstall Outlook. Configure Internet Explorer to not run ActiveX except from microsoft.com (so you can still use Internet Update.) Ditto everyone else about Firefox (I'd just delete the IE shortcut and its presence in the start menu rather than reroute them.) Turn off auto-run of software on CDs/DVDs. Install Startup Monitor. Configure automatic download and installation of updates.
If you want to be safer, but more restrictive, and guaranteeing more tech support visits, configure your mother's user account to not be able to install software.
posted by Zed_Lopez at 11:48 AM on May 15, 2006
If you want to be safer, but more restrictive, and guaranteeing more tech support visits, configure your mother's user account to not be able to install software.
posted by Zed_Lopez at 11:48 AM on May 15, 2006
Ori's second screenshot nicely reveals the off-by-one text rendering bug that drives me absolutely up the wall whenever I use OpenOffice Writer. But I'm sure it will go away eventually.
posted by flabdablet at 9:19 PM on May 15, 2006
posted by flabdablet at 9:19 PM on May 15, 2006
This thread is closed to new comments.
Take steps to prevent Outlook Express from launching.
Configure IE to use a dummy proxy, such as 127.0.0.1.
posted by majick at 8:10 PM on May 14, 2006