In the previous two parts of my series (Part 1 here and Part 2 here) I described why it’s still possible to find an obsolete OS like Windows XP in production environments. I explained why it’s a great idea to take a full backup of the computer’s hard disk, and suggested the basics of firewalling the device and how to venture online.
In this concluding part I’ll explain the ways in which you can harden XP to provide the best possible security.
We’ve succeeded in getting online using Firefox, enabling modern websites to render correctly. This will be essential for performing the next step, which is to update Windows’ underlying crypto libraries and SSL root certificates – this will allow us to update Windows to the most-current state (circa 2014 with a few more recent WannaCry related patches) and install antivirus and antimalware products.
The first step will be to install the following hotfix from Microsoft, enabling XP to accept certificates using SHA256 encryption:
Next up, because your relic has been offline and/or un-updated for a long period of time, it will be relying on SSL root certificates that have long since expired. Microsoft did release a handy hotfix in 2013 that updated the root certificates for a number of the “big boys” of SSL such as GlobalSign, Verisign, Thawte et al but it has since been pulled. Fortunately, we have a copy of it for download here.
If you don’t trust a hotfix that doesn’t come directly from Microsoft, you’ll have to download and install the root certificates manually, for the services you require. At minimum, you’ll need to do it for Symantec’s Class 3 SSL Root Certificates, because that’s what Microsoft use to encrypt their HTTPS content, including Windows Update:
With this done, and the computer rebooted, you can successfully update Windows:
Windows Update in progress…
Let the process complete, bearing in mind that it might take multiple reboots and Windows Update re-runs to get XP to the very latest level (still pretty venerable, but sheer madness to be behind!) Bear in mind that you’re making some fairly substantial under-the-hood modifications to the operating system, so it would make sense to test all applications following the update. If they exhibit problems or simply don’t work… bad luck – revert to the image backup you took and forget about taking this computer online, it’s simply too risky.
At this point I’d recommend installing up-to-date antivirus and antimalware. For Antivirus, the best product that still boasts XP compatibility is probably AVG Antivirus. It’s effective, cheap (£23.33 at the time of writing) and wont place too much of a demand on what is probably quite decrepit hardware! In terms of antimalware, a good balanced product for an older computer is Super Antispyware.
Whilst I’ve already spoken of installing a hardware firewall to keep the XP devices secure on the network (this is essential, and should be kept in place) you might wish to add a belt to these braces and add a software firewall that allows you to easily flag up undesirable access inbound or outbound. A good bet in this regard would be ZoneAlarm, costing just $39.95 per year for one PC.
With these measures taken, your relic will be fully hardened, and in good shape to remain secure into the future. That said, if there’s *any* possibility to upgrade your computer to a newer and still-supported operating system you should take that opportunity to do so. I hope that this has proved useful, be sure to check out our other technical blog posts in the future!