Windows 7 Security - 5 things you can do to secure XP Mode


XP Mode Setup
After a busy summer, I finally got around to spending some quality time with Windows 7 "XP Mode" beta on the RTM version of Windows 7.

Sophos CTO Richard Jacobs commented on Graham's blog about the lack of management for XP Mode included in the base operating system. Today I am going to cover security in XP Mode as a user, excluding my comments on management.

During setup, XP Mode prompts you for the password to apply to the XPMUser account that the Virtual PC instance will run under. It of course offers to store these credentials for you, and recommends doing so. It is very important that you do not use the same password here as you use for the administrator account or your own user account. If you carefully review the help, Microsoft warns: "Any application that runs on the host in the context of the user logged on to the host can access the credentials stored for Windows XP Mode."

If malware or spyware is running on your host, the stored credentials make it even more trivial than usual to compromise your system. Be sure to set a separate, secure password even if you let Virtual PC remember it for convenience.

As setup proceeds, Microsoft prompts you to enable automatic updating and reminds you of the importance of maintaining your Windows XP machine no differently than a real computer. I was pleased to see this, although there is no mention of installing a real firewall or anti-virus protection. The SP3 .vhd Microsoft provides is reasonably up to date, and was patched through Windows Update in a matter of minutes on my test workstation.

My computer reached the desktop around 5 minutes after beginning the install, quite impressive. The first thing to grab my attention was the Windows XP Security Center warning me to install anti-virus. Excellent. I immediately installed the latest Sophos Anti-Virus for Windows from our support page.

Performance was good, and some applications I have that would not play nicely with Windows 7 installed easily. On initial inspection it appears to be like any other virtual machine of Windows XP, but Microsoft has integrated some convenient functions to make XP Mode more seamless. Some of these, however, may have serious security implications.

[Screenshot: XP Mode settings]

As you can see in the screenshot above, XP Mode defaults to mapping all of your host OS drives to the guest. For the sake of convenience this is nice; however, I do not see why I shouldn't just use the integrated cut and paste to move things back and forth, and spare myself the risk of infections passing themselves back to Windows 7 from my Windows XP guest, which doesn't have nearly as strong a security posture.

In summary, if you choose to install Windows XP Mode, consider the following:

  1. Choose a secure password for XPMUser that is not the same as the password of any other host account
  2. Enable automatic updating (Windows Update)
  3. Install security software, the same as on any other host on your network
  4. If possible, disable drive auto-mapping under integration features to further isolate the virtual environment
  5. If browsing in XP Mode, be sure to update your Flash player, Acrobat Reader, and other plugins when you update your host OS.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.