Internet Tips: Tweak Windows XP SP2 Security to Your Advantage

Windows XP is a safe and secure operating system. Really, it is--as long as you don't connect it to the Internet. To be fair, other operating systems, including Linux and Mac OS X, are vulnerable to online attacks, too. But Windows gets more attention, and hackers were quick to discover serious flaws in the OS that made possible the Blaster and Sasser worms, along with a legion of other exploits.

Trying to make Windows more secure, Microsoft released Windows XP Service Pack 1 in 2003, and Service Pack 2 recently. Whereas SP1 focused on remedying antitrust violations with bundled Windows utilities, almost all of SP2 is devoted to beefing up Internet security. SP2 doesn't thoroughly shield you from attacks, but it's definitely worth installing for its firewall improvements, Internet Explorer pop-up blocking, and security-configuration changes. Once you've installed it, you'll probably want to tweak some of SP2's new settings, and to know where--tweaked or not--the reinforced OS remains vulnerable.

SP2's most noticeable change to Windows XP is its introduction of a new Security Center Control Panel applet (see

FIGURE 1: Monitor Windows XP'S security status and modify settings in SP2's Security Center.
FIGURE 1). Security Center itself doesn't do much, but it provides a single location where you can view the status of the Windows Firewall (formerly known as Internet Connection Firewall) and of Windows' Automatic Updates service. The utility also tracks if you have an antivirus program installed, running, and updated.

If any of these three key security tools has been disabled or is less than fully functional, Security Center changes their corresponding status lights from green to either red or amber. The program also displays a warning icon in the system tray. A red light means that you should probably take steps to beef up security in the indicated area. An amber light signifies a service that is only partly enabled, or that a third-party product handles.

But even if all your dashboard security lights are green, you aren't necessarily safe. Conversely, certain red or amber conditions--triggered when Windows doesn't recognize your third-party firewall or antivirus program, for example--may be acceptable to you. So how do you disable that pesky tray icon?

Start by opening the Security Center: Choose Start, Control Panel and click Security Center. Many people will see a bank of green lights, thanks to SP2's more secure default settings. The firewall is now enabled by default for all Internet connections, which is a good thing if you don't have a third-party firewall program. The Automatic Updates feature downloads and installs often-crucial security updates from Microsoft while you're online. Unless you went out of your way to disable it during installation of Service Pack 2, this option will be fully enabled as well. And if you've installed an antivirus program that Microsoft recognizes, you'll get a green light in the virus-protection area.

Tweak the Firewall

Windows firewall, which is enabled by default, blocks incoming worms, like Blaster, that try to enter your PC through a network connection; but it can't stop malicious apps that are already on your PC from making outgoing connections. You get no protection from viruses, worms, Trojan horses, and spyware that sneak onto your computer via your Web browser, e-mail, or instant messaging program. I recommend using a bidirectional third-party firewall such as Zone Labs' free ZoneAlarm (see "Security Must-Haves" for download details). For PC World's most recent review of firewalls, see June's "Bigger Threats, Better Defense."

Once you've installed a bidirectional firewall, I recommend disabling the Windows Firewall altogether. Occasionally, firewalls obstruct an application you're trying to use over a network connection--and there's nothing more frustrating than spending a half hour tweaking, disabling, and even uninstalling a firewall, only to discover that the other firewall was the culprit. To disable the Windows Firewall in the Security Center, click the Windows Firewall link at the bottom of the dialog box, check Off (not recommended) in the next window, and click OK.

Alas, Windows may not recognize the third-party firewall installed on your PC. (It didn't see my copy of Sygate Personal Firewall, for example.) In such cases, Windows displays the security-warning icon in the system tray. That's no big deal, except that when other security lapses crop up they probably won't come to your attention. To disable the firewall security warning in the Security Center, click Recommendations in the Firewall pane, check I have a firewall solution that I'll monitor myself, and click OK (see

FIGURE 2: Prevent annoying alerts when SP2 fails to detect other firewall utilities.
FIGURE 2). Windows will then switch your firewall status to amber, and stop pestering you with firewall warnings in the system tray.

If Windows fails to recognize your antivirus program, you can easily disable Security Center false alarms: Click Recommendations in the Antivirus Protection pane, check I have an antivirus program that I'll monitor myself, and click OK.

Automatic Updates

In general, it's unwise to let your computer automatically connect to the Internet, and then download and install software on its own. After all, that's how viruses, worms, Trojan horses, and spyware do their dirty work. But the tremendous threat posed by Internet attacks has changed the rules. Because viruses and worms often take advantage of flaws in Windows or its Internet Explorer Web browser, you need to install patches as soon as Microsoft makes them available (the same is true of your antivirus program's signature database files).

For most PC users, enabling Automatic Updates is the way to go. Nevertheless, situations may arise in which the default settings aren't optimal. For example, by default the service downloads and installs updates at 3 a.m., without inquiring into the user's preferences. But if your computer is always asleep or disconnected from the Internet at 3 a.m., you might never get any updates under the default arrangement. And if, like me, you regard Microsoft with less than complete trust, you might want to inspect the updates that are available for downloading before agreeing to install them on your PC.

To change Automatic Updates' settings, click the System link at the bottom of the Security Center window (or choose Start, Control Panel, and click or double-click the System icon). Select the Automatic Updates tab. To choose a time when you know your PC will be awake and available to download and install updates, select Automatic (recommended), and pick a time from the drop-down list (see

FIGURE 3: Tweak Automatic Updates in Win XP with SP2 to suit your situation.
FIGURE 3). To instruct Windows to download but not automatically install updates until you can inspect them, select Download updates for me, but let me choose when to install them.

Finally, if you frequently rely on dial-up or wireless links that aren't suitable for Automatic Updates' sometimes-massive downloads, choose the option labeled Notify me but don't automatically download or install them. This setting gives you the greatest control over updates, enabling you to veto downloading or installing any update. On the other hand, it also increases your risk of getting hit by an exploit that Microsoft has already issued a fix for, so use it with caution. (I can't think of a single good reason to turn off Automatic Updates altogether.) Click OK to save your settings.

Pop-Ups Begone

The ability to block pop-up browser windows, besides being convenient, can protect you from browser hijacking (where an unscrupulous Web site installs itself as your home page or runs ActiveX programs). Some other browsers, including Mozilla, Netscape, and Opera, have had pop-up blockers for a while. SP2 adds this long-needed feature to IE and activates it by default. (On a related note, SP2 also disables Windows' Messenger service, which formerly allowed spammers and other miscreants to pop up message windows on your Internet-connected PC.)

Though Internet Explorer's newfound pop-up blocking prowess is generally a positive thing, it can cause problems when you visit Web sites that use subsidiary, pop-up style windows for logging in, completing surveys, displaying videos, or performing other special tasks. If you discover that your favorite site doesn't work as expected after you've installed SP2, don't get too upset.

First, to test whether IE's pop-up blocker is responsible, disable it by choosing Tools, Pop-up Blocker, Turn off Pop-up Blocker. If that tactic solves the problem, you can instruct IE not to block pop-ups from that one site. To do so, first copy the site's address in IE's Address field (click the address to select it, and then press Ctrl-C). Choose Tools, Pop-up Blocker, Pop-up Blocker Settings, press Ctrl-V to paste the address into the 'Address of Web site to allow' field, and click Add (see

FIGURE 4: Customize IE's new pop-up blocker to allow desired pop-ups at select sites.
FIGURE 4). Alternatively, you can type addresses directly into the field, if you prefer.

SP2 introduces a related security feature in the Outlook Express e-mail program. To block the tiny invisible images called Web bugs that sites use to identify you online, Outlook Express by default now blocks downloads of any external images referenced in HTML messages. If you receive one of those slick-looking e-mail newsletters, it may not look so slick after you've installed SP2.

To re-enable the display of these image links in e-mail messages (and risk having your e-mail newsletter--reading habits monitored by the newsletter's publisher), choose Tools, Options, Security, uncheck Block images and other external content in HTML e-mail, and click OK.

Version Tracker: Security Must-Haves

Windows XP may be getting safer with SP2, but it's still a good idea to download and install the latest versions of the following free (and excellent) utilities to plug remaining security gaps.

ZoneAlarm 5: Despite Microsoft's efforts to beef up security in Windows, the operating system's built-in firewall can't block outgoing traffic, including the dastardly activities of worms, backdoor programs, and other menaces to your privacy and online security. Zone Labs' $40 ZoneAlarm Pro recently received a PC World Best Buy, but you don't need to spend a dime to get its essential features. The free version of ZoneAlarm omits Pro's pop-up blocker and e-mail virus filter, but none of its top-notch firewall capabilities.


Spybot Search & Destroy 1.3: Patrick M. Kolla's indispensable tool for detecting and removing spyware and adware is now better than ever. The latest version significantly improves Spybot's real-time spyware scanner, blocks unsafe downloads in Internet Explorer, and preserves Windows system settings from spyware and adware attacks.


Send your questions and tips to We pay $50 for published items. Click for more Internet Tips. Scott Spanbauer is a contributing editor for PC World.

Subscribe to the Best of PCWorld Newsletter