XP's Do-It-Yourself Security

The good news is that the operating system offers solid protection. The bad news is that you have to search out and set up features that should be front and center.

In Windows XP, Microsoft (MSFT) is finally offering an operating system designed for consumer use that offers solid security. The entire computer can be off-limits to anyone without a user name and password, and all individual users control who has access to their files. You can safely share some files on a network while keeping others private. There is even a simple firewall to deter intruders lurking on the Internet.

There's only one problem. When you buy a new computer with XP or upgrade an existing one from Windows 98 or Me, most of the good security features are turned off. Unlike those versions, XP can be made secure. But Microsoft has left it up to you to make that happen.

CREATE PASSWORDS. For example, Windows XP automatically comes with an account called "administrator," which has no password. If you don't do something about it, your computer will always have a huge security hole because anyone can gain access just by typing "administrator" and hitting return. During setup, you are asked for the names of the users of the computer. Windows creates an account with each name, but again, they start off with no passwords. Every account should be protected by a password. Requiring a password to log on to your own PC is a bit of a nuisance, but as we have learned in so many other areas, giving up a little convenience to gain security can be worth the trouble.

For the best security, I recommend that everyone normally use a "limited account" and log on to an "administrator account" only when needed--for example, when installing software. But make sure you remember the administrator-account password since there's no way to recover it if it gets lost.

To get the full benefit of user accounts, you have to take another seemingly unrelated step. Windows XP offers two different systems for storing files on your hard drive. The distinctions aren't worth going into, but the method called FAT32, which is also used by Windows 98 and Me, is far less secure than the alternative, called NTFS. Running FAT32 disables many XP security features. You can set up separate accounts for your kids, but they may still be able to get into your files. When you share files over a network, you can't be sure that access is limited to the material you want to make public.

If you install XP yourself, you are offered a choice of file formats. But most computer manufacturers ship XP systems with FAT32. Microsoft includes a utility to convert drives without disturbing their contents, but it's hard to find. The simplest way to discover it is to search for "convert" after clicking Help and Support in the Start menu. (Windows XP comes with excellent online help, but it's no substitute for a printed manual. When you pay $100 for a piece of software, you shouldn't have to shell out an additional $30 to $50 for a book on how to use it.)

If your computer is connected to the Internet with anything fancier than a standard dial-up modem, you are vulnerable to hackers and need some sort of protection. Microsoft has included a protective firewall as part of Windows XP. There are more sophisticated products around from companies such as Symantec (SYMC), Network Associates (NETA), and Zone Labs. Microsoft's version is adequate for many people, and it's already installed on every XP machine, but it won't help unless you turn it on. Fortunately, that's simple to do, though more obscure than it ought to be. Once again, go to Windows Help, search for "firewall," and follow the step-by-step instructions for enabling the Internet Connection Firewall.

Microsoft products have long been criticized for sacrificing security in the interest of convenience, and nowhere has this been more true than in consumer operating systems. Windows XP Home goes halfway toward rectifying the problem. All the tools are there, but in the interest of making things easy, Microsoft's defaults allow too many of them to go unused.

