{"id":120,"date":"2026-03-13T13:27:53","date_gmt":"2026-03-13T12:27:53","guid":{"rendered":"https:\/\/kleinessinchen.feralnetworks.com\/?p=120"},"modified":"2026-04-08T08:24:57","modified_gmt":"2026-04-08T07:24:57","slug":"windows-xp-hardening","status":"publish","type":"post","link":"https:\/\/kleinessinchen.feralnetworks.com\/?p=120","title":{"rendered":"Windows XP Hardening?"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">How about still using Windows XP? Simplicity, lack of bloat, lack of AI, support for old games. I\u2019ve always loved XP. Of course it didn\u2019t feel lightweight in 2002 when installing the first Windows NT version intended for home users. Way bigger than 98SE, more demanding than 2000 Professional and with a nauseating default theme that is as dysfunctional as the (then) newly introduced Start Menu. Over the years I\u2019ve mastered switching off all crap on a fresh XP installation in very few minutes. Still in muscle memory to this day. Using XP gives me a nostalgic feeling just like the boot sound of a PlayStation 1 coming from the powerful speakers of a big CRT TV.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this entry I want to explore this classic OS from the perspective of security. This could be very short by saying, \u201cThere is no way to truly secure it.\u201d Nevertheless I\u2019ll try my best.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p class=\"wp-block-paragraph\">This blog entry assumes your XP machine will be used as isolated sandbox for legacy software. The primary threats are remote network exploits (hence the solution: air-gapped offline machine). Other attack vectors are malicious USB devices, exploits in data files you copy to the vintage machine and physical theft. It is possible to deal with the latter threats to some extent.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"> <strong><mark style=\"background-color:rgba(0, 0, 0, 0);color:#ff0000\" class=\"has-inline-color\">\u26a0\ufe0f <\/mark><\/strong><mark style=\"background-color:rgba(0, 0, 0, 0);color:#ff0000\" class=\"has-inline-color\">0 \u2013 Important Warning and Disclaimer Box <\/mark><strong><mark style=\"background-color:rgba(0, 0, 0, 0);color:#ff0000\" class=\"has-inline-color\">\u26a0\ufe0f <\/mark><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In order to prevent cluttering my text with warnings interrupting the reading flow I\u2019ll just put everything in this regard inside the box below. This doesn\u2019t mean the warnings are unimportant or should be skipped. Quite the contrary.<\/p>\n\n\n\n<div class=\"wp-block-group has-background has-global-padding is-layout-constrained wp-container-core-group-is-layout-ca18955b wp-block-group-is-layout-constrained\" style=\"background-color:#fbf9cc;padding-top:var(--wp--preset--spacing--20);padding-right:var(--wp--preset--spacing--70);padding-bottom:var(--wp--preset--spacing--20);padding-left:var(--wp--preset--spacing--70)\">\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>Skipping the warnings can put your modern machines at risk!<\/strong><\/summary>\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Just stating the obvious, but I have to: <strong><mark style=\"background-color:rgba(0, 0, 0, 0);color:#ff0000\" class=\"has-inline-color\">Windows XP is not secure and never will be secure again!<\/mark><\/strong> If you have to really protect data, you are at the wrong place right now. Stop reading this blog entry and stop playing around with vintage computers! Full confidentiality of your data can only be achieved by applying proper full disk encryption in conjunction with file based encryption on a modern machine running a security-focused, modern operating system. Tinkering with outdated OSs on museum computers is fun\u2014if and only if \u2013 such PCs are fully isolated from important devices\n<ul class=\"wp-block-list\">\n<li>Side note for modern systems: <strong>I recommend using GrapheneOS and Qubes OS<\/strong>. Store data at rest encrypted by LUKS or VeraCrypt (or BitLocker when using latest Windows 11). Avoid the default TPM-only option for BitLocker. It is inherently flawed and has seen many ways of bypassing<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Please acknowledge that this text is NOT a tutorial and not an advice to use outdated operating systems in practice or even online. <\/strong>Therefore I won\u2019t provide 100% detailed step-by-step instructions on all settings. The author of this blog entry takes no responsibility for anything you do based on this text. Again: This is not a tutorial, just sharing my experiences while inviting you to have some fun with legacy hard- and software. <strong>Stay safe online and keep vintage PCs isolated and offline!<\/strong><\/li>\n\n\n\n<li>Careless playing around with ATA Security is highly dangerous. <strong><mark style=\"background-color:rgba(0, 0, 0, 0);color:#ff0000\" class=\"has-inline-color\">The Linux program <code>hdparm<\/code> is not a toy! You can lose all your data, permanently lock yourself out of your HDD\/SSD or even cause irreparable hardware<\/mark><\/strong><mark style=\"background-color:rgba(0, 0, 0, 0);color:#000000\" class=\"has-inline-color\"><strong> <\/strong><\/mark><strong><mark style=\"background-color:rgba(0, 0, 0, 0);color:#ff0000\" class=\"has-inline-color\">damage<\/mark><\/strong><mark style=\"background-color:rgba(0, 0, 0, 0);color:#000000\" class=\"has-inline-color\"><strong>.<\/strong> <\/mark>Before using <code>hdparm<\/code>, do some serious RTFM! I\u2019m not kidding! More general background information can be found in another box below dedicated to HDD passwords<\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0);color:#ff0000\" class=\"has-inline-color\">Don\u2019t reuse important passwords for BIOS or HDD\/SSD locking!<\/mark><\/strong> Very weak hashing (old BIOS) or even plaintext storage (on HDD platters) might essentially disclose your secrets to advanced adversaries when you do this anyway. A simple to mediocre password is enough for adding these little hurdles. Generally you should avoid reusing any good passwords for anything on vintage machines. To prevent forgetting sparingly used passwords applied to museum PCs: store them in a password manager. But don&#8217;t resort to reusing important ones!<\/li>\n\n\n\n<li><strong>Encrypting File System (EFS) is not sufficient to guarantee confidentiality. <\/strong>For additional security you should store important files in a VeraCrypt container. But please acknowledge that temporary files, metadata and registry artifacts aren\u2019t protected without full encryption applied on the system drive. The possibilities of leaks are numerous and you can\u2019t rule out that an attacker is able to partially access private information despite EFS and VeraCrypt containers.<\/li>\n\n\n\n<li><strong>Signature based anti-malware is intentionally omitted in this text.<\/strong> Almost no anti-malware product receiving latest signatures will still run under an OS published in 2002. A seemingly still working free version of Avast (or was it AVG?) trashed one of my XP installations for no apparent reason. Signature based approaches (blacklisting) or heuristics is a totally flawed concept in the first place. False negatives (malware slips through) and false positives (useful software gets blocked) are very common. If you still want the opinion of a malware scanner I recommend connecting your vintage drive via a IDE\u2192USB or SATA\u2192USB adapter to a modern PC<\/li>\n\n\n\n<li>I\u2019m not a security professional, but an interested user. I probably missed crucial things or even messed up badly. Let me repeat: <strong>This is not a tutorial!<\/strong><\/li>\n<\/ul>\n<\/details>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><br>1 \u2013 Basic Installation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">With the warning-and-disclaimer-BS out of the way, what can we do to minimize attack vectors while maximizing usefulness of an XP computer? As an example I will take an Acer Extensa 3000. This is a lowest end PC that was already garbage-grade in the year 2006. A friendly lady has been ripped off when buying this as her first laptop. I could rant away about integrated SiS graphics, a dysfunctional battery, too little RAM\u2026 alas\u2026 it is too much off-topic and bad for my blood pressure.<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1405\" height=\"1487\" data-id=\"127\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Acer_Extensa_3000_showing_HDD_password_prompt.jpg\" alt=\"Old Acer Extensa laptop waiting for unlocking the HDD\" class=\"wp-image-127\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Acer_Extensa_3000_showing_HDD_password_prompt.jpg 1405w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Acer_Extensa_3000_showing_HDD_password_prompt-283x300.jpg 283w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Acer_Extensa_3000_showing_HDD_password_prompt-968x1024.jpg 968w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Acer_Extensa_3000_showing_HDD_password_prompt-768x813.jpg 768w\" sizes=\"auto, (max-width: 1405px) 100vw, 1405px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1423\" height=\"1469\" data-id=\"128\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Acer_Extensa_3000_showing_Syskey_password_prompt.jpg\" alt=\"Old Acer Extensa laptop waiting for Syskey password to be entered\" class=\"wp-image-128\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Acer_Extensa_3000_showing_Syskey_password_prompt.jpg 1423w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Acer_Extensa_3000_showing_Syskey_password_prompt-291x300.jpg 291w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Acer_Extensa_3000_showing_Syskey_password_prompt-992x1024.jpg 992w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Acer_Extensa_3000_showing_Syskey_password_prompt-768x793.jpg 768w\" sizes=\"auto, (max-width: 1423px) 100vw, 1423px\" \/><\/figure>\n<\/figure>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><mark style=\"background-color:#F6CFF4\" class=\"has-inline-color\">(Open all images in this blog entry in a new tab for full resolution!)<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">1.1 \u2013 Things Needed from Microsoft<\/mark><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>XP Professional SP3<\/strong>\u2192 Home Edition is useless<\/li>\n\n\n\n<li><strong>Internet Explorer 8<\/strong>\n<ul class=\"wp-block-list\">\n<li>It won\u2019t work with any modern website and you shouldn\u2019t use it. The only real use of IE is Legacy Update and local stuff from old \u201cinteractive CD-ROMs\u201d<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Windows Media Player 11<\/strong><\/li>\n\n\n\n<li><strong>.NET Framework 4 and 3.5<\/strong> (containing 2.0 as well) and all applicable <strong>VCRedist<\/strong> \u2192 Increases complexity and attack surface, but also compatibility<\/li>\n\n\n\n<li>If you have a license (I don\u2019t): <strong>Microsoft Office 2010<\/strong>. I had to resort to my 2007 license<\/li>\n\n\n\n<li><strong>All updates up to April 2014<\/strong>\n<ul class=\"wp-block-list\">\n<li>Windows updates<\/li>\n\n\n\n<li>.NET updates<\/li>\n\n\n\n<li>Internet Explorer updates<\/li>\n\n\n\n<li>Windows Media Player updates<\/li>\n\n\n\n<li>All applicable Microsoft Office updates (if installed)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>All updates up to April 2019<\/strong> with the POSReady 2009 registry setting if your CPU supports NX, DEP, PAE and possibly SSE2 instruction set<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Legacy Update will make installing all updates easy. It will also only offer setting the POSReady registry hack if your CPU is compatible. The process takes a few reboots and a few hours until there are no more updates left.<\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\">No, I do <strong>not<\/strong> want to use some pirated sketchy, unofficial \u201cultimate\u201d version with all updates already applied and I also saw no need to slipstream everything into a custom CD image (will most likely not fit on CD anymore, which is bad for laptops with CD-only drive. I have and actually use computers <em>that<\/em> old)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">1.2 \u2013 Backup Image Time!<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Having all updates installed is a great moment to backup the installation with Clonezilla. Nothing is more frustrating than waiting hours and hours for updates to finish\u2026 just to have a perfect installation trashed by a dumb mistake or a failing HDD<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-27be8982 wp-block-group-is-layout-constrained\" style=\"padding-top:var(--wp--preset--spacing--20);padding-right:var(--wp--preset--spacing--30);padding-bottom:var(--wp--preset--spacing--20);padding-left:var(--wp--preset--spacing--30)\">\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Before rebooting to Clonezilla you should clean up to reduce image size and speed up image creation<\/summary>\n<ul class=\"wp-block-list\">\n<li>Run <code>cleanmgr.exe<\/code><\/li>\n\n\n\n<li>Delete all <code>$NtUninstall<\/code> folders in <code>C:\\Windows<\/code> as well as log files created by updates<\/li>\n\n\n\n<li>Clean all temp folders: <code>C:\\Windows\\temp<\/code> and temp in your user account<\/li>\n\n\n\n<li>Remove all system restore points<\/li>\n\n\n\n<li>Disable page file and hibernation file (don\u2019t forget to re-enable after backup)<\/li>\n\n\n\n<li>Run defragmentation on <code>C:\\<\/code><\/li>\n<\/ul>\n<\/details>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">2 \u2013 OS-Independent Security Aspects<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">2.1 \u2013 Physical Security<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If your system is as weak as my old laptop and cannot handle full disk encryption with VeraCrypt 1.25.9 an attacker can bypass all security by booting from CD\/DVD\/USB or by simply accessing the drive in their own PC. Physical security (lock away laptop, tamper evident seals) is needed to counter this. Elaborating on physical security and Evil Maid Attacks would need at least three times the text of this lengthy blog entry. Trying to prevent Evil Maid Attacks requires behavioral changes for most people and additional surveillance technology to protect your belongings. \u2192 Off-topic, out of scope<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">2.2 \u2013 BIOS Passwords<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">BIOS passwords protecting boot process (set to internal HDD only or at least as first option) are of questionable effect. Often there are ways to circumvent them with hardcoded master passwords and\/or resetting CMOS by physically shorting two points on the motherboard. Laptops generally perform a bit better than desktops in this regard, but often can be unlocked with publicly available key generators.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">2.3 \u2013 ATA Security (HDD Password)<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A very slightly more effective measurement is applying ATA Security also known as HDD password. First of all: circumventing ATA Security is possible. Expensive and specialized forensic software leveraging firmware shortcomings is able to reset HDD passwords or even retrieve them in seconds on many models. In some cases advanced hobbyists successfully attacked HDDs on hardware level. <strong>Do not overestimate the security of this simple gatekeeper!<\/strong><\/p>\n\n\n\n<div class=\"wp-block-group has-background has-global-padding is-layout-constrained wp-container-core-group-is-layout-27be8982 wp-block-group-is-layout-constrained\" style=\"background-color:#fbf9cc;padding-top:var(--wp--preset--spacing--20);padding-right:var(--wp--preset--spacing--30);padding-bottom:var(--wp--preset--spacing--20);padding-left:var(--wp--preset--spacing--30)\">\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Background Information on ATA Security<\/summary>\n<p class=\"wp-block-paragraph\">ATA Security offers two different passwords, <em>Master<\/em> and <em>User<\/em>. Many laptops, including my weak old Acer, only allow setting the <em>User<\/em> part while leaving <em>Master<\/em> on factory default setting. The security level is set to <em>\u201cHigh\u201d<\/em>. For ATA Security to be of any notable value you must also set <em>Master<\/em> password with <code>hdparm<\/code> to prevent access via known default keys. Some drives do not implement these functions correctly and fail setting the <em>Master<\/em> part or don\u2019t unlock with <em>Master<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I want to add my two cents on the misleading naming of the two available security levels:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The default option is called <em>\u201cHigh\u201d<\/em> \u2013 a more fitting description would be <em>\u201cBasic\u201d<\/em> since access by somebody else (<em>Master<\/em>) is intentionally(!) given. It doesn\u2019t matter much when you close this loophole yourself with <code>hdparm<\/code><\/li>\n\n\n\n<li>Option number two is called <em>\u201cMaximum\u201d<\/em> suggesting a silver bullet against all possible attacks. A better description would be <em>\u201cEnhanced \u201c<\/em>, because a firmware exploit or hardware attack is needed to access the protected HDD without knowing <em>User<\/em> password. <em>Master<\/em> may only force erase the drive when security is set to <em>\u201cMaximum\u201d<\/em><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">You must set the <em>User<\/em> HDD password using BIOS setup, <strong>not<\/strong> <code>hdparm<\/code>. Often BIOS doesn\u2019t use the entered password directly. Instead it uses scancode numbers associated with the keys you pressed (or it might even obfuscate your password before sending it to the drive). Setting a <em>User<\/em> password with <code>hdparm<\/code> will make the same password fail on the BIOS prompt and your laptop won&#8217;t boot!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For SSDs one can assume them to be self-encrypting devices (SEDs). In addition to OPAL Storage Specification, SATA based SSDs should support the old ATA Security feature. Don\u2019t assume SEDs to be flawless. A quick search for \u201cSelf-encrypting deception\u201d will lead to a notable video showing bypasses on earlier models.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Despite neither BIOS password nor ATA Security are on par with data protection offered by LUKS, Bitlocker or VeraCrypt there is no reason to not use them (no performance penalty) when applied correctly (no reuse of good passwords you applied on important, modern stuff)<\/p>\n<\/details>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">3 \u2013 Locking Down XP<\/h2>\n\n\n\n<details class=\"wp-block-details\"><summary>For anything below to be effective I assume you will <strong><mark style=\"background-color:#f9f9e7\" class=\"has-inline-color is-layout-flow wp-block-details-is-layout-flow\">work with a limited user account<\/mark><mark style=\"background-color:#fbf9cc\" class=\"has-inline-color\"><\/mark><\/strong> after initially setting things up with an admin account. <mark style=\"background-color:#f9f9e7\" class=\"has-inline-color\">Use two different, strong passwords for admin and limited user account.<\/mark> Seriously, do NOT use an account with admin rights for everyday tasks.<\/summary>\n<p class=\"wp-block-paragraph\">This is still true for modern Windows by the way. User Account Control (UAC), introduced in Windows Vista, is <strong>not<\/strong> a security feature. This is especially true when staying on default configuration on Windows 7 and newer. UAC is a convenience tool. Just look up \u201cUAC bypass\u201d. Being logged into an admin account artificially limited by UAC can give you the false impression of security.<\/p>\n<\/details>\n\n\n\n<p class=\"wp-block-paragraph\">Install all programs you want to have on your XP machine. Of course most software compatible with such an old OS isn\u2019t maintained anymore which means any application you add will potentially add attack surface. You must therefore strictly control which files may go into your XP box.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately I do not have an installation of XP in English language at hand. Because of this my screenshots are in German. But since this is not a step-by-step tutorial it should be acceptable. An easy search will immediately give you recommendations on which services can be safely disabled.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before continuing you have to ask yourself: <strong>\u201cWhat is my vintage PC going to be used for?\u201d<\/strong> Depending on the designated task you can secure things pretty tight\u2026 or not.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">3.1 \u2013 Option A) Gaming<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When loading old games, including their dubious CD\/DVD based copy protection schemes, all security goes down the drain. Same if you use cracked versions. No matter what you try. Many older games do not work correctly when using limited user accounts and some even write their save data outside the user profile (into <code>C:\\Program Files\\Game<\/code> or even worse <code>C:\\Game<\/code>). Games will often mess up NTFS Access Control Lists (ACLs) undermining the security model. In this case: keep the system offline, don\u2019t exchange any data with any modern system and happy gaming! A gaming PC doesn\u2019t need to be a fortress.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">3.1 \u2013 Option B) Reliable Office PC<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The other and far more interesting case: Maximizing local security for creating a reliable office PC. What could be the reason for having an XP installation nowadays? Special hardware without drivers for modern OSs is a classic case. Although Windows is pretty good at supporting many old 32-bit programs developed in roughly three decades, there are sometimes some exceptions. This is especially true in conjunction with the specialized hardware example. It is also not a good idea to install legacy software on a productive, modern system. Legacy apps can bring their own security implications on said modern devices.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You might have guessed it\u2026 a weak Acer Extensa 3000 with integrated SiS graphics is completely incapable of running games beyond Minesweeper and Solitaire. No wonder I went with the more interesting approach!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">3.1.1 \u2013 Option Various Settings in <code>secpol.msc<\/code> and Deactivating Services<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A well-known and effective harm reduction method is reducing attack surface in the form of reducing complexity. Any background service which is not needed should be inactive.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Non-exhaustive unsorted list of services to disable:<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">smb (sharing files and printers), automatic updates since there are none left, Network Location Awareness, Computer Browser, Server, Remote Desktop (Terminal Services), UPnP, Webclient, Media Player Network Share, Fax<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Giving concrete recommendations is hard since it will depend on what you actually need to be running on *your* computer. Just look at the amount of services I set to being permanently inactive<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"800\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Services.png\" alt=\"services.msc running. Services are sorted by their status. A red box is drawn around all disabled services to immediately show that there are many.\" class=\"wp-image-131\" style=\"aspect-ratio:1.5999716762982166;width:654px;height:auto\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Services.png 1280w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Services-300x188.png 300w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Services-1024x640.png 1024w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Services-768x480.png 768w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Useful Security Policies:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deactivate build-in Administrator and Guest accounts<\/li>\n\n\n\n<li>Disable creating LM password hashes, change your passwords afterwards to make sure LM hashes are purged<\/li>\n\n\n\n<li>Require CTRL+ALT+DEL for login<\/li>\n\n\n\n<li>Don\u2019t show last username<\/li>\n\n\n\n<li>Password complexity<\/li>\n\n\n\n<li>Lock accounts for 30 minutes after 5 failed login attempts to prevent hammering attacks<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"619\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Security_Polcies-1024x619.png\" alt=\"gpedit.msc running showing security options for local policies (which are also available directly with secpol.msc)\" class=\"wp-image-132\" style=\"aspect-ratio:1.6542785476023616;width:574px;height:auto\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Security_Polcies-1024x619.png 1024w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Security_Polcies-300x181.png 300w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Security_Polcies-768x464.png 768w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Security_Polcies.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Useful Group Policies:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disable Autorun for all drives<\/li>\n\n\n\n<li>Disable Movie Maker, Messenger, Remoteshell<\/li>\n\n\n\n<li>Disable Internet communication (publish online, order pictures, error reporting, printing over HTTP and so on)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"> XP can almost count as modern OS in regarding the amount of stuff that should be neutralized. I makes little sense to list every single setting within the vast <code>gpedit.msc<\/code> \u2013 but it makes much sense for you to go through the complete thing once.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">3.1.2 \u2013 Software Restriction Policies (SRP) aka &#8220;Safer&#8221; <\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Software Restriction Policies were introduced into Windows with XP and still exist today (deprecated, not working out of the box on later Win 11). <br>For incomprehensible reasons even currently supported versions of Microsoft Windows allow executing arbitrary programs from arbitrary locations. This includes the directory where you e-mail client just put \u201c<code>invoice.pdf.exe<\/code>\u201d which appears as \u201c<code>invoice.pdf<\/code>\u201d in explorer when still having default configuration. One weak moment and you will start the malware yourself.<em>What a great form security!<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SRP, also known as \u201cSafer\u201d (it\u2019s name in the registry) is a pretty powerful whitelisting feature.<mark style=\"background-color:rgba(0, 0, 0, 0);color:#0000ff\" class=\"has-inline-color\"> <\/mark><mark style=\"background-color:rgba(0, 0, 0, 0);color:#008800\" class=\"has-inline-color\"><strong>I would go as far as saying it is THE most important and most effective harm reduction measurement you can apply on legacy Windows<\/strong><\/mark><mark style=\"background-color:rgba(0, 0, 0, 0);color:#00ff00\" class=\"has-inline-color\"><strong>.<\/strong><\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SRP is not bulletproof and certainly will have known ways of circumvention by now. I confess I was too lazy to look up the details. What SRP will achieve despite possible circumvention methods is: Make <em>accidentally<\/em> starting malware yourself highly unlikely. Of course it can\u2019t compete with the currently maintained App Control for Business in Windows 10\/11 (which you should <strong>definitely<\/strong> use to protect your modern Windows PCs from unknown malware). Even App Locker, available since Windows 7 Ultimate, is more versatile. \u2192 off-topic, out of scope<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On good old NT 5.1 we are limited to what &#8220;Safer&#8221; offers.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open <code>secpol.msc <\/code>and create new SRP<\/li>\n\n\n\n<li>Set default policy to \u201cNot allowed\u201d\n<ul class=\"wp-block-list\">\n<li>Apply rules to all executable files including DLLs. Enforcing restrictions on DLLs might cause a slight performance hit but I didn\u2019t even notice it on my pathetic laptop<\/li>\n\n\n\n<li>Apply rules to normal users only. Local admins can write into whitelisted locations and switch of SRP off altogether. Trying to limit them make little sense. If an attacker gets local admin they have already fully <em>pwnd<\/em> you\u2026 <em>Game Over!<\/em><\/li>\n\n\n\n<li>(Optional) blacklist all drive letters but <code>C:\\<\/code> with path rules forbidding <code>A:\\* B:\\* D:\\*<\/code> and so on<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Tighten ACLs. Make sure non-admin users have no write privileges for <strong>any<\/strong> sub folder or file under \u201c<code>C:\\Program Files<\/code>\u201d and\/or \u201c<code>C:\\Windows<\/code>\u201d<\/li>\n\n\n\n<li>Installers of older software, including games, might create loopholes. Since the default policies allow starting any <code>.exe<\/code> file located under these folders, the protection offered by our whitelisting feature gets nullified if there is a single file or folder with write access for normal users within the whitelisted folders.<\/li>\n\n\n\n<li><strong>Default ACLs contain \u201c<code>OWNER CREATOR<\/code>\u201d<\/strong> \u2013 this might backfire! Replace ACLs with restrictive versions. Administrators and System may have full access, standard users may only read and execute (from trusted locations)<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"404\" height=\"448\" data-id=\"135\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/SRP1.png\" alt=\"SRP set on enforcing on all files. DLLs not excluded, but no enforcement on local admins.\" class=\"wp-image-135\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/SRP1.png 404w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/SRP1-271x300.png 271w\" sizes=\"auto, (max-width: 404px) 100vw, 404px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"404\" height=\"448\" data-id=\"136\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/SRP2.png\" alt=\"SRP Selected default is &quot;Not allowed&quot; activating whitelist mode\" class=\"wp-image-136\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/SRP2.png 404w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/SRP2-271x300.png 271w\" sizes=\"auto, (max-width: 404px) 100vw, 404px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"800\" data-id=\"137\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/SRP3-1.png\" alt=\"All my SRP rules, including the default allow rules for C:\\Program Files and C:\\Windows redundant deny entries for all drives but C:\\\" class=\"wp-image-137\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/SRP3-1.png 1280w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/SRP3-1-300x188.png 300w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/SRP3-1-1024x640.png 1024w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/SRP3-1-768x480.png 768w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/figure>\n<\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A serious limitation of SRP is that it can&#8217;t apply hash based rules on <code>.DLL<\/code> files, at least under XP. Whitelisting only trusted applications (based on their hash or signing certificate) is a way more robust defense than path based rules. App Control for Business should be your friend on modern Windows. Below a screenshot showing SRP in action. Any executable file outside the trusted locations is blocked. For demonstration purposes I tried starting the <code>eicar.com<\/code> not-a-virus test file simulating a user error which normally would lead to malware execution.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"803\" height=\"599\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Eicar.com_blocked.png\" alt=\"Error message by software restrictions when trying to start eicar.com not-a-virus test file as normal user.\" class=\"wp-image-158\" style=\"aspect-ratio:1.3405732306134603;width:465px;height:auto\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Eicar.com_blocked.png 803w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Eicar.com_blocked-300x224.png 300w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Eicar.com_blocked-768x573.png 768w\" sizes=\"auto, (max-width: 803px) 100vw, 803px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">3.1.3 \u2013 EMET (Enhanced Mitigation Experience Toolkit 4.1)<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">EMET was an effort of trying to add exploit mitigation methods to Windows. Since Windows 10 EMET is neither supported nor needed because everything it offered (and more!) is already part of the OS itself. Many options like mandatory ASLR require Windows Vista or 7 at minimum, but a few technologies can be applied on XP.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">EMET allows automatically setting <code>\/NoExecute=AlwaysOn<\/code> in <code>boot.ini<\/code> for enforcing DEP\/NX on all processes. Below a screenshot on the overview showing DEP is forced for all processes and two running programs (HxD, notepad++) are protected by EMET.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"660\" height=\"660\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EMET_Overview.png\" alt=\"EMET main window showing DEP is enforced for all processes as well as two active applications protected by all exploit mitigation options.\" class=\"wp-image-139\" style=\"width:366px;height:auto\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EMET_Overview.png 660w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EMET_Overview-300x300.png 300w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EMET_Overview-150x150.png 150w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Structured Exception Handler Overwrite Protection (SEHOP) can&#8217;t be applied system-wide on XP, but it is possible for individual executable files. ASLR is missing altogether. It is and stays an OS from 2002\u2026<br>All applications marked in <strong>bold<\/strong> on the next screenshot are given by default \u2013 mitigation options are selected regardless if these apps are installed or not. Those not written bold have been added manually. Activate everything for a program and see if it works normally. More information is in the EMET manual.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"800\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EMET_App_Settings.png\" alt=\"EMET app window listing all applications with rules. Default entries and a few I added myself (chrome.exe for Supermium, mypal.exe for MyPal browser, notepad++ and some more)\" class=\"wp-image-140\" style=\"aspect-ratio:1.5999716762982166;width:544px;height:auto\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EMET_App_Settings.png 1280w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EMET_App_Settings-300x188.png 300w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EMET_App_Settings-1024x640.png 1024w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EMET_App_Settings-768x480.png 768w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">3.1.4 \u2013 Encryption File System (EFS)<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Without encryption any mildly competent adversary will be able to access your data. To achieve at least a minimum of protection, please encrypt your personal folders with EFS. Just open properties of a folder and select \u201cEncrypt files\u201d. That\u2019s it. Well, that\u2019s it for the encryption part.<\/p>\n\n\n\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-3a88641f wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"524\" height=\"515\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EFS2-1.png\" alt=\"Sina's home folder. The vast majority of files and folders appears in green showing that EFS is active\" class=\"wp-image-147\" style=\"width:400px;height:auto\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EFS2-1.png 524w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EFS2-1-300x295.png 300w\" sizes=\"auto, (max-width: 524px) 100vw, 524px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"384\" height=\"309\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EFS1-2.png\" alt=\"Explorer settings dialog showing checked box for encryption\" class=\"wp-image-144\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EFS1-2.png 384w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/EFS1-2-300x241.png 300w\" sizes=\"auto, (max-width: 384px) 100vw, 384px\" \/><\/figure>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately EFS has an unflattering nickname. Sometimes it is called <em>\u201cDelayed Recycle Bin\u201d<\/em>. This term refers to the fact that the certificate, notably the private key, needed to perform decryption has to be exported and backed manually to ensure future access. Even when backing up your files to another medium the (transparent) encryption will stay in effect. If your laptop HDD dies or you reinstall Windows, all backups on NTFS formatted backup media become useless random data without the certificate!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Newer Windows versions automatically open a user friendly wizard after encrypting your first file. In case of XP you have to do it manually. \u2192 Look it up, too much text and\/or too many screenshots would be required here<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Security provided by EFS is directly dependent on your login password. If this password is in range of bruteforce or raibow table attacks an attacker can decrypt your data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:#fbecfa\" class=\"has-inline-color\">3.1.5 \u2013 (Optional) Activate Syskey SAM Database Protection<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Yes, it is old. No, it isn\u2019t secure by today\u2019s standards (RC4, MD5). It has been abused by scammers as ransomware and rightfully has been removed from Windows. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A strong Syskey will add a little protection against offline bruteforce attacks. EFS relies on your account password stored within SAM database in hashed form. A strong Syskey will protect the SAM.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I would not recommend an automatically created key on a floppy disk: Anybody that has the floppy can decrypt your SAM, while a strong password is in your head. In free constitutional states passwords are covered by no self-incrimination laws. I\u2019ll omit any further comment on this important achievement of civilization gradually being removed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"353\" height=\"583\" src=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Syskey.png\" alt=\"Syskey SAM protection tool about to apply a very long passphrase of more than 30 characters)\" class=\"wp-image-149\" style=\"width:257px;height:auto\" srcset=\"https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Syskey.png 353w, https:\/\/kleinessinchen.feralnetworks.com\/wp-content\/uploads\/2026\/03\/Syskey-182x300.png 182w\" sizes=\"auto, (max-width: 353px) 100vw, 353px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In case of a powerful computer, especially one with a CPU supporting hardware AES, you should skip EFS and Syskey in favor of VeraCrypt. Side note: For a modern Windows PC you should consider combining full disk encryption (Bitlocker or VeraCrypt) with file based encryption (EFS). The additional layer allows putting your personal data at rest (purging encryption key from memory) by logging out. The impact on performance of modern systems is negligible.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4 \u2013 Backup Image Time! (2)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Enjoy a classic operating system! Distraction free working and access to legacy software are good reasons for setting up an XP box. But for the case anything goes wrong later on:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Run Clonezilla again, this time containing your entire configuration and your software. Depending on how much software you installed the compressed image might even fit on a single DVD, maybe dual layer. An archival grade disc will keep your work secure for decades; probably longer than your computer will last.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How about still using Windows XP? Simplicity, lack of bloat, lack of AI, support for old games. I\u2019ve always loved XP. Of course it didn\u2019t feel lightweight in 2002 when installing the first Windows NT version intended for home users. Way bigger than 98SE, more demanding than 2000 Professional and with a nauseating default theme [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,19],"tags":[14,26,20],"class_list":["post-120","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-security","tag-veracrypt","tag-windows-xp"],"_links":{"self":[{"href":"https:\/\/kleinessinchen.feralnetworks.com\/index.php?rest_route=\/wp\/v2\/posts\/120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kleinessinchen.feralnetworks.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kleinessinchen.feralnetworks.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kleinessinchen.feralnetworks.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kleinessinchen.feralnetworks.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=120"}],"version-history":[{"count":68,"href":"https:\/\/kleinessinchen.feralnetworks.com\/index.php?rest_route=\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":214,"href":"https:\/\/kleinessinchen.feralnetworks.com\/index.php?rest_route=\/wp\/v2\/posts\/120\/revisions\/214"}],"wp:attachment":[{"href":"https:\/\/kleinessinchen.feralnetworks.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kleinessinchen.feralnetworks.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kleinessinchen.feralnetworks.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}