Microsoft Solutions for Security

Windows XP Security Guide v2.0


Information in this document, including URL and other Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2004 Microsoft Corporation. All rights reserved.

Microsoft and , ActiveX, Authenticode, Jscript, Media Player, MSDN, MS-DOS, MSN Messenger, NetMeeting, , Windows, Windows XP Professional, Windows NT 4.0, , Windows 2003, Visual Basic, Visual Basic Scripting Edition are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Acknowledgments

The Microsoft Solutions for Security group (MSS) would like to acknowledge and thank the team that produced the Windows XP Security Guide. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.

Authors Reviewers Mike Danseglio Eric Cameron José Maldonado Duane Crider Bob Partridge Steve Dodson Tony Quinn Adam Edwards Mike Kaczmarek Content Contributors Chrissy Lewis Kurt Dillard Mike Lonergan Jesper Johansson Joe Porter Testers Brian Schafer Gaurav Singh Bora Ben Smith Paresh Gujar Josh Vincent Ashish Java Jeff Williams Mehul Mediwala Contributors Editors Ignacio Avellaneda Reid Bannecker Ganesh Balakrishnan John Cobb Derick Campbell Kelly McMahon Sean Finnegan Jon Tobey Joanne Kennedy Steve Wacker Geoff Morris Jeff Newfeld Chase Carpenter Rob Oikawa Bomani Siwatu Bill Reid Reviewers Bryan Chee Rich Benack Graham Whiteley Shelly Bird Jay Zhang

At the request of Microsoft, the Center for Internet Security (CIS) and the United States Department of Commerce National Institute of Standards and Technology (NIST) participated in the final review of this Microsoft security guide and provided comments that were incorporated into the published version.

Table of Contents

Chapter 1: Introduction to the Windows XP Security Guide ...... 1
  Overview ...... 1
  Executive Summary ...... 2
  Who Should Read This Guide ...... 3
  Get Secure Stay Secure ...... 4
  Get Secure ...... 4
  Stay Secure ...... 4
  Scope of this Guide ...... 5
  Enterprise ...... 5
  High Security ...... 5
  Stand-Alone Environment ...... 5
  Chapter Overview ...... 6
  Chapter 1: Introduction to the Windows XP Security Guide ...... 6
  Chapter 2: Configuring the Active Directory Domain Infrastructure ...... 6
  Chapter 3: Security for Windows XP Clients ...... 6
  Chapter 4: Administrative Templates for Windows XP ...... 6
  Chapter 5: Securing Stand-Alone Windows XP Clients ...... 7
  Chapter 6: Software Restriction Policies for Windows XP Clients ...... 7
  Chapter 7: Conclusion ...... 7
  Appendix A: Additional Guidance for Windows XP Service Pack 2 ...... 7
  Download Content ...... 8
  Skills and Readiness ...... 9
  Requirements ...... 10
  Style Conventions ...... 11
  Summary ...... 12
  More Information ...... 12

Chapter 2: Configuring the Active Directory Domain Infrastructure ...... 13
  Overview ...... 13
  OU Design to Support Security Management ...... 14
  Department OU ...... 15
  GPO Design to Support Security Management ...... 16
  Security Templates ...... 18
  Administrative Templates ...... 19
  Domain Level ...... 19
  Password Policy ...... 20
  Enforce password history ...... 20
  Maximum password age ...... 20
  Minimum password age ...... 21
  Minimum password length ...... 22
  Password must meet complexity requirements ...... 22
  Store password using reversible encryption for all users in the domain ...... 23
  Preventing Users from Changing Passwords Except When Required ...... 23
  Account Lockout Policy ...... 25
  Account lockout duration ...... 26
  Account lockout threshold ...... 26
  Reset account lockout counter after ...... 27
  User Rights Assignment ...... 28
  Add workstations to domain ...... 28
  Security Settings ...... 29
  Microsoft network server: Disconnect clients when logon hours expire ...... 29
  Network Access: Allow anonymous SID/NAME translation ...... 30
  Network Security: Force Logoff when Logon Hours expire ...... 30
  Kerberos Policy ...... 31
  OU Level Group Policies ...... 32
  Security Settings Group Policy ...... 32
  Software Restriction Policy Settings ...... 32
  Group Policy Tools ...... 33
  Forcing a Group Policy Update ...... 33
  Viewing the Resultant Set of Policies ...... 33
  Summary ...... 34
  More Information ...... 34

Chapter 3: Security Settings for Windows XP Clients ...... 37
  Overview ...... 37
  Account Policy Settings ...... 38
  Local Policy Settings ...... 38
  Audit Policy Settings ...... 38
  Audit account logon events ...... 39
  Audit account management ...... 39
  Audit directory service access ...... 39
  Audit logon events ...... 40
  Audit object access ...... 40
  Audit policy change ...... 42
  Audit privilege use ...... 42
  Audit process tracking ...... 42
  Audit system events ...... 43
  User Rights Assignment Settings ...... 44
  Access this computer from network ...... 44
  Act as part of the ...... 44
  Adjust memory quotas for a process ...... 45
  Allow log on locally ...... 45
  Allow log on through Terminal Services ...... 46
  Back up files and directories ...... 46
  Change the system time ...... 47
  Create a pagefile ...... 47
  Create permanent shared objects ...... 47
  Create a token object ...... 48
  Debug programs ...... 48
  Deny access to this computer from the network ...... 48
  Deny log on locally ...... 49
  Deny log on through Terminal Services ...... 49
  Enable computer and user accounts to be trusted for delegation ...... 49
  Force shutdown from a remote system ...... 50
  Generate Security Audits ...... 50
  Increase scheduling priority ...... 50
  Load and unload device drivers ...... 51
  Log on as a batch job ...... 51
  Log on as a service ...... 51
  Manage auditing and security log ...... 52
  Modify firmware environment variables ...... 52
  Perform volume maintenance tasks ...... 52
  Profile single process ...... 53
  Profile system performance ...... 53
  Replace a process level token ...... 53
  Restore files and directories ...... 54
  Shut down the system ...... 54
  Take ownership of files or other objects ...... 54
  Security Option Settings ...... 55
  Accounts: Guest account status ...... 55
  Accounts: Limit local account use of blank passwords to console logon only ...... 55
  Accounts: Rename administrator account ...... 56
  Accounts: Rename guest account ...... 56
  Devices: Allow undock without having to log on ...... 57
  Devices: Allowed to format and eject removable media ...... 57
  Devices: Prevent users from installing printer drivers ...... 57
  Devices: Restrict CD-ROM access to locally logged-on user only ...... 58
  Devices: Restrict floppy access to locally logged-on user only ...... 58
  Devices: Unsigned driver installation behavior ...... 59
  Domain member: digitally encrypt or sign secure channel data (always) ...... 59
  Domain member: digitally encrypt secure channel data (when possible) ...... 60
  Domain member: digitally sign secure channel data (when possible) ...... 60
  Domain member: Disable machine account password changes ...... 60
  Domain member: Maximum machine account password age ...... 61
  Domain member: Require strong (Windows 2000 or later) session key ...... 61
  Interactive logon: Do not display last user name ...... 61
  Interactive logon: Do not require CTRL+ALT+DEL ...... 62
  Interactive logon: Message text for users attempting to log on ...... 62
  Interactive logon: Message title for users attempting to log on ...... 63
  Interactive logon: Number of previous logons to cache (if domain controller not available) ...... 63
  Interactive logon: Prompt user to change password before expiration ...... 64
  Interactive logon: Require Domain Controller authentication to unlock workstation ...... 64
  Interactive logon: Smart card removal behavior ...... 64
  Microsoft network client: Digitally sign communications (always) ...... 65
  Microsoft network client: Digitally sign communications (if server agrees) ...... 65
  Microsoft network client: Send unencrypted password to third-party SMB servers ...... 66
  Microsoft network server: Amount of idle time required before suspending session ...... 66
  Microsoft network server: Digitally sign communications (always) ...... 66
  Microsoft network server: Digitally sign communications (if client agrees) ...... 67
  Network access: Allow anonymous SID/Name translation ...... 67
  Network access: Do not allow anonymous enumeration of SAM accounts ...... 68
  Network access: Do not allow anonymous enumeration of SAM accounts and shares ...... 68
  Network access: Do not allow storage of credentials for network authentication ...... 68
  Network access: Let everyone permissions apply to anonymous users ...... 69
  Network access: Shares that can be accessed anonymously ...... 69
  Network access: Sharing and security model for local accounts ...... 70
  Network security: Do not store LAN Manager hash value on next password change ...... 70
  Network security: LAN Manager authentication level ...... 71
  Network security: LDAP client signing requirements ...... 71
  Network security: Minimum security for NTLM SSP based (including secure RPC) clients ...... 72
  Network security: Minimum security for NTLM SSP based (including secure RPC) servers ...... 73
  Recovery console: Allow automatic administrative logon ...... 73
  Recovery console: Allow floppy copy and access to all drives and all folders ...... 74
  Shutdown: Allow system to be shut down without having to log on ...... 74
  Shutdown: Clear virtual memory pagefile ...... 75
  System cryptography: Use FIPS compliant algorithms (encryption, hashing, and signing) ...... 75
  System objects: Default owner for objects created by Administrators group ...... 76
  System objects: Require case insensitivity for non-Windows subsystems ...... 76
  System objects: Strengthen default permissions of internal system objects ...... 76
  Event Log Security Settings ...... 77
  Maximum application log size ...... 78
  Maximum security log size ...... 78
  Maximum system log size ...... 78
  Prevent local guests group from accessing application log ...... 79
  Prevent local guests group from accessing security log ...... 79
  Prevent local guests group from accessing system log ...... 79
  Retention method for application log ...... 80
  Retention method for security log ...... 80
  Retention method for system log ...... 80
  Restricted Groups ...... 81
  System Services ...... 83
  Alerter ...... 84
  ClipBook ...... 84
  Computer Browser ...... 84
  Fax Service ...... 85
  FTP Publishing Service ...... 85
  IIS Admin Service ...... 85
  ...... 86
  Messenger ...... 86
  NetMeeting Remote Desktop Sharing ...... 86
  Network DDE ...... 87
  Network DDE DSDM ...... 87
  Remote Desktop Help Session Manager ...... 87
  Remote Registry Service ...... 88
  Routing and Remote Access ...... 88
  SSDP Discovery Service ...... 88
  Task Scheduler ...... 89
  Telnet ...... 89
  Terminal Services ...... 89
  Universal Plug and Play host ...... 90
  World Wide Web Publishing Service ...... 90
  Configuring Internet Connection Firewall ...... 91
  Additional Registry Settings ...... 92
  Disable Auto Generation of 8.3 File Names ...... 92
  Disable Autorun: Disable Autorun for all drives ...... 93
  Make Screensaver Password Protection Immediate ...... 93
  Security Log Near Capacity Warning ...... 94
  Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended) ...... 94
  Disable Automatic Logon: Disable Automatic Logon ...... 95
  Delete Administrative Shares: Delete Administrative Shares ...... 96
  Enable IPSec to protect Kerberos RSVP Traffic ...... 96
  Hide the Computer from Network Neighborhood Browse Lists ...... 97
  How to Modify the Security Configuration Editor User Interface ...... 98
  Additional Security Settings ...... 103
  Manual Hardening Procedures ...... 103
  Securing the ...... 104
  Advanced Permissions ...... 104
  Summary ...... 106
  More Information ...... 106

Chapter 4: Administrative Templates for Windows XP ...... 107
  Overview ...... 107
  Computer Configuration Settings ...... 109
  Windows Components ...... 109
  NetMeeting ...... 109
  Disable remote Desktop Sharing ...... 109
  ...... 110
  Disable Automatic Install of Internet Explorer components ...... 110
  Disable Periodic Check for Internet Explorer software updates ...... 111
  Disable software update shell notifications on program launch ...... 111
  Make proxy settings per-machine (rather than per-user) ...... 112
  Security Zones: Do not allow users to add/delete sites ...... 112
  Security Zones: Do not allow users to change policies ...... 113
  Security Zones: Use only machine settings ...... 113
  Terminal Services\Client/Server data redirection ...... 114
  Do not allow drive redirection ...... 114
  Terminal Services\Encryption and Security ...... 115
  Always prompt client for password upon connection ...... 115
  Set client connection encryption level ...... 115
  ...... 116
  Do not allow Windows Messenger to be run ...... 116
  ...... 117
  Configure Automatic Updates ...... 118
  No auto-restart for scheduled Automatic Updates installations ...... 119
  Reschedule Automatic Updates scheduled installations ...... 119
  Specify intranet Microsoft update service location ...... 120
  Microsoft Office XP ...... 121
  Microsoft Office XP\Security Settings ...... 122
  Access: Trust all installed add-ins and templates ...... 123
  Disable VBA for Office applications ...... 124
  Excel: Macro Security Level ...... 124
  Excel: Trust access to Visual Basic Project ...... 125
  Excel: Trust all installed add-ins and templates ...... 125
  Outlook: Macro Security Level ...... 126
  PowerPoint: Macro Security Level ...... 126
  PowerPoint: Trust access to Visual Basic Project ...... 126
  PowerPoint: Trust all installed add-ins and templates ...... 127
  Publisher: Macro Security Level ...... 128
  Publisher: Trust all installed add-ins and templates ...... 128
  Unsafe ActiveX Initialization ...... 129
  Word: Macro Security Level ...... 129
  Word: Trust access to Visual Basic Project ...... 130
  Word: Trust all installed add-ins and templates ...... 130
  System ...... 131
  Turn off ...... 131
  System\Logon ...... 132
  Do not process the legacy run list ...... 132
  Do not process the run once list ...... 132
  System\Group Policy ...... 134
  Internet Explorer Maintenance policy processing ...... 134
  Registry policy processing ...... 135
  System\Remote Assistance ...... 136
  Offer Remote Assistance ...... 136
  Solicit Remote Assistance ...... 137
  System\Error Reporting ...... 138
  Display Error Notification ...... 138
  Report Errors ...... 139
  User Configuration Settings ...... 140
  Internet Explorer ...... 141
  Browser menus\Disable Save this program to disk option ...... 141
  Internet Control Panel\Disable the Advanced Page ...... 141
  Internet Control Panel\Disable the Security Page ...... 141
  Offline Pages\Disable adding channels ...... 143
  Offline Pages\Disable adding schedules for offline pages ...... 143
  Offline Pages\Disable all scheduled offline pages ...... 143
  Offline Pages\Disable channel user interface completely ...... 144
  Offline Pages\Disable downloading of site subscription content ...... 144
  Offline Pages\Disable editing and creating of schedule groups ...... 145
  Offline Pages\Disable editing schedules for offline pages ...... 145
  Offline Pages\Disable offline page hit logging ...... 145
  Offline Pages\Disable removing channels ...... 146
  Offline Pages\Disable removing schedules for offline pages ...... 146
  Configure Outlook Express ...... 146
  Disable Changing Advanced page settings ...... 147
  Disable Changing Automatic Configuration Settings ...... 147
  Disable Changing Certificate Settings ...... 148
  Disable Changing Connection Settings ...... 148
  Disable Changing Proxy Settings ...... 149
  Do not allow AutoComplete to save passwords ...... 149
  Windows Explorer ...... 150
  Remove CD Burning features ...... 150
  Remove Security tab ...... 150
  System ...... 151
  Prevent access to registry editing tools ...... 151
  System\Power Management ...... 152
  Prompt for password on resume from hibernate / suspend ...... 152
  Summary ...... 153
  More Information ...... 153

Chapter 5: Securing Stand-Alone Windows XP Clients ...... 155
  Overview ...... 155
  Windows XP in a Windows NT 4.0 Domain ...... 156
  Local Group Policy Object Settings ...... 157
  Account Policies ...... 157
  Local Policies ...... 157
  Importing Security Templates into Windows XP ...... 158
  Configuration ...... 158
  Applying the Policy ...... 159
  Summary ...... 164
  More Information ...... 164

Chapter 6: Software Restriction Policy for Windows XP Clients ...... 165
  Overview ...... 165
  Software Restriction Policy Architecture ...... 166
  Unrestricted or Disallowed Settings ...... 166
  Four Rules to Identify Software ...... 167
  Software Restriction Policy Options ...... 181
  DLL Checking ...... 181
  Skip Administrators ...... 182
  Software Restriction Policy Design and Deployment ...... 187
  Integration with Group Policy ...... 187
  Designing a Policy ...... 188
  Stepping Through the Process ...... 189
  Deploying Software Restriction Policy ...... 191
  Summary ...... 193
  More Information ...... 193

Chapter 7: Conclusion ...... 195
  Securing the Client ...... 196
  Enterprise ...... 196
  High Security ...... 196
  Stand-Alone Clients ...... 196
  Software Restriction Policy ...... 197
  Summary ...... 198
  More Information ...... 198

Appendix A: Additional Guidance for Windows XP Service Pack 2 ...... 199
  Overview of Windows XP SP2 ...... 199
  Changes to Security Settings ...... 200
  Changes to Administrative Templates ...... 200
  New Administrative Templates ...... 200
  Computer Configuration Settings ...... 201
  Internet Explorer ...... 201
  Terminal Services\Client ...... 209
  Windows Update ...... 209
  System ...... 210
  Windows Firewall\Domain Profile ...... 215
  Windows Firewall\Standard Profile ...... 222
  User Configuration Settings ...... 230
  Attachment Manager ...... 230
  Summary ...... 232

1 Introduction to the Windows XP Security Guide

Overview

Welcome to the Windows XP Security Guide. This guide is designed to provide you with the best information available to assess and counter security risks specific to Microsoft® Windows® XP Professional with Service Pack One in your environment. The chapters in this guide provide detailed information on configuring enhanced security settings and features in Windows XP wherever possible to address threats identified in your environment. If you are a consultant, designer, or systems engineer involved in a Windows XP environment, this guide has been designed with you in mind. The guidance has been reviewed and approved by Microsoft engineering teams, consultants, support engineers, and by customers and partners to make it:

● Proven — based on field experience
● Authoritative — offers the best advice available
● Accurate — technically validated and tested
● Actionable — provides the steps to success
● Relevant — addresses real-world security concerns

Working with consultants and systems engineers who have implemented Windows XP Professional, Windows Server™ 2003, and Windows 2000 in a variety of environments has established the latest best practices to secure the clients and servers that are detailed in this guide. This guide includes step-by-step security prescriptions, procedures, and recommendations to provide you with a list of tasks to transform the security state of computers running Windows XP Professional in your organization to a higher level of security. If you want a more in-depth discussion of the concepts behind this material, refer to resources such as: Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, the Microsoft Windows XP Resource Kit, the Microsoft Windows 2003 Server Resource Kit, the Microsoft Windows Security Resource Kit, and Microsoft TechNet. This guide was originally created for Windows XP Service Pack 1; information about Windows XP Service Pack 2 has subsequently been supplied in Appendix A.

Executive Summary

Whatever your environment, you are strongly advised to take security seriously. Many organizations make the mistake of underestimating the value of their information technology (IT) environment, generally because they exclude substantial indirect costs. If an attack on the servers in your environment is severe enough, it could greatly damage the entire organization. For example, an attack in which your corporate Web site is brought down and causes a major loss of revenue or customer confidence might lead to the collapse of your corporation's profitability. When evaluating security costs, you should include the indirect costs associated with any attack, as well as the costs of lost IT functionality. Vulnerability, risk, and exposure analysis with regard to security informs you of the trade-offs between security and usability that all computer systems are subject to in a networked environment. This guide documents the major security countermeasures available in Windows XP, the vulnerabilities that they address, and the potential negative consequences, if any, of implementing each countermeasure. The guide then provides specific recommendations for hardening these systems in three common environments: one consisting of only Windows XP in an Enterprise environment; one in which concern for security is so high that a significant loss of functionality and manageability is acceptable; and one consisting of only Windows XP Professional in a stand-alone environment. These environments are referred to respectively as: Enterprise Client, High Security and Stand-alone throughout this guide. The settings defined will work in Windows 2000, Windows Server 2003, and stand-alone environments, and still maintain a level of functionality that will allow common applications to run properly.

This guide is organized for easy accessibility so that you can quickly find the information you need to determine what settings are suitable for your organization's computers running Windows XP. Although targeted at the enterprise customer, much of this guide is appropriate for organizations of any size. To get the most value out of this material, you will need to read the entire guide. The team that produced this guide hopes that you will find the material covered in it useful, informative, and interesting. For further information, you can also refer to the companion guide Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, available for download at: http://go.microsoft.com/fwlink/?LinkId=15159.

Who Should Read This Guide

This guide is primarily intended for consultants, security specialists, systems architects, and IT professionals who are responsible for the planning stages of application or infrastructure development and deployment of Windows XP workstations in an enterprise environment. This guide is not intended for home users. This guide is targeted at individuals whose job roles include the following:

● System architects and planners who are responsible for driving the architecture efforts for the workstations in their organizations.
● IT security specialists who are focused purely on providing security across platforms within an organization.
● Business analysts and business decision-makers (BDMs) who have critical business objectives and requirements that need IT desktop or laptop support.
● Consultants from both Microsoft Services and partners who need knowledge-transfer tools for enterprise customers and partners.

Get Secure Stay Secure

In October 2001, Microsoft launched an initiative known as the Strategic Technology Protection Program (STPP). The aim of this program is to integrate Microsoft products, services, and support that focus on security. Microsoft sees the process of maintaining a secure environment as two related phases: Get Secure and Stay Secure.

Get Secure

The first phase is called Get Secure. To help your organization achieve an appropriate level of security, follow the Get Secure recommendations provided by Microsoft in this and other security guides. For links to additional resources, see the More Information section below.

Stay Secure

The second phase is known as Stay Secure. It is one thing to create an environment that is initially secure. However, once your environment is up and running, it is entirely another thing to maintain the security of the environment over time, take preventative action against threats, and respond to them effectively when they occur. To help your organization maintain an appropriate level of security over time, follow the Stay Secure recommendations in the Microsoft Security Tool Kit, which can be accessed online. For more information on the Microsoft Security Tool Kit, see the More Information section below.

Scope of this Guide

This guide is focused on how to create and maintain a secure environment for desktops and laptops running Windows XP Professional Service Pack 1 or 2. It is not designed for the home user. The guide explains the different stages of how to secure the environment and what each setting addresses for the desktop and laptop. Settings that are not specifically recommended in this guide are not documented within the guide. For a thorough discussion of all the security settings in Windows XP, refer to the companion guide: Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP at: http://go.microsoft.com/fwlink/?LinkId=15159. The guide covers the enterprise, high security and stand-alone environments.

Enterprise

The enterprise environment consists of a Windows 2000 or Windows Server 2003 Microsoft Active Directory® domain. The clients in this environment will be managed using Group Policy that is applied to containers, sites, domains and Organizational Units (OUs). Group Policy provides a centralized method to manage security policy across the environment.

High Security

The high security environment consists of elevated security settings for the client. When applying high security settings, user functionality is limited to specific functions that are only required for the necessary tasks. Access is limited to approved applications, services, and infrastructure environments.

Stand-Alone Environment

The stand-alone environment consists of those organizations that have some computers that cannot be joined to a domain or computers that are members of a Windows NT 4.0 domain. These clients have to be configured using Local Policy settings. The management of stand-alone machines can be considerably more challenging than using an Active Directory-based domain for management of user accounts and policies.

Chapter Overview

Windows XP provides the most dependable version of Windows ever, with the best security and privacy features. Overall security has been improved in Windows XP to help ensure your organization can work in a safe and secure computing environment. The Windows XP Security Guide consists of seven chapters and one appendix. Chapters two through six of this guide discuss the procedures involved in creating such an environment. Each of these chapters builds on an end-to-end process to secure the computers running Windows XP in your environment.

Chapter 1: Introduction to the Windows XP Security Guide

This chapter includes an overview of the guide, including descriptions of the intended audience, the problems that are discussed in the guide, and the overall intent of the guide.

Chapter 2: Configuring the Active Directory Domain Infrastructure

Group policy can be used to manage user and computer environments in Windows Server 2003 and Windows 2000 domains. This chapter discusses the preliminary steps that must be performed in your domain prior to applying group policy to your Windows XP clients. Group policy settings are stored in Group Policy objects (GPOs) on domain controllers. GPOs are linked to containers, sites, domains, and OUs within the Active Directory structure. Because group policy is so closely integrated with Active Directory, it is important to have a basic understanding of Active Directory structure and security implications prior to implementing group policy. Group policy is an essential tool for securing Windows XP, and can be used to apply and maintain a consistent security policy across a network from a central location.

Chapter 3: Security Settings for Windows XP Clients

This chapter covers the security settings for Windows XP clients that may be set via Group Policy in a Windows 2000 or Windows Server 2003 Active Directory domain. Guidance is not provided for all of the available settings — only the settings for which applying the recommended configurations will secure the environment from most current threats, while allowing users to perform normal job functions on their computers, are provided. The settings configured should be based on your organizational security goals.

Chapter 4: Administrative Templates for Windows XP

In this chapter, settings that can be added to Windows XP using Administrative Templates are discussed. Administrative Templates are Unicode files that you can use to configure the registry-based settings that govern the behavior of many services, applications, and operating system components. There are five Administrative Templates that ship with Windows XP, which contain more than 600 settings.

Chapter 5: Securing Stand-Alone Windows XP Clients

This chapter discusses the configuration of stand-alone Windows XP clients. While the deployment of Windows XP in an Active Directory domain infrastructure is recommended, it is not always possible. This chapter provides guidance on applying the recommended configurations to Windows XP clients that are not members of a Windows 2000 or Windows Server 2003 domain.

Chapter 6: Software Restriction Policies for Windows XP Clients

This chapter provides a basic overview of software restriction policies. Software restriction policies provide administrators with a policy-driven mechanism to identify and limit the software that can be run in their domain. Using a software restriction policy, an administrator can prevent unwanted programs, as well as viruses, Trojan horses, or other malicious code, from running. Software restriction policies fully integrate with Active Directory and group policy. Software restriction policies can be used in an environment without a Windows Server 2003 domain infrastructure when applied to only the local computer.

Chapter 7: Conclusion

The concluding chapter of this guide recaps the important points of the guide content in a brief overview of everything discussed in the previous chapters.

Appendix A: Additional Guidance for Windows XP Service Pack 2

This appendix discusses the changes to security guidance based on the release of Windows XP Service Pack 2 (SP2) for Windows XP Professional. It is intended to supplement the other content in this guide and covers only the configuration changes specific to SP2. You should not consider this appendix a self-contained document.

Download Content

A collection of security templates, scripts, and additional tools is included with this guide to make it easier for your organization to evaluate, test, and implement the countermeasures recommended in this guide. The security templates are text files that can be imported into domain-based group policies, or applied locally using the Security Configuration and Analysis snap-in. These procedures are detailed in Chapter 2, "Configuring the Domain Infrastructure." The scripts included with this guide can be used to implement these recommendations on stand-alone workstations. This guide also includes a Microsoft Excel workbook called Windows XP Security Guide Settings, which documents the settings included in each of the security templates. These tools and templates are included in the self-extracting WinZip archive that contains this guide. When you extract the files from this archive, the following folder structure is created in the location you specify:

● \Windows XP Security Guide — contains the Portable Document Format (PDF) file that you are currently reading, as well as the Test Guide, Delivery Guide, and Support Guide associated with this material.
● \Windows XP Security Guide\Tools and Templates — contains subdirectories for any items that may accompany this guide.
● \Windows XP Security Guide\Tools and Templates\Security Guide\Security Templates — contains all security templates that are discussed in Chapter 2 and Chapter 3 of the guide.
● \Windows XP Security Guide\Tools and Templates\Security Guide\Administrative Templates — contains all administrative templates that are discussed in Chapter 4 of the guide.
● \Windows XP Security Guide\Tools and Templates\Security Guide\Checklists — contains checklists for implementing the settings recommended in the guide.
● \Windows XP Security Guide\Tools and Templates\Security Guide\Stand Alone Clients — contains all sample scripts and templates for hardening stand-alone machines as discussed in Chapter 5 of the guide.
● \Windows XP Security Guide\Tools and Templates\Test Guide — contains tools related to the test guide.
● \Windows XP Security Guide\Tools and Templates\Delivery Guide — contains tools related to the delivery guide.

Skills and Readiness
The following knowledge and skills are prerequisites for administrators or architects charged with developing, deploying, and securing Windows XP clients in an enterprise.
● MCSE 2000 certification with more than 2 years of security-related experience, or the equivalent.
● In-depth knowledge of corporate domain and Active Directory environments.
● Use of management tools, including Microsoft Management Console (MMC), secedit, gpupdate, and gpresult.
● Experience administering Group Policy.
● Experience deploying applications and clients in enterprise environments.

Requirements
The hardware requirements for the Windows XP Security Guide are:
● Personal computers with a 300 megahertz (MHz) or higher processor clock speed; 233 MHz minimum required (single or dual processor system); Intel Pentium/Celeron family, AMD K6/Athlon/Duron family, or compatible processors.
● At least 128 megabytes (MB) of RAM (64 MB minimum supported, which may limit performance and some features).
● A minimum of 1.5 gigabytes (GB) of available hard disk space for the operating system.
● Super VGA (800 × 600) or higher-resolution video adapters and monitors.
● CD-ROM or DVD drive on the clients.
● Keyboard and Microsoft Mouse or compatible pointing device.

Style Conventions
This guide uses the following style conventions and terminology.

Table 1.1: Style Conventions
Element | Meaning
Bold font | Characters that are typed exactly as shown, including commands and switches. User interface elements in text that is prescriptive are also bold.
Italic font | Placeholder for variables where specific values are supplied. For example, Filename.ext could refer to any valid file name for the case in question.
Monospace font | Code samples.
%SystemRoot% | The folder in which the Windows operating system is installed.
Note | Alerts the reader to supplementary information.
Important | Alerts the reader to supplementary information that is essential to the completion of the task.
Screen Para | Messages that appear on screen and command line commands are styled in this font.

Summary
This chapter has introduced you to the Windows XP Security Guide and summarized the chapters in it. Now that you understand how the guide is organized, you are ready to take full advantage of the key security options built into Windows XP. Effective, successful security operations require effort in all of the areas covered in this guide, not just improvements in one. For this reason, it is highly recommended that you implement all of the procedures recommended in this guide.

More Information
The following information sources were the latest available on topics closely related to securing Windows XP Professional at the time this guide was released to the public.
For more information about security settings that can be configured on Microsoft Windows XP, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, available at: http://go.microsoft.com/fwlink/?LinkId=15159.
For more details on how the Microsoft Operations Framework (MOF) can assist you in your enterprise, see: http://www.microsoft.com/business/services/mcsmof.asp.
For information on the Microsoft Strategic Technology Protection Program, see: http://microsoft.com/security/mstpp.asp.
For information on the Microsoft Security Notification Service, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp.
For more information on data recovery and protection, see: http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp.

2 Configuring the Active Directory Domain Infrastructure

Overview
Group Policy is a feature of Microsoft® Active Directory® directory service that facilitates change and configuration management in Microsoft Windows Server™ 2003 and Microsoft Windows® 2000 Server domains. However, you need to perform certain preliminary steps in your domain prior to applying Group Policy to the Microsoft Windows XP Professional clients in your environment.

Group Policy settings are stored in Group Policy objects (GPOs) in the Active Directory database. The GPOs are linked to containers, which include Active Directory sites, domains, and Organizational Units (OUs). Because Group Policy is so closely integrated with Active Directory, it is important to have a basic understanding of Active Directory structure and the security implications of configuring different design options within it prior to implementing Group Policy. For more information on Active Directory design, see Chapter 2, "Configuring the Domain Infrastructure," of the Windows Server 2003 Security Guide.

Group Policy is an essential tool for securing Windows XP. This chapter provides details on how to use Group Policy to apply and maintain a consistent security policy across a network from a central location. This guide presents options for both Enterprise and High Security environments. The settings recommended in this chapter are identical for both desktop and laptop clients.

Table 2.1: Baseline Security Templates
Description | Enterprise Client | High Security
Baseline security templates for clients | Enterprise client - domain.inf | High Security - domain.inf

OU Design to Support Security Management
An OU is a container within an Active Directory domain. An OU may contain users, groups, computers, and other organizational units, known as child OUs. You can link a GPO to an OU. You can also delegate administrative authority to the OU. OUs offer an easy way to group users, computers, and other security principals, as well as provide an effective way to segment administrative boundaries. Assign users and computers to separate OUs, because some settings apply only to users and some apply only to computers.

You can delegate control over a group or an individual OU by using the Delegation Wizard that is available as part of the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in tool. See the More Information section at the end of this chapter for links to documentation about delegating authority.

One of the primary goals in designing the OU structure for any environment is to provide a foundation for a seamless Group Policy implementation that covers all workstations residing in Active Directory, while ensuring that they meet the security standards of your organization. The OU structure must also be designed to provide adequate security settings for specific types of users in an organization. For example, developers may be permitted to do things on their workstations that average users should not be allowed to do. Laptop users may also have slightly different security requirements than desktop users. The following figure illustrates a simple OU structure that is sufficient for the purpose of discussing Group Policy in this chapter. This OU structure may differ from the organizational requirements of your environment.

Figure 2.1 The OU structure for Windows XP computers

Department OU
As security requirements often vary within an organization, it may make sense to create department OUs in your environment. The departmental security settings can be applied via a GPO to the computers and users in their respective department OUs.

Secured XP Users OU
This OU contains the accounts for users participating in both the Enterprise Client and High Security environments. The settings applied to this OU are discussed in the User Configuration section of Chapter 4, "Administrative Templates for Windows XP."

Windows XP OU
This OU contains child OUs for each type of Windows XP client in your environment. Guidance is included here for desktop and laptop clients. For this reason, a Desktop OU and a Laptop OU have been created.
● Desktop OU: This OU contains desktop computers that remain connected constantly to your corporate network. The settings applied to this OU are discussed in detail in Chapter 3, "Security Settings for Windows XP Clients," and Chapter 4, "Administrative Templates for Windows XP."
● Laptop OU: This OU contains laptop computers for mobile users that are not always connected to your corporate network. Chapter 3, "Security Settings for Windows XP Clients," and Chapter 4, "Administrative Templates for Windows XP," discuss the settings applied to this OU in detail.

GPO Design to Support Security Management
Use GPOs to ensure that specific settings, user rights, and behavior apply to all workstations or users within an OU. By using Group Policy rather than manual steps, it is simple to update a number of workstations or users with additional changes required in the future. The alternative to using GPOs to apply these settings is sending a technician to configure them manually on each client.

Figure 2.2 GPO application order

The illustration above shows the order in which GPOs are applied to a computer that is a member of the Child OU. Group policies are applied first from the local policy of each Windows XP workstation. After the local policies are applied, any GPOs are applied at the site level, and then at the domain level. For Windows XP clients nested in several OU layers, GPOs are applied in order from the highest OU level in the hierarchy to the lowest. The final GPO is applied from the OU containing the client computer. This order of GPO processing (local policy, site, domain, parent OU, and child OU) is significant because GPOs applied later in the process will overwrite those applied earlier. User GPOs are applied in the same manner.

Keep the following considerations in mind when designing Group Policy.
● An administrator must set the order in which multiple GPOs linked to an OU are applied, or the policies will be applied by default in the order in which they were linked to the OU. If the same setting is configured in multiple policies, the policy highest on the policy list for the container will take precedence.
● You may configure a GPO with the No Override option. By selecting this option, other GPOs cannot override the settings configured for this policy.
● You may configure an Active Directory site, domain, or OU with the Block policy inheritance option. This option blocks GPO settings from GPOs that are higher in the Active Directory hierarchy, unless they have the No Override option selected. In other words, the No Override option has precedence over the Block policy inheritance option.
● Group Policy settings apply to users and computers based on where the user or computer object is located in Active Directory. In some cases, user objects may need policy applied to them based on the location of the computer object, not the location of the user object. The Group Policy loopback feature gives the administrator the ability to apply user Group Policy settings based on the computer to which the user is logged on. For more information on loopback support, see the Group Policy white paper listed in the More Information section of this chapter.

The following figure expands the preliminary OU structure to show how GPOs may be applied to clients running Windows XP that belong to the Laptop and Desktop OUs.

Figure 2.3 Expanded OU structure with security GPOs for desktop and laptop computers running Windows XP

In the example above, laptop computers are members of the Laptop OU. The first policy applied is the Local Security Policy on the laptop computers running Windows XP. Because there is only one site in this example, no GPO is applied at the site level, leaving the Domain GPO as the next policy to be applied. Finally, the Laptop GPO is applied.

Note: The Desktop Policy is not applied to any laptops because it is not linked to any OUs in the hierarchy containing the Laptop OU. In addition, the Secured XP Users OU does not have a corresponding security template (.inf file) because it only includes settings from the Administrative Templates.

As an example of how precedence works between GPOs, suppose the Windows XP OU policy setting for Allow logon through Terminal Services is set to the Administrators group, and the Laptop GPO setting for Allow logon through Terminal Services is set to the Power Users and Administrators groups. In this case, a user whose account is in the Power Users group can log on to a laptop using Terminal Services, because the Laptop OU is a child of the Windows XP OU and its GPO is applied later. If the No Override policy option in the Windows XP GPO is enabled, only those with accounts in the Administrators group are allowed to log on to the client using Terminal Services.

Security Templates
Security templates are text files that contain security setting values. For GPOs, these options are located under the Computer Configuration\Windows Settings\Security Settings folder in Group Policy. You can change these files using the Security Templates snap-in to the MMC, or by using a text editor such as Notepad. Some sections of the template files contain specific access control lists (ACLs), defined by the Security Descriptor Definition Language (SDDL). For details on editing security templates and SDDL, see the More Information section in this chapter.

Security Template Management
It is very important that the security templates used in a production environment are stored in a secure location in the infrastructure. Access to security templates should only be granted to the administrators responsible for implementing Group Policy. The security templates included with Windows XP, Windows 2000, and Windows Server 2003 are stored in the %SystemRoot%\security\templates folder by default. As explained in Chapter 1, the security templates included with this guide are copied to the \Windows XP Security Guide\Tools and Templates\Security Guide\Security Templates folder when you extract the files included in the self-extracting WinZip archive that contains this guide.

You may want to copy or move the security templates from this guide to the default location for the built-in security templates in order to keep them all centrally located. The %SystemRoot%\security\templates folder is not replicated across domain controllers. Therefore, you will need to select a domain controller to hold the master copy of the security templates so that you do not encounter version control problems with the templates. This best practice ensures that you are always modifying the same copy of the templates.
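The Terminal Services precedence example above, worked through in code as an added illustration (this is not code from the guide): a small resolver that applies the processing order and the No Override and Block policy inheritance rules described in this chapter and returns the effective setting for a laptop in the Laptop OU. The container and GPO names and the single-site layout follow the chapter's example; the simplification that the local policy is never blocked is an assumption.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

SETTING = "Allow logon through Terminal Services"


@dataclass
class GPO:
    name: str
    settings: Dict[str, Any] = field(default_factory=dict)  # setting -> value
    no_override: bool = False  # the "No Override" option from this chapter


@dataclass
class Container:
    """A site, domain, or OU. gpos is the container's link list as shown in
    the Group Policy UI: index 0 is the top of the list and takes precedence."""
    name: str
    gpos: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False  # the "Block policy inheritance" option


def processing_order(local_policy: GPO, path: List[Container]) -> List[GPO]:
    """GPOs in the order they are applied: local policy, then site, domain and
    each OU from the top of the hierarchy down. Within one container the bottom
    of the link list is applied first, so the top entry is applied last and
    wins. Block policy inheritance discards GPOs from higher containers unless
    they are marked No Override. Assumption: the local policy is never blocked."""
    order: List[GPO] = []
    for container in path:
        if container.block_inheritance:
            order = [g for g in order if g.no_override]
        order.extend(reversed(container.gpos))
    return [local_policy] + order


def effective_value(local_policy: GPO, path: List[Container],
                    setting: str) -> Optional[Any]:
    """Later GPOs overwrite earlier ones, except that a No Override GPO cannot
    be overwritten by anything applied after it; if several No Override GPOs
    configure the setting, the one highest in the hierarchy wins."""
    order = processing_order(local_policy, path)
    enforced = [g for g in order if g.no_override and setting in g.settings]
    if enforced:
        return enforced[0].settings[setting]
    value = None
    for gpo in order:
        if setting in gpo.settings:
            value = gpo.settings[setting]
    return value


def terminal_services_example(windows_xp_gpo_no_override: bool) -> frozenset:
    """The chapter's example: the Windows XP OU grants the right to
    Administrators, its child Laptop OU grants it to Power Users and
    Administrators. One site with no GPO linked, as in Figure 2.3."""
    local = GPO("Local Security Policy")
    site = Container("Site")                              # no GPO linked
    domain = Container("Domain", [GPO("Domain GPO")])     # no TS setting here
    windows_xp_ou = Container("Windows XP OU", [
        GPO("Windows XP GPO", {SETTING: frozenset({"Administrators"})},
            no_override=windows_xp_gpo_no_override)])
    laptop_ou = Container("Laptop OU", [
        GPO("Laptop GPO",
            {SETTING: frozenset({"Administrators", "Power Users"})})])
    return effective_value(local, [site, domain, windows_xp_ou, laptop_ou],
                           SETTING)


if __name__ == "__main__":
    print(sorted(terminal_services_example(False)))  # ['Administrators', 'Power Users']
    print(sorted(terminal_services_example(True)))   # ['Administrators']
```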

Importing a Security Template
Use the following procedure to import a security template.

To import a security template into a GPO:
1. Navigate to the Windows Settings folder in the Group Policy Object Editor.
2. Expand the Windows Settings folder and select Security Settings.
3. Right-click the Security Settings folder, and then click Import Policy…
4. Select the security template you want to import, and click Open. The settings from the file are then imported into the GPO.

Administrative Templates
Additional security settings are available in Unicode-based files called Administrative Templates. Administrative Templates are files containing registry settings that affect Windows XP and its components, along with other applications such as Microsoft Office XP. Administrative Templates may include computer settings as well as user settings. Computer settings are stored in the HKEY_LOCAL_MACHINE registry hive. User settings are stored in the HKEY_CURRENT_USER registry hive.

Administrative Template Management
It is important to store the administrative templates used in a production environment in a secure location in the infrastructure, following the same best practice described above for storing the security templates. Only administrators responsible for implementing Group Policy should have access to this location. Administrative templates that ship with Windows XP and Windows Server 2003 are stored in the %systemroot%\inf directory. Additional templates for Office XP are included with the Office XP Resource Kit. The administrative templates provided by Microsoft should not be edited, since they may change when service packs are released.

Adding an Administrative Template to a Policy
In addition to the administrative templates that shipped with Windows XP, apply the Office XP templates to those GPOs in which you want to configure Office XP settings. Use the following procedure to add an additional template to a GPO.

To add an Administrative Template to a GPO:
1. Navigate to the Administrative Templates folder in the Group Policy Object Editor.
2. Right-click the Administrative Templates folder, and then click Add/Remove Templates.
3. In the Add/Remove Templates dialog box, click Add.
4. Navigate to the folder containing your Administrative Template files.
5. Select the template you want to add, click Open, and then click Close.

Domain Level Group Policy
The domain level Group Policy includes settings that apply to all computers and users in the domain. Domain level security is covered in detail in Chapter 2, "Configuring the Domain Infrastructure," of the Windows Server 2003 Security Guide at: http://go.microsoft.com/fwlink/?LinkId=14845.

Password Policy
Complex passwords that change regularly reduce the likelihood of a successful password attack. Password policy settings control the complexity and lifetime of passwords. This section discusses each password policy setting for the Enterprise Client and High Security environments. Configure the following values in the Domain Group Policy at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

The following table includes the Password Policy recommendations for the two types of secure environments defined in this guide.

Enforce password history
Table 2.2: Settings
Domain Controller Default | Enterprise Client | High Security
24 passwords | 24 passwords | 24 passwords

The Enforce password history setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value for this setting must be between 0 and 24 passwords. The default value for Windows XP is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of the password history, use the Minimum password age setting to prevent users from repeatedly changing their password to circumvent the Enforce password history setting. Configure the Enforce password history setting to 24 passwords for the two security environments defined in this guide.

Maximum password age
Table 2.3: Settings

Domain Controller Default | Enterprise Client | High Security
42 days | 42 days | 42 days

Values for this setting range from 1 to 999 days. You may also set the value to 0 in order to specify that passwords never expire. This setting defines how long a user can use their password before it expires. The default value for this setting is 42 days. Most passwords can be cracked; therefore, the more frequently the password is changed, the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support. Configure the Maximum password age setting to a value of 42 days for the two security environments defined in this guide.

Minimum password age
Table 2.4: Settings

Domain Controller Default | Enterprise Client | High Security
1 day | 2 days | 2 days

The Minimum password age setting determines the number of days that a password must be used before a user may change it. The range of values for this setting is between 1 and 998 days, or you can allow password changes immediately by setting the value for this setting to 0. The default value for the setting is 0 days. The value for the Minimum password age setting must be less than that specified for the Maximum password age setting, unless the value for the Maximum password age setting is configured to 0, which causes passwords never to expire. If the value for the Maximum password age setting is configured to 0, the value for the Minimum password age setting can be configured to any value between 0 and 999.

If you want the Enforce password history setting to be effective, configure this value to be greater than 0. Without a value for the Minimum password age setting, users can cycle through passwords repeatedly until they get to an old favorite. The default value for this setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the Enforce password history setting is set to 0, the user does not have to choose a new password.

Configure Minimum password age to a value of 2 days for the two security environments defined in this guide. The value of 2 days is appropriate when the setting is used in conjunction with a similar short time period value for the Enforce password history setting. This restriction discourages users from recycling the same password repeatedly by ensuring that users must wait a full 2 days to change passwords. This value also encourages users to remember new passwords by forcing them to use them for at least 2 days before they can reset them, and prevents users from circumventing the Enforce password history setting restriction by rapidly setting 24 new passwords.

Minimum password length
Table 2.5: Settings

Domain Controller Default | Enterprise Client | High Security
7 characters | 8 characters | 12 characters

The Minimum password length setting determines the least number of characters that make up a password for a user account. There are many different theories on determining the best password length for an organization, but perhaps "pass phrase" is a better term than "password." In Microsoft Windows 2000 and later versions, pass phrases can be quite long and they can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid pass phrase, and it is considerably stronger than an 8 or 10 character string of random numbers and letters, yet is easier to remember. Remember that users must be educated on the proper selection and maintenance of passwords, especially regarding password length.

In the Enterprise Client environment, ensure that the value for the Minimum password length setting is configured to 8 characters. This value is long enough to provide adequate security, but still short enough for users to easily remember. In the High Security environment, configure the value to 12 characters.

Password must meet complexity requirements
Table 2.6: Settings

Domain Controller Default | Enterprise Client | High Security
Enabled | Enabled | Enabled

The Password must meet complexity requirements setting checks all new passwords to ensure that they meet basic requirements for strong passwords. By default, the value for this setting in Windows XP is configured to Disabled, but this setting is Enabled in a Windows Server 2003 domain. In addition, each additional character in a password increases its complexity exponentially. For instance, a seven digit password would have 26^7, or 1 x 10^7, possible combinations. A seven character alphabetic password with case sensitivity has 52^7 combinations. A seven character case-sensitive alphanumeric password without punctuation has 62^7 combinations. At 1,000,000 attempts per second, it would only take 48 minutes to crack. An eight character password has 26^8, or 2 x 10^11, possible combinations. On the surface, this might seem a mind-boggling number. However, at 1,000,000 attempts per second, a capability of many password-cracking utilities, it would take only 59 hours to try all possible passwords. Remember that these times will greatly increase with passwords that use ALT characters and other special keyboard characters, for example ! or @. Using these settings in conjunction makes it very difficult, if not impossible, to mount a brute force attack.

Store password using reversible encryption for all users in the domain
Table 2.7: Settings

Domain Controller Default | Enterprise Client | High Security
Disabled | Disabled | Disabled

The Store password using reversible encryption for all users in the domain setting determines whether the operating system stores passwords using reversible encryption. This setting provides support for applications that use protocols requiring knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same thing as storing clear-text versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. The default value for this setting is Disabled. This policy is required when using the Challenge-Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Service (IAS). It is also required when using Digest Authentication in Microsoft Internet Information Services (IIS).

Ensure that the value for the Store password using reversible encryption for all users in the domain setting is configured to Disabled. This setting is disabled in the Default Domain GPO of Windows Server 2003, and in the local security policy for workstations and servers. Because of the high vulnerability that activating this setting poses, Microsoft recommends enforcing the Disabled default value in the two environments defined in this guide.

Preventing Users from Changing Passwords Except When Required
In addition to the password policies above, centralized control over all users is a requirement for some organizations. This section describes how to prevent users from changing their passwords except when they are required to do so.

Centralized control of user passwords is a cornerstone of a well-crafted Windows XP security scheme. You can use Group Policy to set minimum and maximum password ages as discussed previously. But bear in mind that requiring frequent password changes can enable users to circumvent the password-history setting for your environment. Requirements for passwords that are too long may also lead to more calls to the help desk due to users forgetting passwords.

Users can change their passwords during the period between the minimum and maximum password age settings. However, the High Security environment security design requires that users change their passwords only when the operating system prompts them to after their passwords have reached the maximum age of 42 days. The administrator can configure Windows to permit users to change passwords only when the operating system prompts them to do so. To prevent users from changing their passwords (except when required), you can disable the Change Password… button in the Windows Security dialog box that appears when you press CTRL+ALT+DELETE.

You can implement this configuration for an entire domain by using a Group Policy, or implement it for one or more specific users by editing the registry. For more detailed instructions on this configuration, see the Microsoft Knowledge Base article 324744, "How To: Prevent Users from Changing a Password Except When Required in Windows Server 2003," located at: http://support.microsoft.com/default.aspx?scid=324744. If you have a Windows 2000 domain, see the Microsoft Knowledge Base article 309799, "How To: Prevent Users from Changing a Password Except When Required in Windows 2000," located at: http://support.microsoft.com/default.aspx?scid=309799.

Account Lockout Policy
The Account Lockout Policy is an Active Directory security feature that locks a user account after a number of failed logon attempts occur within a specified period. The number of attempts allowed and the time period are based on the values configured for the security policy lockout settings. A user cannot log on to a locked account. Domain controllers track logon attempts, and the server software can be configured to respond to this type of potential attack by disabling the account for a preset period.

When configuring the Account Lockout Policy in an Active Directory domain, an administrator can set any value for the attempt and time period variables. However, if the value for the Reset account lockout counter after setting is greater than the value for the Account lockout duration setting, the domain controller automatically adjusts the value of the Account lockout duration setting to the same value as the Reset account lockout counter after setting. In addition, if the value of the Account lockout duration setting is lower than the value configured for the Reset account lockout counter after setting, the domain controller automatically adjusts the value of the Reset account lockout counter after setting to the same value as the Account lockout duration setting. Therefore, if a value for the Account lockout duration setting is defined, the value for the Reset account lockout counter after setting must be less than or equal to the value configured for the Account lockout duration setting. The domain controller does this to avoid conflicting setting values in the security policy.

If an administrator configures the Reset account lockout counter after setting to a value that is greater than the value for the Account lockout duration setting, then enforcement of the value configured for the Account lockout duration setting will expire first, and thus make it possible for the user to log back on to the network. However, the Reset account lockout counter after setting will continue to count down. Because of this, the Account lockout threshold setting will remain at the maximum of three invalid attempts, and the user will not be able to log on. To avoid this situation, the domain controller automatically resets the value for the Reset account lockout counter after setting to be equal to the value for the Account lockout duration setting.

These security policy settings help prevent attackers from guessing user passwords, and they decrease the likelihood of successful attacks on your network environment. The values in the following table can be configured in the Domain Group Policy at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy

The table below includes the Account Lockout Policy recommendations for both security environments defined in this guidance.

Account lockout duration
Table 2.8: Settings

Domain Controller Default | Enterprise Client | High Security
Not Defined | 30 minutes | 30 minutes

The Account lockout duration setting determines the length of time that must pass before an account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for the Account lockout duration setting is configured to 0, locked out accounts will remain locked out until an administrator unlocks them. The Windows XP default value for this setting is Not Defined.

To reduce the number of help desk support calls, while also providing a secure infrastructure, configure the value for the Account lockout duration setting to 30 minutes for the two environments defined in this guide. While configuring the value for this setting to never automatically unlock may seem like a good idea, doing so can increase the number of calls the help desk in your organization receives to unlock accounts that were locked by mistake. Configuring the value for this setting to 30 minutes for each of the lockdown levels decreases the chance of a denial of service (DoS) attack. This setting value also gives users the chance to log on again in 30 minutes if they are locked out of their accounts, a period of time they are more likely to accept without resorting to the help desk.

Account lockout threshold
Table 2.9: Settings

Domain Controller Default | Enterprise Client         | High Security
0 invalid logon attempts  | 50 invalid logon attempts | 50 invalid logon attempts

The Account lockout threshold setting determines the number of attempts that a user can make to log on to an account before it is locked. Authorized users can lock themselves out of an account by mistyping their password, by remembering it incorrectly, or by changing their password on one computer while logged on to another computer. The computer with the incorrect password continuously tries to authenticate the user, and because the password it is using to authenticate is incorrect, the user account is eventually locked out. This issue does not exist for organizations that only use domain controllers running Windows Server 2003 or earlier. To avoid locking out authorized users, set the account lockout threshold to a high number. The default value for this setting is 0 invalid logon attempts. Configure the value for Account lockout threshold to 50 invalid logon attempts for the two environments defined in this guide.

Because vulnerabilities can exist both when the value for this setting is configured and when it is not, distinct countermeasures for each of these possibilities are defined. Your organization should weigh the choice between the two based on the identified threats and the risks you are trying to mitigate. There are two options to consider for this setting.

● Configure the value for Account lockout threshold to 0 to ensure that accounts will not be locked out. This setting value will prevent a DoS attack aimed at intentionally locking out accounts in your organization. This will also reduce help desk calls because users cannot accidentally lock themselves out of their accounts. Because this setting will not prevent a brute force attack, only configure it to a value higher than 0 if both of the following criteria are explicitly met:
   ● The password policy forces all users to have complex passwords made up of 8 or more characters.
   ● A robust auditing mechanism is in place to alert administrators when a series of account lockouts are occurring in the environment. For example, the auditing solution should monitor for security event 539, which is a logon failure. This event means that the account was locked out at the time the logon attempt was made.

If the criteria above cannot be met, the second option is:

● Configure the Account lockout threshold setting to a high enough value to provide users with the ability to accidentally mistype their password several times without locking themselves out of their accounts, while ensuring that a brute force password attack will still lock out the account. In this case, configuring the value for this setting to a number such as 3 to 5 invalid logon attempts ensures adequate security and acceptable usability. This setting value will prevent accidental account lockouts and reduce help desk calls, but will not prevent a DoS attack as described above.
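The auditing criterion above, monitoring for event 539, can be implemented as a small detector that raises an alert when several different accounts are locked out within a short window. The Python script below is an added example and is not part of the guide or of Microsoft's tooling: the one-line-per-event export format and the log lines are constructed, and the thresholds (three distinct accounts within five minutes) are assumptions to be tuned for your environment.

```python
"""Alert on a burst of event 539 (logon failure: account locked out)
across several accounts.  Added example; the log lines are constructed."""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed export, one event per line: "date time event_id account workstation".
SAMPLE_LOG = """\
2004-03-01 09:00:05 539 jsmith  WS-101
2004-03-01 09:00:09 539 mlee    WS-101
2004-03-01 09:00:14 539 akhan   WS-101
2004-03-01 09:00:20 560 jsmith  WS-233
2004-03-01 09:00:22 539 pgarcia WS-101
2004-03-01 09:00:30 539 rwong   WS-101
2004-03-01 09:45:00 539 jsmith  WS-233
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<id>\d+)\s+(?P<acct>\S+)\s+(?P<ws>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, event_id, account, workstation) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # blank or malformed line: skip rather than abort
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               int(m["id"]), m["acct"], m["ws"])


def lockout_bursts(events, min_accounts=3, window=timedelta(minutes=5)):
    """Return one alert per burst: the first moment at which at least
    `min_accounts` distinct accounts have produced event 539 inside `window`.
    The workstations are recorded so a sweep from one host can be told apart
    from several users each mistyping their own password."""
    recent = deque()      # (ts, account, workstation) for 539 events in the window
    alerts = []
    previous_count = 0
    for ts, event_id, acct, ws in events:
        if event_id != 539:
            continue
        recent.append((ts, acct, ws))
        while ts - recent[0][0] > window:
            recent.popleft()  # drop events that have aged out of the window
        accounts = {a for _, a, _ in recent}
        if len(accounts) >= min_accounts and previous_count < min_accounts:
            alerts.append({
                "at": ts,
                "accounts": sorted(accounts),
                "workstations": sorted({w for _, _, w in recent}),
            })
        previous_count = len(accounts)
    return alerts


if __name__ == "__main__":
    for alert in lockout_bursts(parse_events(SAMPLE_LOG)):
        print(f"{alert['at']}: {len(alert['accounts'])} accounts locked out "
              f"from {', '.join(alert['workstations'])}: {', '.join(alert['accounts'])}")
```

On the constructed log the detector fires once, at 09:00:14, naming three accounts all locked out from WS-101; the lone lockout 45 minutes later is outside the window and does not alert. In production the same logic would be fed from a log collector rather than a text export, but the windowing and the per-workstation breakdown are the parts that matter.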

Reset account lockout counter after

Table 2.10: Settings

Domain Controller Default | Enterprise Client | High Security
Not Defined               | 30 minutes        | 30 minutes

The Reset account lockout counter after setting determines the length of time before the Account lockout threshold resets to zero. The default value for this setting is Not Defined. If the Account lockout threshold is defined, then this reset time must be less than or equal to the value for the Account lockout duration setting. Configure the Reset account lockout counter after setting to 30 minutes for the two environments defined in this guide.

Leaving this setting at its default value, or configuring the value at an interval that is too long, could make your environment vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, locking out their accounts as described above. If no policy is determined to reset the account lockout, administrators would have to manually unlock all accounts. Conversely, if a reasonable time value is configured for this setting, users would be locked out for a set period until all of the accounts are unlocked automatically. Therefore, the recommended setting value of 30 minutes defines a period users are more likely to accept without resorting to the help desk.
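How the three settings in Tables 2.8 to 2.10 interact, including the domain controller behaviour described at the start of this section (a reset interval longer than the lockout duration being forced down to the duration), is easier to see in a small model. The Python model below is an added example, not Microsoft code; minutes are counted from an arbitrary origin and the logon sequences are constructed.

```python
"""Model of Account lockout threshold, Account lockout duration and Reset
account lockout counter after.  Added example; not Microsoft code.  Times are
minutes from an arbitrary origin; the logon sequences are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int     # Account lockout threshold; 0 means accounts never lock
    duration: int      # Account lockout duration in minutes; 0 means until an admin unlocks
    reset_after: int   # Reset account lockout counter after, in minutes

    def __post_init__(self):
        # A domain controller will not keep a reset interval longer than the
        # lockout duration when a threshold is defined; it sets the reset
        # interval equal to the duration, as the guide describes.
        if self.threshold > 0 and self.duration > 0 and self.reset_after > self.duration:
            self.reset_after = self.duration


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None
    locked_at: Optional[int] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, name):
        return self.accounts.setdefault(name, AccountState())

    def is_locked(self, name, now):
        """True if the account is locked at minute `now`; performs the auto-unlock."""
        st = self._state(name)
        if st.locked_at is None:
            return False
        if self.policy.duration == 0:
            return True  # stays locked until admin_unlock()
        if now - st.locked_at >= self.policy.duration:
            st.locked_at, st.bad_count = None, 0  # duration elapsed: unlock
            return False
        return True

    def attempt(self, name, now, correct_password):
        """Process one logon attempt; returns 'ok', 'bad_password' or 'locked'."""
        st = self._state(name)
        if self.is_locked(name, now):
            return "locked"  # an attempt against a locked account is what event 539 records
        if correct_password:
            st.bad_count = 0
            return "ok"
        # The bad-password counter resets once the observation window has
        # passed without a further failure.
        if st.last_bad is not None and now - st.last_bad >= self.policy.reset_after:
            st.bad_count = 0
        st.bad_count += 1
        st.last_bad = now
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_at = now
            return "locked"
        return "bad_password"

    def admin_unlock(self, name):
        st = self._state(name)
        st.locked_at, st.bad_count = None, 0


def scenario_guessing_attack():
    """Guide values (50 / 30 min / 30 min): 50 wrong passwords a minute apart."""
    t = LockoutTracker(LockoutPolicy(threshold=50, duration=30, reset_after=30))
    outcomes = [t.attempt("jsmith", minute, False) for minute in range(50)]
    during = t.attempt("jsmith", 60, True)   # correct password, but 11 min into the lockout
    after = t.attempt("jsmith", 79, True)    # 30 min after the lock: automatically unlocked
    return outcomes[-2], outcomes[-1], during, after


def scenario_forgetful_user():
    """Two typos, then a third one 39 minutes later: the counter has reset."""
    t = LockoutTracker(LockoutPolicy(threshold=3, duration=30, reset_after=30))
    t.attempt("mlee", 0, False)
    t.attempt("mlee", 1, False)
    third = t.attempt("mlee", 40, False)
    return third, t.accounts["mlee"].bad_count


def scenario_duration_zero():
    """Duration 0 never auto-unlocks; only an administrator can clear it."""
    t = LockoutTracker(LockoutPolicy(threshold=3, duration=0, reset_after=30))
    for minute in range(3):
        t.attempt("akhan", minute, False)
    still_locked = t.attempt("akhan", 1000, True)
    t.admin_unlock("akhan")
    return still_locked, t.attempt("akhan", 1001, True)
```

The three scenarios correspond to the cases the text argues about: the 50-attempt threshold still locks a sustained guessing run and the 30-minute duration releases it without a help desk call; a user who mistypes twice and comes back later starts from a fresh counter; and a duration of 0 turns every accidental lockout into an administrator task.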

User Rights Assignment

User Rights assignments are covered in detail in Chapter 3, "Security Settings for Windows XP Clients." However, the Add workstations to the domain user right should be set on all domain controllers and for this reason is discussed in this chapter. Additional information on member server and domain controller settings may be found in chapters 3 and 4 of the Windows 2003 Server Security Guide.

Add workstations to domain

Table 2.11: Settings

Domain Controller Default | Enterprise Client | High Security
Authenticated Users       | Administrators    | Administrators

The Add workstations to domain user right allows the user to add a computer to a specific domain. For this right to take effect, it must be assigned to the user as part of the Default Domain Controllers Policy for the domain. A user granted this right can add up to 10 workstations to the domain. Users granted the Create Computer Objects permission for an OU or the Computers container in Active Directory can also join a computer to a domain. Users granted this permission can add an unlimited number of computers to the domain regardless of whether they have been assigned the Add workstations to a domain user right or not.

By default, all users in the Authenticated Users group have the ability to add up to 10 computer accounts to an Active Directory domain. These new computer accounts are created in the Computers container. In an Active Directory domain, each computer account is a full security principal with the ability to authenticate and access domain resources. Some organizations want to limit the number of computers in an Active Directory environment so that they can consistently track, build, and manage them. Allowing users to add workstations to the domain can hamper this effort. It also provides avenues for users to perform activities that are more difficult to trace because they can create additional unauthorized domain computers. For these reasons, the Add workstations to domain user right is granted only to the Administrators group in the two environments defined in this guide.

Security Settings

The account policy must be defined in the Default Domain Policy and is enforced by the domain controllers that make up the domain. A domain controller always obtains the account policy from the Default Domain Policy GPO, even if there is a different account policy applied to the OU that contains the domain controller. There are two policies in Security Options that also behave like account policies to consider at the domain level. You can configure the Domain Group Policy values in the following tables at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Microsoft network server: Disconnect clients when logon hours expire

Table 2.12: Settings

Domain Member Default | Enterprise Client | High Security
Not Defined           | Enabled           | Enabled

The Microsoft network server: Disconnect clients when logon hours expire setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB service to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to continue after the client's logon hours have expired. When enabling this setting, ensure that the Network security: Force logoff when logon hours expire setting is also enabled.

If your organization has configured logon hours for users, then it makes sense to enable this policy. Otherwise, users assumed to be unable to access network resources outside of their logon hours may actually be able to continue to use those resources through sessions established during allowed hours. If logon hours are not used in your organization, enabling this setting will have no impact. If logon hours are used, then existing user sessions will be forcibly terminated when their logon hours expire.

Network Access: Allow anonymous SID/NAME translation

Table 2.13: Settings

Domain Member Default | Enterprise Client | High Security
Not Defined           | Disabled          | Disabled

The Network Access: Allow anonymous SID/NAME translation setting determines if an anonymous user can request the SID for another user. If this setting is enabled on a domain controller, a user who knows an administrator's SID attributes could contact a computer that also has this policy enabled and use the SID to obtain the administrator's name. That person could then use the account name to initiate a password guessing attack. The default setting on member computers is Disabled, which will have no impact on them. However, the default setting for domain controllers is Enabled. Disabling this setting may cause legacy systems to be unable to communicate with Windows Server 2003-based domains, such as:

● Microsoft Windows NT® 4.0-based Remote Access Service servers.
● When a Web application on IIS is configured to allow Basic authentication and at the same time has Anonymous access disabled, the built-in Guest user account cannot access the Web application. In addition, if you rename the built-in Guest user account to another name, the new name cannot be used to access the Web application.
● Remote Access Service servers running on Windows 2000-based computers that are located in Windows NT 3.x domains or Windows NT 4.0 domains.

Network Security: Force Logoff when Logon Hours expire

Table 2.14: Settings

Domain Member Default | Enterprise Client | High Security
Disabled              | Enabled           | Enabled

The Network Security: Force Logoff when Logon Hours expire setting determines whether to disconnect users who are connected to a local computer outside their user account's valid logon hours. This setting affects the SMB component. Enabling this policy forcibly disconnects client sessions with the SMB server when the client's logon hours expire, and the user will be unable to log on to the system until his or her next scheduled access time. Disabling this policy maintains an established client session after the client's logon hours expire. To affect domain accounts, this setting must be defined in the Default Domain Policy.

Kerberos Policy

Policies for the Kerberos version 5 authentication protocol are configured on domain controllers, not member computers of the domain. These policies determine Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in the Local Computer Policy. In most environments, the default values for these policies should not be changed. This guidance does not provide any changes for the default Kerberos Policy. For more information on these settings, see the companion guide Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP at http://go.microsoft.com/fwlink/?LinkId=15159.

OU Level Group Policies

Security settings included in the OU Level Group Policy should be specific to the OU. These include both computer settings and user settings. To facilitate manageability and improve security, the section covering Software Restriction Policies (SRP) is separated from the other security settings in this guidance. Chapter 6, "Software Restriction Policy for Windows XP Clients," discusses SRP in detail.

Security Settings Group Policy

You will need to create a GPO for each category of Windows XP computer in your environment. Laptops and desktops are divided into separate OUs in this guidance in order to apply GPOs customized for each of these computer categories.

Software Restriction Policy Settings

Create dedicated GPOs for configuring SRP settings in your environment. There are a couple of compelling reasons to keep the SRP settings separate from the remaining Group Policy settings. First, SRP is conceptually different from other Group Policy settings. Rather than enabling or disabling options, or configuring values, SRP requires that the administrators identify the set of applications that will be supported; what restrictions will be applied; and how exceptions will be handled. Second, this method facilitates a quick recovery if a catastrophic mistake is made implementing SRP policies in the production environment: administrators can temporarily disable GPOs where SRP settings are defined without affecting any other security settings.

Group Policy Tools

There are several tools that ship with Windows XP which make working with GPOs easier. A brief overview of some of these tools is provided in the following section. For more information on these tools, see the Help for Windows XP.

Forcing a Group Policy Update

Active Directory updates Group Policy periodically, but you can force the version on your client computers to be updated by using GpUpdate, a command-line tool that ships with Windows XP Professional. The tool must be run locally on client computers. To update a local computer using the GpUpdate tool, type the following command:

    Gpupdate /force

After running GpUpdate the following confirmation information will be returned:

    C:\Documents and Settings\administrator.MSSLAB>gpupdate /force
    Refreshing Policy...

    User Policy Refresh has completed.
    Computer Policy Refresh has completed.

    To check for errors in policy processing, review the event log.

    C:\Documents and Settings\administrator.MSSLAB>

For user-based group policies, you will have to log off and log back on to the computer you are using to test policies. Computer policies should be updated immediately. To see additional options for running GpUpdate, type:

    Gpupdate /?

Viewing the Resultant Set of Policies

Two tools that ship with Windows XP allow you to determine what policies have been applied to computers in your environment, when they were applied, and in what order.

RSoP Snap-in

The Resultant Set of Policy tool (RSoP.msc) is an MMC snap-in tool that displays the aggregate settings of all policies that have been applied to a computer. The tool may be run locally or remotely from another computer. For each policy setting, the RSoP tool shows the computer setting and the source GPO.

GpResult

GpResult is a command-line tool that provides statistics on when Group Policy was most recently applied to a computer, what GPOs were applied to the computer and in what order. The tool also provides information on any GPOs that were applied through filtering. The GpResult tool can be used remotely or locally on client computers.

Summary

Group Policy is an Active Directory-based feature that is designed for controlling user and computer environments in Windows Server 2003 and Windows 2000 domains. Before applying Group Policy to the Windows XP desktops in your environment, you must perform certain preliminary steps in your domain.

Group Policy settings stored in Group Policy objects (GPOs) on the domain controllers in your environment are linked to containers, which include Web sites, domains and OUs that reside within the Active Directory structure. It is important to understand Active Directory structure and the security implications of configuring different design options within it prior to implementing Group Policy.

Group Policy is an essential tool for securing Windows XP. This chapter includes details on how you can use it to apply and maintain a consistent security policy across your network from a central location. The chapter also provides information on the different levels of Group Policy, and special tools available for Windows XP that can be used to update the Group Policy in your environment.

More Information

For more information on Active Directory management and design, see the white paper "Design Considerations for Delegation of Administration in Active Directory" on the Microsoft Web site at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/addeladm.asp

For more information on Active Directory design, see the white paper "Best Practice Active Directory Design for Managing Windows Networks" on the Microsoft Web site at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp

For more information on Group Policy, see the white paper "Step-by-Step Guide to Understanding the Group Policy Feature Set" on the Microsoft Web site at:
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp

For more information on Windows XP Security, see the Windows XP Professional Resource Kit online documentation on the Microsoft Web site at:
http://www.microsoft.com/WindowsXP/pro/techinfo/productdoc/resourcekit.asp

To find out new security information for Windows XP, see the white paper "What's New in Security for Windows XP Professional and Windows XP Home Edition" on the Microsoft Web site at:
http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xpsec.asp

For more information about Administrative Templates, see the white paper "Implementing Registry-Based Group Policy" on the Microsoft Web site at:
http://www.microsoft.com/windows2000/techinfo/howitworks/management/rbppaper.asp

For additional information on the Group Update (GpUpdate) tool, see:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/refrGP.asp

For additional information on the Resultant Set of Policy (RSoP) tool, see:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/RSPintro.asp

For more information on the Group Policy Results (GpResult) tool, see:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/gpresult.asp

For more information on delegating authority in Active Directory, see the Windows 2000 Resource Kits section on "Planning Distributed Security," at:
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/deploy/dgbe_sec_haqs.asp


3 Security Settings for Windows XP Clients

Overview

This chapter covers in detail the primary security settings configured via Group Policy in a Microsoft® Windows Server 2003™ domain. Implementing the prescribed settings will ensure that the desktops and laptops in your organization running Microsoft Windows® XP Professional are secure. Guidance is not provided on all available settings in Windows XP. Settings that are new in Windows XP Service Pack 2 are provided in Appendix A.

As described in Chapter 1, "Introduction to the Windows XP Security Guide," the guidance presented in this chapter is specific to the Enterprise Client environment and the High Security environment defined in this guide. In some instances, this guide recommends settings for laptops different from those for desktops because portable computers are mobile and not always connected to domain controllers in your environment via the corporate network. Laptop users are also assumed to work at times outside of normal working hours without on-site technical support. For these reasons, settings that require connectivity to a domain controller or that govern logon hours are different for laptop clients. Keep in mind that the guidance in this chapter comprises recommendations only, for you to tailor to your business needs.

The following table defines the infrastructure (.inf) files available with this guidance. The files contain all of the baseline security setting prescriptions for the two environments defined in this guide.

Table 3.1: Baseline Security Templates

Description                              | Enterprise Client               | High Security
Baseline security templates for desktops | Enterprise Client - desktop.inf | High Security - desktop.inf
Baseline security templates for laptops  | Enterprise Client - laptop.inf  | High Security - laptop.inf

For further details on the settings discussed in this chapter, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.

Account Policy Settings Account Policy settings are not covered in this chapter. These settings are discussed in Chapter 2, "Configuring the Active Directory Domain Infrastructure," of this guide.

Local Policy Settings

Local Policy settings may be configured locally on any computer running Windows XP Professional using the Local Security Policy Console or through Microsoft Active Directory® domain-based Group Policy objects (GPOs). Local Policy settings include Audit Policy, User Rights Assignments, and Security Options.

Audit Policy Settings

An Audit Policy determines the security events to report to administrators so that user or system activity in specified event categories is recorded. The administrator can monitor security-related activity, such as who accesses an object, when a user logs on to or off from a computer, or if changes are made to an Audit Policy setting. For all of these reasons, Microsoft recommends that you form an Audit Policy for an administrator to implement in your environment.

Before implementing an Audit Policy, you must decide which event categories need to be audited in your corporate environment. The auditing settings you choose within the event categories define your corporate auditing policy. By defining Audit Policy settings for specific event categories, an administrator can create an Audit Policy to suit the security needs of your organization.

If no auditing settings are configured, it will be difficult or impossible to determine what took place during a security incident. However, if auditing is configured so that too many authorized activities generate events, the security event logs will fill up with useless data. The following recommendations are designed to help provide a balance for decision-making on what to monitor and how to collect relevant auditing data for your organization.

The Audit Policy settings in Windows XP can be configured at the following location using the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Audit account logon events

Table 3.2: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Success, Failure          | Success, Failure         | Success, Failure      | Success, Failure

The Audit account logon events setting determines whether to audit each instance of a user logging on to another computer that validates the account. Authenticating a domain user account on a domain controller generates an account logon event. The event is logged in the domain controller's security log. Authenticating a local user on a local computer generates a logon event. The event is logged in the local security log. There are no Account logoff events logged. For these reasons, the Audit account logon events setting is configured to Success and Failure in the two environments defined in this guide.

Audit account management

Table 3.3: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Success, Failure          | Success, Failure         | Success, Failure      | Success, Failure

The Audit account management setting is used to track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. Enabling this Audit Policy setting allows an administrator to track events to detect malicious, accidental, and authorized creation of user and group accounts. The Audit account management setting is configured to Success and Failure in the two environments defined in this guide.

Audit directory service access

Table 3.4: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
No Auditing               | No Auditing              | No Auditing           | No Auditing

The Audit directory service access setting can only be enabled to perform auditing on domain controllers. For this reason, this setting is not defined at the workstation level. This setting does not apply to computers running Windows XP Professional. For this reason, ensure that the Audit directory service access setting is configured to No Auditing in the two environments defined in this guide.

Audit logon events

Table 3.5: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Success, Failure          | Success, Failure         | Success, Failure      | Success, Failure

The Audit logon events setting determines whether to audit each instance of a user logging on to or off of a computer. Records are generated from the Account logon events setting on domain controllers to monitor domain account activity and on local computers to monitor local account activity. Configuring the Audit logon events setting to No auditing makes it difficult or impossible to determine which user has either logged on or attempted to log on to computers in the enterprise. Enabling the Success value for the Audit logon events setting on a domain member will generate an event each time that someone logs on to the system, regardless of where the accounts reside on the system. If the user logs on to a local account, and the Audit account logon events setting is Enabled, the user logon will generate two events. The Audit logon events setting is configured to Success and Failure in the two environments defined in this guide.

Audit object access

Table 3.6: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Success, Failure          | Success, Failure         | Success, Failure      | Success, Failure

By itself, this setting will not cause any events to be audited. The Audit object access setting determines whether to audit the event of a user accessing an object — for example, a file, folder, registry key, printer, and so forth — that has a specified SACL. A SACL is comprised of access control entries (ACEs). Each ACE contains three pieces of information:

● The security principal (user, computer, or group) to be audited.
● The specific access type to be audited, called an access mask.
● A flag to indicate whether to audit failed access events, successful access events, or both.

Configuring this setting to Success generates an audit entry each time that a user successfully accesses an object with a specified SACL. Configuring this setting to Failure generates an audit entry each time that a user unsuccessfully attempts to access an object with a specified SACL. Corporations should define only the actions they want enabled when configuring SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track the replacement or changes to those files, which computer viruses, worms, and Trojan horses will commonly cause. Similarly, you might want to track changes to or even the reading of sensitive documents.
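The point made above, that the Audit object access setting and an object's SACL must both be in place before an access generates an event, can be checked with a small model. The Python code below is an added example, not Microsoft code: it evaluates an access attempt against a policy value and a list of audit ACEs. The access-mask constants are the Windows file access rights, the SIDs for Authenticated Users (S-1-5-11) and Everyone (S-1-1-0) are the well-known values, and the user's own SID, the SACLs and the access attempts are constructed.

```python
"""Does an access attempt produce an Audit object access event?  Both the
policy value and a matching ACE in the object's SACL are required.  Added
example; SACLs and the user's own SID are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Windows file access-mask bits (subset).
FILE_READ_DATA = 0x0001    # "List Folder / Read Data" in the Auditing Entry dialog
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004
FILE_EXECUTE = 0x0020

# Policy value encoding as used in security templates: bit 1 = Success, bit 2 = Failure.
AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_BOTH = 0, 1, 2, 3

AUTHENTICATED_USERS = "S-1-5-11"   # well-known SID
EVERYONE = "S-1-1-0"               # well-known SID


@dataclass(frozen=True)
class AuditAce:
    principal: str        # SID of the user, computer or group to audit
    access_mask: int      # access types to audit
    audit_success: bool
    audit_failure: bool


def ace_matches(ace: AuditAce, token_sids: Set[str], requested: int, succeeded: bool) -> bool:
    """An ACE applies when the principal is in the caller's token, at least one
    requested access type is in the ACE's mask, and the ACE audits this outcome."""
    if ace.principal not in token_sids:
        return False
    if not (ace.access_mask & requested):
        return False
    return ace.audit_success if succeeded else ace.audit_failure


def generates_audit_event(policy: int, sacl: Iterable[AuditAce], token_sids: Set[str],
                          requested: int, succeeded: bool) -> bool:
    """True when the access is written to the Security log."""
    policy_bit = AUDIT_SUCCESS if succeeded else AUDIT_FAILURE
    if not policy & policy_bit:
        return False  # the policy is the gate: with No Auditing, SACLs are ignored
    return any(ace_matches(ace, token_sids, requested, succeeded) for ace in sacl)


# Constructed SACLs.  The first is what the step-by-step procedure in this
# chapter creates: Authenticated Users, List Folder / Read Data, Successful and Failed.
SENSITIVE_FOLDER_SACL: List[AuditAce] = [
    AuditAce(AUTHENTICATED_USERS, FILE_READ_DATA, audit_success=True, audit_failure=True),
]
# The second follows the executable-file suggestion: audit Write and Append Data.
EXECUTABLE_SACL: List[AuditAce] = [
    AuditAce(EVERYONE, FILE_WRITE_DATA | FILE_APPEND_DATA, audit_success=True, audit_failure=True),
]
# Constructed token for an ordinary domain user (own SID plus the groups above).
USER_TOKEN = {"S-1-5-21-0-0-0-1105", AUTHENTICATED_USERS, EVERYONE}


def expected_events(policy: int):
    """Summarise, for one policy value, which constructed accesses are logged."""
    return {
        "read sensitive folder (success)": generates_audit_event(
            policy, SENSITIVE_FOLDER_SACL, USER_TOKEN, FILE_READ_DATA, True),
        "read sensitive folder (failure)": generates_audit_event(
            policy, SENSITIVE_FOLDER_SACL, USER_TOKEN, FILE_READ_DATA, False),
        "run executable (success)": generates_audit_event(
            policy, EXECUTABLE_SACL, USER_TOKEN, FILE_EXECUTE, True),
        "overwrite executable (success)": generates_audit_event(
            policy, EXECUTABLE_SACL, USER_TOKEN, FILE_WRITE_DATA, True),
    }
```

Running expected_events with the Enterprise Client value (Failure only) shows that a successful read of the audited folder and a successful overwrite of the executable are not logged at all, which is the trade-off that setting makes; with the High Security value both are logged, while running the executable is never logged because no ACE covers the execute right.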

The Audit object access setting is configured to Failure in the Enterprise environment and to Success and Failure in the High Security environment defined in this guide.

The following procedures detail how to manually set up auditing rules on a file or folder, and then test each audit rule for each object in the specified file or folder. This procedure may be automated via scripting.

To define an audit rule for a file or folder:

1. Locate the file or folder using Windows Explorer and select it.
2. Click the File menu and select Properties.
3. Click the Security tab, and then click the Advanced button.
4. Click the Auditing tab.
5. Click the Add button, and the Select User, Computer, or Group dialog box will appear.
6. Click the Object Types… button, and then in the Object Types dialog box, select the object types you want to find.

Note: The User, Group, and Built-in security principal object types are selected by default.

7. Click the Locations… button, then in the Location: dialog box, select either your domain or local computer.
8. In the Select User or Group dialog box, type the name of the group or user you want to audit. Then, in the Enter the object names to select dialog box, type Authenticated Users in order to audit the access of all authenticated users, and click OK. The Auditing Entry dialog box opens.
9. Determine the type of access you want to audit on the file or folder using the Auditing Entry dialog box.

Note: Keep in mind that each access may generate multiple events in the Event Log, causing the log to grow rapidly.

10. In the Auditing Entry dialog box, next to List Folder / Read Data, select Successful and Failed, and click OK.
11. The audit entries you have enabled will appear under the Auditing tab of the Advanced Security Settings dialog box.
12. Click OK to close the Properties dialog box.

Use the following procedure to test each of the audit rules that you have configured.

To test an audit rule for the file or folder:

1. Open the file or folder.
2. Close the file or folder.
3. Start Event Viewer. Several Object Access events with Event ID 560 will appear in the Security Event Log.
4. Double-click the events as needed to view details on them.

Audit policy change

Table 3.7: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Success                   | Success                  | Success               | Success

The Audit policy change setting determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. This includes making changes to the audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate — for example, by adding the Debug programs privilege or the Back up files and directories privilege. The Audit policy change setting is configured to Success in the two environments described in this guide. Including the setting value for Failure will not provide meaningful access information in the Security Event Log. See the Microsoft Windows Security Resource Kit referenced in the More Information section of this chapter for additional information.

Audit privilege use

Table 3.8: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Failure                   | Failure                  | Failure               | Failure

The Audit privilege use setting determines whether to audit each instance of a user exercising a user right. Configuring this value to Success generates an audit entry each time that a user right is exercised successfully. Configuring this value to Failure generates an audit entry each time that a user right is exercised unsuccessfully. Enabling privilege auditing generates a very large number of event records. The Audit privilege use setting is configured to Failure in the two environments to audit all unsuccessful attempts to use extra privileges.

Audit process tracking

Table 3.9: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
No Auditing               | No Auditing              | No Auditing           | No Auditing

The Audit process tracking setting determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so typically it is set to No Auditing. However, these settings can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched. The Audit process tracking setting is configured to No Auditing in the two environments defined in this guide.

Audit system events

Table 3.10: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Success                   | Success                  | Success, Failure      | Success, Failure

The Audit system events setting is very important because it allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that impact the entire system. The Audit system events setting is configured to Success in the Enterprise Client environment. However, for additional security this setting is configured to Success and Failure in the High Security environment.

User Rights Assignment Settings

In conjunction with many of the privileged groups in Windows XP Professional, a number of user rights may be assigned to users or groups to grant them privileges above those of normal users. Not all of these additional user rights apply to Windows XP Professional, but many do. To set the value of a user right to No One, enable the setting, but do not add any users or groups to it. To set the value of a user right to Not Defined, do not enable the setting.

The User Rights Assignment settings can be configured in Windows XP at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Access this computer from the network

Table 3.11: Settings

Enterprise Client Desktop: Administrators, Backup Operators, Power Users, Users
Enterprise Client Laptop:  Administrators, Backup Operators, Power Users, Users
High Security Desktop:     Administrators, Users
High Security Laptop:      Administrators, Users

The Access this computer from the network user right allows a user to connect to the computer from the network. This user right is required by a number of network protocols, including Server Message Block (SMB)-based protocols, Network Basic Input/Output System (NetBIOS), Common Internet File System (CIFS), and Component Object Model Plus (COM+). The Access this computer from the network user right is restricted to the Administrators, Backup Operators, Power Users, and Users groups in the Enterprise Client environment, and to only Administrators and Users in the High Security environment.

Act as part of the operating system

Table 3.12: Settings

Enterprise Client Desktop: No One
Enterprise Client Laptop:  No One
High Security Desktop:     No One
High Security Laptop:      No One

The Act as part of the operating system user right allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. For this reason, the Act as part of the operating system right is restricted to No One in both environments defined in this guide.

Adjust memory quotas for a process

Table 3.13: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators, Local Service, Network Service
High Security Laptop:      Administrators, Local Service, Network Service

The Adjust memory quotas for a process user right allows a user to adjust the maximum memory available to a process. This privilege is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack. For this reason, the Adjust memory quotas for a process user right is restricted to Administrators, Local Service, and Network Service in the High Security environment, and configured to Not Defined in the Enterprise Client environment.

Allow log on locally

Table 3.14: Settings

Enterprise Client Desktop: Users, Administrators
Enterprise Client Laptop:  Users, Administrators
High Security Desktop:     Users, Administrators
High Security Laptop:      Users, Administrators

The Allow log on locally user right determines which users can interactively log on to computers in your environment. Logons initiated by pressing the CTRL+ALT+DEL key sequence on the keyboard attached to the client require the user to have this logon right. Users attempting to log on via Terminal Services or Microsoft Internet Information Services (IIS) also require this right. The Guest account is granted this user right by default. Although this account is disabled by default, Microsoft recommends enabling this right via Group Policy. However, this privilege in general should be restricted to the Administrators and Users groups. Grant this right to the Backup Operators group if your company requires this group to have this privilege. The Allow log on locally user right is restricted to the Users and Administrators groups in the two environments defined in this guide.

Allow log on through Terminal Services

Table 3.15: Settings

Enterprise Client Desktop: Administrators, Remote Desktop Users
Enterprise Client Laptop:  Administrators, Remote Desktop Users
High Security Desktop:     No One
High Security Laptop:      No One

The Allow log on through Terminal Services user right determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users need this right. If you are using Remote Assistance as part of your corporate Help Desk strategy, create a group and grant it this right via Group Policy. If the Help Desk in your organization does not use Remote Assistance, then only grant this right to the Administrators group, or use the restricted groups feature to ensure that no user accounts are part of the Remote Desktop Users group. Restricting this right to the Administrators group, and possibly the Remote Desktop Users group, will prevent unwanted users from gaining access to computers on your network via the new Remote Assistance feature in Windows XP Professional. For these reasons, the Allow log on through Terminal Services user right is restricted to Administrators and Remote Desktop Users in the Enterprise Client environment, and for additional security this right is configured to No One in the High Security environment.

Back up files and directories

Table 3.16: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Back up files and directories user right allows users to circumvent file and directory permissions to back up the system. This right is enabled only when an application attempts to access a file or directory using the NTFS file system backup application programming interface (API), for example, NTBACKUP.EXE. Otherwise, normal file and directory permissions apply. For this reason, the Back up files and directories user right is restricted to the Administrators group only in the High Security environment. No groups are prescribed for this user right in the Enterprise Client environment.

Change the system time

Table 3.17: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Change the system time user right determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users assigned this user right can affect the appearance of event logs. Changing the system time causes logged events to reflect the new time, not the actual time that the events occurred. The Change the system time user right is configured to Not Defined in the Enterprise Client environment, and restricted to the Administrators group in the High Security environment.

Note: Discrepancies between the time on the local computer and on the domain controllers in your environment may cause problems for the Kerberos authentication protocol, which could make it impossible for users to log on to the domain or to get authorization to access domain resources after logging on to the network. In addition, problems will occur when applying Group Policy to clients if the system time is not synchronized with the domain controllers.

Create a pagefile

Table 3.18: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Create a pagefile user right allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised machine. The Create a pagefile user right is configured to Not Defined in the Enterprise Client environment, and restricted to the Administrators group in the High Security environment.

Create permanent shared objects

Table 3.19: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     No One
High Security Laptop:      No One

The Create permanent shared objects user right allows a user to create a directory object in the object namespace. This means that users with this privilege can create shared folders, printers, and other objects. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode have this privilege inherently. Therefore, it is normally not necessary to specifically assign this privilege. For these reasons, the Create permanent shared objects user right is configured to Not Defined in the Enterprise Client environment, and to No One in the High Security environment.

Create a token object

Table 3.20: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     No One
High Security Laptop:      No One

The Create a token object user right allows a process to create an access token, which may provide elevated rights to access sensitive data. In environments where high security is a concern, this right should not be granted to any users. Any processes that require this privilege should utilize the Local System account, which has this right by default. The Create a token object user right is configured to Not Defined in the Enterprise Client environment, and restricted to No One in the High Security environment.

Debug programs

Table 3.21: Settings

Enterprise Client Desktop: Administrators
Enterprise Client Laptop:  Administrators
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Debug programs user right determines which users can attach a debugger to any process or to the kernel. This user right provides complete access to sensitive and critical operating system components. The risk of attackers exploiting this user right is mitigated by the fact that the Debug programs user right is by default assigned only to the Administrators group.

Deny access to this computer from the network

Table 3.22: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Everyone
High Security Laptop:      Everyone

The Deny access to this computer from the network user right prohibits users from connecting to a computer from across the network. Users who are not denied this right can access and potentially modify data on the computer remotely. In a high security environment, there should be no need for remote users to access data on a workstation. Instead, file sharing should be performed through the use of network servers. The Deny access to this computer from the network user right is applied to the Everyone group in the High Security environment, and is configured to Not Defined in the Enterprise Client environment.

Deny log on locally

Table 3.23: Settings

Enterprise Client Desktop: Support_388945a0, Guest
Enterprise Client Laptop:  Support_388945a0, Guest
High Security Desktop:     Support_388945a0, Guest, Any service accounts
High Security Laptop:      Support_388945a0, Guest, Any service accounts

The Deny log on locally user right prohibits users from logging on directly to a computer console. If unauthorized users have the ability to log on locally on a machine, they could potentially download malicious code that could elevate their privilege on the machine. Additionally, if attackers have physical access to the console, there are other risks that should be considered, but this right should only be granted to those users that need physical access to the computer console. The Deny log on locally user right is applied to the Support_388945a0 and the Guest account in both environments. Additionally, any service accounts used on the machine should be restricted using this right to prevent their abuse in the High Security environment.

Deny log on through Terminal Services

Table 3.24: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Everyone
High Security Laptop:      Everyone

The Deny log on through Terminal Services user right prohibits users from logging on to computers in your environment using a Remote Desktop connection. Restricting members of the Everyone group from logging on through Terminal Services also prevents members of the default Administrators group from using Terminal Services to log on to computers in your environment. The Deny log on through Terminal Services user right is restricted to the Everyone group in the High Security environment, and is configured to Not Defined in the Enterprise Client environment.

Enable computer and user accounts to be trusted for delegation

Table 3.25: Settings

Enterprise Client Desktop: No One
Enterprise Client Laptop:  No One
High Security Desktop:     No One
High Security Laptop:      No One

The Enable computer and user accounts to be trusted for delegation user right allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network. For this reason, the Enable computer and user accounts to be trusted for delegation user right is granted to No One in both security environments.

Force shutdown from a remote system

Table 3.26: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Force shutdown from a remote system user right allows users to shut down computers running Windows XP from a remote location on the network. Any user with access to shut down a computer in your environment can cause a DoS condition, making the computer unavailable to service user requests. Thus, Microsoft recommends restricting this user right to only highly trusted administrators. For this reason, the Force shutdown from a remote system user right is restricted to the Administrators group in the High Security environment, and is configured to Not Defined in the Enterprise Client security environment.

Generate Security Audits

Table 3.27: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Local Service, Network Service
High Security Laptop:      Local Service, Network Service

The Generate Security Audits user right determines which users or processes can generate audit records in the security log. This right can be abused by an attacker who wants to create a large number of audited events to make it more difficult for a system administrator to locate any illicit activity. Additionally, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities can be overwritten by a large flood of unrelated events. For this reason, the Generate Security Audits user right is configured for the Local Service and Network Service groups in the High Security environment defined in this guide. This right is Not Defined in the Enterprise Client environment for flexibility, but the same values should be used there because they are the defaults.

Increase scheduling priority

Table 3.28: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Increase scheduling priority user right allows users to change the amount of processor time that a process utilizes. By increasing a process priority to real-time, an attacker may be able to create a denial of service condition for a machine. For this reason, the Increase scheduling priority user right is configured for the Administrators group in the High Security environment defined in this guide. The Enterprise Client environment leaves this right Not Defined for flexibility, but the same value should be used because it is the default.

Load and unload device drivers

Table 3.29: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Load and unload device drivers user right allows users to dynamically load a new device driver on a system. An attacker could potentially use this right to install malicious code that appears to be a device driver. This right, along with membership of either the Power Users group or the Administrators group, is required for users to add local printers or printer drivers on Windows XP. For this reason, the Load and unload device drivers user right is configured for the Administrators group in the High Security environment defined in this guide. The Enterprise Client environment leaves this right Not Defined for flexibility.

Log on as a batch job

Table 3.30: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     No One
High Security Laptop:      No One

The Log on as a batch job user right allows users to log on using the task scheduler service. The task scheduler is often used for administrative purposes, so it may be needed in the Enterprise Client environment. However, its use should be restricted in the High Security environment to prevent misuse of system resources and to prevent attackers from using the right to launch malicious code after gaining user-level access to a machine. For this reason, the Log on as a batch job user right is configured for No One in the High Security environment defined in this guide. The Enterprise Client environment leaves this right Not Defined for flexibility.

Log on as a service

Table 3.31: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     No One
High Security Laptop:      No One

The Log on as a service user right allows accounts to launch network services or to register a process as a service running on the system. This right should be restricted on any machine in a high security environment, but because many applications may require this privilege, it should be carefully evaluated and tested before configuring it in an enterprise. The Log on as a service user right is Not Defined in the Enterprise Client environment, and is granted to No One in the High Security environment defined in this guide.

Manage auditing and security log

Table 3.32: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Manage auditing and security log user right determines which users can change the auditing options for files and directories as well as clear the security log. Because this is a relatively small threat, the Manage auditing and security log user right enforces the default value of the Administrators group in the High Security environment, and is configured to Not Defined in the Enterprise Client environment.

Modify firmware environment variables

Table 3.33: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Modify firmware environment variables user right allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values could lead to a hardware failure, resulting in a Denial of Service condition. Because this is a relatively small threat, the Modify firmware environment variables user right enforces the default value of the Administrators group in the High Security environment, and is configured to Not Defined in the Enterprise Client environment.

Perform volume maintenance tasks

Table 3.34: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Perform volume maintenance tasks user right allows users to manage the system's volume or disk configuration. This right could allow a user to delete a volume, resulting in data loss and a Denial of Service condition. The Perform volume maintenance tasks user right enforces the default value of the Administrators group in the High Security environment, and is configured to Not Defined in the Enterprise Client environment.

Profile single process

Table 3.35: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Profile single process user right determines which users can use tools to monitor the performance of nonsystem processes. Ordinarily, you do not need to configure this user right to use the Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI). Restricting the Profile single process user right prevents intruders from gaining additional information that could be used to mount an attack on the system. The Profile single process user right is restricted to the Administrators group in the High Security environment, and configured to Not Defined in the Enterprise Client environment.

Profile system performance

Table 3.36: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Profile system performance user right allows users to use tools to view the performance of different system processes. This right could be abused to allow attackers to determine what processes are running on a system, giving them insight into the potential attack surface of the computer. The Profile system performance user right enforces the default of the Administrators group in the High Security environment, and is configured to Not Defined in the Enterprise Client environment.

Replace a process level token

Table 3.37: Settings

Enterprise Client Desktop: Local Service, Network Service
Enterprise Client Laptop:  Local Service, Network Service
High Security Desktop:     Local Service, Network Service
High Security Laptop:      Local Service, Network Service

The Replace a process level token user right allows one process or service to start another service or process with a different security access token. This right can be utilized to modify the security access token of that sub-process, which may result in the escalation of privileges. The Replace a process level token user right is restricted to the default values of Local Service and Network Service in both environments.

Restore files and directories

Table 3.38: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators, Users

The Restore files and directories user right determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers running Windows XP in your environment. This user right also determines which users can set valid security principals as object owners. This right is similar in nature to the Back up files and directories user right. The Restore files and directories user right is restricted to the Administrators group in the High Security environment for desktops, and to the Administrators and Users groups in the High Security environment for laptops. The Users group is included in the High Security environment for laptop clients because mobile users may need to restore files while away from their corporate offices. However, this setting is configured to Not Defined in the Enterprise Client environment.

Shut down the system

Table 3.39: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Users, Administrators
High Security Laptop:      Users, Administrators

The Shut down the system user right determines which users logged on locally to the computers in your environment can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service. In a high security environment, Microsoft recommends only granting this right to the Administrators and Users groups. There is no prescribed restriction for this user right in the Enterprise Client environment. The Shut down the system user right is restricted to the Administrators and Users groups in the High Security environment. However, this user right is left at the default Not Defined in the Enterprise Client environment.

Take ownership of files or other objects

Table 3.40: Settings

Enterprise Client Desktop: Not Defined
Enterprise Client Laptop:  Not Defined
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Take ownership of files or other objects user right allows users to take ownership of files, folders, registry keys, processes, or threads. Using this right bypasses any permissions that are in place to protect the object, and gives ownership to the specified user. The Take ownership of files or other objects user right is restricted to the default value of the Administrators group in the High Security environment. However, this user right is Not Defined in the Enterprise Client environment.
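As an added example that is not part of the guide or its templates, the following Python script reads a secedit-style security template export and compares the audit policy settings (Tables 3.8 to 3.10) and a subset of the user rights above with the High Security desktop column, reporting the No One versus Not Defined distinction explained at the start of this section. The privilege constant names, the 0/1/2/3 audit encoding and the well-known SIDs are standard Windows values assumed here rather than given on the page; the export text is constructed for the demonstration.

```python
"""Compare a secedit-style template export against the guide's High
Security desktop baseline (audit policy and selected user rights)."""
import re

# Standard Windows well-known SIDs for the groups the guide names
# (assumed, not taken from the page).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# secedit encodes audit policy as 0 none, 1 success, 2 failure, 3 both.
AUDIT_FLAGS = {0: "No Auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# High Security desktop column for the settings covered here. An empty set
# means "No One" (right present, no principals); a right absent from the
# export is reported as "Not Defined", which is a different state.
HIGH_SECURITY_DESKTOP = {
    "AuditPrivilegeUse": "Failure",
    "AuditProcessTracking": "No Auditing",
    "AuditSystemEvents": "Success, Failure",
    "SeNetworkLogonRight": {"Administrators", "Users"},
    "SeTcbPrivilege": set(),
    "SeRemoteInteractiveLogonRight": set(),
    "SeDebugPrivilege": {"Administrators"},
    "SeDenyNetworkLogonRight": {"Everyone"},
    "SeAssignPrimaryTokenPrivilege": {"Local Service", "Network Service"},
    "SeBatchLogonRight": set(),
    "SeRestorePrivilege": {"Administrators"},
}

# Constructed export with three deliberate deviations from the baseline:
# system events audit success only, Power Users granted network logon,
# and the Terminal Services logon right left undefined instead of No One.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 1
AuditPrivilegeUse = 2
AuditProcessTracking = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547
SeTcbPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-1-0
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeBatchLogonRight =
SeRestorePrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text):
    """Return {section: {key: value}} for an INF-style template; a key with
    an empty value is kept so that 'No One' stays distinguishable."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def resolve_principals(value):
    """Map a comma-separated '*SID' list to names; unknown entries (such as
    account names written without a SID) are kept verbatim."""
    names = set()
    for item in filter(None, (p.strip() for p in value.split(","))):
        if item.startswith("*"):
            names.add(WELL_KNOWN_SIDS.get(item[1:], item))
        else:
            names.add(item)
    return names


def check_template(text, baseline=HIGH_SECURITY_DESKTOP):
    """Return a list of (setting, expected, actual); empty means compliant."""
    sections = parse_template(text)
    audit = sections.get("Event Audit", {})
    rights = sections.get("Privilege Rights", {})
    findings = []
    for setting, expected in baseline.items():
        if setting.startswith("Audit"):
            actual = AUDIT_FLAGS.get(int(audit[setting]), "?") if setting in audit else "Not Defined"
        elif setting in rights:
            actual = resolve_principals(rights[setting])
        else:
            actual = "Not Defined"
        if actual != expected:
            findings.append((setting, expected, actual))
    return findings


if __name__ == "__main__":
    for setting, expected, actual in check_template(SAMPLE_EXPORT):
        print(f"{setting}: expected {expected or 'No One'}, found {actual or 'No One'}")
```

On a real client the export to check would come from secedit /export /cfg, and the baseline dictionary would be extended to the remaining rights in Tables 3.11 to 3.40 and to the laptop column where it differs.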

Security Option Settings

The Security Options settings applied via Group Policy to the computers running Windows XP in your environment are used to enable or disable such things as the digital signing of data, administrator and guest account names, floppy disk drive and CD-ROM drive access, driver installation behavior, and logon prompts.

The Security Options settings can be configured in Windows XP at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Not all of the security settings included in this section exist on all types of systems. Therefore, the settings that comprise the Security Options portion of Group Policy defined in this section may need to be manually modified on systems in which these settings are present to make them fully operable. Alternatively, the Group Policy templates can be edited individually to include the appropriate setting options so that the settings prescriptions will take full effect.

Accounts: Guest account status

Table 3.41: Settings

Enterprise Client Desktop: Disabled
Enterprise Client Laptop:  Disabled
High Security Desktop:     Disabled
High Security Laptop:      Disabled

The Accounts: Guest account status security option setting determines whether the Guest account is enabled or disabled. This account allows unauthenticated network users to gain access to the system by logging on as Guest. Therefore, this security option setting is configured to Disabled in both environments defined in this guide.

Accounts: Limit local account use of blank passwords to console logon only

Table 3.42: Settings

Enterprise Client Desktop: Enabled
Enterprise Client Laptop:  Enabled
High Security Desktop:     Enabled
High Security Laptop:      Enabled

The Accounts: Limit local account use of blank passwords to console logon only security option setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. Enabling this setting prevents a local account with a blank password from logging on to the computer from a remote client over the network; local accounts that are not password protected will only be able to log on physically via the keyboard of the computer. The Accounts: Limit local account use of blank passwords to console logon only setting is configured to Enabled in the two environments defined in this guide.

Accounts: Rename administrator account

Table 3.43: Settings

Enterprise Client Desktop: Recommended
Enterprise Client Laptop:  Recommended
High Security Desktop:     Recommended
High Security Laptop:      Recommended

The built-in local administrator account is a well-known account name that attackers will prey on. Microsoft recommends choosing another name for this account, and avoiding names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator using the Computer Management console. For these reasons, Microsoft recommends using the Accounts: Rename administrator account setting to rename this account to something that does not denote either an administrative or elevated privilege access account. This recommendation applies to the two environments defined in this guide.

Note: This setting is not configured in the security templates, and a new username for the account is not suggested here so that organizations implementing this guidance will not use the same new username for the administrator account in their environments.

Accounts: Rename guest account

Table 3.44: Settings

Enterprise Client Desktop: Recommended
Enterprise Client Laptop:  Recommended
High Security Desktop:     Recommended
High Security Laptop:      Recommended

The built-in local Guest account is another well-known name to hackers. Microsoft also recommends renaming this account to something that does not denote a guest user. Even after disabling the Guest account, which is recommended, ensure that you rename it for added security. For these reasons, Microsoft recommends using the Accounts: Rename guest account setting to rename this account to something that does not denote either a guest or elevated privilege access account. This recommendation applies to the two environments defined in this guide.

Note: This setting is not configured in the security templates, and a new username for the account is not suggested here so that organizations implementing this guidance will not use the same new username for the guest account in their environments.

Devices: Allow undock without having to log on

Table 3.45: Settings

Enterprise Client Desktop: Disabled
Enterprise Client Laptop:  Disabled
High Security Desktop:     Disabled
High Security Laptop:      Disabled

The Devices: Allow undock without having to log on security option setting determines whether a portable computer can be undocked without the user having to log on to the system. Enabling this setting eliminates a logon requirement and allows using an external hardware eject button to undock the computer. Disabling this setting means a user must be granted the Remove computer from docking station user right (not defined in this guidance) in order to undock the computer without logging on to the system. The Devices: Allow undock without having to log on setting is configured to Disabled for the two environments defined in this guide.

Devices: Allowed to format and eject removable media

Table 3.46: Settings

Enterprise Client Desktop: Administrators, Interactive Users
Enterprise Client Laptop:  Administrators, Interactive Users
High Security Desktop:     Administrators
High Security Laptop:      Administrators

The Devices: Allowed to format and eject removable media setting determines who is allowed to format and eject removable media. Restricting this privilege prevents unauthorized users from removing media from one computer to access it from another computer on which they have local administrator privileges. For this reason, the Devices: Allowed to format and eject removable media setting is restricted to the Administrators and Interactive Users groups in the Enterprise Client environment, and to the Administrators group only for added security in the High Security environment.

Devices: Prevent users from installing printer drivers

Table 3.47: Settings

Enterprise Client Desktop: Enabled
Enterprise Client Laptop:  Disabled
High Security Desktop:     Enabled
High Security Laptop:      Disabled

It is feasible for a hacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it in order to print, but the program may instead unleash malicious code on your computer network. Allowing only administrators to install printer drivers in the majority of cases reduces the chance that an unsuspecting user will compromise his or her computer by installing an unreliable driver. Since laptops are mobile devices, laptop users may need to occasionally install a printer driver from a remote source in order to continue their work. Therefore, this setting should be disabled for laptop users, but always enabled for desktop users. The Devices: Prevent users from installing printer drivers setting is therefore configured to Enabled for desktops in the two environments defined in this guide. The setting is configured to Disabled for laptop users in both environments.

Devices: Restrict CD-ROM access to locally logged-on user only
Table 3.48: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Disabled | Disabled

The Devices: Restrict CD-ROM access to locally logged-on user only setting determines whether the CD-ROM drive is accessible to both local and remote users simultaneously. Enabling this setting allows only interactively logged-on users to access media in the CD-ROM drive. When this setting is enabled and no one is logged on, the CD-ROM drive can be accessed over the network. The Devices: Restrict CD-ROM access to locally logged-on user only setting is configured to Disabled in the two environments defined in this guide.

Devices: Restrict floppy access to locally logged-on user only
Table 3.49: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Disabled | Disabled

The Devices: Restrict floppy access to locally logged-on user only setting determines whether the floppy drive is accessible to both local and remote users simultaneously. Enabling this setting allows only interactively logged-on users to access floppy drive media. When this setting is enabled and no one is logged on, floppy drive media can be accessed over the network. The Devices: Restrict floppy access to locally logged-on user only setting is configured to Disabled in the two environments defined in this guide.

Devices: Unsigned driver installation behavior
Table 3.50: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Warn but allow installation | Warn but allow installation | Do not allow installation | Do not allow installation

The Devices: Unsigned driver installation behavior security option setting determines what happens when an attempt is made to install a device driver (by means of the Setup API) that has not been approved and signed by the Windows Hardware Quality Lab (WHQL). This option either prevents the installation of unsigned drivers or warns the administrator that an unsigned driver is about to be installed. This can prevent the installation of drivers that have not been certified to run on Windows XP. One potential problem with configuring this setting to the Warn but allow installation value is that unattended installation scripts will fail when installing unsigned drivers. For this reason, the Devices: Unsigned driver installation behavior setting is configured to the Warn but allow installation option in the Enterprise Client environment, and to the Do not allow installation option for added security in the High Security environment.

Note: When implementing this setting in the High Security environment defined in this guide, the clients should be fully configured with all of your standard software applications before Group Policy is applied, to mitigate the risk of this setting causing installation errors.

Domain member: Digitally encrypt or sign secure channel data (always)
Table 3.51: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Not Defined | Not Defined | Enabled | Enabled

The Domain member: Digitally encrypt or sign secure channel data (always) security option setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secure channel with a domain controller that is not capable of signing or encrypting all secure channel traffic. This security option is configured to Not Defined in the Enterprise Client environment and to Enabled in the High Security environment.

Domain member: Digitally encrypt secure channel data (when possible)
Table 3.52: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The Domain member: Digitally encrypt secure channel data (when possible) security option setting determines whether a domain member may attempt to negotiate encryption for all secure channel traffic that it initiates. Enabling this setting causes the domain member to request encryption of all secure channel traffic. Disabling this setting prevents the domain member from negotiating secure channel encryption. Therefore, this setting is configured to Enabled in both of the environments defined in this guide.

Domain member: Digitally sign secure channel data (when possible)
Table 3.53: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The Domain member: Digitally sign secure channel data (when possible) security option setting determines whether a domain member may attempt to negotiate signing for all secure channel traffic that it initiates. Signing protects the traffic from being modified by anyone who captures the data en route. This setting is configured to Enabled in both of the environments defined in this guide.

Domain member: Disable machine account password changes
Table 3.54: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Disabled | Disabled

The Domain member: Disable machine account password changes security option setting determines whether a domain member may periodically change its computer account password. Enabling this setting prevents the domain member from changing its computer account password. Disabling this setting allows the domain member to change its computer account password as specified by the Domain member: Maximum machine account password age setting, which by default is every 30 days. Computers that are no longer able to automatically change their account passwords are at risk of an attacker determining the password for the system's domain account. Therefore, this countermeasure is configured to Disabled in both of the environments defined in this guide.

Domain member: Maximum machine account password age
Table 3.55: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
30 days | 30 days | 30 days | 30 days

The Domain member: Maximum machine account password age security option setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. Increasing this interval significantly, or setting it to 0 so that the computers no longer change their passwords, gives an attacker more time to undertake a brute force password guessing attack against one of the computer accounts. Therefore, this setting is configured to 30 days in both of the environments defined in this guide.

Domain member: Require strong (Windows 2000 or later) session key
Table 3.56: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

When the Domain member: Require strong (Windows 2000 or later) session key setting is enabled, a secure channel may only be established with domain controllers capable of encrypting secure channel data using a strong (128-bit) session key. In order to enable this setting, all domain controllers in the domain must be capable of encrypting secure channel data using a strong key, which means that all domain controllers must be running Microsoft Windows 2000 or later. If communication with non-Windows 2000 domains is required, Microsoft recommends disabling this setting. The Domain member: Require strong (Windows 2000 or later) session key setting is configured to Enabled in both of the environments defined in this guide.

Interactive logon: Do not display last user name
Table 3.57: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The Interactive logon: Do not display last user name setting determines whether the account name of the last user to log on to a client in your environment is displayed on that computer's Windows logon screen. Enabling this setting prevents intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The Interactive logon: Do not display last user name setting is configured to Enabled in the two environments defined in this guide.

Interactive logon: Do not require CTRL+ALT+DEL
Table 3.58: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Disabled | Disabled

The CTRL+ALT+DEL key combination establishes a trusted path to the operating system when a user enters a user name and password. When the Interactive logon: Do not require CTRL+ALT+DEL setting is enabled, users are not required to use this key combination to log on to the network. Enabling this setting poses a security risk because it provides an opportunity for users to log on to the client using weaker logon credentials. The Interactive logon: Do not require CTRL+ALT+DEL setting is configured to Disabled in the two environments defined in this guide.

Interactive logon: Message text for users attempting to log on
Table 3.59: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted.

The Interactive logon: Message text for users attempting to log on security option setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. The message text setting is recommended for all three environments.

Note: Any warning that you display should first be approved by your organization's legal and human resources representatives. In addition, both the Interactive logon: Message text for users attempting to log on and the Interactive logon: Message title for users attempting to log on settings must be enabled in order for either one to work properly.

Interactive logon: Message title for users attempting to log on
Table 3.60: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION.

The Interactive logon: Message title for users attempting to log on security option setting specifies the text that appears in the title bar of the window containing the logon message that users see when they log on to the system. The reasoning behind this setting is the same as that for the Message text for users attempting to log on setting. Organizations that do not use this setting are more legally vulnerable to trespassers who attack the system. Therefore, this setting is enabled in both of the environments defined in this guide.

Note: Any warning that you display should first be approved by your organization's legal and human resources representatives. In addition, both the Interactive logon: Message text for users attempting to log on and the Interactive logon: Message title for users attempting to log on settings must be enabled in order for either one to work properly.

Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Table 3.61: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
2 | 2 | 0 | 1

The Interactive logon: Number of previous logons to cache (in case domain controller is not available) security option setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally so that, in the event that a domain controller cannot be contacted on subsequent logons, a user can still log on. This setting determines the number of unique users for whom logon information is cached locally. Configuring this value to 0 disables logon caching. The Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting is configured to 2 for both desktop and laptop computers in the Enterprise Client environment. However, this setting is configured to 0 for desktops and 1 for laptops in the High Security environment, because laptop users are not always connected to the corporate network.

Interactive logon: Prompt user to change password before expiration
Table 3.62: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
14 days | 14 days | 14 days | 14 days

The Interactive logon: Prompt user to change password before expiration setting determines how far in advance users are warned that their password will expire. Microsoft recommends configuring this setting to 14 days to give users sufficient warning that their passwords will expire. The Interactive logon: Prompt user to change password before expiration setting is configured to 14 days in the two environments defined in this guide.

Interactive logon: Require Domain Controller authentication to unlock workstation
Table 3.63: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Enabled | Disabled

When the Interactive logon: Require Domain Controller authentication to unlock workstation setting is enabled, a domain controller must authenticate the domain account used to unlock the computer. When this setting is disabled, cached credentials can be used to unlock the computer. Microsoft recommends disabling this setting for laptop users in both environments, because mobile users do not have network access to domain controllers. The Interactive logon: Require Domain Controller authentication to unlock workstation setting is configured to Disabled for both desktop and laptop computers in the Enterprise Client environment. However, this setting is configured to Enabled for desktops and Disabled for laptops in the High Security environment.

Interactive logon: Smart card removal behavior
Table 3.64: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation

The Interactive logon: Smart card removal behavior security option setting determines what happens when the smart card of a logged-on user is removed from the smart card reader. Setting this option to Lock Workstation locks the workstation when the smart card is removed, allowing users to leave the area, take their smart cards with them, and have their workstations locked automatically. Setting this option to Force Logoff automatically logs the user off when the smart card is removed. The Interactive logon: Smart card removal behavior setting is configured to the Lock Workstation option in the two environments defined in this guide.

Microsoft network client: Digitally sign communications (always)
Table 3.65: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Not Defined | Not Defined | Enabled | Enabled

The Microsoft network client: Digitally sign communications (always) security option setting determines whether packet signing is required by the SMB client component. Enabling this setting prevents the Microsoft network client from communicating with a Microsoft network server unless that server agrees to perform SMB packet signing. In mixed environments with legacy clients, set this option to Disabled, because otherwise these clients will not be able to authenticate or gain access to domain controllers. However, you can use this setting in Windows 2000 or later environments. Therefore, this setting is configured to Not Defined in the Enterprise Client environment and to Enabled in the High Security environment.

Note: When Windows XP machines have this setting enabled and are connecting to file or print shares on remote servers, it is important that this setting is synchronized with its companion setting, Microsoft network client: Digitally sign communications (always), on those servers. For more details on these settings, see the section "Microsoft network client and server: Digitally sign communications (four related settings)" in Chapter 5 of the companion guide Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, available for download at http://go.microsoft.com/fwlink/?LinkId=15159

Microsoft network client: Digitally sign communications (if server agrees)
Table 3.66: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The Microsoft network client: Digitally sign communications (if server agrees) security option setting determines whether the SMB client will attempt to negotiate SMB packet signing. Implementing digital signing in Windows networks helps to prevent session hijacking. By enabling this setting, the Microsoft network client on member servers will request signing only if the servers with which it is communicating accept digitally signed communication. The Microsoft network client: Digitally sign communications (if server agrees) setting is configured to Enabled in the two environments defined in this guide.

Note: Enable this setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment.

Microsoft network client: Send unencrypted password to third-party SMB servers
Table 3.67: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Disabled | Disabled

Disabling the Microsoft network client: Send unencrypted password to third-party SMB servers setting prevents the SMB redirector from sending plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Microsoft recommends disabling this setting unless there is a strong business case to enable it, because enabling the setting allows unencrypted passwords to be sent across the network. The Microsoft network client: Send unencrypted password to third-party SMB servers setting is configured to Disabled in the two environments defined in this guide.

Microsoft network server: Amount of idle time required before suspending session
Table 3.68: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
15 minutes | 15 minutes | 15 minutes | 15 minutes

The Microsoft network server: Amount of idle time required before suspending session setting determines the amount of continuous idle time that must pass in an SMB session before the session is suspended due to inactivity. Administrators can use this setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. The Microsoft network server: Amount of idle time required before suspending session setting is configured to 15 minutes in both of the environments defined in this guide.

Microsoft network server: Digitally sign communications (always)
Table 3.69: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The Microsoft network server: Digitally sign communications (always) setting determines whether the SMB server is required to perform SMB packet signing. Enabling this setting provides an added benefit in a mixed environment because it prevents downstream clients from using the workstation as a network server. The Microsoft network server: Digitally sign communications (always) setting is configured to Enabled in both of the environments defined in this guide.

Microsoft network server: Digitally sign communications (if client agrees)
Table 3.70: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The Microsoft network server: Digitally sign communications (if client agrees) setting determines whether the SMB server performs SMB packet signing. Enabling this setting causes SMB servers to digitally sign packets when communicating with SMB clients on which SMB signing is enabled and required. The Microsoft network server: Digitally sign communications (if client agrees) setting is configured to Enabled in the two environments defined in this guide.

Note: Enable this setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment.

Network access: Allow anonymous SID/Name translation
Table 3.71: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Disabled | Disabled

The Network access: Allow anonymous SID/Name translation setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. Disabling this setting prevents anonymous users from obtaining the user names associated with SIDs. The Network access: Allow anonymous SID/Name translation setting is configured to Disabled in the two environments defined in this guide.

Network access: Do not allow anonymous enumeration of SAM accounts
Table 3.72: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The Network access: Do not allow anonymous enumeration of SAM accounts setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). Enabling this setting prevents users with anonymous connections from enumerating domain account user names on the workstations in your environment. This setting also allows additional restrictions on anonymous connections. The Network access: Do not allow anonymous enumeration of SAM accounts setting is configured to Enabled in the two environments defined in this guide.

Network access: Do not allow anonymous enumeration of SAM accounts and shares
Table 3.73: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting controls the ability of anonymous users to enumerate SAM accounts and shares. Enabling this setting prevents anonymous users from enumerating domain account user names and network share names on the workstations in your environment. The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting is configured to Enabled in the two environments defined in this guide.

Network access: Do not allow storage of credentials or .NET Passports for network authentication
Table 3.74: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The Network access: Do not allow storage of credentials or .NET Passports for network authentication setting controls the storage of authentication credentials and passwords on the local system. The Network access: Do not allow storage of credentials or .NET Passports for network authentication setting is configured to Enabled in the two environments defined in this guide.

Network access: Let Everyone permissions apply to anonymous users
Table 3.75: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Disabled | Disabled

The Network access: Let Everyone permissions apply to anonymous users security option setting determines what additional permissions are granted for anonymous connections to the computer. Enabling this setting allows anonymous Windows users to perform certain activities, such as enumerating the names of domain accounts and network shares. An unauthorized user could anonymously list account names and shared resources and use the information to guess passwords or perform social engineering attacks. Therefore, this setting is configured to Disabled in both of the environments defined in this guide.

Network access: Shares that can be accessed anonymously
Table 3.76: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
comcfg, dfs$ | comcfg, dfs$ | comcfg, dfs$ | comcfg, dfs$

The Network access: Shares that can be accessed anonymously security option setting determines which network shares can be accessed by anonymous users. The default for this setting has little impact, as all users have to be authenticated before they can access shared resources on the server. Therefore, ensure that this setting is configured to comcfg, dfs$ in both of the environments defined in this guide.

Note: Adding other shares to this Group Policy setting is very dangerous; any shares that are listed can be accessed by any network user. This could lead to the exposure or corruption of sensitive corporate data.

Network access: Sharing and security model for local accounts
Table 3.77: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves

The Network access: Sharing and security model for local accounts security option setting determines how network logons that use local accounts are authenticated. The Classic setting allows fine control over access to resources: it lets you grant different types of access to different users for the same resource. The Guest only setting treats all users equally; in this context, all users authenticate as Guest and receive the same access level to a given resource. Therefore, the Classic default option is used for both of the environments defined in this guide.

Network security: Do not store LAN Manager hash value on next password change
Table 3.78: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The Network security: Do not store LAN Manager hash value on next password change security option setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared with the cryptographically stronger Windows NT hash. For this reason, this setting is configured to Enabled in both of the security environments defined in this guide.

Note: Very old legacy operating systems and some third-party applications may fail when this setting is enabled. Also, you will need to change the password on all accounts after enabling this setting, because the existing LM hashes are only removed when a password is changed.

Network security: LAN Manager authentication level
Table 3.79: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Send NTLMv2 response only | Send NTLMv2 response only | Send NTLMv2 response only\refuse LM and NTLM | Send NTLMv2 response only\refuse LM and NTLM

The Network security: LAN Manager authentication level setting specifies the type of challenge/response authentication used for network logons with non-Windows 2000 and Windows XP Professional clients. LAN Manager authentication (LM) is the least secure method, allowing encrypted passwords to be easily sniffed on the network and cracked. NT LAN Manager (NTLM) is somewhat more secure. NTLMv2 is a more robust version of NTLM available in Windows XP Professional, Windows 2000, and Windows NT 4.0 Service Pack 4 and later. NTLMv2 is also available with /98 along with the optional Directory Services Client. The parameter options for this setting are:

● Send LM & NTLM responses
● Send LM & NTLM - use NTLMv2 session security if negotiated
● Send NTLM response only
● Send NTLMv2 response only
● Send NTLMv2 response only\refuse LM
● Send NTLMv2 response only\refuse LM and NTLM

Microsoft recommends setting this parameter to the strongest authentication level possible for your environment. In environments running only Windows 2000 Server or Windows Server 2003 with Windows XP Professional workstations, this parameter may be set to Send NTLMv2 response only\refuse LM and NTLM for the highest security. The Network security: LAN Manager authentication level setting is configured to Send NTLMv2 response only in the Enterprise Client environment and to Send NTLMv2 response only\refuse LM and NTLM in the High Security environment.

Network security: LDAP client signing requirements
Table 3.80: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Not Defined | Not Defined | Require signing | Require signing

The Network security: LDAP client signing requirements security option setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests. Unsigned network traffic is susceptible to man-in-the-middle attacks. In the case of an LDAP server, this means that an attacker could cause the server to make decisions based on false queries from the LDAP client. Therefore, this setting is configured to Not Defined in the Enterprise Client environment and to Require signing in the High Security environment.

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Table 3.81: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption

The Network security: Minimum session security for NTLM SSP based (including secure RPC) clients setting determines the minimum application-to-application communications security standards for clients. The options for this setting are:

● Require message integrity
● Require message confidentiality
● Require NTLMv2 session security
● Require 128-bit encryption

If all of the computers on your network are running Windows XP Professional or Windows Server 2003 with 128-bit encryption enabled, all four setting options may be selected for maximum security. All four options are enabled for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients setting in the two environments defined in this guide.
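The guide lists the LAN Manager authentication level options and the four minimum session security options by name, but the templates store them as numbers, so this added example (not part of the guide or its templates) parses the [Registry Values] section of a security template, decodes those numbers back into the option names above, and checks them against the Enterprise Client and High Security values for the LAN Manager level and for both the client and the server session security settings. The registry value names, the 0 to 5 level encoding and the flag bits are assumptions drawn from general Windows documentation rather than from this guide, and the template text is constructed for the example.

```python
"""Decode and audit NTLM-related registry values in a security template.

Added example, not one of the Windows XP Security Guide's templates or tools.
Assumed (general Windows knowledge, not from the guide): LmCompatibilityLevel
under HKLM\\System\\CurrentControlSet\\Control\\Lsa holds the six "LAN Manager
authentication level" options as 0..5 in the guide's order; NtlmMinClientSec
and NtlmMinServerSec under ...\\Lsa\\MSV1_0 are bit masks of the four
"Minimum session security" options.
"""

# "LAN Manager authentication level" options, indexed by the assumed level value.
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only\\refuse LM",
    5: "Send NTLMv2 response only\\refuse LM and NTLM",
}

# "Minimum session security" options and the (assumed) bit each one sets.
NTLM_MINSEC_FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}
ALL_FOUR = 0x20080030  # all four options selected (decimal 537395248)

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
TRACKED = {  # template path -> short name used in the report
    LSA + r"\LmCompatibilityLevel": "lm_level",
    LSA + r"\MSV1_0\NtlmMinClientSec": "client_minsec",
    LSA + r"\MSV1_0\NtlmMinServerSec": "server_minsec",
}

# The guide's values: level 3 for Enterprise Client, level 5 for High Security,
# and all four session-security options on clients and servers in both.
EXPECTED = {
    "Enterprise Client": {"lm_level": 3, "client_minsec": ALL_FOUR, "server_minsec": ALL_FOUR},
    "High Security": {"lm_level": 5, "client_minsec": ALL_FOUR, "server_minsec": ALL_FOUR},
}
REG_DWORD = 4  # type code in "[Registry Values]" lines of the form path=type,value

# Constructed sample template (not one of the guide's .inf files).
SAMPLE_TEMPLATE = """\
[Version]
signature="$CHICAGO$"
[Registry Values]
; client side is fully hardened, server side is missing two options
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,3
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\NtlmMinClientSec=4,537395248
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\NtlmMinServerSec=4,537395200
"""


def parse_registry_values(template_text):
    """Return {lower-cased path: (type_code, raw_value)} for [Registry Values]."""
    values = {}
    in_section = False
    for line in template_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if in_section and "=" in line:
            path, _, rhs = line.partition("=")
            type_code, _, raw = rhs.partition(",")
            values[path.strip().lower()] = (int(type_code), raw.strip())
    return values


def decode_minsec(mask):
    """Names of the session-security options present in a NtlmMin*Sec mask."""
    return [name for bit, name in NTLM_MINSEC_FLAGS.items() if mask & bit]


def meets(key, found, expected):
    """True when the found value is at least as strict as the guide's value."""
    if found is None:
        return False
    if key == "lm_level":
        return found >= expected  # a higher level refuses more protocols
    return (found & expected) == expected  # every required flag is present


def audit(template_text, environment):
    """Return {name: (found, expected, ok)}; found is None if absent or not a DWORD."""
    values = parse_registry_values(template_text)
    report = {}
    for path, key in TRACKED.items():
        entry = values.get(path.lower())
        found = int(entry[1]) if entry and entry[0] == REG_DWORD else None
        expected = EXPECTED[environment][key]
        report[key] = (found, expected, meets(key, found, expected))
    return report


if __name__ == "__main__":
    for env in EXPECTED:
        print(env)
        for key, (found, expected, ok) in audit(SAMPLE_TEMPLATE, env).items():
            label = LM_LEVELS.get(found) if key == "lm_level" else decode_minsec(found or 0)
            print(f"  {key}: {found} -> {label} [{'OK' if ok else 'WEAKER THAN GUIDE'}]")
```

Run against the sample, the client side passes both environments' session security values while the server side is reported as weaker, and the level 3 setting satisfies Enterprise Client but not High Security.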

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Table 3.82: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption

The Network security: Minimum session security for NTLM SSP based (including secure RPC) servers setting is similar to the previous setting but affects the server side of communication with applications. The options for this setting are the same:
● Require message integrity
● Require message confidentiality
● Require NTLMv2 session security
● Require 128-bit encryption

If all of the computers on your network are running Windows XP Professional or Windows Server 2003 with 128-bit encryption enabled, all four options may be selected for maximum security. All four options are enabled for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers setting in the two environments defined in this guide.

Recovery console: Allow automatic administrative logon

Table 3.83: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Disabled | Disabled

The Recovery Console is a command line environment used to recover from system problems. Enabling the Recovery console: Allow automatic administrative logon setting logs on the local Administrator account automatically when the Recovery Console is started, without prompting for the account's password. Microsoft recommends disabling this setting so that anyone with physical access to the computer must enter the local Administrator password to use the Recovery Console. The Recovery console: Allow automatic administrative logon setting is configured to Disabled in the two environments defined in this guide.

Recovery console: Allow floppy copy and access to all drives and all folders

Table 3.84: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Disabled | Disabled

Enabling the Recovery console: Allow floppy copy and access to all drives and all folders security option setting makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables:
● AllowWildCards: Enables wildcard support for some commands (such as the DEL command)
● AllowAllPaths: Allows access to all files and folders on the computer
● AllowRemovableMedia: Allows files to be copied to removable media, such as a floppy disk
● NoCopyPrompt: Does not prompt when overwriting an existing file

This setting is configured to Enabled in the Enterprise Client environment. For maximum security it is configured to Disabled in the High Security environment, so that someone at the console cannot copy files off the computer to removable media or read files outside the system directories from the Recovery Console.

Shutdown: Allow system to be shut down without having to log on

Table 3.85: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Disabled | Disabled

The Shutdown: Allow system to be shut down without having to log on setting determines if the system can be shut down when a user is not logged on to it. Enabling this setting makes the shutdown command available on the Windows logon screen. Microsoft recommends disabling this setting to restrict the ability to shut down the system to users with credentials on the system. The Shutdown: Allow system to be shut down without having to log on setting is configured to Disabled in the two environments defined in this guide.

Shutdown: Clear virtual memory pagefile

Table 3.86: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Enabled | Enabled

The Shutdown: Clear virtual memory pagefile security option setting determines whether the virtual memory pagefile is cleared when the system is shut down. While the system runs, the pagefile can hold copies of whatever was in memory, including cached credentials and the plaintext of documents that are encrypted on disk; an attacker with physical access who boots the computer from other media can read those remnants from the pagefile. When this setting is enabled, the system pagefile is cleared each time that the system shuts down gracefully. If you enable this security setting, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled on a portable computer system. Shutting down and restarting the computer will take longer, which is especially noticeable on computers with large paging files. For these reasons, this setting is configured to Enabled in the High Security environment but set to Disabled in the Enterprise Client environment.

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

Table 3.87: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Disabled | Disabled | Disabled | Disabled

The System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security option setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although this setting increases security, most public Web sites secured with TLS or SSL do not support these algorithms. Client computers that have this setting enabled will also be unable to connect to Terminal Services on servers that are not configured to use the FIPS compliant algorithms, and on Windows XP the Encrypting File System (EFS) is restricted to 3DES for newly encrypted files. This setting is configured to Disabled in both of the environments defined in this guide.

Note: Enabling this setting results in slower computer performance because Triple DES (3DES) runs the DES algorithm three times over each block of data. This setting should only be enabled if your organization is required to be FIPS compliant.

System objects: Default owner for objects created by members of the Administrators group

Table 3.88: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Object Creator | Object Creator | Object Creator | Object Creator

The System objects: Default owner for objects created by members of the Administrators group setting determines whether the Administrators group or the individual user who created the object (the object creator) is the default owner of new system objects. When the Administrators group owns every object that any administrator creates, the owner field no longer tells you which administrator created it. To provide greater accountability, the System objects: Default owner for objects created by members of the Administrators group setting is configured to Object Creator in the two environments defined in this guide.

System objects: Require case insensitivity for non-Windows subsystems

Table 3.89: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The System objects: Require case insensitivity for non-Windows subsystems security option setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32® subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because the POSIX subsystem is case sensitive while Win32 is not, leaving this setting unenforced makes it possible for a user of the POSIX subsystem to create a file whose name differs from an existing file's name only in case. Doing this may block another user from accessing these files with normal Win32 tools, because only one of the files will be reachable by that name. To ensure consistency of file names, this setting is set to Enabled in both of the environments defined in this guide.

System objects: Strengthen default permissions of internal system objects

Table 3.90: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) security option setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes. Ensuring that this setting is set to the default strengthens the DACL, allowing users who are not administrators to read shared objects but not to modify any that they did not create. Therefore, this setting is configured to the default Enabled in both of the environments defined in this guide.
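Each of the settings in this section is stored as a registry value, and a security template expresses it as one line in the [Registry Values] section. The following template fragment is an added example written for this edit, not one of the templates shipped with the guide; it encodes the High Security values from the tables above, with the Enterprise Client value noted in a comment where it differs. The registry paths and value encodings are those used by secedit on Windows XP; the file name xp_high_security.inf in the usage note is an assumption.

```ini
; Example security template (not part of the Windows XP Security Guide).
; Each line: MACHINE\<registry path>=<type>,<value>   (type 4 = REG_DWORD)
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Registry Values]
; Network security: LDAP client signing requirements
; 0 = None, 1 = Negotiate signing, 2 = Require signing
; Enterprise Client leaves this Not Defined, which means omitting the line.
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,2

; Network security: Minimum session security for NTLM SSP based clients / servers
; Bit flags: 0x00000010 message integrity, 0x00000020 message confidentiality,
;            0x00080000 NTLMv2 session security, 0x20000000 128-bit encryption
; All four together = 0x20080030 = 537395248 (both environments)
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395248
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395248

; Recovery console: Allow automatic administrative logon (0 = Disabled)
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
; Recovery console: Allow floppy copy and access to all drives and all folders
; 0 = Disabled (High Security); Enterprise Client uses 1 = Enabled
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0

; Shutdown: Allow system to be shut down without having to log on (0 = Disabled)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
; Shutdown: Clear virtual memory pagefile
; 1 = Enabled (High Security); Enterprise Client uses 0 = Disabled
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1

; System cryptography: Use FIPS compliant algorithms ... (0 = Disabled)
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,0

; System objects: Default owner for objects created by members of the Administrators group
; 1 = Object creator, 0 = Administrators group
MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,1
; System objects: Require case insensitivity for non-Windows subsystems (1 = Enabled)
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
; System objects: Strengthen default permissions of internal system objects (1 = Enabled)
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
```

Apply the template to a test computer with secedit /configure /db xpsec.sdb /cfg xp_high_security.inf /log xpsec.log, or import it into a GPO with Import Policy on the Security Settings node. To compare a computer against the template without changing anything, run secedit /analyze /db xpsec.sdb /cfg xp_high_security.inf /log analyze.log and open xpsec.sdb in the Security Configuration and Analysis snap-in; each value that differs from the template is flagged there.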

Event Log Security Settings

The Event Log settings are used to record system events. The security log contains audit events. The Event Log container for Group Policy is used to define attributes related to the application, security, and system event logs, such as maximum log size, access rights for each log, as well as retention period settings and methods. The settings for the application, security, and system event logs are configured in the Windows XP security template and applied to all workstations in an OU. Configure the Event Log settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Event Log

Fragmented log files in memory can cause significant performance problems on busy systems. The theoretical limit for memory-mapped files suggests that you can configure the logs on your system to hold up to 1 gigabyte (GB) of event log records. Moreover, the user interface (UI) in the Event Viewer used for configuring the event logs, as well as the Group Policy Object Editor, allows you to specify up to 4 GB per log. However, Microsoft has verified that the practical log file size limit is around 300 megabytes (MB) for all event logs combined on most servers. Thus, on Windows XP Professional the combined size of the application, security, and system event logs should not exceed 300 MB. This combined log size limitation has caused problems for some Microsoft customers, but addressing them will require fundamental changes to the architecture for recording system events. Microsoft is working to resolve these problems in the next version of Windows by rewriting the event logging system from the ground up.
While there is no simple equation to determine the best log size for a particular client, you can determine a reasonable size by considering the information discussed above with the understanding that the average event requires about 500 bytes to record in each log, and the event record retention period you want to specify for each log. Since the size of each log file must be a multiple of 64 kilobytes (KB), estimate the average number of events generated each day for each log in your enterprise to determine a sensible size for each log file on your clients. For example, if your average client generates 1200 events per day in its Security Log and you want to ensure that you have at least 4 weeks of data available at all times, then configure the size of this log to about 16.8 MB based on the following equation: (500 bytes * 1200 events/day * 28 days = 16,800,000 bytes). Because the log size is entered in KB and must be a multiple of 64 KB, that works out to 16,406.25 KB, rounded up to 16,448 KB (257 * 64 KB). After configuring the log size, check the client occasionally over the next four weeks to verify that the log is adequately retaining events during the period. Event log size and log wrapping should be defined to match the business and security requirements of your enterprise security plan. For further information on determining optimal log sizes, see Chapter 6, "Event Log," in the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.

Maximum application log size

Table 3.91: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
20480 KB | 20480 KB | 20480 KB | 20480 KB

The Maximum application log size security setting specifies the maximum size of the application event log, which has a maximum capacity of 4 gigabytes (GB), although this is not recommended because of the risk of memory fragmentation leading to slow performance and unreliable event logging. Requirements for the application log size vary depending on the function of the platform and the need for historical records of application related events. The Maximum application log size setting is configured to 20,480 KB in the two environments defined in this guide.

Maximum security log size

Table 3.92: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
40960 KB | 40960 KB | 81920 KB | 81920 KB

The Maximum security log size security setting specifies the maximum size of the security event log, which has a maximum capacity of 4 gigabytes (GB), although this is not recommended because of the risk of memory fragmentation leading to slow performance and unreliable event logging. Requirements for the security log size vary depending on the function of the platform, the audit policy in effect, and the need for historical records of security related events. The Maximum security log size setting is configured to 40,960 KB in the Enterprise Client environment, and 81,920 KB in the High Security environment.

Maximum system log size

Table 3.93: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
20480 KB | 20480 KB | 20480 KB | 20480 KB

The Maximum system log size security setting specifies the maximum size of the system event log, which has a maximum capacity of 4 GB, although this is not recommended because of the risk of memory fragmentation leading to slow performance and unreliable event logging. Requirements for the system log size vary depending on the function of the platform and the need for historical records of system related events. The Maximum system log size setting is configured to 20,480 KB in the two environments defined in this guide.

Prevent local guests group from accessing application log

Table 3.94: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The default installation of Windows XP Professional allows guests and null logons to view the application and system event logs. While the Security Log is protected from guest access by default, it may be viewed by users who have the Manage Audit Logs user right. The Prevent local guests group from accessing application log setting restricts guests and null logons from viewing the application log. Preventing unauthenticated users from viewing the application event log is a security best practice, since the log can reveal installed software, versions, and error conditions useful to an attacker. The Prevent local guests group from accessing application log setting is configured to Enabled in the two environments defined in this guide.

Prevent local guests group from accessing security log

Table 3.95: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The default installation of Windows XP Professional allows guests and null logons to view the application and system event logs. While the Security Log is protected from guest access by default, it may be viewed by users who have the Manage Audit Logs user right. The Prevent local guests group from accessing security log setting restricts guests and null logons from viewing the security log. Preventing unauthenticated users from viewing the security event log is a security best practice. The Prevent local guests group from accessing security log setting is configured to Enabled in the two environments defined in this guide.

Prevent local guests group from accessing system log

Table 3.96: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The default installation of Windows XP Professional allows guests and null logons to view the application and system event logs. While the Security Log is protected from guest access by default, it may be viewed by users who have the Manage Audit Logs user right. The Prevent local guests group from accessing system log setting restricts guests and null logons from viewing the system log. Preventing unauthenticated users from viewing the system event log is a security best practice. The Prevent local guests group from accessing system log setting is configured to Enabled in the two environments defined in this guide.

Retention method for application log

Table 3.97: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
As Needed | As Needed | As Needed | As Needed

The Retention method for application log security setting determines the "wrapping" method for the application log. It is imperative that the application log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this could result in a loss of historical data.

Retention method for security log

Table 3.98: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
As Needed | As Needed | As Needed | As Needed

The Retention method for security log security setting determines the "wrapping" method for the security log. It is imperative that the security log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this could result in a loss of historical data. Be aware that an attacker who can generate a high volume of audited events (for example, repeated failed logons) can use this wrapping behavior to push earlier entries out of a log that is not collected centrally, which is the main reason regular archiving matters for the security log.

Retention method for system log

Table 3.99: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
As Needed | As Needed | As Needed | As Needed

The Retention method for system log security setting determines the "wrapping" method for the system log. It is imperative that the logs are archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this could result in a loss of historical data.
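The Event Log settings in this section map onto three sections of a security template. The fragment below is an added example, not a template from the guide, showing the High Security values prescribed above with the sizing calculation from the text carried through in a comment. It is meant to be merged into a template that already has the [Unicode] and [Version] header.

```ini
; Example security template fragment (not part of the Windows XP Security Guide).
; MaximumLogSize is in KB and must be a multiple of 64.
; AuditLogRetentionPeriod: 0 = overwrite events as needed,
;                          1 = overwrite events older than RetentionDays days,
;                          2 = do not overwrite (clear the log manually).
; RestrictGuestAccess: 1 = the local Guests group and null sessions cannot read the log.
[Application Log]
MaximumLogSize=20480
AuditLogRetentionPeriod=0
RestrictGuestAccess=1

[Security Log]
; Worked example from the text: 500 bytes * 1200 events/day * 28 days
; = 16,800,000 bytes = 16,406.25 KB, rounded up to a multiple of 64 KB = 16,448 KB.
; The guide's High Security baseline is larger (Enterprise Client uses 40960).
MaximumLogSize=81920
AuditLogRetentionPeriod=0
RestrictGuestAccess=1

[System Log]
MaximumLogSize=20480
AuditLogRetentionPeriod=0
RestrictGuestAccess=1
```

If you change AuditLogRetentionPeriod to 1 for a log, add a RetentionDays= line in the same section; otherwise leave the key out, as above.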

Restricted Groups

The Restricted Groups setting allows you to manage the membership of groups in Windows XP Professional. Determine the groups you want to restrict based on the needs of your organization. For the purposes of this guidance, the Power Users group is restricted in the High Security Environment. Although members of the Power Users group have less system access than members in the Administrators group, Power Users group members can still access the system in powerful ways. If your organization uses the Power Users group, then carefully control the members of this group and do not implement the guidance for the Restricted Groups setting.

The Restricted Groups setting can be configured in Windows XP Professional at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

Administrators may configure restricted groups for a GPO by adding the desired group directly to the Restricted Groups node of the GPO namespace. When a group is restricted you have the option of defining its members and other groups in which it is a member. Not specifying these group members leaves the group totally restricted. Groups can only be restricted by using security templates. To view or modify the Restricted Groups setting:

1. Open the Security Templates Management Console.

Note: The Security Templates Management Console is not added to the Administrative Tools menu by default. To add it, start the Microsoft Management Console (mmc.exe) and add the Security Templates snap-in.

2. Double-click the configuration file directory, and then the configuration file.
3. Double-click the Restricted Groups item.
4. Right-click Restricted Groups.
5. Select Add Group.
6. Click the Browse button, the Locations button, select the locations you want to browse, and click OK.

Note: Generally this will result in a local computer appearing at the top of the list.

7. Type the group name in the Enter the object names to select text box and press the Check Names button.
   - Or -
   Click the Advanced button, and then the Find Now button to list all available groups.
8. Select the groups you want to restrict, and then click OK.
9. Click OK on the Add Groups dialog box to close it.

For each group listed in the template, any users or groups named as members that are not currently members of the group are added, and any current members that are not named in the template are removed when the policy is applied. Because Group Policy is reapplied periodically, a member added by hand on the computer is removed again at the next refresh. In this guidance, no members are specified for the Power Users and Backup Operators groups, which totally restricts these groups (leaves them empty) in both environments. Microsoft recommends restricting any built-in group you do not plan to use in your organization.
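The [Group Membership] fragment below is an added example, not one of the guide's own templates, showing how the totally restricted Power Users and Backup Operators groups are written; each group is keyed by its well-known SID. The commented-out Administrators line and the CONTOSO\Workstation Admins group it names are assumptions included only to show the syntax for a group pinned to a fixed membership.

```ini
; Example security template fragment (not part of the Windows XP Security Guide).
; Each restricted group is keyed by SID: <SID>__Members lists who is in the group,
; <SID>__Memberof lists the groups it belongs to. An empty value means "no one",
; which is how a group is totally restricted: every current member is removed each
; time the policy is applied.
[Group Membership]
; Power Users (well-known SID S-1-5-32-547): no members, member of nothing
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members =
; Backup Operators (well-known SID S-1-5-32-551): no members, member of nothing
*S-1-5-32-551__Memberof =
*S-1-5-32-551__Members =
; Not in this guide: pin local Administrators (S-1-5-32-544) to a fixed membership.
; Members may be given as *SID or as DOMAIN\name; the domain group here is a
; placeholder. Anyone not listed is removed at every policy refresh, so include the
; built-in Administrator account (*S-1-5-21-<domain SID>-500) if you rely on it.
;*S-1-5-32-544__Members = CONTOSO\Workstation Admins
```

After the template is applied, net localgroup "Power Users" on the client should list no members; if it still does, check the policy application log (secedit /configure writes one) for a resolution error on the group name.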

System Services

When Windows XP Professional installs, default system services are created and configured to run when the system starts. Many of these system services do not need to run in the environments defined in this guide. There are additional optional services available with Windows XP Professional, such as IIS, that are not installed during the default installation of the operating system. You can add these optional services to an existing system by using Add/Remove Programs or creating a customized automated installation of Windows XP Professional.

Important: Keep in mind that any service or application is a potential point of attack. Therefore, any unneeded services or executable files should be disabled or removed in your environment.

The System Services settings can be configured in Windows XP Professional at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\System Services

An administrator can set the startup mode of the System Services and change the security settings for each of them. To view the System Services settings:

1. Open the Security Templates Management Console.

Note: The Security Templates Management Console is not added to the menus by default. To add it, start the Microsoft Management Console (mmc.exe) and add the Security Templates snap-in.

2. Double-click the security template file directory, and then the security template file.
3. Double-click the System Services item to display the available services in the right pane.
4. Double-click the service you want to configure and the properties dialog box for it will open.
5. Select the Define this policy setting in the template check box.
6. Under Select service startup mode, select either Automatic, Manual, or Disabled.
7. Click the Edit Security... button to access the security permission options to change the service.

Note: Changes to security permissions should be thoroughly tested in a lab environment prior to implementing them via Group Policy.

8. Click OK to close the security settings dialog box, and OK again to close the Service Properties dialog box.

This section provides details on the prescribed system services for the two environments defined in this guide. The summary of the prescribed settings in the following table is also available in the Windows XP Security Guide Settings Excel workbook. For information on the default settings and a detailed explanation of each setting discussed in this section, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, available at: http://go.microsoft.com/fwlink/?LinkId=15159.
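The procedure above writes one line per service into the [Service General Setting] section of the template. The fragment below is an added example, not one of the guide's templates, encoding the High Security startup modes for the services discussed in this section, with the Enterprise Client value noted where it differs. The security descriptor string on each line is the stock service DACL seen in exported templates (SYSTEM and Administrators have full control; interactive and service users can only query, start and enumerate); the format requires one per line, and you should check it against the baseline of the computer you export from rather than assume it.

```ini
; Example security template fragment (not part of the Windows XP Security Guide).
; Line format: <service name>,<startup mode>,"<security descriptor in SDDL>"
;   startup mode: 2 = Automatic, 3 = Manual, 4 = Disabled
; "Not Defined" in the guide's tables means the service has no line at all.
[Service General Setting]
Alerter,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
ClipSrv,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
; Computer Browser: Enterprise Client leaves this Not Defined (no line)
Browser,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
; Fax: Enterprise Client uses 3 (Manual)
Fax,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
MSFtpsvc,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
IISADMIN,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
cisvc,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
Messenger,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
mnmsrvc,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
; Network DDE and Network DDE DSDM: Enterprise Client uses 3 (Manual)
NetDDE,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
NetDDEdsdm,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
; Remote Desktop Help Session Manager: Enterprise Client leaves this Not Defined
RDSessMgr,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
; Remote Registry: Enterprise Client uses 2 (Automatic)
RemoteRegistry,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
RemoteAccess,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
SSDPSrv,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
; Task Scheduler: Enterprise Client leaves this Not Defined
Schedule,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
```

After the template is applied, sc qc Alerter should report START_TYPE : 4 DISABLED for each listed service. Changing the startup mode does not stop a service that is already running, so stop it (net stop Alerter) or restart the computer before treating the change as effective.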

Alerter

Table 3.100: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Alerter | Disabled | Disabled | Disabled | Disabled

The Alerter service notifies selected users and computers of administrative alerts. Use the Alerter service to send alert messages to specified users connected to your network. To ensure greater security, the Alerter service is configured to Disabled in the two environments defined in this guide to prevent this information from being sent across the network.

Note: Disabling this service can break functionality in uninterruptible power supply (UPS) alert message systems.

ClipBook

Table 3.101: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
ClipSrv | Disabled | Disabled | Disabled | Disabled

The ClipBook service allows the ClipBook Viewer to create and share "pages" of data that may be viewed by remote computers. This service depends on the Network Dynamic Data Exchange (NetDDE) service to create the actual file shares that other computers can connect to, while the ClipBook application and service allow you to create the pages of data to share. If this service is disabled, any services that explicitly depend on it will fail. However, clipbrd.exe can still be used to view the local Clipboard (where data is stored when a user selects text and then clicks Copy on the Edit menu, or presses CTRL+C). To ensure greater security in the two environments defined in this guide, the ClipBook service is configured to Disabled.

Computer Browser

Table 3.102: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Browser | Not Defined | Not Defined | Disabled | Disabled

The Computer Browser system service maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers that need to view network domains and resources. To ensure greater security in the High Security environment this service is configured to Disabled, but it is set to Not Defined in the Enterprise Client environment.

Fax Service

Table 3.103: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Fax | Manual | Manual | Disabled | Disabled

The Fax Service, a Telephony API (TAPI) compliant service, provides fax capabilities on the clients in your environment. The Fax Service allows users to send and receive faxes from their desktop applications using either a local fax device or a shared network fax device. The Fax Service is configured to Manual in the Enterprise Client environment. However, this service is set to Disabled in the High Security environment to ensure greater security.

FTP Publishing Service

Table 3.104: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
MSFtpsvc | Disabled | Disabled | Disabled | Disabled

The FTP Publishing Service provides FTP connectivity and administration through the IIS snap-in. Microsoft recommends not installing the FTP Publishing Service on Windows XP clients in your environment unless there is a business need for the service; FTP transmits credentials in clear text and exposes a listening network service on the client. For this reason, the FTP Publishing Service is configured to Disabled in the two environments defined in this guide.

IIS Admin Service

Table 3.105: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
IISADMIN | Disabled | Disabled | Disabled | Disabled

The IIS Admin Service allows administration of IIS components, such as FTP, Application Pools, Web sites, and Web service extensions. Disabling this service prevents users from running Web or FTP sites on their computers. These features are not needed on most Windows XP client computers. The IIS Admin Service is configured to Disabled in the two environments defined in this guide.

Indexing Service

Table 3.106: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
cisvc | Disabled | Disabled | Disabled | Disabled

The Indexing Service indexes contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language. The Indexing Service also enables quick searching of documents on local and remote computers and a search index for content shared on the Web. The Indexing Service is configured to Disabled in the two environments defined in this guide.

Messenger

Table 3.107: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Messenger | Disabled | Disabled | Disabled | Disabled

The Messenger service transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger or MSN Messenger, is not a requirement for Windows XP client computers, and has been widely abused to deliver unsolicited pop-up messages to computers reachable from the Internet. For these reasons, the Messenger service is configured to Disabled in the two environments defined in this guide.

NetMeeting Remote Desktop Sharing

Table 3.108: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
mnmsrvc | Disabled | Disabled | Disabled | Disabled

The NetMeeting Remote Desktop Sharing service allows an authorized user to access a client remotely by using Microsoft NetMeeting® over a corporate intranet. This service must be explicitly enabled in NetMeeting. You can also disable this feature in NetMeeting, shut down the service via a Windows tray icon, or disable this feature in Group Policy by configuring the setting Disable remote Desktop Sharing, discussed in Chapter 4, "Administrative Templates for Windows XP." Microsoft recommends disabling this service to prevent users from accessing clients in your environment remotely. The NetMeeting Remote Desktop Sharing service is configured to Disabled in the two environments defined in this guide.

Network DDE

Table 3.109: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
NetDDE | Manual | Manual | Disabled | Disabled

The Network DDE service provides network transport and security for Dynamic Data Exchange (DDE) programs running on the same computer or on different computers. Attackers can exploit the Network DDE service, and other such automated network services. The Network DDE setting is configured to Disabled in the High Security environment to ensure greater security. However, this service is left at the Manual default setting in the Enterprise Client environment.

Network DDE DSDM

Table 3.110: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
NetDDEdsdm | Manual | Manual | Disabled | Disabled

The Network DDE DSDM service manages DDE network shares. This service is used only by the Network DDE service to manage shared DDE conversations. Attackers can exploit the Network DDE DSDM service, and other such automated network services. The Network DDE DSDM service is configured to Disabled in the High Security environment to ensure greater security. However, this service is left at the Manual default setting in the Enterprise Client environment.

Remote Desktop Help Session Manager

Table 3.111: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
RDSessMgr | Not Defined | Not Defined | Disabled | Disabled

The Remote Desktop Help Session Manager system service manages and controls the Remote Assistance feature in the Help and Support Center application (helpctr.exe). Disabling it prevents users from requesting Remote Assistance, so keep that in mind if your help desk relies on the feature. This service is configured to Disabled in the High Security environment and to Not Defined in the Enterprise Client environment.

Remote Registry Service

Table 3.112: Settings

Service Name | Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
RemoteRegistry | Automatic | Automatic | Disabled | Disabled

The Remote Registry Service allows remote users to read and modify registry settings on your computer, provided they have the required permissions. This service is primarily used by remote administrators and performance counters. Disabling the Remote Registry Service restricts registry access to the local computer, and any services that explicitly depend on this service will fail. The Remote Registry Service is configured to Automatic in the Enterprise Client environment, and Disabled in the High Security environment.

Note: Disabling this service will break most patch management solutions including the Software Update Service and Windows Automated Update. If you disable this service, you will have to perform patch management manually on each desktop and laptop in your environment or provide media for the users in your environment to install patches.

Routing and Remote Access

Table 3.113: Settings

Service Name   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
RemoteAccess   Disabled                    Disabled                   Disabled                Disabled

The Routing and Remote Access service provides multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services. It also provides dial-up and VPN remote access services. Neither role belongs on a client workstation, so this service is configured to Disabled in both of the environments defined in this guide.

SSDP Discovery Service

Table 3.114: Settings

Service Name   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
SSDPSRV        Disabled                    Disabled                   Disabled                Disabled

The SSDP Discovery Service uses the Simple Service Discovery Protocol (SSDP) to locate and identify UPnP devices on the network on behalf of the Universal Plug and Play host service. The UPnP specification is designed to simplify device and network service installation and management. Disabling the SSDP Discovery Service prevents the system from finding UPnP devices on the network, so the Universal Plug and Play host service will be unable to find and interact with UPnP devices. This service is configured to Disabled in both of the environments defined in this guide.

Task Scheduler

Table 3.115: Settings

Service Name   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
Schedule       Not Defined                 Not Defined                Disabled                Disabled

The Task Scheduler service enables you to configure and schedule automated tasks on your computer. It monitors whatever criteria you choose and carries out the task when the criteria have been met. Because the service runs as Local System and executes whatever tasks have been scheduled, it is also a well-known persistence mechanism for an attacker who has already gained access to the computer. This service is configured to Disabled in the High Security environment and to Not Defined in the Enterprise Client environment.

Telnet

Table 3.116: Settings

Service Name   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
TlntSvr        Disabled                    Disabled                   Disabled                Disabled

The Telnet service for Windows provides ASCII terminal sessions to Telnet clients. It supports two types of authentication and four terminal types: ANSI, VT-100, VT-52, and VTNT. The service is not required on most Windows XP clients, and Telnet session data is not encrypted on the network. The Telnet service is configured to Disabled in both of the environments defined in this guide.

Terminal Services

Table 3.117: Settings

Service Name   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
TermService    Not Defined                 Not Defined                Disabled                Disabled

The Terminal Services service provides a multisession environment that allows client devices to access a virtual Windows desktop session and Windows-based programs running on the server. On Windows XP, Terminal Services underlies Remote Desktop and Remote Assistance: it allows remote users to connect interactively to the computer and to display its desktop and applications on a remote computer. This service is configured to Disabled in the High Security environment and to Not Defined in the Enterprise Client environment.

Universal Plug and Play host

Table 3.118: Settings

Service Name   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
upnphost       Not Defined                 Not Defined                Disabled                Disabled

The Universal Plug and Play host service supports peer-to-peer Plug and Play functionality for network devices. The UPnP specification is designed to simplify device and network service installation and management. UPnP accomplishes device and service discovery and control through driverless, standards-based protocol mechanisms. UPnP devices can auto-configure network addressing, announce their presence on a network subnet, and exchange device and service descriptions. A Windows XP computer can act as a UPnP control point to discover and control such devices through a Web or application interface. This service is configured to Disabled in the High Security environment and to Not Defined in the Enterprise Client environment.

World Wide Web Publishing Service

Table 3.119: Settings

Service Name   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
W3SVC          Disabled                    Disabled                   Disabled                Disabled

The World Wide Web Publishing Service provides Web connectivity and administration through the Internet Information Services (IIS) snap-in. This service is not required on most Windows XP clients. The World Wide Web Publishing Service is configured to Disabled in both of the environments defined in this guide.

Configuring Internet Connection Firewall

An Internet firewall can help prevent outsiders from reaching your computer through the Internet. Windows XP includes a built-in firewall called the Internet Connection Firewall (ICF). By default it is disabled, but for many organizations ICF can provide an additional layer of protection against network-based attacks such as worms and denial-of-service attacks. To enable ICF on a connection:

1. Click Start, and then click Control Panel.
2. Click Network and Internet Connections, and then click Network Connections.
3. Under the Dial-Up or LAN or High-Speed Internet category, click the icon of the connection that you want to help protect.
4. In the task pane on the left, under Network Tasks, click Change settings of this connection (or right-click the connection you want to help protect, and then click Properties).
5. On the Advanced tab, under Internet Connection Firewall, select the check box next to Protect my computer and network by limiting or preventing access to this computer from the Internet.
6. If you have more than one connection to the Internet, such as a broadband and a dial-up connection, repeat steps 3 through 5 for each connection.

There are some limitations with ICF that organizations must consider before enabling it throughout their enterprise. ICF does not have the rich feature set provided by many third-party products, because it is intended only as a basic intrusion prevention feature: it prevents people from gathering data about the PC and blocks unsolicited inbound connection attempts. ICF does not provide outbound filtering. Managing ICF is challenging in large networks because its filter rules cannot be configured through scripts or Group Policy. Once enabled, the default ICF settings may interfere with enterprise management tools such as Microsoft Systems Management Server (SMS) or the Microsoft Baseline Security Analyzer (MBSA), which need to open connections to the client. ICF will also cause network browsing and viewing My Network Places to fail, because the Master Browser computer is unable to connect back to the client computer to send it the browse list. Other problems with network applications are likely to appear when ICF is enabled, so organizations must weigh the benefit of increased security against reduced flexibility for end users. Alternatively, organizations may want to consider deploying personal firewall software from a third-party vendor that can be managed centrally. For more information on the Internet Connection Firewall, see the Microsoft Knowledge Base article "Description of the Windows XP Internet Connection Firewall," available online at: http://support.microsoft.com/?kbid=320855.

Additional Registry Settings

Additional registry value entries were created for the baseline security template files that are not defined within the Administrative Template (.adm) file for either of the security environments defined in this guide. The .adm file defines the system policies and restrictions for the desktop, shell, and security for Windows XP. These settings are embedded within the security templates, in the Security Options section, to automate the changes. If the policy is removed, these settings are not automatically removed with it and must be changed manually using a registry editing tool such as Regedt32.exe. The same set of registry value entries is defined for both environments, although the values assigned to some of them differ, as the tables below show.

This guide includes additional settings added to the Security Configuration Editor (SCE) by modifying the sceregvl.inf file, located in the %windir%\inf folder, and re-registering scecli.dll. The original security settings, as well as the additional ones, appear under Local Policies\Security Options in the snap-ins and tools listed previously in this chapter. You should update the sceregvl.inf file and re-register scecli.dll on any computers where you will be editing the security templates and Group Policies provided with this guide, as described in the next section.

This section is only a summary of the additional registry settings, which are covered in full in the companion guide. For information on the default settings and a detailed explanation of each of the settings discussed in this section, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, available at: http://go.microsoft.com/fwlink/?LinkId=15159.

Disable Auto Generation of 8.3 File Names: Enable the computer to stop generating 8.3 style filenames

Table 3.120: Settings

Subkey Value Entry             Registry Format   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
NtfsDisable8dot3NameCreation   DWORD             1                           1                          1                       1

This entry appears as MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) in the SCE. Windows XP supports 8.3 file name formats for backward compatibility with 16-bit applications. The 8.3 file name convention is a naming format that allows file names up to eight characters long plus a three-character extension. Setting this value to 1 stops NTFS from generating short names for newly created files; short names that already exist for files created earlier remain in place. The value entry in Table 3.120 has been added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\ registry key.

Disable Autorun: Disable Autorun for all drives

Table 3.121: Settings

Subkey Value Entry   Registry Format   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
NoDriveTypeAutoRun   DWORD             0xFF                        0xFF                       0xFF                    0xFF

This entry appears as MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) in the SCE. Autorun begins reading from a drive on your computer as soon as media is inserted into it. As a result, the setup file of programs and the sound on audio media start immediately, which means that inserting untrusted media can run code without any further user action. The value 0xFF disables Autorun for every drive type. The value entry in Table 3.121 has been added to the template file in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ registry key.

Make Screensaver Password Protection Immediate: The time in seconds before the screen saver grace period expires (0 recommended)

Table 3.122: Settings

Subkey Value Entry       Registry Format   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
ScreenSaverGracePeriod   String            0                           0                          0                       0

This entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) in the SCE. When screen saver locking is enabled, Windows includes a grace period between when the screen saver is launched and when the console is actually locked; during that period a keystroke or mouse movement dismisses the screen saver without a password. Setting the period to 0 makes the lock immediate. Note that this value is a REG_SZ string rather than a DWORD. The value entry in Table 3.122 has been added to the template file in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key.

Security Log Near Capacity Warning: Percentage threshold for the security event log at which the system will generate a warning

Table 3.123: Settings

Subkey Value Entry   Registry Format   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
WarningLevel         DWORD             0                           0                          90                      90

This entry appears as MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning in the SCE. This option became available with Windows 2000 SP3; it generates a security audit in the security event log when the log reaches a user-defined percentage of its capacity. For example, if this value is set to 90, then when the security log reaches 90 percent of capacity it will record a single event with event ID 523 and the text "The security event log is 90 percent full."

Note: If log settings are configured for Overwrite events as needed or Overwrite events older than x days, this event will not be generated.

The value entry in Table 3.123 has been added to the security template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ registry key.

Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended)

Table 3.124: Settings

Subkey Value Entry   Registry Format   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
SafeDllSearchMode    DWORD             1                           1                          1                       1

This entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE. The DLL search order can be configured to search for DLLs requested by running processes in one of two ways:

● Search the folders specified in the system path first, and then search the current working folder.
● Search the current working folder first, and then search the folders specified in the system path.

The registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. With a setting of 0, the system first searches the current working folder and then searches the folders that are specified in the system path, which lets an attacker who can place a DLL in the folder a program is started from (a network share or a download folder, for example) have that DLL loaded in place of the system copy. The value entry in Table 3.124 has been added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ registry key.

Disable Automatic Logon: Disable Automatic Logon

Table 3.125: Settings

Subkey Value Entry   Registry Format   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
AutoAdminLogon       DWORD             Not Defined                 Not Defined                0                       0

This entry appears as MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) in the SCE. This setting is separate from the Welcome screen feature in Windows XP; disabling that feature does not disable this setting. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything on it, including any network or networks that the computer is connected to. In addition, if you enable automatic logon, the password is stored in the registry in plain text (in the DefaultPassword value), and the Winlogon key that holds it is readable remotely by the Authenticated Users group. As a result, this setting is appropriate only if the computer is physically secured and you ensure that untrusted users cannot read the registry remotely. By default this setting is not enabled; nevertheless, it is recommended that it be explicitly disabled in the High Security environment. For additional information, see the Microsoft Knowledge Base article "How to Enable Automatic Logon in Windows," available online at: http://support.microsoft.com/default.aspx?scid=kb;en-us;315231. The value entry in Table 3.125 has been added to the template file in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key.

Delete Administrative Shares: Delete Administrative Shares

Table 3.126: Settings

Subkey Value Entry   Registry Format   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
AutoShareWks         DWORD             Not Defined                 Not Defined                0                       0

This entry appears as MSS: (AutoShareWks) Enable Administrative Shares (not recommended except for highly secure environments) in the SCE. By default, Windows XP Professional automatically creates administrative shares such as C$ and ADMIN$. Because these shares are well known and present on the vast majority of Windows systems, malicious users often target them for brute-force password guessing and other attacks. However, deleting these shares can cause problems for administrators and for programs or services that rely on them. For example, both Microsoft Systems Management Server (SMS) and Microsoft Operations Manager 2000 require administrative shares for correct installation and operation, as do many third-party network backup applications. For these reasons, Microsoft recommends deleting these shares only in the High Security environment. Note that the value takes effect when the Server service starts: it stops the shares from being re-created, so shares that already exist remain until the service is restarted or they are removed by hand. For additional information, see the Microsoft Knowledge Base article "HOW TO: Create and Delete Hidden or Administrative Shares on Client Computers," available online at: http://support.microsoft.com/default.aspx?scid=kb;en-us;314984. The value entry in Table 3.126 has been added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ registry key.

Enable IPSec to protect Kerberos RSVP Traffic: Enable NoDefaultExempt for IPSec Filtering

Table 3.127: Settings

Subkey Value Entry   Registry Format   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
NoDefaultExempt      DWORD             Not Defined                 Not Defined                1                       1

This entry appears as MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) in the SCE. The default exemptions to IPsec policy filters are documented in the Microsoft Windows 2000 and Microsoft Windows XP online help. These exemptions make it possible for Internet Key Exchange (IKE) and Kerberos to function, for network Quality of Service (QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec might not secure, such as multicast and broadcast traffic, to pass. As IPsec is increasingly used for basic host firewall packet filtering, particularly in Internet-exposed scenarios, the effect of these default exemptions has not always been understood. Because of this, some IPsec administrators may create IPsec policies that they think are secure but that are not actually secure against inbound attacks that use the default exemptions; the Kerberos exemption, for example, lets traffic sent from source port 88 pass a block filter. Microsoft recommends that you disable these default exemptions if you plan to use IPsec filters to help lock down your Windows XP computers.

For additional information, see the Microsoft Knowledge Base article "IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios," available online at: http://support.microsoft.com/default.aspx?scid=kb;en-us;811832. The value entry in Table 3.127 has been added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\ registry key.

Hide the Computer from Network Neighborhood Browse Lists: Hide Computer From the Browse List

Table 3.128: Settings

Subkey Value Entry   Registry Format   Enterprise Client Desktop   Enterprise Client Laptop   High Security Desktop   High Security Laptop
Hidden               DWORD             Not Defined                 Not Defined                1                       1

This entry appears as MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) in the SCE. You can configure a computer so that it does not send announcements to browsers on the domain. If you do so, you hide the computer from the browse list: the computer stops announcing itself to other computers on the same network. An attacker who knows the name of a computer can more easily gather additional information about it, and enabling this setting removes one method an attacker might use to enumerate computers on the network. Enabling it can also reduce network traffic. However, the security benefit is small because attackers can use alternative methods to identify and locate potential targets. For these reasons, Microsoft recommends enabling this setting only in the High Security environment. For additional information, see the Microsoft Knowledge Base article "HOW TO: Hide a Windows 2000-Based Computer from the Browser List," available online at: http://support.microsoft.com/default.aspx?scid=kb;en-us;321710. The value entry in Table 3.128 has been added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ registry key.
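The service startup modes from the preceding section and the registry values from this one both end up in security template .inf files, so they can be checked offline before a template is imported or linked through Group Policy. The following Python script is an added example, not code from the guide or its template files: it parses the [Service General Setting] and [Registry Values] sections of a secedit-style template and reports every service or value that is missing or differs from the High Security desktop column of the tables above. The template text is constructed here to mimic what secedit /export produces, its SDDL strings are shortened placeholders, and the startup codes (2 = Automatic, 3 = Manual, 4 = Disabled) and value type codes (1 = REG_SZ, 4 = REG_DWORD) are the ones secedit writes.

```python
"""Audit a secedit-style security template (.inf) against this guide's High Security desktop baseline.
Added example, not one of the guide's template files; SAMPLE_TEMPLATE is constructed for the demo."""

# [Service General Setting] startup codes and [Registry Values] type codes as secedit writes them.
STARTUP = {"2": "Automatic", "3": "Manual", "4": "Disabled"}
REGTYPE = {"1": "REG_SZ", "4": "REG_DWORD"}

# High Security desktop column of the service and registry tables above.
BASELINE_SERVICES = {name: "Disabled" for name in (
    "NetDDE", "NetDDEdsdm", "RDSessMgr", "RemoteRegistry", "RemoteAccess", "SSDPSRV",
    "Schedule", "TlntSvr", "TermService", "upnphost", "W3SVC")}
BASELINE_REGISTRY = {
    r"MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation": ("REG_DWORD", 1),
    r"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun": ("REG_DWORD", 0xFF),
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod": ("REG_SZ", "0"),
    r"MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel": ("REG_DWORD", 90),
    r"MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode": ("REG_DWORD", 1),
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon": ("REG_DWORD", 0),
    r"MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks": ("REG_DWORD", 0),
    r"MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt": ("REG_DWORD", 1),
    r"MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\Hidden": ("REG_DWORD", 1),
}

# Constructed template: ScreenSaverGracePeriod is left at 5, NoDefaultExempt and TermService are
# absent, and RemoteRegistry is Automatic (2) instead of Disabled (4). SDDL strings are placeholders.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation=4,1
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=4,255
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod=1,"5"
MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel=4,90
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon=4,0
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks=4,0
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\Hidden=4,1
[Service General Setting]
""" + "\n".join('%s,%d,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"' % pair for pair in [
    ("NetDDE", 4), ("NetDDEdsdm", 4), ("RDSessMgr", 4), ("RemoteRegistry", 2), ("RemoteAccess", 4),
    ("SSDPSrv", 4), ("Schedule", 4), ("TlntSvr", 4), ("upnphost", 4), ("W3SVC", 4)])


def parse_template(text):
    """Split .inf text into {section: [lines]}, dropping blank lines and ';' comments."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_registry_values(lines):
    """'path=type,data' -> {lowercased path: (type name, int for REG_DWORD or str for REG_SZ)}."""
    values = {}
    for line in lines:
        path, _, rest = line.partition("=")
        code, _, data = (part.strip() for part in rest.partition(","))
        kind = REGTYPE.get(code, "REG_TYPE_" + code)
        if kind == "REG_DWORD":  # secedit writes DWORDs in decimal; accept 0x.. as well
            value = int(data, 16) if data.lower().startswith("0x") else int(data)
        else:
            value = data.strip('"')
        values[path.strip().lower()] = (kind, value)
    return values


def parse_services(lines):
    """'name,startup,sddl' -> {lowercased service name: startup type name}."""
    services = {}
    for line in lines:
        parts = [part.strip() for part in line.split(",", 2)]
        if len(parts) >= 2:
            services[parts[0].strip('"').lower()] = STARTUP.get(parts[1], "Unknown(%s)" % parts[1])
    return services


def audit(template_text):
    """Return [(kind, name, expected, actual)] for each baseline item the template omits or contradicts."""
    sections = parse_template(template_text)
    findings = []
    services = parse_services(sections.get("Service General Setting", []))
    for name, expected in sorted(BASELINE_SERVICES.items()):
        actual = services.get(name.lower(), "Not Defined")  # service names are case-insensitive
        if actual != expected:
            findings.append(("service", name, expected, actual))
    registry = parse_registry_values(sections.get("Registry Values", []))
    for path, expected in sorted(BASELINE_REGISTRY.items()):
        actual = registry.get(path.lower(), ("Not Defined", None))  # registry paths likewise
        if actual != expected:
            findings.append(("registry", path.rsplit("\\", 1)[1], expected, actual))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TEMPLATE):
        print("%-8s %-24s expected %r, found %r" % finding)
```

To check a real template, export it with secedit /export /cfg exported.inf and pass the file contents to audit(). Names and paths are compared case-insensitively, so Lanmanserver and LanmanServer match; a value written under a misspelled key (such as SYSTEM\Software instead of Software) does not match and is reported as Not Defined, which is exactly the kind of silent miss this check is meant to catch.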

How to Modify the Security Configuration Editor User Interface

The Security Configuration Editor (SCE) set of tools is used to define security templates that can be applied to individual computers or to any number of computers through Group Policy. Security templates can contain password policies, lockout policies, Kerberos policies, audit policies, event log settings, registry values, service startup modes, service permissions, user rights, group membership restrictions, registry permissions, and file system permissions. The SCE appears in a number of MMC snap-ins and Administrative Tools. It is used by the Security Templates snap-in and the Security Configuration and Analysis snap-in. The Group Policy Editor snap-in uses it for the Security Settings portion of the Computer Configuration tree, and it is also used by the Local Security Settings, Domain Controller Security Policy, and Domain Security Policy tools.

This guide includes additional settings added to the SCE by modifying the sceregvl.inf file, located in the %systemroot%\inf folder, and re-registering scecli.dll. The original security settings, as well as the additional ones, appear under Local Policies\Security Options in the snap-ins and tools listed previously in this chapter. You should update the sceregvl.inf file and re-register scecli.dll on any computers where you will be editing the security templates and Group Policies provided with this guide, as described below. The customization to sceregvl.inf provided below uses features available only on Microsoft Windows XP Professional with Service Pack 1 and Windows Server 2003; do not try to install it on older versions of Windows. Once the sceregvl.inf file has been modified and scecli.dll re-registered, the custom registry values are exposed in the SCE user interfaces on that computer.

You will see the new settings at the bottom of the list of items in the SCE; they are all preceded by the text "MSS:". MSS stands for Microsoft Solutions for Security, the name of the group that created this guide. You can then create security templates or policies that define these new registry values. These templates or policies can be applied to any computer regardless of whether sceregvl.inf has been modified on the target computer, because the template carries the registry path and value itself; the sceregvl.inf change only affects how the SCE displays the setting. The previous section of this guide discusses many of the settings added by the procedure explained below; a number of the other new settings that will appear in the SCE are not documented in this guide because they are typically not configured for end-user systems. For further information about these settings, refer to the companion guide Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, available for download at: http://go.microsoft.com/fwlink/?LinkId=15159.

To update sceregvl.inf

1. Open the %systemroot%\inf\sceregvl.inf file in a text editor such as Notepad.
2. Navigate to the bottom of the [Register Registry Values] section and copy the following text into the file, one entry per line (an entry must not be broken across lines):


;====== MSS Values ======
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect,4,%EnableICMPRedirect%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect,4,%SynAttackProtect%,3,0|%SynAttackProtect0%,1|%SynAttackProtect1%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect,4,%EnableDeadGWDetect%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery,4,%EnablePMTUDiscovery%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime,4,%KeepAliveTime%,3,150000|%KeepAliveTime0%,300000|%KeepAliveTime1%,600000|%KeepAliveTime2%,1200000|%KeepAliveTime3%,2400000|%KeepAliveTime4%,3600000|%KeepAliveTime5%,7200000|%KeepAliveTime6%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting,4,%DisableIPSourceRouting%,3,0|%DisableIPSourceRouting0%,1|%DisableIPSourceRouting1%,2|%DisableIPSourceRouting2%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions,4,%TcpMaxConnectResponseRetransmissions%,3,0|%TcpMaxConnectResponseRetransmissions0%,1|%TcpMaxConnectResponseRetransmissions1%,2|%TcpMaxConnectResponseRetransmissions2%,3|%TcpMaxConnectResponseRetransmissions3%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions,4,%TcpMaxDataRetransmissions%,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery,4,%PerformRouterDiscovery%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted,4,%TCPMaxPortsExhausted%,1
MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand,4,%NoNameReleaseOnDemand%,0
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation,4,%NtfsDisable8dot3NameCreation%,0
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun,4,%NoDriveTypeAutoRun%,3,0|%NoDriveTypeAutoRun0%,255|%NoDriveTypeAutoRun1%
MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel,4,%WarningLevel%,3,50|%WarningLevel0%,60|%WarningLevel1%,70|%WarningLevel2%,80|%WarningLevel3%,90|%WarningLevel4%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod,1,%ScreenSaverGracePeriod%,1
MACHINE\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta,4,%DynamicBacklogGrowthDelta%,1
MACHINE\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog,4,%EnableDynamicBacklog%,0
MACHINE\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog,4,%MinimumDynamicBacklog%,1
MACHINE\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog,4,%MaximumDynamicBacklog%,3,10000|%MaximumDynamicBacklog0%,15000|%MaximumDynamicBacklog1%,20000|%MaximumDynamicBacklog2%,40000|%MaximumDynamicBacklog3%,80000|%MaximumDynamicBacklog4%,160000|%MaximumDynamicBacklog5%
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode,4,%SafeDllSearchMode%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon,4,%DisableAutoLogon%,0
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks,4,%AdminShares%,0
MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt,4,%IPSecNoDefaultExempt%,0
MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden,4,%HideFromBrowseList%,0

3. Navigate to the bottom of the [Strings] section and copy the following text into the file, one entry per line:

;====== MSS Settings ======
EnableICMPRedirect = "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes"
SynAttackProtect = "MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)"
SynAttackProtect0 = "No additional protection, use default settings"
SynAttackProtect1 = "Connections time out sooner if a SYN attack is detected"
EnableDeadGWDetect = "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)"
EnablePMTUDiscovery = "MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)"
KeepAliveTime = "MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds"
KeepAliveTime0 = "150000 or 2.5 minutes"
KeepAliveTime1 = "300000 or 5 minutes (recommended)"
KeepAliveTime2 = "600000 or 10 minutes"
KeepAliveTime3 = "1200000 or 20 minutes"
KeepAliveTime4 = "2400000 or 40 minutes"
KeepAliveTime5 = "3600000 or 1 hour"
KeepAliveTime6 = "7200000 or 2 hours (default value)"
DisableIPSourceRouting = "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)"
DisableIPSourceRouting0 = "No additional protection, source routed packets are allowed"
DisableIPSourceRouting1 = "Medium, source routed packets ignored when IP forwarding is enabled"
DisableIPSourceRouting2 = "Highest protection, source routing is completely disabled"
TcpMaxConnectResponseRetransmissions = "MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged"
TcpMaxConnectResponseRetransmissions0 = "No retransmission, half-open connections dropped after 3 seconds"
TcpMaxConnectResponseRetransmissions1 = "3 seconds, half-open connections dropped after 9 seconds"
TcpMaxConnectResponseRetransmissions2 = "3 & 6 seconds, half-open connections dropped after 21 seconds"
TcpMaxConnectResponseRetransmissions3 = "3, 6, & 9 seconds, half-open connections dropped after 45 seconds"
TcpMaxDataRetransmissions = "MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)"
PerformRouterDiscovery = "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)"
TCPMaxPortsExhausted = "MSS: (TCPMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended)"
NoNameReleaseOnDemand = "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (Only recommended for servers)"
NtfsDisable8dot3NameCreation = "MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)"
NoDriveTypeAutoRun = "MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)"
NoDriveTypeAutoRun0 = "Null, allow Autorun"
NoDriveTypeAutoRun1 = "255, disable Autorun for all drives"
WarningLevel = "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning"
WarningLevel0 = "50%"
WarningLevel1 = "60%"
WarningLevel2 = "70%"
WarningLevel3 = "80%"
WarningLevel4 = "90%"
ScreenSaverGracePeriod = "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)"
DynamicBacklogGrowthDelta = "MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)"
EnableDynamicBacklog = "MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)"
MinimumDynamicBacklog = "MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for systems under attack, 10 otherwise)"
MaximumDynamicBacklog = "MSS: (AFD MaximumDynamicBacklog) Maximum number of 'quasi-free' connections for Winsock applications"
MaximumDynamicBacklog0 = "10000"
MaximumDynamicBacklog1 = "15000"
MaximumDynamicBacklog2 = "20000 (recommended)"
MaximumDynamicBacklog3 = "40000"
MaximumDynamicBacklog4 = "80000"
MaximumDynamicBacklog5 = "160000"
SafeDllSearchMode = "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)"
DisableAutoLogon = "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)"
AdminShares = "MSS: (AutoShareWks) Enable Administrative Shares (not recommended except for highly secure environments)"
IPSecNoDefaultExempt = "MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)"
HideFromBrowseList = "MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)"

4. Save the file and close the text editor.
5. Open a command prompt window and type regsvr32 scecli.dll to re-register the SCE DLL.
6. Subsequent launches of the SCE will display these custom registry values.
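A mistake in a [Register Registry Values] line is usually noticed only when the SCE fails to show the setting, or shows it with a broken label, so it is worth checking the edited sections before re-registering scecli.dll. The following Python script is an added example, not part of the guide: it parses register lines of the form path,regtype,%title%,displaytype[,value|%label%,...] together with [Strings] lines, and reports any %token% used as a title or choice label that has no [Strings] definition, any path not rooted at MACHINE\, any path placed under MACHINE\SYSTEM\Software (HKLM\SYSTEM has no Software subtree, so such a value would be written to a key nothing reads), unknown type or display codes, and choice lists that appear with a display type other than 3. The type codes (1 = REG_SZ, 4 = REG_DWORD) and display codes (0 = boolean, 1 = number, 3 = list of choices) are the ones the entries above use; the sample input is constructed from a few of those entries with three deliberate defects so that the output is visible.

```python
"""Consistency check for custom sceregvl.inf entries before running regsvr32 scecli.dll.
Added example, not part of the guide. A [Register Registry Values] line has the form
    path,regtype,%title%,displaytype[,value|%label%,...]
where regtype is the registry value type (1 = REG_SZ, 4 = REG_DWORD, ...) and displaytype tells
the SCE how to render it (0 = boolean, 1 = number, 2 = string, 3 = list of choices)."""
import re

REG_TYPES = {"1": "REG_SZ", "2": "REG_EXPAND_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
DISPLAY_TYPES = {"0": "boolean", "1": "number", "2": "string", "3": "choices"}
TOKEN = re.compile(r"%(\w+)%")
STRING_LINE = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')

# Constructed input: a few of the guide's MSS entries plus three deliberate defects: a path under
# MACHINE\SYSTEM\Software (HKLM\SYSTEM has no Software subtree; HKLM\Software was meant), a choice
# label with no [Strings] definition, and a title token with no [Strings] definition.
SAMPLE_REGISTER = r"""
;====== MSS Values ======
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect,4,%EnableICMPRedirect%,0
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun,4,%NoDriveTypeAutoRun%,3,0|%NoDriveTypeAutoRun0%,255|%NoDriveTypeAutoRun1%
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode,4,%SafeDllSearchMode%,0
MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod,1,%ScreenSaverGracePeriod%,1
MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel,4,%WarningLevel%,3,50|%WarningLevel0%,90|%WarningLevel1%
MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden,4,%HideFromBrowseList%,0
"""
SAMPLE_STRINGS = r"""
;====== MSS Settings ======
EnableICMPRedirect = "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes"
NoDriveTypeAutoRun = "MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)"
NoDriveTypeAutoRun0 = "Null, allow Autorun"
NoDriveTypeAutoRun1 = "255, disable Autorun for all drives"
SafeDllSearchMode = "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)"
ScreenSaverGracePeriod = "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)"
WarningLevel = "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning"
WarningLevel0 = "50%"
AdminShares = "MSS: (AutoShareWks) Enable Administrative Shares (not recommended except for highly secure environments)"
"""


def _lines(text):
    """Yield non-blank lines that are not ';' comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            yield line


def parse_strings(text):
    """[Strings] section -> {name: display text}."""
    strings = {}
    for line in _lines(text):
        m = STRING_LINE.match(line)
        if m:
            strings[m.group(1)] = m.group(2)
    return strings


def validate(register_text, strings_text):
    """Return [(problem, detail)] in the order found; an empty list means the entries are consistent."""
    strings = parse_strings(strings_text)
    problems, used, seen = [], set(), set()
    for line in _lines(register_text):
        fields = line.split(",")  # registry paths in sceregvl.inf contain no commas
        if len(fields) < 4 or not TOKEN.fullmatch(fields[2]):
            problems.append(("unparseable", line))
            continue
        path, rtype, dtype, choices = fields[0], fields[1], fields[3], fields[4:]
        title = TOKEN.fullmatch(fields[2]).group(1)
        key = path.lower()  # registry paths are case-insensitive
        if key in seen:
            problems.append(("duplicate-path", path))
        seen.add(key)
        if not key.startswith("machine\\"):
            problems.append(("bad-root", path))
        if key.startswith("machine\\system\\software\\"):
            problems.append(("bad-hive", path))
        if rtype not in REG_TYPES:
            problems.append(("bad-regtype", path))
        if dtype not in DISPLAY_TYPES:
            problems.append(("bad-displaytype", path))
        used.add(title)
        if title not in strings:
            problems.append(("undefined-string", title))
        if dtype == "3" and not choices:
            problems.append(("missing-choices", path))
        if dtype != "3" and choices:
            problems.append(("unexpected-choices", path))
        for choice in choices:
            value, sep, label = choice.partition("|")
            m = TOKEN.fullmatch(label)
            if not sep or not m:
                problems.append(("bad-choice", choice))
                continue
            used.add(m.group(1))
            if m.group(1) not in strings:
                problems.append(("undefined-string", m.group(1)))
            if rtype == "4" and not value.isdigit():
                problems.append(("non-numeric-choice", choice))
    for name in sorted(strings):  # labels nobody references are usually a typo on one side
        if name not in used:
            problems.append(("unused-string", name))
    return problems


if __name__ == "__main__":
    for problem, detail in validate(SAMPLE_REGISTER, SAMPLE_STRINGS):
        print("%-18s %s" % (problem, detail))
```

To use it on a real file, paste the two sections you added to sceregvl.inf into the two string arguments (or read them from the file with a small section splitter) and treat any output as a reason not to run regsvr32 yet. The bad-hive check is deliberately narrow; it only catches the SYSTEM\Software slip, not every misspelled key, which is why an audit of the applied template against the live registry is still worth doing afterwards.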

Additional Security Settings

Although most of the countermeasures used to harden the client systems in the two environments defined in this guide were applied through Group Policy, there are additional settings that are difficult or impossible to apply with Group Policy. For a detailed explanation of each of the countermeasures discussed in this section, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, available at: http://go.microsoft.com/fwlink/?LinkId=15159.

Manual Hardening Procedures

This section describes how some additional countermeasures were implemented manually to secure the Windows XP clients for each of the security environments defined in this guide.

Disable Dr. Watson: Disable Automatic Execution of Dr. Watson System Debugger

Some organizations may feel that system debuggers such as the Dr. Watson tool included with Windows could be exploited by knowledgeable attackers. For instructions on disabling the Dr. Watson system debugger, see the Microsoft Knowledge Base article "How to Disable Dr. Watson for Windows," available online at: http://support.microsoft.com/default.aspx?scid=kb;en-us;188296

Disable SSDP/UPNP: Disable SSDP/UPNP

Some organizations may feel that the Universal Plug and Play features included with subcomponents of Windows XP should be completely disabled. Even though the Universal Plug and Play host service is disabled in this guide, other applications such as Windows Messenger will still use the Simple Service Discovery Protocol (SSDP) discovery process to identify network gateways or other network devices. You can ensure that no applications use the SSDP and UPnP features included with Windows XP by adding a REG_DWORD registry value called UPnPMode to the following registry key and setting it to 2: HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlayNATHelp\DPNHUPnP\

For additional information, see the Microsoft Knowledge Base article "Traffic Is Sent After You Turn Off the SSDP Discover Service and Universal Plug and Play Device Host," available online at: http://support.microsoft.com/default.aspx?scid=kb;en-us;317843
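The custom MSS registry values registered in sceregvl.inf above and the UPnPMode value described in this section are all plain registry entries, so their state can be audited without the SCE user interface. The following PowerShell script is an added example and not part of the guide: it compares a subset of those values against the recommendations stated in the [Strings] text (255 for NoDriveTypeAutoRun, 3 for TcpMaxDataRetransmissions, 20000 for MaximumDynamicBacklog, and so on) and against UPnPMode = 2. The registry paths are the standard Windows locations for these values and are an assumption here, since the guide's [Strings] section lists only the value names; the function and variable names are my own. It is read-only and requires PowerShell 2.0 or later run from an elevated prompt on the client being checked.

```powershell
# Added example, not from the Windows XP Security Guide. Audits MSS hardening
# values and UPnPMode against the recommendations given in the text. Registry
# paths below are the documented Windows locations (assumption), not taken from
# the guide; expected values come from the [Strings] recommendations.
$checks = @(
    @{ Name = 'NoDriveTypeAutoRun';           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Expected = 255 }
    @{ Name = 'SafeDllSearchMode';            Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';           Expected = 1 }
    @{ Name = 'NtfsDisable8dot3NameCreation'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem';                Expected = 1 }
    @{ Name = 'AutoAdminLogon';               Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Expected = '0' }   # REG_SZ
    @{ Name = 'ScreenSaverGracePeriod';       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Expected = '0' }   # REG_SZ
    @{ Name = 'NoDefaultExempt';              Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC';                    Expected = 1 }
    @{ Name = 'PerformRouterDiscovery';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';         Expected = 0 }
    @{ Name = 'TcpMaxDataRetransmissions';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';         Expected = 3 }
    @{ Name = 'TCPMaxPortsExhausted';         Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';         Expected = 5 }
    @{ Name = 'EnableDynamicBacklog';         Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters';           Expected = 1 }
    @{ Name = 'DynamicBacklogGrowthDelta';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters';           Expected = 10 }
    @{ Name = 'MaximumDynamicBacklog';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters';           Expected = 20000 }
    @{ Name = 'UPnPMode';                     Path = 'HKLM:\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP';              Expected = 2 }
)

function Test-MssRegistryValue {
    param([hashtable]$Check)
    # A missing key or value is reported as 'Missing' rather than treated as an
    # error: for every entry above it means the Windows default behaviour applies.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = $null
        $status = 'Missing'
    } else {
        $actual = $item.($Check.Name)
        # String comparison so that REG_SZ '0' and REG_DWORD 0 are both handled.
        $status = if ("$actual" -eq "$($Check.Expected)") { 'Compliant' } else { 'Mismatch' }
    }
    [pscustomobject]@{
        Name     = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        Status   = $status
        Path     = $Check.Path
    }
}

$results = $checks | ForEach-Object { Test-MssRegistryValue -Check $_ }
$results | Format-Table Name, Expected, Actual, Status -AutoSize

# Anything not compliant is surfaced as a warning with the key to inspect.
$results | Where-Object { $_.Status -ne 'Compliant' } | ForEach-Object {
    Write-Warning "$($_.Name): $($_.Status) (expected $($_.Expected), found '$($_.Actual)') at $($_.Path)"
}
```

Values whose recommendation in the [Strings] text depends on the environment (Hidden, AutoShareWks, NoNameReleaseOnDemand, WarningLevel) are deliberately left out of the check list; add them with the value appropriate to the environment being audited.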

Securing the File System

The NTFS file system has been improved with each new version of Microsoft Windows®. The default permissions for NTFS are adequate for most organizations. The settings discussed in this section are for organizations using laptops and desktops in the High Security environment defined in this guide. File system security settings may be modified using Group Policy. The File System settings can be configured at the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\File System

Note: Any changes to the default file system security settings should be thoroughly tested in a lab environment prior to deploying them in a large organization. There have been cases when file permissions have been altered to the point where the computers impacted by them must be completely rebuilt.

Advanced Permissions

You can set file permissions with more control than they initially appear to offer in the Permissions dialog box by clicking the Advanced button. The following table shows a list of these advanced permissions.

Table 3.129: Advanced File Permissions and Descriptions

Advanced Permission | Description
Traverse Folder/Execute | The Traverse Folder permission allows or denies user requests to move through folders to reach other files or folders, even if the user has no permission to traverse folders (this permission applies to folders only).
List Folders/Read Data | The List Folder permission allows or denies user requests to view file names and subfolder names within the specified folder. This permission only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. This permission applies to folders only. The Read Data permission allows or denies viewing data in files (this permission applies to files only).
Read Attributes | The Read Attributes permission allows or denies user requests to view the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.
Read Extended Attributes | The Read Extended Attributes permission allows or denies user requests to view the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
Create Files/Write Data | The Create Files permission allows or denies user requests to create files within the folder (this permission applies to folders only). The Write Data permission allows or denies user requests to make changes to the file and overwrite existing content (this permission applies to files only).
Create Folders/Append Data | The Create Folders permission allows or denies user requests to create folders within a specified folder (this permission applies to folders only). The Append Data permission allows or denies user requests to make changes to the end of the file, but not to change, delete, or overwrite existing data (this permission applies to files only).
Write Attributes | The Write Attributes permission allows or denies user requests to change the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
Write Extended Attributes | The Write Extended Attributes permission allows or denies user requests to change the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
Delete Subfolders and Files | The Delete Subfolders and Files permission allows or denies user requests to delete subfolders and files, even if the Delete permission has not been granted on the subfolder or file (this permission applies to folders).
Delete | The Delete permission allows or denies user requests to delete a file or folder. If you do not have the Delete permission enabled on a file or folder, you can still delete it if you have been granted the Delete Subfolders and Files permission on the parent folder.
Read Permissions | Read Permissions allows or denies user requests to read the permissions of files or folders, such as Full Control, Read, and Write.
Change Permissions | Change Permissions allows or denies user requests to change permissions of files or folders, such as Full Control, Read, and Write.
Take Ownership | The Take Ownership permission allows or denies user requests to take ownership of files or folders. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.

The following three additional terms are used to describe the inheritance of permissions applied to files and folders:
● Propagate refers to propagating inheritable permissions to all subfolders and files. Any child objects of an object inherit the parent object's security settings, provided the child object is not protected from accepting permission inheritance. If there is a conflict, the explicit permissions on the child object will override the permissions inherited from the parent object.
● Replace refers to replacing existing permissions on all subfolders and files with inheritable permissions. The parent object's permission entries will override any security settings on the child object, regardless of the child object's settings. The child object will have identical access control entries to the parent object.
● Ignore refers to not allowing permissions on a file or folder (or key) to be replaced. Use this option if you do not want to configure or analyze security for this object or any of its child objects.
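The advanced permissions in Table 3.129 are individual bits of an access mask, and the Propagate/Replace/Ignore behaviour above is carried by inheritance flags on each access control entry (ACE). The following PowerShell script is an added example, not code from the guide: it decodes every ACE on a folder into the table's permission names and reports whether the entry is explicit or inherited and how it propagates, which is the check to run before and after applying the File System settings from Group Policy. The demonstration folder under %TEMP% and the explicit ACE it adds are constructed for the example (PowerShell 3.0 or later); point the function at a real folder to inspect it. All function and variable names are my own.

```powershell
# Added example, not from the Windows XP Security Guide. Decodes NTFS ACEs into
# the advanced permission names of Table 3.129 and shows inheritance state.
# Each table row maps to one bit of System.Security.AccessControl.FileSystemRights;
# rows such as "Create Files/Write Data" are one bit whose meaning depends on
# whether it sits on a folder or a file.
$advancedRights = [ordered]@{
    'Traverse Folder/Execute'     = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    'List Folders/Read Data'      = [System.Security.AccessControl.FileSystemRights]::ReadData
    'Read Attributes'             = [System.Security.AccessControl.FileSystemRights]::ReadAttributes
    'Read Extended Attributes'    = [System.Security.AccessControl.FileSystemRights]::ReadExtendedAttributes
    'Create Files/Write Data'     = [System.Security.AccessControl.FileSystemRights]::WriteData
    'Create Folders/Append Data'  = [System.Security.AccessControl.FileSystemRights]::AppendData
    'Write Attributes'            = [System.Security.AccessControl.FileSystemRights]::WriteAttributes
    'Write Extended Attributes'   = [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes
    'Delete Subfolders and Files' = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    'Delete'                      = [System.Security.AccessControl.FileSystemRights]::Delete
    'Read Permissions'            = [System.Security.AccessControl.FileSystemRights]::ReadPermissions
    'Change Permissions'          = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
    'Take Ownership'              = [System.Security.AccessControl.FileSystemRights]::TakeOwnership
}

function Get-AdvancedPermissionReport {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Bitwise test of each advanced right against the ACE's access mask.
        $granted = foreach ($name in $advancedRights.Keys) {
            if (([int]$ace.FileSystemRights -band [int]$advancedRights[$name]) -ne 0) { $name }
        }
        # IsInherited: the ACE came from the parent (Propagate) rather than being
        # set on this object. InheritanceFlags/PropagationFlags: how this ACE
        # flows to subfolders and files beneath it.
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType      # Allow or Deny
            Inherited   = $ace.IsInherited
            AppliesTo   = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            Permissions = ($granted -join ', ')
        }
    }
}

# Constructed sample: a scratch folder with one explicit, inheritable ACE for the
# current user, so the report shows both inherited and explicit entries.
$demo = Join-Path $env:TEMP 'xpguide-acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$acl  = Get-Acl -Path $demo
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $me, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $demo -AclObject $acl

Get-AdvancedPermissionReport -Path $demo | Format-Table -AutoSize -Wrap

Remove-Item -Path $demo -Recurse -Force
```

For the explicit ACE the report lists Traverse Folder/Execute, List Folders/Read Data, Read Attributes, Read Extended Attributes and Read Permissions (the bits that make up ReadAndExecute) with Inherited = False and AppliesTo = "ContainerInherit, ObjectInherit / None"; the remaining rows are the entries the scratch folder inherited from %TEMP%, which is what the Replace option would overwrite.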

Summary

This chapter has covered in detail the primary security settings and recommended configurations for each setting to secure computers running Windows XP Professional in the two environments defined in this guide. When considering the security policies for your organization, keep in mind the tradeoffs between security and user productivity. In order to protect users from malicious code and attackers, a balance must be struck between adequate computer security and ensuring that users can continue to perform their jobs without overly restrictive security policies that may frustrate their efforts.

More Information

For more information on maintaining security for Windows XP Professional, see:
● The Help and Support tool included with Windows XP.
● http://www.microsoft.com/windowsxp/security/.
For more information on new security features in Windows XP, see "What's New in Security for Windows XP Professional and Windows XP Home Edition," at: http://www.microsoft.com/windowsxp/pro/techinfo/planning/security/whatsnew/default.asp.
For more information on secure channels, see the Windows 2000 Magazine article "Secure Channels in NT 4.0," at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnntmag00//secure.asp.
For more information on security for the Windows operating system, see the Microsoft Windows Security Resource Kit, at: http://www.microsoft.com/MSPress/books/6418.asp.
For more information on the Encrypting File System (EFS) feature of Windows XP, see "Encrypt Your Data to Keep It Safe," at: http://www.microsoft.com/windowsxp/pro/using/howto/security/encryptdata.asp.
For more information about the Internet Connection Firewall in Windows XP, see "Description of the Windows XP Internet Connection Firewall," at: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q320/8/55.asp&NoWebContent=1

4 Administrative Templates for Windows XP

Overview

In this chapter, the process of configuring and applying additional security settings to Microsoft® Windows® XP Professional using Administrative Templates is covered in detail. Administrative Template (.adm) files are used to configure settings in the Windows XP registry that govern the behavior of many services, applications, and operating system components.

Note: There are numerous additions to the available configuration settings that are made available by Windows XP Service Pack 2. For more information, see Appendix A.

Five Administrative Templates ship with Windows XP Service Pack 1; together they include more than 600 settings, over 100 of them new for Windows XP Professional. There are several settings in the Microsoft Windows Server 2003 Administrative Templates that do not work with Windows XP. For a complete listing of all the Administrative Template settings available with Windows XP, see the Policy Settings Excel workbook referenced in the More Information section at the end of this chapter. The following table lists the .adm files and outlines the applications and services they affect.

Table 4.1: Administrative Template Files

File Name | Operating System | Description
System.adm | Windows XP Professional | Contains many settings to customize the user's operating environment.
Inetres.adm | Windows XP Professional | Contains settings for Internet Explorer.
Conf.adm | Windows XP Professional | Contains settings to configure Microsoft NetMeeting.
Wmplayer.adm | Windows XP Professional | Contains settings to configure Windows Media Player.
Wuau.adm | Windows XP Professional | Contains settings to configure Windows Update.

Note: You must manually configure the Administrative Template settings in the Group Policy object (GPO) to apply them to the computers and users in your environment.

The settings in the Administrative Templates divide into two major groups:
● Computer Configuration settings stored in the HKEY_Local_Machine registry hive.
● User Configuration settings stored in the HKEY_Current_User registry hive.

As in Chapter 3, "Security Settings for Windows XP Clients," setting prescriptions are included for the Enterprise Client and High Security environments defined in this guide. The Computer Configuration settings discussed in the first part of this chapter apply to the two environments defined in this guide. The User Configuration settings, which are discussed later in the chapter, also apply to both environments.

Note: The user settings are applied to an OU containing users via a linked GPO. See chapter 2, "Configuring the Active Directory Domain Infrastructure," for additional details on this OU.

Some settings are available under both Computer Configuration and User Configuration in the Group Policy Object Editor. If a User Configuration setting applies to a user who logs on to a computer to which the same Computer Configuration setting has been applied via Group Policy, the Computer Configuration setting takes precedence over the User Configuration setting. Additional Administrative Templates for Microsoft Office XP are available in the Microsoft Office XP Resource Kit. If there are additional settings you want to apply via Group Policy in Windows XP Professional, you can develop your own custom templates. See the white papers listed in the More Information section at the end of this chapter for details on developing your own Administrative Templates.

This chapter does not cover all possible settings available in the Administrative Templates provided by Microsoft; many of the settings in the Administrative Templates discussed are user interface (UI) settings that are not specific to security. Base your decisions about which of the setting configurations prescribed in this guidance apply to your environment on the security goals of your organization.
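Because Computer Configuration settings are written under HKEY_LOCAL_MACHINE and User Configuration settings under HKEY_CURRENT_USER, the precedence rule above can be checked directly in the registry of a client. The following PowerShell function is an added example, not part of the guide: it looks a policy value up in both hives, consulting the machine hive first, and reports which copy is in effect and whether a user-level copy is being shadowed. The usage line assumes that the "Do not allow Windows Messenger to be run" setting, which exists under both Computer and User Configuration, is stored as the value PreventRun below Software\Policies\Microsoft\Messenger\Client; that key and value name are assumptions for the demonstration rather than text from the guide, as are the function and parameter names.

```powershell
# Added example, not from the Windows XP Security Guide. Resolves the effective
# value of an Administrative Template setting that exists in both Computer and
# User Configuration, applying the rule that the machine setting wins.
function Get-EffectivePolicyValue {
    param(
        [Parameter(Mandatory = $true)][string]$RelativeKey,   # key path below Software\Policies
        [Parameter(Mandatory = $true)][string]$ValueName
    )
    # Ordered so the machine hive is consulted first and therefore takes precedence.
    $sources = [ordered]@{
        'Computer Configuration (HKLM)' = "HKLM:\Software\Policies\$RelativeKey"
        'User Configuration (HKCU)'     = "HKCU:\Software\Policies\$RelativeKey"
    }
    $found = @()
    foreach ($label in $sources.Keys) {
        # Missing key or value simply means that hive does not configure the setting.
        $item = Get-ItemProperty -Path $sources[$label] -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $found += [pscustomobject]@{ Source = $label; Value = $item.$ValueName }
        }
    }
    if ($found.Count -eq 0) {
        return [pscustomobject]@{ Setting = $ValueName; Effective = $null; Source = 'Not Configured'; Shadowed = $null }
    }
    # First hit is the machine-level entry when one exists; any later hit is shadowed.
    $shadowed = if ($found.Count -gt 1) {
        $found[1..($found.Count - 1)] | ForEach-Object { "$($_.Source) = $($_.Value)" }
    } else { $null }
    [pscustomobject]@{
        Setting   = $ValueName
        Effective = $found[0].Value
        Source    = $found[0].Source
        Shadowed  = $shadowed
    }
}

# Usage (assumed key and value name for "Do not allow Windows Messenger to be run").
Get-EffectivePolicyValue -RelativeKey 'Microsoft\Messenger\Client' -ValueName 'PreventRun'
```

A Shadowed entry in the output is the case the paragraph above describes: a User Configuration value that is present in the user's hive but has no effect because the Computer Configuration value for the same setting applies to the machine.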

Computer Configuration Settings

The following sections discuss the settings prescribed under Computer Configuration in the Group Policy Object Editor. Configure these settings at the following location: Computer Configuration\Administrative Templates

Apply these settings via a GPO linked to an OU containing the computer accounts in your environment. Include the laptop settings in the GPO linked to the laptop OU, and the desktop settings in the GPO linked to the desktop OU.

Windows Components Guidance on the following Microsoft Windows® components is not provided: Application Compatibility, , and Windows Media Player®.

NetMeeting

Microsoft NetMeeting® allows users to conduct virtual meetings across the network in your organization. Configure the prescribed computer setting below related to NetMeeting in the Administrative Template at the following location using the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\NetMeeting

Disable remote Desktop Sharing

Table 4.2: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Not Configured | Not Configured | Enabled | Enabled

The Disable remote Desktop Sharing setting disables the remote desktop sharing feature of NetMeeting. Enabling this setting prevents users from configuring NetMeeting to automatically answer incoming calls and allow remote control of the local desktop. The Disable remote Desktop Sharing setting is set to Not Configured in the Enterprise Client environment. However, it is configured to Enabled in the High Security environment to prevent users from sharing desktops remotely using NetMeeting.

Internet Explorer

Microsoft Internet Explorer group policies help you enforce security requirements for Windows XP workstations, and prevent the exchange of unwanted content via the browser. Use the following criteria to secure Internet Explorer on the workstations in your environment:
● Ensure requests to the Internet only occur in direct response to user actions.
● Ensure that information sent to specific Web sites only reaches those sites, unless specific user actions are allowed to transmit information to other destinations.
● Ensure that trusted channels to servers/sites are clearly identified, along with who owns the servers/sites on each channel.
● Ensure that any script or program that runs with Internet Explorer executes in a restricted environment. Programs delivered through trusted channels may be enabled to operate outside of the restricted environment.

Note: There are numerous additions to the available Internet Explorer settings that are provided in Windows XP Service Pack 2. For more information, see Appendix A.

Configure the prescribed computer settings below for Internet Explorer in the Administrative Template at the following location using the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer

Note: The settings for Security Zones cannot be set via Group Policy. The Internet Explorer Administration Kit (IEAK) may be used to configure these settings. Refer to the More Information section of this chapter for details on obtaining the IEAK.

Disable Automatic Install of Internet Explorer components

Table 4.3: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

Enabling the Disable Automatic Install of Internet Explorer components setting prevents Internet Explorer from downloading components when users browse to Web sites that require these components to fully function. Disabling or not configuring this setting prompts users to download and install components each time they visit Web sites that use them. Microsoft recommends configuring the Disable Automatic Install of Internet Explorer components setting to Enabled in the two environments defined in this guide.

Note: Before enabling this setting, Microsoft recommends setting up an alternative strategy to update Internet Explorer using Software Update Service or a similar service.

Disable Periodic Check for Internet Explorer software updates

Table 4.4: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

Enabling the Disable Periodic Check for Internet Explorer software updates setting prevents Internet Explorer from determining whether a later browser version is available and notifying users if this is the case. Disabling this policy or not configuring it causes Internet Explorer to check for updates every 30 days by default, and then notify users if a new version is available. Microsoft recommends configuring the Disable Periodic Check for Internet Explorer software updates setting to Enabled in the two environments defined in this guide.

Note: Before enabling this policy, Microsoft recommends setting up an alternative strategy for the administrators in your organization to ensure they periodically accept new updates for Internet Explorer on the clients in your environment.

Disable software update shell notifications on program launch

Table 4.5: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

The Disable software update shell notifications on program launch setting specifies that programs using Microsoft Software Distribution Channels will not notify users when they install new components. The Software Distribution Channel is a means of updating software dynamically on user computers based on Open Software Distribution (.osd) technologies. Microsoft recommends configuring the Disable software update shell notifications on program launch setting to Enabled in the two environments defined in this guide.

Make proxy settings per-machine (rather than per-user)

Table 4.6: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Disabled | Enabled | Disabled

Enabling the Make proxy settings per-machine (rather than per-user) setting prevents users from altering user-specific proxy settings. They must use the zones created for all users of the computers they access. Microsoft recommends configuring the Make proxy settings per-machine (rather than per-user) setting to Enabled for Desktop clients in the two environments defined in this guide, and to Disabled for Laptop clients because mobile users may have to change their proxy settings as they travel.

Security Zones: Do not allow users to add/delete sites

Table 4.7: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

Enabling the Security Zones: Do not allow users to add/delete sites setting disables the site management settings for security zones. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click Sites.) Disabling or not configuring this setting allows users to add or remove Web sites in the Trusted Sites and Restricted Sites zones, as well as alter settings in the Local Intranet zone. Microsoft recommends configuring the Security Zones: Do not allow users to add/delete sites setting to Enabled in the two environments defined in this guide.

Note: Enabling the Disable the Security page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), removes the Security tab from the interface and causes this setting to take precedence over the Security Zones: Do not allow users to add/delete sites setting.

Security Zones: Do not allow users to change policies

Table 4.8: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

Enabling the Security Zones: Do not allow users to change policies setting has the effect of disabling the Custom Level button and the Security level for this zone slider on the Security tab in the Internet Options dialog box. Disabling or not configuring this setting allows users to change the settings for security zones. This setting prevents users from changing security zone policy settings established by the administrator. Microsoft recommends configuring the Security Zones: Do not allow users to change policies setting to Enabled in the two environments defined in this guide.

Note: Enabling the Disable the Security page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) removes the Security tab from Internet Explorer in the Control Panel and causes this setting to take precedence over the Security Zones: Do not allow users to change policies setting.

Security Zones: Use only machine settings

Table 4.9: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled | Enabled | Enabled | Enabled

Enabling the Security Zones: Use only machine settings setting causes changes that the user makes to a security zone to apply to all users of that computer. Disabling or not configuring this setting allows users of the same computer to establish their own security zone settings. This policy is intended to ensure that security zone settings remain uniformly in effect on the same computer and do not vary from user to user. For these reasons, Microsoft recommends configuring the Security Zones: Use only machine settings setting to Enabled in the two environments defined in this guide.

Terminal Services\Client/Server data redirection

Terminal Services provides options for redirecting client resources to servers that are accessed via Terminal Services. The following setting is specific to Terminal Services. Configure the prescribed computer setting below for Client/Server data redirection under Terminal Services in the Administrative Template at the following location using the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection

Do not allow drive redirection

Table 4.10: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Not Configured | Not Configured | Enabled | Enabled

The Do not allow drive redirection setting prevents users from sharing the local drives on their clients to Terminal Servers they access. Mapped drives appear in the session folder tree in Windows Explorer or My Computer in the following format: \\TSClient\<drive letter>$

The potential for sharing local drives leaves them vulnerable to intruders intent on exploiting the data stored on them. For this reason, this guide recommends configuring the Do not allow drive redirection setting to Enabled in the High Security environment. However, Microsoft suggests configuring this setting to Not Configured in the Enterprise Client environment.

Terminal Services\Encryption and Security

Configure the prescribed computer settings below for encryption and security under Terminal Services in the Administrative Template at the following location using the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Encryption and Security

Always prompt client for password upon connection

Table 4.11: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Not Configured | Not Configured | Enabled | Enabled

The Always prompt client for password upon connection setting specifies whether Terminal Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Terminal Services, even if they already provided the password in the Remote Desktop Connection client. By default, Terminal Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. Microsoft recommends configuring the Always prompt client for password upon connection setting to Enabled in the High Security environment. However, Microsoft suggests configuring this setting to Not Configured in the Enterprise Client environment.

Note: If you do not configure this setting, the local computer administrator can use the Terminal Services Configuration tool to either allow or prevent passwords from being automatically sent.

Set client connection encryption level

Table 4.12: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
High Level | High Level | High Level | High Level

The Set client connection encryption level setting specifies whether to enforce an encryption level for all data sent between the client and the remote computer during a Terminal Server session. For the two environments defined in this guide, it is recommended to strengthen the encryption level to High Level to enforce 128-bit encryption.

Windows Messenger

Windows Messenger is used to send instant messages to other users on a computer network. The messages may include files and other attachments. Configure the prescribed computer setting below for Windows Messenger in the Administrative Template at the following location using the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\Windows Messenger

Do not allow Windows Messenger to be run

Table 4.13: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Not Configured | Not Configured | Enabled | Enabled

The Do not allow Windows Messenger to be run setting allows you to disable Windows Messenger. Configuring this setting to Enabled prevents Windows Messenger from running. This guide recommends configuring the Do not allow Windows Messenger to be run setting to Enabled in the High Security environment. However, Microsoft suggests configuring this setting to Not Configured in the Enterprise Client environment.

Note: Configuring this setting to Enabled prevents Remote Assistance from using Windows Messenger and users from using MSN® Messenger.

Windows Update

Administrators use Windows Update settings to manage how patches and hotfixes are applied on Windows XP workstations. Updates are available from the Microsoft Windows Update Web site. Alternatively, you can set up an intranet Web site to distribute patches and hotfixes in a similar manner with additional administrative control. The Windows Update Administrative Template (WUAU.adm) is new with Windows XP Service Pack 1.

Software Update Services (SUS) is a component of the Strategic Technology Protection Program (STPP) that builds on the success of the Microsoft Windows Update technologies available to all users from the Windows Update Web site. SUS manages and distributes critical Windows patches that resolve known security vulnerabilities and other stability issues with Microsoft Windows® operating systems. Until recently, system administrators had to periodically check the Windows Update Web site or the Microsoft Security Web site for new patches. Then they had to manually download and test them in their environment, and then either distribute the patches manually or use traditional software-distribution tools to implement them. SUS eliminates these manual steps with a dynamic notification system for critical updates to Windows clients that are available through your intranet server. No Internet access is required from clients to use this service. This technology also provides a simple and automatic solution for distributing updates to your Windows workstations and servers. Software Update Services also offers the following features:
● Administrator control over content synchronization within your intranet. This synchronization service is a server-side component that retrieves the latest critical updates from Windows Update. As new updates are added to Windows Update, the server running SUS automatically downloads and stores them, based on an administrator-defined schedule.
● An intranet-hosted Windows Update server. This easy-to-use server acts as the virtual Windows Update server for client computers. It contains the synchronization service and administrative tools for managing updates. It services requests for approved updates from client computers connected to it using the Hypertext Transfer Protocol (HTTP). This server can also host critical updates downloaded from the synchronization service, and refer client computers to those updates.
● Administrator control over updates. The administrator can test and approve updates from the public Windows Update site before deployment on the corporate intranet. Deployment takes place on a schedule the administrator creates. If multiple servers are running SUS, the administrator controls which computers access particular servers running the service. Administrators enable this level of control with Group Policy in a Microsoft Active Directory® directory service environment, or through registry keys.
● Automatic updates on computers (workstations or servers). Automatic Updates is a Windows feature that can be set up to automatically check for updates published on Windows Update. SUS uses this Windows feature to publish administrator-approved updates on an intranet.

Note: If you choose to distribute patches via another channel, such as Microsoft Systems Management Server, this guide recommends disabling the Configure Automatic Updates setting.

There are several Windows Update settings. Three minimum settings are required to make Windows Update work: Configure Automatic Updates, No auto-restart for scheduled Automatic Updates installations, and Reschedule Automatic Updates scheduled installations. A fourth setting is optional depending on the requirements of your organization: Specify intranet Microsoft update service location. Configure the prescribed computer settings below for Windows Update in the Administrative Template at the following location using the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\Windows Update

The settings discussed in this section do not individually address specific security risks. They are related more to administrator preference. However, configuring Windows Update is essential to maintaining the security of your environment because it ensures that the clients in your environment receive security patches from Microsoft soon after they are available.

Note: Windows Update depends on several services, including the Remote Registry service and the Background Intelligent Transfer Service (BITS). In Chapter 3, "Security Settings for Windows XP Clients," these services are disabled in the High Security environment. Therefore, if these services are disabled, Windows Update will not work in the High Security environment, and the following four setting prescriptions may be disregarded for this environment only.

Configure Automatic Updates

Table 4.14: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Enabled             Enabled             Enabled         Enabled

The Configure Automatic Updates setting specifies whether computers in your environment will receive security updates from Windows Update or SUS. Configuring this setting to Enabled allows the operating system to recognize when a network connection is available and then use that connection to search the Windows Update Web site or your designated intranet site for updates that apply to the computer. After configuring this setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:
● 2 — Notify before downloading any updates and notify again before installing them.
● 3 — Download the updates automatically and notify when they are ready to be installed (default setting).
● 4 — Automatically download updates and install them on the schedule specified below.

Disabling this setting requires you to download and install manually any available updates from the Windows Update Web site at http://windowsupdate.microsoft.com. Microsoft recommends setting the Configure Automatic Updates setting to Enabled in the two environments defined in this guide. After enabling this setting, select the option from the list above that is appropriate for your environment.

No auto-restart for scheduled Automatic Updates installations

Table 4.15: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Disabled            Disabled            Disabled        Disabled

Enabling the No auto-restart for scheduled Automatic Updates installations setting causes the computer to wait for a logged-on user to restart it to complete a scheduled installation, instead of restarting automatically. If a user is logged on to a computer when Automatic Updates requires a restart to complete an update installation, the user is notified and given the option to delay the restart. Automatic Updates will not detect future updates until the restart occurs. Configuring this setting to Disabled or Not Configured causes Automatic Updates to notify the user that the computer will automatically restart in 5 minutes to complete the installation. If automatically restarting the clients in your environment is a concern, consider enabling the No auto-restart for scheduled Automatic Updates installations setting; if you do enable it, schedule your clients to restart after normal business hours to ensure the installation is completed. Because an installation is not complete, and further updates are not detected, until the restart occurs, this guide recommends configuring the No auto-restart for scheduled Automatic Updates installations setting to Disabled in the two environments defined in this guide.

Note: This setting only works when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates setting is configured to Disabled, it will not work. A restart is generally required to complete an update installation.

Reschedule Automatic Updates scheduled installations

Table 4.16: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Enabled             Enabled             Enabled         Enabled

The Reschedule Automatic Updates scheduled installations setting determines the amount of time that passes after system startup before a previously scheduled Automatic Updates installation proceeds. Configuring this setting to Enabled causes a previously scheduled installation to run a specified number of minutes after the computer is next started. Configuring this setting to Disabled or Not Configured causes a previously scheduled installation to occur at the next regularly scheduled installation time. Microsoft recommends setting the Reschedule Automatic Updates scheduled installations setting to Enabled in the two environments defined in this guide. After enabling the setting, you may change the default waiting period to one appropriate for your environment.


Note: This setting only works when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates setting is disabled, the Reschedule Automatic Updates scheduled installations setting has no effect. Enabling the latter two settings ensures that previously missed installations will be scheduled to install each time the computer restarts.

Specify intranet Microsoft update service location

Table 4.17: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Enabled             Enabled             Enabled         Enabled

The Specify intranet Microsoft update service location setting specifies an intranet server that hosts updates from the Microsoft Update Web sites. You can then use this update service to automatically update computers on your network. This setting lets you designate a Software Update Services (SUS) server on your network to function as an internal update service. The Automatic Updates client will work with the SUS server to search the service for updates that apply to the computers on your network. Microsoft recommends configuring the Specify intranet Microsoft update service location setting to Enabled for both of the environments defined in this guide.

Note: Enabling the Specify intranet Microsoft update service location setting has no effect if the Configure Automatic Updates setting is disabled.

Microsoft Office XP

Before you can access the Administrative Template settings for Microsoft Office XP, you must apply the Administrative Templates via the Group Policy Object Editor. The templates are available with the Office XP Resource Kit, and they are also included with this guidance. The following table lists all of the Office XP Administrative Template files. The Office10.adm template file contains all of the settings for the programs and features listed in the table that are discussed in this section; the other template files contain UI settings. You must add the Office10.adm file to Administrative Templates in the Group Policy Object Editor before configuring the Office XP settings prescribed in this section. For details on how to add Administrative Templates to the Group Policy Object Editor, see Chapter 2, "Configuring the Active Directory Domain Infrastructure," in this guide.

Table 4.18: Microsoft Office XP Administrative Templates

Template File   Policies Included
Access10.adm    Microsoft Access 2002
Excel10.adm     Microsoft Excel 2002
Fp10.adm        Microsoft FrontPage 2002
Gal10.adm       Microsoft Office XP Clip Organizer
Instlr11.adm    Windows Installer 1.1
Ppt10.adm       Microsoft PowerPoint 2002
Pub10.adm       Microsoft Publisher 2002
Office10.adm    Shared Office XP components
Outlk10.adm     Microsoft Outlook 2002
Word10.adm      Microsoft Word 2002

Microsoft Office XP\Security Settings

Configure the prescribed computer settings below for Office XP in the Administrative Template at the following location using the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Microsoft Office XP\Security Settings

A key feature of Office XP is macro security. There are a few things you should consider when setting up macro security for the clients in your environment. Macro security depends on a certificate associated with an Office data file or with executable code attached to a document, workbook, presentation, or e-mail message. Validating the certificate requires authenticating the author who signed the code and the digital signature created for that author. A certificate of authenticity is attached to executable code, a Microsoft ActiveX® control, or a dynamic-link library (DLL) file. The author must obtain a certificate from a Certificate Authority, which may be either an internal authority set up by your organization or an external authority operated by another company.

The term macro also covers ActiveX controls, Component Object Model (COM) objects, OLE objects, and other executable programs that can be attached to a document, worksheet, or e-mail message. In the context of this chapter, the term macro refers explicitly to macros written in Microsoft Visual Basic® for Applications (VBA). Macro security levels determine how Office applications respond to them. The behavior of each security level for the following macro categories is summarized as follows:
● Unsigned macros.
  ● High: Macros are disabled when the document, workbook, presentation, or e-mail message is opened.
  ● Medium: Users are prompted to enable or disable macros.
● Signed macros from a trusted source with a valid certificate.
  ● High and Medium: Macros are enabled when the document, workbook, presentation, or e-mail message is opened.
● Signed macros from an unknown source with a valid certificate.
  ● High and Medium: A dialog box appears with information about the certificate. Users must then decide whether to enable macros based on the content of the certificate. To enable macros, users must accept the certificate.
● Signed macros from any source with an invalid certificate.
  ● High and Medium: Users are warned of a potential virus. Macros are disabled.
● Signed macros from any source when the certificate cannot be validated. This occurs when the public key is missing or an incompatible encryption method was used.
  ● High: Users are warned that certificate validation is not possible. Macros are disabled.
  ● Medium: Users are warned that certificate validation is not possible. Users are given the option to enable or disable macros.
● Signed macros from any source with a certificate that has expired or been revoked by a Certificate Authority.
  ● High: Users are warned that the certificate has expired or was revoked. Macros are disabled.
  ● Medium: Users are warned that the certificate has expired or was revoked. Users are given the option to enable or disable macros.

For additional information on macro security and trusted sources, see the references to the Office XP Resource Kit in the More Information section at the end of this chapter.

Access: Trust all installed add-ins and templates

Table 4.19: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Disabled            Disabled            Disabled        Disabled

You can configure all of the products in Office XP to trust installed COM add-ins automatically. Disabling the Access: Trust all installed add-ins and templates setting causes Access to ensure that all add-ins are digitally signed by a trusted source. Signed components may then be loaded at any security level. Unsigned components, or components signed by a distrusted source, cause Access to respond to them based on which of the following macro security levels in the Security Level dialog box is in effect:
● High: add-ins and template components cannot load.
● Medium: users are warned of the potential security risk of using unsigned components.
● Low: add-ins and template components will load and run without user intervention.

For these reasons, the Access: Trust all installed add-ins and templates setting is configured to Disabled in the two environments defined in this guide.

Note: Configuring the Access: Trust all installed add-ins and templates setting to Disabled causes Access to treat add-ins and templates as macros from a security perspective.

Disable VBA for Office applications

Table 4.20: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Disabled            Disabled            Enabled         Enabled

VBA is often mistaken for the root of all security risks in Office applications, and it is a common misconception that disabling VBA will completely prevent application security breaches. This is not entirely true, because ActiveX controls can still run without VBA. Enabling the Disable VBA for Office applications setting disables many useful features within Office XP, including Office Tools on the Web, many wizards, templates, COM add-ins, and macros. Any customizations that rely on macros, such as buttons or menu commands, will no longer work. If a document contains macros or ActiveX controls, users must first open it on a read-only basis and then save changes to it as a new document. However, enabling this setting does make Office applications somewhat more secure. For these reasons, the Disable VBA for Office applications setting is configured to Enabled only in the High Security environment, and Microsoft suggests configuring it to Disabled in the Enterprise Client environment.

Important: Disabling VBA may result in users losing the ability to open Office data files containing macros. Refer to the discussion on macro security above for details on how Office data files containing macros are handled.

Excel: Macro Security Level

Table 4.21: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Medium              Medium              High            High

It may be tempting to permanently disable all macro functionality in your environment. While you can do this in Office XP, improvements in the management and security of macros in Office make this unnecessary. The Medium security level for the Excel: Macro Security Level setting allows users to choose whether to run potentially unsafe macros. The High security level for this setting only allows signed macros from trusted sources to run, and automatically disables unsigned macros. For these reasons, the Excel: Macro Security Level setting is configured to Enabled with the Medium option in the Enterprise Client environment, and to Enabled with the High option in the High Security environment defined in this guide.

Excel: Trust access to Visual Basic Project

Table 4.22: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Disabled            Disabled            Disabled        Disabled

The Excel: Trust access to Visual Basic Project setting lets you control whether Excel is trusted to access VBA code attached to documents. Enforcing the Disabled default for this setting ensures that macros attached to any files or documents that you open cannot access core Visual Basic objects, methods, and properties. The macro security level is configured to High by default for this setting. In this way the default setting eliminates a possible security hazard. For this reason, the Excel: Trust access to Visual Basic Project setting is configured to Disabled in the two environments defined in this guide.

Excel: Trust all installed add-ins and templates

Table 4.23: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Disabled            Disabled            Disabled        Disabled

You can configure all products in Office XP to trust installed COM add-ins automatically. Disabling the Excel: Trust all installed add-ins and templates setting causes Excel to ensure that add-ins are digitally signed by trusted sources. Trusted components and templates can then load on the computer at any security level. Unsigned components, or components signed by distrusted sources, cause Excel to respond to them based on which of the following macro security levels in the Security Level dialog box is in effect:
● High: add-ins and template components cannot load.
● Medium: users are warned of the potential security risk of using unsafe components.
● Low: add-ins and template components will load and run without prompting the user.

For these reasons, the Excel: Trust all installed add-ins and templates setting is configured to Disabled in the two environments defined in this guide.

Note: Configuring the Excel: Trust all installed add-ins and templates setting to Disabled causes Excel to treat add-ins and templates as macros from a security perspective.

Outlook: Macro Security Level

Table 4.24: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
High                High                High            High

It may be tempting to permanently disable all macro functionality in your environment. While you can do this in Office XP, improvements in the management and security of macros in Office make this unnecessary. The High security level for the Outlook: Macro Security Level setting only allows signed macros from trusted sources to run, and automatically disables unsigned macros. The risk of e-mail attachments introducing malicious code into your environment is extremely high, so the recommended macro security level for Microsoft Outlook® is higher than that for the other Office applications. For this reason, the Outlook: Macro Security Level setting is configured to Enabled with the High option in the two environments defined in this guide.

PowerPoint: Macro Security Level

Table 4.25: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Medium              Medium              High            High

It may be tempting to permanently disable all macro functionality in your environment. While you can do this in Office XP, improvements in the management and security of macros in Office make this unnecessary. The Medium security level for the PowerPoint: Macro Security Level setting allows users to choose whether to run potentially unsafe macros. The High security level for this setting only allows signed macros from trusted sources to run, and automatically disables unsigned macros. For these reasons, the PowerPoint: Macro Security Level setting is configured to Enabled with the Medium option in the Enterprise Client environment, and to Enabled with the High option in the High Security environment defined in this guide.

PowerPoint: Trust access to Visual Basic Project

Table 4.26: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Disabled            Disabled            Disabled        Disabled

The PowerPoint: Trust access to Visual Basic Project setting allows you to control whether PowerPoint may access VBA code attached to files and documents. Configuring this setting to the default Disabled prevents macros in any files and documents that you open from accessing core Visual Basic objects, methods, and properties. In this way, the default setting eliminates a possible security hazard. For this reason, the PowerPoint: Trust access to Visual Basic Project setting is configured to Disabled in the two environments defined in this guide.

PowerPoint: Trust all installed add-ins and templates

Table 4.27: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Disabled            Disabled            Disabled        Disabled

You can configure all products in Microsoft Office XP to trust installed COM add-ins automatically. Configuring the PowerPoint: Trust all installed add-ins and templates setting to Disabled causes PowerPoint to ensure that all add-ins are digitally signed by trusted sources. Signed components may then load on the computer at any security level. Unsigned components, or components signed by distrusted sources, cause PowerPoint to respond to them based on which of the following macro security levels in the Security Level dialog box is in effect:
● High: add-ins and template components cannot load.
● Medium: users are warned of the potential security risk of using unsafe components.
● Low: add-ins and template components will load and run without user intervention.

For this reason, the PowerPoint: Trust all installed add-ins and templates setting is configured to Disabled in the two environments defined in this guide.

Note: Configuring the PowerPoint: Trust all installed add-ins and templates setting to Disabled causes PowerPoint to treat add-ins and templates as macros from a security perspective.

Publisher: Macro Security Level

Table 4.28: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Medium              Medium              High            High

It may be tempting to permanently disable all macro functionality in your environment. While you can do this in Office XP, improvements in the management and security of macros in Office make this unnecessary. The Medium security level for the Publisher: Macro Security Level setting allows users to choose whether to run potentially unsafe macros. The High security level for this setting only allows signed macros from trusted sources to run, and automatically disables unsigned macros. For these reasons, the Publisher: Macro Security Level setting is configured to Enabled with the Medium option in the Enterprise Client environment, and to Enabled with the High option in the High Security environment defined in this guide.

Publisher: Trust all installed add-ins and templates

Table 4.29: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Disabled            Disabled            Disabled        Disabled

All of the products in Office XP can be configured to trust installed COM add-ins automatically. Disabling the Publisher: Trust all installed add-ins and templates setting causes Publisher to ensure that all add-ins are digitally signed by trusted sources. Signed components can then load on the computer at any security level. Unsigned components, or components signed by distrusted sources, cause Publisher to respond to them based on which of the following macro security levels in the Security Level dialog box is in effect:
● High: add-ins and template components cannot load.
● Medium: users are warned of the potential security risk of using unsafe components.
● Low: add-ins and template components will load and run without user intervention.

For these reasons, the Publisher: Trust all installed add-ins and templates setting is configured to Disabled in the two environments defined in this guide.

Note: Configuring the Publisher: Trust all installed add-ins and templates setting to Disabled causes Publisher to treat add-ins and templates as macros from a security perspective.

Unsafe ActiveX Initialization

Table 4.30: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Enabled             Enabled             Enabled         Enabled

ActiveX controls offer a great deal of useful functionality within Office XP and Internet Explorer. ActiveX controls are actually executable pieces of code that a malicious developer can use to steal or damage information on the computers in your environment. To provide security against malicious use of ActiveX controls, Office XP allows you to specify that end users may only use ActiveX controls digitally signed by their originators, which gives you a degree of assurance about their origin and safety. Enabling the Unsafe ActiveX Initialization setting may cause problems when viewing or using documents or forms that contain ActiveX controls, because it strips away data stored by the control and forces the control to reinitialize itself each time it is activated. Thus, it is a best practice to test all applications and forms used with earlier versions of Office before deploying Office XP on the computers in your environment. The following options are available with this setting:
● Initialize using control defaults
● Ask user: persisted data or control default

For these reasons, the Unsafe ActiveX Initialization setting is configured to Enabled with the Initialize using control defaults option in the two environments defined in this guide. The Initialize using control defaults option is prescribed to prevent ActiveX controls from using persisted data that may be used to attack your clients.

Word: Macro Security Level

Table 4.31: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Medium              Medium              High            High

It may be tempting to permanently disable all macro functionality in your environment. While you can do this in Office XP, improvements in the management and security of macros in Office XP make this unnecessary. The Medium security level for the Word: Macro Security Level setting allows the user to choose whether to run potentially unsafe macros. The High security level for this setting only allows signed macros from trusted sources to run, and automatically disables unsigned macros. For these reasons, the Word: Macro Security Level setting is configured to Enabled with the Medium option in the Enterprise Client environment, and to Enabled with the High option in the High Security environment defined in this guide.

Word: Trust access to Visual Basic Project

Table 4.32: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Disabled            Disabled            Disabled        Disabled

The Word: Trust access to Visual Basic Project setting allows you to control whether Word may access VBA code attached to documents. Configuring this setting to Disabled prevents macros in any documents that you open from accessing core Visual Basic objects, methods, and properties. Disabling this setting eliminates a possible security hazard. For this reason, the Word: Trust access to Visual Basic Project setting is configured to Disabled in the two environments defined in this guide.

Word: Trust all installed add-ins and templates

Table 4.33: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Disabled            Disabled            Disabled        Disabled

You can configure all products in Microsoft Office XP to trust installed COM add-ins automatically. Disabling the Word: Trust all installed add-ins and templates setting causes Word to ensure that all add-ins are digitally signed by trusted sources. Signed components may then load on the computer at any security level. Unsigned components, or components from distrusted sources, cause Word to respond to them based on which of the following macro security levels in the Security Level dialog box is in effect:
● High: add-ins and template components cannot load.
● Medium: users are warned of the potential security risk of using unsafe components.
● Low: add-ins and template components will load and run without user intervention.

For these reasons, the Word: Trust all installed add-ins and templates setting is configured to Disabled in the two environments defined in this guide.

Note: Configuring the Word: Trust all installed add-ins and templates setting to Disabled causes Word to treat add-ins and templates as macros from a security perspective.

System

Configure the prescribed computer setting below for System in the Administrative Template at the following location using the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System

Turn off Autoplay

Table 4.34: Settings

Enterprise Client   Enterprise Client   High Security          High Security
Desktop             Laptop              Desktop                Laptop
Not Configured      Not Configured      Enabled (All Drives)   Enabled (All Drives)

Autoplay starts reading from a drive as soon as you insert media in the drive, causing the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program that damages a client or the data on the computer. Enabling the Turn off Autoplay setting turns off the Autoplay feature. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but this is not the case on CD-ROM drives. For these reasons, the Turn off Autoplay setting is configured to Enabled in the High Security environment only. Microsoft recommends setting Turn off Autoplay to Not Configured in the Enterprise Client environment defined in this guide.

Note: You cannot use this setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives.

System\Logon

Configure the prescribed computer settings below for Logon in the Administrative Template at the following location using the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Logon

Do not process the legacy run list

Table 4.35: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Not Configured      Not Configured      Enabled         Enabled

The Do not process the legacy run list setting causes the run list, which is a list of programs that Windows XP runs automatically when it starts, to be ignored. The customized run lists for Windows XP are stored in the registry at the following locations:
● HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Enabling the Do not process the legacy run list setting prevents a malicious user from running, each time Windows XP starts, a program that could compromise data on the computer or cause other harm. However, enabling this setting also prevents certain system programs from running, such as antivirus software and software distribution and monitoring software. To ensure that enterprise system software still runs during startup, configure the Run these applications at startup setting to Enabled via Group Policy. Evaluate the level of threat that this setting is designed to safeguard against in your environment before deciding on a strategy for using it in your organization. For these reasons, the Do not process the legacy run list setting is configured to Not Configured in the Enterprise Client environment, and to Enabled in the High Security environment defined in this guide.

Do not process the run once list

Table 4.36: Settings

Enterprise Client   Enterprise Client   High Security   High Security
Desktop             Laptop              Desktop         Laptop
Not Configured      Not Configured      Enabled         Enabled

The Do not process the run once list setting causes the run once list, which is the list of programs that Windows XP runs automatically when it starts, to be ignored. This setting differs from the Do not process the legacy run list setting in that programs on this list run one time only, the next time the client restarts. Setup and installation programs are sometimes added to this list to complete installations after a client restarts. Enabling this setting also prevents attackers from using the run-once list to launch rogue applications, which was a common method of attack in the past. A malicious user can exploit the run-once list to install a program that may compromise the security of Windows XP clients.


Note: Customized run-once lists are stored in the registry at the following location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.

Enabling the Do not process the run once list setting should cause minimal functionality loss to users in your environment, especially if the clients have been configured with all of your organization's standard software prior to applying this setting via Group Policy. For these reasons, the Do not process the run once list setting is configured to Not Configured in the Enterprise Client environment, and to Enabled in the High Security environment defined in this guide.
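The Windows Update, Office XP macro, Autoplay and run-list prescriptions above are all backed by policy registry values, so drift from the guide's two baselines can be checked on a client with a short audit. The following PowerShell script is an added example, not part of the guide or of Microsoft's tooling; the registry paths, value names and value mappings (AUOptions, NoAutoRebootWithLoggedOnUsers, RescheduleWaitTimeEnabled, UseWUServer, Level, AccessVBOM, DontTrustInstalledFiles, VBAOff, NoDriveTypeAutoRun and the Disable*Run values) are assumptions taken from the Automatic Updates, Office10.adm and System.adm policy documentation, since the guide names only the Group Policy settings, and the Office XP policy hive in particular should be confirmed against the Office XP Resource Kit before relying on the result.

```powershell
# Added example (not code from the Windows XP Security Guide): audit the registry values
# that back the Windows Update, Office XP macro, Autoplay and run-list settings prescribed
# in this section against the guide's Enterprise Client and High Security columns.
# ASSUMPTION: registry paths, value names and value mappings come from the Automatic
# Updates, Office10.adm and System.adm policy documentation; the guide names only the GPOs.
param([ValidateSet('EnterpriseClient', 'HighSecurity')][string]$Profile = 'HighSecurity')

$AU   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WU   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$EXPL = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$OFF  = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\10.0'   # assumed Office XP policy hive

# One check per prescribed setting: the setting as the guide names it, where its policy
# value lives, and the acceptable values per profile. An empty set means "Not Configured".
function New-Check([string]$Setting, [string]$Path, [string]$Value, [object[]]$EC, [object[]]$HS) {
    [pscustomobject]@{ Setting = $Setting; Path = $Path; Value = $Value
                       EnterpriseClient = $EC; HighSecurity = $HS }
}

$checks = @(
    # Windows Update, Tables 4.14 to 4.17. NoAutoUpdate 0 + AUOptions 2/3/4 = Enabled with one
    # of the three options; NoAutoRebootWithLoggedOnUsers 0 = "No auto-restart" Disabled.
    # (In High Security the guide says these may be disregarded if BITS/Remote Registry are off.)
    New-Check 'Configure Automatic Updates (not disabled)'       $AU 'NoAutoUpdate'                  @(0)       @(0)
    New-Check 'Configure Automatic Updates (option 2, 3 or 4)'   $AU 'AUOptions'                     @(2, 3, 4) @(2, 3, 4)
    New-Check 'No auto-restart for scheduled installations'      $AU 'NoAutoRebootWithLoggedOnUsers' @(0)       @(0)
    New-Check 'Reschedule Automatic Updates installations'       $AU 'RescheduleWaitTimeEnabled'     @(1)       @(1)
    New-Check 'Specify intranet Microsoft update service'        $AU 'UseWUServer'                   @(1)       @(1)
    # Office XP, Tables 4.19 to 4.33. Level 2 = Medium, 3 = High; AccessVBOM 0 = no VBA project
    # access; DontTrustInstalledFiles 1 = "Trust all installed add-ins and templates" Disabled;
    # VBAOff 1 = "Disable VBA for Office applications" Enabled (mappings assumed, see lead-in).
    New-Check 'Disable VBA for Office applications'              "$OFF\Common"              'VBAOff'     @(0) @(1)
    New-Check 'Excel: Macro Security Level'                      "$OFF\Excel\Security"      'Level'      @(2) @(3)
    New-Check 'Outlook: Macro Security Level'                    "$OFF\Outlook\Security"    'Level'      @(3) @(3)
    New-Check 'PowerPoint: Macro Security Level'                 "$OFF\PowerPoint\Security" 'Level'      @(2) @(3)
    New-Check 'Publisher: Macro Security Level'                  "$OFF\Publisher\Security"  'Level'      @(2) @(3)
    New-Check 'Word: Macro Security Level'                       "$OFF\Word\Security"       'Level'      @(2) @(3)
    New-Check 'Excel: Trust access to Visual Basic Project'      "$OFF\Excel\Security"      'AccessVBOM' @(0) @(0)
    New-Check 'PowerPoint: Trust access to Visual Basic Project' "$OFF\PowerPoint\Security" 'AccessVBOM' @(0) @(0)
    New-Check 'Word: Trust access to Visual Basic Project'       "$OFF\Word\Security"       'AccessVBOM' @(0) @(0)
    foreach ($app in 'Access', 'Excel', 'PowerPoint', 'Publisher', 'Word') {
        New-Check "${app}: Trust all installed add-ins and templates" "$OFF\$app\Security" 'DontTrustInstalledFiles' @(1) @(1)
    }
    # System, Tables 4.34 to 4.36. NoDriveTypeAutoRun 0xFF = Autoplay off on all drive types;
    # Disable*Run / Disable*RunOnce 1 = the corresponding run list is ignored.
    New-Check 'Turn off Autoplay (All Drives)'                   $EXPL 'NoDriveTypeAutoRun'         @() @(0xFF)
    New-Check 'Do not process the legacy run list (HKLM)'        $EXPL 'DisableLocalMachineRun'     @() @(1)
    New-Check 'Do not process the legacy run list (HKCU)'        $EXPL 'DisableCurrentUserRun'      @() @(1)
    New-Check 'Do not process the run once list (HKLM)'          $EXPL 'DisableLocalMachineRunOnce' @() @(1)
    New-Check 'Do not process the run once list (HKCU)'          $EXPL 'DisableCurrentUserRunOnce'  @() @(1)
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-GuideBaseline([string]$Profile, [object[]]$Checks) {
    foreach ($c in $Checks) {
        $expected = @($c.$Profile)
        $observed = Get-PolicyValue -Path $c.Path -Name $c.Value
        $status = if ($expected.Count -eq 0)             { 'NOT PRESCRIBED' }
                  elseif ($null -eq $observed)           { 'MISSING' }   # prescribed but not set
                  elseif ($expected -contains $observed) { 'OK' }
                  else                                   { 'DRIFT' }     # set to a non-prescribed value
        $expText = if ($expected.Count -eq 0) { 'Not Configured' } else { $expected -join '/' }
        [pscustomobject]@{ Setting = $c.Setting; Expected = $expText; Observed = $observed; Status = $status }
    }
}

Test-GuideBaseline -Profile $Profile -Checks $checks | Format-Table -AutoSize
# The SUS server URL itself lives beside the AU key; report it so a DRIFT on UseWUServer has context.
$sus = Get-PolicyValue -Path $WU -Name 'WUServer'
"Intranet update server (WUServer): $(if ($sus) { $sus } else { 'not set' })"
```

Run it as an administrator on a client after a Group Policy refresh; a MISSING or DRIFT row on a prescribed setting means the applied policy differs from the column of the guide's table for that profile.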

133 System\Group Policy Configure the prescribed computer settings below for Group Policy in the Administrative Template at the following location using the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Group Policy Internet Explorer Maintenance policy processing Table 4.37: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Internet Explorer Maintenance policy processing setting determines when Internet Explorer Maintenance policies are updated. It affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those located in Windows Settings\Internet Explorer Maintenance, and overrides the customized settings that the Internet Explorer Maintenance policy program set when it was installed. Disabling or not configuring this setting leaves the default processing behavior in place. Enabling this setting provides you with the following options:
● Allow processing across a slow network connection.
● Do not apply during periodic background processing.
● Process even if the Group Policy objects have not changed.

Enabling this setting allows changes to the Internet Explorer Maintenance settings to be applied to your workstations in a timely manner, which is especially useful if you discover a security vulnerability that needs to be addressed rapidly. For these reasons, the Internet Explorer Maintenance policy processing setting is configured to Enabled in the two environments defined in this guide. After enabling this setting, clear the Allow processing across a slow network connection check box, and then select the following options:
● Do not apply during periodic background processing
● Process even if the Group Policy objects have not changed

Registry policy processing

Table 4.38: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Registry policy processing setting determines when registry policies are updated. This setting affects all policies in the Administrative Templates folder, and any other policies that store values in the registry. Enabling this setting provides the following options:
● Do not apply during periodic background processing
● Process even if the Group Policy objects have not changed

Some settings configured via the Administrative Templates are written to areas of the registry that users can modify. With the Process even if the Group Policy objects have not changed option selected, the registry client-side extension reapplies the policy values at every policy refresh that processes it, overwriting any such user changes even when the GPO itself has not been modified; without this option, an unchanged GPO is skipped and a user's edits survive until the GPO is next changed. For these reasons, the Registry policy processing setting is configured to Enabled in both of the environments defined in this guide. After enabling the Registry policy processing setting, select the following two options:
● Do not apply during periodic background processing
● Process even if the Group Policy objects have not changed
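To verify what these two processing settings actually produce on a client, the following PowerShell script (an added example, not part of the guide) lists every Group Policy client-side extension (CSE) known to the machine alongside the processing flags in force for it. Its assumptions come from the way Group Policy registers extensions, not from the guide, and should be verified on your own clients: extensions appear as GUID-named subkeys under Winlogon\GPExtensions; the "policy processing" settings are stored as NoSlowLink, NoBackgroundPolicy and NoGPOListChanges under HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\<extension GUID>; and the registry and Internet Explorer Maintenance extensions use the GUIDs {35378EAC-683F-11D2-A89A-00C04FBBCFA2} and {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} respectively.

```powershell
# Added example (not part of the guide): list each Group Policy client-side
# extension (CSE) with the "... policy processing" flags in force on this client.
# Assumptions (from how Group Policy registers CSEs, not from the guide; verify locally):
#   - CSEs register as GUID-named subkeys under Winlogon\GPExtensions
#   - the processing settings write NoSlowLink, NoBackgroundPolicy, NoGPOListChanges
#     under HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\<GUID>
#   - the two GUIDs in $knownNames belong to the registry and IE Maintenance CSEs

$cseRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$knownNames = @{
    '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' = 'Registry (Administrative Templates)'
    '{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}' = 'Internet Explorer Maintenance'
}

function Get-CseProcessingState {
    param([string]$Guid, [string]$Name)
    $key = Join-Path -Path $policyRoot -ChildPath $Guid
    $configured = Test-Path -Path $key
    if ($configured) {
        $v = Get-ItemProperty -Path $key
        # "Allow processing across a slow network connection" checked  -> NoSlowLink = 0
        $slowLink   = if ($v.NoSlowLink -eq 1)         { 'skip' } else { 'process' }
        # "Do not apply during periodic background processing" checked -> NoBackgroundPolicy = 1
        $background = if ($v.NoBackgroundPolicy -eq 1) { 'skip' } else { 'process' }
        # "Process even if the GPOs have not changed" checked           -> NoGPOListChanges = 0
        $reapply    = if ($v.NoGPOListChanges -eq 1)   { 'no' } else { 'yes' }
    } else {
        # No policy key: Windows defaults apply, and unchanged GPOs are not re-processed.
        $slowLink = 'default'; $background = 'default'; $reapply = 'default'
    }
    New-Object -TypeName PSObject -Property @{
        Name = $Name; Guid = $Guid; Configured = $configured
        SlowLink = $slowLink; Background = $background; ReapplyUnchanged = $reapply
    }
}

# Collect every GUID that is registered as a CSE or has a processing policy key.
# Hashtable keys are case-insensitive, so GUID casing differences do not matter.
$names = @{}
if (Test-Path -Path $cseRoot) {
    foreach ($cse in Get-ChildItem -Path $cseRoot) {
        $props = Get-ItemProperty -Path $cse.PSPath
        $n = $props.'(default)'
        if (-not $n) { $n = $props.DllName }           # some CSEs register only a DLL name
        $names[$cse.PSChildName] = $n
    }
}
if (Test-Path -Path $policyRoot) {
    foreach ($pk in Get-ChildItem -Path $policyRoot) {
        if (-not $names.ContainsKey($pk.PSChildName)) { $names[$pk.PSChildName] = $null }
    }
}

$report = foreach ($guid in $names.Keys) {
    $n = $names[$guid]
    if ($knownNames.ContainsKey($guid)) { $n = $knownNames[$guid] }
    if (-not $n) { $n = '(unregistered CSE)' }
    Get-CseProcessingState -Guid $guid -Name $n
}

$report | Sort-Object -Property Name |
    Format-Table -Property Name, Guid, Background, ReapplyUnchanged, SlowLink -AutoSize

# The guide's prescription for the registry and IE Maintenance extensions:
# skip background refresh, but re-apply even when the GPO list has not changed.
$report | Where-Object { $_.Configured -and $_.Background -eq 'skip' -and $_.ReapplyUnchanged -eq 'yes' } |
    ForEach-Object { Write-Host ("{0}: matches the guide's prescription" -f $_.Name) }
```

After the GPO carrying the two settings above has applied, the registry and Internet Explorer Maintenance rows should show Background = skip and ReapplyUnchanged = yes. A row showing "default" means no processing policy reached that extension, so an unchanged GPO is not re-processed and a user's edits to policy-controlled registry values will persist until the GPO is next modified.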

System\Remote Assistance

Configure the prescribed computer settings below for Remote Assistance in the Administrative Template at the following location using the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Remote Assistance

Offer Remote Assistance

Table 4.39: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Not Configured            | Not Configured           | Disabled              | Disabled

The Offer Remote Assistance setting determines whether a support person or an IT "expert" administrator can offer remote assistance to computers in your environment without a user first explicitly requesting assistance via a channel such as e-mail or Instant Messenger.

Note: The expert cannot connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user can still deny the connection, or accept it while limiting the expert to view-only access to the workstation. The user has to explicitly click the Yes button to allow the expert to remotely control the workstation after the Offer Remote Assistance setting is configured to Enabled.

Enabling this setting provides you with the following options:
● Allow helpers to only view the computer
● Allow helpers to remotely control the computer

When configuring this setting, you can also specify a list of users or user groups known as "helpers" who may offer remote assistance. To configure the list of helpers:
1. In the Offer Remote Assistance setting configuration window, click Show. A new window opens in which you can enter helper names.
2. Add each user or group to the Helper list using one or the other of the following formats:
● \\

Disabling or not configuring the Offer Remote Assistance setting prevents users or groups from offering unsolicited remote assistance to computers in your environment. For these reasons, the Offer Remote Assistance setting is configured to Not Configured in the Enterprise Client environment defined in this guide. However, in order to avoid anyone accessing Windows XP clients across the network, this setting is configured to Disabled in the High Security environment.

Solicit Remote Assistance

Table 4.40: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Not Configured            | Not Configured           | Disabled              | Disabled

The Solicit Remote Assistance setting determines whether remote assistance may be solicited from the Windows XP computers in your environment. Enabling this setting allows users to request remote assistance with their workstations from an IT "expert" administrator.

Note: The expert cannot connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user can still deny the connection, or accept it while limiting the expert to view-only access to the workstation. The user has to explicitly click the Yes button to allow the expert to remotely control the workstation.

Enabling this setting provides you with the following options to permit remote control of the user's computer:
● Allow helpers to remotely control the computer
● Allow helpers to only view the computer

In addition, the following options are available to configure the amount of time a user's help request remains valid:
● Maximum ticket time (value)
● Maximum ticket time (units): hours, minutes or days

When the ticket (help request) expires, the user must send another request before an expert can connect to the computer. If you disable the Solicit Remote Assistance setting, users cannot send help requests and the expert cannot connect to their computers to respond to requests. When this setting is not configured, users can configure solicited remote assistance via the Control Panel. The following settings are enabled by default via the Control Panel: Solicited remote assistance, Buddy support, and Remote control. The default value for the Maximum ticket time is 30 days. Disabling this setting prevents anyone from using Remote Assistance to access Windows XP clients across the network. For these reasons, the Solicit Remote Assistance setting is configured to Not Configured in the Enterprise Client environment, and to Disabled in the High Security environment defined in this guide.

System\Error Reporting

These settings control how operating system and application errors are reported. When an error occurs, the user is notified by default via a pop-up dialog box that asks whether the user wants to send an error report to Microsoft. Microsoft has strict policies in place to protect data received in these reports; however, the data is transmitted in clear text, making it a potential security risk. Microsoft provides the Corporate Error Reporting tool so that corporations can collect the reports locally rather than sending them to Microsoft over the Internet. Microsoft recommends using Corporate Error Reporting in the High Security environment to prevent any information about your environment from traveling over the Internet. Additional information on this tool is included in the More Information section at the end of this chapter.

Configure the prescribed computer settings below for Error Reporting in the Administrative Template at the following location using the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Error Reporting

Display Error Notification

Table 4.41: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Display Error Notification setting controls whether error messages are displayed to users on their computer screens. Enabling this setting allows error notifications to be displayed when errors occur, and gives users access to details about them. Disabling this setting prevents users from viewing error notifications. When an error occurs, it is important that the user is aware of the problem, and disabling the Display Error Notification setting prevents this. For this reason, the Display Error Notification setting is configured to Enabled in the two environments defined in this guide.

Report Errors

Table 4.42: Settings

Enterprise Client Desktop | Enterprise Client Laptop | High Security Desktop | High Security Laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Report Errors setting controls whether errors are reported. Enabling the Report Errors setting gives users the choice of whether to report errors when they occur. Errors may be reported to Microsoft via the Internet or to a local corporate file share. Enabling this setting also provides the following options:
● Do not display links to any Microsoft provided "more information" Web sites
● Do not collect additional files
● Do not collect additional machine data
● Force queue mode for application errors
● Corporate upload file path
● Replace instances of the word "Microsoft" with

Disabling the Report Errors setting prevents users from reporting errors. If the Display Error Notification setting is enabled, users will receive error notifications, but cannot report them. The Report Errors setting allows you to customize an error reporting strategy for your organization and collect reports for local analysis. For these reasons, this setting is configured to Enabled in the two environments defined in this guide. In addition, in the High Security environment Microsoft recommends selecting the following options:
● Do not collect additional files
● Do not collect additional machine data
● Force queue mode for application errors

Also select the Corporate upload file path option and enter the path to the server on which you have installed Corporate Error Reporting. Determine which of these options to use based on the needs of your organization.

User Configuration Settings

The remaining sections of this chapter discuss settings prescribed under User Configuration in the Group Policy Object Editor. Configure the settings under User Configuration in the Administrative Template at the following location using the Group Policy Object Editor:

User Configuration\Administrative Templates

Apply these settings via a GPO linked to an OU containing user accounts.

Note: User configuration settings are applied to any client a user logs on to in an Active Directory domain, while computer configuration settings apply to all clients governed by a GPO in Active Directory no matter which user logs on to the client. For this reason, the tables in this section contain only recommended settings for the Enterprise Client and the High Security environments defined in this guide. There are no laptop or desktop prescriptions for these settings.

Internet Explorer

Configure the prescribed user settings below for Internet Explorer in the Administrative Template at the following location using the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Note: There are numerous additions to the available Internet Explorer settings that are provided in Windows XP Service Pack 2. For more information, see Appendix A.

Browser menus\Disable Save this program to disk option

Table 4.43: Settings

Enterprise Client | High Security
Not Configured    | Enabled

The Browser menus\Disable Save this program to disk option setting prevents users from saving to the hard disk a program or file that Internet Explorer has downloaded. Enabling this setting blocks the Save This Program to Disk command when a user attempts to download a program; the file is not downloaded, and the user is informed that the command is not available. This prevents users from downloading potentially harmful content and saving it to disk. For these reasons, the Browser menus\Disable Save this program to disk option setting is configured to Enabled only in the High Security environment defined in this guide.

Internet Control Panel\Disable the Advanced Page

Table 4.44: Settings

Enterprise Client | High Security
Not Configured    | Enabled

The Internet Control Panel\Disable the Advanced Page setting works in conjunction with other settings to prevent users from changing settings configured via Group Policy. Enabling this setting removes the Advanced tab from the Internet Options dialog box in Internet Explorer. The Internet Control Panel\Disable the Advanced Page setting is configured to Enabled only in the High Security environment defined in this guide.

Internet Control Panel\Disable the Security Page

Table 4.45: Settings

Enterprise Client | High Security
Not Configured    | Enabled

The Internet Control Panel\Disable the Security Page setting works in conjunction with other settings to prevent users from changing settings configured via Group Policy. This setting removes the Security tab from the Internet Options dialog box. Enabling this policy prevents users from viewing and changing settings for security zones, such as scripting, downloads, and user authentication. Microsoft recommends enabling this setting to prevent users from changing settings that would weaken other security settings in Internet Explorer. For these reasons, the Internet Control Panel\Disable the Security Page setting is configured to Enabled only in the High Security environment defined in this guide.

Offline Pages\Disable adding channels

Table 4.46: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Offline Pages\Disable adding channels setting prevents users from adding channels to Internet Explorer. Channels are Web sites that are updated automatically on workstations running Internet Explorer, according to a schedule specified by the channel provider. This is one of several settings that will prevent Internet Explorer from automatically downloading content. It is a best practice to only allow a computer to download pages from the Internet when a user makes requests directly from the computer. For these reasons, the Offline Pages\Disable adding channels setting is configured to Enabled in the two environments defined in this guide.

Offline Pages\Disable adding schedules for offline pages

Table 4.47: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Offline Pages\Disable adding schedules for offline pages setting prevents users from specifying that Web pages should be downloaded for offline viewing. When users make Web pages available for offline viewing, Internet Explorer fetches the content on a schedule so that it can be viewed when the computer is not connected to the Internet. This is one of several settings that will prevent Internet Explorer from automatically downloading content. For these reasons, the Offline Pages\Disable adding schedules for offline pages setting is configured to Enabled in the two environments defined in this guide.

Offline Pages\Disable all scheduled offline pages

Table 4.48: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Offline Pages\Disable all scheduled offline pages setting disables existing schedules for downloading Web pages for offline viewing. Enabling this policy clears the check boxes for schedules on the Schedule tab of the Web page properties dialog box and prevents users from selecting them. To display this tab, users click the Tools menu, click Synchronize, select a Web page, click the Properties button, and then click the Schedule tab. This is one of several settings that will prevent Internet Explorer from automatically downloading content. For these reasons, the Offline Pages\Disable all scheduled offline pages setting is configured to Enabled in the two environments defined in this guide.

Offline Pages\Disable channel user interface completely

Table 4.49: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Offline Pages\Disable channel user interface completely setting prevents users from viewing the Channel Bar interface. Channels are Web sites automatically updated on computers according to a schedule specified by the channel provider. Enabling this setting prevents users from accessing the Channel Bar interface and from selecting the Internet Explorer Channel Bar check box on the Web tab in the Display Properties dialog box. This is one of several settings that will prevent Internet Explorer from automatically downloading content. For these reasons, the Offline Pages\Disable channel user interface completely setting is configured to Enabled in the two environments defined in this guide.

Offline Pages\Disable downloading of site subscription content

Table 4.50: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Offline Pages\Disable downloading of site subscription content setting prevents users from downloading subscription content from Web sites. Note that even with this setting enabled, synchronization of Web page content still occurs when the user returns to a previously accessed page, so that Internet Explorer can determine whether any content has been updated. This is one of several settings that will prevent Internet Explorer from automatically downloading content. For these reasons, the Offline Pages\Disable downloading of site subscription content setting is configured to Enabled in the two environments defined in this guide.

Offline Pages\Disable editing and creating of schedule groups

Table 4.51: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Offline Pages\Disable editing and creating of schedule groups setting prevents users from adding, editing, or removing schedules for offline viewing of Web pages and of groups of Web pages that users subscribe to. A subscription group is a favorite Web page along with the Web pages that link to it. Enabling this policy dims the Add, Remove, and Edit buttons on the Schedule tab in the Web page Properties dialog box. To display this tab, on the main menu in Internet Explorer, users click Tools, click Synchronize, select a Web page, click the Properties button, and then click the Schedule tab. This is one of several settings that will prevent Internet Explorer from automatically downloading content. For these reasons, the Offline Pages\Disable editing and creating of schedule groups setting is configured to Enabled in the two environments defined in this guide.

Offline Pages\Disable editing schedules for offline pages

Table 4.52: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Offline Pages\Disable editing schedules for offline pages setting prevents users from editing an existing schedule for downloading Web pages for offline viewing. Enabling this policy prevents users from displaying the schedule properties of pages that have been set up for offline viewing. On the main menu in Internet Explorer, when users click Tools, click Synchronize, select a Web page, and then click the Properties button, no properties are displayed. Users do not receive an alert stating that the command is unavailable. This is one of several settings that will prevent Internet Explorer from automatically downloading content. For these reasons, the Offline Pages\Disable editing schedules for offline pages setting is configured to Enabled in the two environments defined in this guide.

Offline Pages\Disable offline page hit logging

Table 4.53: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Offline Pages\Disable offline page hit logging setting prevents channel providers from recording how often their channel pages are viewed by users working offline. Enabling it stops Internet Explorer from reporting offline page views back to channel providers, which complements the other settings in this section that prevent Internet Explorer from automatically downloading content. For these reasons, the Offline Pages\Disable offline page hit logging setting is configured to Enabled in the two environments defined in this guide.

Offline Pages\Disable removing channels

Table 4.54: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Offline Pages\Disable removing channels setting prevents users from disabling channel synchronization in Internet Explorer. It is a best practice to only allow a computer to download pages from the Internet when a user makes requests directly from the computer. For these reasons, the Offline Pages\Disable removing channels setting is configured to Enabled in the two environments defined in this guide.

Offline Pages\Disable removing schedules for offline pages

Table 4.55: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Offline Pages\Disable removing schedules for offline pages setting prevents users from clearing preconfigured settings that download Web pages for offline viewing. Enabling this setting protects preconfigured Web page settings, and is one of several settings that will prevent Internet Explorer from automatically downloading content. For these reasons, the Offline Pages\Disable removing schedules for offline pages setting is configured to Enabled in the two environments defined in this guide.

Configure Outlook Express

Table 4.56: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Configure Outlook Express setting allows administrators to enable or disable the ability of Microsoft Outlook® Express users to save or open attachments that could potentially contain a virus. Selecting the block attachments option of this setting prevents users from opening or saving e-mail attachments that could potentially contain a virus, and users cannot turn the blocking off themselves. To enforce this setting, click Enable and select Block attachments that could contain a virus. For these reasons, the Configure Outlook Express setting is configured to Enabled with the Block attachments that could contain a virus option selected in the two environments defined in this guide.

Disable Changing Advanced page settings

Table 4.57: Settings

Enterprise Client | High Security
Not Configured    | Enabled

The Disable Changing Advanced page settings setting prevents users from changing settings on the Advanced tab in the Internet Options dialog box of Internet Explorer. Enabling this setting prevents users from changing advanced settings related to security, multimedia, and printing in the browser; users cannot select or clear the check boxes for these options on the Advanced tab of the Internet Options dialog box. This setting also prevents users from changing settings configured via Group Policy. For these reasons, the Disable Changing Advanced page settings setting is configured to Enabled only in the High Security environment defined in this guide.

Note: If you configure the Disable the Advanced page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to configure this setting, because enabling the Disable the Advanced page setting removes the Advanced tab from the Internet Options dialog box.

Disable Changing Automatic Configuration Settings

Table 4.58: Settings

Enterprise Client | High Security
Not Configured    | Enabled

The Disable Changing Automatic Configuration Settings setting prevents users from changing automatically configured settings. Administrators use automatic configuration to update browser settings periodically. Enabling this setting dims the automatic configuration settings in Internet Explorer. These settings are located in the Automatic Configuration area of the LAN Settings dialog box. This setting also prevents users from changing settings configured via Group Policy. To view the LAN Settings dialog box:
1. Open the Internet Options dialog box, and click the Connections tab.
2. Click the LAN Settings button to view the settings.

For these reasons, the setting for Disable Changing Automatic Configuration Settings is configured to Enabled only in the High Security environment defined in this guide.

Note: The Disable the Connections page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Connections tab from the Internet Options dialog box, takes precedence over Disable Changing Automatic Configuration Settings. If the former setting is enabled, the latter setting is ignored.

Disable Changing Certificate Settings

Table 4.59: Settings

Enterprise Client | High Security
Not Configured    | Enabled

The Disable Changing Certificate Settings setting prevents users from changing certificate settings in Internet Explorer. Certificates are used to verify the identity of software publishers. Enabling this setting dims these settings in the Certificates area of the Content tab in the Internet Options dialog box. This setting prevents users from changing settings configured via Group Policy. For these reasons, the Disable Changing Certificate Settings setting is configured to Enabled only in the High Security environment defined in this guide.

Note: When this setting is enabled, users can still run the Certificate Manager Import Wizard by double-clicking a software publishing certificate (.spc) file. This wizard enables users to import and configure settings for certificates from software publishers not already configured in Internet Explorer, so the setting locks the user interface rather than the certificate store itself.

Note: The Disable the Content page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Content tab from the Internet Options dialog box, takes precedence over Disable Changing Certificate Settings. If the former setting is enabled, the latter setting is ignored.

Disable Changing Connection Settings

Table 4.60: Settings

Enterprise Client | High Security
Not Configured    | Enabled

The Disable Changing Connection Settings setting prevents users from changing dial-up settings. Enabling this policy dims the Settings button on the Connections tab in the Internet Options dialog box. This setting prevents users from changing settings configured via Group Policy. You may want to leave this setting unconfigured for laptop users if their travel requires them to change their connection settings. For these reasons, the Disable Changing Connection Settings setting is configured to Enabled only in the High Security environment defined in this guide.

Note: If you configure the Disable the Connections page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to configure this setting because it removes the Connections tab from the interface.

Disable Changing Proxy Settings

Table 4.61: Settings

Enterprise Client | High Security
Not Configured    | Enabled

The Disable Changing Proxy Settings setting prevents users from changing proxy settings. Enabling this setting dims the proxy settings, which are located in the Proxy Server area of the LAN Settings dialog box; that dialog box appears when the user clicks the Connections tab and then the LAN Settings button in the Internet Options dialog box. This setting prevents users from changing settings configured via Group Policy. You may want to leave this setting unconfigured for laptop users if their travel requires them to change their connection settings. For these reasons, the Disable Changing Proxy Settings setting is configured to Enabled only in the High Security environment defined in this guide.

Note: If you configure the Disable the Connections page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to configure this setting because it removes the Connections tab from the interface.

Do not allow AutoComplete to save passwords

Table 4.62: Settings

Enterprise Client | High Security
Enabled           | Enabled

The Do not allow AutoComplete to save passwords setting disables automatic completion of user names and passwords in forms on Web pages, and prevents prompts to users to save passwords. Enabling this setting dims the User Names and Passwords on Forms and Prompt Me to Save Passwords check boxes, and prevents users from saving passwords locally. To display these check boxes, users open the Internet Options dialog box, click the Content tab, and then click the AutoComplete button. For these reasons, the Do not allow AutoComplete to save passwords setting is configured to Enabled in the two environments defined in this guide.

Windows Explorer

Windows Explorer is used to navigate the file system on clients running Windows XP Professional. Configure the prescribed user settings below for Windows Explorer in the Administrative Template at the following location using the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components\Windows Explorer

Remove CD Burning features

Table 4.63: Settings

Enterprise Client | High Security
Not Configured    | Enabled

The Remove CD Burning features setting removes the built-in CD burning features that Windows XP makes available in Windows Explorer. Windows XP allows you to create and modify writable CDs if you have a CD writer connected to your computer. This feature can be used to copy large amounts of data from a hard drive to a CD that is then removed from the computer, which makes it a convenient channel for taking sensitive data out of your environment. For these reasons, the Remove CD Burning features setting is configured to Not Configured in the Enterprise Client environment defined in this guide. However, this setting is configured to Enabled in the High Security environment.

Note: This setting does not prevent third-party applications from creating or modifying CDs with a CD writer. This guide recommends using software restriction policies to block third-party applications from creating or modifying CDs. For more information, see Chapter 6, "Software Restriction Policy for Windows XP Clients." Another way to prevent users from burning CDs is to remove the CD writers from the clients in your environment and replace them with read-only CD drives, or remove them altogether.

Remove Security tab

Table 4.64: Settings

Enterprise Client | High Security
Not Configured    | Enabled

The Remove Security tab setting disables the Security tab on the file and folder properties dialog boxes in Windows Explorer. Enabling this setting prevents users from accessing the Security tab in the Properties dialog box of any file system object, including folders, files, shortcuts, and drives. This prevents users from changing settings under the Security tab or viewing the list of users and groups with permissions on the object. For these reasons, the Remove Security tab setting is configured to Not Configured in the Enterprise Client environment defined in this guide. However, this setting is configured to Enabled in the High Security environment.

System

Configure the prescribed user setting below for System in the Administrative Template at the following location using the Group Policy Object Editor:

User Configuration\Administrative Templates\System

Prevent access to registry editing tools

Table 4.65: Settings

Enterprise Client | High Security
Not Configured    | Enabled

The Prevent access to registry editing tools setting disables the editors Regedit.exe and Regedt32.exe. Enabling this setting causes a message to appear when the user tries to start a registry editor, informing the user that these editors cannot be used. This setting prevents users or intruders from accessing the registry with these tools, but does not prevent access to the registry itself: the registry API, scripting hosts and command-line tools are unaffected, and the permissions on registry keys remain the actual access control. For these reasons, the Prevent access to registry editing tools setting is configured to Not Configured in the Enterprise Client environment defined in this guide. However, this setting is configured to Enabled in the High Security environment.
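The caveat in the paragraph above is worth seeing in practice. The following PowerShell script is an added example, not part of the guide: run as a user subject to the setting, it reads the policy value (assumed, from the template's behavior rather than from the guide, to be DisableRegistryTools under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System), then shows that the same user can still read the registry through the PowerShell provider and reg.exe, and can still write to keys whose permissions allow it. HKCU:\Software\RegToolsPolicyDemo is a hypothetical scratch key that the script creates and removes.

```powershell
# Added example (not part of the guide): "Prevent access to registry editing tools"
# blocks Regedit.exe and Regedt32.exe, not the registry itself.
# Assumption: the policy writes DisableRegistryTools under the HKCU Policies\System key.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -Name DisableRegistryTools -ErrorAction SilentlyContinue

if ($policy -eq $null) {
    Write-Host 'DisableRegistryTools not set: Regedit.exe is allowed'
} elseif ($policy.DisableRegistryTools -eq 0) {
    Write-Host 'DisableRegistryTools = 0: Regedit.exe is allowed'
} else {
    Write-Host ("DisableRegistryTools = {0}: Regedit.exe refuses to start for this user" -f $policy.DisableRegistryTools)
}

# 1. Reads still work: the policy is honored by Regedit.exe, not by the registry API.
$target = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Write-Host "`n== Read via the PowerShell registry provider =="
Get-ItemProperty -Path $target | Select-Object * -ExcludeProperty PS*

Write-Host "`n== Read via reg.exe =="
reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# 2. Writes are governed by the key's permissions, not by the policy. A user can
#    always write beneath HKCU, so a per-user Run entry remains possible.
#    (Hypothetical scratch key, created and removed here.)
$scratch = 'HKCU:\Software\RegToolsPolicyDemo'
New-Item -Path $scratch -Force | Out-Null
Set-ItemProperty -Path $scratch -Name Probe -Value 1 -Type DWord
Write-Host ("`nWrote and read back Probe = {0} under {1}" -f (Get-ItemProperty -Path $scratch).Probe, $scratch)
Remove-Item -Path $scratch -Recurse

# 3. The real control on the machine-wide Run key is its ACL: list who may write it.
Write-Host "`n== Principals allowed to write $target =="
(Get-Acl -Path $target).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.RegistryRights -match 'SetValue|CreateSubKey|WriteKey|FullControl') } |
    Select-Object IdentityReference, RegistryRights
```

If the last section lists anything beyond Administrators and SYSTEM as able to write the machine Run key, that is the finding to act on; the Regedit lockdown would not have stopped such a principal from adding a startup entry with Set-ItemProperty or reg.exe add.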

System\Power Management

Configure the prescribed user setting below for System\Power Management in the Administrative Template at the following location using the Group Policy Object Editor:

User Configuration\Administrative Templates\System\Power Management

Prompt for password on resume from hibernate / suspend

Table 4.66: Settings
Enterprise Client: Enabled
High Security: Enabled

The Prompt for password on resume from hibernate / suspend setting controls whether clients in your environment are locked when they resume from hibernation or suspend. Enabling it locks the client on resume, and the user must enter a password to unlock it. If the setting is disabled or not configured, anyone with physical access can use the client after it resumes. For this reason, Microsoft recommends configuring the Prompt for password on resume from hibernate / suspend setting to Enabled in both environments defined in this guide.

Summary

This chapter has covered many of the most important security settings available in the Administrative Templates that ship with Windows XP and the Microsoft Office XP Resource Kit, which you can use to secure the desktops and laptops running Windows XP in your organization. When considering security setting policies for your organization, bear in mind the tradeoffs between security and user productivity. The goal is to protect your users from malicious programs and viruses with a secure computing experience that lets them perform their jobs fully, without frustrating their efforts with overly restrictive security settings.

More Information

The following information sources were the latest available on topics closely related to the Administrative Templates for Windows XP clients at the time this guide was released to the public.

● For a complete listing of all Administrative Template Group Policy settings available in Windows XP and Windows Server 2003, download the Policy Settings workbook at: http://microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en.
● For more information on Microsoft Office XP Administrative Templates, see: http://www.microsoft.com/office/ork/xp/two/admb03.htm#admb03_2.
● For information on creating your own Administrative Templates, see the white paper "Implementing Registry-Based Group Policy," at: http://www.microsoft.com/windows2000/techinfo/howitworks/management/rbppaper.asp.
● For information on error reporting, see the Windows Corporate Error Reporting web site at: http://www.microsoft.com/resources/satech/cer/.
● For information on Office XP templates, see the Microsoft Office XP Resource Kit article on " and Templates," at: http://www.microsoft.com/office/ork/xp/appndx/appa18.htm.
● For information on macro security settings and trusted sources, see the Microsoft Office XP Resource Kit article "Security Settings and Related System Policies," at: http://www.microsoft.com/office/ork/xp/two/admc06.htm.
● For general information on Software Update Services (SUS), see the "Software Update Services Overview White Paper," at: http://www.microsoft.com/windows2000/windowsupdate/sus/susoverview.asp.
● For information on how to deploy SUS, see the "Software Update Services Deployment White Paper," at: http://www.microsoft.com/windows2000/windowsupdate/sus/susdeployment.asp.
● For information on server requirements and recommendations for installing SUS, see the Knowledge Base article "Server Requirements and Recommendations for Installing Microsoft Software Update Services," at: http://support.microsoft.com/default.aspx?scid=322365.
● To download the Software Update Services Server 1.0 with Service Pack 1 program files, see: http://www.microsoft.com/downloads/details.aspx?FamilyId=A7AA96E4-6E41-4F54-972C-AE66A4E4BF6C.
● To download the Software Update Services 1.0 .adm file for Service Pack 1, see: http://microsoft.com/downloads/details.aspx?FamilyId=D26A0AEA-D274-42E6-8025-8C667B4C94E9.
● For more information on the new Group Policy Management Console, see the white paper "Administering Group Policy with the GPMC," at: http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx.
● For more information on the Internet Explorer Administration Kit, see: http://www.microsoft.com/windows/ieak/default.asp.

5 Securing Stand-Alone Windows XP Clients

Overview

Managing computers running Microsoft® Windows® XP Professional that are not members of a Microsoft Active Directory®-based domain presents unique challenges. This chapter discusses how to apply and manage most effectively, on such computers, the settings recommended in the previous chapters of this guide. The prescribed setting values will help ensure that the desktop and laptop clients in your organization that run Windows XP Professional are secure. The policy applies to all users who log on to the client, including the local Administrator. Guidance is not provided on every setting available in Windows XP; however, the prescribed settings provide an operating environment that is secure from the majority of current threats while still letting users perform their work. Which settings you apply from this guidance should be based on the security goals of your organization.

Note: There are many additions to the settings for stand-alone clients that are provided in Windows XP Service Pack 2. For more information, see Appendix A.

Windows XP in a Windows NT 4.0 Domain

A specific example of a Windows XP client in a non-Active Directory domain environment is a legacy Microsoft Windows NT® 4.0 domain. In this environment the Windows XP clients are treated as stand-alone machines, and there is more management overhead because there is no central location from which to manage their security settings.

Microsoft recommends that the Windows NT 4.0-based domain controllers be installed with Service Pack 6a (SP6a) and the most up-to-date patches. Windows NT 4.0 SP6a contains several fixes for NTLM authentication; without them, Windows XP-based computers in a Windows NT 4.0-based domain may experience domain or network connectivity and communication issues. The administrator should check frequently for updates and patches.

Windows XP Professional adds more settings to Local Computer Policy than previous versions of Windows, which lets you customize user and computer settings more precisely. There are several hundred new settings available for Windows XP Professional in addition to those already available for Windows 2000 Professional. This management feature lets you lock down and fine-tune the desktop for many different customized scenarios. Keep in mind, however, that the Windows XP clients will be only as secure as the domain they are members of.

Windows XP clients in a legacy environment use a modified version of the security templates from Chapter 3, "Security Settings for Windows XP Clients," so that the client can still communicate with the Windows NT 4.0 domain controllers. These settings are applied by using the scripts outlined at the end of this chapter. To communicate with a Windows NT 4.0 domain controller, the following setting is modified:

Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:
Domain member: Require strong (Windows 2000 or later) session key – Disabled

The legacy .inf files used at the end of this chapter have this setting pre-configured. Disabling it lets the client negotiate the key strength of its secure channel with the domain controller instead of requiring 128-bit encryption, which Windows NT 4.0 domain controllers cannot provide; re-enable the setting once the domain has been upgraded.

Local Group Policy Object Settings

Each Windows XP Professional installation has one local Group Policy object (GPO). Settings are applied to the local GPO manually with the Group Policy Object Editor or by using scripts. Local GPOs contain fewer settings than domain-based GPOs, particularly under Security Settings, and on stand-alone clients they do not support Folder Redirection, Remote Installation Service or Group Policy Software Installation. The local policy can nonetheless be used to provide a secure operating environment on stand-alone clients. The following table shows which Group Policy snap-in extensions open when the Group Policy snap-in is focused on a local GPO (LGPO).

Table 5.1: Group Policy Snap-in Extensions

Group Policy Snap-in Extension | Available in LGPO
Software Installation | No
Scripts | Yes
Security Settings | Yes
Administrative Templates | Yes
Folder Redirection | No
Internet Explorer Maintenance | Yes
Remote Installation Service | No

Account Policies

Account policies include Password Policy, Account Lockout Policy, and Kerberos Policy settings. Password Policy provides a vehicle to require password complexity and frequent password changes in order to secure most environments. Account Lockout Policy provides the ability to disable an account automatically after a series of unsuccessful logon attempts. Kerberos policies apply to domain user accounts; they determine Kerberos-related settings such as Maximum lifetime for user ticket and Enforce user logon restrictions, and they are not used on a stand-alone client because the client does not participate in a domain. Normally, account policies are set at the domain level and are thereby configured for domain clients. For stand-alone XP clients these settings must be applied locally, along the lines of the settings described in Chapter 2, "Configuring the Active Directory Domain Infrastructure," of this guide.

Local Policies

Local Policies, under Computer Configuration\Windows Settings\Security Settings, are applied to the client using the templates described in Chapter 3, "Security Settings for Windows XP Clients," of this guide. A combination of those templates and the ones created for stand-alone clients can be applied to multiple machines in the environment through scripts. The next section describes the process for creating and deploying the policies.

Importing Security Templates into Windows XP

Several templates are used to configure the stand-alone client through a script, depending on the security requirements for the client. The previous sections discussed the settings and how the Group Policy Object Editor is used to configure the local policy. With the templates provided, the process can be automated to configure many clients in either a network-connected or a stand-alone environment. This section explains how to automate the setting of security policies.

Configuration

A security template is a file that represents a security configuration. Security templates may be applied directly to a local computer or imported into the Local Group Policy object. Because the templates have already been created in Chapter 3, "Security Settings for Windows XP Clients," those templates are used to configure the local policies. The administrator uses the Microsoft Management Console (MMC) snap-ins for Security Configuration and Analysis and Security Templates to create the account policies, and secedit.exe to merge the two and set the policies on the stand-alone machine.

Creating a Security Database

To automate the import of security settings on a stand-alone client, you must create a reference database from which the local security policy is written. The baseline database was created with the Security Configuration and Analysis MMC snap-in. The following steps were used to create the XP Default Security.sdb database, using setup security.inf as the template that establishes the default settings for the stand-alone client.

To create a new default security database:
1. On the Start menu, click Run, type mmc, and then click OK.
2. On the File menu, click New to create a new console.
3. On the File menu, click Add/Remove Snap-in, and then click Add on the Stand-alone tab in the Add/Remove Snap-in properties box.
4. Select Security Configuration and Analysis, click Add, click Close, and then click OK.
5. Right-click the Security Configuration and Analysis scope item, and then click Open Database.
6. Type a new database name (XP Default Security), and then click Open.
7. Select a security template to import (setup security.inf), and then click Open.
8. Right-click the Security Configuration and Analysis scope item, and then click Configure Computer Now.
9. In the Configure System dialog box, type the name of the log file you wish to view, and then click OK.

Note: Step 8 applies the default settings to the computer on which the database is built, so build the database on a reference machine rather than on a production client.

This process creates a database file with the default security settings that is used in the automation process. Copy the security database to the same folder into which you copied the scripts and the .inf files. The custom scripts configure the database, which in turn configures the Local Security Policy. An administrator can use similar steps to create their own database instead of using the one provided with this guide.

Creating Custom Templates

The Security Templates management tool defines security settings in a template, which can then be applied to your local computer. The following steps were used to create the SA Enterprise XP Account.inf and SA High Security XP Account.inf templates using the settings from the Account Policy tables in Chapter 2, "Configuring the Active Directory Domain Infrastructure."

To create a custom template:
1. On the Start menu, click Run, type mmc, and then click OK.
2. On the File menu, click New to create a new console.
3. On the File menu, click Add/Remove Snap-in, and then click Add on the Stand-alone tab in the Add/Remove Snap-in properties box.
4. Click Security Templates, click Add, click Close, and then click OK.
5. Open Security Templates.
6. Select the default folder to store the new template, and then click New Template.
7. In the Template name text box, type the name for your new security template.
8. In the Description text box, type a description of your new security template, and then click OK.
9. In the console tree, double-click the new security template to display the security areas, and navigate until the security setting you want to configure is in the details pane.
10. In the details pane, right-click the security setting you want to configure, and then click Properties.
11. In the Properties dialog box, select the Define this policy setting in the template check box, edit the settings, and then click OK.

After the templates have been saved, they can be found under %windir%\security\templates. Copy the security templates to the folder in which you created the security database so that the scripts can find them. These files are used in the next phase to automate the import of the templates.

Applying the Policy

Secedit.exe can be called from a command prompt, from a batch file, or from a scheduled task to create and apply templates automatically. It is useful when security must be configured on many computers. The scripts provided with this guide use secedit.exe to merge and apply local policy to the client.

Manually Applying the Local Policy

To apply all of the security settings in the stand-alone security template (.inf) files included with this guide, you must use the Security Configuration and Analysis snap-in rather than the Local Computer Policy snap-in. The template cannot be imported through the Local Computer Policy snap-in because that snap-in cannot apply the System Services settings.

The following procedures detail the process for importing and applying the security template using the Security Configuration and Analysis snap-in.

To import a security template:
1. Launch the Security Configuration and Analysis snap-in.
2. Right-click the Security Configuration and Analysis scope item.
3. Click Open Database.
4. Type a new database name, and then click Open.
5. Select a security template (.inf file) to import, and then click Open.

All security template settings are imported and can now be reviewed or applied.

To apply the security settings:
1. Right-click the Security Configuration and Analysis scope item.
2. Select Configure Computer Now.
3. In the Configure Computer Now dialog box, type the name of the log file you wish to view, and then click OK.

You must import both templates (the account policy template and the client security template) for each environment. All pertinent security template settings are then applied to the client's local policy. The following section describes the secedit.exe tool that the scripts use to apply these settings.

Secedit

Configures and analyzes system security by comparing your current configuration to at least one template.

Syntax
secedit /configure /db FileName [/cfg FileName] [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]

Parameters
/db FileName
Specifies the database used to perform the security configuration.
/cfg FileName
Specifies a security template to import into the database before the computer is configured. Security templates are created using the Security Templates snap-in.
/overwrite
Specifies that the database should be emptied before the security template is imported. If this parameter is not specified, the settings in the security template are accumulated into the database; where the database and the template being imported conflict, the template settings win.

/areas Area1 Area2 ...
Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied. To configure multiple areas, separate each area with a space. The following table shows the supported security areas.

Table 5.2: Security Areas

Area Name | Description
SECURITYPOLICY | Account policies, audit policies, event log settings, and security options.
GROUP_MGMT | Restricted Groups settings.
USER_RIGHTS | User rights assignments.
REGKEYS | Registry permissions.
FILESTORE | File system permissions.
SERVICES | System service settings.

/log FileName
Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in scesrv.log in the %windir%\security\logs directory.
/quiet
Specifies that the configuration process should run without prompting the user.

Automated Scripts

It is always easier to use scripting to apply identical settings to many clients. Using the secedit tool described previously, the process of applying the local policy has been automated with a simple script. Copy the scripts and associated files to a subdirectory on the local hard disk, and then run the script for the client from that directory.

The following is one of the four scripts used for importing templates into the Local Group Policy object; there is one script for each combination of environment and client type. It belongs to the set of scripts for securing stand-alone Windows XP clients.

REM (c) Microsoft Corporation 1997-2003
REM Script for Securing Stand Alone Windows XP
REM
REM Name: SA Enterprise XP Client - Desktop.CMD
REM Version: 1.0
REM
REM This CMD file provides the proper secedit.exe syntax for importing the security
REM policy for the Secure Stand Alone Windows XP Client.
REM Please read the entire guide before using this CMD file.
REM Run it from the folder that holds the .sdb and .inf files: the paths below are relative.

REM Resets the Policy to Default Values
Secedit.exe /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

REM Sets the Account Settings (/overwrite empties the database first)
secedit.exe /configure /db "XP Default Security.sdb" /cfg "SA Enterprise XP Account.inf" /overwrite /quiet

REM Sets the Security Settings (no /overwrite: merged into the database on top of the account settings)
secedit.exe /configure /db "XP Default Security.sdb" /cfg "Enterprise Client - Desktop.inf"

REM Deletes the Shared Folder
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{59031a47-3f72-44a7-89c5-5595fe6b30ee}" /f

REM Updates the Local Policy
gpupdate.exe /force
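The script above applies whichever .inf file sits beside it without inspecting it. The following Python checker is an added example, not part of the guide or of the scripts it ships: it parses a secedit template the way secedit reads it (the [System Access] and [Registry Values] sections written by the Security Templates snap-in), reports account policy values weaker than a baseline, and flags the RequireStrongKey change that the legacy templates make. The BASELINE values, the two constructed templates and the assumption that the snap-in saves templates as Unicode (UTF-16 with a byte-order mark) are this example's, not the guide's.

```python
"""Check a secedit security template (.inf) before a script applies it.

Added example; not part of the Windows XP Security Guide or its scripts.
BASELINE and MAX_PASSWORD_AGE_DAYS are illustrative, not Chapter 2 values.
"""
import configparser

# Assumed minimums for the account policy (illustrative; substitute your own).
BASELINE = {
    "MinimumPasswordLength": 8,
    "PasswordHistorySize": 24,
    "PasswordComplexity": 1,
}
MAX_PASSWORD_AGE_DAYS = 90  # assumed upper bound; -1 in a template means "never expires"

# Registry value behind "Domain member: Require strong (Windows 2000 or later) session key".
REQUIRE_STRONG_KEY = (
    r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey"
)


def load_template(source):
    """Parse template text; bytes are decoded as UTF-16 when a BOM is present (assumed snap-in format)."""
    if isinstance(source, bytes):
        encoding = "utf-16" if source.startswith((b"\xff\xfe", b"\xfe\xff")) else "cp1252"
        source = source.decode(encoding)
    cfg = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case and registry paths exactly as written
    cfg.read_string(source)
    return cfg


def check_template(source):
    """Return a list of findings; an empty list means the template meets the baseline."""
    cfg = load_template(source)
    findings = []
    access = cfg["System Access"] if cfg.has_section("System Access") else {}
    for key, minimum in BASELINE.items():
        if key not in access:
            findings.append("%s is not defined" % key)
        elif int(access[key]) < minimum:
            findings.append("%s=%s is below baseline %d" % (key, access[key], minimum))
    age = int(access.get("MaximumPasswordAge", -1))
    if age < 1 or age > MAX_PASSWORD_AGE_DAYS:
        findings.append("MaximumPasswordAge=%d (must be between 1 and %d days)"
                        % (age, MAX_PASSWORD_AGE_DAYS))
    registry = cfg["Registry Values"] if cfg.has_section("Registry Values") else {}
    if registry.get(REQUIRE_STRONG_KEY, "").strip() == "4,0":  # 4 = REG_DWORD, value 0
        findings.append("RequireStrongKey is disabled: acceptable only for clients in a Windows NT 4.0 domain")
    return findings


# Constructed templates in the format the snap-in writes; not the guide's files.
LEGACY_ENTERPRISE_ACCOUNT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 50
ResetLockoutCount = 30
LockoutDuration = 30
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

WEAK_ACCOUNT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_ENTERPRISE_ACCOUNT), ("weak", WEAK_ACCOUNT)):
        print(name, check_template(text) or "OK")
```

Run check_template over each .inf in the script folder before the script calls secedit; a non-empty result for a stand-alone (non-legacy) template means the file has been edited or the wrong template set has been copied.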

The following table includes a list of the scripts and associated files shipped with this guide. There is a set for each environment that covers desktop and laptop clients.


Table 5.3: Scripts and Files

Stand-Alone Scripts and Files | Description
SA Enterprise XP Client - Desktop.cmd | Stand-alone script for setting Enterprise policy on the desktop client.
SA Enterprise XP Client - Laptop.cmd | Stand-alone script for setting Enterprise policy on the laptop client.
SA XP High Security Client - Desktop.cmd | Stand-alone script for setting High Security policy on the desktop client.
SA XP High Security Client - Laptop.cmd | Stand-alone script for setting High Security policy on the laptop client.
SA Enterprise Account.inf | Enterprise Account Policy template.
SA High Security Account.inf | High Security Account Policy template.
Enterprise Client - Desktop.inf | Enterprise Security template for the desktop client.
Enterprise Client - Laptop.inf | Enterprise Security template for the laptop client.
High Security - Desktop.inf | High Security template for the desktop client.
High Security - Laptop.inf | High Security template for the laptop client.
XP Default Security.sdb | Default Policy database.

Legacy Scripts and Files | Description
Legacy Enterprise XP Client - Desktop.cmd | Legacy script for setting Enterprise policy on the desktop client.
Legacy Enterprise XP Client - Laptop.cmd | Legacy script for setting Enterprise policy on the laptop client.
Legacy XP High Security Client - Desktop.cmd | Legacy script for setting High Security policy on the desktop client.
Legacy XP High Security Client - Laptop.cmd | Legacy script for setting High Security policy on the laptop client.
Legacy Enterprise Account.inf | Legacy Enterprise Account Policy template.
Legacy High Security Account.inf | Legacy High Security Account Policy template.
Legacy Enterprise Client - Desktop.inf | Legacy Enterprise Security template for the desktop client.
Legacy Enterprise Client - Laptop.inf | Legacy Enterprise Security template for the laptop client.
Legacy High Security - Desktop.inf | Legacy High Security template for the desktop client.
Legacy High Security - Laptop.inf | Legacy High Security template for the laptop client.
XP Default Security.sdb | Default Policy database.

Note: Ensure that the database file is writable. It cannot be set to read-only.

Summary

Windows XP Local Policy is a very useful way to provide consistent security settings to Windows XP systems that are not members of an Active Directory domain. To deploy it effectively, ensure that you understand how local policies are applied, that all of your clients are configured with the appropriate settings, and that you have defined appropriate security for each client in your environment.

More Information

The following information sources were the latest available on topics closely related to securing Windows XP Professional at the time this guide was released to the public.

● For more information on the Security Configuration Manager, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/scm_analyze.asp.
● For more information on Group Policy, see: http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp.
● For information on troubleshooting Group Policy in Windows 2000, see: http://www.microsoft.com/Windows2000/techinfo/howitworks/management/gptshoot.asp.
● For more information on troubleshooting Group Policy application problems, see the following Knowledge Base article: http://support.microsoft.com/default.aspx?scid=250842.
● For more information on security tools and checklists, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp.
● For more information on securing mobile computers with Windows XP Professional, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/evaluate/prfeatgd.asp.
● For information on how to identify Group Policy objects (GPOs) in Active Directory and SYSVOL, see the following Knowledge Base article: http://support.microsoft.com/default.aspx?scid=216359.
● For information on the Administrative Template for Windows XP, see the following TechNet article: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/ADMinAD.asp.

6 Software Restriction Policy for Windows XP Clients

Overview

Software restriction policy provides administrators with a policy-driven mechanism to identify software and control its ability to run on a computer. These policies protect computers running Microsoft® Windows® XP Professional in your environment against known conflicts and safeguard them against viruses and Trojan horse programs. Software restriction policy integrates fully with Microsoft Active Directory® and Group Policy; you can also use it on stand-alone computers.

This chapter is structured differently from the others in this guide because of how software restriction policy works. Instead of configuring setting options for Group Policy based on the prescriptive recommendations in the previous chapters, an administrator first defines the set of applications allowed to run on the clients in your environment, and then determines the restrictions that the policy will apply to the clients.

When implementing software restriction policy, the first decision you must make is what the default security level will be: Unrestricted or Disallowed. If the default security level is Unrestricted, all software is allowed to run and you configure additional rules to block specific applications. The more secure approach is to set the default security level to Disallowed, which prevents all software from executing, and then configure additional rules to allow specific applications. You can apply the policy to multiple computers using domain-based Group Policy or to individual computers using local Group Policy.

Software restriction policy provides a number of ways to identify software, as well as a policy-based infrastructure to enforce rules on how the identified software may run. When users run programs, they must adhere to the guidelines that the administrator has established in the software restriction policy.
You can use software restriction policy to do the following: ● Control what software may run on clients in your environment. ● Restrict user access to specific files on multiuser computers. ● Decide who may add trusted publishers to clients. ● Define whether the policies affect all users or a subset of users on clients. ● Prevent executable files from running on your local computer, OU, site, or domain.

Software Restriction Policy Architecture

The architecture of software restriction policy provides the following features:
● Policy enforcement that is either domain-based or local-computer-based. Administrators create the policy and define which applications are trusted and which are not. The policy is enforced at run time, and users do not receive prompts allowing them to choose whether to run executable files.
● Policy that applies to more than just binary executable files. The definition of what constitutes software is ambiguous. The policy provides control over Microsoft Visual Basic® Scripting Edition (VBScript), JScript® and other scripting languages, and it integrates with Windows Installer to control which packages can be installed on clients. This feature includes an application programming interface (API) that you can use to coordinate the policy run time with other run times.
● Policy that is scalable. Because it is implemented through Group Policy, software restriction policy can be implemented and managed across domains consisting of tens of thousands of machines.
● Policy that is flexible. Administrators can prohibit unauthorized scripts, regulate Microsoft ActiveX® controls, or lock down client computers tightly.
● Policy that uses strong cryptography to identify software. The policy can identify software by hash or by digital signature.

Implementing a software restriction policy involves three phases:
1. The administrator or a delegated authority creates the policy using the Group Policy Microsoft Management Console (MMC) snap-in for the Active Directory container: site, domain, or OU. Microsoft recommends creating a separate GPO for software restriction policy.

Note: To create a new software restriction policy for a local stand-alone computer, you must be a member of the Administrators group on the local computer. To configure these settings, under Computer Configuration click Windows Settings, Security Settings, and then Software Restriction Policies.

2. The machine-level policy is downloaded and takes effect at startup. User policies take effect when the user logs on to the system or domain. To refresh the policy immediately, run the gpupdate.exe /force command.
3. When a user starts a program or script, the operating system or scripting host consults the policy, which determines whether the program may run according to the precedence rules that it enforces.

Unrestricted or Disallowed Settings A software restriction policy consists of two parts: ● A default rule for which programs may run. ● An inventory of exceptions to the default rule.

You can set the default rule used to identify software to Unrestricted or Disallowed: in effect, run all software or run no software. Setting the default rule to Unrestricted lets an administrator define exceptions, that is, a set of programs that are not allowed to run. Use the Unrestricted default setting in an environment with loosely managed clients; for example, you can prevent users from installing a program that conflicts with existing programs by creating a rule to block it. A more secure approach is to set the default rule to Disallowed and then allow only a specific set of programs to run. Under the Disallowed default setting, the administrator has to define rules for every application and ensure that users have the correct security settings on their computers to access the applications they are allowed to run. Disallowed is the preferred default for securing Windows XP clients.

Four Rules to Identify Software

Rules in a software restriction policy identify one or more applications and specify whether they are allowed to run. Creating rules largely consists of identifying applications and then categorizing them as exceptions to the Disallowed default setting. Each rule can include a comment describing its purpose. The enforcement engine in Windows XP queries the rules in the software restriction policy before allowing a program to run. A software restriction policy uses the following four rule types to identify software:
● Hash Rule — Uses a cryptographic fingerprint of the executable file.
● Certificate Rule — Uses the software publisher's code-signing certificate on the executable file.
● Path Rule — Uses the local, Universal Naming Convention (UNC) or registry path of the executable file's location.
● Zone Rule — Uses the Internet zone from which the executable file originated (if it was downloaded with Microsoft Internet Explorer).

The Hash Rule

A hash is a digital fingerprint that uniquely identifies a program or executable file even if the file is moved or renamed. An administrator can therefore use a hash to track a particular version of an executable file that he or she does not want users to run. With a hash rule, programs remain uniquely identifiable because the rule matches on a cryptographic calculation over the contents of the file, not on its name or location. The only file types affected by hash rules are those listed in the Designated File Types section of the details pane for Software Restriction Policies. Hash rules work best in a static environment where software changes or upgrades are infrequent, because whenever software is upgraded the hash must be recalculated for each updated executable file. A hash rule consists of the following three pieces of data, separated by colons:
● The MD5 or SHA-1 hash value.
● The file length.
● The hash algorithm ID number.

Digitally signed files use the hash value contained in the signature, which may be MD5 or SHA-1. Executable files that are not digitally signed use an MD5 hash value. Hash rules are formatted as follows:

[MD5 or SHA1 hash value]:[file length]:[hash algorithm id]

The following hash rule example is for a 126-byte long file whose contents match the MD5 hash value 7bc04acc0d6480af862d22d724c3b049; the hash algorithm identifier 32771 denotes MD5:

7bc04acc0d6480af862d22d724c3b049:126:32771

Each file that the administrator wants to restrict or allow needs its own hash rule. After software is updated, the administrator must create a new hash rule for each application because the hash values for the original executable files will not match those of the new files. Use the following steps to create a hash rule for an executable file.

To apply a hash rule to an existing executable file:
1. On the Group Policy Object Editor tool bar, click Windows Settings, Security Settings, Software Restriction Policy, and then right-click Additional Rules.
2. Click New Hash Rule on the shortcut menu.

Figure 6.1 The New Hash Rule dialog box

3. Click Browse to select the file for which you want to create a hash. In this example, the executable file is Excel.exe. The new file hash value displays in the File Hash: box. The application version displays in the File Information: box.
4. Select the security level default setting that you want for this rule. The options for this are:
● Disallowed
● Unrestricted
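The hash rule format described above, as an added example that is not part of the guide: a small Python routine that builds a rule string for a file's contents and checks a candidate file against it, so a renamed copy still matches while an updated build does not. The 32772 identifier for SHA-1 and the sample file bytes are assumptions constructed here.

```python
import hashlib

# Hash algorithm identifiers carried in the rule's third field. 32771 (0x8003, the MD5
# algorithm id) appears in the guide; 32772 (0x8004) is assumed here for the SHA-1 case.
ALG_IDS = {"md5": 32771, "sha1": 32772}
ALG_NAMES = {v: k for k, v in ALG_IDS.items()}
HEX_LEN = {"md5": 32, "sha1": 40}


def make_hash_rule(data: bytes, algorithm: str = "md5") -> str:
    """Build a rule in the guide's [hash value]:[file length]:[hash algorithm id] format.

    Unsigned executables get an MD5 rule; use algorithm="sha1" for a signed file whose
    signature carries a SHA-1 digest.
    """
    digest = hashlib.new(algorithm, data).hexdigest()
    return f"{digest}:{len(data)}:{ALG_IDS[algorithm]}"


def parse_hash_rule(rule: str) -> tuple:
    """Split a rule into (hex digest, file length, algorithm id), validating each field."""
    digest, length, alg_id = rule.split(":")
    alg_id = int(alg_id)
    if alg_id not in ALG_NAMES:
        raise ValueError(f"unknown hash algorithm id {alg_id}")
    if len(digest) != HEX_LEN[ALG_NAMES[alg_id]]:
        raise ValueError("digest length does not match the algorithm id")
    return digest.lower(), int(length), alg_id


def hash_rule_matches(rule: str, data: bytes) -> bool:
    """True when the file content matches the rule, whatever the file is named or where it lives.

    The cheap length check runs first so a patched file of a different size is
    rejected without hashing it.
    """
    digest, length, alg_id = parse_hash_rule(rule)
    if len(data) != length:
        return False
    return hashlib.new(ALG_NAMES[alg_id], data).hexdigest() == digest


# Constructed stand-in for an executable's bytes (not the guide's 126-byte Excel example).
SAMPLE_EXE = b"MZ" + b"\x90" * 60 + b"This program cannot be run in DOS mode.\r\n"
PATCHED_EXE = SAMPLE_EXE.replace(b"\x90", b"\x91", 1)   # same length, one byte changed

if __name__ == "__main__":
    rule = make_hash_rule(SAMPLE_EXE)
    print(rule)
    print(hash_rule_matches(rule, SAMPLE_EXE))    # True: a renamed or moved copy still matches
    print(hash_rule_matches(rule, PATCHED_EXE))   # False: an updated file needs a new rule
```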

The Certificate Rule

A certificate rule specifies a software publisher's certificate used for code-signing. For example, an administrator can require signed certificates for all scripts and ActiveX controls. Allowable sources that comply with the certificate rule include:
● A commercial certificate authority (CA), such as VeriSign.
● A Microsoft Windows® 2000/Windows Server 2003™ Public Key Infrastructure (PKI).
● A self-signed certificate.

A certificate rule is a strong way to identify software because it uses signed hashes contained in the signature of the signed file to match files regardless of name or location. Unfortunately, few software vendors utilize code-signing technology, and even those that do typically sign a small percentage of the executable files that they distribute. For these reasons certificate rules are often only used for a few specific application types such as ActiveX controls or internally developed applications. To make exceptions to a certificate rule, you can use a hash rule to identify them.

Enabling Certificate Rules

Certificate rules are not enabled by default. Use the following steps to enable the rules.

To enable the certificate rules:
1. Open the GPO in the Group Policy Object Editor.
2. In the console tree, click Security Options.
3. In the details pane, double-click System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies.
4. Click Enabled to make the certificate rules available.

Many commercial Web sites have their software code-signed by a commercial CA. These certificates are usually valid from one to several years. When using certificate rules, be aware that the certificates carry expiration dates. You may be able to contact the software publisher to find out more information on the expiration period for their published certificate. When receiving a certificate from a commercial CA, you can export it to a file to create a certificate rule. Use the following steps to export a certificate.

To export a certificate:
1. Select the trusted publisher that will issue the certificate. In this example, the certificate publisher is Microsoft MSN®.

Figure 6.2 The Security Warning dialog box showing the trusted publisher

2. Click the Details tab.

Note: Copy this certificate to a file and use it to create a Certificate Rule.

Figure 6.3 The details tab of the Certificate dialog box

3. The Certificate Export Wizard welcome page appears. Click Next to continue.

Figure 6.4 The Certificate Export Wizard welcome page

4. On the Export File Format page, select DER encoded binary X.509 (.CER) and click Next to create the certificate file with a (.cer) extension.

Figure 6.5 The Certificate Export Wizard, Export File Format page showing the selected encoding method

5. On the File to Export page, designate a descriptive certificate rule file name. The certificate will be exported to the Certificate Directory in Windows XP.

Figure 6.6 The Certificate Export Wizard, File to Export page showing an example file name

6. The Completing the Certificate Export Wizard page appears with a list showing the certificate file's specified settings. Review the settings and click Finish to export the file.

Figure 6.7 The Certificate Export Wizard Completion page showing the specified settings

You can now create a certificate rule using this file.

Figure 6.8 The New Certificate dialog box showing the specified settings

The Path Rule

A path rule specifies either a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders of that folder. Path rules support both local and UNC paths. The administrator must define all directories for launching a specific application in the path rule. For example, if the administrator has created a shortcut on the desktop to launch an application, in the path rule the user must have access to both the executable file and the shortcut paths to run the application. Attempting to run the application using only one piece of the puzzle will trigger the Software Restricted warning. Many applications use the %ProgramFiles% variable to install files on the hard drive of computers running Windows XP Professional. If this variable is set to another directory on a different drive, some applications will still copy files to the original C:\Program Files subdirectory. Therefore, it is a best practice to leave path rules defined to the default directory location.

Using Environment Variables in Path Rules

You can define a path rule to use environment variables. Since path rules are evaluated in the client environment, using environment variables allows an administrator to adapt a rule to a particular user's environment. The following two examples show instances of applying environment variables to a path rule.
● "%UserProfile%" matches C:\Documents and Settings\User and all subfolders under this directory.
● "%ProgramFiles%\Application" matches C:\Program Files\Application and all subfolders under this directory.

Note: Environment variables are not protected by Access Control Lists (ACLs). There are two types of environment variables, User and System. Users able to start a command prompt can redefine a User environment variable to a different path. Only users in the Administrators group can change System environment variables.

Below is a current list of default environment variables in Windows XP Professional:

Table 6.1: Default Environment Variables for Windows XP Professional

Variable Name | Description
ALLUSERSPROFILE | A local variable that returns the All Users Profile location.
APPDATA | A local variable that returns the location where applications store data by default.
CD | A local variable that returns the current directory string.
CMDCMDLINE | A local variable that returns the exact command line used to start the current Cmd.exe program.
CMDEXTVERSION | A system variable that returns the version number of the current Command Processor Extensions.
COMPUTERNAME | A system variable that returns the name of the computer.
COMSPEC | A system variable that returns the exact path to the command shell executable.
DATE | A system variable that returns the current date. This variable uses the same format as the date /t command. The Cmd.exe program generates this variable. For more information, see the Date command.
ERRORLEVEL | A system variable that returns the error code of the most recently used command. A non-zero value usually indicates an error.
HOMEDRIVE | A system variable that returns the local workstation drive letter of the user's home directory. This variable is set based on the value of the home directory specified in the groups for Local Users and Groups.
HOMEPATH | A system variable that returns the full path of the user's home directory. This variable is set based on the value of the home directory specified in the groups for Local Users and Groups.
HOMESHARE | A system variable that returns the network path to the user's shared home directory. This variable is set based on the value of the home directory specified in the groups for Local Users and Groups.
LOGONSERVER | A local variable that returns the name of the domain controller that validated the current logon session.
NUMBER_OF_PROCESSORS | A system variable that specifies the number of processors installed on the computer.
OS | A system variable that returns the operating system name. Windows XP Professional displays the operating system as Microsoft Windows NT.
PATH | A system variable that specifies the search path for executable files.
PATHEXT | A system variable that returns a list of the file extensions that the operating system considers to be executable.
PROCESSOR_ARCHITECTURE | A system variable that returns the processor's chip architecture. Values: x86, IA64.
PROCESSOR_IDENTIFIER | A system variable that returns a description of the processor.
PROCESSOR_LEVEL | A system variable that returns the model number of the computer's processor.
PROCESSOR_REVISION | A system variable that returns the revision number of the processor.
PROMPT | A local variable that returns the command prompt settings for the current interpreter. Generated by Cmd.exe.
RANDOM | A system variable that returns a random decimal number between 0 and 32767. Generated by the Cmd.exe program.
SYSTEMDRIVE | A system variable that returns the drive containing the Windows root directory (for example, the system root).
SYSTEMROOT | A system variable that returns the location of the Windows root directory.
TEMP or TMP | A system and user variable that returns the default temporary directories for applications available to users who are currently logged on. Some applications require TEMP and others require TMP.
TIME | A system variable that returns the current time. This variable uses the same format as the time /t command. Generated by Cmd.exe. For more information, see the Time command.
USERDOMAIN | A local variable that returns the name of the domain that contains the user's account.
USERNAME | A local variable that returns the name of the user currently logged on.
USERPROFILE | A local variable that returns the location of the profile for the current user.
WINDIR | A system variable that returns the location of the operating system directory.

Using Wildcards in Path Rules

A path rule can incorporate the "?" and "*" wildcards. The following examples show wildcards applied to different path rules:
● "\\DC-??\login$" matches \\DC-01\login$, \\DC-02\login$, and so on.
● "*\Windows" matches C:\Windows, D:\Windows, E:\Windows and all subfolders under each directory.
● "C:\win*" matches C:\winnt, C:\windows, C:\windir and all subfolders under each directory.
● "*.vbs" matches any application that has this extension in Windows XP Professional.
● "C:\Application Files\*.*" matches all application files in the specific subdirectory.

Registry Path Rules

Many applications store paths to their installation folders or application directories in the Microsoft Windows® registry. Some applications can be installed anywhere on the file system. To locate them, you can create a path rule to look up these registry keys. These locations may not be easily identified using specific folder paths, such as C:\Program Files\Microsoft Platform SDK, or environment variables, such as %ProgramFiles%\Microsoft Platform SDK. However, if the program stores its application directories in the registry, you can create a path rule that will use the value stored in the registry, such as:

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\Install Dir%

This type of path rule, called a registry path rule, is formatted as follows:

%[Registry Hive]\[Registry Key Name]\[Value Name]%

Note: Any registry path rule suffix should not contain a \ character immediately after the last % sign in the rule. The registry hive name must be written out; abbreviations will not work.

When the default rule is set to Disallowed, there are four registry path rules that are set up so the operating system has access to system files for normal operation. These registry path rules are created as a safeguard against locking yourself and all other users out of the system. These registry rules are set to Unrestricted. Only advanced users should consider modifying or deleting these rules. The registry path rule settings are:
● %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
● %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
● %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
● %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

Path Rule Precedence

When there are multiple matching path rules, the most specific matching rule takes precedence over the others. The following set of paths is ordered from highest precedence (most specific match) to lowest precedence (most general match):
● Drive:\Folder1\Folder2\FileName.Extension
● Drive:\Folder1\Folder2\*.Extension
● *.Extension
● Drive:\Folder1\Folder2\
● Drive:\Folder1\

Zone Rule

You can use a zone rule to identify software downloaded from any of the following zones defined in Internet Explorer:
● Internet
● Intranet
● Restricted Sites
● Trusted Sites
● My Computer

The current version of the Internet zone rule applies only to Windows Installer (*.msi) packages. This rule does not apply to software downloaded via Internet Explorer. All other file types affected by zone rules are listed in the table on designated file types that appears later in this chapter. There is one list of designated file types that is shared by all zone rules.

Rule Recommendations

Use the following table to determine which type of rule is best suited for the application's users and environment.

Table 6.2: Determining the Best Rule for a Given Application

Task | Recommended Rule
Allow or disallow a specific program version. | Hash rule. Browse to the file to create a hash.
Identify a program always installed in the same place. | Path rule with environment variables: %ProgramFiles%\Internet Explorer\iexplore.exe
Identify a program that can be installed anywhere on client machines. | Registry path rule: %HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0\Path\HOME%
Identify a set of scripts on a central server. | Path rule: \\SERVER_NAME\Share
Identify a set of scripts on a set of servers. For example, DC01, DC02, and DC03. | Path rule with wildcard: \\DC??\Share
Disallow all .vbs files, except those in a login script directory. | Path rule with wildcard: *.VBS set to Disallowed; \\LOGIN_SRV\Share\*.VBS set to Unrestricted
Disallow a file installed by a virus that is always called flcss.exe. | Path rule: flcss.exe, set to Disallowed
Identify a set of scripts that can be run anywhere. | Certificate rule. Use a certificate to digitally sign the scripts.
Allow software to be installed from trusted Internet zone sites. | Zone rule. Set Trusted Sites to Unrestricted.

Software Restriction Policy Precedence Rules

Rules are evaluated in a specific order. The rules that more specifically match a program take precedence over rules that more generally match the same program. If two identical rules with differing security levels are established for the same software, the rule with the highest security level takes precedence. For example, if two hash rules — one with the security level Disallowed and one with the security level Unrestricted — are applied to the same software program, the rule with the security level Disallowed takes precedence, and the program will not run. The following list defines the precedence order for the rules in terms of the most specific to the least specific rule:
1. Hash rule
2. Certificate rule
3. Path rule
4. Zone rule
5. Default rule
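To tie the path rule material (environment variables, registry paths, wildcards, path precedence) to the rule precedence just listed, here is an added Python evaluator that is not part of the guide or of Windows: it expands a rule against a constructed environment and registry, applies wildcard and folder matching, and picks the winning rule in the order described above, with Disallowed winning between otherwise identical rules. The environment values, rules and programs are constructed samples, and the simplified matching is an assumption rather than the Windows implementation.

```python
import fnmatch
import hashlib
import re
from dataclasses import dataclass

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
# Rule types from most to least specific, as the guide orders them; the default rule comes last.
TYPE_RANK = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}
# Constructed stand-ins for the client's environment variables and registry values.
SAMPLE_ENV = {
    "ProgramFiles": r"C:\Program Files",
    "UserProfile": r"C:\Documents and Settings\User",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot": r"C:\WINDOWS",
}

def expand(rule: str, env: dict = SAMPLE_ENV) -> str:
    r"""Expand %Variable% and %Hive\Key\ValueName% references; unknown names are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), rule)

def path_rule_matches(rule: str, file_path: str, env: dict = SAMPLE_ENV) -> bool:
    """A folder rule covers the folder and every subfolder; ? and * are wildcards."""
    pattern = expand(rule, env).lower().rstrip("\\")
    target = file_path.lower()
    if "*" in pattern or "?" in pattern:
        # "*.vbs" must match the file itself; "*\Windows" or "C:\win*" also cover everything beneath
        return fnmatch.fnmatchcase(target, pattern) or fnmatch.fnmatchcase(target, pattern + "\\*")
    return target == pattern or target.startswith(pattern + "\\")

def path_specificity(rule: str, env: dict = SAMPLE_ENV) -> tuple:
    r"""Sort key (lower = more specific) in the guide's order: Drive:\F1\F2\File.ext, then
    Drive:\F1\F2\*.ext, then *.ext, then Drive:\F1\F2\, then Drive:\F1\ (a deeper folder wins)."""
    parts = expand(rule, env).rstrip("\\").split("\\")
    name = parts[-1]
    if "*" not in name and "?" not in name and "." in name:
        return (0, -len(parts))   # fully qualified file name
    if name.startswith("*.") and len(parts) > 1:
        return (1, -len(parts))   # folder\*.ext
    if name.startswith("*."):
        return (2, 0)             # bare *.ext
    return (3, -len(parts))       # folder rule, possibly containing wildcards

@dataclass
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    value: str   # md5hex:length:32771, publisher name, path pattern, or zone name
    level: str   # DISALLOWED or UNRESTRICTED

@dataclass
class Program:
    path: str
    content: bytes = b""
    publisher: str = ""         # subject of the code-signing certificate, "" when unsigned
    zone: str = "My Computer"   # Internet Explorer zone the file was downloaded from

def md5_rule(content: bytes) -> str:
    """Hash rule value for an unsigned file: MD5 hex digest, file length, algorithm id 32771."""
    return f"{hashlib.md5(content).hexdigest()}:{len(content)}:32771"

def rule_matches(rule: Rule, prog: Program, env: dict = SAMPLE_ENV) -> bool:
    if rule.kind == "hash":
        return rule.value.lower() == md5_rule(prog.content)
    if rule.kind == "certificate":
        return prog.publisher != "" and prog.publisher == rule.value
    if rule.kind == "path":
        return path_rule_matches(rule.value, prog.path, env)
    if rule.kind == "zone":   # the guide notes zone rules currently cover only .msi packages
        return prog.path.lower().endswith(".msi") and prog.zone == rule.value
    raise ValueError(f"unknown rule kind {rule.kind!r}")

def effective_level(rules: list, prog: Program, default: str = DISALLOWED, env: dict = SAMPLE_ENV) -> str:
    """Guide's precedence: hash > certificate > path (most specific path first) > zone >
    default rule; between otherwise identical matching rules, Disallowed wins."""
    matched = [r for r in rules if rule_matches(r, prog, env)]
    if not matched:
        return default
    def key(r: Rule):
        spec = path_specificity(r.value, env) if r.kind == "path" else (0, 0)
        return (TYPE_RANK[r.kind], spec, 0 if r.level == DISALLOWED else 1)
    return min(matched, key=key).level

# Rules modelled on the guide's design (Table 6.7) plus one hash exception; all constructed here.
LOGIN_VBS = b"' constructed logon script\r\nWScript.Echo \"hello\"\r\n"
DESIGN_RULES = [
    Rule("path", r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%", UNRESTRICTED),
    Rule("path", r"*\Program Files", UNRESTRICTED),
    Rule("path", r"*.vbs", DISALLOWED),
    Rule("path", r"\\LOGIN_SRV\Share\*.vbs", UNRESTRICTED),   # exception for the logon script share
    Rule("hash", md5_rule(LOGIN_VBS), DISALLOWED),           # one specific script blocked everywhere
    Rule("zone", "Trusted Sites", UNRESTRICTED),             # installers from trusted sites may run
]

if __name__ == "__main__":
    for p in (Program(r"C:\WINDOWS\system32\notepad.exe"), Program(r"C:\Documents and Settings\User\x.vbs"),
              Program(r"\\LOGIN_SRV\Share\logon.vbs"), Program(r"\\LOGIN_SRV\Share\logon.vbs", LOGIN_VBS),
              Program(r"C:\tmp\setup.msi", zone="Trusted Sites"), Program(r"D:\tools\unknown.exe")):
        print(p.path, "->", effective_level(DESIGN_RULES, p))
```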

Software Restriction Policy Options

This section discusses the various enforcement options that influence the behavior of a software restriction policy. These options alter the enforcement behavior scope or the Microsoft Authenticode® trust settings for digitally signed files. There are two enforcement options: Dynamic-link library (DLL) Checking and Skip Administrators.

DLL Checking

Most programs consist of an executable file and many supporting DLLs. By default, software restriction policy rules are not enforced on DLLs. For the following three reasons the default is recommended for most customers:
● Disallowing the main executable file prevents the program from running, so there is no need to disallow the constituent DLLs.
● DLL checking degrades system performance because it has to check all libraries linked to the application. For example, if a user runs 10 programs during a logon session, the software restriction policy evaluates each program. With DLL checking turned on, the software restriction policy evaluates each DLL load within each program. If each program uses 20 DLLs, this results in 10 executable program checks plus 200 DLL checks, so the software restriction policy must perform 210 evaluations. A program such as Internet Explorer consists of an executable file, iexplore.exe, and many supporting DLLs.
● Setting the default security level to Disallowed forces the system to not only identify the main executable file before it is allowed to run, but all of the .exe file's constituent DLLs, which places added burden on the system.

DLL Checking is the recommended option when you want the highest assurance possible for the programs running in your environment. This is because while viruses primarily target executable files, some specifically target DLLs.

To ensure that a program does not contain a virus, you can use a set of hash rules that identify the executable file and all of its constituent DLLs.

To turn off the DLL Checking option: In the Enforcement Properties dialog box, select All software files except libraries (such as DLLs).

Figure 6.9 The Enforcement Properties dialog box showing file and user enforcement options

Skip Administrators

An administrator may want to disallow programs from running for most users, but allow administrators to run all of them. For example, an administrator may have a shared computer that multiple users connect to using Terminal Server. The administrator may want users to run only specific applications on the computer, but members in the local Administrators group to be able to run anything. Use the Skip Administrators enforcement option to do this. If the software restriction policy is created in a GPO linked to an object in Active Directory, instead of using the Skip Administrators option, Microsoft recommends denying the Apply Group Policy permission on the GPO to the Administrators group. This consumes less network traffic because GPO settings that do not apply to administrators are not downloaded.


Note: Software restriction policy defined in local security policy objects cannot filter user groups. In this case, use the Skip Administrators option.

To turn on the Skip Administrators option: In the Enforcement Properties dialog box in Figure 6.9 above, select All users except local administrators.

Defining Executables

The Designated File Types Properties dialog box in Figure 6.10 below lists the file types governed by software restriction policy. The file types designated are considered as executable files. For example, a screen saver file (.scr) is considered an executable file because it loads as a program when you double-click it in Windows Explorer. Software restriction policy rules only apply to the file types listed in the Designated File Types Properties dialog box. If your environment uses a file type that you want to apply rules to, add it to the list. For example, for Perl scripting files you may choose to add .pl and other file types associated with the Perl engine to the Designated file types: list under the General tab of the Designated File Types Properties dialog box.

Figure 6.10 The Designated File Types Properties dialog box

For this example, the file types .mdb and .lnk are removed and .ocx is added. The table below lists the designated file types.

Table 6.3: Designated File Types

File Extension | File Description
.ade | Microsoft Access Project Extension
.adp | Microsoft Access Project
.bas | Visual Basic Class Module
.bat | Batch File
.chm | Compiled HTML Help File
.cmd | Windows NT Command Script
.com | MS-DOS Application
.cpl | Control Panel Extension
.crt | Security Certificate
.exe | Application
.hlp | Windows Help File
.hta | HTML Applications
.inf | Setup Information File
.ins | Internet Communication Settings
.isp | Internet Communication Settings
.js | JScript File
.jse | JScript Encoded Script File
.mde | Microsoft Access MDE Database
.msc | Microsoft Common Console Document
.msi | Windows Installer Package
.msp | Windows Installer Patch
.mst | Visual Test Source File
.ocx | ActiveX Controls
.pcd | Photo CD Image
.pif | Shortcut to MS-DOS Program
.reg | Registry Entries
.scr | Screen Saver
.sct | Windows Script Component
.shs | Shell Scrap Object
.url | Internet Shortcut (Uniform Resource Locator)
.vb | VB File
.vbe | VBScript Encoded Script File
.vbs | VBScript Script File
.wsc | Windows Script Component
.wsf | Windows Script File
.wsh | Windows Scripting Host Settings File

Known Issues

If a software restriction policy is configured to restrict 16-bit programs such as command.com or edit.com, users can still start the program even though they are not permitted to run it. The solution to this problem is to install Windows XP Professional Service Pack 1 on the clients in your environment.

Software restriction policy does not prevent code from running outside the Microsoft Win32® subsystem. For example, users can run the same command from the Portable Operating System Interface (POSIX) subsystem. To prevent this, turn off the POSIX subsystem by deleting the following POSIX value:

HKLM\System\CurrentControlSet\Control\SessionManager\Subsystems

Trusted Publishers

You can use the Trusted Publishers Properties dialog box to configure which users can select trusted publishers. You can also determine which, if any, certificate revocation checks are performed before trusting a publisher. With certificate rules enabled, software restriction policy will check a certificate revocation list (CRL) to ensure the software's certificate and signature are valid. This may decrease performance when starting signed programs. The options under the General tab of the Trusted Publishers Properties dialog box shown in Figure 6.11 below allow you to configure settings related to ActiveX controls and other signed content.

Figure 6.11 The Trusted Publisher Properties dialog box

The following table shows trusted publisher options related to ActiveX controls and other signed content.

Table 6.4: Trusted Publisher Tasks and Settings

Setting Name | Task
Enterprise administrators | Use to allow only Enterprise administrators to make decisions regarding signed active content.
Local computer administrators | Use to allow Local machine administrators to make all decisions on signed active content.
End users | Use to allow users to make decisions regarding signed active content.
Publisher | Use to ensure that the certificate the software publisher uses has not been revoked.
Timestamp | Use to ensure that the certificate the organization uses to time-stamp the active content has not been revoked.

Software Restriction Policy Design and Deployment

This section covers administering software restriction policy using Group Policy snap-ins; things to consider when editing a policy for the first time; and how to apply a software restriction policy to a group of users. A variety of issues to consider when deploying software restriction policy are also covered.

Integration with Group Policy

You can administer software restriction policy using Group Policy snap-ins to a set of clients, as well as all the users that log on to the clients. The policy is applied to the desktops and laptops OU defined in this guide.

Domain
The administrator should create a separate GPO for the software restriction policy. This provides a way to remove the Group Policy without disrupting other policies applied to the object if unexpected problems should arise.

Local
A local policy should be configured for the stand-alone clients in your environment.

Designing a Policy

This section outlines the steps to follow when designing and deploying a software restriction policy. Designing the policy requires making several decisions detailed in the following table.

Table 6.5: Important Policy Design Decisions to Address

Decision | Factors to Consider
Laptops or workstations. | Investigate the needs of the mobile users in your environment to determine if the laptops require a different policy than that for desktops. Laptops tend to need more flexibility than desktops.
Server shares, logon scripts and home drives. | You will need to define a path rule for any applications starting from a server share or home directory. You can add logon script files to the path rule. If a script calls any other script, also add the executable locations to the path rule.
GPO or local security policy. | In this guide, a GPO is used for this design, but you should consider the effects that local policy will have on your design.
User or client policy. | This design applies all settings at the client level.
Default security level | It is recommended to configure the default setting to Disallowed, and then configure the rest of the policy accordingly. The Unrestricted default setting is also available.
Additional rules | You will need to apply additional operating system path rules as needed when using the Disallowed default policy. In the Disallowed configuration, the four rules are created automatically.
Policy options | If you are using a local security policy, and do not want the policy to apply to administrators on the clients in your environment, select the policy enforcement option Skip Administrators. If you want to check DLLs in addition to executable files and scripts, select the policy enforcement option DLL Checking. If you want to establish rules on file types that are not in the default list of designated file types, then use the option to add them as needed to the Designated File Types Properties dialog box. If you want to change who can make decisions about downloading ActiveX controls and other signed content, then select the check box for Publisher under the General tab of the Trusted Publishers Properties dialog box.
Applying the policy to a site, domain, or OU. | The policy will reside under the OU in which the desktops and laptops are located.

Best Practices

Microsoft recommends creating a separate GPO for software restriction policy, so that if you need to disable the policy in an emergency, it will not impact the rest of your domain or local policy. Also, if you accidentally lock down a workstation with software restriction policy during the design phase of your OU, restart the computer in Safe mode, log on as a local administrator, and then modify the policy. Software restriction policy is not applied when Windows is started in Safe mode. After starting the computer in Safe mode, run gpupdate.exe, and then restart it. For the best security, do not give users administrative privileges and use ACLs in conjunction with software restriction policy. Users may try to circumvent software restriction policy by renaming or moving disallowed files or by overwriting unrestricted files. To prevent this, use ACLs to deny users access to do either of these things. Users who are members of the local Administrators group will be able to bypass your software restriction policy implementation; therefore Microsoft recommends that you do not give users administrative privileges whenever feasible. Login scripts are usually located under Sysvol on the domain controller or a centralized server. Often the domain controller can change with each login. If your default rule is set to Disallowed, be sure to create rules that identify the locations of your logon scripts. If the logon servers have similar names, consider using wildcards to locate them, or use the logon script name with unrestricted settings.

Note: Test new software restriction policy settings thoroughly in test environments before applying them to your domain. New policy settings may act differently than originally expected. Testing will diminish the chance of encountering a problem when you deploy the software restriction policy settings across your network.

Stepping Through the Process

Use the following steps to guide you through the process of designing a software restriction policy, and then applying it as a GPO to the laptops and desktops in your environment.

Step 1. Create a GPO for the OU

Locate the OU that was created for the desktops or laptops in your environment. If you are working on a stand-alone client, the settings are located in the Local Computer Policy. In this policy, click Properties, and then create a new GPO. Name the policy according to your organization's naming convention. Remember, this policy will only be used to enforce software restrictions.

Step 2. Set the Software Restriction Policy

Highlight the GPO and click Edit. Traverse the tree until you locate Windows Settings\Security Settings\Software Restriction Policy. The first time you edit the policy you will see the following message: No Software Security Policies are defined. This message warns you that creating a policy will define default values. These default values can override settings from other software restriction policies. Since no software restriction settings have been set yet, use the default settings to start. Right-click the Actions menu and select New Software Restriction Policies.

Step 3. Set up the Path Rules

Once you determine which applications and scripts the workstations will have, you can set up the path rules. Some programs launch other programs to perform tasks. The software applications in your environment may depend on one or more supporting programs. An inventory and installation documentation on the currently installed software is very useful for tracking path rules. An example of a workstation design might include the following guidelines:
● Applications = *\Program Files
● Shared Group Applications = g:\Group Applications
● Logon script = Logon.bat
● Desktop Shortcuts = *.lnk
● Malicious VB Script = *.vbs

Step 4. Set the Policy Options

The following includes the recommended settings for this design. These options alter the enforcement behavior scope or the Authenticode trust settings for digitally signed files.
Enforcement — if the computer is part of the domain, ensure that the Domain Admins group is automatically added to the Administrators group.
Apply to Users — this includes all users except local Administrators.
Apply to Files — this includes all software files except libraries (such as DLLs). Checking DLLs delays the launch of each application; to avoid this, the design sets the policy not to check DLLs.
Designated file types — for the GPO design defined in this guide, .ocx files were added to the list and .mdb and .lnk file types were removed. You could add custom application file type extensions as needed to make them subject to the same rules.
Trusted Publishers — for the GPO design defined in this guide, the Administrators group was enabled and the option for Trusted Publisher Properties: Local Computer Administrators was selected. Before trusting a publisher, during the design phase of creating the GPO, select the Check: Publisher option to ensure the policy will validate certificates.

Step 5. Apply the Default Settings

It is a best practice to configure the policy to the Unrestricted default setting first. This ensures that the policy is completely configured before applying software restrictions. After reviewing the policy settings, reset the default setting to Disallowed.

Step 6. Test the Policy

If the computer is part of a domain, move the computer into the OU container where the policy is applied. Restart the test computer and log on to it. The test plans should have instructions on how each of the applications should work when the policy is applied. Run the applications to ensure they function fully and that you can access all of their features. After you have validated the functionality of the applications, simulate an attack on the applications to ensure that the policy has no security vulnerabilities.

If the computer is a stand-alone client, log on to the test computer and follow your test plan. After you have validated the applications, launch the simulated attack again to ensure that the policy has no security vulnerabilities.

Deploying Software Restriction Policy

After thoroughly testing the policy, apply it to the desktop or laptop OU in your environment. If it is a stand-alone client, apply it to the Local Computer Settings on the client. Open the Computers and Users MMC snap-in and traverse the directory until you reach the OU container for the desktops or laptops. Then create the new GPO using the Group Policy Object Editor. Edit the properties and apply the appropriate settings from the following tables to the Software Restriction Policy under Windows Settings\Security Settings.

Table 6.6: Security Levels

Default Rule in UI | Description | Setting
Disallowed | Software will not run, regardless of the access rights of the user. | Use this default rule

Table 6.7: Additional Rules

Path Rule | Setting
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% | Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe | Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe | Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProgramFilesDir% | Unrestricted
*.vbs | Disallowed
G:\Group Applications | Unrestricted
Logon.bat or Logon script | Unrestricted
*\Program Files | Unrestricted
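As an added example (not code from the guide or from Windows), the following Python script applies the path rules of Table 6.7 and the Step 3 design to sample file paths and reports which rule decides each outcome, which is the reasoning an administrator goes through before the policy reaches a test OU. Its matching and precedence semantics are a simplified model stated in the docstring rather than a reproduction of the SRP engine; the values substituted for the two registry keys and the sample paths are constructed.

```python
"""Simplified evaluator for Software Restriction Policy (SRP) path rules.

Added example: not code from the guide or from Windows. It applies the
Table 6.7 rule set to a file path the way an administrator would reason
about it before deploying the GPO. The matching and precedence semantics
are a simplified model (assumptions of this example, not SRP's own code):
  * a folder rule covers that folder and everything beneath it;
  * '*' and '?' do not cross a backslash, except that a bare file pattern
    such as '*.vbs' or 'Logon.bat' is matched against the file name alone;
  * when several rules match, the most specific wins: explicit file
    > folder\\*.ext > *.ext > folder, a deeper folder beating a shallower;
  * on a tie, Disallowed wins.
"""
import re
from typing import Dict, List, Optional, Tuple

DEFAULT_LEVEL = "Disallowed"  # Table 6.6: the design's default rule

SYSROOT = r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%"
PROGFILES = r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProgramFilesDir%"

# Constructed sample values for the registry keys SRP expands at run time.
REGISTRY_PATHS: Dict[str, str] = {SYSROOT: r"C:\WINDOWS", PROGFILES: r"C:\Program Files"}

# The additional rules from Table 6.7 of the guide.
PATH_RULES: List[Tuple[str, str]] = [
    (SYSROOT, "Unrestricted"),
    (SYSROOT + r"\*.exe", "Unrestricted"),
    (SYSROOT + r"\System32\*.exe", "Unrestricted"),
    (PROGFILES, "Unrestricted"),
    (r"*.vbs", "Disallowed"),
    (r"G:\Group Applications", "Unrestricted"),
    (r"Logon.bat", "Unrestricted"),
    (r"*\Program Files", "Unrestricted"),
]

LEVEL_RANK = {"Disallowed": 1, "Unrestricted": 0}  # higher wins a tie


def expand(rule: str) -> str:
    """Substitute %registry key% tokens, lower-case, drop a trailing backslash."""
    for token, value in REGISTRY_PATHS.items():
        rule = rule.replace(token, value)
    return rule.lower().rstrip("\\")


def _glob_to_regex(pattern: str) -> str:
    """Translate SRP wildcards; '*' and '?' stop at a path separator."""
    parts = []
    for ch in pattern:
        parts.append(r"[^\\]*" if ch == "*" else r"[^\\]" if ch == "?" else re.escape(ch))
    return "".join(parts)


def rule_matches(rule: str, path: str) -> bool:
    r, p = expand(rule), path.lower().rstrip("\\")
    if "\\" not in r:                      # bare file name or pattern
        return re.fullmatch(_glob_to_regex(r), p.rsplit("\\", 1)[-1]) is not None
    if not any(c in r for c in "*?"):      # plain folder or file path: covers the subtree
        return p == r or p.startswith(r + "\\")
    regex = _glob_to_regex(r)              # wildcard path: exact match or subtree
    return re.fullmatch(regex, p) is not None or re.match(regex + r"\\", p) is not None


def specificity(rule: str) -> Tuple[int, int]:
    """Rank used for precedence; larger tuples are more specific."""
    r = expand(rule)
    wild = any(c in r for c in "*?")
    names_file = "." in r.rsplit("\\", 1)[-1]   # assumption: an extension means a file
    depth = r.count("\\")
    if not wild and names_file:
        return (4, depth)                  # explicit file, e.g. Logon.bat
    if wild and "\\" in r and names_file:
        return (3, depth)                  # folder\*.exe
    if wild and "\\" not in r:
        return (2, depth)                  # *.vbs
    return (1, depth)                      # folder rule


def evaluate(path: str, rules=PATH_RULES, default=DEFAULT_LEVEL) -> Tuple[str, Optional[str]]:
    """Return (security level, rule that decided it); None means the default rule applied."""
    hits = [(specificity(rule), LEVEL_RANK[level], rule, level)
            for rule, level in rules if rule_matches(rule, path)]
    if not hits:
        return default, None
    hits.sort(reverse=True)                # most specific first, Disallowed first on a tie
    _, _, rule, level = hits[0]
    return level, rule


if __name__ == "__main__":
    for sample in [r"C:\WINDOWS\notepad.exe", r"C:\WINDOWS\Temp\setup.exe",
                   r"C:\Program Files\macro.vbs", r"\\dc1\netlogon\Logon.bat",
                   r"D:\Tools\tool.exe"]:
        level, rule = evaluate(sample)
        print(f"{sample:34} -> {level:12} ({rule or 'default rule'})")
```

Run as a script it prints one line per sample path. The third sample shows the precedence point of the design: a .vbs file under Program Files is still Disallowed because the *.vbs rule is more specific than the folder rule. The second shows the other side of the same behavior: a folder rule such as the SystemRoot entry covers every subfolder, so the paths that ordinary users can write to beneath it are worth evaluating as part of the Step 6 test plan.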

Table 6.8: Enforcement on Files and Users

Enforcement Options | Recommendation
Apply software restriction policies to the following: | All software files except DLLs.
Apply software restriction policies to the following users: | All users except local administrators.

Table 6.9: Designated File Types

Designated File Types | Recommendation
Designated file types properties | Remove the .mdb and .lnk file types and add .ocx.

Table 6.10: Trusted Publishers

Trusted Publishers | Recommendation
Allow the following user groups to select trusted publishers: | Local Computer Administrators
Determine if the certificate is revoked. | Select the Publisher option.

Summary

Software restriction policy provides administrators with a policy-driven mechanism to identify and control software on computers running Windows XP Professional. You can create policies to block malicious scripts, further lock down computers in your environment, or prevent applications from running. In an enterprise, it is a best practice to manage software restriction policy using Group Policy objects (GPOs), and then tailor each policy you create to meet the needs of the different user groups and computers in your organization. Microsoft recommends not attempting to manage user groups in a stand-alone environment. Correctly applied, software restriction policy will improve the integrity and manageability of the operating systems on the computers in your organization, and ultimately lower the cost of owning and maintaining them.

More Information

The following information sources were the latest available on topics closely related to software restriction policy for Windows XP Professional and Windows Server 2003 at the time Windows Server 2003 was released to the public.

For more information on software restriction policy, see "Using Software Restriction Policies to Protect Against Unauthorized Software," at: http://www.microsoft.com/windowsxp/pro/techinfo/administration/restrictionpolicies/default.asp.
For more information on security services, see the "Technical Overview of Windows Server 2003 Security Services," at: http://www.microsoft.com/windows.netserver/techinfo/overview/security.mspx.
For more information on Group Policy, see "Windows 2000 Group Policy," at: http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp.
For more information on securing mobile computers, see "Securing Mobile Computers with Windows XP Professional," at: http://www.microsoft.com/windowsxp/pro/techinfo/administration/mobile/default.asp.


7 Conclusion

Congratulations. Now that you have finished this guide, you should have a clearer understanding of how to assess risks that may impact the security of the computers running Microsoft® Windows® XP Professional in your organization. You have gained an understanding of how to plan for, and design, security into your infrastructure clients where possible. This guide included prescriptive information that may be applied to any organization. The guide includes material collected from consultants and systems engineers working in the field who have implemented Windows XP, Microsoft Windows Server™ 2003, and Windows 2000 solutions in a variety of corporate settings, to provide you with a current set of best practices for performing these complex tasks. Regardless of your organization's environment, security should be taken very seriously. However, many organizations still place little emphasis on security, mistakenly viewing it as something that restricts the agility and flexibility of their enterprise. When well-designed security becomes a core business requirement, and planning accounts for it at the start of every information technology (IT) project, a properly implemented security strategy can help to improve the availability and performance of your computer systems. Conversely, when security is added to a project as an afterthought, it can have a negative effect on usability, stability, and management flexibility — all important reasons why every organization should make security a top priority.

Securing the Client

Windows XP Professional offers a complete set of security solutions to safeguard against threats to desktop and laptop computers. Although users whose computers are not joined to a domain have fewer security options, both users who are connected to the domain and those who are not benefit from secure access to their computers while working on the network or offline.

Enterprise

When your computer is part of a corporate network, it is possible that the network administrator will configure your computer using the Group Policy security features detailed in this guide. The Group Policy settings your network administrator applies take precedence over any Group Policy settings users configure on their computers. In this way, administrators can manage many different environments for clients using Group Policy from the Microsoft Active Directory®.

High Security

The high security environment addresses the issues of access, services, and infrastructure environment at a higher level. Along with elevated security controls and user authentication, administrators are allowed to have tighter control of access to resources or objects on the network and the client workstation. The administrator has to manage the environment much more closely to be able to keep data and resources secure.

Stand-Alone Clients

Even though there are fewer security settings available for stand-alone clients than for those that belong to an Active Directory domain, the key security features are available for these computers as well. Properly configuring these settings on stand-alone computers will help to decrease the risk of vulnerabilities being exploited. The stand-alone environment imposes more administrative overhead because these computers cannot be managed via domain-based group policies. However, using the tools detailed in this guide will help to reduce that administrative overhead.

Software Restriction Policy

Software restriction policies provide administrators with a policy-driven mechanism to identify software running on clients in a domain or stand-alone environment and control its ability to execute. Software restriction policies can be used to block malicious scripts or code or to prevent unwanted applications from running. Software restriction policies can also be configured for stand-alone systems or managed through domain-based Group Policy, and they promote improved system integrity and manageability.

Summary

This guide explained how to effectively assess, prioritize, and mitigate security risks in three distinct environments in which computers are running Windows XP. This guide has documented methods for planning and designing security for your organization's network infrastructure, and provided detailed guidance on how to assess and mitigate specific vulnerabilities present in Windows XP. The logic behind these choices was explained in terms of the trade-offs involved in deciding whether to implement the different countermeasures for the three environments. Details were provided on how specific countermeasures may impact the functionality, manageability, performance, and reliability of the computers so that you can make informed choices on which countermeasures to implement in your own environment. Finally, it is important to understand that the task of securing the clients on your network is not a one-time project, but rather an ongoing process that organizations must include in their budgets and schedules. Implementing every countermeasure discussed in this guide will improve the security in the majority of organizations operating Windows XP Professional. However, when the next serious vulnerability is discovered, these environments may again be quite susceptible to attack. For these reasons, it is critical to monitor a variety of resources to stay current on security issues related to the operating systems, applications, and devices present in your environment. Every member of the team that produced this guide hopes that you found the material covered in it useful, informative, and easy to understand.

More Information

The following information sources were the latest available on topics closely related to securing Windows XP at the time this guide was released to the public.
For links to common questions and answers, instructions, the latest downloads, and more, see the Windows XP Support Center, at: http://support.microsoft.com/default.aspx?scid=fh;en-us;winxp.
For information on Maintaining Security with Windows XP, see: http://www.microsoft.com/windowsxp/security/default.asp.
For information on Security in TechNet, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp.
For information on What's New in Security for Windows XP Professional, see: http://www.microsoft.com/windowsxp/pro/techinfo/planning/security/whatsnew/default.asp.
For how-to information on Windows XP Professional, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/howto/winxphow.asp?frame=true.
For how-to information on Data Protection and Encrypting File System (EFS), see: http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp.

Appendix A Additional Guidance for Windows XP Service Pack 2

This appendix discusses the changes to security guidance based on the release of Microsoft® Windows® XP Service Pack 2 (SP2) for Windows XP. You should already be familiar with the preceding sections of the Windows XP Security Guide before reviewing this appendix. It is intended to supplement those sections and describes only the configuration changes that are specific to SP2. You should not consider this appendix a self-contained document.

Overview of Windows XP SP2

Windows XP SP2 contains the latest collection of updates for Windows XP. These updates help improve the security, reliability, and compatibility of the operating system by introducing a set of security technologies that will help improve Windows XP-based computers' ability to withstand malicious attacks from viruses and worms. These technologies include:

● Network protection
● Memory protection
● Improved e-mail security
● Safer browsing
● Improved computer maintenance

SP2 includes numerous improvements that are related to the manageability of security services. These improvements allow administrators to implement more specific security settings across users and computers. A major change in SP2 is the shift to being more secure by default. Most of the security changes are implemented by default, and do not require configuration changes. Although many of these improvements result in compatibility challenges, the overall improvement in operating system security usually makes up for any such challenges. For more information about the extensive changes in SP2, see "Changes to Functionality in Microsoft Windows XP Service Pack 2" at www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx.

Changes to Security Settings The extensive policy and settings changes made in Windows XP SP2 are primarily confined to the Administrative Templates portion of Group Policy. As a result, there are no recommended changes to the Security Settings provided in this appendix.

Changes to Administrative Templates Extensive changes were made to the Administrative Templates in Windows XP SP 2. Hundreds of new settings allow you to implement more precise control of user experience and your security environment. Most of this appendix provides details on the new settings in Administrative Templates that will help you provide stronger security in your environment.

Note: At the time of this writing, the settings described in this appendix have no effect on any operating system other than Windows XP SP2. The settings do not affect Windows XP Service Pack 1 and previous operating system versions.

New Administrative Templates Additional security settings are available in Unicode-based files called Administrative Templates. These files contain registry settings that affect Windows XP and its components. New Administrative Templates are included in Windows XP SP2. These new templates require you to use a computer running Windows XP SP2 when managing GPOs. Older versions of the Group Policy Object Editor (Gpedit.exe) do not support the new Administrative Templates. Modifications to new or existing GPOs must be performed using a computer running Windows XP SP2. For information on using other operating systems to manage GPOs, see Microsoft Knowledge Base Article 842933 at http://support.microsoft.com/?kbid=842933. The settings in the new Administrative Templates only affect computers running Windows XP SP2; Windows XP SP1 and previous operating system versions will ignore the new settings. This approach allows you to implement GPOs using the same OU structure described in Chapter 2 of the Windows XP Security Guide to enhance the security of all computers running Windows XP in your environment.

Computer Configuration Settings

The following sections discuss the settings prescribed under Computer Configuration in the Group Policy Object Editor. Configure these settings at the following location:

Computer Configuration\Administrative Templates

Apply these settings through a GPO linked to an OU that contains the computer accounts in your environment. Link the laptop settings in the GPO to the laptop OU, and the desktop settings in the GPO to the desktop OU, as described in Chapter 2 of the Windows XP Security Guide.

Internet Explorer

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer

Turn off Crash Detection

Table A.1: Crash Detection Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Recommended | Recommended | Enabled | Enabled

The Turn off Crash Detection policy setting allows you to manage the crash detection feature of add-on management in Internet Explorer. If you enable this policy setting, a crash in Internet Explorer will be similar to one on a computer running Windows XP Professional Service Pack 1 and earlier: will be invoked. If you disable this policy setting, the crash detection feature in add-on management will be functional. Because Internet Explorer crash report information could contain sensitive information from the computer's memory, this appendix recommends you configure this option to Enabled unless you are experiencing frequent repeated crashes and need to report them for follow-up troubleshooting. In those cases you could temporarily configure the setting to Disabled.

Do not allow users to enable or disable add-ons

Table A.2: Enable or Disable Add-ons Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled | Enabled | Enabled | Enabled

The Do not allow users to enable or disable add-ons policy setting allows you to manage whether users have the ability to allow or deny add-ons through Manage Add-ons. If you configure this policy setting to Enabled, users cannot enable or disable add-ons through Manage Add-ons. The only exception is if an add-on has been specifically entered into the Add-On List policy setting in a way that allows users to continue to manage the add-on. In such a case, the user can still manage the add-on through Manage Add-ons. If you configure this policy setting to Disabled, the user will be able to enable or disable add-ons.

Note: For more information on managing Internet Explorer add-ons in Windows XP SP2, see KB article 883256, "How to manage Internet Explorer add-ons in Windows XP Service Pack 2" at http://support.microsoft.com/?kbid=883256.

Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network. Therefore, this appendix recommends you configure this policy as Enabled.

Note: You should review the GPO settings in Internet Explorer\Security Features\Add-on Management to ensure that appropriate authorized add-ons can still run in your environment.

Internet Control Panel\Security Page

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

SP2 introduces several new policy settings that assist you with securing Internet Explorer zone configuration across your environment. SP2 configures computers with default values for these settings that enhance security. However, you might want to review these settings and configure these policies either to enforce them or to relax them across your environment for usability or application compatibility. For example, SP2 configures Internet Explorer to block pop-ups for all Internet zones by default. You might want to ensure this setting is enforced on all computers in your environment to eliminate nagging pop-up windows and to reduce the possibility of malicious software and spyware installations that are often spawned from Internet Web sites. Conversely, your environment might contain applications that require the use of pop-ups to function. If this were the case, you could configure this policy to allow pop-ups for Web sites within your intranet.

Internet Control Panel\Advanced Page

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

Allow software to run or install even if the signature is invalid

Table A.3: Allow Software to Run Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled | Disabled | Disabled | Disabled

Microsoft ActiveX® controls and file downloads often have digital signatures attached that vouch for both the file's integrity and the identity of the signer (creator) of the software. Such signatures help ensure that unmodified software is downloaded and that you can positively identify the signer to determine whether you trust them enough to run their software. The Allow software to run or install even if the signature is invalid policy setting allows you to manage whether downloaded software can be installed or run by users even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. If you enable this policy setting, users will be prompted to install or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with an invalid signature. Because unsigned software can create a security vulnerability, this appendix recommends that you block such software by configuring the setting as Disabled.

Note: Some legitimate software and controls may have an invalid signature and still be OK. You should carefully test such software in isolation before allowing its use on your organization's network.

Security Features\MK Protocol Security Restriction

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction

Internet Explorer Processes (MK Protocol)

Table A.4: MK Protocol Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled | Enabled | Enabled | Enabled

The MK Protocol Security Restriction policy setting reduces attack surface area by blocking the seldom-used MK protocol. Some older Web applications use the MK protocol to retrieve information from compressed files. Setting this policy to Enabled blocks the MK protocol for Windows Explorer and Internet Explorer, which causes resources that use the MK protocol to fail. Disabling this setting allows applications to use the MK protocol API. Because the MK protocol is not widely used, it should be blocked wherever it is not needed. This appendix recommends you configure this setting to Enabled to block the MK protocol unless you specifically need it in your environment.

Note: Because resources that use the MK protocol will fail when you deploy this setting, you should ensure that none of your applications use the MK protocol.

Security Features\Consistent MIME Handling

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent MIME Handling

Internet Explorer Processes (Consistent MIME Handling)

Table A.5: Consistent MIME Handling Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled | Enabled | Enabled | Enabled

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. The Consistent MIME Handling\Internet Explorer Processes policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME data indicates that the file is really an executable file, Internet Explorer changes its extension to reflect this executable status. This capability helps ensure that executable code cannot masquerade as other types of data that may be trusted. If you enable this policy setting, Internet Explorer examines all received files and enforces consistent MIME data for them. If you disable or do not configure this policy setting, Internet Explorer does not require consistent MIME data for all received files and will use the MIME data provided by the file. MIME file-type spoofing is a potential threat to your organization. Ensuring that these files are consistent and properly labeled helps prevent malicious file downloads from infecting your network. Therefore, this appendix recommends you configure this policy as Enabled for all environments specified in this guide.

Note: This setting works in conjunction with, but does not replace, the MIME Sniffing Safety Features settings.

Security Features\MIME Sniffing Safety Features

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MIME Sniffing Safety Features

Internet Explorer Processes (MIME Sniffing)

Table A.6: MIME Sniffing Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled | Enabled | Enabled | Enabled

MIME sniffing is the process of examining the content of a MIME file to determine its context — whether it is a data file, an executable file, or some other type of file. This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. When set to Enabled, MIME sniffing will never promote a file of one type to a more dangerous file type. Disabling MIME sniffing configures Internet Explorer processes to allow a MIME sniff that promotes a file of one type to a more dangerous file type. For example, promoting a text file to an executable file is a dangerous promotion because any code in the supposed text file would be executed. MIME file-type spoofing is a potential threat to your organization. Ensuring that these files are consistently handled helps prevent malicious file downloads from infecting your network. Therefore, this appendix recommends you configure this policy as Enabled for all environments specified in this guide.

Note: This setting works in conjunction with, but does not replace, the Consistent MIME Handling settings.

Security Features\Scripted Window Security Restrictions

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions

Internet Explorer Processes (Scripted Window Security Restrictions)

Table A.7: Scripted Window Restrictions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled | Enabled | Enabled | Enabled

Internet Explorer allows scripts to programmatically open, resize, and reposition various types of windows. Often, disreputable Web sites will resize windows to either hide other windows or force you to interact with a window that contains malicious code. The Scripted Window Security Restrictions security feature restricts pop-up windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or hide other windows’ title and status bars. If you enable the Scripted Window Security Restrictions\Internet Explorer Processes policy setting, pop-up windows and other restrictions apply for Windows Explorer and Internet Explorer processes. If you disable or do not configure this policy setting, scripts can continue to create pop-up windows and windows that hide other windows. This appendix recommends you configure this setting to Enabled to help prevent malicious Web sites from controlling your Internet Explorer windows or fooling users into clicking on the wrong window.

Security Features\Protection From Zone Elevation

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation

Internet Explorer Processes (Zone Elevation Protection)

Table A.8: Zone Elevation Protection Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled | Enabled | Enabled | Enabled

Internet Explorer places restrictions on each Web page it opens that are dependent upon the location of the Web page (such as Internet zone, Intranet zone, or Local Machine zone). Web pages on a local computer have the fewest security restrictions and reside in the Local Machine zone, which makes the Local Machine security zone a prime target for malicious attackers. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. This approach stops content running in one zone from gaining the elevated privileges of another zone. If you disable this policy setting, no zone receives such protection for Internet Explorer processes. Because of the severity and relative frequency of zone elevation attacks, this appendix recommends that you configure this setting as Enabled in all environments.

Security Features\Restrict ActiveX Install

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install

Internet Explorer Processes (Restrict ActiveX Install)

Table A.9: Restrict ActiveX Install Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Recommended | Recommended | Recommended | Recommended

The Restrict ActiveX Install\Internet Explorer Processes policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. If you disable this policy setting, prompting for ActiveX control installations will not be blocked. Users often choose to install software such as ActiveX controls that are not permitted by company security policy. Such software can pose significant security and privacy risks to your network. Therefore, this appendix recommends you configure this policy as Enabled.


Note: This setting also blocks users from installing authorized, legitimate ActiveX controls, which will interfere with important system components such as Windows Update. If you enable this setting, make sure to implement Software Update Services (SUS) or some alternate method of deploying security updates. For more information on SUS, see the Software Update Services page (which also includes information about Windows Update Services, the successor to SUS) at www.microsoft.com/windowsserversystem/sus/default.mspx.

Security Features\Restrict File Download

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download

Internet Explorer Processes (Restrict File Download)

Table A.10: Restrict File Download Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled | Enabled | Enabled | Enabled

In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on users' hard drives if they click the wrong button and accept the download. If you configure the Restrict File Download\Internet Explorer Processes policy setting to Enabled, file download prompts that are not user-initiated are blocked for Internet Explorer processes. If you configure this policy setting as Disabled, prompting will occur for file downloads that are not user-initiated for Internet Explorer processes.

Note: This setting is configured as Enabled in all environments specified in this guide to help prevent attackers from placing arbitrary code on users' computers.
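To confirm that the Restrict ActiveX Install and Restrict File Download restrictions for Internet Explorer processes are actually in force on a computer, the following PowerShell script (an added example, not part of this guide) reads the Internet Explorer Feature Control keys. It assumes that each policy is stored as per-process DWORD values named iexplore.exe and explorer.exe under FEATURE_RESTRICT_ACTIVEXINSTALL and FEATURE_RESTRICT_FILEDOWNLOAD, and that the Group Policy copy under HKLM\SOFTWARE\Policies takes precedence over the local key; those key and value names are assumptions to confirm against inetres.adm. The script targets PowerShell 2.0 or later.

```powershell
# Added audit example; not part of the Windows XP Security Guide.
# Assumption: the "Internet Explorer Processes" policies for Restrict ActiveX Install
# and Restrict File Download are stored as per-process DWORD values (1 = restricted)
# named after the process (iexplore.exe, explorer.exe) under the Feature Control keys
# below. Confirm the key names against inetres.adm before relying on this audit.
$features = @{
    'Restrict ActiveX Install' = 'FEATURE_RESTRICT_ACTIVEXINSTALL'
    'Restrict File Download'   = 'FEATURE_RESTRICT_FILEDOWNLOAD'
}
# Group Policy values take precedence over the locally configured defaults.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl'
)
$processes = @('iexplore.exe', 'explorer.exe')

function Get-FeatureControlState {
    param([string]$Feature, [string]$Process)
    foreach ($root in $roots) {
        $key = Join-Path $root $Feature
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item -ne $null -and $item.PSObject.Properties[$Process] -ne $null) {
            return [int]$item.$Process       # first hit wins (policy before local)
        }
    }
    return $null                             # not configured anywhere
}

function Get-FeatureControlReport {
    foreach ($name in $features.Keys) {
        foreach ($proc in $processes) {
            $state = Get-FeatureControlState -Feature $features[$name] -Process $proc
            $verdict = if ($state -eq 1) { 'restricted (matches guide)' }
                       elseif ($state -eq 0) { 'NOT restricted' }
                       else { 'not configured' }
            New-Object PSObject -Property @{ Setting = $name; Process = $proc; Verdict = $verdict }
        }
    }
}

Get-FeatureControlReport | Format-Table Setting, Process, Verdict -AutoSize
```

A "not configured" result for explorer.exe while iexplore.exe is restricted usually means the setting was applied locally rather than through the Internet Explorer Processes policy; either way, the report shows which processes still prompt for ActiveX installation or non-user-initiated downloads.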

Security Features\Add-on Management

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management

Deny all add-ons unless specifically allowed in the Add-on List

Table A.11: Deny All Add-ons Unless Specifically Allowed Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Recommended               | Recommended              | Recommended           | Recommended

This policy setting, along with the Add-on List policy, allows you to control Internet Explorer add-ons. By default, the Add-on List policy setting defines a list of add-ons to be allowed or denied through Group Policy. The Deny all add-ons unless specifically allowed in the Add-on List policy setting ensures that all add-ons are assumed to be denied unless they are specifically listed in the Add-on List policy setting. If you enable this policy setting, Internet Explorer only allows add-ons that are specifically listed (and allowed) through the Add-on List policy setting. If you disable this policy setting, users may use Add-on Manager to allow or deny any add-ons. You should consider using both the Deny all add-ons unless specifically allowed in the Add-on List and the Add-on List settings to control the add-ons that can be used in your environment. This approach will help ensure that only authorized add-ons are used.

Add-on List

Table A.12: Add-on List Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Recommended               | Recommended              | Recommended           | Recommended

This policy setting, along with the Deny all add-ons unless specifically allowed in the Add-on List policy, allows you to control Internet Explorer add-ons. By default, the Add-on List policy setting defines a list of add-ons to be allowed or denied through Group Policy. The Deny all add-ons unless specifically allowed in the Add-on List policy setting ensures that all add-ons are assumed to be denied unless they are specifically listed in the Add-on List policy setting. Enabling this policy setting requires you to enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, you must provide the following information:

● Name of the Value. The CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets; for example, {00000000-0000-0000-0000-000000000000}. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.

● Value. A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. The following values are valid:

Table A.13: Add-on List Setting Values

Value | Description
0     | Deny this add-on
1     | Allow this add-on
2     | Allow this add-on and permit the user to manage it through Manage Add-ons

If you disable this policy setting, the list is deleted. You should consider using both the Deny all add-ons unless specifically allowed in the Add-on List and the Add-on List settings to control the add-ons that can be used in your environment. This approach will help ensure that only authorized add-ons are used.
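The following PowerShell script is an added example (not part of this guide) that builds an Add-on List entry the way Table A.13 describes it and turns on the deny-by-default behavior, validating the CLSID format first so that a mistyped identifier is not silently written and ignored. It assumes that the Add-on List policy stores one REG_SZ value per CLSID under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID and that Deny all add-ons unless specifically allowed in the Add-on List is the DWORD RestrictToList under the parent key; the sample CLSID is a constructed placeholder, and the key and value names are assumptions to confirm against inetres.adm. Writing to HKLM requires an administrative session.

```powershell
# Added example; not part of the Windows XP Security Guide.
# Assumption: the Add-on List policy stores one REG_SZ value per CLSID under the
# CLSID key below (data "0", "1" or "2" as in Table A.13), and "Deny all add-ons
# unless specifically allowed in the Add-on List" is the DWORD RestrictToList = 1
# one level up. Writing to HKLM requires an administrative session.
$extKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
$listKey = Join-Path $extKey 'CLSID'

# Values from Table A.13.
$AddonDeny       = 0
$AddonAllow      = 1
$AddonUserManage = 2

function Test-Clsid {
    param([string]$Clsid)
    # A CLSID is 8-4-4-4-12 hexadecimal digits in braces; a malformed name is silently ignored by the policy.
    return ($Clsid -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
}

function Set-AddonListEntry {
    param([string]$Clsid, [int]$Value)
    if (-not (Test-Clsid $Clsid)) { throw "Malformed CLSID: $Clsid" }
    if ($Value -lt 0 -or $Value -gt 2) { throw "Value must be 0, 1 or 2 (Table A.13): $Value" }
    if (-not (Test-Path $listKey)) { New-Item -Path $listKey -Force | Out-Null }
    New-ItemProperty -Path $listKey -Name $Clsid -Value "$Value" -PropertyType String -Force | Out-Null
}

function Enable-AddonRestrictToList {
    if (-not (Test-Path $extKey)) { New-Item -Path $extKey -Force | Out-Null }
    New-ItemProperty -Path $extKey -Name 'RestrictToList' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-AddonList {
    # Reads the effective list back, so you can confirm that an approved add-on is present and allowed.
    if (-not (Test-Path $listKey)) { return }
    $labels = @('Deny', 'Allow', 'Allow, user may manage')
    (Get-ItemProperty -Path $listKey).PSObject.Properties |
        Where-Object { Test-Clsid $_.Name } |
        ForEach-Object {
            $v = if ($_.Value -match '^\d+$') { [int]$_.Value } else { -1 }
            $meaning = if ($v -ge 0 -and $v -le 2) { $labels[$v] } else { 'Invalid value' }
            New-Object PSObject -Property @{ CLSID = $_.Name; Value = $_.Value; Meaning = $meaning }
        }
}

# Constructed sample: a placeholder CLSID standing in for an approved in-house add-on.
$approvedClsid = '{01234567-89AB-CDEF-0123-456789ABCDEF}'
Enable-AddonRestrictToList
Set-AddonListEntry -Clsid $approvedClsid -Value $AddonAllow
Get-AddonList | Format-Table CLSID, Value, Meaning -AutoSize
```

Get-AddonList is also useful on its own when a user reports that a business add-on stopped loading after the policy was applied: if the add-on's CLSID is absent from the output, the deny-by-default rule is the cause rather than the add-on itself.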

Terminal Services\Client

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Administrative Templates\Windows Components\Terminal Services\Client

Do not allow passwords to be saved

Table A.14: Do Not Allow Passwords to be Saved Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Do not allow passwords to be saved setting prevents passwords from being saved on a computer by Terminal Services clients. Enabling this setting disables the password saving checkbox in Terminal Services clients, so users will no longer be able to save passwords. Because the practice of password saving can lead to additional compromise, this setting is configured to Enabled for the environments defined in this guide.

Note: If this setting was previously configured as Disabled or Not Configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server.

Windows Update

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Administrative Templates\Windows Components\Windows Update

Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box

Table A.15: Do Not Display Shut Down Options Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Disabled              | Disabled

The Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. Disabling this policy setting makes the Install Updates and Shut Down option available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu or clicks the Shut Down button in the window that displays after pressing CTRL+ALT+DELETE. Because installing updates is important to the overall security of all computers, this setting is configured to Disabled for all environments defined in this guide. This setting works in conjunction with the following Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box policy setting.

Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box

Table A.16: Do Not Adjust Default Shut Down Options Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Disabled              | Disabled

This Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box policy setting allows you to manage whether the Install Updates and Shut Down option is allowed to be the default choice in the Shut Down Windows dialog. By disabling this policy setting, the Install Updates and Shut Down option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option in the Start menu. Because installing updates is important to the overall security of all computers, this setting is configured to Disabled for all environments defined in this guide.

Note: This policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box policy setting is enabled.

System

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Computer Configuration\Administrative Templates\System

Turn off Windows Update device driver search prompt

Table A.17: Windows Update Device Driver Search Prompt Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Enabled               | Enabled

The Turn off Windows Update device driver search prompt setting controls whether the administrator is prompted to search Windows Update for device drivers using the Internet. If this setting is enabled, administrators will not be prompted to search Windows Update. If this setting is disabled or not configured and Turn off Windows Update device driver searching is disabled or not configured, the administrator will be prompted for consent before searching Windows Update for device drivers. Because there is some risk to downloading any device drivers from the Internet, this appendix recommends configuring the setting to Enabled for high security environments and Disabled for enterprise environments. The reason for this recommendation is that the types of attacks that can exploit a driver download will typically be mitigated by proper enterprise resource management.

Note: This setting is only effective if Turn off Windows Update device driver searching in Administrative Templates/System/Internet Communication Management/Internet Communication settings is disabled or not configured.

System\Error Reporting

Chapter 4 of the Windows XP Security Guide prescribes several settings for configuring error reporting. These settings are the same for computers running Windows XP SP2, but the name of one of the settings has changed. The Report Errors setting described in Table 4.42 is now displayed as Configure Error Reporting. The prescribed settings are the same as the settings described in Chapter 4.

System\Remote Procedure Call

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Administrative Templates\System\Remote Procedure Call

Restrictions for Unauthenticated RPC clients

Table A.18: Unauthenticated RPC Client Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

Enabling the Restrictions for Unauthenticated RPC clients setting configures the RPC Runtime on an RPC server to restrict unauthenticated RPC clients from connecting to RPC servers that are running on a computer. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC interfaces that have specifically asked to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy. Enabling this setting makes the following values available:

● None. This value allows all RPC clients to connect to RPC servers running on the computer on which the policy is applied.

● Authenticated. This value allows only authenticated RPC clients to connect to RPC servers running on the computer on which the policy is applied. Interfaces that have asked to be exempt from this restriction will be granted an exemption.

● Authenticated without exceptions. This value allows only authenticated RPC clients to connect to RPC servers running on the computer on which the policy is applied. No exceptions are allowed.

Because unauthenticated RPC communication can create a security vulnerability, this appendix recommends configuring this setting to Enabled and the RPC Runtime Unauthenticated Client Restriction to Apply value be set to Authenticated for all environments defined in this guide.

Note: RPC applications that do not authenticate unsolicited inbound connection requests may not work properly when this configuration is applied. Ensure you test applications before widely deploying this setting. Although the Authenticated value for this setting is not completely secure, it can be useful for providing application compatibility in your environment.
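The following PowerShell script is an added example (not part of this guide) that reports which of the three restriction levels above is in force on a computer, together with the RPC Endpoint Mapper Client Authentication setting described next. It assumes that Restrictions for Unauthenticated RPC clients is stored as the DWORD RestrictRemoteClients (0 = None, 1 = Authenticated, 2 = Authenticated without exceptions) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc, and that RPC Endpoint Mapper Client Authentication is the DWORD EnableAuthEpResolution in the same key; both names are assumptions to confirm against system.adm.

```powershell
# Added audit example; not part of the Windows XP Security Guide.
# Assumption: "Restrictions for Unauthenticated RPC clients" is stored as the DWORD
# RestrictRemoteClients under the key below (0 = None, 1 = Authenticated,
# 2 = Authenticated without exceptions), and "RPC Endpoint Mapper Client
# Authentication" as the DWORD EnableAuthEpResolution in the same key.
$rpcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'

function Get-RpcPolicyValue {
    param([string]$Name)
    if (-not (Test-Path $rpcKey)) { return $null }
    $item = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.PSObject.Properties[$Name] -ne $null) { return [int]$item.$Name }
    return $null
}

function Get-RpcRestrictionDescription {
    param($Value)
    if ($Value -eq $null) { return 'Not configured: the policy value is absent, so the operating system default applies' }
    switch ([int]$Value) {
        0       { return 'None: all RPC clients may connect' }
        1       { return 'Authenticated: unauthenticated clients are rejected unless the interface asked for an exemption (recommended by the guide)' }
        2       { return 'Authenticated without exceptions: no exemptions are granted' }
        default { return "Unknown value $Value" }
    }
}

function Get-RpcPolicyReport {
    $restrict = Get-RpcPolicyValue 'RestrictRemoteClients'
    $epAuth   = Get-RpcPolicyValue 'EnableAuthEpResolution'
    $epDesc   = if ($epAuth -eq 1) { 'Enabled (high security recommendation)' }
                else { 'Disabled or not configured (enterprise recommendation)' }
    New-Object PSObject -Property @{
        RestrictRemoteClients = $restrict
        Restriction           = (Get-RpcRestrictionDescription $restrict)
        EndpointMapperAuth    = $epDesc
    }
}

Get-RpcPolicyReport | Format-List
# Before rolling out RestrictRemoteClients = 1, test RPC applications that accept
# unsolicited inbound calls without authenticating them, as the guide's note advises.
```

Run the report on a pilot computer before and after applying the policy; an application that breaks only after the value changes from absent to 1 is one of the unauthenticated-client cases the note warns about.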

RPC Endpoint Mapper Client Authentication

Table A.19: Client Authentication Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Enabled               | Enabled

Enabling the RPC Endpoint Mapper Client Authentication setting forces clients that communicate with this computer to provide authentication prior to the RPC communication being established.

System\Internet Communication Management\Internet Communication settings

There are several configuration settings available in the Internet Communication settings group. This appendix recommends that many of these settings be restricted, primarily to help improve the confidentiality of the data on your computer systems. If these settings are not restricted, information could be intercepted and used by attackers. Although the actual occurrence of this type of attack today is rare, configuring these settings properly now helps protect your environment against future attacks.

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Administrative Templates\System\Internet Communication Management\Internet Communication settings

Turn off the Publish to Web task for files and folders

Table A.20: Turn Off the Publish To Web Task Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

This setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the Web. Configuring this setting to Enabled removes these options from the File and Folder tasks in Windows folders.

Turn off Internet download for Web publishing and online ordering wizards

Table A.21: Turn Off Internet Download Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

Configuring the Turn off Internet download for Web publishing and online ordering wizards setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. Enabling this setting prevents Windows from downloading providers; only the service providers that are cached in the local registry will display.

Turn off the Windows Messenger Customer Experience Improvement Program

Table A.22: Turn Off the Windows Messenger Customer Program Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Turn off the Windows Messenger Customer Experience Improvement Program setting specifies whether Windows Messenger collects anonymous information about how the Windows Messenger software and service is used. Configuring this setting to Enabled ensures that Windows Messenger will not collect usage information, and that the user settings to enable the collection of usage information will not display.

Turn off Search Companion content file updates

Table A.23: Turn Off Search Companion Update Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Turn off Search Companion content file updates setting specifies whether Search Companion should automatically download content updates during local and Internet searches. By configuring this setting to Enabled, you prevent Search Companion from downloading content updates during searches.

Note: Internet searches will still send the search text and information about the search to Microsoft and the chosen search provider. Selecting Classic Search will turn off the Search Companion feature completely. You can select Classic Search by clicking Start, Search, Change Preferences, and then clicking Change Internet Search Behavior.

Turn off printing over HTTP

Table A.24: Turn Off HTTP Printing Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

This setting allows you to disable printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. Enabling this setting prevents this client from printing to Internet printers over HTTP. Information transmitted when printing over HTTP is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprises or high security environments. Turning this feature off helps ensure that it does not get used accidentally, which could potentially compromise security with an insecure print job.

Note: This setting affects the client side of Internet printing only. It does not prevent a computer from acting as an Internet Printing server and making its shared printers available via HTTP.

Turn off downloading of print drivers over HTTP

Table A.25: Turn Off HTTP Print Driver Downloads Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Turn off downloading of print drivers over HTTP setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers not available in the standard operating system installation might need to be downloaded over HTTP. This appendix recommends configuring this setting to Enabled to prevent print drivers from being downloaded over HTTP.

Note: This setting does not prevent the client from printing to printers on the intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally.

Turn off Windows Update device driver searching

Table A.26: Turn Off Windows Update Device Driver Search Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Enabled               | Enabled

The Turn off Windows Update device driver searching policy specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present. Because there is some risk to downloading any device drivers from the Internet, this appendix recommends configuring the setting to Enabled for high security environments and Disabled for enterprise environments. The reason for this recommendation is that the types of attacks that can exploit a driver download will typically be mitigated by proper enterprise resource and configuration management.

Note: See also Turn off Windows Update device driver search prompt in Administrative Templates/System, which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver is not found locally.
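The Terminal Services, Windows Update, System and Internet Communication settings above (Tables A.14 to A.17 and A.20 to A.26) are all single-value policies, so one data-driven audit covers them. The following PowerShell script is an added example (not part of this guide) that compares each value on a computer with the state the guide prescribes for the chosen environment. The registry paths and value names (DisablePasswordSaving, NoAUShutdownOption, NoAUAsDefaultShutdownOption, DontPromptForWindowsUpdate, DontSearchWindowsUpdate, NoPublishingWizard, NoWebServices, CEIP, DisableContentFileUpdates, DisableHTTPPrinting and DisableWebPnPDownload) are assumptions about where Group Policy writes these settings and should be confirmed against system.adm and inetres.adm; the expected values are the ones from the tables.

```powershell
# Added audit example; not part of the Windows XP Security Guide.
# Assumption: each policy below is stored by Group Policy as a DWORD at the listed
# key and value name, with 1 = Enabled and 0 = Disabled (Messenger CEIP uses 2 for
# "turned off"). Confirm the names against system.adm and inetres.adm before use.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft'
$exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Expected values per environment, taken from Tables A.14 to A.17 and A.20 to A.26.
$baseline = @(
    @{ Name='Do not allow passwords to be saved (TS client)';                   Path="$pol\Windows NT\Terminal Services"; ValueName='DisablePasswordSaving';        Enterprise=1; HighSecurity=1 },
    @{ Name="Do not display 'Install Updates and Shut Down' option";            Path="$pol\Windows\WindowsUpdate\AU";     ValueName='NoAUShutdownOption';           Enterprise=0; HighSecurity=0 },
    @{ Name="Do not adjust default option to 'Install Updates and Shut Down'";  Path="$pol\Windows\WindowsUpdate\AU";     ValueName='NoAUAsDefaultShutdownOption';  Enterprise=0; HighSecurity=0 },
    @{ Name='Turn off Windows Update device driver search prompt';              Path="$pol\Windows\DriverSearching";      ValueName='DontPromptForWindowsUpdate';   Enterprise=0; HighSecurity=1 },
    @{ Name='Turn off Windows Update device driver searching';                  Path="$pol\Windows\DriverSearching";      ValueName='DontSearchWindowsUpdate';      Enterprise=0; HighSecurity=1 },
    @{ Name='Turn off the Publish to Web task for files and folders';           Path=$exp;                                ValueName='NoPublishingWizard';           Enterprise=1; HighSecurity=1 },
    @{ Name='Turn off Internet download for Web publishing and ordering wizards'; Path=$exp;                              ValueName='NoWebServices';                Enterprise=1; HighSecurity=1 },
    @{ Name='Turn off the Windows Messenger CEIP';                              Path="$pol\Messenger\Client";             ValueName='CEIP';                         Enterprise=2; HighSecurity=2 },
    @{ Name='Turn off Search Companion content file updates';                   Path="$pol\SearchCompanion";              ValueName='DisableContentFileUpdates';    Enterprise=1; HighSecurity=1 },
    @{ Name='Turn off printing over HTTP';                                      Path="$pol\Windows NT\Printers";          ValueName='DisableHTTPPrinting';          Enterprise=1; HighSecurity=1 },
    @{ Name='Turn off downloading of print drivers over HTTP';                  Path="$pol\Windows NT\Printers";          ValueName='DisableWebPnPDownload';        Enterprise=1; HighSecurity=1 }
)

function Test-Sp2PolicyBaseline {
    param([ValidateSet('Enterprise', 'HighSecurity')][string]$Environment = 'Enterprise')
    foreach ($b in $baseline) {
        $expected = $b[$Environment]
        $actual = $null
        if (Test-Path $b.Path) {
            $item = Get-ItemProperty -Path $b.Path -ErrorAction SilentlyContinue
            if ($item -ne $null -and $item.PSObject.Properties[$b.ValueName] -ne $null) {
                $actual = [int]$item.($b.ValueName)
            }
        }
        # MISSING means Group Policy has not written the value at all, so the OS default
        # applies instead of the guide's prescribed state (even for "Disabled" settings).
        $status = if ($actual -eq $null) { 'MISSING' }
                  elseif ($actual -eq $expected) { 'OK' }
                  else { 'DEVIATION' }
        New-Object PSObject -Property @{ Status = $status; Setting = $b.Name; Expected = $expected; Actual = $actual }
    }
}

Test-Sp2PolicyBaseline -Environment 'HighSecurity' | Format-Table Status, Setting, Expected, Actual -AutoSize
```

Because the driver-search settings differ between the enterprise and high security environments, run the check with the -Environment value that matches the computer's role; a MISSING result on a setting the guide prescribes as Disabled still deserves attention, since it means the policy is not being applied rather than that the feature is off.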

Windows Firewall\Domain Profile

The settings in this section configure the Windows Firewall Domain Profile. Windows Firewall can dynamically determine whether or not the computer is in a domain environment and apply a specific firewall configuration based on that determination. This capability allows you to deploy separate firewall settings based on the computer's location. Whenever a domain environment is detected, the Domain Profile is used. You may choose to configure this profile to be less restrictive than the Standard Profile because a domain environment often provides additional layers of protection. Standard Profile configuration information is provided later in this appendix.

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location:

Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile

Windows Firewall: Protect all network connections (Domain Profile)

Table A.27: Domain Profile Protect All Network Connections Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Windows Firewall: Protect all network connections setting turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows XP SP2. This appendix recommends configuring this setting to Enabled to protect all network connections for computers in all environments. If this setting is configured as Disabled, Windows Firewall is turned off and all other settings for Windows Firewall are ignored.

Note: If you enable this policy setting, Windows Firewall runs and ignores the Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network policy setting.

Windows Firewall: Do not allow exceptions (Domain Profile)

Table A.28: Domain Profile Do Not Allow Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Not Recommended           | Not Recommended          | Not Recommended       | Not Recommended

The Windows Firewall: Do not allow exceptions setting specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firewall policy settings that allow such messages. If you enable this policy setting in the Windows Firewall component of Control Panel, the Don't allow exceptions check box is selected and administrators cannot clear it. Many environments contain applications and services that must be allowed to receive inbound unsolicited communications as part of their normal operation. In those cases, you may need to consider configuring this policy to Disabled to allow those applications and services to run properly. However, before making any change to this policy, you should test the environment to determine exactly what to allow and what to disallow.

Note: This setting provides a strong defense against external attackers and should be set to Enabled in situations where you require complete protection from external attacks such as the outbreak of a new network worm. Setting this policy to Disabled allows Windows Firewall to apply other policy settings that allow unsolicited incoming messages.

Windows Firewall: Define program exceptions (Domain Profile)

Table A.29: Domain Profile Define Program Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Recommended               | Recommended              | Recommended           | Recommended

Some applications may need to open and use network ports that are not normally allowed by Windows Firewall. The Windows Firewall: Define program exceptions setting allows you to view and change the program exceptions list defined by Group Policy. Setting this policy to Enabled allows you to view and change the program exceptions list. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port that it asks Windows Firewall to open, even if that port is blocked by another policy setting. If you configure this policy setting as Disabled, the program exceptions list defined by Group Policy is deleted.

Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors. Because the entry is not checked, you can add programs that you have not installed yet. You can also accidentally create multiple exceptions for the same program with conflicting Scope or Status values.
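Because Windows Firewall accepts a program exception definition string without checking it, it is worth validating the list before it goes into Group Policy. The following PowerShell script is an added example (not part of this guide) that parses definition strings, rejects malformed ones, and reports the conflicting duplicate entries the note describes. It assumes that each entry has the form path:scope:status:name, where scope is "*" or a comma-separated list of IPv4 addresses, subnets (a.b.c.d/n or a.b.c.d/mask) and the word LocalSubnet, and status is Enabled or Disabled; that format and the sample entries are constructed for this example and should be checked against the policy's own help text.

```powershell
# Added example; not part of the Windows XP Security Guide.
# Assumption: an entry on the Define program exceptions list has the form
#   <path>:<scope>:<status>:<name>
# where scope is "*" or a comma-separated list of IPv4 addresses, subnets
# (a.b.c.d/n or a.b.c.d/mask) and the word LocalSubnet, and status is Enabled or
# Disabled. Windows Firewall itself does not validate these strings.
function Test-ScopeToken {
    param([string]$Token)
    if ($Token -eq 'LocalSubnet') { return $true }
    $octet = '(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)'
    $ip    = "${octet}(\.${octet}){3}"
    return ($Token -match "^${ip}(/([0-9]|[12][0-9]|3[0-2])|/${ip})?$")
}

function ConvertFrom-ProgramException {
    param([string]$Definition)
    # The path may itself contain a colon (C:\...), so the three rightmost fields are split off.
    $m = [regex]::Match($Definition, '^(?<path>.+):(?<scope>[^:]+):(?<status>[^:]+):(?<name>[^:]*)$')
    if (-not $m.Success) { throw "Malformed definition (expected path:scope:status:name): $Definition" }
    $path   = $m.Groups['path'].Value
    $scope  = $m.Groups['scope'].Value
    $status = $m.Groups['status'].Value
    if ($path -notmatch '\.exe$') { throw "Path does not name an .exe file: $path" }
    if ($status -notmatch '^(Enabled|Disabled)$') { throw "Status must be Enabled or Disabled: $status" }
    if ($scope -ne '*') {
        foreach ($tok in ($scope -split ',')) {
            if (-not (Test-ScopeToken $tok)) { throw "Bad scope token '$tok' in: $Definition" }
        }
    }
    New-Object PSObject -Property @{ Path = $path; Scope = $scope; Status = $status; Name = $m.Groups['name'].Value }
}

function Find-ConflictingExceptions {
    # Flags the same program listed more than once with different Scope or Status values.
    param([string[]]$Definitions)
    $entries = $Definitions | ForEach-Object { ConvertFrom-ProgramException $_ }
    $entries | Group-Object { $_.Path.ToLower() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            "Conflict for $($_.Name): " + (($_.Group | ForEach-Object { "$($_.Scope) / $($_.Status)" }) -join '; ')
        }
}

# Constructed sample list: the first two entries name the same program with different scope and status.
$sample = @(
    'C:\Program Files\Contoso\Agent.exe:10.0.0.0/8,LocalSubnet:Enabled:Contoso Agent',
    'c:\program files\contoso\agent.exe:*:Disabled:Contoso Agent (old entry)',
    '%ProgramFiles%\Messenger\msmsgs.exe:*:Enabled:Windows Messenger'
)
$sample | ForEach-Object { ConvertFrom-ProgramException $_ } | Format-Table Path, Scope, Status, Name -AutoSize
Find-ConflictingExceptions $sample
```

Run the validator over the complete list you intend to deploy; a thrown error points at the exact entry that Windows Firewall would otherwise have added silently, and the conflict report shows where an older entry with a wider scope would undermine a newer, narrower one.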

Windows Firewall: Allow local program exceptions (Domain Profile)

Table A.30: Domain Profile Allow Local Program Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Not Recommended           | Not Recommended          | Disabled              | Disabled

The Windows Firewall: Allow local program exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Disabling this policy setting does not allow administrators to define a local program exceptions list, and ensures that program exceptions only come from Group Policy. Setting this policy to Enabled allows local administrators to use Control Panel to define program exceptions locally. For enterprise client computers, there may be conditions that justify having the client define local program exceptions. These conditions may include applications that were not analyzed when creating the organization's firewall policy or new applications that require nonstandard port configuration. In those cases, you may choose to enable this setting, recognizing that the attack surface of the affected computers is increased.

Windows Firewall: Allow remote administration exception (Domain Profile)

Table A.31: Domain Profile Allow Remote Administration Exception Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Recommended               | Recommended              | Disabled              | Disabled

Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports typically used by remote administration programs; Windows Firewall can block these ports. To provide flexibility for remote administration, the Windows Firewall: Allow remote administration exception setting is available. Configuring this setting to Enabled allows the computer to receive the unsolicited incoming messages associated with remote administration on TCP ports 135 and 445. This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034 but potentially anywhere from 1024 to 65535. Enabling this setting also requires you to specify the IP addresses or subnets from which these incoming messages are allowed. If you configure this policy setting as Disabled, Windows Firewall makes none of the described exceptions. This appendix recommends you enable this setting for enterprise computers if necessary, and to always disable the setting for high security computers. Computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by the Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers used for remote administration.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

Windows Firewall: Allow file and printer sharing exception (Domain Profile)

Table A.32: Domain Profile Allow File and Printer Sharing Exception Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Disabled              | Disabled

This setting allows file and printer sharing by configuring Windows Firewall to open UDP ports 137 and 138 and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from sharing files and printers. Because the computers in your environment running Windows XP will not normally be sharing files and printers, this appendix recommends you configure this setting as Disabled in all environments.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

Windows Firewall: Allow ICMP exceptions (Domain Profile)

Table A.33: Domain Profile Allow ICMP Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Not Recommended           | Not Recommended          | Not Recommended       | Not Recommended

The Windows Firewall: Allow ICMP exceptions setting defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If you set this policy setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you set this policy to Disabled, Windows Firewall blocks all unsolicited incoming ICMP message types and the listed outgoing ICMP message types. As a result, utilities that use the blocked ICMP messages will not be able to send those messages to or from the computer.

Many attacker tools take advantage of computers that accept ICMP message types and use these messages to mount a variety of attacks. However, some applications require some ICMP messages in order to function properly. For that reason, this appendix recommends that you configure this setting to Disabled whenever possible. If your environment requires some ICMP messages to get through Windows Firewall, configure the setting with the appropriate message types.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

Windows Firewall: Allow Remote Desktop exception (Domain Profile)

Table A.34: Domain Profile Allow Remote Desktop Exception Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Recommended               | Recommended              | Recommended           | Recommended

Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have occurred that exploited the ports typically used by Remote Desktop. To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. Enabling this setting configures Windows Firewall to open TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. Some attacks can exploit an open port 3389. To maintain the enhanced management capabilities provided by Remote Desktop, you should configure this setting to Enabled and specify the IP addresses and subnets of the computers used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible.

Windows Firewall: Allow UPnP framework exception (Domain Profile)

Table A.35: Domain Profile Allow UPnP Framework Exception Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Not Recommended           | Not Recommended          | Not Recommended       | Not Recommended

The Windows Firewall: Allow UPnP framework exception setting allows a computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To receive these messages, Windows Firewall opens TCP port 2869 and UDP port 1900.

If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from receiving Plug and Play messages. Blocking UPnP network traffic effectively reduces the attack surface of computers in your environment. This appendix recommends that you configure this setting to Disabled unless you use UPnP devices on your network.

Windows Firewall: Prohibit notifications (Domain Profile)

Table A.36: Domain Profile Prohibit Notifications Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Not Recommended           | Not Recommended          | Not Recommended       | Not Recommended

Windows Firewall can display notifications to users when a program requests that Windows Firewall add the program to the program exceptions list. This situation occurs when programs attempt to open a port and are not allowed to do so based on current Windows Firewall rules. The Windows Firewall: Prohibit notifications setting configures whether these notifications are shown to users. If you set this policy to Enabled, Windows Firewall prevents the display of these notifications. If you set it to Disabled, Windows Firewall allows the display of these notifications. Often users will not be allowed to add applications and ports in response to these messages in enterprise or high security environments. In such cases the message would inform the user of something over which they have no control, so you should set this option to Enabled. In other environments where the user is allowed to add exceptions, you should set this option to Disabled.

Windows Firewall: Prohibit unicast response to multicast or broadcast requests (Domain Profile)

Table A.37: Domain Profile Prohibit Unicast Response Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting prevents a computer from receiving unicast responses to its outgoing multicast or broadcast messages. When this policy setting is enabled and the computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers. When the setting is disabled and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits up to three seconds for unicast responses from the other computers and then blocks all later responses. Typically, you would not want to receive unicast responses to multicast or broadcast messages. Such responses can indicate a denial of service (DoS) attack or an attacker attempting to probe a known live computer. This appendix recommends you configure this policy setting to Enabled to help prevent this type of attack.


Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by the computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts.

Windows Firewall: Define port exceptions (Domain Profile)

Table A.38: Domain Profile Define Port Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Not Recommended           | Not Recommended          | Not Recommended       | Not Recommended

The Windows Firewall port exceptions list should be defined by Group Policy, which allows you to centrally manage and deploy your port exceptions and ensure that local administrators do not create less secure settings. The Windows Firewall: Define port exceptions policy setting allows you to centrally manage these settings. If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy. To view and modify the port exceptions list, configure the policy setting to Enabled and then click the Show button. Note that if you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, which means you can accidentally create multiple entries for the same port with conflicting Scope or Status values. If you disable this policy setting, the port exceptions list defined by Group Policy is deleted but other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local port exceptions policy setting. Environments with nonstandard applications that require specific ports to be open should consider deploying program exceptions. This appendix recommends enabling this setting and specifying a list of port exceptions only when program exceptions cannot be defined. Program exceptions allow the Windows Firewall to accept unsolicited network traffic only while the specified program is running, and port exceptions keep the specified ports open at all times.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

Windows Firewall: Allow local port exceptions (Domain Profile)

Table A.39: Domain Profile Allow Local Port Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Disabled              | Disabled

The Windows Firewall: Allow local port exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall can use two port exceptions lists; the other is defined by the Windows Firewall: Define port exceptions policy setting. If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define such a list. Typically, local administrators are not authorized to override organizational policy and establish their own port exceptions list in enterprise or high security environments. For that reason, this appendix recommends configuring this option as Disabled.

Windows Firewall\Standard Profile

The settings in this section configure the Windows Firewall Standard Profile. Windows Firewall can dynamically determine whether or not the computer is in a domain environment and apply a specific firewall configuration based on that determination. This capability allows you to deploy separate firewall settings based on the computer's location. Whenever a non-domain environment is detected, the Standard Profile is used. This profile is often more restrictive than the Domain Profile, which assumes that a domain environment provides some basic level of security. The Standard Profile is expected to be used when a computer is on an untrusted network, such as a hotel network or a public wireless access point. Such environments pose unknown threats and require additional security precautions. For more information on how Windows XP uses Network Location Awareness (NLA) to determine what kind of network it is connected to, see the article "Network Determination Behavior for Network-Related Group Policy Settings" on the Microsoft Web site at www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx.

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location: Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile

Windows Firewall: Protect all network connections (Standard Profile)

Table A.40: Standard Profile Protect All Network Connections Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Windows Firewall: Protect all network connections setting turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows XP SP2. Because all network connections should be protected by a firewall in all environments, this setting is configured to Enabled. If this setting is configured as Disabled, Windows Firewall is turned off and all other settings for Windows Firewall are ignored.

Note: If you enable this policy setting, Windows Firewall runs and ignores the Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network policy setting.

Windows Firewall: Do not allow exceptions (Standard Profile)

Table A.41: Standard Profile Do Not Allow Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Recommended               | Recommended              | Recommended           | Recommended

The Windows Firewall: Do not allow exceptions setting specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firewall policy settings that allow such messages. If you enable this policy setting, the Don't allow exceptions check box in the Windows Firewall component of Control Panel is selected and administrators cannot clear it.

Note: This setting is a strong defense against external attackers and should be set to Enabled unless you make exceptions in other policy settings. Setting this policy to Disabled allows Windows Firewall to apply other policy settings that allow unsolicited incoming messages.

Windows Firewall: Define program exceptions (Standard Profile)

Table A.42: Standard Profile Define Program Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Recommended               | Recommended              | Recommended           | Recommended

Some applications may need to open and use network ports that are not normally allowed by Windows Firewall. The Windows Firewall: Define program exceptions setting allows you to view and change the program exceptions list defined by Group Policy. Setting this policy to Enabled allows you to view and change the program exceptions list. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port that it asks Windows Firewall to open, even if that port is blocked by another policy setting. If you configure this policy setting as Disabled, the program exceptions list defined by Group Policy is deleted.

Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors. This capability allows you to add programs that you have not installed yet, but you should note that you can accidentally create multiple entries for the same program with conflicting Scope or Status values.

Windows Firewall: Allow local program exceptions (Standard Profile)

Table A.43: Standard Profile Allow Local Program Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Not Recommended           | Not Recommended          | Disabled              | Disabled

The Windows Firewall: Allow local program exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Disabling this policy setting ensures that the Windows Firewall component in Control Panel does not allow administrators to define such a list, and ensures that program exceptions only come from Group Policy. Setting the policy to Enabled allows local administrators to use Control Panel to define program exceptions locally.

Windows Firewall: Allow remote administration exception (Standard Profile)

Table A.44: Standard Profile Allow Remote Administration Exception Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Disabled              | Disabled

Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports typically used by remote administration programs. In response, Windows Firewall can block these ports. To provide flexibility for remote administration, the Windows Firewall: Allow remote administration exception setting is available. Configuring this setting to Enabled allows the computer to receive the unsolicited incoming messages associated with remote administration on TCP ports 135 and 445. This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034 but potentially anywhere from 1024 to 65535. Enabling this setting also requires you to specify the IP addresses or subnets from which these incoming messages are allowed. If you configure this policy setting as Disabled, Windows Firewall makes none of the described exceptions. This appendix recommends you disable this setting for all computers in the Standard Profile to avoid known attacks that specifically use exploits against TCP ports 135 and 445.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

Windows Firewall: Allow file and printer sharing exception (Standard Profile)

Table A.45: Standard Profile Allow File and Printer Sharing Exception Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Disabled              | Disabled

This setting allows file and printer sharing by configuring Windows Firewall to open UDP ports 137 and 138, and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from sharing files and printers. Because the computers in your environment running Windows XP will not normally be sharing files and printers, this appendix recommends you configure this setting as Disabled in all environments.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

Windows Firewall: Allow ICMP exceptions (Standard Profile)

Table A.46: Standard Profile Allow ICMP Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Disabled              | Disabled

The Windows Firewall: Allow ICMP exceptions setting defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers; for example, the Ping utility uses the echo request message. If you set this policy setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you set this policy to Disabled, Windows Firewall blocks all unsolicited incoming ICMP message types and the listed outgoing ICMP message types. As a result, utilities that use the blocked ICMP messages will not be able to send those messages to or from the computer. Many attacker tools take advantage of computers that accept ICMP messages, using them to discover live hosts and to mount a variety of attacks, and only some applications require ICMP messages in order to function properly. For that reason, this appendix recommends that you configure this setting to Disabled whenever possible, and always when the computer is on an untrusted network.


Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
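The sections above describe several rules that interact: a disabled Protect all network connections setting switches everything else off, Do not allow exceptions overrides every exception, a port exception stays open at all times, a program exception opens only the ports a running program listens on, each exception is limited to its scope, and any setting that opens TCP port 445 lets inbound echo requests through regardless of the ICMP setting. The following Python model applies that decision order, for either profile. It is an added example and not code from the guide: the Profile, Packet and listeners structures, the agent.exe program and every address are assumptions made for the example, and setting-driven openings such as file and printer sharing are expressed as port entries.

```python
"""Model of the inbound decision order that the Windows Firewall policy settings
described in this appendix impose. Added example, not Microsoft code: the rules
are the ones the appendix states; profiles, programs and addresses are made up."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PortException:
    port: int
    transport: str          # "TCP" or "UDP"
    scope: list             # "*", "localsubnet", or IPv4 address/subnet strings
    enabled: bool = True
    name: str = ""


@dataclass
class ProgramException:
    program: str            # executable name; the port is whatever it listens on
    scope: list
    enabled: bool = True


@dataclass
class Profile:
    protect_all_connections: bool = True   # Protect all network connections
    do_not_allow_exceptions: bool = False  # Do not allow exceptions
    allow_icmp_echo_request: bool = False  # Allow ICMP exceptions (inbound echo request)
    port_exceptions: list = field(default_factory=list)
    program_exceptions: list = field(default_factory=list)


@dataclass
class Packet:
    src: str
    transport: str          # "TCP", "UDP" or "ICMP"
    dport: int = 0
    icmp_type: str = ""     # e.g. "echo-request"


def file_and_printer_sharing(scope):
    """The ports that the Allow file and printer sharing exception opens."""
    return [PortException(137, "UDP", scope, name="NetBIOS name"),
            PortException(138, "UDP", scope, name="NetBIOS datagram"),
            PortException(139, "TCP", scope, name="NetBIOS session"),
            PortException(445, "TCP", scope, name="SMB")]


def in_scope(scope, src, local_subnet):
    """True if the source address is covered by the exception's scope list."""
    addr = ipaddress.ip_address(src)
    for item in scope:
        if item == "*":
            return True
        if item == "localsubnet":
            if addr in ipaddress.ip_network(local_subnet):
                return True
        elif addr in ipaddress.ip_network(item, strict=False):
            return True
    return False


def opens_tcp_445(profile):
    return any(e.enabled and (e.port, e.transport) == (445, "TCP")
               for e in profile.port_exceptions)


def decide(profile, pkt, listeners, local_subnet):
    """Return (allowed, reason). listeners maps (transport, port) to the program
    currently bound to it, so a program exception only matters while it runs."""
    if not profile.protect_all_connections:
        return True, "firewall off: all other settings are ignored"
    if profile.do_not_allow_exceptions:
        return False, "Do not allow exceptions overrides every other exception"
    if pkt.transport == "ICMP":
        if pkt.icmp_type == "echo-request" and profile.allow_icmp_echo_request:
            return True, "ICMP exception permits echo request"
        if pkt.icmp_type == "echo-request" and opens_tcp_445(profile):
            return True, "TCP 445 is open, so echo request is allowed despite the ICMP setting"
        return False, "unsolicited ICMP blocked"
    for e in profile.port_exceptions:          # open at all times, within scope
        if e.enabled and (e.port, e.transport) == (pkt.dport, pkt.transport) \
                and in_scope(e.scope, pkt.src, local_subnet):
            return True, f"port exception {e.name}: open at all times"
    program = listeners.get((pkt.transport, pkt.dport), "")
    for e in profile.program_exceptions:       # open only while the program runs
        if e.enabled and program.lower() == e.program.lower() \
                and in_scope(e.scope, pkt.src, local_subnet):
            return True, f"program exception {e.program}: open only while it is running"
    return False, "no exception matched"


def recommended_standard_profile(admin_subnet):
    """Standard Profile as this appendix prescribes: Remote Desktop scoped to the
    administration subnet; remote administration, file and printer sharing, UPnP
    and ICMP exceptions all Disabled."""
    return Profile(port_exceptions=[
        PortException(3389, "TCP", [admin_subnet], name="Remote Desktop")])
```

Calling decide() with a packet to TCP 8443 and a listeners table that contains agent.exe on that port returns the program-exception verdict; with an empty listeners table the same packet is blocked, which is the difference between program and port exceptions that the Define port exceptions section describes.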

Windows Firewall: Allow Remote Desktop exception (Standard Profile)

Table A.47: Standard Profile Allow Remote Desktop Exception Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have exploited the ports that Remote Desktop typically uses. To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. Enabling this setting configures Windows Firewall to open TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests; if an administrator then attempts to open the port by adding it to a local port exceptions list, Windows Firewall does not open it. Because an open port 3389 can be attacked, and to retain the management capabilities that Remote Desktop provides, you should configure this setting to Enabled and restrict its scope to the IP addresses and subnets of the computers used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible.

Windows Firewall: Allow UPnP framework exception (Standard Profile)

Table A.48: Standard Profile Allow UPnP Framework Exception Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Disabled              | Disabled

The Windows Firewall: Allow UPnP framework exception setting allows a computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To receive these messages, Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from receiving Plug and Play messages.

Blocking UPnP network traffic effectively reduces a computer's attack surface. This setting should always be Disabled on untrusted networks.

Windows Firewall: Prohibit notifications (Standard Profile)

Table A.49: Standard Profile Prohibit Notifications Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Not Recommended           | Not Recommended          | Not Recommended       | Not Recommended

Windows Firewall can display notifications to users when a program requests that Windows Firewall add the program to the program exceptions list. This situation occurs when programs attempt to open a port and are not allowed to do so based on current Windows Firewall rules. The Windows Firewall: Prohibit notifications setting configures whether these notifications are shown to users. If you set this policy to Enabled, Windows Firewall prevents the display of these notifications. If you set it to Disabled, Windows Firewall allows the display of these notifications. Often users will not be allowed to add applications and ports in response to these messages in enterprise or high security environments. In such cases the message would inform the user of something over which they have no control, so you should set this option to Enabled. In other environments where the user is allowed to add exceptions, you should set this option to Disabled.

Windows Firewall: Prohibit unicast response to multicast or broadcast requests (Standard Profile)

Table A.50: Standard Profile Prohibit Unicast Response Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Enabled                   | Enabled                  | Enabled               | Enabled

The Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting prevents a computer from receiving unicast responses to its outgoing multicast or broadcast messages. When this policy setting is enabled and the computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers. When the setting is disabled and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits as long as three seconds for unicast responses from the other computers and then blocks all later responses. Typically, you would not want unicast responses to multicast or broadcast messages. Such responses can indicate a denial of service (DoS) attack or an attacker attempting to probe a known live computer. This appendix recommends you configure this policy setting to Enabled to help prevent this type of attack.

Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by the computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts.
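The behaviour described in this section and in its Domain Profile counterpart (a three-second window for unicast replies when the setting is Disabled, no replies at all when it is Enabled, DHCP replies always permitted, and NetBIOS name-conflict detection as the casualty) is easier to see as a small stateful filter. The following Python model is an added example, not code from the guide or from Windows; the Datagram structure, the NetBIOS name-query exchange and all addresses are constructed for the example.

```python
"""Stateful model of 'Prohibit unicast response to multicast or broadcast
requests': a unicast reply is accepted only if it answers a broadcast or
multicast this host sent within the last three seconds, never when the setting
is Enabled, and DHCP replies are always accepted. Added example, not Microsoft
code; the packets below are constructed."""
import ipaddress
from dataclasses import dataclass

WINDOW_SECONDS = 3.0


@dataclass
class Datagram:
    src: str
    dst: str
    transport: str   # "UDP" or "TCP"
    sport: int
    dport: int


class UnicastResponseFilter:
    def __init__(self, prohibit, local_subnet):
        self.prohibit = prohibit                        # policy Enabled -> True
        self.local_subnet = ipaddress.ip_network(local_subnet)
        self._sent = {}                                 # (transport, local port) -> time sent

    def _is_broadcast_or_multicast(self, dst):
        addr = ipaddress.ip_address(dst)
        return (addr.is_multicast or dst == "255.255.255.255"
                or addr == self.local_subnet.broadcast_address)

    def outbound(self, d, now):
        """Remember when this host last broadcast or multicast from a given port."""
        if self._is_broadcast_or_multicast(d.dst):
            self._sent[(d.transport, d.sport)] = now

    def inbound(self, d, now):
        """Return (verdict, reason). A verdict of None means the packet is not a
        reply to a broadcast and must be judged by the ordinary exceptions."""
        if d.transport == "UDP" and d.sport == 67 and d.dport == 68:
            return True, "DHCP reply: always permitted by this setting"
        sent = self._sent.get((d.transport, d.dport))
        if sent is None:
            return None, "not a reply to a broadcast or multicast"
        if self.prohibit:
            # This is also what breaks NetBIOS name-conflict detection: the
            # conflict notice is a unicast reply to the broadcast registration.
            return False, "setting Enabled: unicast reply to broadcast blocked"
        if now - sent <= WINDOW_SECONDS:
            return True, "reply within the 3 s window"
        return False, "reply after the 3 s window"


def netbios_name_query_scenario(prohibit):
    """Constructed exchange: a NetBIOS name query broadcast and a DHCP discover,
    then name-query replies at 1 s and 4 s and a DHCP reply. Returns the verdicts
    for (early reply, late reply, DHCP reply)."""
    f = UnicastResponseFilter(prohibit, "10.1.2.0/24")
    f.outbound(Datagram("10.1.2.5", "10.1.2.255", "UDP", 137, 137), now=0.0)
    f.outbound(Datagram("0.0.0.0", "255.255.255.255", "UDP", 68, 67), now=0.5)
    early = f.inbound(Datagram("10.1.2.9", "10.1.2.5", "UDP", 137, 137), now=1.0)[0]
    late = f.inbound(Datagram("10.1.2.9", "10.1.2.5", "UDP", 137, 137), now=4.0)[0]
    dhcp = f.inbound(Datagram("10.1.2.1", "10.1.2.5", "UDP", 67, 68), now=2.0)[0]
    return early, late, dhcp
```

With the setting Disabled the scenario yields (True, False, True): the early name-query reply gets in, the late one does not, and DHCP is untouched. With the setting Enabled it yields (False, False, True), which is the recommended state and the reason the note above warns about NetBIOS name conflicts.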

Windows Firewall: Define port exceptions (Standard Profile)

Table A.51: Standard Profile Define Port Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Not Recommended           | Not Recommended          | Not Recommended       | Not Recommended

The Windows Firewall port exceptions list should be defined by Group Policy, which allows you to centrally manage and deploy your port exceptions and ensure that local administrators do not create less secure settings. The Windows Firewall: Define port exceptions policy setting allows you to centrally manage these settings. If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy. To view and modify the port exceptions list, configure the policy setting to Enabled and then click the Show button. Note that if you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, which means you can accidentally create multiple entries for the same port with conflicting Scope or Status values. If you disable this policy setting, the port exceptions list defined by Group Policy is deleted but other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local port exceptions policy setting. Environments with nonstandard applications that require specific ports to be open should consider deploying program exceptions. This appendix recommends enabling this setting and specifying a list of port exceptions only when program exceptions cannot be defined. Program exceptions allow the Windows Firewall to accept unsolicited network traffic only while the specified program is running, and port exceptions keep the specified ports open at all times.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
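Both Define port exceptions sections and the Define program exceptions section warn that Windows Firewall accepts an invalid definition string without checking it, and that duplicate entries for the same port or program with conflicting Scope or Status values are easy to create. The following Python linter, an added example and not code from the guide, checks a list of definition strings before they go into a GPO. It assumes the syntax the Group Policy editor documents for these lists (Port:Transport:Scope:Status:Name for ports, Path:Scope:Status:Name for programs, with a scope of "*" or a comma-separated list of IPv4 addresses, subnets and the keyword localsubnet); the sample strings and the Contoso paths are constructed.

```python
"""Lint Windows Firewall Group Policy exception definition strings. Added
example, not Microsoft code; sample strings below are constructed.

Port exception syntax:     Port:Transport:Scope:Status:Name
Program exception syntax:  Path:Scope:Status:Name
Scope is "*" or a comma-separated list of IPv4 addresses, subnets written as
a.b.c.d/prefix or a.b.c.d/mask, and the keyword "localsubnet"."""
import ipaddress
from collections import defaultdict

VALID_TRANSPORTS = {"TCP", "UDP"}
VALID_STATUS = {"enabled", "disabled"}


def normalize_scope(scope):
    """Return a canonical scope string; raise ValueError on any malformed token."""
    if scope.strip() == "*":
        return "*"
    tokens = []
    for token in scope.split(","):
        token = token.strip()
        if token.lower() == "localsubnet":
            tokens.append("localsubnet")
        else:
            # ip_network accepts 10.0.0.1, 10.0.0.0/24 and 10.0.0.0/255.255.255.0
            tokens.append(str(ipaddress.ip_network(token, strict=False)))
    return ",".join(sorted(tokens))


def parse_port_exception(definition):
    """Parse "Port:Transport:Scope:Status:Name"; the name may contain colons."""
    parts = definition.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected Port:Transport:Scope:Status:Name, got {definition!r}")
    port, transport, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range in {definition!r}")
    if transport.upper() not in VALID_TRANSPORTS:
        raise ValueError(f"transport must be TCP or UDP in {definition!r}")
    if status.lower() not in VALID_STATUS:
        raise ValueError(f"status must be enabled or disabled in {definition!r}")
    return {"key": (int(port), transport.upper()), "scope": normalize_scope(scope),
            "status": status.lower(), "name": name}


def parse_program_exception(definition):
    """Parse "Path:Scope:Status:Name". The path usually contains a drive colon,
    so the string is split from the right; a name containing ':' is unsupported."""
    parts = definition.rsplit(":", 3)
    if len(parts) != 4 or not parts[0]:
        raise ValueError(f"expected Path:Scope:Status:Name, got {definition!r}")
    path, scope, status, name = parts
    if status.lower() not in VALID_STATUS:
        raise ValueError(f"status must be enabled or disabled in {definition!r}")
    # Paths are compared case-insensitively, as the file system does.
    return {"key": path.lower(), "scope": normalize_scope(scope),
            "status": status.lower(), "name": name}


def lint(definitions, parser):
    """Return (entries, findings): the parsed entries plus one finding per
    malformed string and per key listed more than once (a conflict when the
    copies disagree on Scope or Status, a plain duplicate otherwise)."""
    entries, findings, by_key = [], [], defaultdict(list)
    for definition in definitions:
        try:
            entry = parser(definition)
        except ValueError as exc:
            findings.append(f"malformed: {exc}")
            continue
        entries.append(entry)
        by_key[entry["key"]].append(entry)
    for key, group in by_key.items():
        if len(group) < 2:
            continue
        scopes = sorted({e["scope"] for e in group})
        statuses = sorted({e["status"] for e in group})
        if len(scopes) > 1 or len(statuses) > 1:
            findings.append(f"conflict: {key} defined {len(group)} times with "
                            f"scope {scopes} and status {statuses}")
        else:
            findings.append(f"duplicate: {key} defined {len(group)} times")
    return entries, findings


# Constructed samples: a Show Contents list after a few careless edits.
SAMPLE_PORTS = [
    "3389:TCP:10.1.2.0/24,localsubnet:enabled:Remote Desktop (admin subnet)",
    "3389:TCP:*:enabled:Remote Desktop",                 # same port, wider scope -> conflict
    "445:TCP:10.1.2.0/24:disabled:SMB (kept closed)",
    "70000:TCP:*:enabled:Bogus port",                    # invalid port -> malformed
    "1900:UDP:10.0.0.0/255.255.255.0:enabled:SSDP",      # dotted mask is accepted
]
SAMPLE_PROGRAMS = [
    r"%ProgramFiles%\Contoso\Agent\agent.exe:localsubnet:enabled:Contoso Agent",
    r"C:\Tools\listener.exe:10.0.0.0/8:enabled:Listener",
    r"c:\tools\LISTENER.EXE:10.0.0.0/8:disabled:Listener",  # same program, other status
    r"notepad.exe:enabled:Notepad",                        # scope missing -> malformed
]

if __name__ == "__main__":
    for label, samples, parser in (("ports", SAMPLE_PORTS, parse_port_exception),
                                   ("programs", SAMPLE_PROGRAMS, parse_program_exception)):
        print(label, *lint(samples, parser)[1], sep="\n  ")
```

Running the module prints one malformed and one conflict finding for each sample list. The second Remote Desktop entry is the case the text warns about: two entries for TCP 3389 where one is scoped to the administration subnet and the other is open to any address, so the wider one silently wins.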

Windows Firewall: Allow local port exceptions (Standard Profile)

Table A.52: Standard Profile Allow Local Port Exceptions Settings

Enterprise client desktop | Enterprise client laptop | High security desktop | High security laptop
Disabled                  | Disabled                 | Disabled              | Disabled

The Windows Firewall: Allow local port exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall can use two port exceptions lists; the other is defined by the Windows Firewall: Define port exceptions policy setting. If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define such a list. Typically, local administrators do not have the authority to override organizational policy and establish their own port exceptions list in enterprise or high security environments. For that reason, this appendix recommends configuring this option as Disabled.

User Configuration Settings

The remaining sections of this appendix discuss user configuration settings. Apply these settings through a GPO linked to an OU that contains user accounts.

Note: User configuration settings are applied to any client that a user logs on to in a Microsoft Active Directory® directory service domain. Computer configuration settings apply to all clients governed by a GPO in Active Directory, regardless of which user logs on to the client. For this reason, the tables in this section contain only recommended settings for the Enterprise Client and the High Security environments defined in this guide. There are no laptop or desktop prescriptions for these settings.

Attachment Manager

Use the Group Policy Object Editor to configure the proper Administrative Template. The prescribed settings are found at the following location: User Configuration\Administrative Templates\Windows Components\Attachment Manager

Do not preserve zone information in file attachments

Table A.53: Do Not Preserve Zone Information Settings

Enterprise Client | High Security
Disabled          | Disabled

The Do not preserve zone information in file attachments policy setting allows you to manage whether Windows marks file attachments from Internet Explorer or Outlook Express with information about their zone of origin (such as restricted, Internet, intranet, or local). Because the mark is stored with the file, the files must be downloaded to NTFS disk partitions for this setting to function correctly. If zone information is not preserved, Windows cannot make proper risk assessments based on the zone where the attachment came from. Setting this policy to Enabled stops Windows from marking file attachments with their zone information. Setting it to Disabled forces Windows to store file attachments with their zone information. Because dangerous attachments are often downloaded from untrusted Internet Explorer zones such as the Internet zone, this appendix recommends you configure this setting to Disabled to ensure that as much security information as possible is preserved with each file.

Hide mechanisms to remove zone information

Table A.54: Mechanisms to Remove Zone Information Settings

Enterprise Client | High Security
Enabled           | Enabled

The Hide mechanisms to remove zone information policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file’s Property sheet or by selecting a check box in the Security Warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has prevented users from opening.

Windows hides the check box and Unblock button when this policy setting is Enabled. When the setting is Disabled, Windows displays the check box and the Unblock button. Because dangerous attachments are often downloaded from untrusted Internet Explorer zones such as the Internet zone, this appendix recommends you configure this setting to Enabled to ensure that as much security information as possible is retained with each file.

Note: To configure whether files are saved with zone information, see the previous Do not preserve zone information in file attachments policy setting.
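The two settings above control a mark that the guide does not describe in detail: Windows keeps the zone of origin in an NTFS alternate data stream named Zone.Identifier attached to the downloaded file, which is why zone information needs an NTFS partition, and the Unblock button removes the mark by deleting that stream. The following Python functions, an added example rather than code from the guide or from Windows, write and parse the stream contents and map the ZoneId to its zone name. The stream name, the ZoneTransfer/ZoneId format and the zone numbers are Windows behaviour; the sample contents in the usage are constructed, and read_mark and write_mark only do anything useful on an NTFS volume under Windows.

```python
"""Read and write the Attachment Manager zone-of-origin mark. Windows stores it
in the NTFS alternate data stream <file>:Zone.Identifier as an INI fragment:
[ZoneTransfer]\r\nZoneId=<n>\r\n. Added example, not Microsoft code; sample
contents are constructed."""

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
UNTRUSTED_ZONES = {3, 4}


def build_zone_identifier(zone_id):
    """Stream contents for a file that came from the given zone."""
    if zone_id not in ZONE_NAMES:
        raise ValueError(f"unknown zone {zone_id}")
    return f"[ZoneTransfer]\r\nZoneId={zone_id}\r\n"


def parse_zone_identifier(text):
    """Return the ZoneId from Zone.Identifier contents, or None when there is no
    stream (text is None) or no usable ZoneId under the ZoneTransfer section."""
    if text is None:
        return None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid" and value.strip().isdigit():
                zone = int(value.strip())
                return zone if zone in ZONE_NAMES else None
    return None


def zone_of(text):
    """Human-readable zone for a stream's contents."""
    zone = parse_zone_identifier(text)
    return "no mark" if zone is None else ZONE_NAMES[zone]


def needs_security_warning(text):
    """True when the mark says the file came from the Internet or Restricted
    sites zone. An unmarked file gives Windows nothing to assess, which is the
    risk the Do not preserve zone information setting creates."""
    return parse_zone_identifier(text) in UNTRUSTED_ZONES


def read_mark(path):
    """Windows/NTFS only: return the stream contents, or None if unmarked."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="ascii") as stream:
            return stream.read()
    except OSError:
        return None


def write_mark(path, zone_id):
    """Windows/NTFS only: mark a file as coming from zone_id. On a FAT volume the
    open fails, which is why the setting requires NTFS."""
    with open(path + ":Zone.Identifier", "w", encoding="ascii", newline="") as stream:
        stream.write(build_zone_identifier(zone_id))
```

On a Windows host, write_mark(r"C:\Temp\report.exe", 3) followed by read_mark on the same path round-trips through the real stream and makes Explorer show the Open File security warning for that file; deleting the stream is exactly what the Unblock button that the Hide mechanisms setting conceals does.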

Notify antivirus programs when opening attachments

Table A.55: Notify Antivirus Programs Settings

Enterprise Client | High Security
Enabled           | Enabled

Antivirus programs are becoming mandatory in most environments and are a strong line of defense against current attacks. The Notify antivirus programs when opening attachments policy setting allows you to manage the behavior for notifying registered antivirus programs. When Enabled, this policy setting configures Windows to call the registered antivirus program and have it scan file attachments when they are opened by users. If the antivirus scan fails, the attachments are blocked from being opened. If this policy setting is Disabled, Windows does not call the registered antivirus program when file attachments are opened. To help ensure that virus scanners examine every file before it is opened, this appendix recommends this policy be set to Enabled in all environments.

Note: An updated antivirus program must be installed for this setting to function properly. Many updated antivirus programs use the new application programming interfaces (APIs) that are included with SP2.

Summary

The numerous improvements related to manageability of security services in Windows XP SP2 allow administrators to implement more specific security settings across user and computer bases. This appendix illustrated the most important settings that you should use to improve security in an SP2 environment. Although not all possible settings are described in the appendix, the specified settings are the ones that can have a direct and profound impact on your environment. Remember that SP2 represents a significant change from previous versions of Windows, and there will likely be application compatibility issues in your environment. You should carefully test all recommended settings before you implement them. Although these settings have been exhaustively tested to ensure they work in the specified environments, there is no substitute for testing in your specific environment.
