Introduction

The Microsoft Windows XP Professional operating system includes a variety of technologies that communicate with the Internet to provide increased ease of use and functionality. Browser and e-mail technologies are obvious examples, but there are also technologies such as Automatic Updates that help users obtain the latest software and product information, including bug fixes and security patches. These technologies provide many benefits, but they also involve communication with Internet sites, which administrators might want to control.

Control of this communication can be achieved through a variety of options built into individual components, into the operating system as a whole, and into server components designed for managing configurations across your organization. For example, as an administrator, you can use Group Policy to control the way some components communicate. For some components, you can direct all communication to the organization’s own internal Web site instead of to an external site on the Internet.

This white paper provides information about the communication that flows between components in Windows XP Professional with Service Pack 2 (SP2 or SP3) and sites on the Internet, and describes steps to take to limit, control, or prevent that communication in an organization with many users. The white paper is designed to assist you, the administrator, in planning strategies for deploying and maintaining Windows XP Professional with SP2 or SP3 in a way that helps to provide an appropriate level of security and privacy for your organization’s networked assets.

This white paper provides guidelines for controlling components in the following set of operating systems:

• Windows XP Professional with SP2 or SP3 on user computers. The focus is on the installation or configuration steps needed for these computers.

  Note   This white paper does not cover desktop products other than Windows XP Professional with SP2 or SP3. For example, it does not cover Windows XP Home Edition or Windows XP Media Center Edition.

• Windows Server™ 2003 on servers. The white paper does not focus on these computers, but it provides information for using these servers as part of your deployment or maintenance strategies. For instance, it describes ways of using Group Policy on a server running Windows Server 2003 to control the behavior or configuration of users’ computers running Windows XP with  SP2 or SP3. In many instances, procedures that can be used on a server running Windows Server 2003 can also be used on a server running Windows 2000.

The white paper is organized around individual components found in Windows XP Professional with  SP2 or SP3, so that you can easily find detailed information for any component you are interested in.

This white paper provides links to privacy statements for a number of individual components in Windows XP Professional with SP2 or SP3. You can read the overall privacy statement for Windows XP Professional with SP2 or SP3 on the Microsoft Web site at:

https://go.microsoft.com/fwlink/?LinkId=25243

What This White Paper Covers and What It Does Not Cover

This section describes the following:

• Types of components covered in this white paper

• Types of components not covered in this white paper

• Security basics that are beyond the scope of this white paper, with listings of some other sources of information about these security basics

Types of Components Covered in This White Paper

This white paper provides:

• Information about components that in the normal course of operation send information to or receive information from one or more sites on the Internet. An example of this type of component is Windows Error Reporting. If a user chooses to use this component, it sends information to a site on the Internet.

• Information about components that routinely display buttons or links that make it easy for a user to initiate communication with one or more sites on the Internet. An example of this type of component is Event Viewer. If a user opens an event in Event Viewer and clicks a link, the user is prompted with a message box that says, "Event Viewer will send the following information across the Internet. Is this OK?" If the user clicks OK, information about the event is sent to a Web site, which replies with any additional information that might be available about that event.

• Brief descriptions of components like Microsoft Internet Explorer and Microsoft Outlook® Express that are designed to communicate with the Internet. It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users connect to sites on the Internet, download items from the Internet, send and receive e-mail, and perform similar actions. This white paper does, however, provide basic information about how components such as Internet Explorer and Outlook Express work, and it provides suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.

Types of Components Not Covered in This White Paper

This white paper does not provide:

• Information about managing or working with applications, scripts, utilities, Web interfaces, Microsoft ActiveX® controls, extensible user interfaces, the .NET Framework, and application programming interfaces (APIs). These are either applications, or are layers that support applications, and as such provide extensions that go beyond the operating system itself.

  Windows Installer is not covered in this white paper, although Windows Installer includes some technology that (if you choose) you can use for installing drivers or other software from the Internet. Such Windows Installer packages are not described here because they are like a script or utility that is created specifically for communication across the Internet.

  You must work with your software provider to learn what you can do to mitigate any risks that are part of using particular applications (including Web-based applications), scripts, utilities, and other software that runs on Windows XP with SP2 or SP3.

• Information about components that store local logs that could potentially be sent to someone or could potentially be made available to support personnel. This information is similar to any other type of information that can be sent through e-mail or across the Internet in other ways. You must work with your support staff to provide guidelines about the handling of logs and any other similar information you might want to protect.

Security Basics That are Beyond the Scope of This White Paper

This white paper is designed to assist you, the administrator, in planning strategies for deploying and maintaining Windows XP Professional with SP2 or SP3 in a way that helps provide an appropriate level of security and privacy for your organization’s networked assets. The white paper does not describe security basics, that is, strategies and risk-management methods that provide a foundation for security across your organization. It is assumed you are actively evaluating and studying these security basics as a standard part of network administration.

Some of the security basics that are a standard part of network administration include:

• Monitoring. This includes using a variety of software tools, including tools to assess which ports are open on servers and clients.

• Virus-protection software.

• The principle of least privilege (for example, not logging on as an administrator if logging on as a user is just as effective).

• The principle of running only the services and software that are necessary—that is, stopping unnecessary services and keeping computers (especially servers) free of unnecessary software.

• Strong passwords, that is, requiring all users and administrators to choose passwords that are not easily cracked.

• Risk assessment as a basic element in creating and implementing security plans.

• Software deployment and maintenance routines to help ensure that your organization’s software is running with the latest security updates and patches.

• Defense-in-depth. In this context, defense-in-depth (also referred to as in-depth defense) means redundancy in security systems. An example is using firewall settings together with Group Policy to control a particular type of communication with the Internet.

Other Sources of Information About Security Basics

The following books and Web sites are a few of the many sources of information about the security basics described previously:

• Howard, Michael, et al. Designing Secure Web-Based Applications for Microsoft Windows 2000. Redmond, WA: Microsoft Press, 2000.

• Howard, Michael, and David LeBlanc. Writing Secure Code. Redmond, WA: Microsoft Press, 2002.

• Kaufman, C., R. Perlman, and M. Speciner. Network Security: Private Communication in a Public World. Upper Saddle River, New Jersey: Prentice-Hall Inc., 2002.

• Smith, B., B. Komar, and the Microsoft Security Team. Microsoft® Windows® Security Resource Kit. Redmond, WA: Microsoft Press, 2003.

• For more information, see the Microsoft Press Web site at:

  https://go.microsoft.com/fwlink/?LinkId=29168

• The Security Center on the Microsoft Web site at:

  https://www.microsoft.com/technet/security/default.mspx

• The Prescriptive Architecture Guides on the Microsoft Web site at:

  https://go.microsoft.com/fwlink/?linkid=29413

• The Web page focused on security for Windows on the Microsoft Windows Web site at:

  https://www.microsoft.com/windows/security/

• The Web page focused on security on the Microsoft Developer Network (MSDN®) Web site at:

  https://msdn.microsoft.com/security/

• The Web page focused on security on the Microsoft TechNet Web site at:

  https://www.microsoft.com/technet/security/