Chapter 1: Introduction to the Windows XP Security Guide
Updated: April 13, 2006
Welcome to the Windows XP Security Guide. This guide is designed to provide you with the best information available to assess and counter security risks that are specific to Microsoft® Windows® XP Professional with Service Pack 2 (SP2) in your environment. The chapters in this guide provide detailed information about how to configure enhanced security settings and features in Windows XP wherever possible to address identified threats in your environment. If you are a consultant, designer, or systems engineer who works in a Windows XP environment, this guide was designed with you in mind.
Microsoft engineering teams, consultants, support engineers, partners, and customers have reviewed and approved the information in this guide to make it:
Best practices to secure both client and server computers were developed by consultants and systems engineers who have implemented Windows XP Professional, Microsoft Windows Server™ 2003, and Windows 2000 in a variety of environments, and these best practices are detailed in this guide. Step-by-step security prescriptions, procedures, and recommendations are also provided to help you maximize security for computers in your organization that run Windows XP Professional with SP2.
If you want more in-depth discussion of the concepts behind this material, see Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, the Microsoft Windows XP Resource Kit, the Microsoft Windows Server 2003 Resource Kit, the Microsoft Windows Security Resource Kit, and Microsoft TechNet.
This guide was originally created for Windows XP with SP1. This updated version reflects the significant security enhancements that Windows XP with SP2 provides, and it was developed and tested with computers that run Windows XP Professional with SP2. All references to Windows XP that are made in this guide refer to Windows XP with SP2 unless otherwise stated.
Whatever your environment, you are strongly advised to take security seriously. Many organizations underestimate the value of their information technology (IT) environment, often because they exclude substantial indirect costs. If an attack on the servers in your environment is severe enough, it could significantly damage the entire organization. For example, an attack that makes your Web site unavailable and causes a major loss of revenue or customer confidence might lead to the collapse of your organization’s profitability. When you evaluate security costs, you should include the indirect costs that are associated with any attack in addition to the costs of lost IT functionality.
Vulnerability, risk, and exposure analysis with regard to security informs you of the tradeoffs between security and usability that all computer systems are subject to in a networked environment. This guide documents the major security-related countermeasures that are available in Windows XP with SP2, the vulnerabilities that they address, and the potential negative consequences (if any) of each countermeasure’s implementation.
The guide then provides specific recommendations for hardening computers that run Windows XP with SP2 in three common environments:
This guide is organized for easy accessibility so that you can quickly find the information you need to determine what settings are suitable for your organization's computers that run Windows XP with SP2. Although this guide was designed for the enterprise customer, much of it is appropriate for organizations of any size.
To obtain the most value from this material, you will need to read the entire guide. The team that produced this guide hopes that you will find the material covered in it useful, informative, and interesting. For further information, you can also refer to the companion guide Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available for download at http://go.microsoft.com/fwlink/?LinkId=15159.
Who Should Read This Guide
This guide is primarily intended for consultants, security specialists, systems architects, and IT professionals who plan application or infrastructure development and the deployment of Windows XP workstations in an enterprise environment. This guide is not intended for home users. This guide is designed for individuals whose job roles include the following:
Skills and Readiness
The following knowledge and skills are required for administrators and architects who develop, deploy, and secure Windows XP client computers in an enterprise organization.
Scope of this Guide
This guide focuses on how to create and maintain a secure environment for desktops and laptops that run Windows XP Professional with SP2. The guide explains the different stages of how to secure three different environments and what each setting addresses for desktop and laptop computers that are deployed in each one. Information is provided for Enterprise Client (EC), Stand-Alone (SA), and Specialized Security – Limited Functionality (SSLF) environments.
Settings that are not specifically recommended as part of this guide are not documented. For a thorough discussion of all the security settings in Windows XP, refer to the companion guide Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP at http://go.microsoft.com/fwlink/?LinkId=15159.
The Enterprise Client (EC) environment consists of a Windows 2000 or Windows Server 2003 Active Directory domain. The client computers in this environment will be managed through Group Policy that is applied to sites, domains, and organizational units (OUs). Group Policy provides a centralized method to manage security policy across the environment.
The Stand-Alone Client (SA) environment includes client computers that cannot be joined to a domain or computers that are members of a Windows NT 4.0 domain. These client computers have to be configured through local policy settings. The management of stand-alone computers can be a considerably greater challenge than management of user accounts and policies in an Active Directory–based domain.
Specialized Security – Limited Functionality
The Specialized Security – Limited Functionality (SSLF) environment provides elevated security settings for client computers. When these security policy settings are applied, user functionality may be noticeably reduced because it is limited to only those specific functions that are required for the necessary tasks. Access is limited to approved applications, services, and infrastructure environments. To be clear, security policy settings for the SSLF environment only apply to a few systems at a very small number of organizations, such as military and intelligence agencies. These settings tend to favor security over manageability and usability; they should only be used on computers whose compromise could cause significant financial loss or loss of life. In other words, the SSLF settings are not a good choice for most organizations.
Windows XP with SP2 provides the most dependable version of a Windows client operating system to date, with improved security and privacy features. Overall security has been improved in Windows XP to help ensure your organization can work in a safer and more secure computing environment. The Windows XP Security Guide consists of seven chapters, and chapters two through six discuss the procedures that are required to create such an environment. Each of these chapters builds on an end-to-end process that is designed to secure Windows XP–based computers.
Chapter 1: Introduction to the Windows XP Security Guide
This chapter includes an overview of the guide, descriptions of the intended audience, the problems that are discussed in the guide, and the overall intent of the guide.
Chapter 2: Configuring the Active Directory Domain Infrastructure
You can use Group Policy to manage user and computer environments in Windows Server 2003 and Windows 2000 domains. It is an essential tool for securing Windows XP, and can be used to apply and maintain a consistent security policy across a network from a central location. This chapter discusses the preliminary steps that must be performed in your domain before you apply Group Policy to your Windows XP client computers.
Group Policy settings are stored in Group Policy objects (GPOs) on domain controllers. GPOs are linked to sites, domains, and OUs within the Active Directory structure. Because Group Policy is so closely integrated with Active Directory, it is important to have a basic understanding of your Active Directory structure and security implications before you implement Group Policy.
Chapter 3: Security Settings for Windows XP Clients
This chapter describes the security settings for Windows XP client computers that may be set through Group Policy in a Windows 2000 or Windows Server 2003 Active Directory domain. Guidance is not provided for all of the available settings—only those settings that will help secure an environment from most current threats are provided. The guidance also allows users to continue to perform typical job functions on their computers. The settings that you configure should be based on your organization’s security goals.
Chapter 4: Administrative Templates for Windows XP
In this chapter, settings that can be added to Windows XP by using Administrative Templates are discussed. Administrative Templates are Unicode files that you can use to configure the registry–based settings that govern the behavior of many services, applications, and operating system components. There are many Administrative Templates that can be used with Windows XP, and they contain hundreds of settings.
Chapter 5: Securing Stand-Alone Windows XP Clients
Although most of this guide focuses on the Enterprise Client (EC) and Specialized Security – Limited Functionality (SSLF) environments, this chapter also discusses the configuration of stand-alone Windows XP client computers. Microsoft recommends that Windows XP be deployed in an Active Directory domain infrastructure, but recognizes that it is not always possible to do so. This chapter provides guidance about how to apply the recommended configurations to Windows XP with SP2 client computers that are not members of a Windows 2000 or Windows Server 2003 domain.
Chapter 6: Software Restriction Policy for Windows XP Clients
This chapter provides a basic overview of software restriction policy, which provides administrators with a policy-driven mechanism to identify and limit the software that can be run in their domain. Administrators can use a software restriction policy to prevent unwanted programs from running and prevent viruses, Trojan horses, or other malicious code from spreading. Software restriction policies fully integrate with Active Directory and Group Policy, and they can also be used in an environment without a Windows Server 2003 domain infrastructure when applied to only the local computer.
Chapter 7: Conclusion
The final chapter reviews the important points of the guide in a brief overview of everything that is discussed in the previous chapters.
Appendix A: Key Settings to Consider
Although this guide discusses many security countermeasures and security settings, a small number of them are especially important. This appendix discusses the settings that will have the biggest impact on the security of computers that run Windows XP with SP2.
Appendix B: Testing the Windows XP Security Guide
This appendix explains how the Windows XP Security Guide was tested in a lab environment to ensure that the guidance works as expected.
A collection of security templates, scripts, and additional files is included with this guide to make it easier for your organization to evaluate, test, and implement the recommended countermeasures.
Security templates are text files that can be imported into domain–based Group Policies or applied locally with the Microsoft Management Console (MMC) Security Configuration and Analysis snap-in. Procedures that describe how to accomplish these tasks are detailed in Chapter 2, "Configuring the Active Directory Domain Infrastructure." You can use the scripts that are included with this guide to implement the recommended countermeasures on stand-alone workstations.
Also included in the download content is the Microsoft Excel® workbook "Windows XP Security Guide Settings," which documents the settings that are included in each of the security templates.
The files that accompany this guide are collectively referred to as tools and templates. These files are included in a .msi file within the self-extracting WinZip archive that contains this guide. The download version of the Windows XP Security Guide is available at http://go.microsoft.com/fwlink/?LinkId=14840. When you execute the .msi file, the following folder structure will be created in the location that you specify:
This guide uses the following style conventions.
Table 1.1 Style Conventions
This chapter introduced you to the Windows XP Security Guide and summarized the guide’s chapters. When you understand how the guide is organized, you are ready to take full advantage of the key security options that are built into Windows XP with SP2.
Effective, successful security operations require effort in all of the areas that are discussed in this guide, not just improvements in one. For this reason, it is highly recommended that you implement the recommendations in this guide that are appropriate for your organization as part of a wider defense-in-depth security architecture.
The following links provide additional information about Windows XP Professional security-related topics.