Securing Windows XP Professional Clients in a Windows Server Environment

Introduction

The threat of intruders and malicious code such as viruses and worms continues to grow. This makes it critical for organizations of all sizes to take immediate action to increase the security of their desktop and laptop computers. A virus is an intrusive program that infects computer files by inserting in those files copies of self-replicating code, while a worm is a program that runs independently, traveling from computer to computer across network connections. This document explains how to implement the security measures recommended in the Microsoft Windows XP Security Guide in a small or medium business environment with the Microsoft Active Directory directory service.

The goal of this document is to provide clear and concise instructions for downloading the Windows XP Security Templates, configuring the Active Directory domain infrastructure on the domain controllers in your network, and creating new Group Policy objects (GPOs) into which you import the security templates to help improve the security of the computers on your network. Information is also provided on verifying the new settings, installing distributed firewall and antivirus software, maintaining a current patch level, and converting your file systems to NTFS. All of the step-by-step instructions in this document were developed using the default "Start menu" view in Windows XP.

The following list provides an overview of the topics and tasks this document covers:

  • Downloading preconfigured security templates that automatically make changes to your systems to make them more secure.

  • Configuring the Active Directory domain infrastructure to manage the security level across all Windows XP Professional computers on your network.

  • Applying policies to your desktop and laptop computers.

  • Verifying the new settings.

  • Installing antivirus software.

  • Converting the file systems on your computers to the NTFS file system, which provides a higher level of security than the FAT file systems.

  • Configuring your system to use Internet Connection Firewall (ICF), which can help prevent outsiders from getting access to your computer through the Internet.

  • Keeping your system up-to-date with security patches.

These recommendations will help to ensure that desktop and laptop systems running Windows XP Professional SP1 in your environment are more secure from the majority of current security threats, while ensuring that users can continue to be efficient and productive on their computers. In addition to the detailed step-by-step guidance in this document, you will find information about the top security recommendations that Microsoft offers to all of the company's customers, from the home user to the enterprise.

Note: Implementing the recommendations in this guidance will help to enable your Windows XP desktops and laptops to communicate more securely with other computers running Windows XP, as well as Microsoft Windows 2000, and Windows Server 2003. However, Windows XP desktops and laptops may have difficulty sharing files, folders, or printers with other computers running Microsoft Windows 98 or Windows NT 4.0. Windows 98 and Windows NT 4.0 are older operating systems that are more difficult to secure against today's security threats.

IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Before You Begin

As with any security recommendations, this guidance strives to find the right balance between enhanced security and usability. The recommendations provided here will work successfully for Windows XP Professional deployments in a wide variety of environments. However, there are several key points that you should note before implementing these recommendations.

This document does not address the wide variety of needs and configurations that may be required in a large corporation. In addition, the guidance may not fully address the specific security needs of some organizations.

Meeting the Service Pack Requirement

The recommendations in this document apply only to computers running Windows XP Professional with Service Pack 1 (SP1) or SP1 (a) that are members of an Active Directory-based domain. If Service Pack 1 is not installed on a particular computer or if you do not know whether it is installed, you can go to the Windows Update page on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkID=22630, and have Windows Update scan your computer for available updates. If Service Pack 1 shows up as an available update, install it before proceeding with the procedures in this document.

Avoid Using Accounts With Administrative Privileges

A common issue in many organizations is the prevalence of users that run their laptop or desktop with administrative credentials. It is a best practice for all user accounts to be members of the Users group. Users should not be allowed to log in routinely using accounts that are members of the Administrators group. By enforcing this change, users will not be able to install unapproved software that may contain viruses or other types of potentially dangerous code.

Implementing this requirement may be challenging, but using Windows XP Professional with logo certified applications makes this easier. Applications that are not logo certified may not run correctly for users without administrative privileges. To find a list of logo certified applications, look for software labeled "Designed for Windows XP" on the Windows Catalog page of the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=22382.

An administrator must implement the recommendations in this document, but the settings provide the necessary functionality that will allow someone who is not a member of the Administrators group to run the laptop or desktop on a day-to-day basis. Once the security settings recommended in this document are implemented, they will apply to all users who log on to the desktop or laptop, including members of the local Administrators group.

Downloading the Windows XP Security Templates

A security template is a file that represents a recommended security configuration. Security templates are applied to a system by importing them to the desktop or laptop.

The following procedure shows you how to download the preconfigured security templates to secure your desktop and laptop systems.

The procedure below explains where you can obtain the Windows XP security templates and then how to store them on a domain controller in your computer network. Acquiring the templates will enable you to effectively use related procedures in this document to help improve the security of your computers.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged on to both a domain controller and a member computer as a member of the Domain Admins group.

  • Tools: a Web browser, Windows Explorer.

  • To download the security templates

    1. From the member computer, open a Web browser and navigate to the Windows XP Security Guide page of the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?LinkId=14840.

    2. At the bottom of the page, in the Files in this Download section, click Windows_XP_Security_Guide.exe.

    3. In the File Download dialog box, click Save.

    4. When prompted for a location, expand the Save in: drop-down list box, click Desktop, and then click Save.

    5. In the Download complete dialog box, click Close.

    6. Copy the downloaded file, Windows_XP_Security_Guide.exe, to the My Documents folder on the domain controller.

      Note: The step-by-step instructions for copying the file from your computer to the domain controller will vary depending on how your network is configured. You may need to open a new Explorer window that points to the C$ share on your domain controller by clicking Start, and then Run, and then typing \\Your_Domain_Controller_Name\c$.

    7. From the domain controller, click Start, select All Programs, select Accessories, and then click Windows Explorer.

    8. Use Windows Explorer to navigate to your My Documents folder, and then double-click the Windows_XP_Security_Guide.exe file.

    9. In the WinZip Self-Extractor dialog box, click Browse.

    10. Click My Documents and then click OK.

    11. In the WinZip Self-Extractor dialog box, click Unzip.

    12. After all the files have finished extracting, click OK.

    13. In the WinZip Self-Extractor window, click Close.

Configuring the Active Directory Domain Infrastructure

Group Policy is a feature of Active Directory that facilitates change and configuration management in Windows Server 2003 and Windows 2000 Server domains. However, you need to perform certain preliminary steps in your domain prior to applying Group Policy to the Windows XP Professional clients in your environment.

Use the following procedure to set up the Active Directory infrastructure for your computer network. Creating this structure will enable you to use related procedures in this document to help improve the security of your computers.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged on to the domain controller as a member of the Domain Admins group.

  • Tools: The Active Directory Users and Computers snap-in.

  • To configure the Active Directory domain infrastructure
    Use the snap-in to create the following new branch of organizational units (OUs) in your domain:

    • Secured Computers OU: This OU will contain the child OUs for each operating system running in your environment.

    • Windows XP OU: This OU will contain child OUs for each type of Windows XP client in your environment. Guidance is included here for desktop and laptop clients.

      Note: Even though identical security settings are applied to both desktop and laptop computers when you follow the instructions in this document, it includes instructions to create separate OUs for each to make it easier for you to configure additional security settings that may be specific to only one class of client computer in your environment.

    • Desktop OU: This OU contains desktop computers that remain connected constantly to your corporate network.

    • Laptop OU: This OU contains laptop computers for mobile users that are not always connected to your corporate network.

The OU structure you will create is summarized in the image below.

OU structure

  1. Click Start, click Control Panel, click Performance and Maintenance, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. Right-click the root container for the domain, hold your pointer over New, and then select Organizational Unit.

    Active Directory Users and Computers

    Note: Screen shots in this document reflect a test environment and the information might differ from the information displayed on your screen.

  3. Type Secured Computers OU to name the new OU and click OK.

  4. Right-click the Secured Computers OU, hold your pointer over New, and then select Organizational Unit.

  5. Type Windows XP OU to name the new OU, and click OK.

  6. Right-click the Windows XP OU, hold your pointer over New, and then select Organizational Unit.

  7. Type Desktop OU to name the new OU, and click OK.

  8. Right-click the Windows XP OU, hold your pointer over New, and then select Organizational Unit.

  9. Type Laptop OU to name the new OU, and click OK.

  10. Move all of the desktop computers that are running Windows XP from their current location to the Desktop OU by dragging them from their current OU to the new one.

  11. Move all of the laptop computers that are running Windows XP from their current location to the Laptop OU by dragging them from their current OU to the new one.

    Note: The default location for new computer objects in Active Directory is the Computers container.

The new OU structure should look like what you see in the following image.

new OU structure

Creating New Group Policy Objects and Importing the Security Templates

The next step to improving the security of your computers is to configure many of the built-in security settings. While this may seem like a daunting task, step-by-step instructions for using the Enterprise Client-Desktop.inf and the Enterprise Client-Laptop.inf files that are included with the Windows XP Security Guide are provided below to perform this task.

These policies will configure settings to ensure that only valid users can connect to the computer, only administrators can back up and restore files on the computer, and that only administrators can add new drivers to the system.

Use the following procedure to create new GPOs to use while configuring security measures for the desktop computers on your network. The GPOs will enable you to use related procedures in this document to help improve the security of your computers.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged on to the domain controller as a member of the Domain Admins group.

  • Tools: The Active Directory Users and Computers snap-in and the command prompt.

  • To create the GPO for desktop computers

    1. Reopen the Active Directory Users and Computers snap-in if needed by clicking Start, clicking Control Panel, clicking Performance and Maintenance, double-clicking Administrative Tools, and then double-clicking Active Directory Users and Computers.

      a. Navigate to the Desktop OU.

    2. Right-click the Desktop OU and select Properties.

      Active Directory Users and Computers

    3. In the Desktop OU Properties dialog box, click the Group Policy tab, and then click New.

    4. Type XP Desktop Policy to name the GPO, and then click Edit.

      Desktop OU Properties

    5. The Group Policy Object Editor tool will open and display the GPO that you just created in the Group Policy Object Links box.

    6. Under Computer Configuration, expand the Windows Settings folder, right-click Security Settings, and then select Import Policy.

      Group Policy Object Editor

    7. In the Import Policy From dialog box, expand the Templates folder in the drop-down list box, and then navigate to \My Documents\Windows XP Security Guide\Tools and Templates\Security Guide\Security Templates\.

    8. Select the Enterprise Client - Desktop.inf security template and click Open.

      Note: If you do not see the Enterprise Client - Desktop.inf file, you may have saved it to a different location. Extract the files from the Windows_XP_Security_Guide.exe self-extracting file again if this is the case.

      Import Policy From

    9. Close the Group Policy Object Editor tool.

    10. Close the Desktop OU Properties dialog box.

Use the following procedure to create new GPOs to use while configuring security measures for the laptop computers on your network. The GPOs will enable you to use related procedures in this document to help improve the security of your computers.

  • To create the GPO for laptop computers

    1. Reopen the Active Directory Users and Computers snap-in if needed by clicking Start, clicking Control Panel, clicking Performance and Maintenance, double-clicking Administrative Tools, and then double-clicking Active Directory Users and Computers.

    2. Right-click the Laptop OU and then select Properties.

    3. In the Laptop OU Properties dialog box, click the Group Policy tab, and then click New.

    4. Type XP Laptop Policy to name the GPO, and then click Edit.

    5. The Group Policy Object Editor tool will open and display the GPO that you just created in the Group Policy Object Links box.

    6. Under Computer Configuration, expand the Windows Settings folder, right-click Security Settings, and then select Import Policy.

    7. On the Import Policy From dialog box, expand the Templates folder in the drop-down list box, and then navigate to \My Documents\Windows XP Security Guide\Tools and Templates\Security Guide\Security Templates\.

    8. Select the Enterprise Client - Laptop.inf security template and click Open.

      Note: If you do not see the Enterprise Client - Laptop.inf file, you may have saved it to a different location. Extract the files from the Windows_XP_Security_Guide.exe self-extracting file again if this is the case.

    9. Close the Group Policy Object Editor tool.

    10. Close the Laptop OU Properties dialog box.

    11. Wait for replication to complete between all of your domain controllers so that the new group policy will be available to the client computers regardless of which domain controller is used for logon.

Ensuring Policies Apply to Your Desktop and Laptop Computers

You are now ready to apply the security settings to your desktop or laptop. To ensure the settings are applied, use the gpupdate.exe command. You can use the following procedure to force a refresh of Group Policy. Completing this procedure and restarting your system will ensure that you have successfully applied the security policies.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged onto the desktop or laptop computer as a member of the Domain Admins group.

  • Tools: Command prompt, gpupdate.exe.

  • To run gpupdate

    1. Click Start, click Run, type cmd, and then click OK.

    2. At the command prompt, type gpupdate.exe /force, and press ENTER.

    3. When you receive the message OK to Reboot, type Y, and then press ENTER. In some cases you may not see this message; if you do not, you need to restart the computer manually.

      gpupdate

      Once the system restarts, the security policies have been successfully applied. After pressing CTRL+ALT+DEL to log on, you should see a dialog box stating the following:

      It is an offense to continue without proper authorization.

      Click OK and log on to the computer as you would normally.

    4. In the Application Event Log, verify that the policy downloaded successfully by clicking Start, clicking Control Panel, clicking Performance and Maintenance, and then clicking Administrative Tools.

    5. In Administrative Tools, double-click Event Viewer.

    6. In Event Viewer, click Application Log, and then look for the most recent event that is defined with the following:

      • The Type called Information.

      • The Source called SceCli.

      • The Event ID number 704.

Verifying New Settings

Verify that the appropriate security settings have been applied to your local computer. Use the following procedure to view the local computer settings on your machine. Verifying the settings will ensure that the correct ones are in effect on your computer.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Tools: The Local Security Policy snap-in, Control Panel.

  • To verify the security policy on your computer

    1. Click Start, click Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Local Security Policy.

    2. In the Local Security Settings console tree, expand the Local Policies folder, and then click the Security Options folder.

      Local Security Settings

    3. On the right in the details pane of the Security Options folder, review the applied Security Options policy settings.

    4. You only need to verify that a few settings have been changed from their original values to the new, more secure ones. To do this, review the following settings carefully:

      1. Verify the policy called Devices: Allow undock without having to log on is configured to Disabled.

      2. Verify the policy called Interactive logon: Message text for users attempting to log on includes message text that begins: "This system is restricted to..."

      3. Verify the policy called Interactive logon: Number of previous logons to cache (in case domain controller is not available) is configured to the value 2.
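
The same three checks can be made from a text export of the computer's security settings (produced with secedit /export /cfg) by reading its [Registry Values] section. The following Python script is an added example and not part of the original guide; the registry paths are the standard locations of these three policies, and both sample exports are constructed for illustration, not taken from the Enterprise Client templates.

```python
import codecs

# Registry locations behind the three Security Options named in the procedure.
POLICY_SYSTEM = r"machine\software\microsoft\windows\currentversion\policies\system"
WINLOGON = r"machine\software\microsoft\windows nt\currentversion\winlogon"

# (policy name as shown in the console, registry value, test on the exported value)
CHECKS = [
    ("Devices: Allow undock without having to log on",
     POLICY_SYSTEM + r"\undockwithoutlogon",
     lambda v: v == "0"),  # 0 = Disabled
    ("Interactive logon: Message text for users attempting to log on",
     POLICY_SYSTEM + r"\legalnoticetext",
     lambda v: v.startswith("This system is restricted to")),
    ("Interactive logon: Number of previous logons to cache",
     WINLOGON + r"\cachedlogonscount",
     lambda v: v == "2"),
]

# Constructed sample: a client on which the policy has been applied.
COMPLIANT_EXPORT = r'''[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"2"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,This system is restricted to (constructed sample text, with a comma)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,0
[Version]
signature="$CHICAGO$"
Revision=1
'''

# Constructed sample: a client that never received the GPO.
DRIFTED_EXPORT = r'''[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
'''


def decode_export(raw: bytes) -> str:
    """secedit writes UTF-16 with a BOM; hand-edited templates may be ANSI."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("cp1252")


def parse_registry_values(text: str) -> dict:
    """Return {lower-cased registry path: (type code, value)}."""
    values, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        # Lines look like  path=type,value ; the value may itself contain
        # commas or '=', so split only at the first of each.
        key, _, rhs = line.partition("=")
        reg_type, _, value = rhs.partition(",")
        if not reg_type.strip().isdigit():
            continue
        values[key.strip().lower()] = (int(reg_type), value.strip().strip('"'))
    return values


def audit(text: str) -> list:
    """Return (policy name, status, exported value) for each of the three checks."""
    values = parse_registry_values(text)
    findings = []
    for name, key, is_ok in CHECKS:
        if key not in values:
            findings.append((name, "MISSING", None))
            continue
        value = values[key][1]
        findings.append((name, "OK" if is_ok(value) else "MISMATCH", value))
    return findings


if __name__ == "__main__":
    for label, export in (("compliant", COMPLIANT_EXPORT), ("drifted", DRIFTED_EXPORT)):
        print(label)
        for name, status, value in audit(export):
            print(f"  {status:8} {name} -> {value!r}")
```

To audit a real client, read the exported file as bytes, pass it through decode_export, and give the result to audit; a MISSING result means the setting is not defined in the export at all.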

Enabling the Microsoft Internet Connection Firewall

The Microsoft Internet Connection Firewall (ICF) is a feature included in Windows XP to help protect your system or network connection to the Internet. ICF is easily enabled if the Windows XP Network Setup Wizard detects that your system is directly connected to the Internet.

Use the following procedure to enable the ICF on the computers running Windows XP on your network. The firewall will add to the overall security of your network.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged onto the desktop or laptop client computer as a member of the Domain Admins group.

  • Tools: Control Panel.

  • To enable ICF

    1. On the Start menu, click Control Panel.

    2. In Control Panel, click Networking and Internet Connections, and then click Network Connections.

    3. Right-click the connection that you want to enable ICF on, and then click Properties.

    4. Click the Advanced tab, select the check box to Protect my computer and network by limiting or preventing access to this computer from the Internet, and then click OK.

      Local Area Connection properties

The changes will take effect immediately to start protecting your network connection by limiting or preventing access to the computer or network. While it is highly recommended that you enable ICF, it currently does not include all of the features of firewall products available from some third-party vendors. To find more information about ICF, see the "Protecting Clients From Network Attacks" document in the Security Guidance Kit. To find more information about helping to protect your network with a firewall, see the Microsoft Internet Security and Acceleration Server page on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=22495.

Installing Antivirus Software

Computer viruses are programs that are loaded on to your system without your knowledge or approval. Viruses and other forms of malicious software have been around for years. Today's viruses can replicate themselves and use the Internet and e-mail applications to spread across the world within hours.

Antivirus software continually scans your computer for viruses and helps detect and remove them. Installing antivirus software only solves part of the problem - keeping the antivirus signature files up to date is also critical to maintaining secure desktops or laptops.

User education regarding safe e-mail practices is another critical step in preventing virus attacks. Users should not open e-mail or an e-mail attachment unless they are expecting the file and can verify its source. Ensure that all e-mail attachments are scanned with antivirus software prior to executing them.

For more information about software vendors that provide antivirus software that is compatible with Windows XP, see the List of Antivirus Software Vendors Knowledge Base page on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=22381.

Maintaining a Current Patch Level

To ensure that your laptops and desktops remain up to date, Microsoft strongly recommends that you keep your computers patched with all released security patches for Windows XP. With Windows XP, this is easy to do if your computers are connected to the Internet. Simply configure your computers to automatically download and install the latest updates from Microsoft using the following procedure.

The following procedure will set your machine up to receive automatic updates. Enabling your computer to receive automatic updates helps to protect it against new viruses and worms that could attempt to spread through the Internet to computers on your network.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged onto the desktop or client computer as a member of the Domain Admins group.

  • Tools: Control Panel.

  • To configure your machine for automatic updates

    1. Click the Start menu, and then click Control Panel.

    2. Click Performance and Maintenance, and then double-click System.

    3. Click the Automatic Updates tab, and then select the check box labeled: Keep my computer up to date. With this setting enabled, Windows Update software may be automatically updated prior to applying any other updates.

    4. Under Settings, select the option to Automatically download the updates, and install them on the schedule that I specify.

    5. Select a day and time for the updates to occur, and then click OK to close the System Properties window.

      System Properties

Once you enable Automatic Updates, the new updates will automatically be applied to the computer according to the schedule you defined. You can set the automatic download time for any time, day or night. Just be sure your computer is on at that time. (To avoid slow-downs, Microsoft recommends that you choose a time when you will not be using the computer yourself. The computer will need to be turned on, however.) If you set up Automatic Updates to notify you, or if you forget to leave your computer on, you will see a notification balloon. Click the notification balloon to review and install the updates.

Converting Your File Systems to NTFS

A file system determines the way that directories and files are organized on the computer. During the Windows XP setup process, computers can be configured to use either the FAT32 or the NTFS file system.

FAT32 is an older technology that previous versions of Windows use. The NTFS file system is faster and more secure than FAT32 and many other, older file systems. For optimal performance of the operating system, use NTFS to protect all of the file system partitions on your machine. Use the following two procedures to first verify the type of file system on your computer, and then, if needed, convert the file system to NTFS.

  • To check the file system type on your machine

    1. Click the Start menu, and then click My Computer.

    2. Right-click the drive letter you want to check, and then click Properties.

    3. The file system type should be NTFS. If it is not, you can use the convert.exe utility to convert from FAT16 or FAT32 to NTFS.

      Local Disk (C:) Properties

    Repeat this process for all partitions located on hard disks on the computer. Even if the file system was configured as FAT32 when the operating system was installed, you can easily convert it to NTFS to provide additional security.

    To convert the file system to NTFS, take note of the name of the disk, otherwise known as the volume label (Drive C in the previous image) and complete the following steps.

    The following procedure will convert your file system to NTFS. Converting your file system to NTFS provides your computer with a higher level of security.

  • To convert the file system to NTFS

    1. On the Start menu, click Run, type cmd, and then click OK.

    2. At the command prompt, type the following, where drive letter is the drive you want to convert:

      convert drive letter: /fs:ntfs

    3. You will be prompted to enter the current volume label for the drive. Enter the volume label that was identified earlier, and then press ENTER.

    4. When the conversion is complete, type EXIT, and then press ENTER to close the command prompt.

      Note: If you are attempting to convert the drive where the operating system is installed, you may be prompted to schedule the conversion to occur the next time the system is restarted. If this occurs, type Y and restart the computer.

Related Information

For more information about related topics on securing Windows XP, see the following:

  • The Threats and Countermeasures Guide page on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=15159.

  • The "Develop Password Policy Guidelines" section in the "Selecting Secure Passwords" document in the Security Guidance Kit.

  • The "Enforce a Strong Password Policy on All Machines" section in the "Enforcing Strong Password Usage Throughout Your Organization" document in the Security Guidance Kit.