Adding and Securing a Computer Running Windows XP Professional by Using Windows Small Business Server 2003

On This Page

Introduction
Before You Begin
Completing the Add User Wizard
Joining the Client Computer to the Domain
Securing the Client Computer in the Domain
Completing the Setup of the Client Computer
Verifying the New Settings of the Client Computer
Related Information

Introduction

Computers in your organization that run the Microsoft Windows XP Professional operating system and that are connected to the Internet but are not joined to your domain may be vulnerable to an attack, which is a deliberate attempt to compromise the security of a computer system or deprive others of the use of the system. These computers do not benefit from the security features provided by a domain that is secured by Microsoft Active Directory directory service and the Group Policy feature. Active Directory is a directory service in Windows Server 2003 that stores sensitive information about user accounts, such as user names and passwords. The Group Policy settings in Windows Server 2003 define the security settings that are applied by Active Directory.

Active Directory provides several features that help users connect more securely to network resources, whether these resources are hosted by servers or client computers in your domain. One of these features is authentication, or the process of validating the credentials of a person, computer process, or device. Authentication requires that the person, process, or device that is making a request provide a credential that proves it is what or who it says it is. Common forms of credentials are digital signatures, smart cards, biometric data, and a combination of user names and passwords. Active Directory requires users to enter their domain user name and password credentials when they log onto their computers.

Group Policy settings are applied based on your organization's implementation of Active Directory, and they help protect your computing environment by applying standard permissions across categories of users. Permissions include the authorization to perform operations associated with a specific shared resource, such as a file, directory, or printer. Permissions must be granted by the system administrator to individual user accounts or groups.

For more information, see "Creating a Strong Password Policy" in the Microsoft Windows Server 2003 Deployment Kit, available on the Web at https://go.microsoft.com/fwlink/?LinkId=31710.

This document explains how to add and secure computers running Windows XP Professional (called client computers) to a domain by using a domain controller running Microsoft Windows Small Business Server 2003. To do this, you will perform some tasks on the domain controller, and you will perform other tasks on the client computer. Most of the tasks require you to have either domain administrative credentials or local computer administrative credentials. The final tasks require the credentials of the newly created or existing user who will use the client computer. Completing the tasks in this document on one client computer takes approximately 45 minutes; the actual time depends on your system configuration.

Table 1 lists the basic tasks that you will perform to join a client computer to the domain and secure it in the domain:

Table 1 Tasks for adding and securing a client computer to a domain

  Task                                                                Performed on
  ------------------------------------------------------------------  ---------------------
  Complete the Add User Wizard in Windows Small Business Server 2003  The domain controller
  Join the client computer to the domain                              The client computer
  Secure the client computer                                          The client computer
  Complete setup of the client computer                               The client computer

IMPORTANT: The instructions in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Before You Begin

You can add up to 75 computers running Windows XP Professional to a domain by using Windows Small Business Server 2003. The computer running Windows Small Business Server 2003 must have a minimum of 4 gigabytes (GB) of disk space, a CPU speed of 300 megahertz (MHz), and 256 megabytes (MB) of RAM. Requirements will vary, depending on your system configuration. For more information about system requirements, see "System Requirements for Windows Small Business Server 2003" on the Microsoft Windows Small Business Server 2003 Web site at https://go.microsoft.com/fwlink/?LinkId=31711.

Completing the Add User Wizard

This section describes how to configure a domain user account and a domain computer account. A domain user is allowed to join the client computer to the domain, which includes attaching the client computer to the account created for that computer by the domain controller.

Requirements to perform this task

  • Credentials: You must log on as a member of the Domain Administrators or the Domain Power Users security group.

To start the Add User Wizard

  1. Log on to a computer running Windows Small Business Server 2003 as a member of the Domain Administrators or the Domain Power Users security group.

  2. Click Start, and then click Server Management.

  3. In the left pane under Standard Management, select To Do List.

  4. Click the Start button next to Add Users and Computers.

To type the required information for the Add User Wizard

  1. On the Welcome to the Add User Wizard page, click Next.

  2. On the Template Selection page (Figure 1), select the appropriate template, and then click Next.

    These four templates are described as follows:

    • By completing the User Template, you provide a person with access to the Remote Web Workplace, network printers, shared folders, fax devices, e-mail, and the Internet.

    • The Mobile User Template provides access to all the functionality that is provided by the User Template, and also adds access to dial-up and virtual private network (VPN) connections.

    • The Power User Template provides access to all the functionality that is provided by the Mobile User Template, and also adds the ability to manage users, groups, shared folders, printers and faxes, plus the ability to log onto the server remotely.

    • The Administrator Template provides unrestricted access to the server and the domain.

    NOTE: Screen shots in this document reflect a test environment. The information that you see on your screen might differ slightly from the information shown in these screen shots.

    Figure 1 The Template Selection page of the Add User Wizard

  3. On the User Information page, click Add, and then type the first name and last name of the user (Figure 2). The e-mail alias and telephone number of the user are not required information.

    You can also select a user from the menu. Users are listed on the menu if you previously created an account for them by using the Bulk Add User Wizard.

  4. Type or select a name in the Logon name drop-down list box.

    Figure 2 Specifying user information in the Add User Wizard

  5. Type and confirm a password for the new user. It is recommended that you use a strong password. If you have chosen to use a strong password, Windows Small Business Server 2003 requires that the password conforms to specific guidelines. Click OK.

    For information about creating strong passwords, see "Creating a Strong Password Policy" in the Microsoft Windows Server 2003 Deployment Kit, available on the Web at https://go.microsoft.com/fwlink/?LinkId=31710.

  6. Optionally, select the check box next to Change Password at next Log on to require the user to change the password the first time he or she logs on, and then click Next.

    For information about changing passwords, see "Change the user password" in the section, "Completing the New Domain Client Setup" later in this document.

  7. On the Set Up Client Computers page, make sure that Set up computers now is selected, and then click Next.

  8. On the Client Computer Names page (Figure 3), type the name of the client computer that you want to join to the domain in the Client computer name text box, and then click Add. Alternatively, you can accept the predefined computer name in Accounts will be created for, and the computer name will be changed when it joins the domain. When you are finished, click Next.

    Figure 3 Specifying the name of the client computer in the Add User Wizard

  9. On the Client Applications page, select the applications that are appropriate for the user to access, and then click Next.

    You can also add and configure additional applications by clicking Edit Applications to start the Set Up Client Applications Wizard.

  10. On the Mobile Client and Offline Use page, you can optionally add the Connection Manager to facilitate dial-up and VPN access, and then click Next.

  11. On the Completing the Add User Wizard page, click Finish. (You might have to wait for several minutes while the wizard finishes.)

  12. When the Finishing Your Installation dialog box appears (Figure 4), it displays the Uniform Resource Locator (URL) that you need to finish setting up the client computer. Make sure to write it down for later use, and then click OK.

    NOTE: The URL in Figure 4, https://UTOPIA/ConnectComputer, is an example only. Do not use this URL.

    Figure 4 The Finishing Your Installation dialog box in the Add User Wizard

  13. On the Add User Wizard page, click Close.

  14. In the Add User Wizard dialog box, click Yes to add more users and computers, or click No to finish and close the wizard.

Joining the Client Computer to the Domain

By following the steps in the previous section, "Completing the Add User Wizard," you created the credentials for the user of the client computer (the computer running Windows XP Professional). You must know this user information and also be logged onto the client computer as a member of the local Administrators security group to join the computer to your domain, and associate the computer with its domain account.

Requirements to perform this task

  • Credentials: You must be logged on to the client computer as a member of the local Administrators security group.

To connect to the Network Configuration Web page

  1. Log on to the client computer as a member of the local Administrators security group.

  2. Click Start, and then click Internet to open Microsoft Internet Explorer.

  3. In the Address text box, type the URL mentioned in step 12 of the previous task, "Completing the Add User Wizard," and then click Go.

  4. On the Network Configuration Web page (Figure 5), click Connect to the network now.

    Figure 5 The Network Configuration Web page

  5. If you are prompted by a Security Warning dialog box (Figure 6), click Yes to install and run the Small Business Server Network Configuration Wizard (Figure 7).

    Figure 6 A Security Warning dialog box might appear

To complete the Small Business Server Network Configuration Wizard

  1. In the User name text box (Figure 7), type the user name that you chose when you created a new user in the section, "Completing the Add User Wizard."

    Figure 7 The Small Business Server Network Configuration Wizard

  2. In the Password text box, type the password you chose when you created the new user, and then click Next.

  3. On the Assign users to this computer and migrate their profiles page (Figure 8), click Add.

    The user that you designated earlier will automatically appear in the Users assigned to this computer area. To add more users, choose from the Available Users list.

    Figure 8 Assigning users to the client computer

  4. If the new user has already been using the computer with a local account, you can select his or her account from the Current User Settings list and then migrate or apply the local account settings to his or her domain account. Click Next.

  5. On the Computer Name page (Figure 9), select the computer name from the list under Available Computer Names, and then click Next.

    NOTE: The example list of computer names consists of domain computer accounts that have already been created.

    Figure 9 Selecting a computer name for the client computer

  6. On the Completing the Network Configuration Wizard page, verify that the summary is accurate, and then click Finish (Figure 10).

    Figure 10 Verifying the tasks that the wizard will perform

  7. To complete the process of joining the client computer to the domain, you must now restart the client computer. A dialog box appears that lets you click Pause to delay the restart or Continue to skip the 15-second waiting period.

Securing the Client Computer in the Domain

After you join the client computer to your domain, it is a best practice to remove any non-domain Administrators from the local Administrators security group on the client computer. (Members of the Domain Administrators security group are also members of the local Administrators group.) Then, disable the local "Administrator" account on the client computer. It is no longer necessary to keep this account active on the client computer because administrative access is now controlled by Active Directory. This is a security best practice because it minimizes the number of accounts that could potentially modify the computer's configuration or settings. This section explains how to perform these tasks.

IMPORTANT: If at a later time you want to remove the client computer from your domain, remember to enable the local Administrator account before you remove the client computer from the domain. Otherwise, you will not have administrative access to the client computer.

Requirements to perform this task

  • Credentials: You must be logged on to the client computer as a local Administrator. Typically, this is the user called Administrator, but you could also log on as a Domain Administrator because members of the Domain Administrators group are also members of the local Administrators group.

Remove non-domain Administrators from the local Administrators group

  1. On the client computer, press CTRL+ALT+DEL.

  2. Next to User name, type a user name for a local Administrator account (such as Administrator) or for a Domain Administrator account (Figure 11).

  3. Next to Password, type the password that is associated with the account.

  4. Click Options, select the domain name from the Log on to list, and then click OK.

    Figure 11 Logging onto the client computer as a Domain Administrator

  5. In the Client Setup Wizard dialog box, click Postpone to close the wizard. You will return to the Client Setup Wizard in the section, "Completing the Setup of the Client Computer" later in this document.

  6. Click Start, right-click My Computer, and then click Manage.

  7. In the tree pane on the left of the Computer Management console, expand Local Users and Groups, and then click Groups.

  8. In the details pane on the right, double-click Administrators. In the Administrators Properties dialog box (Figure 12), select the user name that you recently added by using the Add User Wizard, and then click Remove.

    IMPORTANT: Remove any non-domain Administrator accounts, such as the example in Figure 12, CONTOSO\ERemick. Do not remove DOMAINNAME\Domain Admins. Otherwise, you might lose administrator rights on the client computer.

    Figure 12 Removing non-domain Administrators from the local Administrators group

  9. Click OK.

Disable the user account called Administrator on the client computer

  1. In the tree pane of the Computer Management console, under Local Users and Groups, click Users (Figure 13).

  2. In the details pane of the Computer Management console, double-click the Administrator user account.

  3. Select Account is disabled, and then click OK.

    Figure 13 Disabling the user account called Administrator

  4. Close Computer Management, and then log off of the client computer.
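The two procedures above can also be carried out from a command prompt on the client computer, which is useful when you secure several client computers or want a repeatable record of what was changed. The following batch script is an added example and is not part of the original article; it uses the built-in net.exe commands that ship with Windows XP Professional. The script name harden-client.cmd and the argument handling are assumptions; CONTOSO\ERemick is the article's own example of a non-domain administrator account. Run it from cmd.exe while logged on as a local or domain administrator.

```batch
@echo off
REM Added example (not from the original article): command-line equivalent of the
REM "Securing the Client Computer in the Domain" procedures for Windows XP Professional.
REM Usage (assumed script name):  harden-client.cmd DOMAIN\UserName
REM Example:                      harden-client.cmd CONTOSO\ERemick

setlocal
set "ACCOUNT=%~1"
if "%ACCOUNT%"=="" (
    echo Usage: %~nx0 DOMAIN\UserName
    exit /b 1
)

REM Safety check from the article's IMPORTANT note: never remove Domain Admins,
REM or you lose administrative access to the client computer.
echo %ACCOUNT% | findstr /I /C:"Domain Admins" >nul
if not errorlevel 1 (
    echo Refusing to remove %ACCOUNT% from the local Administrators group.
    exit /b 1
)

echo --- Local Administrators group before changes ---
net localgroup Administrators

REM Step 1: remove the non-domain administrator from the local Administrators group.
net localgroup Administrators "%ACCOUNT%" /delete
if errorlevel 1 (
    echo Failed to remove %ACCOUNT%; check the account name and your credentials.
    exit /b 1
)

REM Step 2: disable the built-in local Administrator account. Administrative access
REM is now controlled through Active Directory. Re-enable the account with
REM   net user Administrator /active:yes
REM before you ever remove this computer from the domain.
net user Administrator /active:no

echo --- Local Administrators group after changes ---
net localgroup Administrators

REM Step 3: confirm the built-in account is disabled (the line should read "Account active  No").
net user Administrator | findstr /C:"Account active"
endlocal
```

The script prints the local Administrators membership before and after the change so that you can confirm DOMAINNAME\Domain Admins is still listed, and it refuses to run if the account you pass in contains "Domain Admins".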

Completing the Setup of the Client Computer

This section explains how to install and configure the software that you assigned to the client computer when you followed the steps in the section, "Completing the Add User Wizard" previously in this document. Because you postponed the software installation when you secured the client computer in the domain, it is time to go forward with this process by using the Client Setup Wizard. In addition, when you created the new user account, you specified that its password must be changed the first time that the person who will use the client computer logs on.

Requirements to perform this task

  • Credentials: You must be logged on to the client computer as a Domain Administrator.

To log on to the client computer to complete the software installation process

  1. On the client computer, press CTRL+ALT+DEL.

  2. Next to User name, type Administrator.

  3. Next to Password, type the corresponding password for the Domain Administrator account.

  4. In the Client Setup Wizard dialog box, click Start Now, and then click Next.

  5. When the application installation and configuration process is complete, click Finish.

Change the user password

  1. On the Start menu, click Log off to log off as Administrator. Then, in the Log Off Windows dialog box, click Log off.

  2. With the person who will be the primary user of the computer present, press CTRL+ALT+DEL, supply the user name and password, and then click Log on.

  3. Press CTRL+ALT+DEL again.

  4. Click Change Password.

  5. Next to Old Password, type the password that you had originally assigned to the account (Figure 14).

  6. Next to New Password, the new user should type his or her password, and next to Confirm New Password, the user should type the password again.

    Figure 14 Changing the new user's password on the client computer

  7. Click OK, and then click Cancel to return to the user session.

Verifying the New Settings of the Client Computer

By completing the following task, you can verify that you have successfully added the client computer to your domain.

To verify the local settings of the client computer

  1. While you are still logged on to the client computer that you added to your domain, press CTRL+ALT+DEL.

    The Windows Security dialog box displays the Logon Information of the user in the following format: DOMAIN NAME\user name.

  2. Click Cancel.

  3. Click Start, right-click My Computer, and then click Properties.

  4. In the System Properties dialog box, click the Computer Name tab.

  5. Verify that the Full computer name and Domain information are correct, and then click Cancel.
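The same information (the DOMAIN NAME\user name logon identity, the full computer name, and the workstation domain) can be checked from a command prompt, which is handy for confirming a batch of client computers without clicking through each dialog box. The following batch script is an added example and is not part of the original article. The variable EXPECTED_DOMAIN and its value CONTOSO (the article's example domain) are assumptions; replace the value with your own domain's NetBIOS name. Run it in cmd.exe on the client computer while logged on as the domain user.

```batch
@echo off
REM Added example (not from the original article): command-line check of the
REM settings verified in "Verifying the New Settings of the Client Computer".

setlocal
REM Assumption: CONTOSO is the article's example domain; change it to match your domain.
set "EXPECTED_DOMAIN=CONTOSO"

REM Logon information in the DOMAIN NAME\user name format that CTRL+ALT+DEL shows.
echo Logged on as: %USERDOMAIN%\%USERNAME%

REM For a local (non-domain) logon, Windows reports the computer name as the domain.
if /I "%USERDOMAIN%"=="%COMPUTERNAME%" (
    echo WARNING: this is a local account logon, not a domain logon.
)

REM Full computer name and workstation domain, as shown on the Computer Name tab.
net config workstation | findstr /I /C:"Full Computer name" /C:"Workstation domain"

REM Fail if the workstation is not a member of the expected domain.
net config workstation | findstr /I /C:"Workstation domain" | findstr /I /C:"%EXPECTED_DOMAIN%" >nul
if errorlevel 1 (
    echo FAIL: %COMPUTERNAME% is not joined to %EXPECTED_DOMAIN%.
    exit /b 1
)
echo OK: %COMPUTERNAME% is joined to %EXPECTED_DOMAIN%.
endlocal
```

The script exits with a non-zero code when the workstation domain does not match, so it can be used as a pass/fail check from a logon script or a scheduled task.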

Related Information

For more information about adding a client computer to a domain by using Windows Small Business Server 2003, see the following:

For more information about Windows client computer security, see the following:

For definitions of security-related terms, see the following: