Securing a Client Computer Running Microsoft Windows XP Professional in a Windows Server 2003 Active Directory Domain
Introduction
This document explains how to safeguard a client computer running Microsoft Windows XP Professional with Microsoft security updates. It also explains how to configure the computer to prompt users to download and install security updates as soon as Microsoft releases them. A security update is a widely released fix for a product-specific, security-related issue. Security issues are rated based on their severity, which is indicated in Microsoft security bulletins as critical, important, moderate, or low.
You will also learn how to enable the Internet Connection Firewall (ICF) in Windows XP Professional, which you can use to help protect against external security threats by blocking malicious network traffic.
Finally, you will learn how to join the client computer to a domain. By performing these tasks, you help safeguard your computing environment from software, network, or Internet-based attacks.
People in your organization can use a client computer that is joined to a domain to enjoy a seamless network computing experience with the security benefits of Microsoft Active Directory, a directory service used to manage identities and broker relationships between distributed resources so they can work together. Users who are added to Active Directory automatically belong to the Domain Users group. The organization benefits because the Domain Users group usually has restrictive default permissions to most corporate resources, so these users are restricted by default.
Taking this security precaution allows you to provide users with the ability to be productive using the lowest level of privilege possible. If users need additional privileges on their computers, you can add them to a more powerful local user group, such as the local Power Users group, which would allow them to install certain programs. Alternatively, you can add users to the local Administrators group to provide them with unrestricted access locally on the client computer.
IMPORTANT: The instructions in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.
For explanations of security-related terms that you might encounter as you complete the above tasks, see the Microsoft Security Glossary on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=31701.
Before You Begin
To be able to perform the tasks in this document and help ensure that your server performs well, install Windows Server 2003, Standard Edition on a computer with a minimum of 512 megabytes (MB) of RAM, an 800-megahertz (MHz) processor, and an 8-gigabyte (GB) disk drive. Equip the computer with a 10/100 Ethernet network interface card.
Finally, the computer must be configured as a domain controller, which deploys Active Directory. Organizations deploy Active Directory for a variety of reasons, and Active Directory deployment has many far-reaching implications. Before configuring your server as a domain controller, consider the impact of Active Directory deployment upon authentication, IT and human resources, and your overall security landscape. Carefully prepare and, depending upon the size of your organization, architect the deployment to maximize the benefits of the robust services that accompany Active Directory. For more information about creating a domain controller and using Active Directory, see the section "Related Information" at the end of this document.
If you have already deployed Active Directory, or if you have decided to deploy, ensure that you add domain users to the Active Directory before beginning this paper.
Additionally, make sure that your client computer is running Windows XP Professional. The client computer should have at least 256 megabytes (MB) of RAM, a 500-megahertz (MHz) processor, an 8-gigabyte (GB) disk drive, and a 10/100 Ethernet network adapter.
Preparing the Client Computer
This section provides step-by-step instructions for the following tasks:
Installing security updates on the client computer
Configuring Automatic Updates to prepare the security updates for installation
Enabling the Internet Connection Firewall (ICF).
Installing Security Updates on the Client Computer
To install security updates on the client computer (the computer running Windows XP Professional), you must complete the following procedures:
Visit the Windows Update Web site and install the controls.
Install the security updates.
Requirements to perform this task
- Credentials: You should be logged on to the client computer (the computer running Windows XP Professional) as a member of the local Administrators group.
To visit the Windows Update Web site and install the controls
Click Start, point to All Programs, and then click Windows Update.
If you are visiting the Windows Update Web site for the first time, a security warning notifies you that you must install the Windows Update ActiveX control signed by Microsoft (Figure 1). To install the control, click Yes.
Note: Screen shots in this document reflect a test environment. The information that you see on your screen might differ slightly from the information shown in these screen shots.
Figure 1 A security warning appears to first-time visitors to the Windows Update Web site
To install the security updates
In the details pane (on the right), click Scan for updates.
In the tree pane (on the left) there are three groups of options: Critical Updates and Service Packs (these are automatically selected), Windows XP (these are recommended updates), and Driver Updates (these should be installed according to your organization's testing plan).
Note: Certain updates, such as some updates for Windows XP Professional and Windows Media Player 9, must be installed separately and are marked with an asterisk next to their names.
In the Details pane, click Review and install updates.
Click Install Now.
If you are prompted, click Accept to accept any necessary license agreements.
Figure 2 Downloading and installing security updates
Figure 2 shows what the Windows Update - Web Page Dialog looks like during a typical update. The download size and installation time vary, depending on which updates your client computer needs, as well as your Internet connection speed. Updating your computer regularly will minimize the time required each time you download and install updates.
After the updates are installed, the Details pane displays a summary and status of the installed updates.
If prompted to restart your client computer, click OK.
You might have to update your computer several times, depending on the security updates that you are installing.
Note: Certain updates, such as those for Microsoft .NET Framework, have additional updates after installation.
Configuring Automatic Updates to Prepare Security Updates for Installation
You must perform some configuration tasks before you prepare security updates for installation.
Requirements to perform this task
- Credentials: You should be logged on to the client computer (the computer running Windows XP Professional) as a member of the local Administrators group.
To configure Automatic Updates on the client computer
Click Start, right-click My Computer, and then click Properties.
Click the Automatic Updates tab (Figure 3).
Figure 3 Configuring Automatic Updates on the client computer
On the Automatic Updates tab, choose whether or not users will be notified of security updates, and if so, how they are notified. You can keep your computer up-to-date automatically with the latest updates and enhancements by choosing to automatically download the updates, and install them on a specified schedule.
Note: These settings can also be configured through the Group Policy feature.
To accept and configure the settings you have selected, click OK.
Enable the Internet Connection Firewall (ICF)
The following requirements apply when you enable the ICF.
Requirements to perform this task
- Credentials: You should be logged on to the client computer (the computer running Windows XP Professional) as a member of the local Administrators group.
Click the Start menu, and then click Control Panel.
Click Network and Internet Connections.
Click Network Connections.
Right-click Local Area Connection, and then click Properties (Figure 4).
Figure 4 Viewing the properties of your Local Area Connection (LAN)
Click the Advanced tab.
Select Protect my computer and network by limiting or preventing access to this computer from the Internet.
Click Settings.
Click the Services tab, and optionally enable preconfigured services or define necessary ports.
Click the Security Logging tab (Figure 5).
Select Log dropped packets and Log successful connections.
Note: These options help you determine the origin of data packets that are sent to your computer, as well as the connections that are made to your computer through the Internet.
Figure 5 Options that help you determine the origin of data packets and connections
Click OK twice.
Note: The padlock icon attached to Local Area Connection indicates that ICF is active.
Close Network Connections.
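The following is an added example, not part of the original Microsoft document. It shows how the security log produced by the Log dropped packets and Log successful connections options can be summarized to see where dropped traffic originates. The log text is constructed sample data using documentation-range addresses, and the parser takes its column names from the log's own #Fields header line.

```python
from collections import Counter

# Constructed sample in the W3C extended layout written by ICF
# (by default to pfirewall.log in the Windows directory).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-05-10 09:14:02 DROP TCP 203.0.113.7 192.0.2.10 4312 135 48 S 1234567 0 16384 - - -
2004-05-10 09:14:03 DROP TCP 203.0.113.7 192.0.2.10 4313 445 48 S 1234999 0 16384 - - -
2004-05-10 09:14:05 DROP UDP 198.51.100.23 192.0.2.10 1026 1434 404 - - - - - - -
2004-05-10 09:15:11 OPEN TCP 192.0.2.10 198.51.100.80 1045 80 - - - - - - - -
2004-05-10 09:15:40 CLOSE TCP 192.0.2.10 198.51.100.80 1045 80 - - - - - - - -
2004-05-10 09:16:00 DROP ICMP 203.0.113.7 192.0.2.10 - - 60 - - - - 8 0 -
"""

def parse_icf_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif not line or line.startswith("#"):
            continue  # blank line or other header directive
        elif fields is None:
            raise ValueError("log entry found before the #Fields header")
        else:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def summarize_drops(text):
    """Return (dropped-packet count per source IP, targeted ports per source IP)."""
    drops, ports = Counter(), {}
    for entry in parse_icf_log(text):
        if entry["action"] != "DROP":
            continue
        drops[entry["src-ip"]] += 1
        if entry["dst-port"] != "-":  # ICMP entries carry no port
            ports.setdefault(entry["src-ip"], set()).add(int(entry["dst-port"]))
    return drops, ports

def opened_connections(text):
    """Return (destination IP, destination port) for each logged OPEN entry."""
    return [(e["dst-ip"], int(e["dst-port"]))
            for e in parse_icf_log(text) if e["action"] == "OPEN"]

if __name__ == "__main__":
    drops, ports = summarize_drops(SAMPLE_LOG)
    for src, count in drops.most_common():
        print(src, count, sorted(ports.get(src, ())))
    print("opened:", opened_connections(SAMPLE_LOG))
```

To run it against a real log, read the file's contents into a string and pass that string in place of SAMPLE_LOG.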
Joining and Securing the Client Computer to a Domain
This section provides step-by-step instructions for the following tasks:
Joining the client computer to a domain.
Disabling the local Administrator account.
Joining the Client Computer to a Domain
To join the client computer to a domain, you must complete the following procedures:
Get the computer name and workgroup information of the client computer.
Join the client computer to a domain.
Requirements to perform this task
- Credentials: You must be logged on to the client computer as a member of the local Administrators group.
To get the computer name and workgroup information of the client computer
Click Start, right-click My Computer, and then click Properties.
Click the Computer Name tab (Figure 6).
Figure 6 The Computer Name tab in the System Properties dialog box
Note the Full computer name and Workgroup information. Because you will need it later, it might be helpful to write down the computer name.
To join the client computer to a domain
Using the Network Identification Wizard, click Network ID.
On the Welcome to the Network Identification Wizard page, click Next.
On the Connecting to the Network. How do you use this computer? page, make sure that the option This computer is part of a business network, and I use it to connect to other computers at work is selected, and then click Next.
On the next page, Connecting to the Network. What kind of network do you use, make sure that My company uses a network with a domain is selected, and then click Next.
On the Network Information page, review the information, and then click Next.
On the User Account and Domain Information page (Figure 7), type the user name and password of an Active Directory user (any member of the Domain Users group), type the appropriate domain information, and then click Next.
Figure 7 The User Account and Domain Information page of the Network Identification Wizard
On the Computer Domain page (Figure 8), type your computer domain information, and then click Next.
Note: If you do not know your computer domain information or want to confirm it, you can find it by performing the procedure, "Get the computer name and workgroup information of the client computer" that appears earlier in this document, in the section, "Joining the Client Computer to a Domain." The computer name will contain the domain information that exists on the server.
Figure 8 The Computer Domain page of the Network Identification Wizard
On the Domain User Name and Password page, type the credentials of an Active Directory user and the appropriate domain information, and then click OK.
Note: Any member of the Domain Users group can join a computer to the domain.
On the User Account page (Figure 9) you can add a user account. To do so, type a user name, type the domain information, and then click Next.
Figure 9 The User Account page of the Network Identification Wizard
On the Access Level page (Figure 10), you indicate the level of access a user has to network resources and privileges. The access levels are described in Figure 10. When making your selection, take into account the user's role in the organization and needs. We recommend that you select Restricted user, and then click Next.
Figure 10 The Access Level page of the Network Identification Wizard
Click Finish.
On the Computer Name Changes page, click OK.
On the System Properties page, click OK.
On the System Settings Change page, restart the computer by clicking Yes.
Disabling the Local Administrator Account of the Client Computer
You can disable the local Administrator account of the client computer by using the following procedure. Several other unnecessary user accounts are disabled by default.
Requirements to perform this task
Credentials: You must be logged on as a member of the local Administrators group other than the local Administrator account.
Note: Protect the Administrator account by renaming the default administrator account. This procedure removes any obvious information that can alert attackers that this account has elevated privileges. Although an attacker that discovered the default Administrator account would still need the password to use it, renaming the default Administrator account adds an additional layer of protection against elevation of privilege attacks. Use a fictitious first and last name, in the same format as your other user names. For specific steps, see the TechNet article located at: https://www.microsoft.com/technet/security/guidance/sec_ad_admin_groups.mspx#XSLTsection124121120120
To disable the local Administrator account of the client computer
On the domain member client, begin logging on by pressing CTRL+ALT+DELETE.
Continue logging on by entering the appropriate credentials in the User name field. (The domain user, "Administrator," is a member of the local Administrators group.)
In the Password field, type the password that is associated with the local Administrators account.
Click Options.
To complete the logon, in the Log on to field, type or select the domain name, and then click OK.
Click Start, right-click My Computer, and then click Manage.
In the tree pane (on the left) of the Computer Management console, expand Local Users and Groups, and then select Users.
In the details pane (on the right), double-click the Administrator account.
Select Account is disabled, and then click OK.
Note: If you remove the client computer from the domain, remember to enable the local Administrator account before you proceed. To do this, perform steps 1 through 8, and then clear the Account is disabled check box.
Close the Computer Management console.
Log off of the client computer.
Verifying the New Settings of the Client Computer
By completing the following task, you can verify that you have successfully joined the client computer to your domain.
Verify the local settings of the client computer
On the client computer, press CTRL+ALT+DELETE.
In the User name field, type the user name of the person who will use the client computer (Figure 11).
In the Password field, type the password that is associated with the user account.
Click Options.
In Log on to, type or select the domain name, and then click OK.
Figure 11 Logging on to the domain
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the Computer Name tab.
Verify that the Full computer name and Domain information are correct, and then click Cancel.
Note: Information on the Automatic Updates tab cannot be modified by this user. It can only be modified by a member of the Domain Administrators group.
Related Information
For more information about joining computers to domains, see the following resources:
- "How to Join your Computer to a Domain" on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=31702
For more information about complex passwords, see the following:
- "Account Passwords and Policies" on the Microsoft TechNet Web site at https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx#XSLTsection123121120120
For more information about domain controllers, see the following:
- "To install a domain controller" in the Microsoft Windows 2000 Datacenter Server Help, available on the Web at https://go.microsoft.com/fwlink/?LinkId=31705
For more information about using Active Directory directory service, see the following:
- "Using Active Directory Service" in the Microsoft Windows 2000 Administrator's Pocket Consultant, available on the Web at https://go.microsoft.com/fwlink/?LinkId=31706
- "Default groups" in the Microsoft Windows Server 2003, Standard Edition Help, available on the Web at https://go.microsoft.com/fwlink/?LinkId=31708
For more information about Windows Server 2003, Standard Edition, see the following:
- Microsoft Windows Server 2003, Standard Edition Help, available on the Web at https://go.microsoft.com/fwlink/?LinkId=31709
For definitions of security-related terms, see the following:
- Microsoft Security Glossary on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=31701