Chapter 3: Security Settings for Windows XP Clients

Updated: April 13, 2006

Overview

This chapter describes in detail the primary security settings that are configured through Group Policy in a Microsoft® Windows® 2000 or Windows Server™ 2003 Active Directory® directory service domain. Implement the prescribed policy settings to ensure that the desktop and laptop computers in your organization that run Microsoft Windows XP Professional with Service Pack 2 (SP2) are configured securely. Guidance is not provided for all available policy settings in Windows XP, just those that are directly relevant to the security of the computer.

As described in Chapter 1, "Introduction to the Windows XP Security Guide," the guidance that is presented in this chapter is specific to the Enterprise Client (EC) and the Specialized Security – Limited Functionality (SSLF) environments that are defined in this guide. In some instances, this chapter recommends policy settings for laptops that are different from those for desktops because portable computers are mobile and not always connected to domain controllers in your environment through your organization’s network. It is also assumed that laptop users sometimes work at different times when on-site technical support is not available. For these reasons, policy settings that require connectivity to a domain controller or that govern logon hours are different for laptop client computers.

Policy settings that are not specified for specific environments are sometimes defined at the domain level, as described in Chapter 2, "Configuring the Active Directory Domain Infrastructure." Other policy settings that are listed as Not Defined in this chapter are treated in this manner because the default value is sufficiently secure for that particular environment. Also, undefined policy settings in these Group Policy objects (GPOs) facilitate the deployment of applications that need to modify settings during installation. For example, enterprise management tools may need to assign specific user rights to the local service accounts on managed computers. The guidance in this chapter consists of recommendations, and you should always carefully consider your business needs before you make any changes in your environment.

The following table defines the infrastructure (.inf) files that are available with this guidance. The files contain all of the baseline security setting prescriptions for the two environments that are discussed in this chapter.

Table 3.1 Baseline Security Templates

Description                              | EC             | SSLF
-----------------------------------------|----------------|------------------
Baseline security templates for desktops | EC-Desktop.inf | SSLF-Desktop.inf
Baseline security templates for laptops  | EC-Laptop.inf  | SSLF-Laptop.inf

For more detailed information about the policy settings that are discussed in this chapter, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available for download at https://go.microsoft.com/fwlink/?LinkId=15159.

Account Policy Settings

Account policy setting information is not provided in this chapter. These settings are discussed in Chapter 2, "Configuring the Active Directory Domain Infrastructure," of this guide.

Local Policy Settings

Local policy settings may be configured on any computer that runs Windows XP Professional through either the Local Security Policy Console or through the Active Directory domain-based GPOs. Local policy settings include those for Audit policy, user rights assignments, and security options.

Audit Policy Settings

An Audit policy determines the security events to report to administrators so that user or system activity in specified event categories is recorded. The administrator can monitor security-related activity, such as who accesses an object, when users log on to or log off from computers, or if changes are made to an Audit policy setting. For all of these reasons, Microsoft recommends that you form an Audit policy for an administrator to implement in your environment.

However, before you implement an Audit policy you must decide which event categories need to be audited in your environment. The audit settings you choose within the event categories define your Audit policy. When you define audit settings for specific event categories, an administrator can create an Audit policy that will meet the security needs of your organization.

If no audit settings are configured, it will be difficult or impossible to determine what took place during a security incident. However, if audit settings are configured so that too many authorized activities generate events, the Security event log will fill up with useless data. The information in the following sections is designed to help you decide what to monitor and how to collect relevant audit data for your organization.

You can configure the Audit policy settings in Windows XP at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

The following table summarizes the Audit policy setting recommendations for both desktop and laptop client computers in the two types of secure environments that are discussed in this chapter. The Enterprise Client environment is referred to as EC, and the Specialized Security – Limited Functionality environment is referred to as SSLF. You should review these recommendations and adjust them as appropriate for your organization. However, be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for Audit privilege use, so many audit events will be generated that it may not be feasible to find other types of entries in the Security event log. Such a configuration could also have a significant impact on performance. More detailed information about each of the settings is provided in the following subsections.

Table 3.2 Audit Policy Setting Recommendations

Setting                        | EC desktop  | EC laptop   | SSLF desktop     | SSLF laptop
-------------------------------|-------------|-------------|------------------|------------------
Audit account logon events     | Success     | Success     | Success, Failure | Success, Failure
Audit account management       | Success     | Success     | Success, Failure | Success, Failure
Audit directory service access | Not Defined | Not Defined | Not Defined      | Not Defined
Audit logon events             | Success     | Success     | Success, Failure | Success, Failure
Audit object access            | No Auditing | No Auditing | Failure          | Failure
Audit policy change            | Success     | Success     | Success          | Success
Audit privilege use            | No Auditing | No Auditing | Failure          | Failure
Audit process tracking         | No Auditing | No Auditing | No Auditing      | No Auditing
Audit system events            | Success     | Success     | Success          | Success
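The recommendations in Table 3.2 are what the EC-*.inf and SSLF-*.inf templates carry in their [Event Audit] section, where secedit stores each category as a small integer (0 = no auditing, 1 = success, 2 = failure, 3 = success and failure) and leaves a Not Defined category out of the file entirely. The following checker is an added example written for this chapter, not code from the guide or from Microsoft: it parses a template and reports every category that deviates from the Table 3.2 column for the chosen environment. The template text embedded in it is constructed for the example, with two deliberate deviations from the SSLF baseline; the function and variable names are this example's own.

```python
"""Compare the [Event Audit] section of a secedit .inf template with the
Table 3.2 audit policy recommendations.  Added example, not code from the
Windows XP Security Guide; SAMPLE_TEMPLATE below is constructed."""
import configparser

# secedit bitmask values for each audit category.
NO_AUDITING, SUCCESS, FAILURE, SUCCESS_FAILURE = 0, 1, 2, 3
LABELS = {0: "No Auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Table 3.2, keyed by the template's own key names.  None means Not Defined,
# i.e. the key must be absent.  Desktop and laptop columns are identical in
# Table 3.2, so one map per environment is enough.
RECOMMENDED = {
    "EC": {
        "AuditAccountLogon": SUCCESS,
        "AuditAccountManage": SUCCESS,
        "AuditDSAccess": None,
        "AuditLogonEvents": SUCCESS,
        "AuditObjectAccess": NO_AUDITING,
        "AuditPolicyChange": SUCCESS,
        "AuditPrivilegeUse": NO_AUDITING,
        "AuditProcessTracking": NO_AUDITING,
        "AuditSystemEvents": SUCCESS,
    },
    "SSLF": {
        "AuditAccountLogon": SUCCESS_FAILURE,
        "AuditAccountManage": SUCCESS_FAILURE,
        "AuditDSAccess": None,
        "AuditLogonEvents": SUCCESS_FAILURE,
        "AuditObjectAccess": FAILURE,
        "AuditPolicyChange": SUCCESS,
        "AuditPrivilegeUse": FAILURE,
        "AuditProcessTracking": NO_AUDITING,
        "AuditSystemEvents": SUCCESS,
    },
}

# Constructed sample: an SSLF-style template with two deviations (object
# access audits successes too, and privilege use auditing is missing).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditAccountLogon = 3
"""


def load_template(text):
    """Parse .inf text; keep key case because secedit key names are case-sensitive."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def check_audit_policy(template_text, environment):
    """Return (key, recommended, actual) for every category that deviates
    from the Table 3.2 column for `environment` ("EC" or "SSLF")."""
    cfg = load_template(template_text)
    present = {}
    if cfg.has_section("Event Audit"):
        present = {key: int(value) for key, value in cfg.items("Event Audit")}
    findings = []
    for key, expected in RECOMMENDED[environment].items():
        actual = present.get(key)
        if expected is None:
            if actual is not None:
                findings.append((key, "Not Defined", LABELS[actual]))
        elif actual is None:
            findings.append((key, LABELS[expected], "Not Defined"))
        elif actual != expected:
            findings.append((key, LABELS[expected], LABELS[actual]))
    return findings


if __name__ == "__main__":
    for key, want, got in check_audit_policy(SAMPLE_TEMPLATE, "SSLF"):
        print(f"{key}: recommended {want}, template has {got}")
```

Running the sample against the SSLF column reports the two planted deviations; running it against the EC column reports five, because the sample audits failures in categories where EC audits only successes. To check a real exported template, pass the file contents to check_audit_policy in place of SAMPLE_TEMPLATE.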

Audit account logon events

If this policy setting is enabled, events for credential validation are generated. These events occur on the computer that is authoritative for the credentials. For domain accounts the domain controller is authoritative, and for local accounts the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization depending on the accounts that are used to log on.

In this guidance, the Audit account logon events setting is configured to Success only for the EC environment and to Success and Failure for the SSLF environment.

Audit account management

This policy setting is used to track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.

The Audit account management setting is configured to Success for the EC environment and to Success and Failure for the SSLF environment.

Audit directory service access

This policy setting can only be enabled to perform audit tasks on domain controllers. For this reason, the setting is not defined at the workstation level. This policy setting does not apply to computers that run Windows XP Professional. Therefore, ensure that the Audit directory service access setting is configured to Not Defined for the two environments that are discussed in this chapter.

Audit logon events

This policy setting generates events that record the creation and destruction of logon sessions. These events occur on the computer that is accessed. For interactive logons, these events would be generated on the computer that was logged on to. If a network logon was performed to access a share, these events would be generated on the computer that hosts the resource that was accessed.

If you configure the Audit logon events setting to No auditing, it is difficult or impossible to determine which user has either accessed or attempted to access computers in the organization.

The Audit logon events setting is configured to log Success events for the EC environment. This policy setting is configured to Success and Failure events for the SSLF environment.

Audit object access

By itself, this policy setting will not cause any events to be audited. It determines whether to audit the event of a user who accesses an object—for example, a file, folder, registry key, or printer—that has a specified system access control list (SACL).

A SACL is comprised of access control entries (ACEs). Each ACE contains three pieces of information:

  • The security principal (user, computer, or group) to be audited.
  • The specific access type to be audited, called an access mask.
  • A flag to indicate whether to audit failed access events, successful access events, or both.

If you configure the Audit object access setting to Success, an audit entry is generated each time that a user successfully accesses an object with a specified SACL. If you configure this policy setting to Failure, an audit entry is generated each time that a user unsuccessfully attempts to access an object with a specified SACL.

Organizations should define only the actions they want enabled when they configure SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track when they are changed or replaced, because computer viruses, worms, and Trojan horses typically target executable files. Similarly, you might want to track when sensitive documents are accessed or changed.

The Audit object access setting is configured to No Auditing for the EC environment and to Failure for the SSLF environment. You must enable this setting for the following procedures to take effect.

The following procedures detail how to manually set up audit rules on a file or folder and how to test each audit rule for each object in the specified file or folder. The testing procedure may be automated by means of a script file.

To define an audit rule for a file or folder

  1. Locate the file or folder using Windows Explorer and select it.
  2. Click the File menu and select Properties.
  3. Click the Security tab, and then click the Advanced button.
  4. Click the Auditing tab.
  5. Click the Add button, and the Select User, Computer, or Group dialog box will display.
  6. Click the Object Types... button, and in the Object Types dialog box select the object types you want to find. Note: The User, Group, and Built-in security principal object types are selected by default.
  7. Click the Locations... button, and in the Location: dialog box select either your domain or local computer.
  8. In the Select User or Group dialog box, type the name of the group or user you want to audit. Then, in the Enter the object names to select dialog box, type Authenticated Users (to audit the access of all authenticated users) and click OK. The Auditing Entry dialog box will display.
  9. Determine the type of access you want to audit on the file or folder using the Auditing Entry dialog box. Note: Remember that each access may generate multiple events in the event log and cause it to grow rapidly.
  10. In the Auditing Entry dialog box, next to List Folder / Read Data, select Successful and Failed, and then click OK.
  11. The audit entries you have enabled will display under the Auditing tab of the Advanced Security Setting dialog box.
  12. Click OK to close the Properties dialog box.

To test an audit rule for the file or folder

  1. Open the file or folder.
  2. Close the file or folder.
  3. Start the Event Viewer. Several Object Access events with Event ID 560 will appear in the Security event log.
  4. Double-click the events as needed to view their details.
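The two ingredients described above (the Audit object access policy value and an audit ACE in the object's SACL naming a principal, an access mask and a success/failure flag) combine in a way that is easy to get wrong: the policy alone produces nothing, and an ACE alone produces nothing. The model below is an added example written for this chapter, not Microsoft's code or the actual Windows access-check implementation. The access-mask bits and audit ACE flag values are the real Win32 constants; the objects, the principals and their group memberships are constructed, and the function names are this example's own. The first SACL reproduces the rule set up in the procedure above (Authenticated Users, List Folder / Read Data, Successful and Failed); the second reproduces the earlier suggestion of auditing writes to executable files.

```python
"""Model of how the Audit object access policy and an object's SACL decide
whether an access attempt is recorded.  Added example, not Windows code;
objects, principals and group memberships below are constructed."""
from dataclasses import dataclass, field

# File access mask bits (Win32 values) with their Auditing Entry dialog names.
FILE_READ_DATA = 0x0001    # "List Folder / Read Data"
FILE_WRITE_DATA = 0x0002   # "Create Files / Write Data"
FILE_APPEND_DATA = 0x0004  # "Create Folders / Append Data"
FILE_EXECUTE = 0x0020      # "Traverse Folder / Execute File"

# Audit ACE flags: which outcome(s) the entry records.
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40
FAILED_ACCESS_ACE_FLAG = 0x80


@dataclass
class AuditAce:
    principal: str     # user, computer or group to be audited
    access_mask: int   # access types to be audited
    flags: int         # SUCCESSFUL_ACCESS_ACE_FLAG and/or FAILED_ACCESS_ACE_FLAG


@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)  # groups carried in the access token


def is_audited(policy, sacl, actor, requested_mask, succeeded):
    """Return True if this access attempt produces a Security log event.

    `policy` is the Audit object access value as written in Table 3.2
    ("No Auditing", "Success", "Failure" or "Success, Failure").  The policy
    alone never produces an event: the object also needs an audit ACE that
    names the actor or one of its groups, overlaps the requested access, and
    covers the outcome that actually occurred."""
    outcome_enabled = ("Success" in policy) if succeeded else ("Failure" in policy)
    if not outcome_enabled:
        return False
    outcome_flag = SUCCESSFUL_ACCESS_ACE_FLAG if succeeded else FAILED_ACCESS_ACE_FLAG
    for ace in sacl:
        names_actor = ace.principal == actor.name or ace.principal in actor.groups
        if names_actor and (ace.access_mask & requested_mask) and (ace.flags & outcome_flag):
            return True
    return False


# Constructed SACLs.  The first is the rule from the procedure above.
PAYROLL_SACL = [
    AuditAce("Authenticated Users", FILE_READ_DATA,
             SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG),
]
# Record anyone changing or replacing an executable, as suggested earlier.
EXE_SACL = [
    AuditAce("Everyone", FILE_WRITE_DATA | FILE_APPEND_DATA,
             SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG),
]

# Constructed principals: an ordinary domain user, and a token that carries
# Everyone but not Authenticated Users.
alice = Principal("alice", {"Authenticated Users", "Everyone", "Users"})
outsider = Principal("outsider", {"Everyone"})


if __name__ == "__main__":
    for policy in ("No Auditing", "Failure", "Success, Failure"):
        for ok in (True, False):
            audited = is_audited(policy, PAYROLL_SACL, alice, FILE_READ_DATA, ok)
            print(f"{policy:17} read {'granted' if ok else 'denied':7}: event={audited}")
```

With the EC value of No Auditing, alice's reads of the payroll folder produce no event even though the SACL names her; with the SSLF value of Failure only denied reads are recorded; and a write attempt is never recorded by PAYROLL_SACL because its mask covers only List Folder / Read Data. The same function shows why the Failure-only SSLF setting is cheap: successful day-to-day access never reaches the log.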

Audit policy change

This policy setting determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate—for example, by adding the Debug programs privilege or the Back up files and directories privilege.

The Audit policy change setting is configured to Success for the two environments that are discussed in this chapter. The setting value for Failure is not included because it will not provide meaningful access information in the Security event log.

Audit privilege use

This policy setting determines whether to audit each instance of a user exercising a user right. If you configure this value to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure this value to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. This policy setting can generate a very large number of event records.

The Audit privilege use setting is configured to No Auditing for computers in the EC environment and to Failure for the SSLF environment to audit all unsuccessful attempts to use privileges.

Audit process tracking

This policy setting determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so typically it is set to No Auditing. However, this setting can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched.

The Audit process tracking setting is configured to No Auditing for the two environments that are discussed in this chapter.

Audit system events

This policy setting is very important because it allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system.

The Audit system events setting is configured to Success for both of the environments that are discussed in this chapter.

User Rights Assignment Settings

In conjunction with many of the privileged groups in Windows XP Professional, a number of user rights may be assigned to certain users or groups that typical users do not have.

To set the value of a user right to No One, enable the setting but do not add any users or groups to it. To set the value of a user right to Not Defined, do not enable the setting.

You can configure the user rights assignment settings in Windows XP at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

The following table summarizes user rights assignment setting recommendations for user rights that begin with the letters A through E. Recommendations are provided for both desktop and laptop client computers in the two types of secure environments that are discussed in this chapter. More detailed information about each of the settings is provided in the following subsections.

Recommendations for user rights that begin with the rest of the letters in the alphabet are summarized in Table 3.4, and additional detailed information about those user rights is provided in the subsections that follow that table.

Note: Many features in Internet Information Server (IIS) require certain accounts such as IIS_WPG, IUSR_<ComputerName>, and IWAM_<ComputerName> to have specific privileges. For more information about what user rights are required by accounts that are related to IIS, see “IIS and Built-in Accounts (IIS 6.0)” at https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx.

User Rights A – E

Table 3.3 User Rights Assignment Setting Recommendations – Part 1

Setting                                                        | EC desktop             | EC laptop              | SSLF desktop                                      | SSLF laptop
---------------------------------------------------------------|------------------------|------------------------|---------------------------------------------------|---------------------------------------------------
Access this computer from network                              | Not Defined            | Not Defined            | Administrators                                    | Administrators
Act as part of the operating system                            | No One                 | No One                 | No One                                            | No One
Adjust memory quotas for a process                             | Not Defined            | Not Defined            | Administrators, Local Service, Network Service    | Administrators, Local Service, Network Service
Allow log on locally                                           | Users, Administrators  | Users, Administrators  | Users, Administrators                             | Users, Administrators
Allow log on through Terminal Services                         | Not Defined            | Not Defined            | No One                                            | No One
Back up files and directories                                  | Not Defined            | Not Defined            | Administrators                                    | Administrators
Bypass traverse checking                                       | Not Defined            | Not Defined            | Administrators, Users                             | Administrators, Users
Change the system time                                         | Administrators         | Administrators         | Administrators                                    | Administrators
Create a pagefile                                              | Administrators         | Administrators         | Administrators                                    | Administrators
Create permanent shared objects                                | Not Defined            | Not Defined            | No One                                            | No One
Create a token object                                          | Not Defined            | Not Defined            | No One                                            | No One
Debug programs                                                 | Administrators         | Administrators         | No One                                            | No One
Deny access to this computer from the network                  | Support_388945a0, Guest | Support_388945a0, Guest | Support_388945a0, Guest                         | Support_388945a0, Guest
Deny log on as a batch job                                     | Not Defined            | Not Defined            | Support_388945a0, Guest                           | Support_388945a0, Guest
Deny log on locally                                            | Not Defined            | Not Defined            | Support_388945a0, Guest, any service accounts     | Support_388945a0, Guest, any service accounts
Deny log on through Terminal Services                          | Not Defined            | Not Defined            | Everyone                                          | Everyone
Enable computer and user accounts to be trusted for delegation | Not Defined            | Not Defined            | No One                                            | No One
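In the SSLF templates the rows of Table 3.3 become entries in the [Privilege Rights] section of the .inf file, where each user right is stored under its privilege constant (for example SeDebugPrivilege for Debug programs) with a comma-separated list of SIDs prefixed by an asterisk; No One is an entry with an empty value, and Not Defined is an entry that is absent. The checker below is an added example written for this chapter, not code from the guide or from Microsoft. The privilege constants and well-known SIDs are the real values Windows uses; the sample template is constructed, with two deliberate departures from the SSLF column, and the function names are this example's own. It covers only rights whose principals are well-known SIDs: the Support_388945a0 and Guest entries use machine-specific SIDs, so a check for those needs the local SID of each account and is left out here.

```python
"""Compare the [Privilege Rights] section of a secedit .inf template with
selected SSLF rows of Table 3.3.  Added example, not code from the Windows XP
Security Guide; SAMPLE_TEMPLATE below is constructed."""
import configparser

# Well-known SIDs as they appear in templates (written with a leading '*').
SID_NAMES = {
    "S-1-1-0": "Everyone",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Setting name used in this chapter -> secedit privilege constant.
PRIVILEGE_KEYS = {
    "Access this computer from network": "SeNetworkLogonRight",
    "Act as part of the operating system": "SeTcbPrivilege",
    "Adjust memory quotas for a process": "SeIncreaseQuotaPrivilege",
    "Allow log on locally": "SeInteractiveLogonRight",
    "Allow log on through Terminal Services": "SeRemoteInteractiveLogonRight",
    "Back up files and directories": "SeBackupPrivilege",
    "Bypass traverse checking": "SeChangeNotifyPrivilege",
    "Create a token object": "SeCreateTokenPrivilege",
    "Debug programs": "SeDebugPrivilege",
    "Deny log on through Terminal Services": "SeDenyRemoteInteractiveLogonRight",
}

# SSLF column of Table 3.3 for the rights above (desktop and laptop are the
# same).  An empty set means No One.
SSLF_EXPECTED = {
    "SeNetworkLogonRight": {"Administrators"},
    "SeTcbPrivilege": set(),
    "SeIncreaseQuotaPrivilege": {"Administrators", "Local Service", "Network Service"},
    "SeInteractiveLogonRight": {"Users", "Administrators"},
    "SeRemoteInteractiveLogonRight": set(),
    "SeBackupPrivilege": {"Administrators"},
    "SeChangeNotifyPrivilege": {"Administrators", "Users"},
    "SeCreateTokenPrivilege": set(),
    "SeDebugPrivilege": set(),
    "SeDenyRemoteInteractiveLogonRight": {"Everyone"},
}

# Constructed sample with two departures from SSLF: Terminal Services logon is
# granted to Remote Desktop Users, and Debug programs is left at Administrators.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeTcbPrivilege =
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
SeInteractiveLogonRight = *S-1-5-32-545,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-1-0
"""


def parse_principals(value):
    """'*S-1-5-32-544,*S-1-5-19' -> {'Administrators', 'Local Service'}.
    Unknown (e.g. machine-specific) SIDs are kept as raw strings."""
    names = set()
    for item in value.split(","):
        item = item.strip().lstrip("*")
        if item:
            names.add(SID_NAMES.get(item, item))
    return names


def check_privileges(template_text, expected):
    """Return (privilege, assigned, recommended) for each deviation; assigned
    is None when the right is Not Defined (absent from the template)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(template_text)
    assigned = {}
    if cfg.has_section("Privilege Rights"):
        assigned = dict(cfg.items("Privilege Rights"))
    findings = []
    for key, want in expected.items():
        if key not in assigned:
            findings.append((key, None, sorted(want)))
        else:
            got = parse_principals(assigned[key])
            if got != want:
                findings.append((key, sorted(got), sorted(want)))
    return findings


if __name__ == "__main__":
    for key, got, want in check_privileges(SAMPLE_TEMPLATE, SSLF_EXPECTED):
        print(f"{key}: template has {got if got is not None else 'Not Defined'},"
              f" SSLF recommends {want or 'No One'}")
```

The distinction between an empty value and an absent key matters when reading these reports: an absent SeDebugPrivilege leaves the computer at its default, whereas `SeDebugPrivilege =` actively removes the right from everyone, which is what the SSLF column asks for.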

Access this computer from network

This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)–based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).

The Access this computer from network setting is configured to Not Defined for the EC environment and to Administrators for the SSLF environment.

Act as part of the operating system

This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.

For this reason, the Act as part of the operating system setting is restricted to No One for both of the environments that are discussed in this chapter.

Adjust memory quotas for a process

This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack.

For this reason, the Adjust memory quotas for a process setting is restricted to Administrators, Local Service, and Network Service for both computer types for the SSLF environment and configured to Not Defined for computers for the EC environment.

Allow log on locally

This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or Microsoft Internet Information Services (IIS) also require this user right.

The Guest account is assigned this user right by default. Although this account is disabled by default, Microsoft recommends that you enable this setting through Group Policy. However, this user right should generally be restricted to the Administrators and Users groups. Assign this user right to the Backup Operators group if your organization requires that they have this capability.

The Allow log on locally setting is restricted to the Users and Administrators groups for the two environments that are discussed in this chapter.

Allow log on through Terminal Services

This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, then assign this user right only to the Administrators group or use the restricted groups feature to ensure that no user accounts are part of the Remote Desktop Users group.

Restrict this user right to the Administrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the new Remote Assistance feature in Windows XP Professional.

The Allow log on through Terminal Services setting is configured to Not Defined for the EC environment. For additional security this policy setting is configured to No One for the SSLF environment.

Back up files and directories

This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, the assigned file and directory permissions apply.

The Back up files and directories setting is configured to Not Defined for computers in the EC environment. This policy setting is configured to the Administrators group for the SSLF environment.

Bypass traverse checking

This policy setting allows users who do not have the special “Traverse Folder” access permission to “pass through” folders when they navigate an object path in the NTFS file system or in the registry. This user right does not allow users to list the contents of a folder, but only allows them to traverse directories.

The Bypass traverse checking setting is configured to Not Defined for computers in the EC environment. It is configured to the Administrators and Users groups for the SSLF environment.

Change the system time

This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer’s time setting is changed, logged events reflect the new time, not the actual time that the events occurred.

The Change the system time setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Note: Discrepancies between the time on the local computer and on the domain controllers in your environment may cause problems for the Kerberos authentication protocol, which could make it impossible for users to log on to the domain or obtain authorization to access domain resources after they are logged on. Also, problems will occur when Group Policy is applied to client computers if the system time is not synchronized with the domain controllers.

Create a pagefile

This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer.

The Create a pagefile setting is configured to the Administrators for all computers for both the EC environment and the SSLF environment.

Create permanent shared objects

This policy setting allows users to create directory objects in the object manager. This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right.

The Create permanent shared objects setting is configured to Not Defined for the EC environment and to No One for the SSLF environment.

Create a token object

This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. In environments where security is a high priority, this user right should not be assigned to any users. Any processes that require this capability should use the Local System account, which is assigned this user right by default.

The Create a token object setting is configured to Not Defined for the EC environment and to No One for the SSLF environment.

Debug programs

This policy setting determines which users can attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. This user right is required when administrators want to take advantage of patches that support “in-memory patching,” also known as “hotpatching.” For more information about the latest features in the Microsoft Package Installer, see “The Package Installer (Formerly Called Update.exe) for Microsoft Windows Operating Systems and Windows Components” at https://www.microsoft.com/technet/prodtechnol/windowsserver2003/deployment/winupdte.mspx. Because an attacker could exploit this user right, it is assigned only to the Administrators group by default.

Note: Microsoft released several security patches in October 2003 that used a version of Update.exe that required the administrator to have the Debug programs user right. Administrators who did not have this user right were unable to install these patches until they reconfigured their user rights. For more information, see the Microsoft Knowledge Base article “Windows Product Updates may stop responding or may use most or all the CPU resources” at https://support.microsoft.com/default.aspx?kbid=830846.

The Debug programs user right is very powerful. Therefore, this policy setting is configured to Administrators for the EC environment and maintained at its default setting of No One for the SSLF environment.

Deny access to this computer from the network

This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In a high security environment, there should be no need for remote users to access data on a computer. Instead, file sharing should be accomplished through the use of network servers.

The Deny access to this computer from the network setting is configured to the Support_388945a0 and Guest accounts for computers in both of the environments that are discussed in this chapter.

Deny log on as a batch job

This policy setting prohibits user logon through a batch-queue facility, a feature in Windows Server 2003 that is used to schedule jobs to run automatically one or more times in the future.

The Deny log on as a batch job setting is configured to Not Defined for the EC environment and to Support_388945a0 and Guest for the SSLF environment.

Deny log on locally

This policy setting prohibits users from local logon to the computer console. If unauthorized users could log on locally to a computer, they could download malicious code or elevate their privileges on the computer. (If attackers have physical access to the console, there are other risks to consider.) This user right should not be assigned to those users who need physical access to the computer console.

The Deny log on locally setting is configured to Not Defined for the EC environment and to Support_388945a0 and Guest for the SSLF environment. Also, any service accounts for the SSLF environment that are added to the computer should be assigned this user right to prevent their abuse.

Deny log on through Terminal Services

This policy setting prohibits users from logging on to computers in your environment through Remote Desktop connections. If you assign this user right to the Everyone group, you also prevent members of the default Administrators group from using Terminal Services to log on to computers in your environment.

The Deny log on through Terminal Services setting is configured to Not Defined for the EC environment and to the Everyone group for the SSLF environment.

Enable computer and user accounts to be trusted for delegation

This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.

For this reason, the Enable computer and user accounts to be trusted for delegation setting is configured to Not Defined for the EC environment and to No One for the SSLF environment.

User Rights F – T

Table 3.4 User Rights Assignment Setting Recommendations – Part 2

Setting                                  | EC desktop                     | EC laptop                      | SSLF desktop                   | SSLF laptop
-----------------------------------------|--------------------------------|--------------------------------|--------------------------------|-------------------------------
Force shutdown from a remote system      | Administrators                 | Administrators                 | Administrators                 | Administrators
Generate Security Audits                 | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service
Increase scheduling priority             | Administrators                 | Administrators                 | Administrators                 | Administrators
Load and unload device drivers           | Administrators                 | Administrators                 | Administrators                 | Administrators
Lock pages in memory                     | No One                         | No One                         | No One                         | No One
Log on as a batch job                    | Not Defined                    | Not Defined                    | No One                         | No One
Log on as a service                      | Not Defined                    | Not Defined                    | Network Service, Local Service | Network Service, Local Service
Manage auditing and security log         | Administrators                 | Administrators                 | Administrators                 | Administrators
Modify firmware environment variables    | Administrators                 | Administrators                 | Administrators                 | Administrators
Perform volume maintenance tasks         | Administrators                 | Administrators                 | Administrators                 | Administrators
Profile single process                   | Not Defined                    | Not Defined                    | Administrators                 | Administrators
Profile system performance               | Administrators                 | Administrators                 | Administrators                 | Administrators
Remove computer from docking station     | Administrators, Users          | Administrators, Users          | Administrators, Users          | Administrators, Users
Replace a process level token            | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service
Restore files and directories            | Not Defined                    | Not Defined                    | Administrators                 | Administrators
Shut down the system                     | Administrators, Users          | Administrators, Users          | Administrators, Users          | Administrators, Users
Take ownership of files or other objects | Administrators                 | Administrators                 | Administrators                 | Administrators

This table summarizes user rights assignment setting recommendations for user rights that begin with the letters F through T. More detailed information about each of the settings is provided in the following subsections.

Force shutdown from a remote system

This policy setting allows users to shut down Windows XP–based computers from remote locations on the network. Anyone that has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user requests. Therefore, Microsoft recommends that only highly trusted administrators be assigned this user right.

The Force shutdown from a remote system setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Generate Security Audits

This policy setting determines which users or processes can generate audit records in the Security log. An attacker could use this capability to create a large number of audited events, which would make it more difficult for a system administrator to locate any illicit activity. Also, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities could be overwritten by a large number of unrelated events.

For this reason, the Generate Security Audits setting is restricted to the Local Service and Network Service accounts, which hold this right by default, for both of the environments that are discussed in this chapter.

Increase scheduling priority

This policy setting allows users to raise the scheduling priority of a process, and with it the share of processor time that the process receives. An attacker could use this capability to raise a process to real-time priority and create a denial of service condition for a computer.

For this reason, the Increase scheduling priority setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Load and unload device drivers

This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver and that then runs in kernel mode with full control of the computer. This user right and membership in either the Power Users group or the Administrators group is required for users to add local printers or printer drivers in Windows XP.

Because this user right could be used by an attacker, the Load and unload device drivers setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Lock pages in memory

This policy setting allows a process to keep data in physical memory, which prevents the system from paging that data out to disk. A process that holds this right can tie up physical memory that other processes need, so if this user right is assigned, significant degradation of system performance can occur.

For this reason, the Lock pages in memory setting is configured to No One for both of the environments that are discussed in this chapter.

Log on as a batch job

This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in the EC environment. However, its use should be restricted in the SSLF environment to prevent misuse of system resources or to prevent attackers from using the right to launch malicious code after gaining user level access to a computer.

Therefore, the Log on as a batch job user right is configured to Not Defined for the EC environment and to No One for the SSLF environment.

Log on as a service

This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in an SSLF environment, but because many applications may require this privilege, it should be carefully evaluated and tested before you configure it in an EC environment.

The Log on as a service setting is configured to Not Defined for the EC environment and to Network Service and Local Service for the SSLF environment.

Manage auditing and security log

This policy setting determines which users can change the auditing options for files and directories as well as clear the Security log.

Because the default value already limits this capability to administrators, the Manage auditing and security log setting enforces the default value of the Administrators group for both of the environments that are discussed in this chapter. Keep in mind that anyone who holds this right can clear the Security log, which erases the record of earlier activity on the computer.

Modify firmware environment variables

This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values could lead to a hardware failure that would result in a denial of service condition.

Because this capability represents a relatively small threat, the Modify firmware environment variables setting enforces the default value of the Administrators group for both of the environments that are discussed in this chapter.

Perform volume maintenance tasks

This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial of service condition.

The Perform volume maintenance tasks setting enforces the default value of the Administrators group for both of the environments that are discussed in this chapter.

Profile single process

This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI). Restricting the Profile single process user right prevents intruders from gaining additional information that could be used to mount an attack on the system.

The Profile single process setting is configured to Not Defined for computers in the EC environment and to the Administrators group for the SSLF environment.

Profile system performance

This policy setting allows users to use tools to view the performance of different system processes. An attacker could abuse it to determine which processes are active on a computer, which gives insight into the computer's potential attack surface.

The Profile system performance setting enforces the default of the Administrators group for both of the environments that are discussed in this chapter.

Remove computer from docking station

This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer.

The Remove computer from docking station setting is configured to the Administrators and Users groups for both of the environments that are discussed in this chapter.

Replace a process level token

This policy setting allows one process or service to start another process or service with a different security access token. An attacker who holds this right could give the child process a token that carries more privileges than the parent, which results in the escalation of privileges.

The Replace a process level token setting is configured to the default values of Local Service and Network Service for both of the environments that are discussed in this chapter.

Restore files and directories

This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows XP in your environment. This user right also determines which users can set valid security principals as object owners; it is similar to the Back up files and directories user right.

The Restore files and directories setting is configured to Not Defined for the EC environment and to the Administrators group for the SSLF environment.

Shut down the system

This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. In high security environments, Microsoft recommends that this right only be assigned to the Administrators and Users groups.

The Shut down the system setting is configured to the Administrators and Users groups for both of the environments that are discussed in this chapter.

Take ownership of files or other objects

This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects and gives ownership to the specified user.

The Take ownership of files or other objects setting is configured to the default value of the Administrators group for both of the environments that are discussed in this chapter.
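The following Python script is an added example, not part of the guide, that checks what a client actually has against the user rights table above. Export the effective local policy on the client with secedit /export /cfg C:\rights.inf /areas USER_RIGHTS and feed that file to the script (the file can be copied to any machine with Python). The export names each right by its privilege constant (SeRemoteShutdownPrivilege for Force shutdown from a remote system, and so on) and lists holders as SIDs prefixed with an asterisk; the constant-to-setting mapping and the well-known SIDs used below are the standard ones that security templates use. The script preserves the distinction the tables rely on: No One is an assignment with no holders, whereas Not Defined means the template says nothing and the existing local value stands, so the EC baseline skips those rights. The embedded sample export is constructed for the example and deliberately drifts in four places.

```python
"""Compare the user rights in a secedit export with the guide's recommendations."""
import configparser

# Well-known SIDs as they appear in a secedit export (prefixed with '*').
SID_NAMES = {
    "*S-1-5-32-544": "Administrators",
    "*S-1-5-32-545": "Users",
    "*S-1-5-32-547": "Power Users",
    "*S-1-5-32-551": "Backup Operators",
    "*S-1-5-19": "Local Service",
    "*S-1-5-20": "Network Service",
}

# SSLF recommendations for the rights F through T, keyed by privilege constant.
# An empty set means "No One"; None means "Not Defined" (used by the EC baseline).
SSLF_RIGHTS = {
    "SeRemoteShutdownPrivilege": {"Administrators"},             # Force shutdown from a remote system
    "SeAuditPrivilege": {"Local Service", "Network Service"},     # Generate security audits
    "SeIncreaseBasePriorityPrivilege": {"Administrators"},        # Increase scheduling priority
    "SeLoadDriverPrivilege": {"Administrators"},                  # Load and unload device drivers
    "SeLockMemoryPrivilege": set(),                               # Lock pages in memory: No One
    "SeBatchLogonRight": set(),                                   # Log on as a batch job: No One
    "SeServiceLogonRight": {"Network Service", "Local Service"},  # Log on as a service
    "SeSecurityPrivilege": {"Administrators"},                    # Manage auditing and security log
    "SeSystemEnvironmentPrivilege": {"Administrators"},           # Modify firmware environment variables
    "SeManageVolumePrivilege": {"Administrators"},                # Perform volume maintenance tasks
    "SeProfileSingleProcessPrivilege": {"Administrators"},        # Profile single process
    "SeSystemProfilePrivilege": {"Administrators"},               # Profile system performance
    "SeUndockPrivilege": {"Administrators", "Users"},             # Remove computer from docking station
    "SeAssignPrimaryTokenPrivilege": {"Local Service", "Network Service"},  # Replace a process level token
    "SeRestorePrivilege": {"Administrators"},                     # Restore files and directories
    "SeShutdownPrivilege": {"Administrators", "Users"},           # Shut down the system
    "SeTakeOwnershipPrivilege": {"Administrators"},               # Take ownership of files or other objects
}

# The EC baseline leaves four of these rights Not Defined, so an audit against
# it must not flag whatever the computer currently has for them.
EC_NOT_DEFINED = ("SeBatchLogonRight", "SeServiceLogonRight",
                  "SeProfileSingleProcessPrivilege", "SeRestorePrivilege")


def ec_baseline():
    baseline = dict(SSLF_RIGHTS)
    for privilege in EC_NOT_DEFINED:
        baseline[privilege] = None
    return baseline


def parse_privilege_rights(inf_text):
    """Return {privilege: set of holder tokens} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str          # keep the case of the privilege names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for privilege, holders in cp.items("Privilege Rights"):
            rights[privilege] = {h.strip() for h in holders.split(",") if h.strip()}
    return rights


def audit(inf_text, baseline):
    """Return {privilege: (expected names, actual names)} for every right that drifts."""
    actual = parse_privilege_rights(inf_text)
    findings = {}
    for privilege, expected in baseline.items():
        if expected is None:
            continue              # Not Defined: the local value, whatever it is, stands
        # A privilege that nobody holds is normally left out of the export, so a
        # missing line is treated the same as an empty assignment (No One).
        holders = {SID_NAMES.get(h, h) for h in actual.get(privilege, set())}
        if holders != expected:
            findings[privilege] = (expected, holders)
    return findings


# Constructed sample export of an SSLF desktop that has drifted in four places:
# Users can shut it down remotely, Administrators may log on as a batch job,
# Power Users can profile processes and Backup Operators can restore files.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544
SeServiceLogonRight = *S-1-5-19,*S-1-5-20
SeSecurityPrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeManageVolumePrivilege = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeSystemProfilePrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for name, baseline in (("SSLF", SSLF_RIGHTS), ("EC", ec_baseline())):
        findings = audit(SAMPLE_INF, baseline)
        print("%s baseline: %d finding(s)" % (name, len(findings)))
        for privilege, (expected, holders) in sorted(findings.items()):
            print("  %-34s expected %s, found %s" % (
                privilege, sorted(expected) or ["No One"], sorted(holders) or ["No One"]))
```

Run against a real export, the same sample drifts show up as four findings under the SSLF baseline but only one under EC, because three of the four rights are Not Defined there; that is the practical difference between the two columns, and the reason an audit must carry the Not Defined state rather than treating it as No One.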

Security Option Settings

The security option settings that are applied through Group Policy on computers that run Windows XP in your environment are used to enable or disable capabilities and features such as floppy disk drive access, CD-ROM drive access, and logon prompts. These settings are also used to configure various other settings, such as those for the digital signing of data, administrator and guest account names, and how driver installation works.

You can configure the security option settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Not all of the settings that are included in this section exist on every type of system. Where a setting is present on a system but not applied by the templates, you may need to modify it manually for the prescribed value to take full effect; alternatively, edit the Group Policy templates individually to include the appropriate setting options so that the prescribed settings are applied.

The following sections provide security option setting recommendations, and are grouped by type of object. Each section includes a table that summarizes the settings, and detailed information is provided in the subsections that follow each table. Recommendations are provided for both desktop and laptop client computers in the two types of secure environments that are discussed in this chapter—the Enterprise Client (EC) environment and the Specialized Security – Limited Functionality (SSLF) environment.

Accounts

The following table summarizes the recommended security option settings for accounts. Additional information is provided in the subsections that follow the table.

Table 3.5 Security Option Setting Recommendations – Accounts

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Accounts: Administrator account status | Not Defined | Not Defined | Enabled | Enabled
Accounts: Guest account status | Disabled | Disabled | Disabled | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled | Enabled
Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended
Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended

Accounts: Administrator account status

This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured.

The Accounts: Administrator account status setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment.

Accounts: Guest account status

This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system.

The Accounts: Guest account status security option setting is configured to Disabled for the two environments that are discussed in this chapter.

Accounts: Limit local account use of blank passwords to console logon only

This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts with blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer.

The Accounts: Limit local account use of blank passwords to console logon only setting is configured to Enabled for the two environments that are discussed in this chapter.

Accounts: Rename administrator account

The built-in local Administrator account has a well-known name that attackers will target. Microsoft recommends that you choose another name for this account, and that you avoid names that denote administrative or elevated access. Be sure to also change the default description of the local Administrator account (through the Computer Management console). Keep in mind that renaming is a speed bump rather than a barrier: the account keeps its well-known relative identifier (RID 500), so anything that enumerates accounts by SID rather than by name still finds it, and a strong password remains the real protection.

The recommendation to use the Accounts: Rename administrator account setting applies to both of the environments that are discussed in this chapter.

Note: This policy setting is not configured in the security templates, nor is a new username for the account suggested in this guidance. Suggested usernames are omitted to ensure that organizations that implement this guidance will not use the same new username in their environments.

Accounts: Rename guest account

The built-in local Guest account is another name that is well known to attackers. Microsoft also recommends that you rename this account to something that does not indicate its purpose. Even if you disable this account (which is recommended), rename it as well for added security.

The recommendation to use the Accounts: Rename guest account setting applies to both of the environments that are discussed in this chapter.

Note: This policy setting is not configured in the security templates, nor is a new username for the account suggested here. Suggested usernames are omitted to ensure that organizations that implement this guidance will not use the same new username in their environments.

Audit

The following table summarizes the recommended Audit settings. Additional information is provided in the subsections that follow the table.

Table 3.6 Security Option Setting Recommendations – Audit

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Audit: Audit the access of global system objects | Not Defined | Not Defined | Disabled | Disabled
Audit: Audit the use of Backup and Restore privilege | Not Defined | Not Defined | Disabled | Disabled
Audit: Shut down system immediately if unable to log security audits | Not Defined | Not Defined | Not Defined | Not Defined

Audit: Audit the access of global system objects

This policy setting creates a default System Access Control List (SACL) for system objects such as mutexes, events, semaphores, and MS-DOS® devices, and causes access to these system objects to be audited.

If the Audit: Audit the access of global system objects setting is enabled, a very large number of security events could quickly fill the Security event log. Therefore, this policy setting is configured to Not Defined for the EC environment and Disabled for the SSLF environment.

Audit: Audit the use of Backup and Restore privilege

This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is backed up or restored.

If the Audit: Audit the use of Backup and Restore privilege setting is enabled, a very large number of security events could quickly fill the Security event log. Therefore, this policy setting is configured to Not Defined for the EC environment and Disabled for the SSLF environment.

Audit: Shut down system immediately if unable to log security audits

This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason.

If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur: a Security log that fills up, whether through normal activity or because an attacker deliberately floods it with events, halts the computer and turns an audit problem into a denial of service condition. Therefore, this policy setting is configured to Not Defined for both of the environments that are discussed in this chapter.

Devices

The following table summarizes the recommended security option settings for devices. Additional information is provided in the subsections that follow the table.

Table 3.7 Security Option Setting Recommendations – Devices

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Devices: Allow undock without having to log on | Not Defined | Not Defined | Disabled | Disabled
Devices: Allowed to format and eject removable media | Administrators, Interactive Users | Administrators, Interactive Users | Administrators | Administrators
Devices: Prevent users from installing printer drivers | Enabled | Disabled | Enabled | Disabled
Devices: Restrict CD-ROM access to locally logged on user only | Not Defined | Not Defined | Disabled | Disabled
Devices: Restrict floppy access to locally logged on user only | Not Defined | Not Defined | Disabled | Disabled
Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Warn but allow installation | Warn but allow installation

Devices: Allow undock without having to log on

This policy setting determines whether a portable computer can be undocked without a user logging on to the system. Enable this policy setting to remove the logon requirement and allow the external hardware eject button to undock the computer. If you disable this policy setting, a user must log on and must hold the Remove computer from docking station user right (which this chapter assigns to the Administrators and Users groups) before the computer can be undocked.

The Devices: Allow undock without having to log on setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Devices: Allowed to format and eject removable media

This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges.

The Devices: Allowed to format and eject removable media setting is restricted to Administrators and Interactive Users for the EC environment, and to Administrators only for the SSLF environment for added security.

Devices: Prevent users from installing printer drivers

It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as something they must install to print, but it could release malicious code on your computer network. To reduce the possibility of such an event, only administrators should be allowed to install printer drivers. However, because laptops are mobile, laptop users may occasionally need to install a printer driver from a remote location in order to continue their work. Therefore, this policy setting should be disabled for laptop users, but always enabled for desktop users.

The Devices: Prevent users from installing printer drivers setting is configured to Enabled for desktops in both of the environments that are discussed in this chapter and to Disabled for laptop users in both of the environments.

Devices: Restrict CD-ROM access to locally logged on user only

This policy setting determines whether the CD-ROM drive is accessible to both local and remote users simultaneously. If you enable this policy setting, only interactively logged on users are allowed to access media from the CD-ROM drive. When this policy setting is enabled and no one is logged on, the CD-ROM drive can be accessed over the network. If you enable this setting, the Windows Backup utility will fail if volume shadow copies were specified for the backup job. Any third-party backup products that use volume shadow copies will also fail.

The Devices: Restrict CD-ROM access to locally logged on user only setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Devices: Restrict floppy access to locally logged on user only

This policy setting determines whether the floppy drive is accessible to both local and remote users simultaneously. If you enable this policy setting, only interactively logged on users are allowed to access floppy drive media. When this policy setting is enabled and no one is logged on, floppy drive media can be accessed over the network. If you enable this setting, the Windows Backup utility will fail if volume shadow copies were specified for the backup job. Any third-party backup products that use volume shadow copies will also fail.

The Devices: Restrict floppy access to locally logged on user only setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Devices: Unsigned driver installation behavior

This policy setting determines what happens when an attempt is made to install a device driver (by means of the Setup API) that has not been tested and signed through the Windows Hardware Quality Lab (WHQL) program. The Do not allow installation option blocks unsigned drivers outright, and the Warn but allow installation option warns the administrator that an unsigned driver is about to be installed; either can keep drivers that have not been certified to run on Windows XP off the computer. One side effect of Warn but allow installation is that an unattended installation script stops at the warning prompt when it tries to install an unsigned driver, and so fails.

The Devices: Unsigned driver installation behavior setting is configured to Warn but allow installation for both of the environments that are discussed in this chapter, which prevents unsigned drivers from being installed silently without blocking an administrator who has decided to accept one.

Note: If you implement this policy setting, the client computers should be fully configured with all of your standard software applications before Group Policy is applied to mitigate the risk of installation errors that are caused by the setting.

Domain Member

The following table summarizes the recommended security option settings for domain members. Additional information is provided in the subsections that follow the table.

Table 3.8 Security Option Setting Recommendations – Domain Member

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled | Enabled | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled
Domain member: Disable machine account password changes | Disabled | Disabled | Disabled | Disabled
Domain member: Maximum machine account password age | 30 days | 30 days | 30 days | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled

Domain member: Digitally encrypt or sign secure channel data (always)

This policy setting determines whether all secure channel traffic that the domain member initiates must be signed or encrypted. A system that is set to always encrypt or sign secure channel data cannot establish a secure channel with a domain controller that is not capable of signing or encrypting all secure channel traffic.

The Domain member: Digitally encrypt or sign secure channel data (always) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Domain member: Digitally encrypt secure channel data (when possible)

This policy setting determines whether a domain member may attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain member will be prevented from negotiating secure channel encryption.

The Domain member: Digitally encrypt secure channel data (when possible) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Domain member: Digitally sign secure channel data (when possible)

This policy setting determines whether a domain member may attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network.

The Domain member: Digitally sign secure channel data (when possible) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Domain member: Disable machine account password changes

This policy setting determines whether a domain member may periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its computer account password as specified by the Domain Member: Maximum machine account password age setting, which by default is every 30 days. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker may be able to determine the password for the system's domain account.

Therefore, the Domain member: Disable machine account password changes setting is configured to Disabled for both of the environments that are discussed in this chapter.

Domain member: Maximum machine account password age

This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts.

Therefore, the Domain member: Maximum machine account password age setting is configured to 30 days for both of the environments that are discussed in this chapter.

Domain member: Require strong (Windows 2000 or later) session key

When this policy setting is enabled, a secure channel may only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key.

To enable this policy setting, all domain controllers in the domain must be able to encrypt secure channel data with a strong key, which means all domain controllers must be running Microsoft Windows 2000 or later. If communication to non-Windows 2000 domains is required, Microsoft recommends that you disable this policy setting.

The Domain member: Require strong (Windows 2000 or later) session key setting is configured to Enabled for both of the environments that are discussed in this chapter.

Interactive Logon

The following table summarizes the recommended security option settings for interactive logon. Additional information is provided in the subsections that follow the table.

Table 3.9 Security Option Setting Recommendations – Interactive Logon

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Interactive Logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled
Interactive Logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled
Interactive Logon: Message text for users attempting to log on | "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted." (same text in all four columns)
Interactive Logon: Message title for users attempting to log on | "IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION." (same title in all four columns)
Interactive Logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 2
Interactive Logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days
Interactive Logon: Require Domain Controller authentication to unlock workstation | Enabled | Disabled | Enabled | Disabled
Interactive Logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation

Interactive Logon: Do not display last user name

This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization.

The Interactive logon: Do not display last user name setting is configured to Enabled for the two environments that are discussed in this chapter.

Interactive Logon: Do not require CTRL+ALT+DEL

The CTRL+ALT+DEL key combination (the secure attention sequence) establishes a trusted path to the operating system when a user enters a username and password: only Windows itself can respond to it, so a program that imitates the logon dialog in order to capture passwords cannot intercept it. When this policy setting is enabled, users are not required to press this key combination to log on. That configuration poses a security risk because it removes this protection and makes it easier for users to be tricked into entering their credentials into a fake logon prompt.

The Interactive logon: Do not require CTRL+ALT+DEL setting is configured to Disabled for the two environments that are discussed in this chapter.

Interactive Logon: Message text for users attempting to log on

This policy setting specifies a text message that displays to users when they log on. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. The message text that is specified in the previous table is a recommended example for both the EC and SSLF environments.

The Interactive Logon: Message text for users attempting to log on setting is enabled with suitable text for both of the environments that are discussed in this chapter.

Note: Any warning that you display should first be approved by your organization's legal and human resources representatives. Also, the Interactive logon: Message text for users attempting to log on and the Interactive logon: Message title for users attempting to log on settings must both be enabled for either one to work properly.

Interactive Logon: Message title for users attempting to log on

This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system. The reason for this policy setting is the same as for the previous message text setting. Organizations that do not use this policy setting are more legally vulnerable to trespassers who attack the system.

Therefore, the Interactive Logon: Message title for users attempting to log on setting is enabled with suitable text for both of the environments that are discussed in this chapter.

Note: Any warning that you display should first be approved by your organization's legal and human resources representatives. Also, the Interactive logon: Message text for users attempting to log on and the Interactive logon: Message title for users attempting to log on settings must both be enabled for either one to work properly.

Interactive Logon: Number of previous logons to cache (in case domain controller is not available)

This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. The default value for this policy setting is 10. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the computer could locate this cached information and use an offline brute force attack to determine user passwords.

The Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting is configured to 2 for both desktop and laptop computers in the EC environment and for the laptop computers in the SSLF environment. However, this policy setting is configured to 0 for desktops in the SSLF environment because these computers should always be securely connected to the organization’s network.

Interactive Logon: Prompt user to change password before expiration

This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire.

The Interactive logon: Prompt user to change password before expiration setting is configured to 14 days for both of the environments that are discussed in this chapter.

Interactive Logon: Require Domain Controller authentication to unlock workstation

When this policy setting is enabled, a domain controller must authenticate the domain account used to unlock the computer. When this policy setting is disabled, cached credentials can be used to unlock the computer. Microsoft recommends that this policy setting be disabled for laptop users in both environments, because mobile users do not have network access to domain controllers.

The Interactive logon: Require Domain Controller authentication to unlock workstation setting is configured to Enabled for desktop computers in both the EC and SSLF environments. However, this policy setting is configured to Disabled for laptops in both of the environments, which allows these users to work when they are away from the office.

Interactive Logon: Smart card removal behavior

This policy setting determines what happens when the smart card for a logged on user is removed from the smart card reader. When configured to Lock Workstation, this policy setting locks the workstation when the smart card is removed, which allows users to leave the area, take their smart cards with them, and automatically lock their workstations. If you configure this policy setting to Force Logoff, users will be automatically logged off when the smart card is removed.

The Interactive logon: Smart card removal behavior setting is configured to the Lock Workstation option for both of the environments that are discussed in this chapter.

Microsoft Network Client

The following table summarizes the recommended security option settings for Microsoft network client computers. Additional information is provided in the subsections that follow the table.

Table 3.10 Security Option Setting Recommendations – Microsoft Network Client

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Microsoft network client: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled | Disabled

Microsoft network client: Digitally sign communications (always)

This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that server agrees to sign SMB packets. In mixed environments with legacy client computers, set this option to Disabled because these computers will not be able to authenticate or gain access to domain controllers. However, you can use this policy setting in Windows 2000 or later environments.

The Microsoft network client: Digitally sign communications (always) setting is configured to Enabled for computers for both of the environments that are discussed in this chapter.

Note: When Windows XP computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more details about these settings, see the "Microsoft network client and server: Digitally sign communications (four related settings)" section in Chapter 5 of the companion guide Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available for download at https://go.microsoft.com/fwlink/?LinkId=15159.

Microsoft network client: Digitally sign communications (if server agrees)

This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows networks helps to prevent sessions from being hijacked. If you enable this policy setting, the Microsoft network client will use signing only if the server with which it communicates accepts digitally signed communication.

The Microsoft network client: Digitally sign communications (if server agrees) setting is configured to Enabled for the two environments that are discussed in this chapter.

Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment.

Microsoft network client: Send unencrypted password to third-party SMB servers

Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to non-Microsoft SMB servers that do not support password encryption. Microsoft recommends that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network.

The Microsoft network client: Send unencrypted password to third-party SMB servers setting is configured to Disabled for the two environments that are discussed in this chapter.

Microsoft Network Server

The following table summarizes the recommended security option settings for Microsoft network servers. Additional information is provided in the subsections that follow the table.

Table 3.11 Security Option Setting Recommendations – Microsoft Network Server

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled | Enabled

Microsoft network server: Amount of idle time required before suspending session

This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.

The Microsoft network server: Amount of idle time required before suspending session setting is configured to Enabled for a period of 15 minutes in both of the environments that are discussed in this chapter.

Microsoft network server: Digitally sign communications (always)

This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server.

The Microsoft network server: Digitally sign communications (always) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Microsoft network server: Digitally sign communications (if client agrees)

This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled.

The Microsoft network server: Digitally sign communications (if client agrees) setting is configured to Enabled for the two environments that are discussed in this chapter.

Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment.

Network Access

The following table summarizes the recommended security option settings for network access. Additional information is provided in the subsections that follow the table.

Table 3.12 Security Option Setting Recommendations – Network Access

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Disabled | Disabled
Network access: Named Pipes that can be accessed anonymously | Not Defined | Not Defined | See the following setting description for the complete list of named pipes | See the following setting description for the complete list of named pipes
Network access: Remotely accessible registry paths | Not Defined | Not Defined | See the following setting description for the complete list of paths | See the following setting description for the complete list of paths
Network access: Shares that can be accessed anonymously | Not Defined | Not Defined | comcfg, dfs$ | comcfg, dfs$
Network access: Sharing and security model for local accounts | Classic – local users authenticate as themselves | Classic – local users authenticate as themselves | Classic – local users authenticate as themselves | Classic – local users authenticate as themselves

Network access: Allow anonymous SID/Name translation

This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding username. Disable this policy setting to prevent unauthenticated users from obtaining usernames that are associated with their respective SIDs.

The Network access: Allow anonymous SID/Name translation setting is configured to Disabled for the two environments that are discussed in this chapter.

Network access: Do not allow anonymous enumeration of SAM accounts

This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the workstations in your environment. This policy setting also allows additional restrictions on anonymous connections.

The Network access: Do not allow anonymous enumeration of SAM accounts setting is configured to Enabled for the two environments that are discussed in this chapter.

Network access: Do not allow anonymous enumeration of SAM accounts and shares

This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment.

The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting is configured to Enabled for the two environments that are discussed in this chapter.

Network access: Do not allow storage of credentials or .NET Passports for network authentication

This policy setting controls the storage of authentication credentials and passwords on the local system.

The Network access: Do not allow storage of credentials or .NET Passports for network authentication setting is configured to Enabled for the two environments that are discussed in this chapter.

Network access: Let Everyone permissions apply to anonymous users

This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumerate the names of domain accounts and network shares. An unauthorized user could anonymously list account names and shared resources and use the information to guess passwords or perform social engineering attacks.

Therefore, the Network access: Let Everyone permissions apply to anonymous users setting is configured to Disabled for both of the environments that are discussed in this chapter.

Network access: Named Pipes that can be accessed anonymously

This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.

For the EC environment the Network access: Named Pipes that can be accessed anonymously setting is configured to Not Defined. However, the following default values are enforced for the SSLF environment:

  • COMNAP
  • COMNODE
  • SQL\QUERY
  • SPOOLSS
  • LLSRPC
  • Browser

Network access: Remotely accessible registry paths

This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths.

For the EC environment the Network access: Remotely accessible registry paths setting is configured to Not Defined. However, for the SSLF environment the following default values are enforced:

  • System\CurrentControlSet\Control\ProductOptions
  • System\CurrentControlSet\Control\Print\Printers
  • System\CurrentControlSet\Control\Server Applications
  • System\CurrentControlSet\Control\ContentIndex
  • System\CurrentControlSet\Control\Terminal Server
  • System\CurrentControlSet\Control\Terminal Server\UserConfig
  • System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
  • System\CurrentControlSet\Services\Eventlog
  • Software\Microsoft\OLAP Server
  • Software\Microsoft\Windows NT\CurrentVersion

Network access: Shares that can be accessed anonymously

This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server.

The Network access: Shares that can be accessed anonymously setting is configured to Not Defined for the EC environment. However, ensure that this setting is configured to comcfg, dfs$ for the SSLF environment.

Note: It can be very dangerous to add other shares to this Group Policy setting. Any shares that are listed can be accessed by any network user, which could result in exposure or corruption of sensitive data.

Network access: Sharing and security model for local accounts

This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource.

Therefore, the Sharing and security model for local accounts setting uses the default Classic option for both of the environments that are discussed in this chapter.
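
The recommendations in Tables 3.10 to 3.12 are easiest to verify from a template exported with `secedit /export`, which writes each policy as a registry value or [System Access] entry. The following script is an added example and not part of this guide or of any Microsoft tool: it parses a constructed INF fragment (embedded inline) and reports every value that deviates from the SSLF desktop column of those three tables. The registry value names it checks (RequireSecuritySignature, EnablePlainTextPassword, RestrictAnonymous, NullSessionPipes and so on) are the ones Windows stores these policies under; they are assumptions of the example, since the page itself lists only the policy names.

```python
"""Audit an exported Windows security template against the SSLF desktop column
of Tables 3.10 to 3.12.  Added example, not part of the guide.  The INF text is
constructed, and the registry value names are the ones Windows keeps these
policies under (assumed here; the page itself lists only the policy names)."""

# Constructed fragment in the shape written by `secedit /export /cfg file.inf`.
# Two values deliberately deviate from the SSLF desktop column.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,1
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes=7,COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,Browser
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares=7,comcfg,dfs$,public
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
"""

REG = "Registry Values"
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
WKS = r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters"

# (policy name as printed in the guide, INF section, key, expected SSLF desktop value)
SSLF_DESKTOP = [
    ("Microsoft network client: Digitally sign communications (always)", REG, WKS + r"\RequireSecuritySignature", 1),
    ("Microsoft network client: Digitally sign communications (if server agrees)", REG, WKS + r"\EnableSecuritySignature", 1),
    ("Microsoft network client: Send unencrypted password to third-party SMB servers", REG, WKS + r"\EnablePlainTextPassword", 0),
    ("Microsoft network server: Amount of idle time required before suspending session", REG, SRV + r"\AutoDisconnect", 15),
    ("Microsoft network server: Digitally sign communications (always)", REG, SRV + r"\RequireSecuritySignature", 1),
    ("Microsoft network server: Digitally sign communications (if client agrees)", REG, SRV + r"\EnableSecuritySignature", 1),
    ("Network access: Allow anonymous SID/Name translation", "System Access", "LSAAnonymousNameLookup", 0),
    ("Network access: Do not allow anonymous enumeration of SAM accounts", REG, LSA + r"\RestrictAnonymousSAM", 1),
    ("Network access: Do not allow anonymous enumeration of SAM accounts and shares", REG, LSA + r"\RestrictAnonymous", 1),
    ("Network access: Do not allow storage of credentials or .NET Passports for network authentication", REG, LSA + r"\DisableDomainCreds", 1),
    ("Network access: Let Everyone permissions apply to anonymous users", REG, LSA + r"\EveryoneIncludesAnonymous", 0),
    ("Network access: Named Pipes that can be accessed anonymously", REG, SRV + r"\NullSessionPipes",
     ["COMNAP", "COMNODE", r"SQL\QUERY", "SPOOLSS", "LLSRPC", "Browser"]),
    ("Network access: Shares that can be accessed anonymously", REG, SRV + r"\NullSessionShares", ["comcfg", "dfs$"]),
    ("Network access: Sharing and security model for local accounts", REG, LSA + r"\ForceGuest", 0),
]


def parse_template(text):
    """Return {section: {key: raw value}} for a security-template INF file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def decode_value(section, raw):
    """Turn the INF encoding into a Python value.  [Registry Values] entries are
    '<type>,<data>' with 4 = REG_DWORD, 7 = REG_MULTI_SZ, 1 = REG_SZ; the other
    sections hold bare numbers or strings."""
    if section != REG:
        return int(raw) if raw.isdigit() else raw
    kind, _, data = raw.partition(",")
    if kind == "4":
        return int(data)
    if kind == "7":
        return [item for item in data.split(",") if item]
    return data.strip('"')


def audit(inf_text, baseline=SSLF_DESKTOP):
    """Return (policy, expected, actual) for every baseline entry that deviates.
    An entry absent from the template is reported with actual=None."""
    template = parse_template(inf_text)
    findings = []
    for name, section, key, expected in baseline:
        raw = template.get(section, {}).get(key)
        actual = None if raw is None else decode_value(section, raw)
        if isinstance(expected, list):
            # Every extra pipe or share widens anonymous access, so compare as sets.
            ok = actual is not None and set(actual) == set(expected)
        else:
            ok = actual == expected
        if not ok:
            findings.append((name, expected, actual))
    return findings


if __name__ == "__main__":
    for name, expected, actual in audit(SAMPLE_INF):
        print("DEVIATION: %s\n  expected %r\n  actual   %r" % (name, expected, actual))
```

On the constructed input the script flags two deviations: plaintext passwords to third-party SMB servers are allowed, and an extra share (public) has been added to the anonymous-access list, which is exactly the kind of addition the note under Network access: Shares that can be accessed anonymously warns against. A value that is missing from the template altogether is also reported rather than silently passed, since an undefined setting falls back to whatever the local computer has.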

Network Security

The following table summarizes the recommended security option settings for network security. Additional information is provided in the subsections that follow the table.

Table 3.13 Security Option Setting Recommendations – Network Security

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 response only\refuse LM | Send NTLMv2 response only\refuse LM | Send NTLMv2 response only\refuse LM and NTLM | Send NTLMv2 response only\refuse LM and NTLM
Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing | Negotiate signing | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption

Network security: Do not store LAN Manager hash value on next password change

This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Windows NT® hash.

For this reason, the Network security: Do not store LAN Manager hash value on next password change setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: Very old operating systems and some third-party applications may fail when this policy setting is enabled. Also you will need to change the password on all accounts after you enable this setting.

Network security: LAN Manager authentication level

This policy setting specifies the type of challenge/response authentication for network logons with non-Windows 2000 and Windows XP Professional clients. LAN Manager authentication (LM) is the least secure method; it allows encrypted passwords to be cracked because they can be easily intercepted on the network. NT LAN Manager (NTLM) is somewhat more secure. NTLMv2 is a more robust version of NTLM that is available in Windows XP Professional, Windows 2000, and Windows NT 4.0 Service Pack 4 (SP4) or later. NTLMv2 is also available for Windows 95 and Windows 98 with the optional Directory Services Client.

Microsoft recommends that you configure this policy setting to the strongest possible authentication level for your environment. In environments that run only Windows 2000 Server or Windows Server 2003 with Windows XP Professional workstations, configure this policy setting to the Send NTLMv2 response only\refuse LM and NTLM option for the highest security.

The Network security: LAN Manager authentication level setting is configured to Send NTLMv2 response only\refuse LM for the EC environment. However, this policy setting is configured to the more restrictive Send NTLMv2 response only\refuse LM and NTLM for the SSLF environment.

Network security: LDAP client signing requirements

This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Because unsigned network traffic is susceptible to man-in-the-middle attacks, an attacker could cause an LDAP server to make decisions that are based on false queries from the LDAP client.

Therefore, the value for the Network security: LDAP client signing requirements setting is configured to Negotiate signing for both of the environments that are discussed in this chapter.

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

This policy setting determines the minimum application-to-application communications security standards for clients. The options for this policy setting are:

  • Require message integrity
  • Require message confidentiality
  • Require NTLMv2 session security
  • Require 128-bit encryption

If all of the computers on your network can support NTLMv2 and 128-bit encryption (for example, Windows XP Professional SP2 and Windows Server 2003 SP1), all four setting options may be selected for maximum security.

All four options are enabled for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients setting in both of the environments that are discussed in this chapter.

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

This policy setting is similar to the previous setting, but affects the server side of communication with applications. The options for the setting are the same:

  • Require message integrity
  • Require message confidentiality
  • Require NTLMv2 session security
  • Require 128-bit encryption

If all of the computers on your network can support NTLMv2 and 128-bit encryption (for example, Windows XP Professional SP2 and Windows Server 2003 SP1), all four options may be selected for maximum security.

All four options are enabled for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers setting in both of the environments that are discussed in this chapter.
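
The LAN Manager authentication level and the two NTLM SSP minimum session security settings reach the computer as plain numbers, which is how they show up in registry dumps and Group Policy result reports, so it helps to be able to read those numbers back into the option names used in Table 3.13. The following decoder is an added example, not code from this guide; the level numbers 0 to 5 and the bit values it uses are the ones Windows stores in the LmCompatibilityLevel and NTLMMinClientSec / NTLMMinServerSec registry values, which is an assumption of the example since the page gives only the option names.

```python
"""Decode the raw values behind two rows of Table 3.13: LAN Manager
authentication level and the minimum session security for NTLM SSP based
clients and servers.  Added example, not part of the guide.  The numeric
encodings are the ones Windows stores in the LmCompatibilityLevel and
NTLMMinClientSec / NTLMMinServerSec registry values (assumed here; the page
gives only the option names)."""

# LmCompatibilityLevel: each step up sends a stronger response and, from 4 on,
# also refuses weaker responses when this computer acts as the server.
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only\\refuse LM",
    5: "Send NTLMv2 response only\\refuse LM and NTLM",
}

# Minimum level each environment in this chapter requires.
REQUIRED_LM_LEVEL = {"EC": 4, "SSLF": 5}

# Bits of the NTLMMinClientSec / NTLMMinServerSec DWORD, named as in the guide.
SESSION_SECURITY_BITS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}
ALL_FOUR_OPTIONS = sum(SESSION_SECURITY_BITS)  # 0x20080030: both environments in this chapter


def describe_lm_level(level):
    """Return (option name, list of legacy responses this level still accepts)."""
    if level not in LM_LEVELS:
        raise ValueError("LmCompatibilityLevel must be 0-5, got %r" % (level,))
    still_accepted = []
    if level < 4:
        still_accepted.append("LM")
    if level < 5:
        still_accepted.append("NTLM")
    return LM_LEVELS[level], still_accepted


def missing_session_security(value):
    """Options from the guide's list that the given DWORD does not require."""
    return [name for bit, name in sorted(SESSION_SECURITY_BITS.items()) if not value & bit]


def audit_ntlm(lm_level, client_min_sec, server_min_sec, environment):
    """Deviations from Table 3.13 for one environment, as readable strings."""
    findings = []
    name, still_accepted = describe_lm_level(lm_level)
    if lm_level < REQUIRED_LM_LEVEL[environment]:
        findings.append("LAN Manager authentication level is '%s' (level %d); %s requires at "
                        "least level %d, and this computer still accepts %s responses"
                        % (name, lm_level, environment, REQUIRED_LM_LEVEL[environment],
                           " and ".join(still_accepted)))
    for side, value in (("clients", client_min_sec), ("servers", server_min_sec)):
        for option in missing_session_security(value):
            findings.append("NTLM SSP %s (0x%08X): '%s' is not required" % (side, value, option))
    return findings


if __name__ == "__main__":
    # A computer sitting at level 2 with no minimum session security in either direction.
    for line in audit_ntlm(2, 0x00000000, 0x00000000, "EC"):
        print(line)
```

The two checks are deliberately separate: the authentication level governs which challenge/response the computer sends and which it refuses, while the session security bits govern what the NTLM SSP must negotiate once a session exists, so a computer can be at level 5 and still leave signing and sealing optional for RPC traffic.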

Recovery Console

The following table summarizes the recommended security option settings for the recovery console. Additional information is provided in the subsections that follow the table.

Table 3.14 Security Option Setting Recommendations – Recovery Console

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Not Defined | Not Defined | Disabled | Disabled

Recovery console: Allow automatic administrative logon

The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery console when it is invoked during startup. Microsoft recommends that you disable this policy setting, which will require administrators to enter a password to access the recovery console.

The Recovery console: Allow automatic administrative logon setting is configured to Disabled for the two environments that are discussed in this chapter.

Recovery console: Allow floppy copy and access to all drives and all folders

This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables:

  • AllowWildCards. Enables wildcard support for some commands (such as the DEL command).
  • AllowAllPaths. Allows access to all files and folders on the computer.
  • AllowRemovableMedia. Allows files to be copied to removable media, such as a floppy disk.
  • NoCopyPrompt. Does not prompt when overwriting an existing file.

The Recovery console: Allow floppy copy and access to all drives and all folders setting is configured to Not Defined for the EC environment. However, for maximum security, this setting is configured to Disabled for the SSLF environment.

Shutdown

The following table summarizes shutdown security option setting recommendations. Additional information is provided in the subsections that follow the table.

Table 3.15 Security Option Setting Recommendations – Shutdown

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Shutdown: Allow system to be shut down without having to log on | Not Defined | Not Defined | Disabled | Disabled
Shutdown: Clear virtual memory pagefile | Disabled | Disabled | Disabled | Disabled

Shutdown: Allow system to be shut down without having to log on

This policy setting determines whether a computer can be shut down when a user is not logged on to it. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. Microsoft recommends that you disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system.

The Shutdown: Allow system to be shut down without having to log on setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Shutdown: Clear virtual memory pagefile

This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down gracefully. If you enable this security setting, the hibernation file (Hiberfil.sys) is also zeroed out when hibernation is disabled on a portable computer system. It will take longer to shut down and restart the server, and will be especially noticeable on servers with large paging files.

For these reasons, the Shutdown: Clear virtual memory pagefile setting is configured to Disabled for all computer types in both of the environments that are discussed in this chapter.

System Cryptography

The following table summarizes the recommended security option settings for system cryptography. Additional information is provided after the table.

Table 3.16 Security Option Setting Recommendations – System Cryptography

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Not Defined | Not Defined | Disabled | Disabled

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although this policy setting increases security, most public Web sites that are secured with TLS or SSL do not support these algorithms. Client computers that have this policy setting enabled will also be unable to connect to Terminal Services on servers that are not configured to use the FIPS compliant algorithms.

The System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Note: If you enable this policy setting, computer performance will be slower because the 3DES process is performed on each block of data in the file three times. This policy setting should only be enabled if your organization is required to be FIPS compliant.

System Objects

The following table summarizes the recommended security option settings for system objects. Additional information is provided in the subsections that follow the table.

Table 3.17 Security Option Setting Recommendations – System Objects

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
System objects: Default owner for objects created by members of the Administrators group | Object Creator | Object Creator | Object Creator | Object Creator
System objects: Require case insensitivity for non-Windows subsystems | Not Defined | Not Defined | Enabled | Enabled
System objects: Strengthen default permissions of internal system objects | Enabled | Enabled | Enabled | Enabled

System objects: Default owner for objects created by members of the Administrators group

This policy setting determines whether the Administrators group or the Object Creator group is the default owner of new system objects.

To provide greater accountability, the System objects: Default owner for objects created by members of the Administrators group setting is configured to the Object Creator group for the two environments that are discussed in this chapter.

System objects: Require case insensitivity for non-Windows subsystems

This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32® subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation may block access to these files by another user who uses typical Win32 tools, because only one of the files will be available.

To ensure consistency of file names, the System objects: Require case insensitivity for non-Windows subsystems setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment.

System objects: Strengthen default permissions of internal system objects

This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to read shared objects but does not allow them to modify any that they did not create.

Therefore, the System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) setting is configured to the default setting of Enabled for both of the environments that are discussed in this chapter.

Event Log Security Settings

The event log records events on the system, and the Security log records audit events. The event log container of Group Policy is used to define attributes that are related to the Application, Security, and System event logs, such as maximum log size, access rights for each log, and retention settings and methods. The settings for the Application, Security, and System event logs are configured in the member server baseline policy (MSBP) and applied to all member servers in the domain.

You can configure the event log settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Event Log

This section provides details about the prescribed settings for the environments that are discussed in this chapter. For a summary of the prescribed settings in this section, see the Microsoft Excel® workbook "Windows XP Security Guide Settings." For information about the default settings and a detailed explanation of each of the settings discussed in this section, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at https://go.microsoft.com/fwlink/?LinkId=15159. The companion guide also includes detailed information about the potential for lost event log data when the log sizes are set to very large values.

The following table summarizes the recommended event log security settings for both desktop and laptop clients in the two types of environments that are discussed in this chapter—the Enterprise Client (EC) environment and the Specialized Security – Limited Functionality (SSLF) environment. More detailed information about each of the settings is provided in the following subsections.

Table 3.18 Event Log Security Setting Recommendations

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Maximum application log size | 16384 KB | 16384 KB | 16384 KB | 16384 KB
Maximum security log size | 81920 KB | 81920 KB | 81920 KB | 81920 KB
Maximum system log size | 16384 KB | 16384 KB | 16384 KB | 16384 KB
Prevent local guests group from accessing application log | Enabled | Enabled | Enabled | Enabled
Prevent local guests group from accessing security log | Enabled | Enabled | Enabled | Enabled
Prevent local guests group from accessing system log | Enabled | Enabled | Enabled | Enabled
Retention method for application log | As Needed | As Needed | As Needed | As Needed
Retention method for security log | As Needed | As Needed | As Needed | As Needed
Retention method for system log | As Needed | As Needed | As Needed | As Needed

Maximum application log size

This policy setting specifies the maximum size of the Application event log, which has a maximum capacity of 4 GB. However, this size is not recommended because of the risk of memory fragmentation, which causes slow performance and unreliable event logging. Requirements for the Application log size vary, and depend on the function of the platform and the need for historical records of application-related events.

The Maximum application log size setting is configured to 16384 KB for all computers in the two environments that are discussed in this chapter.

Maximum security log size

This policy setting specifies the maximum size of the Security event log, which has a maximum capacity of 4 GB. However, this size is not recommended because of the risk of memory fragmentation, which causes slow performance and unreliable event logging. Requirements for the Security log size vary, and depend on the function of the platform and the need for historical records of application-related events.

The Maximum security log size setting is configured to 81920 KB for all computers in the two environments that are discussed in this chapter.

Maximum system log size

This policy setting specifies the maximum size of the System event log, which has a maximum capacity of 4 GB. However, this size is not recommended because of the risk of memory fragmentation, which leads to slow performance and unreliable event logging. Requirements for the application log size vary depending on the function of the platform and the need for historical records of application related events.

The Maximum system log size setting is configured to 16384 KB for all computers in the two environments that are discussed in this chapter.

Prevent local guests group from accessing application log

This policy setting determines whether guests are prevented from accessing the Application event log. By default in Windows Server 2003, guest access is prohibited on all systems. Therefore, this policy setting has no real effect on default system configurations. However, it is considered a defense-in-depth setting with no side effects.

The Prevent local guests group from accessing application log setting is configured to Enabled for the two environments that are discussed in this chapter.

Prevent local guests group from accessing security log

This policy setting determines whether guests are prevented from accessing the Security event log. A user must be assigned the Manage auditing and security log user right (not defined in this guidance) to access the Security log. Therefore, this policy setting has no real effect on default system configurations. However, it is considered a defense-in-depth setting with no side effects.

The Prevent local guests group from accessing security log setting is configured to Enabled for the two environments that are discussed in this chapter.

Prevent local guests group from accessing system log

This policy setting determines whether guests are prevented from accessing the System event log. By default in Windows Server 2003, guest access is prohibited on all systems. Therefore, this policy setting has no real effect on default system configurations. However, it is considered a defense-in-depth setting with no side effects.

The Prevent local guests group from accessing system log setting is configured to Enabled for the two environments that are discussed in this chapter.

Retention method for application log

This policy setting determines the "wrapping" method for the Application log. It is imperative that the Application log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this configuration could result in a loss of historical data.

The Retention method for application log is configured to As Needed for both of the environments that are discussed in this chapter.

Retention method for security log

This policy setting determines the "wrapping" method for the Security log. It is imperative that the Security log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this configuration could result in a loss of historical data.

The Retention method for security log is configured to As Needed for both of the environments that are discussed in this chapter.

Retention method for system log

This policy setting determines the "wrapping" method for the System log. It is imperative that the System log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this configuration could result in a loss of historical data.

The Retention method for system log is configured to As Needed for both of the environments that are discussed in this chapter.

Restricted Groups

The Restricted Groups setting allows you to manage the membership of groups in Windows XP Professional through Active Directory Group Policy. First, review the needs of your organization to determine the groups you want to restrict. For this guidance, the Backup Operators and Power Users groups are restricted in both of the environments but only the Remote Desktop Users group is restricted for the SSLF environment. Although members of the Backup Operators and Power Users groups have less system access than members in the Administrators group, they can still access the system in powerful ways.

Note: If your organization uses any of these groups, then carefully control their membership and do not implement the guidance for the Restricted Groups setting. If your organization adds users to the Power Users group, you may want to implement the optional file system permissions that are described in the “Securing the File System” section later in this chapter.

Table 3.19 Restricted Groups Recommendations

Local group | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Backup Operators | No members | No members | No members | No members
Power Users | No members | No members | No members | No members
Remote Desktop Users | | | No members | No members

You can configure the Restricted Groups setting in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

Administrators may configure restricted groups for a GPO by adding the desired group directly to the Restricted Groups node of the GPO namespace.

When a group is restricted, you can define its members and any other groups to which it belongs. If you do not specify these group members, the group is left totally restricted. Groups can only be restricted by using security templates.

To view or modify the Restricted Groups setting

  1. Open the Security Templates Management Console.
     Note: The Security Templates Management Console is not added to the Administrative Tools menu by default. To add it, start the Microsoft Management Console (mmc.exe) and add the Security Templates Add-in.
  2. Double-click the configuration file directory, and then the configuration file.
  3. Double-click the Restricted Groups item.
  4. Right-click Restricted Groups and then select Add Group.
  5. Click the Browse button, the Locations button, select the locations you want to browse, and then click OK.
     Note: Typically, this will result in a local computer appearing at the top of the list.
  6. Type the group name in the Enter the object names to select text box and then click the Check Names button.
     – Or –
     Click the Advanced button, and then the Find Now button to list all available groups.
  7. Select the groups you want to restrict, and then click OK.
  8. Click OK on the Add Groups dialog box to close it.

In this guidance, the settings were removed for all members—users and groups—of the Power Users and Backup Operators groups to totally restrict them in both environments. Also, for the SSLF environment, all members were removed for the Remote Desktop Users group. Microsoft recommends that you restrict any built-in group you do not plan to use in your organization.

Note: The configuration of Restricted Groups that is described in this section is very simple. Versions of Windows XP SP1 or later, as well as Windows Server 2003, support more complex designs. For more information, see the Microsoft Knowledge Base article “Updates to Restricted Groups ("Member of") Behavior of User-Defined Local Groups” at https://support.microsoft.com/default.aspx?kbid=810076.

System Services

When Windows XP Professional is installed, default system services are created and configured to run when the system starts. Many of these system services do not need to run in the environments that are discussed in this chapter.

There are additional optional services available with Windows XP Professional, such as IIS, that are not installed during the default installation of the operating system. You can add these optional services to an existing system through Add/Remove Programs in Control Panel, or you can create a customized automated installation of Windows XP Professional.

Important: Remember that any service or application is a potential point of attack. Therefore, any unneeded services or executable files should be disabled or removed in your environment.

You can configure the system services settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\System Services

An administrator can set the startup mode of the system services and change the security settings for each of them.

Important: Versions of the graphical tools that can be used to edit services that were included with pre-Windows 2003 versions of the Windows operating system automatically apply permissions to each service when you configure any of the properties of a service. Tools such as the Group Policy Object Editor and the MMC Security Templates snap-in use the Security Configuration Editor DLL to apply these permissions. If the default permissions are changed, a variety of problems will occur for many services. Microsoft recommends that you not alter the permissions on services that are included with Windows XP or Windows Server 2003, because the default permissions are already quite restrictive. The Windows Server 2003 version of the Security Configuration Editor DLL does not force you to configure permissions when you edit the properties of a service. For more information, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at https://go.microsoft.com/fwlink/?LinkId=15159.

The following table summarizes the recommended system services settings for both desktop and laptop clients in the two types of environments that are discussed in this chapter—the Enterprise Client (EC) environment and the Specialized Security – Limited Functionality (SSLF) environment. More detailed information about each of the settings is provided in the following subsections.

Table 3.20 System Services Security Setting Recommendations

Service name | Display name | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Alerter | Alerter | Disabled | Disabled | Disabled | Disabled
ClipSrv | ClipBook | Disabled | Disabled | Disabled | Disabled
Browser | Computer Browser | Not Defined | Not Defined | Disabled | Disabled
Fax | Fax | Not Defined | Not Defined | Disabled | Disabled
MSFtpsvr | FTP Publishing | Disabled | Disabled | Disabled | Disabled
IISADMIN | IIS Admin | Disabled | Disabled | Disabled | Disabled
cisvc | Indexing Service | Not Defined | Not Defined | Disabled | Disabled
Messenger | Messenger | Disabled | Disabled | Disabled | Disabled
mnmsrvc | NetMeeting® Remote Desktop Sharing | Disabled | Disabled | Disabled | Disabled
RDSessMgr | Remote Desktop Help Session Manager | Not Defined | Not Defined | Disabled | Disabled
RemoteAccess | Routing and Remote Access | Disabled | Disabled | Disabled | Disabled
SNMP | SNMP Service | Disabled | Disabled | Disabled | Disabled
SNMPTRAP | SNMP Trap Service | Disabled | Disabled | Disabled | Disabled
SSDPSrv | SSDP Discovery Service | Disabled | Disabled | Disabled | Disabled
Schedule | Task Scheduler | Not Defined | Not Defined | Disabled | Disabled
TlntSvr | Telnet | Disabled | Disabled | Disabled | Disabled
TermService | Terminal Services | Not Defined | Not Defined | Disabled | Disabled
Upnphost | Universal Plug and Play Device Host | Not Defined | Not Defined | Disabled | Disabled
W3SVC | World Wide Web Publishing | Disabled | Disabled | Disabled | Disabled

Alerter

This service notifies selected users and computers of administrative alerts. You can use this service to send alert messages to specified users who are connected to your network.

The Alerter service is configured to Disabled to prevent information from being sent across the network. This configuration ensures greater security for the two environments that are discussed in this chapter.

Note: The functionality of uninterruptible power supply (UPS) alert message systems can be affected if you disable this service.

ClipBook

This service allows the Clipbook Viewer to create and share “pages” of data that may be viewed by remote computers. The service depends on the Network Dynamic Data Exchange (NetDDE) service to create the actual file shares that other computers can connect to; the Clipbook application and service allow you to create the pages of data to share. Any services that explicitly depend on this service will fail. However, you can use Clipbrd.exe to view the local clipboard, which is where data is stored when a user selects text and then clicks Copy on the Edit menu or presses CTRL+C.

The ClipBook service is configured to Disabled to ensure greater security for the two environments that are discussed in this chapter.

Computer Browser

This service maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The service is used by Windows-based computers that need to view network domains and resources.

To ensure greater security, the Computer Browser service is set to Not Defined for the EC environment and to Disabled for the SSLF environment.

Fax

This service is a Telephony API (TAPI)-compliant service that provides fax capabilities on the clients in your environment. The service allows users to send and receive faxes from their desktop applications through either a local fax device or a shared network fax device.

The Fax service is configured to Not Defined for the computers in the EC environment. However, this service is set to Disabled for the SSLF environment to ensure greater security.

FTP Publishing

This service provides connectivity and administration through the MMC IIS snap-in. Microsoft recommends that you not install this service on Windows XP clients in your environment unless there is a business need for the service.

The FTP Publishing service is configured to Disabled for the two environments that are discussed in this chapter.

IIS Admin

This service allows administration of IIS components, such as FTP, Applications Pools, Web sites, and Web service extensions. Disable this service to prevent users from running Web or FTP sites on their computers, which are not needed on most Windows XP client computers.

The IIS Admin service is configured to Disabled for the two environments that are discussed in this chapter.

Indexing Service

This service indexes the contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language. The service also enables you to “quick search” documents on local and remote computers and provides a search index for content that is shared on the Web.

The Indexing Service is configured to Not Defined for the computers in the EC environment. However, this service is set to Disabled for the SSLF environment to ensure greater security.

Messenger

This service transmits and sends Alerter service messages between clients and servers. This service is not related to Windows Messenger or MSN Messenger, and is not a requirement for Windows XP client computers.

For this reason, the Messenger service is configured to Disabled for the two environments that are discussed in this chapter.

NetMeeting Remote Desktop Sharing

This service allows an authorized user to access a client remotely through Microsoft NetMeeting over an organization’s intranet. This service must be explicitly enabled in NetMeeting. You can also disable this feature in NetMeeting, shut down the service by means of a Windows tray icon, or disable this feature in Group Policy by configuring the Disable Remote Desktop Sharing setting, which is discussed in Chapter 4, "Administrative Templates for Windows XP." Microsoft recommends that you disable this service to prevent access to your clients from remote locations.

The NetMeeting Remote Desktop Sharing service is configured to Disabled for the two environments that are discussed in this chapter.

Remote Desktop Help Session Manager

This service manages and controls the Remote Assistance feature in the Help and Support Center application (Helpctr.exe).

The Remote Desktop Help Session Manager service is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Routing and Remote Access

This service provides multi-protocol LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services. This service also provides dial-up and VPN remote access services.

The Routing and Remote Access service is configured to Disabled for both of the environments that are discussed in this chapter.

SNMP Service

This service allows incoming Simple Network Management Protocol (SNMP) requests to be serviced by the local computer. SNMP Service includes agents that monitor activity in network devices and report to the network console workstation.

The SNMP Service is configured to Disabled for both of the environments that are discussed in this chapter.

SNMP Trap Service

This service receives trap messages that are generated by local or remote SNMP agents and forwards the messages to SNMP management programs that run on your computer. The SNMP Service, when configured for an agent, generates trap messages if any specific events occur. These messages are sent to a trap destination.

The SNMP Trap Service is configured to Disabled for both of the environments that are discussed in this chapter.

SSDP Discovery Service

This service provides the Universal Plug and Play host service with the ability to locate and identify UPnP network devices. If you disable the SSDP Discovery Service, the system will be prevented from finding UPnP devices on the network and the Universal Plug and Play host service will fail to find and interact with UPnP devices.

The SSDP Discovery Service is configured to Disabled for both of the environments that are discussed in this chapter.

Task Scheduler

This service enables you to configure and schedule automated tasks on your computer. The service monitors whatever criteria you choose and carries out the task when the criteria have been met.

The Task Scheduler service is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Telnet

This service for Windows provides ASCII terminal sessions to Telnet clients. The service supports two types of authentication and the following four types of terminals: ANSI, VT-100, VT-52, and VTNT. However, this service is not a requirement for most Windows XP clients.

The Telnet service is configured to Disabled for the two environments that are discussed in this chapter.

Terminal Services

This service provides a multi-session environment that allows client devices to access a virtual Windows desktop session and Windows-based programs that run on the server. In Windows XP, this service allows remote users to be connected interactively to a computer and to display desktops and applications on remote computers.

The Terminal Services service is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Universal Plug and Play Host

This service supports peer-to-peer Plug and Play functionality for network devices. The UPnP specification is designed to simplify device and network service installation and management. UPnP accomplishes device and service discovery and control through driver-less, standards-based protocol mechanisms. Universal Plug and Play devices can auto-configure network addressing, announce their presence on a network subnet, and enable the exchange of device and service descriptions. A Windows XP computer can act as a UPnP control point to discover and control the devices through a Web or application interface.

The Universal Plug and Play service is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

World Wide Web Publishing

This service provides Web connectivity and administration through the MMC IIS snap-in. The service provides HTTP services for applications on the Windows platform and contains a process manager and a configuration manager. However, this service is not a requirement for most Windows XP clients.

The World Wide Web Publishing service is configured to Disabled for the two environments that are discussed in this chapter.

Additional Registry Settings

Additional registry value entries were created for the baseline security template files that are not defined within the Administrative Template (.adm) file for both of the security environments that are discussed in this chapter.

These settings are embedded within the security templates (in the “Security Options” section) to automate their implementation. If the policy is removed, these settings are not automatically removed with it; they must be manually changed with a registry editing tool such as Regedt32.exe.

This guide includes additional settings that are added to the Security Configuration Editor (SCE) by modifying the Sceregvl.inf file (located in the %windir%\inf folder) and re-registering the Scecli.dll file. The original security settings as well as the additional ones appear under Local Policies\Security Options in the snap-ins and tools that are listed earlier in this chapter. You should update the Sceregvl.inf file and re-register Scecli.dll as described in the subsection “How to Modify the Security Configuration Editor User Interface” that follows this one for any computers that require you to edit the security templates and Group Policies that are provided with this guide.

The following table summarizes the additional registry setting recommendations for both desktop and laptop clients in the two types of environments that are discussed in this chapter—the Enterprise Client (EC) environment and the Specialized Security – Limited Functionality (SSLF) environment.

Additional information about each of the settings is provided in the subsections that follow the table. For information about the default settings and a detailed explanation of each of the settings, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at https://go.microsoft.com/fwlink/?LinkId=15159.

Table 3.21 Additional Registry Settings

Setting name | EC desktop | EC laptop | SSLF desktop | SSLF laptop
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) | Not defined | Not defined | Disabled | Disabled
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Not defined | Not defined | Highest Protection, source routing is completely disabled. | Highest Protection, source routing is completely disabled.
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) | Not defined | Not defined | Disabled | Disabled
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Not defined | Not defined | Disabled | Disabled
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) | Not defined | Not defined | Enabled | Enabled
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds | Not defined | Not defined | 30000 or 5 minutes (recommended) | 30000 or 5 minutes (recommended)
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) | Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP) | Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP) | Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP) | Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP)
MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) | 255, disable autorun for all drives | 255, disable autorun for all drives | 255, disable autorun for all drives | 255, disable autorun for all drives
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Not defined | Not defined | Enabled | Enabled
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) | Not defined | Not defined | Enabled | Enabled
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | Not defined | Not defined | Enabled | Enabled
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) | Enabled | Enabled | Enabled | Enabled
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | 0 | 0 | 0 | 0
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) | Not defined | Not defined | Connections timeout sooner if attack is detected | Connections timeout sooner if attack is detected
MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged | Not defined | Not defined | 3 & 6 seconds, half-open connections dropped after 21 seconds | 3 & 6 seconds, half-open connections dropped after 21 seconds
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | Not defined | Not defined | 3 | 3
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning | Not defined | Not defined | 90 | 90
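The event log, restricted group, service and MSS registry settings in Tables 3.18 through 3.21 all end up as plain key/value lines in the security template (.inf) files that the guide ships, so a template can be checked against the SSLF values before it is imported into a GPO. The following script is an added example and is not code from the Windows XP Security Guide; it assumes the standard template section names ([Application Log], [Security Log], [System Log], [Group Membership], [Service General Setting], [Registry Values]), the built-in SIDs of the three restricted groups, and covers only the MSS entries whose registry key this chapter gives. The template it runs against is a constructed sample, not one of the guide's templates.

```python
# Added example (not code from the Windows XP Security Guide or its templates): check a security
# template (.inf) against the SSLF values in Tables 3.18 to 3.21, using the section and key names of
# the template format that secedit and the Security Templates snap-in read.
import ntpath  # splits Windows-style registry paths correctly on any host OS

# Table 3.18 (SSLF): sizes in KB; AuditLogRetentionPeriod 0 = "As Needed"; RestrictGuestAccess 1 = Enabled.
LOG_SIZES = {"Application Log": "16384", "Security Log": "81920", "System Log": "16384"}
EXPECTED_LOGS = {sec: {"MaximumLogSize": kb, "AuditLogRetentionPeriod": "0", "RestrictGuestAccess": "1"}
                 for sec, kb in LOG_SIZES.items()}
# Table 3.19 (SSLF): groups that must have no members, keyed by the well-known SID the template uses.
RESTRICTED_GROUPS = {"S-1-5-32-551": "Backup Operators", "S-1-5-32-547": "Power Users", "S-1-5-32-555": "Remote Desktop Users"}
# Table 3.20 (SSLF): every listed service is Disabled. Template startup codes: 2 Automatic, 3 Manual, 4 Disabled.
DISABLED_SERVICES = ["Alerter", "ClipSrv", "Browser", "Fax", "MSFtpsvr", "IISADMIN", "cisvc", "Messenger",
                     "mnmsrvc", "RDSessMgr", "RemoteAccess", "SNMP", "SNMPTRAP", "SSDPSrv", "Schedule",
                     "TlntSvr", "TermService", "Upnphost", "W3SVC"]
# Table 3.21 (SSLF) for the MSS entries whose registry key this section gives. Template data is "type,value"
# with type 1 = REG_SZ and 4 = REG_DWORD; the template writes HKEY_LOCAL_MACHINE as MACHINE.
EXPECTED_REGISTRY = {
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon": "1,0",
    r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting": "4,2",
    r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect": "4,0",
    r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect": "4,0",
    r"MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden": "4,1",
    r"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun": "4,255",
}

def parse_template(text):
    """Return {section: [raw line, ...]} for an INI-style .inf security template."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def key_values(lines, lower=False):
    """Split 'key = value' lines into a dict; an empty value (an empty member list, say) is kept."""
    out = {}
    for line in lines:
        key, _, value = line.partition("=")
        out[key.strip().lower() if lower else key.strip()] = value.strip()
    return out

def check_template(text):
    """Compare one template against the SSLF recommendations; return a list of findings."""
    sections = parse_template(text)
    findings = []
    for section, expected in EXPECTED_LOGS.items():
        actual = key_values(sections.get(section, []))
        for key, want in expected.items():
            if actual.get(key) != want:
                findings.append(f"[{section}] {key}={actual.get(key, '<missing>')} (SSLF: {want})")
    members = key_values(sections.get("Group Membership", []))
    for sid, name in RESTRICTED_GROUPS.items():
        value = members.get(f"*{sid}__Members")  # membership is stored per SID, not per group name
        if value is None:
            findings.append(f"[Group Membership] {name} is not restricted")
        elif value:
            findings.append(f"[Group Membership] {name} still has members: {value}")
    startup = {}
    for line in sections.get("Service General Setting", []):
        name, _, rest = line.partition(",")  # ServiceName,StartupCode,"SDDL"
        startup[name.strip().lower()] = rest.split(",", 1)[0].strip()
    for svc in DISABLED_SERVICES:
        got = startup.get(svc.lower(), "<not defined>")
        if got != "4":
            findings.append(f"[Service General Setting] {svc} startup={got} (SSLF: 4)")
    registry = key_values(sections.get("Registry Values", []), lower=True)  # paths are case-insensitive
    for path, want in EXPECTED_REGISTRY.items():
        got = registry.get(path.lower(), "<missing>")
        if got != want:
            findings.append(f"[Registry Values] {ntpath.basename(path)}={got} (SSLF: {want})")
    return findings

# Constructed sample template: the Security log is too small, Power Users has a member, Telnet is Manual,
# AutoAdminLogon is on and source routing is only partly disabled; everything else matches SSLF.
SDDL = "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"  # placeholder service security descriptor
SERVICE_LINES = "\n".join(f'{s},{3 if s == "TlntSvr" else 4},"{SDDL}"' for s in DISABLED_SERVICES)
LOG_SECTIONS = "\n".join(f"[{s}]\nMaximumLogSize = {kb}\nAuditLogRetentionPeriod = 0\nRestrictGuestAccess = 1"
                         for s, kb in [("Application Log", 16384), ("Security Log", 16384), ("System Log", 16384)])
SAMPLE_TEMPLATE = LOG_SECTIONS + r"""
[Group Membership]
*S-1-5-32-551__Members =
*S-1-5-32-547__Members = helpdesk
*S-1-5-32-555__Members =
[Service General Setting]
""" + SERVICE_LINES + r"""
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon=1,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect=4,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect=4,0
MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden=4,1
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=4,255"""

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print(finding)
```

Running it against the sample prints five findings, one per deliberate deviation; run against a template that matches the tables it prints nothing, and against an empty file it reports every expected setting as missing.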

(AutoAdminLogon) Enable Automatic Logon

The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) in the SCE.

This setting is separate from the Welcome screen feature in Windows XP; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. For these reasons the setting is configured to Not Defined for the EC environment, and the default Disabled setting is explicitly enforced for the SSLF environment.

For additional information, see the Microsoft Knowledge Base article "How to turn on automatic logon in Windows XP," which is available online at https://support.microsoft.com/default.aspx?scid=315231.

(DisableIPSourceRouting) IP source routing protection level

The registry value entry DisableIPSourceRouting was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) in the SCE.

IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. This setting is configured to Not Defined for the EC environment and to Highest Protection, source routing is completely disabled for the SSLF environment.

(EnableDeadGWDetect) Allow automatic detection of dead network gateways

The registry value entry EnableDeadGWDetect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) in the SCE.

When dead gateway detection is enabled, the IP may change to a backup gateway if a number of connections experience difficulty. This setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

(EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes in the SCE.

Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes. This setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

(Hidden) Hide the Computer from Network Neighborhood Browse Lists

The registry value entry Hidden was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\ registry key. The entry appears as MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) in the SCE.

You can configure a computer so that it does not send announcements to browsers on the domain. If you do so, you hide the computer from the Browse list, which means that the computer will stop announcing itself to other computers on the same network. An attacker who knows the name of a computer can more easily gather additional information about the system. You can enable this setting to remove one method that an attacker might use to gather information about computers on the network. Also, this setting can help reduce network traffic when enabled. However, the security benefits of this setting are small because attackers can use alternative methods to identify and locate potential targets. For this reason, Microsoft recommends that you enable this setting only in high security environments.

This setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment.

For additional information, see the Microsoft Knowledge Base article "HOW TO: Hide a Windows 2000-Based Computer from the Browser List," which is available online at https://support.microsoft.com/default.aspx?scid=321710.

(KeepAliveTime) How often keep-alive packets are sent in milliseconds

The registry value entry KeepAliveTime was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended) in the SCE.

This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. This setting is configured to Not Defined for the EC environment and to 300000 milliseconds (5 minutes) for the SSLF environment.

(NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering

The registry value entry NoDefaultExempt was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\ registry key. The entry appears as MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) in the SCE.

The default exemptions to IPsec policy filters are documented in the Microsoft Windows 2000 and Windows XP online help. These filters make it possible for Internet Key Exchange (IKE) and the Kerberos authentication protocol to function. The filters also make it possible for the network Quality of Service (QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec might not secure such as multicast and broadcast traffic.

IPsec is increasingly used for basic host-firewall packet filtering, particularly in Internet-exposed scenarios, and the effect of these default exemptions has not been fully understood. Therefore, some IPsec administrators may create IPsec policies that they think are secure, but are not actually secure against inbound attacks that use the default exemptions. Microsoft recommends that you enforce the Windows XP with SP2 default, Multicast, broadcast, and ISAKMP are exempt, for both of the environments that are discussed in this chapter.

For additional information, see the Microsoft Knowledge Base article "IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios," which is available online at https://support.microsoft.com/default.aspx?scid=811832.

(NoDriveTypeAutoRun) Disable Autorun for all drives

The registry value entry NoDriveTypeAutoRun was added to the template file in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ registry key. The entry appears as MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) in the SCE.

Autorun starts to read from a drive on your computer as soon as media is inserted into it. As a result, the setup file of a program, or the sound on audio media, starts immediately. This setting is configured to 255, disable autorun for all drives, for both of the environments that are discussed in this chapter.

(NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers

The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ registry key. The entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers in the SCE.

NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows–based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. It is set to Not Defined for the EC environment and Enabled for the SSLF environment.

(NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames

The registry value entry NtfsDisable8dot3NameCreation was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\ registry key. The entry appears as MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) in the SCE.

Windows Server 2003 supports 8.3 file name formats for backward compatibility with 16-bit applications. The 8.3 file name convention is a naming format that allows file names up to eight characters long. This setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment.

(PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses

The registry value entry PerformRouterDiscovery was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) in the SCE.

This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. This setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment.

(SafeDllSearchMode) Enable Safe DLL Search Order

The registry value entry SafeDllSearchMode was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ registry key. The entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE.

The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:

  • Search folders specified in the system path first, and then search the current working folder.
  • Search current working folder first, and then search the folders specified in the system path.

When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled, the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. This setting is configured to Enabled for both of the environments that are discussed in this chapter.

(ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires

The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) in the SCE.

Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. This setting is configured to 0 seconds for both of the environments that are discussed in this chapter.

(SynAttackProtect) Syn attack protection level

The registry value entry SynAttackProtect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) in the SCE.

This setting causes TCP to adjust retransmission of SYN-ACKs. When you configure this value, the connection responses time out more quickly if a connect request (SYN) attack is detected. This setting is configured to Not Defined for the EC environment and to Connections timeout sooner if attack is detected for the SSLF environment.

(TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged

The registry value entry TCPMaxConnectResponseRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged in the SCE.

This setting determines the number of times that TCP retransmits a SYN before the attempt to connect is aborted. The retransmission time-out is doubled with each successive retransmission in a given connect attempt. The initial time-out value is three seconds. This setting is configured to Not Defined for the EC environment and to 3 & 6 seconds, half-open connections dropped after 21 seconds for the SSLF environment.

(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted

The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) in the SCE.

This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. This setting is configured to Not Defined for the EC environment and to 3 for the SSLF environment.

(WarningLevel) Percentage threshold for the security event log at which the system will generate a warning

The registry value entry WarningLevel was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ registry key. The entry appears as MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning in the SCE.

This setting became available with SP3 for Windows 2000, and is a new feature that can generate a security audit in the Security event log when the log reaches a user-defined threshold. This setting is configured to Not Defined for the EC environment and to 90 for the SSLF environment.

Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated.
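The following PowerShell script is an added example, not part of the guide or its download: it reads a subset of the MSS registry values described above and compares them with the SSLF values this chapter recommends. The numeric encodings marked ASSUMED (NoDefaultExempt, SynAttackProtect, TcpMaxConnectResponseRetransmissions) are not stated on the page, and the Winlogon key for ScreenSaverGracePeriod is the standard location rather than the path printed in the text.

```powershell
# Added example; not the guide's own script. Audits MSS registry values against
# the SSLF recommendations in this chapter. Run in an elevated PowerShell
# session on the Windows client being checked. Entries marked ASSUMED encode
# SCE option labels as numbers the page itself does not state.
$checks = @(
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\Lanmanserver\Parameters'
       Name = 'Hidden';                       Expected = 1;      Why = 'Enabled: hidden from the browse list' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'KeepAliveTime';                Expected = 300000; Why = '5 minutes' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\IPSEC'
       Name = 'NoDefaultExempt';              Expected = 3;      Why = 'ASSUMED: multicast, broadcast and ISAKMP exempt' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun';           Expected = 255;    Why = 'Autorun disabled for all drives' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\Netbt\Parameters'
       Name = 'NoNameReleaseOnDemand';        Expected = 1;      Why = 'Enabled' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Control\FileSystem'
       Name = 'NtfsDisable8dot3NameCreation'; Expected = 1;      Why = 'Enabled' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Name = 'SafeDllSearchMode';            Expected = 1;      Why = 'System path searched before the working folder' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # standard Winlogon key (assumption)
       Name = 'ScreenSaverGracePeriod';       Expected = 0;      Why = '0 seconds (stored as a string value)' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'SynAttackProtect';             Expected = 1;      Why = 'ASSUMED: connections time out sooner if attack detected' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'TcpMaxConnectResponseRetransmissions'; Expected = 2; Why = 'ASSUMED: 3 & 6 seconds, half-open dropped after 21 s' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'TcpMaxDataRetransmissions';    Expected = 3;      Why = '3 retransmissions' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
       Name = 'WarningLevel';                 Expected = 90;     Why = '90 percent of log capacity' }
)

$results = foreach ($c in $checks) {
    $actual = $null
    # A missing key or value yields $null, which corresponds to "Not Defined".
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($c.Name) }

    if ($null -eq $actual) {
        $state = 'MISSING'
    } elseif ([int]$actual -eq $c.Expected) {   # [int] handles REG_SZ values such as "0"
        $state = 'OK'
    } else {
        $state = 'MISMATCH'
    }
    [pscustomobject]@{ Setting = $c.Name; Actual = $actual; Expected = $c.Expected; State = $state; Note = $c.Why }
}

$results | Format-Table -AutoSize
$bad = @($results | Where-Object { $_.State -ne 'OK' })
Write-Host ("{0} of {1} MSS settings differ from the SSLF recommendation." -f $bad.Count, $checks.Count)
if ($bad.Count -gt 0) { exit 1 }
```

A MISSING result is the expected outcome on an EC client for settings the chapter leaves Not Defined; only MISMATCH rows indicate a value that was explicitly set to something other than the SSLF recommendation.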

How to Modify the Security Configuration Editor User Interface

The Security Configuration Editor (SCE) set of tools is used to define security templates that can be applied to individual computers or any number of computers through Group Policy. Security templates can contain password policies, lockout policies, Kerberos authentication protocol policies, audit policies, event log settings, registry values, service startup modes, service permissions, user rights, group membership restrictions, registry permissions, and file system permissions. The SCE appears in a number of MMC snap-ins and administrator tools. It is used by the Security Templates snap-in and the Security Configuration and Analysis snap-in. The Group Policy Object Editor snap-in uses it for the Security Settings portion of the Computer Configuration tree, and it is also used for the Local Security Settings, Domain Controller Security Policy, and the Domain Security Policy tools.

This guide includes additional settings that are added to the SCE. To add these settings, you need to modify the Sceregvl.inf file, which is located in the %systemroot%\inf folder, and then re-register the Scecli.dll file.

Important: The customized version of the Sceregvl.inf file that is created by the following procedures uses features that are only available in Windows XP Professional with SP 2 and Windows Server 2003. Do not try to install the customized file on older versions of Windows.

After the Sceregvl.inf file is modified and registered, the custom registry values are exposed in the SCE user interfaces on that computer. You will see the new settings at the bottom of the list of items in the SCE; they are all preceded by the text "MSS:". MSS stands for Microsoft Solutions for Security, the name of the group that created this guide. You can then create security templates or policies that define these new registry values and that can be applied to any computer, regardless of whether the Sceregvl.inf file was modified on the target computer or not. Subsequent launches of the SCE will expose your custom registry values.

A number of the new settings that will appear in the SCE are not documented in this guide because they are typically not configured for end-user systems. For further information about these new settings you can refer to the companion guide Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available for download at https://go.microsoft.com/fwlink/?LinkId=15159.

Instructions about how to modify the SCE user interface are provided in the following procedures. There are manual instructions that you should follow if you have already made other customizations to the SCE. A script is provided to add the settings with little user interaction, and although the script has built-in error detection and recovery features it may fail. If it does fail, you should determine the cause of the failure and either correct the problem or follow the manual instructions. Another script is provided that you can use to restore the SCE user interface to its default state. This script will remove all custom settings and return the SCE to the way it appears in a default installation of Windows XP with SP2 or Windows Server 2003 with SP1.

To manually update Sceregvl.inf

  1. Use a text editor such as Notepad to open the Values-sceregvl.txt file from the SCE Update folder of the download for this guide.
  2. Open another window in the text editor and then open the %systemroot%\inf\sceregvl.inf file.
  3. Navigate to the bottom of the “[Register Registry Values]” section in the sceregvl.inf file. Copy and paste the text from the Values-sceregvl.txt file, without any page breaks, into this section of the sceregvl.inf file.
  4. Close the Values-sceregvl.txt file and open the Strings-sceregvl.txt file from the SCE Update folder of the download.
  5. Navigate to the bottom of the “[Strings]” section in the sceregvl.inf file. Copy and paste the text from the Strings-sceregvl.txt file, without any page breaks, into this section of the sceregvl.inf file.
  6. Save the sceregvl.inf file and close the text editor.
  7. Open a command prompt and execute the command regsvr32 scecli.dll to re-register the DLL file.

Subsequent launches of the SCE will display these custom registry values.
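The manual procedure above, carried out by an added PowerShell script that is not the guide's Update_SCE_with_MSS_Regkeys.vbs: it backs up sceregvl.inf, appends the two text files to their sections without duplicating entries that are already present, writes the file back in its original encoding, and re-registers Scecli.dll, restoring the backup if registration fails. The $UpdateDir path is an assumed location for the guide's SCE Update folder.

```powershell
# Added example; not the guide's own script. Applies the manual sceregvl.inf
# update steps from this chapter. Run in an elevated Windows PowerShell session.
param(
    [string]$UpdateDir = 'C:\WinXPSecGuide\SCE Update'   # assumed path to the SCE Update folder
)
$inf         = Join-Path $env:SystemRoot 'inf\sceregvl.inf'
$valuesFile  = Join-Path $UpdateDir 'Values-sceregvl.txt'
$stringsFile = Join-Path $UpdateDir 'Strings-sceregvl.txt'
foreach ($f in $inf, $valuesFile, $stringsFile) {
    if (-not (Test-Path $f)) { throw "Required file not found: $f" }
}

# Keep a timestamped backup so the change can be reversed by hand.
$backup = "$inf.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item $inf $backup

# Preserve the file's encoding: a UTF-16LE byte-order mark means Unicode.
$bytes = [System.IO.File]::ReadAllBytes($inf)
$encoding = if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { 'Unicode' } else { 'Default' }

$lines = New-Object System.Collections.Generic.List[string]
$lines.AddRange([string[]](Get-Content $inf))

function Add-ToSection {
    param([string]$Section, [string[]]$NewLines)
    # Locate the "[Section]" header line.
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -ieq "[$Section]") { $start = $i; break }
    }
    if ($start -lt 0) { throw "Section [$Section] not found in $inf" }
    # The section ends just before the next "[...]" header, or at end of file.
    $end = $lines.Count
    for ($i = $start + 1; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -match '^\[.*\]$') { $end = $i; break }
    }
    $existing = @($lines.GetRange($start, $end - $start) | ForEach-Object { $_.Trim() })
    $added = 0
    foreach ($l in $NewLines) {
        $t = $l.Trim()
        # Skip blanks, comments and entries already present, so re-running is harmless.
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($existing -contains $t) { continue }
        $lines.Insert($end, $l); $end++; $added++
        $existing += $t
    }
    Write-Host "[$Section]: added $added line(s)"
}

Add-ToSection -Section 'Register Registry Values' -NewLines (Get-Content $valuesFile)
Add-ToSection -Section 'Strings'                  -NewLines (Get-Content $stringsFile)
Set-Content -Path $inf -Value $lines -Encoding $encoding

# Step 7: re-register Scecli.dll. regsvr32 is a GUI-subsystem program, so wait
# for it explicitly and check its exit code; roll back the file on failure.
$dll = Join-Path $env:SystemRoot 'System32\scecli.dll'
$p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/s', "`"$dll`"") -Wait -PassThru
if ($p.ExitCode -ne 0) {
    Copy-Item $backup $inf -Force
    throw "regsvr32 failed (exit code $($p.ExitCode)); sceregvl.inf restored from $backup"
}
Write-Host "sceregvl.inf updated and scecli.dll re-registered; backup kept at $backup"
```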

To automatically update sceregvl.inf

  1. The Values-sceregvl.txt, Strings-sceregvl.txt, and Update_SCE_with_MSS_Regkeys.vbs files that are located in the SCE Update folder of the download for this guide must all be in the same location for the script to function.
  2. Execute the Update_SCE_with_MSS_Regkeys.vbs script on the computer you wish to update.
  3. Follow the onscreen prompts.

This procedure will remove only the custom entries that were made with the script that is described in the previous procedure, Update_SCE_with_MSS_Regkeys.vbs.

To reverse the changes made by the Update_SCE_with_MSS_Regkeys.vbs script

  1. Execute the Rollback_SCE_for_MSS_Regkeys.vbs script on the computer you wish to update.
  2. Follow the onscreen prompts.

This procedure will remove any custom entries that you may have added to the SCE user interface, including those from this guide and others that may have been provided in earlier versions of this guide or in other security guides.

To restore the SCE to its default state for Windows XP with SP2 or Windows Server 2003 with SP1

  1. The sceregvl_W2K3_SP1.inf.txt, sceregvl_XPSP2.inf.txt, and Restore_SCE_to_Default.vbs files that are located in the SCE Update folder of the download for this guide must all be in the same location for the script to function.
  2. Execute the Restore_SCE_to_Default.vbs script on the computer you wish to update.
  3. Follow the onscreen prompts.

Additional Security Settings

Although most of the countermeasures that were used to harden the client systems in the two environments that are discussed in this chapter were applied through Group Policy, there are additional settings that are difficult or impossible to apply with Group Policy. For a detailed explanation of each of the countermeasures discussed in this section, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at https://go.microsoft.com/fwlink/?LinkId=15159.

Manual Hardening Procedures

This section describes how some additional countermeasures were implemented manually to secure the Windows XP clients for each of the security environments that are defined in this guide.

Disable Dr. Watson: Disable Automatic Execution of Dr. Watson System Debugger

Some organizations may feel that system debuggers such as the Dr. Watson tool that is included with Windows could be exploited by knowledgeable attackers. For instructions about how to disable the Dr. Watson system debugger, see the Microsoft Knowledge Base article "How to disable Dr. Watson for Windows," which is available online at https://support.microsoft.com/default.aspx?scid=188296.

Disable SSDP/UPNP: Disable SSDP/UPNP

Some organizations may feel that the Universal Plug and Play features that are included with subcomponents of Windows XP should be completely disabled. Although the Universal Plug and Play host service is disabled in this guide, other applications such as Windows Messenger will use the Simple Service Discovery Protocol (SSDP) discovery service process to identify network gateways or other network devices. You can ensure that no applications use the SSDP and UPnP features that are included with Windows XP by adding a REG_DWORD registry value called UPnPMode to the HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlayNATHelp\DPNHUPnP\ registry key and setting its value to 2.

For more information, see the Microsoft Knowledge Base article "Traffic Is Sent After You Turn Off the SSDP Discover Service and Universal Plug and Play Device Host," which is available online at https://support.microsoft.com/default.aspx?scid=317843.

Securing the File System

The NTFS file system has been improved with each new version of Microsoft Windows. The default permissions for NTFS are adequate for most organizations. The settings that are discussed in this section are for organizations that use laptops and desktops in the Specialized Security – Limited Functionality (SSLF) environment that is defined in this guide.

File system security settings may be modified through Group Policy. You can configure the file system settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\File System

Note: Any changes to the default file system security settings should be thoroughly tested in a lab environment before they are deployed in a large organization. There have been cases in which file permissions have been altered to a point that required the affected computers to be completely rebuilt.

The default file permissions in Windows XP are sufficient for most situations. However, if you are not going to block membership of the Power Users group with the Restricted Groups feature or if you are going to enable the Network access: Let Everyone permissions apply to anonymous users setting, you may want to apply the optional permissions that are described in the next paragraph. These optional permissions are very specific, and they apply additional restrictions to certain executable tools that a malicious user with elevated privileges may use to further compromise the system or network.

Note that these permission changes do not affect multiple folders or the root of the system volume. It can be very risky to change permissions in that manner, and doing so can often cause system instability. All of the files are located in the %SystemRoot%\System32\ folder, and they are all given the following permissions: Administrators: Full Control, System: Full Control.

  • regedit.exe
  • arp.exe
  • at.exe
  • attrib.exe
  • cacls.exe
  • debug.exe
  • edlin.exe
  • eventcreate.exe
  • eventtriggers.exe
  • ftp.exe
  • nbtstat.exe
  • net.exe
  • net1.exe
  • netsh.exe
  • netstat.exe
  • nslookup.exe
  • ntbackup.exe
  • rcp.exe
  • reg.exe
  • regedt32.exe
  • regini.exe
  • regsvr32.exe
  • rexec.exe
  • route.exe
  • rsh.exe
  • sc.exe
  • secedit.exe
  • subst.exe
  • systeminfo.exe
  • telnet.exe
  • tftp.exe
  • tlntsvr.exe

For your convenience, these optional permissions are already configured in the security template called Optional-File-Permissions.inf, which is included with the downloadable version of this guide.
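An added check, not from the guide and not the Optional-File-Permissions.inf template: it reads the ACL of each tool listed above and reports any principal other than Administrators and SYSTEM that still holds an access control entry, which shows where the optional permissions have not been applied. It assumes the tools live in %SystemRoot%\System32 as the text states.

```powershell
# Added example; not the guide's own code. Reports which of the listed
# System32 tools are still accessible to principals other than
# Administrators and SYSTEM. Inherited entries are included on purpose,
# since they grant access just as explicit ones do.
$tools = @(
    'regedit.exe','arp.exe','at.exe','attrib.exe','cacls.exe','debug.exe','edlin.exe',
    'eventcreate.exe','eventtriggers.exe','ftp.exe','nbtstat.exe','net.exe','net1.exe',
    'netsh.exe','netstat.exe','nslookup.exe','ntbackup.exe','rcp.exe','reg.exe',
    'regedt32.exe','regini.exe','regsvr32.exe','rexec.exe','route.exe','rsh.exe',
    'sc.exe','secedit.exe','subst.exe','systeminfo.exe','telnet.exe','tftp.exe','tlntsvr.exe'
)
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-ExtraAccess {
    param([string]$Path)
    # Return every identity with an ACE on the file that is not in $allowed.
    $acl = Get-Acl -Path $Path
    @($acl.Access |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)
}

$unrestricted = 0
foreach ($t in $tools) {
    $path = Join-Path (Join-Path $env:SystemRoot 'System32') $t
    if (-not (Test-Path $path)) { Write-Host "$t : not present on this computer"; continue }
    $extra = Get-ExtraAccess -Path $path
    if ($extra.Count -eq 0) {
        Write-Host "$t : restricted to Administrators and SYSTEM"
    } else {
        $unrestricted++
        Write-Host ("{0} : also accessible to {1}" -f $t, ($extra -join ', '))
    }
}
Write-Host "$unrestricted tool(s) have not received the optional permissions."
```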

Advanced Permissions

The Permissions dialog box offers more control over file permissions than it initially appears to. To reach the additional permissions, click the Advanced button. The following table describes these advanced permissions.

Table 3.22 Advanced File Permissions and Descriptions

The advanced permission names and their descriptions are as follows:

  • Traverse Folder/Execute: Allows or denies user requests to move through folders to reach other files or folders, even if the user has no permission to traverse folders (applies to folders only).
  • List Folders/Read Data: Allows or denies user requests to view file names and subfolder names within the specified folder. It only affects the contents of that folder and does not affect whether the folder on which you are setting the permission will be listed (applies to folders only).
  • Read Attributes: Allows or denies the ability to view data in files (applies to files only).
  • Read Extended Attributes: Allows or denies user requests to view the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.
  • Create Files/Write Data: Create Files allows or denies creating files within the folder (applies to folders only). Write Data allows or denies the ability to make changes to the file and overwrite existing content (applies to files only).
  • Create Folders/Append Data: Create Folders allows or denies user requests to create folders within a specified folder (applies to folders only). Append Data allows or denies the ability to make changes to the end of the file but not to change, delete, or overwrite existing data (applies to files only).
  • Write Attributes: Allows or denies user requests to make changes to the end of the file, but not to change, delete, or overwrite existing data (applies to files only).
  • Write Extended Attributes: Allows or denies user requests to change the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
  • Delete Subfolders and Files: Allows or denies the ability to delete subfolders and files, even if the Delete permission has not been assigned on the subfolder or file (applies to folders).
  • Delete: Allows or denies user requests to delete subfolders and files, even if the Delete permission has not been assigned on the subfolder or file (applies to folders).
  • Read Permissions: Allows or denies user requests to read the permissions of files or folders, such as Full Control, Read, and Write.
  • Change Permissions: Allows or denies user requests to change permissions of files or folders, such as Full Control, Read, and Write.
  • Take Ownership: Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.

The following three additional terms are used to describe the inheritance of permissions that are applied to files and folders:

  • Propagate refers to the propagation of inheritable permissions to all subfolders and files. Any child objects of an object inherit the parent object's security settings, provided the child object is not protected from accepting permission inheritance. If there is a conflict, the explicit permissions on the child object will override the permissions that are inherited from the parent object.
  • Replace refers to the replacement of existing permissions on all subfolders and files with inheritable permissions. The parent object's permission entries will override any security settings on the child object, regardless of the child object's settings. The child object will have identical access control entries as the parent object.
  • Ignore refers to not allowing permissions on a file or folder (or key) to be replaced. Use this configuration option if you do not want to configure or analyze security for this object or any of its child objects.

Summary

This chapter described in detail the primary security settings and recommended configurations for each setting to secure computers that run Windows XP Professional with SP2 in the two environments that are discussed in this chapter. When you consider the security policies for your organization, remember the trade-offs between security and user productivity. Although users need protection from malicious code and attackers, they also need to perform their jobs without overly restrictive security policies that frustrate their efforts.

More Information

The following links provide additional information about Windows XP Professional security-related topics.

  • For more information about how to maintain security for Windows XP Professional, see the Help and Support tool that is included with Windows XP and the Microsoft Windows XP Security and Privacy Web site at https://www.microsoft.com/windowsxp/using/security/default.mspx.
  • For more information about the security features in Windows XP SP2, see "Security Information for Windows XP Service Pack 2" at https://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpsp2sec.mspx.
  • For more information about security settings available in Windows XP SP2, see the Microsoft TechNet article “Security Setting Descriptions” at https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/dd980ca3-f686-4ffc-a617-50c6240f5582.mspx.
  • For more information about secure channels, see the Windows 2000 Magazine article "Secure Channels in NT 4.0" at https://msdn.microsoft.com/archive/en-us/dnarntmag00/html/secure.asp.
  • For more information about security for the Windows operating system, see the Microsoft Windows Security Resource Kit at https://www.microsoft.com/MSPress/books/6815.aspx.
  • For more information about the Encrypting File System feature of Windows XP and Windows Server 2003, see "Encrypting File System in Windows XP and Windows Server 2003" at https://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
