Chapter 5: Securing Stand-Alone Windows XP Clients
Updated: April 13, 2006

Overview

Microsoft® Windows® XP Professional–based computers that are not members of an Active Directory® directory service–based domain present some unique management challenges. This chapter discusses how to most effectively apply and manage the policy settings that are recommended in the previous chapters of this guide. The prescribed policy settings will help you ensure that stand-alone desktop and laptop computers in your organization that run Windows XP Professional are secure. The settings are applied by means of local policy, which applies to all users who log on to the client computer, including the local Administrator.

This chapter does not provide guidance for all of the available policy settings in Windows XP. However, the prescribed policy settings will provide an operating environment that is secure from most current threats and allow users to continue to use their computers. Any policy settings that you apply should be based on the security goals of your organization.

Windows XP in a Windows NT 4.0 Domain

A specific example of a Windows XP client computer in a non-Active Directory domain environment would be a Windows XP–based computer in a Microsoft Windows NT® 4.0 domain. In such an environment, the Windows XP clients are treated as stand-alone computers. There is more management overhead in this type of environment because there is no central location from which to manage the policy settings.

Microsoft recommends that you install the Windows NT 4.0–based domain controllers with Service Pack 6a (SP6a) and the most recent updates. Windows NT 4.0 SP6a contains several updates for NTLM authentication. Without these updates, Windows XP–based computers in a Windows NT 4.0–based domain may experience domain or network connectivity and communication issues. The administrator should frequently check for updates.
Windows XP Professional provides more policy settings than previous versions of Windows, which enables you to better customize user and computer settings. Several hundred new local policy settings are available in Windows XP Professional, in addition to those already available for Windows 2000 Professional. Local policy is a powerful management feature that allows you to lock down and fine-tune your desktop computers. It also introduces the possibility of many different customized scenarios. Domain administrators are made members of the local Administrators group on all client computers that join the domain; therefore, the Windows XP client computers will only be as secure as the domain to which they belong.

Windows XP client computers in a legacy environment use a modified version of the security templates from Chapter 3, "Security Settings for Windows XP Clients," to ensure that they can communicate with the Windows NT 4.0 domain controllers. These policy settings are applied by means of the scripts that are described at the end of this chapter. To communicate with a Windows NT 4.0 domain controller, the following policy settings are modified under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:
These policy settings are preconfigured in the legacy client security template files that are included with this guide.

Local Group Policy Object Settings

Each Windows XP Professional operating system has one Local Group Policy object (LGPO). The policy settings are applied to the LGPO manually with the Group Policy Object Editor or through scripts. LGPOs contain fewer policy settings than domain-based GPOs, particularly under Security Settings. LGPOs do not support Folder Redirection, Remote Installation Service, or Group Policy Software Installation when they are configured on stand-alone client computers, but you can use them to provide a secure operating environment on such computers. The following table shows which Group Policy snap-in extensions open when the Group Policy snap-in is focused on an LGPO.

Table 5.1 Group Policy Snap-in Extensions
Account Policies

Account policies include Password policy, Account Lockout policy, and Kerberos policy settings. Password policy can help secure most environments through its ability to require password complexity and frequent password changes. Account Lockout policy provides the ability to automatically disable an account after a series of unsuccessful logon attempts. Kerberos policy settings determine Kerberos-related attributes of domain user accounts, such as the Maximum lifetime for user ticket and Enforce user logon restrictions settings. However, these policy settings are not used for stand-alone client computers because they do not participate in a domain.

Typically, account policies are set at the domain level and are thereby configured for domain client computers. For stand-alone Windows XP client computers, these policy settings need to be applied locally, similar to the policy settings that are described in Chapter 2, "Configuring the Active Directory Domain Infrastructure," of this guide.

Local Policies

Local policies, under Computer Configuration\Windows Settings\Security Settings, will be applied to the client computer with the templates that are described in Chapter 3, "Security Settings for Windows XP Clients," of this guide. A combination of those templates and the ones that were created for the stand-alone client computers are used; you can automate the application of the security templates by means of scripts that you can apply to multiple computers in the environment. The next section describes the process for creating and deploying local policies.

Importing Security Templates into Windows XP

There are several different templates that you can use to configure the stand-alone client computer by means of a script; you should use a template that supports the security requirements of the client. The previous section discussed local policy settings and how the Group Policy Object Editor is used to configure them.
You can use the provided templates to automate the configuration process for many client computers in either a network-connected or stand-alone environment. This section explains how to automate the configuration of security policies.

Configuration

A security template is a file that represents a security configuration. To apply security templates to a local computer, you can import them into the LGPO. The templates that were created in Chapter 3, "Security Settings for Windows XP Clients," will be used to configure the local policies. The administrator will use the Microsoft Management Console (MMC) Security Configuration and Analysis snap-in, the Security Templates snap-in, and Secedit.exe to create the account policies and merge the two security templates on the stand-alone computer.

Creating a Security Database

To automate the process of importing security settings on a stand-alone client computer, you must create a reference database to write to the local security policy. The baseline database was created with the MMC Security Configuration and Analysis snap-in. The following steps were used to create the XP Default Security.sdb database. The database used the Setup security.inf file as the template to establish the default policy settings for the stand-alone client computer.

To create a new default security database
This process creates a database file with the default security settings that will be used in the automation process. Copy the security database to the same folder to which you copied the scripts and the information files. The custom scripts will be used to configure the database, which will in turn configure the local security policy. The administrator can use similar steps to create a custom database instead of using the one that is provided with this guide.

Creating Custom Templates

You can use the MMC Security Templates snap-in to define security policy settings in the templates, which you can then apply to a local computer. The following steps were performed to create the Standalone-EC-Account.inf and Standalone-SSLF-Account.inf templates by using the policy settings from the Account Policy tables in Chapter 2, "Configuring the Active Directory Domain Infrastructure."

To create a custom template
After the files are created, you can find them under %windir%\security\templates. Copy the security templates to the same folder in which you created the security database so that the scripts can find them. These files will be used in the next phase to automate the import of the templates.

Applying the Policy

The Secedit.exe tool is useful when you need to configure security on multiple computers. You can call the Secedit.exe tool at a command prompt, from a batch file, or from the automatic task scheduler to automatically create and apply templates. You can also run it dynamically from a command prompt. The scripts that are provided with this guide use the Secedit.exe tool to merge and apply local policy to client computers.

Manually Applying the Local Policy

To apply all of the policy settings in the stand-alone security template's .inf file that is included with this guide, use the MMC Security Configuration and Analysis snap-in instead of the Local Computer Policy snap-in. It is not possible to import the security template with the Local Computer Policy snap-in because it does not allow you to apply security policy settings for system services. To import and apply the security template, use the Security Configuration and Analysis snap-in to complete the steps in the following procedures.

To import a security template
All of the policy settings in the template will be imported, after which they can be reviewed or applied.

To apply the policy settings
You will have to import both templates for each environment. All pertinent policy settings from the security template will be applied to the client computer's local policy. The following sections describe the policy settings that are applied through local policy.

Secedit

This tool configures and analyzes system security; to do so, it compares your current configuration to at least one template. The syntax for using the Secedit.exe tool is as follows:

secedit /configure /db <FileName> [/cfg <FileName>] [/overwrite] [/areas <Area1> <Area2> ...] [/log <FileName>] [/quiet]

The following list explains the parameters of the Secedit.exe tool.
Automated Scripts

It is always easier to use a script to apply identical policy settings to many client computers. You can use the Secedit.exe tool described earlier in this chapter to automate the application of local policy with a simple script. Copy the script and all associated files to a subdirectory on the local hard disk, and then execute the script from that subdirectory. You can use the following script to import security templates into the LGPO to secure the stand-alone Windows XP client computers in your environment.

Important: Be certain that the security database file XP Default Security.sdb is not marked Read Only. For the following script to function correctly, it must be able to make changes to that file.

Note: Some parts of the following code snippet have been displayed on multiple lines only for better readability. These should be entered on a single line.

REM (c) Microsoft Corporation 1997-2005

The following tables list the scripts and associated files that are included with this guide. For each environment, there are files for both desktop and laptop client computers.

Table 5.3 Stand-Alone Scripts and Files
Table 5.4 Legacy Scripts and Files
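The merge-and-apply procedure from the Automated Scripts section, written out as an added example; this is not the guide's own script. It assumes the files sit in the same folder as the script: XP Default Security.sdb and Standalone-EC-Account.inf are the names used in this chapter, while EC-Desktop-Placeholder.inf stands in for whichever Chapter 3 client template you copied there.

```batch
@echo off
REM Added example, not the guide's script: merge the stand-alone account
REM template and the Chapter 3 client template into the reference database,
REM then apply the result as local policy. Run from the folder that holds
REM the scripts, templates and database.
setlocal
cd /d "%~dp0"
set DB=XP Default Security.sdb
set ACCT=Standalone-EC-Account.inf
set CLIENT=EC-Desktop-Placeholder.inf
set LOG=%~dp0Standalone-EC.log

REM secedit writes analysis and configuration state into the database, so
REM the file must exist and must not be read-only (see the Important note).
if not exist "%DB%" (
    echo Database "%DB%" not found & exit /b 1
)
attrib -r "%DB%"

REM Dry run: compare the current machine against the account template and
REM record the differences in the log before changing anything.
secedit /analyze /db "%DB%" /cfg "%ACCT%" /log "%LOG%" /quiet

REM Merge the account policy template (Password and Account Lockout policy)
REM into the database. Without /overwrite the template is appended to what
REM the database already holds, which is how the two templates are merged.
secedit /configure /db "%DB%" /cfg "%ACCT%" /log "%LOG%" /quiet
if errorlevel 1 goto :fail

REM Merge and apply the client template. /areas limits the write to the
REM policy areas the stand-alone guide changes; omit it to apply every area.
secedit /configure /db "%DB%" /cfg "%CLIENT%" /areas SECURITYPOLICY USER_RIGHTS SERVICES /log "%LOG%" /quiet
if errorlevel 1 goto :fail

REM Refresh local policy so the new settings take effect without a reboot.
gpupdate /force
echo Local policy applied. Review "%LOG%" for warnings.
endlocal
exit /b 0

:fail
echo secedit reported an error; see "%LOG%"
endlocal
exit /b 1
```

Run the script once per environment with the matching account template (Standalone-SSLF-Account.inf for the SSLF environment), since each environment needs both of its templates imported.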
Summary

Windows XP local policy is a very useful way to provide consistent security policy settings to Windows XP systems that are not members of an Active Directory domain. To deploy local policy effectively, ensure that you are aware of how it can be applied, that all of your client computers are configured with the appropriate settings, and that you have defined appropriate security for each computer in your environment.

More Information

The following links provide additional information about Windows XP Professional security-related topics.