How to Configure Windows XP SP2 Network Protection Technologies in a Small Business Environment

Published: December 10, 2004 | Updated: July 21, 2006

On This Page

Introduction
Before You Begin
Applying Security Patches
Updating Existing Group Policy Objects
Configuring Group Policy Objects
About Internet Explorer Security Settings
Applying New Configurations with GPUpdate
Related Information

Introduction

The Active Directory® directory service provides a means to centrally manage the security configuration of workstations and servers within a small business. This service provides a more secure and more easily managed workstation environment.

This article addresses the central management of workstations that run Microsoft® Windows® XP with Service Pack 2 (SP2). It depends solely on Active Directory to apply Group Policy objects (GPOs) on the workstations to manage security settings.

Objective of this Document

Different organizations have different security needs. Regardless of how tight the security requirements might be for each customer, they should be able to use the concepts within this article to assist in their efforts to manage workstation security.

Before You Begin

You must be logged on as a member of the Domain Admins group to complete the following procedures.

Note   If you are unable to make changes to a workstation or server, a Group Policy may be the reason. In such cases, you will need to make the changes at the Group Policy level.

Complete the tasks in this document to configure the Windows XP SP2 network protection technologies with Group Policy:

  • Applying Security Patches

  • Updating Existing Group Policy Objects (GPOs)

  • Configuring Security Center Settings

  • Configuring Windows Firewall Settings

  • Configuring Internet Explorer settings

  • Configuring Internet Communication Management settings

  • Applying settings with GPUpdate

Applying Security Patches

Microsoft recommends that you apply the most current security patches and service packs on all your Windows workstations and servers. It is always a good practice to back up your computer or important files before patching.

Note   Some of the functionality within this article and some critical security features depend on some of the more recent patches/hotfixes. If the domain controllers are not current, they may not have the administrative templates needed for the Windows XP SP2 workstation within the GPO. Without the administrative templates, the new SP2 security features will not be available.

Updating Existing Group Policy Objects

The best way to manage GPOs in Active Directory is with the Microsoft Group Policy Management Console (GPMC), which can be downloaded from the Microsoft Web site at www.microsoft.com/windowsserver2003/gpmc/gpmcintro.mspx. It is an alternative to using the Microsoft Management Console (MMC) with the Group Policy Object Editor (GPOE) snap-in.

The GPMC also uses the Group Policy Object Editor to edit GPOs.

  1. Within the GPMC, double-click the GPO you wish to update with the new administrative template. The GPO will open in the GPOE.

  2. Click OK and then click Finish. This action applies the new template.

  3. Repeat for each GPO.

Configuring Group Policy Objects

Perform the following procedures to configure GPOs in your environment.

Configuring Security Center Settings

It is possible to enable the Security Center on each workstation under Group Policy control. The Security Center, if installed, can inform each workstation user of the status of their Windows Firewall, antivirus, and Automatic Updates settings. By default, Group Policy does not enable this feature.

  1. Open the GPMC and double-click the GPO you wish to use to enforce Security Center on each workstation.

  2. Within the selected GPO, open Computer Configuration, Administrative Templates, Windows Components, and then Security Center.

  3. Double-click Turn on Security Center (Domain PCs only).

  4. Enable this setting.

  5. Click OK.

Configuring Windows Firewall Settings

This section describes the Windows Firewall settings in a GPO and the recommended settings for a small business environment.

  1. Within the selected GPO, open Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, and then Domain Profile.

  2. Double-click each setting and configure according to the information in the following table.

    Note   After you enable Define program exceptions in the domain profile, you must enter all the programs that are to be allowed to make connections to your computers before you click OK.

Table 1. Windows Firewall Recommended Settings for Small Businesses

Each entry lists the setting, its description, and the recommended Domain profile value.

Protect all network connections
  Description: Specifies that all network connections have Windows Firewall enabled.
  Domain profile: Enabled.

Do not allow exceptions
  Description: Specifies that all unsolicited traffic is dropped, including excepted traffic.
  Domain profile: Not configured.

Define program exceptions
  Description: Defines excepted traffic in terms of program file names.
  Domain profile: Enabled and configured with the programs (applications and services) used by Windows XP SP2–based computers in your network.

Allow local program exceptions
  Description: Enables local configuration of program exceptions.
  Domain profile: Disabled.

Allow remote administration exception
  Description: Enables remote configuration using tools.
  Domain profile: Disabled, unless you want to remotely administer your computers with MMC snap-ins.

Allow file and print sharing exception
  Description: Specifies whether file and printer sharing traffic is allowed.
  Domain profile: Disabled.

Allow ICMP exceptions
  Description: Specifies the types of ICMP messages that are allowed.
  Domain profile: Disabled.

Allow Remote Desktop exception
  Description: Specifies whether the computer can accept a Remote Desktop–based connection request.
  Domain profile: Enabled.

Allow UPnP framework exception
  Description: Specifies whether the computer can receive unsolicited UPnP messages.
  Domain profile: Disabled.

Prohibit notifications
  Description: Disables notifications.
  Domain profile: Disabled.

Allow logging
  Description: Enables a log of traffic and configures log file settings.
  Domain profile: Not configured.

Prohibit unicast response to multicast or broadcast requests
  Description: Discards the unicast packets received in response to a multicast or broadcast request message.
  Domain profile: Enabled.

Define port exceptions
  Description: Specifies excepted traffic in terms of TCP and UDP ports.
  Domain profile: Disabled.

Allow local port exceptions
  Description: Allows local configuration of port exceptions.
  Domain profile: Disabled.

For more details, see "How to Configure Windows Firewall in a Small Business Environment using Group Policy" at www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/fwgrppol.mspx.
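Once the GPO has been applied, it is worth confirming on a workstation that the domain profile actually received the Table 1 values rather than assuming it did. The following PowerShell script is an added example (not part of the Microsoft article) that reads the firewall policy a workstation has received and reports each Table 1 row as OK or REVIEW. It assumes Group Policy writes these settings under the HKLM WindowsFirewall\DomainProfile policy key with the value names of the XP SP2 Windows Firewall administrative template; those value names are assumptions, not taken from the article.

```powershell
# Added example, not from the Microsoft article: audit the Windows Firewall domain-profile
# policy a workstation has actually received against the Table 1 recommendations.
# Assumption: Group Policy writes these settings under the key below, using the value names
# of the XP SP2 Windows Firewall administrative template (treated here as assumed names).
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Get-FwPolicyValue([string]$SubKey, [string]$Name) {
    # Returns the policy value, or $null when it is "Not configured" (key or value absent).
    $path = if ($SubKey) { Join-Path $Base $SubKey } else { $Base }
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Table 1 row -> registry location and expected value. 1 = Enabled, 0 = Disabled,
# $null = Not configured. "Allow ICMP exceptions" is checked through one representative flag.
$Checks = @(
    @{ S='Protect all network connections';       K='';                       V='EnableFirewall';           E=1     },
    @{ S='Do not allow exceptions';               K='';                       V='DoNotAllowExceptions';     E=$null },
    @{ S='Allow local program exceptions';        K='AuthorizedApplications'; V='AllowUserPrefMerge';       E=0     },
    @{ S='Allow remote administration exception'; K='RemoteAdminSettings';    V='Enabled';                  E=0     },
    @{ S='Allow file and print sharing exception';K='Services\FileAndPrint';  V='Enabled';                  E=0     },
    @{ S='Allow ICMP exceptions';                 K='IcmpSettings';           V='AllowInboundEchoRequest';  E=0     },
    @{ S='Allow Remote Desktop exception';        K='Services\RemoteDesktop'; V='Enabled';                  E=1     },
    @{ S='Allow UPnP framework exception';        K='Services\UPnPFramework'; V='Enabled';                  E=0     },
    @{ S='Prohibit notifications';                K='';                       V='DisableNotifications';     E=0     },
    @{ S='Allow logging';                         K='Logging';                V='LogDroppedPackets';        E=$null },
    @{ S='Prohibit unicast response to multicast or broadcast requests'; K=''; V='DisableUnicastResponsesToMulticastBroadcast'; E=1 },
    @{ S='Allow local port exceptions';           K='GloballyOpenPorts';      V='AllowUserPrefMerge';       E=0     }
)

$Report = foreach ($c in $Checks) {
    $actual = Get-FwPolicyValue $c.K $c.V
    New-Object PSObject -Property @{
        Setting  = $c.S
        Expected = if ($null -eq $c.E) { 'Not configured' } else { $c.E }
        Actual   = if ($null -eq $actual) { 'Not configured' } else { $actual }
        Status   = if ($actual -eq $c.E) { 'OK' } else { 'REVIEW' }   # $null -eq $null is True
    }
}
$Report | Format-Table Setting, Expected, Actual, Status -AutoSize

# "Define program exceptions" (Enabled) and "Define port exceptions" (Disabled): the article
# wants a reviewed program list and no port list, so print whatever lists policy pushed down.
foreach ($list in 'AuthorizedApplications\List', 'GloballyOpenPorts\List') {
    $path = Join-Path $Base $list
    Write-Host "`n$list :"
    if (Test-Path $path) {
        (Get-ItemProperty -Path $path).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # skip PSPath, PSDrive and similar
            ForEach-Object { "  $($_.Value)" }
    } else { '  (no entries pushed by policy)' }
}
```

Run it in an elevated PowerShell session after GPUpdate; a REVIEW row means the workstation did not receive the value Table 1 recommends, which usually points at a GPO link, security filtering, or missing administrative template.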

About Internet Explorer Security Settings

Security policy settings allow you to manage specific scenarios that might affect the security of Internet Explorer. In most cases, you will want to prevent specific behavior and therefore must ensure that the security features are enabled. Microsoft recommends Internet Explorer 6 because its new features increase the security of the browser.

Security Zones

Internet Explorer categorizes Web sites into four security zones, each of which provides different levels of security. The security zones are Internet, Local intranet, Trusted sites, and Restricted sites. Each zone can be independently configured with preset security levels ranging from High to Low. Internet Explorer also provides the ability to define a custom set of security options for each security zone. Microsoft has defined default security settings for each zone. The following table provides a description of each security zone and Microsoft’s default security settings for each.

Table 2. Security Zone Descriptions and Default Security Settings

Each entry lists the security zone, its default security level, and a description.

Internet zone
  Default security level: Medium
  Description: The Internet zone consists of all Web sites that are not included in the other zones.
  Note   The threat from the Internet is very real. Microsoft feels so strongly about protecting users from Internet threats that you cannot set the security level of this zone to Low, even with the advanced Custom Level button.

Local intranet zone
  Default security level: Medium-low
  Description: All sites in this zone should be inside the firewall.

Trusted sites zone
  Default security level: Low
  Description: Sites in the Trusted sites zone are allowed to perform a wider range of operations, and users are prompted to make fewer security decisions. Add a site to this zone only if you trust all of its content never to perform any harmful operations on your computers. For the Trusted sites zone, Microsoft strongly recommends that you use Hypertext Transfer Protocol Secure (HTTPS) or otherwise ensure that connections to the site are completely secure.

Restricted sites zone
  Default security level: High
  Description: This zone is designed for sites that are considered untrustworthy. It controls and restricts Web features, but does not block site access. Sites can be added by the user or enforced by Group Policy. To block access to Web sites, you must use a proxy server that supports that feature.

Increasing Security

Each security zone contains more than 30 settings that can be individually modified to control specific areas of functionality. Most settings can be enabled, disabled, or set to prompt the user. Microsoft recommends that customers limit the number of settings that prompt the user in all security zones. Strong information security policies limit user permissions and prevent users from taking actions that may lead to security compromises. Security zone settings should be defined and set per zone; using a single set of definitions for all zones is never recommended. The following table provides a sampling of a few default settings across the security zones. These and other settings can be modified to meet organizational needs.

Table 3. Security Zone Policy Settings

Security zone

Policy settings

Internet Zone

Use Pop-up Blocker = Enabled
Automatic prompting for ActiveX controls = Disabled
Download signed ActiveX controls = Prompt
File download = Enabled

Local Intranet Zone

Use Pop-up Blocker = Disabled
Automatic prompting for ActiveX controls = Enabled
Download signed ActiveX controls = Prompt
File download = Enabled

Trusted Sites Zone

Use Pop-up Blocker = Disabled
Automatic prompting for ActiveX controls = Enabled
Download signed ActiveX controls = Enabled
File download = Enabled

Restricted Sites Zone

Use Pop-up Blocker = Enabled
Automatic prompting for ActiveX controls = Disabled
Download signed ActiveX controls = Disabled
File download = Disabled

ActiveX® is a powerful, extensible Web development platform that enables rich online user experiences. Many enterprise customers use ActiveX controls for internal line-of-business applications, and therefore ActiveX must be enabled within Internet Explorer. Your security standards and acceptable use policies may require disabling ActiveX for the Internet zone. Turning off ActiveX controls, either by Group Policy or by setting the security zone control to High, may cause Web sites to function incorrectly. Microsoft recommends that organizations define policies to address this issue and prepare a strategy to permit access based on business justification.

ActiveX is a security concern because of its ability to run commands within the browser’s console. It is advisable that ActiveX only be allowed to run from trusted Web sites.

A more detailed explanation of security zones and configuration options can be found in "Setting Up Security Zones" at www.microsoft.com/windows/ie/using/howto/security/setup.mspx.

Privacy/Cookies

In the attempt to offer more robust personalized online experiences, some Web sites store information in small text files on your computer. These files are called cookies. Internet Explorer 6 has several mechanisms to control the use of cookies.

There are different types of cookies. First-party cookies are not readable by Web sites other than the issuing site. Another type of cookie is referred to as a third-party cookie, which is used by Web entities to record data about visitors. Third-party cookies are used by multiple Web sites. The data contained can range from user IDs and passwords to zip codes.

  • First-party cookies. Readable only by issuing site.

  • Third-party cookies. Read and written to by multiple Web sites.

Users may not know that they have any control over what data is stored within cookies. Simply clicking on a checkbox to remember a billing address can potentially leave unwanted data in a first-party or third-party cookie.

Each organization must determine its own policy regarding cookies. Microsoft recommends at least a setting of Medium. This setting blocks third-party cookies that do not have a compact privacy policy, blocks third-party cookies that use personally identifiable information without implicit consent, and restricts first-party cookies that use personally identifiable information without implicit consent. The High setting limits all cookies, and the other settings allow them under certain conditions. The Low setting allows all cookies without conditions.

Sites can be added to bypass the overall setting. The choices for adding a site are to Always Block or Always Allow. Regardless of whether you choose to be restrictive or less restrictive, you will be able to add sites. Group Policy can be used to enforce not only the cookie settings, but also the sites.

Note   Cookies cannot be controlled within each zone. The setting is expressed across all four security zones.

Pop-up Blocker

Pop-up Blocker blocks most unwanted pop-up windows. Pop-up windows that are opened when the user clicks a link will not be blocked. Pop-up Blocker can be configured on a per-zone basis, allowing sites to be blocked in one zone and not others. Group Policy can be used to enforce Pop-up Blocker within each zone and add a list of allowed sites.

Pop-ups can become cumbersome and so numerous and persistent that the browser can become practically unusable. Each time a pop-up is blocked it is noted within the Internet Explorer toolbar.

Note   Pop-up Blocker can be controlled within each zone, but the allowed sites are added across all four zones.

Internet Programs

Internet Explorer can be configured to launch other programs to send e-mail, manage contacts, or view page source. For example, when a user clicks an e-mail address on a Web page, Internet Explorer opens the defined e-mail program with a new, pre-addressed outgoing e-mail message. This functionality provides an efficient means of sending e-mail without having to open another program and manually enter the e-mail address. However, with this added functionality comes some potential risk. Users may experience unexpected behavior or functionality if one of these associated programs is changed from the organization's standard application. Group Policy can be used to enforce settings for this list of programs, providing a level of assurance that an unwanted program won’t be launched.

Add-ons

Add-ons are small programs designed to perform specific functions and can be loaded on demand by a Web page. Toolbars and Browser Helper Objects (BHOs) are other kinds of programs that install extra buttons and features to extend functionality from within the browser. Microsoft recommends that organizations define a list of acceptable toolbars and BHOs, and use Group Policy to enforce those settings.

Many developers use the ActiveX platform to build tools to increase productivity or enhance functionality. Microsoft encourages the development community to continue offering these add-ons, but recognizes the need to deploy add-ons from trusted sources. Internet Explorer 6 offers Authenticode to validate the authenticity of an add-on through digital signatures. Microsoft recommends organizations only permit signed add-ons in the Internet zone. Sites in the Local intranet zone may not require Authenticode signing, because those add-ons are likely to be developed by trusted internal developers.

Configuring Group Policy for Internet Explorer 6

All Internet Explorer 6 security features can be configured and secured by Group Policy. There are a large number of GPO–based security settings to manage various IE components, so for the purposes of this document we have focused on the four primary branches (a, b, c, and d in the following procedure). The Group Policy Object Editor provides details about the ramifications of all the settings under the four branches. Read each description carefully and test the effectiveness of the desired settings before implementation.

  1. Open the Group Policy Management Console.

  2. Create a new Group Policy object (GPO); for example, Internet Explorer 6.

  3. Internet Explorer policies are contained within the following four branches of the policy tree in the Group Policy Object Editor. Configure each policy object in all four branches to match your organizational requirements.

    1. Computer Configuration, Administrative Templates, Windows Components, Internet Explorer

      Within this branch are extra security policies to lock down security settings beyond what is already available within the browser itself. One of the more useful policies is Security Zones: Do not allow users to change policies. This policy is disabled by default in the GPO. When enabled, it blocks the user from changing any of the security settings within the browser settings. Microsoft recommends setting this to Enabled. Even local Administrators cannot change these settings once they are configured by Group Policy. There are a handful of other policies that can be enabled; some are for security and others are not. Read the descriptions carefully before enabling them.

    2. Computer Configuration, Administrative Templates, System, Internet Communication Settings

      This branch is specifically for Windows XP SP2. It contains 20 new policies ranging from Web publishing features to multimedia support. One policy, Turn off Internet File Association service, keeps the browser from opening applications associated with file extensions when content is downloaded from a Web site. This function is similar to the operating system automatically opening Notepad.exe for files with the .txt file name extension. Another policy, Turn off printing over HTTP, is designed to restrict a user from printing over the Internet/intranet using HTTP. This policy does not affect their ability to host an HTTP printer of their own. Read the descriptions carefully before enabling.

    3. User Configuration, Windows Settings, Internet Explorer Maintenance, Security, Programs

      These two sections contain settings/policies that affect the security of the browser. Both sections contain user-level settings that are found within the individual browser security/privacy settings. Using the minimum Microsoft defaults is recommended, but configurations should be set to meet organizational requirements.

      Note   Sites can be added to all the zones except the Internet. Pick sites to be added to Local Intranet, Trusted, and Restricted zones carefully, because they apply to all workstations and servers linked with the GPO.

    4. User Configuration, Administrative Templates, Windows Components, Internet Explorer

      This branch contains detailed settings for restricting specific browser settings changes, instead of completely restricting users from making any changes. These settings apply to changes for items such as Temporary Internet File controls and changing the home page. This branch contains many setting options, and Microsoft recommends that administrators read and test their effects before using them in a production environment.

  4. When you are done with the policy editor, link the new GPO to all your domains with Windows workstations and servers.

  5. Configure Security Filtering for the GPO according to the groups, users, and computers that should be affected by this GPO. Some policies are designed for computers and others only apply to users.
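After the GPO is linked and filtered, the effective zone settings on a workstation should be checked against Table 3, and the Security Zones: Do not allow users to change policies lockdown from branch 1 should be confirmed, since without it users can undo the zone settings. The PowerShell script below is an added example (not part of the Microsoft article) that does both. It assumes the well-known Internet Settings registry layout: zone numbers 1 (Local intranet), 2 (Trusted sites), 3 (Internet) and 4 (Restricted sites); action codes 1001 (Download signed ActiveX controls), 1803 (File download), 1809 (Use Pop-up Blocker) and 2201 (Automatic prompting for ActiveX controls) with data 0 = Enabled, 1 = Prompt, 3 = Disabled; and Security_options_edit as the value the lockdown policy writes. These codes and names are assumptions, not taken from the article.

```powershell
# Added example, not from the Microsoft article: compare the Internet Explorer zone settings a
# user is actually running with against Table 3, then confirm the "Security Zones: Do not allow
# users to change policies" lockdown is in force.
# Assumptions: zone numbers, action codes and value names below follow the well-known Internet
# Settings registry layout (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted
# sites; data 0 = Enabled, 1 = Prompt, 3 = Disabled); they are assumed, not from the article.
$PolicyRoot = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$UserRoot   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$Actions  = @{ '1809' = 'Use Pop-up Blocker'; '2201' = 'Automatic prompting for ActiveX controls';
               '1001' = 'Download signed ActiveX controls'; '1803' = 'File download' }
$Meaning  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$ZoneName = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Table 3, expressed as zone -> action code -> expected setting.
$Table3 = @{
    3 = @{ '1809'='Enabled';  '2201'='Disabled'; '1001'='Prompt';   '1803'='Enabled'  }   # Internet
    1 = @{ '1809'='Disabled'; '2201'='Enabled';  '1001'='Prompt';   '1803'='Enabled'  }   # Local intranet
    2 = @{ '1809'='Disabled'; '2201'='Enabled';  '1001'='Enabled';  '1803'='Enabled'  }   # Trusted sites
    4 = @{ '1809'='Enabled';  '2201'='Disabled'; '1001'='Disabled'; '1803'='Disabled' }   # Restricted sites
}

function Get-ZoneAction([int]$Zone, [string]$Code) {
    # A policy-enforced value wins (HKLM policy, then HKCU policy); otherwise the user's own setting.
    foreach ($path in "HKLM:\$PolicyRoot\Zones\$Zone", "HKCU:\$PolicyRoot\Zones\$Zone", "HKCU:\$UserRoot\Zones\$Zone") {
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $Code -ErrorAction SilentlyContinue
            if ($null -ne $item) { return [int]$item.$Code }
        }
    }
    return $null
}

$Report = foreach ($zone in 3, 1, 2, 4) {
    foreach ($code in $Table3[$zone].Keys) {
        $raw    = Get-ZoneAction $zone $code
        $actual = if ($null -eq $raw) { 'Not set' }
                  elseif ($Meaning.ContainsKey($raw)) { $Meaning[$raw] }
                  else { "Unknown ($raw)" }
        New-Object PSObject -Property @{
            Zone     = $ZoneName[$zone]
            Setting  = $Actions[$code]
            Expected = $Table3[$zone][$code]
            Actual   = $actual
            Status   = if ($actual -eq $Table3[$zone][$code]) { 'OK' } else { 'REVIEW' }
        }
    }
}
$Report | Sort-Object Zone, Setting | Format-Table Zone, Setting, Expected, Actual, Status -AutoSize

# Lockdown check: Security_options_edit = 1 is what "Do not allow users to change policies"
# writes (assumed value name). Without it, a user can quietly revert every row above.
$lock = Get-ItemProperty -Path "HKLM:\$PolicyRoot" -Name 'Security_options_edit' -ErrorAction SilentlyContinue
if ($lock -and $lock.Security_options_edit -eq 1) { 'Zone settings locked against user changes: yes' }
else { 'Zone settings locked against user changes: NO (users can change them)' }
```

Run it in the context of a user the GPO is filtered to; rows marked REVIEW show where the workstation differs from Table 3, and the final line tells you whether those differences could have been introduced by the user.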

Applying New Configurations with GPUpdate

The GPUpdate utility refreshes Active Directory–based Group Policy settings. After configuring Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of plus or minus 30 minutes. This procedure can help make testing policy pushes to workstations faster.

To refresh Group Policy between standard cycles, use the GPUpdate utility as follows:

  1. From the Windows XP SP2 desktop, click Start, and then click Run.

  2. In the Open box, type cmd and then click OK. A command prompt window will display.

  3. At the command prompt, type GPUpdate and then press ENTER. You should see the message shown in the following screen shot:

    [Screen shot XPNPT01.GIF: GPUpdate output at the command prompt]

    To close the command prompt, type exit and then press the ENTER key.

Related Information

For definitions of security-related terms, see the following:

For more information about Windows XP SP2 network protection, see the following:

For more information about Windows XP SP2 security, see the following:

For more information about Group Policy, see the following:
