How to Configure Windows XP SP2 Network Protection Technologies in an Active Directory Environment
On This Page
Introduction
Before You Begin
Adding Hotfixes to Management Workstations and Windows Small Business Server 2003
Updating Existing Group Policy Objects
Configuring Security Center Settings
Configuring Windows Firewall Settings
Configuring Internet Explorer Security Settings
Configuring Internet Communication Management Settings
Configuring DCOM Access Settings
Configuring RPC Settings
Related Information
Introduction
Group Policy settings are applied based on your organization's implementation of Microsoft Active Directory, and they help protect your computer environment with standard configuration settings across categories of users and computers. New Group Policy network protection settings for Microsoft Windows XP Service Pack 2 (SP2) include:
Windows Firewall. Configure these policy settings to turn the firewall on or off, manage program and port exceptions, and define exceptions for specific scenarios such as to allow remote administration on target computers.
Internet Explorer. With these new policy settings, you can configure Microsoft Internet Explorer security settings. Furthermore, with policy settings, you can enable or disable Internet Explorer security features for various processes.
Internet Communication Management. You can configure these settings to control how various components in Windows XP SP2 communicate over the Internet for tasks that involve exchange of information between computers in an organization and the Internet.
DCOM Security. You configure these settings to control security settings for Distributed Component Object Model (DCOM). The DCOM infrastructure includes new access control restrictions to help minimize the security risks posed by network attacks.
SecurityCenter. You configure these settings to centrally administer Windows Security Center. Security Center is a new feature in Windows XP SP2 that allows you to monitor computers in your organization to ensure that they comply with the latest security updates and to provide user alerts if a computer poses a security risk.
Remote Procedure Call (RPC). You can configure the RPC policy settings to block remote anonymous access to RPC interfaces on the system, and to prevent anonymous access to the RPC Endpoint Mapper interface.
This document explains how to deploy the network protection Group Policy settings to help to secure Windows XP SP2 client computers.
For a complete list of recommended settings, see the following:
- "Windows XP Security Guide Appendix A: Additional Guidance for Windows XP Service Pack 2" on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?linkid=35465
You perform tasks on Group Policy objects (GPOs) in an Active Directory domain. Some of these tasks can be run from a domain controller but usually they are performed on a Windows XP SP2 client computer that contains Active Directory management tools.
Note: For more information about how to deploy GPOs, see the following:
- "Designing a Managed Environment: Staging Group Policy Deployments" on the Microsoft Windows Server System Web site at https://go.microsoft.com/fwlink/?linkid=35498
To configure network protection in an Active Directory environment, you perform these tasks:
Add hotfixes to management workstations
Update Existing GPOs
Configure Security Center settings
Configure Windows Firewall settings
Configure Internet Explorer settings
Configure Internet Communication Management settings
Configure DCOM Security settings
Configure RPC settings
IMPORTANT: The instructions in this document were developed with the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.
For definitions of security-related terms, see the following:
- "Microsoft Security Glossary" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=35468
Before You Begin
Windows XP SP2 can be used as a Windows domain client in an Active Directory domain using domain controllers running any editions of:
Microsoft Windows Server 2003
Microsoft Windows Small Business Server 2003
Microsoft Windows 2000 Server SP3 or later
Before you install hotfixes, make sure that you have backed up your computer, including a backup of the registry.
For more information on how to back up the registry, see the following:
- Microsoft Knowledge Base article 322756 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=36365
Adding Hotfixes to Management Workstations and Windows Small Business Server 2003
If you manage Group Policy Object settings on computers that run earlier operating systems or service packs (for example, Windows XP with SP1 or Windows Server 2003), you must install a hotfix (KB842933) so policy settings appear correctly in the Group Policy Object Editor.
If you are using Small Business Server 2003 (SBS 2003), an additional hotfix (KB872769) must be applied, because by default SBS 2003 turns off the Windows Firewall. The hotfix resolves this issue.
Note: The hotfixes listed are not included as part of Windows Update and you must install them separately. The hotfixes must be applied to all affected systems individually.
KB842933 applies to the following:
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Standard Edition
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, 64-Bit Enterprise Edition
Microsoft Windows XP Professional SP1
Microsoft Windows Small Business Server 2003, Premium Edition
Microsoft Windows Small Business Server 2003, Standard Edition
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional
KB872769 applies to the following:
Microsoft Windows Small Business Server 2003, Standard Edition
Microsoft Windows Small Business Server 2003, Premium Edition
Note: To obtain these hotfixes and for more information, see the following:
Microsoft Knowledge Base Article 842933 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=35474
Microsoft Knowledge Base Article 872769 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=35477
Requirements to perform this task
Credentials: You must log on to the client computer as a member of the Domain Administrators security group or Local Administrators security group.
Tools: The appropriate downloaded hotfix for your operating system as explained in the Knowledge Base articles 842933 and 872769.
Adding Hotfix 842933 to Windows Small Business Server 2003, Windows 2000 Server SP3 or later, Windows XP SP1, or Windows Server 2003
To add the hotfix
From the Windows desktop, click Start, click Run, type the path and filename of the downloaded hotfix, and then click OK.
On the Welcome to KB842933 Setup Wizard page, click Next.
On the License page, click I Agree, and then click Next.
On the Completing the KB842933 Setup Wizard page, to finish the hotfix installation and restart the computer, click Finish.
Repeat the above steps for all systems where it applies (servers and management workstations).
Adding Hotfix 872769 to Windows Small Business Server 2003
To add the hotfix
From the Windows desktop, click Start, click Run, type the path and filename of the downloaded 872769 hotfix, and then click OK.
On the Welcome to KB872769 Setup Wizard page, click Next.
On the License page, click I Agree, and then click Next.
On the Completing the KB872769 Setup Wizard page, to finish the hotfix installation and restart the computer, click Finish.
Updating Existing Group Policy Objects
Windows XP SP2 adds additional settings in the administrative templates. To configure these new settings, each GPO must be updated with the new administrative templates found in Windows XP SP2. Unless the Group Policy Objects are updated, settings related to the Windows Firewall will not be available.
You can update GPOs with the Microsoft Management Console (MMC) with the Group Policy Object Editor Snap-in installed on a computer with Windows XP SP2 installed.
After a GPO has been updated, you can configure the network protection settings that are appropriate for your computers running Windows XP SP2.
Requirements to perform this task
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins, or the Group Policy Creator/Owner security group.
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Updating Group Policy Objects
To update Group Policy objects
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
On the Standalone tab, click Add.
In the Available Standalone Snap-ins list, click Group Policy Object Editor, and click Add.
In the Select Group Policy Object dialog box, click Browse.
Figure 1 Browse for a Group Policy Object
In the Browse for a Group Policy Object dialog box, select the Group Policy object that you want to update with the new Windows Firewall settings.
Click OK, and then click Finish to close the Group Policy Wizard.
This applies the new administrative template to the selected GPO.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
Close the MMC: on the File menu, click Exit, and do not save changes to the console settings.
Note: Although you do not save console changes, the above procedure imports the new administrative templates from Windows XP SP2 into the GPO. The templates must be imported into each defined GPO.
Repeat the steps for every GPO that is being used to apply Group Policy to computers that have Windows XP SP2 installed.
Note: To update your GPOs for network environments that use Active Directory and Windows XP SP1, Microsoft recommends that you use the Group Policy Management Console, a free download. For more information, see the following:
- "Enterprise Management with the Group Policy Management Console" on the Microsoft Windows Server System Web site at https://go.microsoft.com/fwlink/?linkid=35479
Configuring Security Center Settings
The Security Center is a new service in Windows XP SP2 that provides a central location to change security settings, learn more about security, and ensure that users’ computers are up-to-date with the essential security settings that are recommended by Microsoft.
In a Windows domain environment, you can use Group Policy to enable the Security Center to monitor users’ computers to help ensure that they have the latest security updates and to notify users if their computers may be at risk.
The Security Center service runs as a background process and checks the state of the following components on the user’s computer:
Firewall. The Security Center checks whether Windows Firewall is on or off and also checks for the presence of some other software firewalls. To check for other firewalls, Security Center queries for specific Windows Management Instrumentation (WMI) providers, which have been made available by participating vendors.
Virus protection. The Security Center checks for the presence of antivirus software. To check for the presence of antivirus software, Security Center queries for specific WMI providers that are made available by participating vendors. If the information is available, the Security Center service also determines whether the software is up to date and whether a real-time scan is turned on.
Automatic Updates. The Security Center checks to ensure that Automatic Updates is set to the recommended setting, which automatically downloads and installs critical updates to the user’s computer. If Automatic Updates is turned off or is not set to the recommended settings, the Security Center provides appropriate recommendations.
If a component is found to be missing or out of compliance with your security policy, the Security Center alerts you with a red icon in the notification area of your taskbar and by providing an alert message at logon. This message contains links to open the Security Center user interface, which provides information about the problem and recommendations for fixing it.
If you run firewall or antivirus software that is not detected by Security Center, you can set the Security Center to bypass alerting for that component.
You can use a Group Policy setting to centrally manage the Security Center feature for computers in a Windows domain.
If you enable the Turn on Security Center (Domain PCs only) policy setting, Security Center monitors essential security settings (firewall, antivirus, and automatic updates), and notifies users when their computers might be at risk. By default, the Turn on Security Center (Domain PCs only) policy setting is not enabled, which means it is turned off. When the Security Center is turned off, neither the notifications nor the Security Center status section are displayed.
Requirements to perform this task
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Configuring the Security Center Settings
Use this setting to allow users of computers that run Windows XP SP2 to use the Security Center for alerts about firewalls, antivirus software, and automatic updates.
To configure the SecurityCenter settings
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
On the Standalone tab, click Add.
In the Available Standalone Snap-ins list, locate then click Group Policy Object Editor, and click Add.
In the Select Group Policy Object dialog box, click Browse.
Select the Group Policy Object you want to configure from the list. Click OK, then click Finish to close the Group Policy Wizard.
Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
In the console tree, open Computer Configuration, Administrative Templates, Windows Components, and then Security Center.
Figure 2 SecurityCenter settings
Double-click Turn on SecurityCenter (Domain PCs only), click Enabled, and then click OK.
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
From the Windows XP desktop, click Start, and then click Run.
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
- Microsoft Knowledge Base article 298444 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=35504
At the command prompt, type GPUpdate, and then press ENTER.
Figure 3 GPUpdate on a command line
To close the command prompt, type Exit and press ENTER.
Verifying Security Center Settings Are Applied
To verify SecurityCenter settings are applied
From the Windows XP desktop, click Start, and then click Control Panel.
Under Pick a category, click SecurityCenter.
Verify that Security Center starts.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
- "Troubleshooting Group Policy in Windows Server 2003" on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?linkid=35481
Configuring Windows Firewall Settings
There are three sets of Windows Firewall settings to configure:
Allow authenticated IPSec bypass. This setting is used when an organization uses Internet Protocol Security (IPSec) to protect traffic and enables the Windows Firewall.
Domain profile. These settings are used by computers when they are connected to a network that contains domain controllers for the domain of which the computers are a member.
Standard profile. These settings are used by computers when they are not connected to your network, for example, when you travel with a laptop computer.
If you do not configure standard profile settings, the default values remain unchanged. Microsoft recommends that you configure both domain and standard profile settings and that you enable the Windows Firewall for both profiles. The only exception is if you are already using a third-party host firewall product.
If you already use a third-party host firewall product, then Microsoft recommends that you disable Windows Firewall.
If you decide to disable Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP SP2, Windows XP SP1, and Windows XP with no service packs installed, then you should configure these Group Policy settings:
Prohibit use of Internet Connection Firewall on your DNS domain network set to Enabled
Domain profile – Windows Firewall: Protect all network connections set to Disabled
Standard profile – Windows Firewall: Protect all network connections set to Disabled
Note: This standard profile setting ensures that Windows Firewall is not used, whether the computers are connected to your organization network or not. To ensure that Windows Firewall is not used on your organization network, but is used when the computers are not connected to the network, change this setting to Enabled.
The standard profile settings are typically more restrictive than the domain profile, because the standard profile settings do not include applications and services that are only used in a managed domain environment.
In a GPO, both the domain profile and standard profile contain the same set of Windows Firewall settings. Windows XP SP2 relies on network determination to apply the correct profile.
Note: For more information about network determination, see the following:
- "Network Determination Behavior for Network-Related Group Policy Settings" on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?linkid=35480
This section describes the possible Windows Firewall settings in a GPO and the recommended settings for an enterprise environment and demonstrates how to enable four types of settings.
Requirements to perform this task
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object that you modified in the previous task.
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Note: To open a GPO you use either an MMC with the Group Policy Object Editor snap-in included, or the Active Directory Users and Computers console. To use the Active Directory Users and Computers console on a Windows XP client computer, you must run adminpak.msi from the Windows Server 2003 CD.
Configuring Windows Firewall Settings using Group Policy
You use the Group Policy Object Editor snap-in or Active Directory Users and Computers to modify the Windows Firewall settings in the appropriate GPOs.
After you have configured the Windows Firewall settings, the next refresh of Computer Configuration Group Policy downloads the new Windows Firewall settings and applies them to computers running Windows XP SP2.
To configure Windows Firewall settings
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
On the Standalone tab, click Add.
In the Available Standalone Snap-ins list, locate then click Group Policy Object Editor, and click Add.
In the Select Group Policy Object dialog box, click Browse.
Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.
Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall.
Figure 4 Windows Firewall options in a Group Policy
Double-click Windows Firewall: Allow authenticated IPSec bypass.
Figure 5 Allow authenticated IPSec bypass
Table 1 summarizes the Allow authenticated IPSec bypass options.
Table 1 Allow authenticated IPSec bypass settings for an enterprise
| Setting | Description | Notes |
|---|---|---|
| Not Configured | This GPO will not change the current configuration of Windows Firewall. | |
| Enabled | Windows Firewall does not process IPSec-secured traffic except from users or groups listed in the policy. | The syntax to list users and groups uses the SDDL standard. For more information, see "Security Descriptor Definition Language" on the MSDN Web site at https://go.microsoft.com/fwlink/?linkid=35503 |
| Disabled | Windows Firewall processes IPSec-secured traffic. | |
Use the information in table 1 and click either Enabled or Disabled.
Note: If you click Enabled, you can create a list of users or groups that are allowed to send IPSec secured traffic to your computer.
Click OK.
Select either Domain Profile or Standard Profile.
Figure 6 Windows Firewall settings in a Group Policy
Table 2 summarizes the Windows Firewall Group Policy recommended settings for the domain and standard profiles.
Table 2 Windows Firewall recommended settings for an enterprise
| Setting | Description | Domain Profile | Standard Profile |
|---|---|---|---|
| Protect all network connections | Specifies that all network connections have Windows Firewall enabled | Enabled | Enabled |
| Do not allow exceptions | Specifies that all unsolicited incoming traffic is dropped, which includes excepted traffic | Not configured | Enabled, unless you must configure program exceptions |
| Define program exceptions | Defines excepted traffic in terms of program file names | Enabled and configured with the programs (applications and services) used by the computers running Windows XP with SP2 on your network | Enabled and configured with the programs (applications and services) used by the computers running Windows XP with SP2 on your network |
| Allow local program exceptions | Allows local configuration of program exceptions | Disabled, unless you want local administrators to configure program exceptions locally | Disabled |
| Allow remote administration exception | Allows remote configuration using tools | Disabled, unless you want to be able to remotely administer your computers with MMC snap-ins | Disabled |
| Allow file and print sharing exception | Specifies whether file and printer sharing traffic is allowed | Disabled, unless the computers that run Windows XP SP2 share local resources | Disabled |
| Allow ICMP exceptions | Specifies the types of ICMP messages that are allowed | Disabled, unless you wish to use the ping command to troubleshoot | Disabled |
| Allow Remote Desktop exception | Specifies whether the computer can accept a Remote Desktop-based connection request | Enabled | Enabled |
| Allow UPnP framework exception | Specifies whether the computer can receive unsolicited UPnP messages | Disabled | Disabled |
| Prohibit notifications | Disables notifications | Disabled | Disabled |
| Allow logging | Allows you to log traffic and configure log file settings | Not configured | Not configured |
| Prohibit unicast response to multicast or broadcast requests | Discards the unicast packets received in response to a multicast or broadcast request message | Enabled | Enabled |
| Define port exceptions | Specifies excepted traffic in terms of TCP and UDP ports | Disabled | Disabled |
| Allow local port exceptions | Allows local configuration of port exceptions | Disabled | Disabled |
Enabling Exceptions for Ports
To enable exceptions for ports
In either the Domain Profile or Standard Profile settings area, double-click Windows Firewall: Define port exceptions.
Figure 7 Windows Firewall: Define port exceptions Properties
Click Enabled, and then click Show.
Figure 8 Show Contents
Click Add.
Figure 9 Add Item
Type the port information that you want to block or enable with this syntax:
port:transport:scope:status:name
Where port is the port number, transport is TCP or UDP, scope is either * (for all systems) or a list of the computers that are allowed to access the port, status is either enabled or disabled, and name is a text string used as a label for this entry.
When using scope, host names, Domain Name System (DNS) names, or DNS suffixes are not supported. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24).
For more information on TCP/IP addressing and subnetting, see the following:
- Microsoft Knowledge Base article 164015 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=36370
Note: If you have any spaces between the entries in the list of sources or any other invalid characters, the scope is ignored and the setting behaves as if it were disabled. Please double-check your scope syntax before saving changes.
This example uses a port exception named WebTest and enables TCP port 80 for all connections.
Click OK to close Add Item.
Figure 10 Show Contents
Click OK to close Show Contents.
Click Close to close Windows Firewall: Define port exceptions Properties.
Note: When Do not allow exceptions is selected, any Port Exceptions are ignored.
Enabling Exceptions for Programs
To enable exceptions for programs
In either the Domain Profile or Standard Profile settings area, double-click Windows Firewall: Define program exceptions.
Figure 11 Windows Firewall: Define program exceptions Properties
Click Enabled, and then click Show.
Figure 12 Show Contents
Click Add.
Figure 13 Add Item
Type the program information that you want to block or enable, with this syntax:
path:scope:status:name
Where path is the program path and file name, scope is either * (for all systems) or a list of the computers that are allowed to access the program, status is either enabled or disabled, and name is a text string used as a label for this entry.
This example enables Windows Messenger for all connections.
For more information on TCP/IP addressing and subnetting, see the following:
- Microsoft Knowledge Base article 164015 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=36370
Click OK to close Add Item.
Figure 14 Show Contents
Click OK to close Show Contents.
Click Close to close Windows Firewall: Define program exceptions Properties.
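Both the port exception syntax (port:transport:scope:status:name) and the program exception syntax (path:scope:status:name) share the scope rules given above, and the note about stray spaces means a typo silently disables an entry rather than producing an error in the editor. As an added example that is not part of the original article, the following Python checks a list of entries against those rules before they are typed into the Show Contents dialog: it accepts * or a comma-separated list of IPv4 addresses and ranges in either dotted-mask or prefix-length form, rejects host names and whitespace, and validates the port, transport and status fields. The WebTest entry is the article's own example; the other sample entries, including the Windows Messenger path, are constructed.

```python
"""Validator for Windows Firewall Group Policy exception entries (added example).

Entry formats from the article:
    port:transport:scope:status:name     (Define port exceptions)
    path:scope:status:name               (Define program exceptions)
Scope: '*' or a comma-separated list of IPv4 addresses/ranges written with a
dotted-decimal mask or a prefix length. Host names, DNS names and DNS suffixes are
not supported; any space or other invalid character disables the whole entry.
"""
import ipaddress
import re

VALID_TRANSPORTS = {"TCP", "UDP"}
VALID_STATUS = {"enabled", "disabled"}

# One IPv4 address, optionally followed by /dotted-mask or /prefix-length.
_SCOPE_ITEM = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,3}(?:\.\d{1,3}){3}|\d{1,2}))?$"
)


def validate_scope(scope):
    """Return a list of problems with a scope string; an empty list means valid."""
    if scope == "*":
        return []
    if any(ch.isspace() for ch in scope):
        # The article warns that a stray space makes the entry behave as disabled.
        return ["scope contains whitespace; the setting would behave as if disabled"]
    problems = []
    for item in scope.split(","):
        match = _SCOPE_ITEM.match(item)
        if not match:
            problems.append(f"scope item {item!r} is not an IPv4 address or range "
                            "(host names and DNS names are not supported)")
            continue
        addr, mask = match.group(1), match.group(2)
        try:
            ipaddress.IPv4Address(addr)
            if mask is not None:
                # strict=False accepts a host address inside the range (10.47.81.231/24)
                # as well as the network ID (10.47.81.0/24); the article allows both.
                ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        except ValueError as exc:
            problems.append(f"scope item {item!r}: {exc}")
    return problems


def parse_port_exception(entry):
    """Parse 'port:transport:scope:status:name'; raise ValueError on any defect."""
    fields = entry.split(":", 4)
    if len(fields) != 5:
        raise ValueError("expected port:transport:scope:status:name")
    port, transport, scope, status, name = fields
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port must be 1-65535, got {port!r}")
    if transport.upper() not in VALID_TRANSPORTS:
        raise ValueError(f"transport must be TCP or UDP, got {transport!r}")
    if status.lower() not in VALID_STATUS:
        raise ValueError(f"status must be enabled or disabled, got {status!r}")
    problems = validate_scope(scope)
    if problems:
        raise ValueError("; ".join(problems))
    return {"port": int(port), "transport": transport.upper(), "scope": scope,
            "status": status.lower(), "name": name}


def parse_program_exception(entry):
    """Parse 'path:scope:status:name'.

    The path normally contains a drive-letter colon (C:\\...), so the entry is
    split from the right; this assumes the label (name) contains no colon.
    """
    fields = entry.rsplit(":", 3)
    if len(fields) != 4 or not fields[0]:
        raise ValueError("expected path:scope:status:name")
    path, scope, status, name = fields
    if status.lower() not in VALID_STATUS:
        raise ValueError(f"status must be enabled or disabled, got {status!r}")
    problems = validate_scope(scope)
    if problems:
        raise ValueError("; ".join(problems))
    return {"path": path, "scope": scope, "status": status.lower(), "name": name}


def lint_entries(port_entries, program_entries):
    """Check every entry before it goes into the GPO; return {entry: error_or_None}."""
    report = {}
    for parser, entries in ((parse_port_exception, port_entries),
                            (parse_program_exception, program_entries)):
        for entry in entries:
            try:
                parser(entry)
                report[entry] = None
            except ValueError as exc:
                report[entry] = str(exc)
    return report


# Constructed sample entries: the article's WebTest example plus deliberately broken ones.
SAMPLE_PORT_ENTRIES = [
    "80:TCP:*:enabled:WebTest",
    "3389:TCP:10.47.81.0/255.255.255.0,10.47.81.231/24:enabled:RemoteDesktopSubnet",
    "445:TCP:10.47.81.0/24, 192.168.1.5:enabled:HasStraySpace",
    "8080:TCP:fileserver.corp.example:enabled:HostNameNotSupported",
]
# Constructed sample; the article does not give the Windows Messenger path.
SAMPLE_PROGRAM_ENTRIES = [r"C:\Program Files\Messenger\msmsgs.exe:*:enabled:Windows Messenger"]

if __name__ == "__main__":
    for entry, error in lint_entries(SAMPLE_PORT_ENTRIES, SAMPLE_PROGRAM_ENTRIES).items():
        print("OK " if error is None else "BAD", entry, "" if error is None else f"-> {error}")
```

Running the script prints one line per entry; the two entries with a stray space and a host name are reported as BAD with the reason, which is exactly the class of mistake the Group Policy editor accepts without complaint.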
Configuring Basic ICMP Options
For information on ICMP, see the following:
- "Internet Control Message Protocol (ICMP)" on the Microsoft Windows XP Web site at https://go.microsoft.com/fwlink/?linkid=35499
To configure basic ICMP options
In either the Domain or Standard Profile settings area, double-click Windows Firewall: Allow ICMP exceptions.
Click Enabled.
Figure 15 Windows Firewall: Allow ICMP exceptions Properties
Select the appropriate ICMP exception(s) to enable. This example selects Allow inbound echo request.
Click OK to close Windows Firewall: Allow ICMP exceptions Properties.
Logging Dropped Packets and Successful Connections
To log dropped packets and successful connections
In either the Domain or Standard Profile settings area, double-click Windows Firewall: Allow Logging.
Figure 16 Windows Firewall: Allow logging Properties
Click Enabled, select Log dropped packets and Log successful connections, type a log file path and name, and then click OK.
Note: The location that you save your log file to must be secured to prevent deletion or any tampering with the log.
Close Group Policy Editor.
If prompted to save console settings, click No.
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
From the Windows XP desktop, click Start, and then click Run.
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
- Microsoft Knowledge Base article 298444 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=35504
At the command prompt, type GPUpdate, and then press ENTER.
Figure 17 GPUpdate on a command line
To close the command prompt, type Exit and press ENTER.
Verifying Windows Firewall Settings Are Applied
Note: When you use Group Policy to configure Windows Firewall, the settings might not allow local administrators to change some elements of the configuration. Some tabs and options in the Windows Firewall dialog box are unavailable on users' local computers.
To verify Windows Firewall settings are applied
From SecurityCenter, under Manage security settings for, click Windows Firewall.
Click the General, Exceptions, and Advanced tabs, and verify that the desired configuration is applied to Windows Firewall on the computer and then click OK to close Windows Firewall.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
- "Troubleshooting Group Policy in Windows Server 2003" on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?linkid=35481
Configuring Internet Explorer Security Settings
For Windows XP SP2, you can manage all Internet Explorer security settings for both computer and user configurations with new Group Policy settings.
Windows XP SP2 uses two primary areas of policy settings:
Security Features
URL Actions
Security Features policy settings allow you to manage specific scenarios that might affect the security of Internet Explorer. In most cases, you will want to prevent specific behavior; therefore you must ensure that the security feature is enabled. For example, malicious code that runs in the Local Machine zone instead of the Internet zone might attempt to elevate its own permissions. To help prevent such attacks, you can use the Protection from Zone Elevation policy setting.
For each of the Security Features policy settings, you can specify policy settings that control the behavior of the security features, by:
Internet Explorer processes
A list of defined processes
All processes regardless of where they are initiated from
A Uniform Resource Locator (URL) Action refers to an action that a browser can take that might pose a security risk to the local computer, such as an attempt to run a Java applet or an ActiveX control. URL Actions correspond to security settings in the registry that identify the action to take for that feature in the security zone where the URL resides. URL Action settings include enable, disable, prompt, and others as appropriate.
To provide security management of URL Actions in Internet Explorer, you use the new Security Page Group Policy settings under Internet Control Panel. By using Group Policy to control security for URL Actions, you can create standard Internet Explorer configurations for all users and computers in your organization.
To provide security, you can enable policies for all URL zones with the security zone template policy settings. For each of the URL Action template policy settings, you can specify one of the following security levels:
Low. This is typically used for URL security zones that contain Web sites that are fully trusted by the user. This is the default security level for the Trusted Sites zone.
Medium-low. This might be used for URL security zones that contain Web sites that are unlikely to cause damage to your computer or data. This is the default security level for the Intranet zone.
Medium. This might be used for URL security zones that contain Web sites that are neither trusted nor untrusted. This is the default security level for the Internet zone.
High. This is used for URL security zones that contain Web sites that could potentially cause damage to users' computers or data. This is the default security level for the Restricted Sites zone.
For more information about Security Features controls, see the following:
- "Changes in Functionality in Microsoft Windows XP Service Pack 2" on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?linkid=35487
Requirements to perform this task
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Configuring Internet Explorer Security Settings
To configure Internet Explorer settings
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
On the Standalone tab, click Add.
In the Available Standalone Snap-ins list, locate and then click Group Policy Object Editor, and then click Add.
In the Select Group Policy Object dialog box, click Browse.
Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.
Click Close to exit the Add Standalone Snap-in dialog box, and then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
In the console tree, open Computer Configuration, Administrative Templates, Windows Components, Internet Explorer, and then Security Features.
Figure 18 Internet Explorer Group Policy security settings
Use the information in table 3 to configure the Internet Explorer Security settings.
Table 3 Internet Explorer Security Features settings
| Setting | Description | Default Configuration | Recommended Configuration for an Enterprise Environment |
|---|---|---|---|
| Binary Behavior Security Restriction Policy | Controls whether the Binary Behavior Security Restriction setting is prevented or allowed | Not configured | Add any approved behaviors for your organization to the Admin-Approved behaviors list in the #package#behavior notation |
| MK Protocol Security Restriction | Reduces attack surface area by preventing the MK protocol | Not configured | Enabled for all processes |
| Local Machine Zone Lockdown Security | Helps to mitigate attacks that use the Local Machine zone to load malicious HTML code | Not configured | Enabled for all processes |
| Consistent MIME Handling | Determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent | Not configured | Enabled for all processes |
| MIME Sniffing Safety Feature | Determines whether Internet Explorer MIME sniffing prevents promotion of a file of one type to a more dangerous file type | Not configured | Enabled for all processes |
| Object Caching Protection | Defines whether a reference to an object is accessible when the user navigates within the same domain or to a new domain | Not configured | Enabled for all processes |
| Scripted Windows Security Restrictions | Restricts pop-up windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user, or that obscure the title and status bars of other windows | Not configured | Enabled for all processes |
| Protection from Zone Elevation | Helps protect the Local Machine security zone | Not configured | Enabled for all processes |
| Information Bar | Manages whether the Information Bar is displayed for Internet Explorer processes when file or code installs are restricted | Not configured | Enabled for all processes |
| Restrict ActiveX Install | Allows you to block ActiveX control installation prompts for Internet Explorer processes | Not configured | Enabled for all processes |
| Restrict File Download | Allows you to block file download prompts that are not user initiated | Not configured | Enabled for all processes |
| Add-on Management | Allows you to ensure that any Internet Explorer add-ons that are not listed in the Add-on List policy setting are denied | Not configured | Enabled for all add-ons unless specifically allowed in the add-on list |
| Network Protocol Lockdown | Specifies a restricted protocol list for the Internet, intranet, trusted sites, restricted sites, and Local Machine security zones | Not configured | Enable specific protocols for each security zone |
Expand Internet Control Panel
Figure 19 Internet Control Panel settings
Enable each setting to prevent users from gaining access to the listed Internet Explorer configuration pages. To do this, double-click each setting, click Enabled, and then click OK.
Expand Security Page.
Figure 20 Internet Control Panel Security Page settings
There are two ways to configure Security zones; you can use templates or choose each setting per zone.
Either: Use the information in table 4 to configure each security zone by using Zone Templates. Double-click each template option, and then click Enabled.
Or: Use the information in table 5 to configure each security zone separately.
Table 4 Internet Control Panel zone template settings per Security Zone
| Setting | Recommended Configuration | Recommended Level |
|---|---|---|
| Internet Zone Template | Enabled | Medium |
| Intranet Zone Template | Enabled | Medium-Low |
| Trusted Sites Zone Template | Enabled | Low |
| Restricted Sites Zone Template | Enabled | High |
| Local Machine Zone Template | Enabled | Low |
| Locked-Down Local Machine Zone Template | Enabled | High |
Table 5 Internet Control Panel settings per-Security Zone
| Setting | Description | Default Configuration |
|---|---|---|
| Download signed ActiveX controls | Manages the download of signed ActiveX controls from the URL zone of the HTML page that contains the control. | Not configured |
| Download unsigned ActiveX controls | Manages the download of unsigned ActiveX controls from the URL zone of the HTML page that contains the control. | Not configured |
| Initialize and script ActiveX controls not marked as safe | Manages the execution of ActiveX controls and plug-ins from HTML pages in the zone. | Not configured |
| Run ActiveX controls and plug-ins | Determines if the ActiveX control object safety is overridden or enforced for pages in the URL security zone. Object safety should be overridden only if all ActiveX controls and scripts that might interact with them on pages in the zone can be trusted not to breach security. This is an aggregate of URLACTION_ACTIVEX_OVERRIDE_DATA_SAFETY and URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY. | Not configured |
| Allow active scripting | Determines if script code on the pages in the URL security zone is run or not. | Not configured |
| Scripting of Java applets | Determines whether or not script code on HTML pages in the URL security zone is allowed to use Java applets if the properties, methods, and events of the applet are exposed to scripts. | Not configured |
| Script ActiveX controls marked safe for scripting | Determines if scripts can be used for safe ActiveX controls. | Not configured |
| Access data sources across domains | Determines if the resource is allowed to access data sources across domains. | Not configured |
| Allow paste operations via script | Determines if scripts can do paste operations. | Not configured |
| Submit non-encrypted form data | Determines if HTML forms on pages in the URL security zone, or submitted to servers in the zone, are allowed. Aggregate of the URLACTION_HTML_SUBMIT_FORMS_FROM and URLACTION_HTML_SUBMIT_FORMS_TO flags. | Not configured |
| Allow font downloads | Determines if HTML font downloads are allowed. | Not configured |
| User data persistence | Determines if user data persistence is enabled. | Not configured |
| Navigate sub-frames across different domains | Determines if subframes are allowed to navigate across different domains. | Not configured |
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
From the Windows XP desktop, click Start, and then click Run.
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
- Microsoft Knowledge Base article 298444 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=35504
At the command prompt, type GPUpdate, and then press ENTER.
Figure 21 GPUpdate on a command line
To close the command prompt, type Exit and press ENTER.
Verifying Internet Explorer Security Settings Are Applied
Note: When you use Group Policy to configure Internet Explorer, the settings might not allow local administrators to change some elements of the configuration. Some tabs and options in the dialog boxes are unavailable on users' local computers.
Verifying Internet Explorer Security Settings Are Applied
To verify Internet Explorer settings are applied
From Security Center, under Manage security settings for, click Internet Options.
Click the Security, Privacy, and Advanced tabs, and verify that the desired configuration is applied to Internet Explorer on the computer and then click OK to close Internet Properties.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
- "Troubleshooting Group Policy in Windows Server 2003" on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?linkid=35481
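The verification procedure above checks the result through the Internet Properties dialog box. The following PowerShell script is an added example (it is not part of the original article) that performs the same check against the registry values the Group Policy settings in tables 3 and 5 write, so it can be run on many clients. It assumes the policy locations under HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl (one FEATURE_* subkey per Security Features setting, with a value named "*" set to 1 for "all processes") and HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone> (one value per URL action ID), and the mapping from table rows to FEATURE_* names and URL action IDs is taken from the Internet Explorer SDK rather than from this article; the expected states come from the tables.

```powershell
# Added example, not part of the original article: audit the registry values that the
# Internet Explorer Group Policy settings in Tables 3 and 5 write. Assumptions: the
# policy paths and FEATURE_* subkey names below, and the URL action IDs (urlmon.h);
# "recommended" means the Table 3 value "Enabled for all processes".

# Table 3 rows recommended "Enabled for all processes" -> FeatureControl subkey names
$SecurityFeatures = @{
    'MK Protocol Security Restriction'       = 'FEATURE_DISABLE_MK_PROTOCOL'
    'Local Machine Zone Lockdown Security'   = 'FEATURE_LOCALMACHINE_LOCKDOWN'
    'Consistent MIME Handling'               = 'FEATURE_MIME_HANDLING'
    'MIME Sniffing Safety Feature'           = 'FEATURE_MIME_SNIFFING'
    'Object Caching Protection'              = 'FEATURE_OBJECT_CACHING'
    'Scripted Windows Security Restrictions' = 'FEATURE_WINDOW_RESTRICTIONS'
    'Protection from Zone Elevation'         = 'FEATURE_ZONE_ELEVATION'
    'Information Bar'                        = 'FEATURE_SECURITYBAND'
    'Restrict ActiveX Install'               = 'FEATURE_RESTRICT_ACTIVEXINSTALL'
    'Restrict File Download'                 = 'FEATURE_RESTRICT_FILEDOWNLOAD'
}

# Table 5 rows -> URL action IDs (the registry value names under each zone key)
$UrlActions = @{
    'Download signed ActiveX controls'                          = '1001'
    'Download unsigned ActiveX controls'                        = '1004'
    'Run ActiveX controls and plug-ins'                         = '1200'
    'Initialize and script ActiveX controls not marked as safe' = '1201'
    'Allow active scripting'                                    = '1400'
    'Scripting of Java applets'                                 = '1402'
    'Script ActiveX controls marked safe for scripting'         = '1405'
    'Access data sources across domains'                        = '1406'
    'Allow paste operations via script'                         = '1407'
    'Submit non-encrypted form data'                            = '1601'
    'Allow font downloads'                                      = '1604'
    'User data persistence'                                     = '1606'
    'Navigate sub-frames across different domains'              = '1607'
}
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$UrlPolicy = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }   # URLPOLICY_ALLOW / QUERY / DISALLOW

function Get-IeSecurityFeaturePolicy {
    # One row per Table 3 feature. The policy stores a value named "*" = 1 when the
    # feature is enabled for all processes; a missing subkey means "Not configured".
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl'
    foreach ($setting in ($SecurityFeatures.Keys | Sort-Object)) {
        $subkey = $SecurityFeatures[$setting]
        $regKey = Get-Item -Path (Join-Path $base $subkey) -ErrorAction SilentlyContinue
        $value  = if ($regKey) { $regKey.GetValue('*') } else { $null }
        [pscustomobject]@{
            Setting     = $setting
            FeatureKey  = $subkey
            Status      = if ($null -eq $value) { 'Not configured' }
                          elseif ($value -eq 1) { 'Enabled for all processes' }
                          else { "Unexpected value: $value" }
            Recommended = ($value -eq 1)
        }
    }
}

function Get-IeZoneUrlActionPolicy {
    # One row per Table 5 URL action for a zone (default 3 = Internet). Use -Hive HKCU
    # to read the User Configuration copy of the same policy.
    param([ValidateRange(0,4)][int]$Zone = 3, [ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM')
    $path   = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $regKey = Get-Item -Path $path -ErrorAction SilentlyContinue
    foreach ($setting in ($UrlActions.Keys | Sort-Object)) {
        $id    = $UrlActions[$setting]
        $value = if ($regKey) { $regKey.GetValue($id) } else { $null }
        [pscustomobject]@{
            Zone      = $ZoneNames[$Zone]
            Setting   = $setting
            UrlAction = "0x$id"
            Policy    = if ($null -eq $value) { 'Not configured' }
                        elseif ($UrlPolicy.ContainsKey([int]$value)) { $UrlPolicy[[int]$value] }
                        else { "Unknown ($value)" }
        }
    }
}

Get-IeSecurityFeaturePolicy | Format-Table Setting, Status, Recommended -AutoSize
Get-IeZoneUrlActionPolicy -Zone 3 | Format-Table Setting, UrlAction, Policy -AutoSize
```

Rows that report "Not configured" after GPUpdate has run point at a Group Policy application problem rather than at Internet Explorer itself, which is the case the Note below is about. Because the policy for a zone template is written as individual URL action values, this check gives the same result whether you used table 4 or table 5 to configure the zone.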
Configuring Internet Communication Management Settings
Windows XP SP2 provides new Group Policy settings, which are designed primarily to control the way in which components in Windows XP SP2 communicate with the Internet. Group Policy settings allow you to manage the ability to:
Order picture prints online
Use online storage space
Publish to the Web
In Windows XP SP2, users can click tasks in Windows Explorer to order picture prints online (Online Print Wizard), sign up for a service that offers online storage space (Add Network Place Wizard), or publish files that can be viewed in a browser (Web Publishing Wizard) as well as other tasks. The task or wizard obtains the names and URLs of these service providers from two sources: a list stored locally (in the registry) and a list stored on a Microsoft Web site. By default, Windows displays providers from a list on the Microsoft Web site in addition to providers listed in the registry.
You can use the following Group Policy settings to control the way in which these wizards and tasks work and to control the way in which these components communicate with the Internet:
Turn off the "Publish to Web" task for files and folders. This policy setting specifies whether the tasks needed to publish items to the Web are available from File and Folder Tasks in Windows folders. The tasks include Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web.
Turn off Internet download for Web publishing and online ordering wizards. This policy setting specifies whether Windows should download a list of providers for the Web Publishing Wizard, the Add Network Place Wizard, and the Online Print Wizard. By default, Windows displays providers downloaded from a Windows Web site in addition to providers specified in the registry.
Turn off the "Order Prints" picture task. This policy setting specifies whether the Order Prints Online task is available from Picture Tasks in Windows folders. This setting disables the Online Print Ordering Wizard.
These policy settings are available for both User and Computer Configuration.
For more information about how to control the use of the Add Network Place Wizard and the Web Publishing Wizard, see the following:
- "Using Windows XP Professional with Service Pack 2 in a Managed Environment: Controlling Communication with the Internet" on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=35489
Requirements to perform this task
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Configuring Internet Communication Management Settings
To configure Internet Communication Management settings
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
On the Standalone tab, click Add.
In the Available Standalone Snap-ins list, locate and then click Group Policy Object Editor, and then click Add.
In the Select Group Policy Object dialog box, click Browse.
Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.
Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
In the console tree, open Computer Configuration, Administrative Templates, System, and then Internet Communication Management.
Figure 22 Internet Communication Management settings
Configure the Restrict Internet communication setting to Disabled to disable all settings under Internet Communication settings, or Enabled to enable all settings under Internet Communication settings.
To configure each setting individually, expand Internet Communication settings, and then use table 6 to configure the settings.
Table 6 Recommended Internet Communication settings
| Setting | Description | Recommended Setting |
|---|---|---|
| Turn off the Publish to Web task for files and folders | Specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders | Enabled |
| Turn off Internet download for Web publishing and online ordering wizards | Controls whether Windows downloads a list of providers for the Publish to the Web and Order Online wizards | Enabled |
| Turn off the Windows Messenger Customer Experience Improvement Program | Specifies whether Windows Messenger collects anonymous information about how the Windows Messenger software and service is used | Enabled |
| Turn off Search Companion content file updates | Specifies whether Search Companion should automatically download content updates during local and Internet searches | Enabled |
| Turn off printing over HTTP | Allows you to disable printing over HTTP from this client | Enabled |
| Turn off downloading of print drivers over HTTP | Controls whether the computer can download print driver packages over HTTP | Enabled |
| Turn off Windows Update device driver searching | Specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present | Disabled |
Note: Table 6 includes all the recommended settings for Internet Communication.
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
From the Windows XP desktop, click Start, and then click Run.
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
- Microsoft Knowledge Base article 298444 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=35504
At the command prompt, type GPUpdate, and then press ENTER.
Figure 23 GPUpdate on a command line
To close the command prompt, type Exit and press ENTER.
Verifying Internet Communication Management Settings Are Applied
To verify Internet Communication Management settings are applied
Click Start, and then click My Pictures.
Verify under Picture Tasks that Order prints online does not appear.
Verify under File and Folder Tasks that Publish this folder to the Web does not appear.
Close My Pictures.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
- "Troubleshooting Group Policy in Windows Server 2003" on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?linkid=35481
Configuring DCOM Access Settings
The Microsoft Component Object Model (COM) is a system for creating software applications that can interact. DCOM allows these applications to be distributed across locations. The DCOM wire protocol transparently provides support for communication between COM components.
Note: For more information on DCOM security, see the following:
- “Best Practices for Mitigating RPC and DCOM Vulnerabilities” on the Microsoft TechNet web site at https://go.microsoft.com/fwlink/?linkid=36371
Many COM applications include some security-specific code but use weak settings, often allowing unauthenticated access between components. In Windows XP SP2, a change has been made in COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer. Windows XP SP2 provides a minimum authorization standard that must be passed to access any COM server on the computer.
Note: For more information on COM fixes in Windows XP SP2, see the following:
- "COM+ fixes in Windows XP Service Pack 2" at https://support.microsoft.com/default.aspx?scid=kb;en-us;838211
Computer-wide access control lists (ACLs) are checked on each DCOM request. If the check fails, the request is denied. There is a computer-wide ACL for:
Launch and activation permissions. These control authorization to start a COM server during COM activation if the server is not already running and have four access rights:
Local Launch
Remote Launch
Local Activate
Remote Activate
Access permissions. These control authorization to call a running COM server and have two access rights:
Local Calls
Remote Calls
Note: A local COM message arrives by way of the Local Call, while a remote COM message arrives by way of a Remote Call.
The permissions can be configured through the Component Services Microsoft Management Console (MMC) and provide a minimum security standard that must be passed, regardless of the settings of the specific COM server application.
Note: By default, Windows Firewall blocks this MMC snap-in on a computer running Windows XP SP2; if you receive a security alert to this effect, you must click Unblock.
The default Windows XP SP2 computer restriction settings appear in table 7.
Table 7 Default DCOM access control restrictions
| Permission | Administrator | Everyone | Anonymous |
|---|---|---|---|
| Launch and Activation | Local Launch, Local Activate, Remote Launch, Remote Activate | Local Launch, Local Activate | No permissions set |
| Access | No permissions set | Local Call, Remote Call | Local Call |
The default settings enable all local scenarios to work without modification to the software or the operating system. The defaults also enable most COM client scenarios and disable remote activations by non-administrators to installed COM servers.
If you implement a COM server and expect to support remote activation by a non-administrative COM client or remote unauthenticated calls, then you must change the default configuration for this feature.
Note: Although this document explains how to modify the default settings, if you do so you might increase the vulnerability of your computer to attack.
Requirements to perform this task
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Configuring DCOM Settings
To configure DCOM settings
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
On the Standalone tab, click Add.
In the Available Standalone Snap-ins list, locate and then click Group Policy Object Editor, and then click Add.
In the Select Group Policy Object dialog box, click Browse.
Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.
Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
In the console tree, open Computer Configuration, Windows Settings, Security Settings, Local Policies, and then Security Options.
Figure 24 Security Options
Double-click DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax.
Note: For more information on SDDL, see the following:
- "Security Descriptor Definition Language" on the MSDN Web site at https://go.microsoft.com/fwlink/?linkid=35503
Figure 25 DCOM: Machine Access Restrictions
Click Edit Security.
Figure 26 Access Permissions
To grant access to all of your computers for particular users of DCOM applications in the enterprise, click Add.
Figure 27 Select Users, Computers, or Groups
Type the user's name, and then click OK.
Click OK to close the Access Permission dialog box and then click OK to close the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax box.
Double-click DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax, and then click Edit Security. To grant launch or activation permissions to all of your computers for particular users of DCOM applications in the enterprise, click Add.
Type the user's name, and then click OK.
Click OK to close the Access Permission dialog box and then click OK to close the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax box.
Close the console.
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
From the Windows XP desktop, click Start, and then click Run.
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
- Microsoft Knowledge Base article 298444 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=35504
At the command prompt, type GPUpdate, and then press ENTER.
Figure 28 GPUpdate on a command line
To close the command prompt, type Exit and press ENTER.
Verifying DCOM Security Settings Are Applied
To verify DCOM settings are applied
Click Start and then click Control Panel.
Click Performance and Maintenance.
Under "or pick a Control Panel icon", click Administrative Tools.
In Administrative Tools, double-click Component Services.
In the Component Services console, double-click Component Services, double-click Computers, right-click My Computer, and then click Properties.
Click COM Security, click both the Edit Defaults buttons and verify that the desired configuration for DCOM is applied and then click OK to close COM Security.
Close Component Services and then close Administrative tools.
Close the Control Panel.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
- "Troubleshooting Group Policy in Windows Server 2003" on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?linkid=35481
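The two Security Options edited above store the computer-wide ACLs as SDDL strings, which is hard to read back in the Component Services dialog boxes. The following PowerShell script is an added example (not part of the original article) that decodes such a string into the rights named in table 7. It assumes that the applied policy is stored as the REG_SZ values MachineAccessRestriction and MachineLaunchRestriction under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM, and that the COM access-mask bits are 0x2 (local execute/launch), 0x4 (remote execute/launch), 0x8 (local activate) and 0x10 (remote activate), as defined in the COM SDK headers. The sample SDDL strings are constructed to reproduce the table 7 defaults, with the Administrator column represented by the built-in Administrators group (BA).

```powershell
# Added example, not from the original article: decode the SDDL written by the
# "DCOM: Machine Access/Launch Restrictions" Security Options into Table 7 rights.
# Assumptions: registry location of the applied policy, and the COM access-mask bits.

function ConvertFrom-DcomSddl {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [ValidateSet('Access','Launch')][string]$Kind = 'Access'
    )
    # The same bits mean "Call" in the access ACL and "Launch" in the launch ACL (Table 7).
    $names = if ($Kind -eq 'Launch') {
        [ordered]@{ 0x2 = 'Local Launch'; 0x4 = 'Remote Launch'; 0x8 = 'Local Activate'; 0x10 = 'Remote Activate' }
    } else {
        [ordered]@{ 0x2 = 'Local Call'; 0x4 = 'Remote Call' }
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Well-known SIDs translate offline; unknown ones are shown as S-1-... strings.
        $account = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        $granted = foreach ($bit in $names.Keys) { if ($ace.AccessMask -band $bit) { $names[$bit] } }
        [pscustomobject]@{
            Kind    = $Kind
            AceType = $ace.AceType
            Account = $account
            Mask    = ('0x{0:X}' -f $ace.AccessMask)
            Rights  = if ($granted) { $granted -join ', ' } else { 'No permissions set' }
        }
    }
}

function Get-DcomMachineRestrictionPolicy {
    # Reads the SDDL the two Security Options write. If neither value exists the policy
    # has not applied (or is Not Defined) and the Table 7 defaults are in force.
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' -ErrorAction SilentlyContinue
    if ($props.MachineAccessRestriction) { ConvertFrom-DcomSddl -Sddl $props.MachineAccessRestriction -Kind Access }
    if ($props.MachineLaunchRestriction) { ConvertFrom-DcomSddl -Sddl $props.MachineLaunchRestriction -Kind Launch }
}

# Constructed sample SDDL reproducing Table 7 (WD = Everyone, AN = Anonymous, BA = Administrators):
# Access: Everyone 0x6 = Local Call + Remote Call; Anonymous 0x2 = Local Call
$SampleAccessSddl = 'O:BAG:BAD:(A;;0x6;;;WD)(A;;0x2;;;AN)'
# Launch: Administrators 0x1E = all four rights; Everyone 0xA = Local Launch + Local Activate
$SampleLaunchSddl = 'O:BAG:BAD:(A;;0x1E;;;BA)(A;;0xA;;;WD)'

ConvertFrom-DcomSddl -Sddl $SampleAccessSddl -Kind Access | Format-Table -AutoSize
ConvertFrom-DcomSddl -Sddl $SampleLaunchSddl -Kind Launch | Format-Table -AutoSize
Get-DcomMachineRestrictionPolicy | Format-Table -AutoSize   # empty until the GPO applies
```

When you grant a user or group in the Access Permission dialog box as described above, a new ACE for that account appears in the decoded output; any ACE that carries a remote bit (0x4 or 0x10) for Everyone or for Anonymous is the widening that the Note before the procedure warns about, and is worth a second look.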
Configuring RPC Settings
Windows XP SP2 includes changes to the RPC service that are designed to help make RPC interfaces secure by default and reduce the attack surface of Windows XP. Two new policy settings have been added:
Restrictions for Unauthenticated RPC clients. This policy setting allows you to modify the behavior of all RPC interfaces on the system and, by default, eliminates remote anonymous access to RPC interfaces on the system, with some exceptions.
RPC Endpoint Mapper Client Authentication. This policy setting allows you to direct RPC clients that must communicate with the Endpoint Mapper Service to authenticate, provided that the RPC call for which the endpoint needs to be resolved has authentication information.
When you require RPC calls to perform authentication, even a relatively low level of authentication can help protect an interface from attack. This is particularly useful against worms that rely on exploitable buffer overruns that can be invoked remotely by using anonymous connections.
For more information on RPC security, see the following:
- “Best Practices for Mitigating RPC and DCOM Vulnerabilities” on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?linkid=36371
Requirements to perform this task
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Configuring RPC Settings
When you enable the Restrictions for Unauthenticated RPC clients policy setting, you can configure RPC Runtime Unauthenticated Client to Apply with one of these options:
Authenticated (Default). This option allows only authenticated RPC clients to connect to RPC servers that run on the computer on which the policy setting is applied. Interfaces that have asked to be exempt from this restriction are granted an exemption. This option represents the RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (1) value.
Authenticated without exceptions. This option allows only authenticated RPC clients to connect to RPC servers running on the computer on which the policy setting is applied; it does not permit exceptions. If you select this option, a system cannot receive remote anonymous calls using RPC; it provides the highest level of security. This option represents the RPC_RESTRICT_REMOTE_CLIENT_HIGH (2) value.
None. This option allows all RPC clients to connect to RPC servers that run on the computer on which the policy is applied. If you select this option, the system bypasses the new RPC interface restriction. This option is equivalent to the RPC behavior in previous versions of Windows. This option represents the RPC_RESTRICT_REMOTE_CLIENT_NONE (0) value.
When you enable the RPC Endpoint Mapper Client Authentication policy setting, RPC clients that must communicate with the Endpoint Mapper Service authenticate, provided that the RPC call for which the endpoint needs to be resolved has authentication information.
When you disable the RPC Endpoint Mapper Client Authentication policy setting, RPC clients that must communicate with the Endpoint Mapper Service do not authenticate. The Endpoint Mapper Service on computers running Microsoft Windows NT 4.0 operating systems cannot process authentication information supplied in this manner. This means that if you enable this setting on a client computer, that client cannot communicate with a Windows NT 4.0 server that uses RPC if endpoint resolution is needed.
To configure RPC settings
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
On the Standalone tab, click Add.
In the Available Standalone Snap-ins list, locate and then click Group Policy Object Editor, and then click Add.
In the Select Group Policy Object dialog box, click Browse.
Select the Group Policy Object you want to configure from the list. Click OK, then click Finish to close the Group Policy Wizard.
Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
In the console tree, open Computer Configuration, Administrative Templates, System, and then Remote Procedure Call.
Figure 29 RPC settings
Use the configuration information above: double-click Restrictions for Unauthenticated RPC clients, click Enabled, choose Authenticated without exceptions, and then click OK.
Use the configuration information above: double-click RPC Endpoint Mapper Client Authentication, click Enabled, and then click OK.
Close the Group Policy Object.
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
From the Windows XP desktop, click Start, and then click Run.
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
- Microsoft Knowledge Base article 298444 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=35504
At the command prompt, type GPUpdate, and then press ENTER.
Figure 30 GPUpdate on a command line
To close the command prompt, type Exit and press ENTER.
Verifying RPC Settings Are Applied
This procedure contains information about how to edit the registry. Before you edit the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, see the following:
- Microsoft Knowledge Base article 256986 on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=35500
Verifying RPC Settings Are Applied
To verify RPC settings are applied
Click Start and then click Run.
Type Regedit then click OK.
In the Registry Editor, double-click HKEY_LOCAL_MACHINE, and then double-click SOFTWARE\Policies\Microsoft\Windows NT\Rpc.
Verify that there are the following entries in the registry:
EnableAuthEPResolution REG_DWORD 0x00000001
RestrictRemoteClients REG_DWORD 0x00000002
Close the Registry Editor.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
- "Troubleshooting Group Policy in Windows Server 2003" on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?linkid=35481
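The registry check above can be scripted for a fleet of clients. The following PowerShell function is an added example (not part of the original article) that reads the two values under SOFTWARE\Policies\Microsoft\Windows NT\Rpc and interprets them using the option names and RPC_RESTRICT_REMOTE_CLIENT_* values described in this section; the expected values (2 and 1) are the ones this document's procedure configures. It treats a missing key as "policy not applied", which is the failure mode the Note above refers to.

```powershell
# Added example, not from the original article: verify the RPC policy values this
# section configures and translate them into the option names from the text.
$RpcPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'

# RestrictRemoteClients values, as listed under "Configuring RPC Settings"
$RestrictLevels = @{
    0 = 'None (RPC_RESTRICT_REMOTE_CLIENT_NONE): pre-SP2 behavior, anonymous remote calls allowed'
    1 = 'Authenticated (RPC_RESTRICT_REMOTE_CLIENT_DEFAULT): exempted interfaces still reachable anonymously'
    2 = 'Authenticated without exceptions (RPC_RESTRICT_REMOTE_CLIENT_HIGH): no remote anonymous RPC'
}

function Get-RpcRestrictionPolicy {
    # Expected values default to what this document's procedure sets (2 and 1).
    param(
        [string]$Key = $RpcPolicyKey,
        [int]$ExpectedRestrict = 2,
        [int]$ExpectedEpAuth = 1
    )
    $props    = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $restrict = $props.RestrictRemoteClients       # $null when the key or value is absent
    $epAuth   = $props.EnableAuthEPResolution

    [pscustomobject]@{
        PolicyKeyPresent       = [bool]$props
        RestrictRemoteClients  = $restrict
        RestrictMeaning        = if ($null -eq $restrict) { 'Not configured (policy not applied)' }
                                 elseif ($RestrictLevels.ContainsKey([int]$restrict)) { $RestrictLevels[[int]$restrict] }
                                 else { "Unknown value $restrict" }
        EnableAuthEPResolution = $epAuth
        EpMapperAuth           = if ($null -eq $epAuth) { 'Not configured (policy not applied)' }
                                 elseif ($epAuth -eq 1) { 'Clients authenticate to the Endpoint Mapper (endpoint resolution against Windows NT 4.0 servers will fail)' }
                                 else { 'Clients do not authenticate to the Endpoint Mapper' }
        Compliant              = ($restrict -eq $ExpectedRestrict) -and ($epAuth -eq $ExpectedEpAuth)
    }
}

Get-RpcRestrictionPolicy | Format-List
```

A result with PolicyKeyPresent set to False after GPUpdate has run means the GPO is not reaching this computer at all, so the troubleshooting reference in the Note above applies; a present key with a RestrictRemoteClients value of 1 means the GPO applied but Authenticated without exceptions was not selected.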
Related Information
For more information about Windows XP SP2 network protection, see the following:
- "Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 2: Network Protection Technologies" on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?linkid=35486
- "Managing Windows XP Service Pack 2 Features Using Group Policy" on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?linkid=35485
- "Recommendations for managing Group Policy administrative template (.adm) files" on the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?linkid=35502
For more information about Windows XP SP2 security, see the following:
- "Windows XP Security Guide, Updated for Service Pack 2" on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?linkid=35309
- "Windows XP Security Guide Appendix A: Additional Guidance for Windows XP Service Pack 2" on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?linkid=35465
- "Using Group Policy to Deploy Windows XP Service Pack 2 (SP2)" on the Microsoft TechNet Web site at https://go.microsoft.com/fwlink/?linkid=35501
For definitions of security-related terms, see the following:
- "Microsoft Security Glossary" on the Microsoft Web site at https://go.microsoft.com/fwlink/?linkid=35468