How to Configure Windows XP SP2 Network Protection Technologies in an Active Directory Environment

On This Page

Introduction
Before You Begin
Adding Hotfixes to Management Workstations and Windows Small Business Server 2003
Updating Existing Group Policy Objects
Configuring Security Center Settings
Configuring Windows Firewall Settings
Configuring Internet Explorer Security Settings
Configuring Internet Communication Management Settings
Configuring DCOM Access Settings
Configuring RPC Settings
Related Information

Introduction

Group Policy settings are applied based on your organization's implementation of Microsoft Active Directory, and they help protect your computer environment with standard configuration settings across categories of users and computers. New Group Policy network protection settings for Microsoft Windows XP Service Pack 2 (SP2) include:

  • Windows Firewall. Configure these policy settings to turn the firewall on or off, manage program and port exceptions, and define exceptions for specific scenarios such as to allow remote administration on target computers.

  • Internet Explorer. With these new policy settings, you can configure Microsoft Internet Explorer security settings. Furthermore, with policy settings, you can enable or disable Internet Explorer security features for various processes.

  • Internet Communication Management. You can configure these settings to control how various components in Windows XP SP2 communicate over the Internet for tasks that involve exchange of information between computers in an organization and the Internet.

  • DCOM Security. You configure these settings to control security settings for Distributed Component Object Model (DCOM). The DCOM infrastructure includes new access control restrictions to help minimize the security risks posed by network attacks.

  • SecurityCenter. You configure these settings to centrally administer Windows Security Center. Security Center is a new feature in Windows XP SP2 that allows you to monitor computers in your organization to ensure that they comply with the latest security updates and to provide user alerts if a computer poses a security risk.

  • Remote Procedure Call (RPC). You can configure the RPC policy settings to block remote anonymous access to RPC interfaces on the system, and to prevent anonymous access to the RPC Endpoint Mapper interface.

This document explains how to deploy the network protection Group Policy settings to help to secure Windows XP SP2 client computers.

For a complete list of recommended settings, see the following:

You perform tasks on Group Policy objects (GPOs) in an Active Directory domain. Some of these tasks can be run from a domain controller but usually they are performed on a Windows XP SP2 client computer that contains Active Directory management tools.

Note:  For more information about how to deploy GPO, see the following:

To configure network protection in an Active Directory environment, you perform these tasks:

  • Add hotfixes to management workstations

  • Update Existing GPOs

  • Configure Security Center settings

  • Configure Windows Firewall settings

  • Configure Internet Explorer settings

  • Configure Internet Communication Management settings

  • Configure DCOM Security settings

  • Configure RPC settings

IMPORTANT: The instructions in this document were developed with the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

For definitions of security-related terms, see the following:

Before You Begin

Windows XP SP2 can be used as a Windows domain client in an Active Directory domain whose domain controllers run any edition of:

  • Microsoft Windows Server 2003

  • Microsoft Windows Small Business Server 2003

  • Microsoft Windows 2000 Server SP3 or later

Before you install hotfixes, make sure that you have backed up your computer, including a backup of the registry.

For more information on how to backup the registry, see the following:

Adding Hotfixes to Management Workstations and Windows Small Business Server 2003

If you manage Group Policy Object settings on computers that run earlier operating systems or service packs (for example, Windows XP with SP1 or Windows Server 2003), you must install a hotfix (KB842933) so policy settings appear correctly in the Group Policy Object Editor.

If you are using Small Business Server 2003 (SBS 2003), an additional hotfix (KB872769) must be applied, because by default SBS 2003 turns off the Windows Firewall. The hotfix resolves this issue.

Note: The hotfixes listed are not included as part of Windows Update and you must install them separately. The hotfixes must be applied to all affected systems individually.

KB842933 applies to the following:

  • Microsoft Windows Server 2003, Web Edition

  • Microsoft Windows Server 2003, Standard Edition

  • Microsoft Windows Server 2003, Enterprise Edition

  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition

  • Microsoft Windows XP Professional SP1

  • Microsoft Windows Small Business Server 2003, Premium Edition

  • Microsoft Windows Small Business Server 2003, Standard Edition

  • Microsoft Windows 2000 Advanced Server

  • Microsoft Windows 2000 Server

  • Microsoft Windows 2000 Professional

KB872769 applies to the following:

Requirements to perform this task

  • Credentials: You must log on to the client computer as a member of the Domain Administrators security group or Local Administrators security group.

  • Tools: The appropriate downloaded hotfix for your operating system as explained in the Knowledge Base articles 842933 and 872769.

Adding Hotfix 842933 to Windows Small Business Server 2003, Windows 2000 Server SP3 or later, Windows XP SP1, or Windows Server 2003

To add the hotfix

  1. From the Windows desktop, click Start, click Run, type the path and filename of the downloaded hotfix, and then click OK.

  2. On the Welcome to KB842933 Setup Wizard page, click Next.

  3. On the License page, click I Agree, and then click Next.

  4. On the Completing the KB842933 Setup Wizard page, to finish the hotfix installation and restart the computer, click Finish.

  5. Repeat the above steps for all systems where it applies (servers and management workstations).

Adding Hotfix 872769 to Windows Small Business Server 2003

To add the hotfix

  1. From the Windows desktop, click Start, click Run, type the path and filename of the downloaded 872769 hotfix, and then click OK.

  2. On the Welcome to KB872769 Setup Wizard page, click Next.

  3. On the License page, click I Agree, and then click Next.

  4. On the Completing the KB872769 Setup Wizard page, to finish the hotfix installation and restart the computer, click Finish.

Updating Existing Group Policy Objects

Windows XP SP2 adds new settings to the administrative templates. To configure these new settings, each GPO must be updated with the new administrative templates found in Windows XP SP2. Unless the Group Policy Objects are updated, settings related to the Windows Firewall will not be available.

You can update GPOs with the Microsoft Management Console (MMC) with the Group Policy Object Editor Snap-in installed on a computer with Windows XP SP2 installed.

After a GPO has been updated, you can configure the network protection settings that are appropriate for your computers running Windows XP SP2.

Requirements to perform this task

  • Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins, or the Group Policy Creator/Owner security group.

  • Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.

Updating Group Policy Objects

To update Group Policy objects

  1. From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Available Standalone Snap-ins list, click Group Policy Object Editor, and click Add.

  5. In the Select Group Policy Object dialog box, click Browse.

    Figure 1  Browse for a Group Policy Object

  6. In the Browse for a Group Policy Object dialog box, select the Group Policy object that you want to update with the new Windows Firewall settings.

  7. Click OK, and then click Finish to close the Group Policy Wizard.

    This applies the new administrative template to the selected GPO.

  8. In the Add Standalone Snap-in dialog box, click Close.

  9. In the Add/Remove Snap-in dialog box, click OK.

  10. Close the MMC: click File, click Exit, and do not save changes to the console settings.

    Note: Although you do not save console changes, the above procedure imports the new administrative templates from Windows XP SP2 into the GPO. The templates must be imported into each defined GPO.

  11. Repeat the steps for every GPO that is being used to apply Group Policy to computers that have Windows XP SP2 installed.

Note: To update your GPOs for network environments that use Active Directory and Windows XP SP1, Microsoft recommends that you use the Group Policy Management Console, a free download. For more information, see the following:

  - "[Enterprise Management with the Group Policy Management Console](https://go.microsoft.com/fwlink/?linkid=35479)" on the Microsoft Windows Server System Web site at https://go.microsoft.com/fwlink/?linkID=35479

Configuring Security Center Settings

The Security Center is a new service in Windows XP SP2 that provides a central location to change security settings, learn more about security, and ensure that users’ computers are up-to-date with the essential security settings that are recommended by Microsoft.

In a Windows domain environment, you can use Group Policy to enable the Security Center to monitor users’ computers to help ensure that they have the latest security updates and to notify users if their computers may be at risk.

The Security Center service runs as a background process and checks the state of the following components on the user’s computer:

  • Firewall. The Security Center checks whether Windows Firewall is on or off and also checks for the presence of some other software firewalls. To check for other firewalls, Security Center queries for specific Windows Management Instrumentation (WMI) providers, which have been made available by participating vendors.

  • Virus protection. The Security Center checks for the presence of antivirus software. To check for the presence of antivirus software, Security Center queries for specific WMI providers that are made available by participating vendors. If the information is available, the Security Center service also determines whether the software is up to date and whether a real-time scan is turned on.

  • Automatic Updates. The Security Center checks to ensure that Automatic Updates is set to the recommended setting, which automatically downloads and installs critical updates to the user’s computer. If Automatic Updates is turned off or is not set to the recommended settings, the Security Center provides appropriate recommendations.

If a component is found to be missing or out of compliance with your security policy, the Security Center alerts you with a red icon in the notification area of your taskbar and by providing an alert message at logon. This message contains links to open the Security Center user interface, which provides information about the problem and recommendations for fixing it.

If you run firewall or antivirus software that is not detected by Security Center, you can set the Security Center to bypass alerting for that component.

You can use a Group Policy setting to centrally manage the Security Center feature for computers in a Windows domain.

If you enable the Turn on Security Center (Domain PCs only) policy setting, Security Center monitors essential security settings (firewall, antivirus, and automatic updates) and notifies users when their computers might be at risk. By default, the Turn on Security Center (Domain PCs only) policy setting is not enabled, which means Security Center is turned off. When Security Center is turned off, neither the notifications nor the Security Center status section are displayed.

Requirements to perform this task

  • Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.

  • Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.

Configuring the Security Center Settings

Use this setting to allow users of computers that run Windows XP SP2 to use the Security Center for alerts about firewalls, antivirus software, and automatic updates.

To configure the SecurityCenter settings

  1. From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Available Standalone Snap-ins list, locate and click Group Policy Object Editor, and then click Add.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. Select the Group Policy Object you want to configure from the list. Click OK, then click Finish to close the Group Policy Wizard.

  7. Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.

  8. In the console tree, open Computer Configuration, Administrative Templates, Windows Components, and then Security Center.

    Figure 2   SecurityCenter settings

  9. Double-click Turn on SecurityCenter (Domain PCs only), click Enabled, and then click OK.

Applying Configuration with GPUpdate

The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.

To refresh Group Policy between standard cycles, use the GPUpdate utility.

Running GPUpdate

To run GPUpdate

  1. From the Windows XP desktop, click Start, and then click Run.

  2. In the Open box, type cmd, and then click OK.

    Note: For a complete description of the available options when using GPUpdate, see the following:

  3. At the command prompt, type GPUpdate, and then press ENTER.

    Figure 3   GPUpdate on a command line

  4. To close the command prompt, type Exit and press ENTER.

Verifying Security Center Settings Are Applied

To verify SecurityCenter settings are applied

  1. From the Windows XP desktop, click Start, and then click Control Panel.

  2. Under Pick a category, click SecurityCenter.

  3. Verify that Security Center starts.

    Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:

Configuring Windows Firewall Settings

There are three sets of Windows Firewall settings to configure:

  • Allow authenticated IPSec bypass. This setting is used when an organization uses Internet Protocol Security (IPSec) to protect traffic and enables the Windows Firewall.

  • Domain profile. These settings are used by computers when they are connected to a network that contains domain controllers for the domain of which the computers are a member.

  • Standard profile. These settings are used by computers when they are not connected to your network, for example, when you travel with a laptop computer.

If you do not configure standard profile settings, the default values remain unchanged. Microsoft recommends that you configure both domain and standard profile settings and that you enable the Windows Firewall for both profiles. The only exception is if you are already using a third-party host firewall product.

If you already use a third-party host firewall product, then Microsoft recommends that you disable Windows Firewall.

If you decide to disable Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP SP2, Windows XP SP1, and Windows XP with no service packs installed, then you should configure these Group Policy settings:

  • Prohibit use of Internet Connection Firewall on your DNS domain network set to Enabled

  • Domain profile – Windows Firewall: Protect all network connections set to Disabled

  • Standard profile – Windows Firewall: Protect all network connections set to Disabled

    Note: This standard profile setting ensures that Windows Firewall is not used, whether the computers are connected to your organization network or not. To ensure that Windows Firewall is not used on your organization network, but is used when the computers are not connected to the network, change this setting to Enabled.

The standard profile settings are typically more restrictive than the domain profile, because the standard profile settings do not include applications and services that are only used in a managed domain environment.

In a GPO, both the domain profile and standard profile contain the same set of Windows Firewall settings. Windows XP SP2 relies on network determination to apply the correct profile.

Note: For more information about network determination, see the following:

This section describes the possible Windows Firewall settings in a GPO and the recommended settings for an enterprise environment and demonstrates how to enable four types of settings.

Requirements to perform this task

  • Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object that you modified in the previous task.

  • Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed

    Note: To open a GPO, you use either an MMC with the Group Policy Object Editor snap-in included, or the Active Directory Users and Computers console. To use the Active Directory Users and Computers console on a Windows XP client computer, you must run adminpak.msi from the Windows Server 2003 CD.

Configuring Windows Firewall Settings using Group Policy

You use the Group Policy Object Editor snap-in or Active Directory Users and Computers to modify the Windows Firewall settings in the appropriate GPOs.

After you have configured the Windows Firewall settings, the next refresh of Computer Configuration Group Policy downloads the new Windows Firewall settings and applies them to computers running Windows XP SP2.

To configure Windows Firewall settings

  1. From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Available Standalone Snap-ins list, locate and click Group Policy Object Editor, and then click Add.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.

  7. Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.

  8. In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall.

    Figure 4   Windows Firewall options in a Group Policy

  9. Double-click Windows Firewall: Allow authenticated IPSec bypass.

    Figure 5   Allow authenticated IPSec bypass

    Table 1 summarizes the Allow authenticated IPSec bypass options.

    Table 1   Allow authenticated IPSec bypass settings for an enterprise

    | Setting | Description | Notes |
    | --- | --- | --- |
    | Not Configured | This GPO will not change the current configuration of Windows Firewall. | |
    | Enabled | Windows Firewall does not process IPSec-secured traffic except from users or groups listed in the policy. | The syntax to list users and groups uses the SDDL standard. For more information, see "Security Descriptor Definition Language" on the MSDN Web site at https://go.microsoft.com/fwlink/?linkid=35503 |
    | Disabled | Windows Firewall processes IPSec-secured traffic. | |

  10. Use the information in Table 1 and click either Enabled or Disabled.

    Note: If you click Enabled, you can create a list of users or groups that are allowed to send IPSec secured traffic to your computer.

  11. Click OK.

  12. Select either Domain Profile or Standard Profile.

    Figure 6   Windows Firewall settings in a Group Policy

    Table 2 summarizes the Windows Firewall Group Policy recommended settings for the domain and standard profiles.

    Table 2   Windows Firewall recommended settings for an enterprise

    | Setting | Description | Domain Profile | Standard Profile |
    | --- | --- | --- | --- |
    | Protect all network connections | Specifies that all network connections have Windows Firewall enabled | Enabled | Enabled |
    | Do not allow exceptions | Specifies that all unsolicited incoming traffic is dropped, which includes excepted traffic | Not configured | Enabled, unless you must configure program exceptions |
    | Define program exceptions | Defines excepted traffic in terms of program file names | Enabled and configured with the programs (applications and services) used by the computers running Windows XP with SP2 on your network | Enabled and configured with the programs (applications and services) used by the computers running Windows XP with SP2 on your network |
    | Allow local program exceptions | Allows local configuration of program exceptions | Disabled, unless you want local administrators to configure program exceptions locally | Disabled |
    | Allow remote administration exception | Allows remote configuration using tools | Disabled, unless you want to be able to remotely administer your computers with MMC snap-ins | Disabled |
    | Allow file and print sharing exception | Specifies whether file and printer sharing traffic is allowed | Disabled, unless the computers that run Windows XP SP2 share local resources | Disabled |
    | Allow ICMP exceptions | Specifies the types of ICMP messages that are allowed | Disabled, unless you wish to use the ping command to troubleshoot | Disabled |
    | Allow Remote Desktop exception | Specifies whether the computer can accept a Remote Desktop-based connection request | Enabled | Enabled |
    | Allow UPnP framework exception | Specifies whether the computer can receive unsolicited UPnP messages | Disabled | Disabled |
    | Prohibit notifications | Disables notifications | Disabled | Disabled |
    | Allow logging | Allows you to log traffic and configure log file settings | Not configured | Not configured |
    | Prohibit unicast response to multicast or broadcast requests | Discards the unicast packets received in response to a multicast or broadcast request message | Enabled | Enabled |
    | Define port exceptions | Specifies excepted traffic in terms of TCP and UDP ports | Disabled | Disabled |
    | Allow local port exceptions | Allows local configuration of port exceptions | Disabled | Disabled |

Enabling Exceptions for Ports

To enable exceptions for ports

  1. In either the Domain Profile or Standard Profile settings area, double-click Windows Firewall: Define port exceptions.

    Figure 7   Windows Firewall: Define port exceptions Properties

  2. Click Enabled, and then click Show.

    Figure 8   Show Contents

  3. Click Add.

    Figure 9   Add Item

  4. Type the port information that you want to block or enable with this syntax:

    port:transport:scope:status:name

    Where port is the port number, transport is TCP or UDP, scope is either * (for all systems) or a list of the computers that are allowed to access the port, status is either enabled or disabled, and name is a text string used as a label for this entry.

    When using scope, host names, Domain Name System (DNS) names, or DNS suffixes are not supported. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24).

    For more information on TCP/IP addressing and subnetting, see the following:

    Note: If you have any spaces between the entries in the list of sources or any other invalid characters, the scope is ignored and the setting behaves as if it were disabled. Please double-check your scope syntax before saving changes.

    This example uses a port exception named WebTest and enables TCP port 80 for all connections; in the syntax above, that entry is 80:TCP:*:enabled:WebTest.

  5. Click OK to close Add Item.

    Figure 10   Show Contents

  6. Click OK to close Show Contents.

  7. Click Close to close Windows Firewall: Define port exceptions Properties.

    Note: When Do not allow exceptions is selected, any Port Exceptions are ignored.

Enabling Exceptions for Programs

To enable exceptions for programs

  1. In either the Domain Profile or Standard Profile settings area, double-click Windows Firewall: Define program exceptions.

    Figure 11   Windows Firewall: Define program exceptions Properties

  2. Click Enabled, and then click Show.

    Figure 12   Show Contents

  3. Click Add.

    Figure 13   Add Item

  4. Type the program information that you want to block or enable, with this syntax:

    path:scope:status:name

    Where path is the program path and file name, scope is either * (for all systems) or a list of the computers that are allowed to access the program, status is either enabled or disabled, and name is a text string used as a label for this entry.

    This example enables Windows Messenger for all connections.

    For more information on TCP/IP addressing and subnetting, see the following:

  5. Click OK to close Add Item.

    Figure 14   Show Contents

  6. Click OK to close Show Contents.

  7. Click Close to close Windows Firewall: Define program exceptions Properties.
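Because an exception entry with a malformed scope is silently ignored and the entry then behaves as if it were disabled, it is worth checking the entries before they go into a GPO. The following Python script is an added example, not code from the article or from Microsoft. It lints entries in the two formats described above (the port:transport:scope:status:name form from "Enabling Exceptions for Ports" and the path:scope:status:name form from this section), accepting only the scope forms the article describes: * or a comma-separated list of IPv4 addresses or ranges written with a dotted subnet mask or a prefix length. The sample entries, including the program paths, are constructed for the example, and the assumption that an entry's label contains no colon is noted in the code.

```python
"""Lint Windows Firewall Group Policy exception entries before they are deployed.

Added example, not part of the original article. It checks the two entry
formats the article describes:

    port:transport:scope:status:name     (Windows Firewall: Define port exceptions)
    path:scope:status:name               (Windows Firewall: Define program exceptions)

and the scope rules: "*" or a comma-separated list of IPv4 addresses or ranges
written with a dotted subnet mask or a prefix length. Host names, DNS suffixes
and stray spaces are rejected because, as the article notes, an invalid scope
is silently ignored and the entry then behaves as if it were disabled.
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

VALID_TRANSPORTS = {"TCP", "UDP"}
VALID_STATUS = {"enabled", "disabled"}


def scope_error(scope: str) -> Optional[str]:
    """Return None if the scope is well formed, otherwise a description of the problem."""
    if scope == "*":
        return None
    if not scope:
        return "scope is empty"
    if any(ch.isspace() for ch in scope):
        # Spaces make Windows Firewall ignore the entire scope, so treat them as fatal.
        return "scope contains whitespace; Windows Firewall would ignore the whole scope"
    for item in scope.split(","):
        try:
            # strict=False accepts a host address inside the range (10.47.81.231/24)
            # as well as a network ID (10.47.81.0/24); dotted masks such as
            # 10.47.81.0/255.255.255.0 are accepted by ipaddress as well.
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            return f"scope item {item!r} is not an IPv4 address or range (host names are not supported)"
        if net.version != 4:
            return f"scope item {item!r} is not an IPv4 address or range"
    return None


def port_entry_error(entry: str) -> Optional[str]:
    """Validate one 'port:transport:scope:status:name' entry; None means OK."""
    fields = entry.split(":", 4)          # the label is last and may contain colons
    if len(fields) != 5:
        return "expected port:transport:scope:status:name"
    port, transport, scope, status, name = fields
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        return f"port {port!r} is not a number from 1 to 65535"
    if transport.upper() not in VALID_TRANSPORTS:
        return f"transport {transport!r} must be TCP or UDP"
    if status.lower() not in VALID_STATUS:
        return f"status {status!r} must be enabled or disabled"
    if not name:
        return "name (label) is empty"
    return scope_error(scope)


def program_entry_error(entry: str) -> Optional[str]:
    """Validate one 'path:scope:status:name' entry; None means OK.

    The path itself contains a drive-letter colon, so the entry is split from
    the right. Assumption: the label contains no colon.
    """
    fields = entry.rsplit(":", 3)
    if len(fields) != 4:
        return "expected path:scope:status:name"
    path, scope, status, name = fields
    if not path or path.endswith(("\\", "/")):
        return f"path {path!r} does not name a program file"
    if status.lower() not in VALID_STATUS:
        return f"status {status!r} must be enabled or disabled"
    if not name:
        return "name (label) is empty"
    return scope_error(scope)


def lint(entries: List[str], checker: Callable[[str], Optional[str]]) -> List[Tuple[str, str]]:
    """Return (entry, problem) pairs for every entry the checker rejects."""
    return [(entry, err) for entry in entries for err in [checker(entry)] if err is not None]


# Constructed sample entries (not from the article): the first mirrors the
# article's WebTest example; the rest show the accepted range forms and the
# mistakes the validator is meant to catch.
PORT_ENTRIES = [
    "80:TCP:*:enabled:WebTest",
    "3389:TCP:10.47.81.0/255.255.255.0,10.47.82.231/24:enabled:RemoteDesktop",
    "137:UDP:10.47.81.0/24, 10.47.82.0/24:enabled:NetBIOS",   # space after the comma
    "445:TCP:fileserver.corp.example:enabled:SMB",            # host name, not supported
    "8080:TCPX:*:enabled:BadTransport",                       # typo in transport
]
PROGRAM_ENTRIES = [
    r"C:\Program Files\Messenger\msmsgs.exe:*:enabled:Windows Messenger",  # constructed path
    r"C:\Tools\backup.exe:10.47.0.0/16:enabled:Backup agent",
    r"C:\Tools\backup.exe:*:on:Backup agent",                              # bad status
]

if __name__ == "__main__":
    for kind, entries, checker in (("port", PORT_ENTRIES, port_entry_error),
                                   ("program", PROGRAM_ENTRIES, program_entry_error)):
        for entry, problem in lint(entries, checker):
            print(f"{kind} exception rejected: {entry}\n    {problem}")
```

Run the script as-is to see the three rejected port entries and the one rejected program entry; paste your own entries into the two lists to check a GPO before you click OK in the Show Contents dialog box.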

Configuring Basic ICMP Options

For information on ICMP, see the following:

To configure basic ICMP options

  1. In either the Domain or Standard Profile settings area, double-click Windows Firewall: Allow ICMP exceptions.

  2. Click Enabled.

    Figure 15   Windows Firewall: Allow ICMP exceptions Properties

  3. Select the appropriate ICMP exception(s) to enable. This example selects Allow inbound echo request.

  4. Click OK to close Windows Firewall: Allow ICMP exceptions Properties.

Logging Dropped Packets and Successful Connections

To log dropped packets and successful connections

  1. In either the Domain or Standard Profile settings area, double-click Windows Firewall: Allow Logging.

    Figure 16   Windows Firewall: Allow logging Properties

  2. Click Enabled, select Log dropped packets and Log successful connections, type a log file path and name, and then click OK.

    Note: The location that you save your log file to must be secured to prevent deletion or any tampering with the log.

  3. Close Group Policy Editor.

  4. If prompted to save console settings, click No.

Applying Configuration with GPUpdate

The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.

To refresh Group Policy between standard cycles, use the GPUpdate utility.

Running GPUpdate

To run GPUpdate

  1. From the Windows XP desktop, click Start, and then click Run.

  2. In the Open box, type cmd, and then click OK.

    Note: For a complete description of the available options when using GPUpdate, see the following:

  3. At the command prompt, type GPUpdate, and then press ENTER.

    Figure 17   GPUpdate on a command line

  4. To close the command prompt, type Exit and press ENTER.

Verifying Windows Firewall Settings Are Applied

Note: When you use Group Policy to configure Windows Firewall, the settings might not allow local administrators to change some elements of the configuration. Some tabs and options in the Windows Firewall dialog box are unavailable on users' local computers.

To verify Windows Firewall settings are applied

  1. From SecurityCenter, under Manage security settings for, click Windows Firewall.

  2. Click the General, Exceptions, and Advanced tabs, and verify that the desired configuration is applied to Windows Firewall on the computer and then click OK to close Windows Firewall.

    Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:

Configuring Internet Explorer Security Settings

For Windows XP SP2, you can manage all Internet Explorer security settings for both computer and user configurations with new Group Policy settings.

Windows XP SP2 uses two primary areas of policy settings:

  • Security Features

  • URL Actions

Security Features policy settings allow you to manage specific scenarios that might affect the security of Internet Explorer. In most cases, you will want to prevent a specific behavior, so you must ensure that the security feature is enabled. For example, malicious code running in the Local Machine zone instead of the Internet zone could attempt to elevate its own permissions. To help prevent such attacks, you can use the Protection from Zone Elevation policy setting.

For each of the Security Features policy settings, you can specify policy settings that control the behavior of the security features, by:

  • Internet Explorer processes

  • A list of defined processes

  • All processes regardless of where they are initiated from

A Uniform Resource Locator (URL) Action refers to an action that a browser can take that might pose a security risk to the local computer, such as an attempt to run a Java applet or an ActiveX control. URL Actions correspond to security settings in the registry that identify the action to take for that feature in the security zone where the URL resides. URL Action settings include enable, disable, prompt, and others as appropriate.

To provide security management of URL Actions in Internet Explorer, you use the new Security Page Group Policy settings under Internet Control Panel. By using Group Policy to control security for URL Actions, you can create standard Internet Explorer configurations for all users and computers in your organization.

To provide security, you can enable policies for all URL zones with the security zone template policy settings. For each of the URL Action template policy settings, you can specify one of the following security levels:

  • Low. This is typically used for URL security zones that contain Web sites that are fully trusted by the user. This is the default security level for the Trusted Sites zone.

  • Medium-low. This might be used for URL security zones that contain Web sites that are unlikely to cause damage to your computer or data. This is the default security level for the Intranet zone.

  • Medium. This might be used for URL security zones that contain Web sites that are neither trusted nor untrusted. This is the default security level for the Internet zone.

  • High. This is used for URL security zones that contain Web sites that could potentially cause damage to users’ computers or data. This is the default security level for the Restricted Sites zone.

For more information about Security Features controls, see the following:

Requirements to perform this task

  • Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.

  • Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.

Configuring Internet Explorer Security Settings

To configure Internet Explorer settings

  1. From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Available Standalone Snap-ins list, locate and then click Group Policy Object Editor, and click Add.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.

  7. Click Close to exit the Add Standalone Snap-in dialog box, and then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.

  8. In the console tree, open Computer Configuration, Administrative Templates, Windows Components, Internet Explorer, and then Security Features.


    Figure 18   Internet Explorer Group Policy security settings

  9. Use the information in table 3 to configure the Internet Explorer Security settings.

    Table 3   Internet Explorer Security Features settings

    | Setting | Description | Default Configuration | Recommended Configuration for an Enterprise Environment |
    |---|---|---|---|
    | Binary Behavior Security Restriction Policy | Controls whether the Binary Behavior Security Restriction setting is prevented or allowed | Not configured | Add any approved behaviors for your organization to the Admin-Approved behaviors list in the #package#behavior notation |
    | MK Protocol Security Restriction | Reduces attack surface area by preventing the MK protocol | Not configured | Enabled for all processes |
    | Local Machine Zone Lockdown Security | Helps to mitigate attacks that use the Local Machine zone to load malicious HTML code | Not configured | Enabled for all processes |
    | Consistent MIME Handling | Determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent | Not configured | Enabled for all processes |
    | MIME Sniffing Safety Feature | Determines whether Internet Explorer MIME sniffing prevents promotion of a file of one type to a more dangerous file type | Not configured | Enabled for all processes |
    | Object Caching Protection | Defines whether a reference to an object is accessible when the user navigates within the same domain or to a new domain | Not configured | Enabled for all processes |
    | Scripted Windows Security Restrictions | Restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other title and status bars | Not configured | Enabled for all processes |
    | Protection from Zone Elevation | Helps protect the Local Machine security zone | Not configured | Enabled for all processes |
    | Information Bar | Manages whether the Information Bar is displayed for Internet Explorer processes when file or code installs are restricted | Not configured | Enabled for all processes |
    | Restrict ActiveX Install | Allows you to block ActiveX control installation prompts for Internet Explorer processes | Not configured | Enabled for all processes |
    | Restrict File Download | Allows you to block file download prompts that are not user initiated | Not configured | Enabled for all processes |
    | Add-on Management | Allows you to ensure that any Internet Explorer add-ons that are not listed in the Add-on List policy setting are denied | Not configured | Enabled for all add-ons unless specifically allowed in the add-on list |
    | Network Protocol Lockdown | Specifies a restricted protocol list for the Internet, intranet, trusted sites, restricted sites, and Local Machine security zones | Not configured | Enable specific protocols for each security zone |

  10. Expand Internet Control Panel.


    Figure 19   Internet Control Panel settings

  11. Enable each setting to prevent users from gaining access to the listed Internet Explorer configuration pages. To do this, double-click each setting, click Enabled, and then click OK.

  12. Expand Security Page.


    Figure 20   Internet Control Panel Security Page settings

  13. There are two ways to configure security zones: you can use zone templates, or you can choose each setting per zone. Either:

    • Use the information in table 4 to configure each security zone with the zone templates. Double-click each template option, and then click Enabled.

      Or

    • Use the information in table 5 to configure each security zone separately.

      Table 4   Internet Control Panel settings per-Security Zone

      | Setting | Recommended Configuration | Recommended Level |
      |---|---|---|
      | Internet Zone Template | Enabled | Medium |
      | Intranet Zone Template | Enabled | Medium-Low |
      | Trusted Sites Zone Template | Enabled | Low |
      | Restricted Sites Zone Template | Enabled | High |
      | Local Machine Zone Template | Enabled | Low |
      | Locked-Down Local Machine Zone Template | Enabled | High |

      Table 5   Internet Control Panel settings per-Security Zone

      | Setting | Description | Default Configuration |
      |---|---|---|
      | Download signed ActiveX controls | Manages the download of signed ActiveX controls from the URL zone of the HTML page that contains the control. | Not configured |
      | Download unsigned ActiveX controls | Manages the download of unsigned ActiveX controls from the URL zone of the HTML page that contains the control. | Not configured |
      | Initialize and script ActiveX controls not marked as safe | Determines if the ActiveX control object safety is overridden or enforced for pages in the URL security zone. Object safety should be overridden only if all ActiveX controls and scripts that might interact with them on pages in the zone can be trusted not to breach security. This is an aggregate of URLACTION_ACTIVEX_OVERRIDE_DATA_SAFETY and URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY. | Not configured |
      | Run ActiveX controls and plug-ins | Manages the execution of ActiveX controls and plug-ins from HTML pages in the zone. | Not configured |
      | Allow active scripting | Determines if script code on the pages in the URL security zone is run or not. | Not configured |
      | Scripting of Java applets | Determines whether or not script code on HTML pages in the URL security zone is allowed to use Java applets if the properties, methods, and events of the applet are exposed to scripts. | Not configured |
      | Script ActiveX controls marked safe for scripting | Determines if scripts can be used for safe ActiveX controls. | Not configured |
      | Access data sources across domains | Determines if the resource is allowed to access data sources across domains. | Not configured |
      | Allow paste operations via script | Determines if scripts can do paste operations. | Not configured |
      | Submit non-encrypted form data | Determines if HTML forms on pages in the URL security zone, or submitted to servers in the zone, are allowed. Aggregate of the URLACTION_HTML_SUBMIT_FORMS_FROM and URLACTION_HTML_SUBMIT_FORMS_TO flags. | Not configured |
      | Allow font downloads | Determines if HTML font downloads are allowed. | Not configured |
      | User data persistence | Determines if user data persistence is enabled. | Not configured |
      | Navigate sub-frames across different domains | Determines if subframes are allowed to navigate across different domains. | Not configured |

Applying Configuration with GPUpdate

The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers through the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of plus or minus 30 minutes.

To refresh Group Policy between standard cycles, use the GPUpdate utility.

Running GPUpdate

To run GPUpdate

  1. From the Windows XP desktop, click Start, and then click Run.

  2. In the Open box, type cmd, and then click OK.

    Note: For a complete description of the available options when using GPUpdate, see the following:

  3. At the command prompt, type GPUpdate, and then press ENTER.


    Figure 21   GPUpdate on a command line

  4. To close the command prompt, type Exit and press ENTER.

Verifying Internet Explorer Security Settings Are Applied

Note: When you use Group Policy to configure Internet Explorer, the settings might not allow local administrators to change some elements of the configuration. Some tabs and options in the dialog boxes are unavailable on users' local computers.

To verify Internet Explorer settings are applied

  1. From Security Center, under Manage security settings for, click Internet Options.

  2. Click the Security, Privacy, and Advanced tabs, and verify that the desired configuration is applied to Internet Explorer on the computer and then click OK to close Internet Properties.

    Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
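As an added example that is not part of this article, the following PowerShell script performs the same check from the command line on the client, reading the policy keys that the Table 3 "Enabled for all processes" recommendations set; the registry location and the FEATURE_* key names are assumptions drawn from the Internet Explorer feature-control documentation rather than from this article.

```powershell
# Added example (not from the TechNet article): after GPUpdate, audit whether the
# Internet Explorer Security Features that Table 3 recommends as "Enabled for all
# processes" are actually in effect on this Windows XP SP2 client.
# Assumptions, taken from the IE FeatureControl documentation rather than this article:
#  - each policy writes a REG_DWORD named "*" with value 1 under
#    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\<FEATURE_KEY>
#  - the Table 3 setting name to FEATURE_KEY mapping in $Features below.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl'

# Table 3 rows whose recommended configuration is "Enabled for all processes".
$Features = @(
    @{ Setting = 'MK Protocol Security Restriction';       Key = 'FEATURE_DISABLE_MK_PROTOCOL' },
    @{ Setting = 'Local Machine Zone Lockdown Security';   Key = 'FEATURE_LOCALMACHINE_LOCKDOWN' },
    @{ Setting = 'Consistent MIME Handling';               Key = 'FEATURE_MIME_HANDLING' },
    @{ Setting = 'MIME Sniffing Safety Feature';           Key = 'FEATURE_MIME_SNIFFING' },
    @{ Setting = 'Object Caching Protection';              Key = 'FEATURE_OBJECT_CACHING' },
    @{ Setting = 'Scripted Windows Security Restrictions'; Key = 'FEATURE_WINDOW_RESTRICTIONS' },
    @{ Setting = 'Protection from Zone Elevation';         Key = 'FEATURE_ZONE_ELEVATION' },
    @{ Setting = 'Information Bar';                        Key = 'FEATURE_SECURITYBAND' },
    @{ Setting = 'Restrict ActiveX Install';               Key = 'FEATURE_RESTRICT_ACTIVEXINSTALL' },
    @{ Setting = 'Restrict File Download';                 Key = 'FEATURE_RESTRICT_FILEDOWNLOAD' }
)

function Get-FeatureControlState {
    param([string]$FeatureKey)
    # Get-Item returns a RegistryKey, and GetValue('*') reads the value literally
    # named "*"; Get-ItemProperty -Name '*' would expand it as a wildcard instead.
    $key = Get-Item -LiteralPath (Join-Path $PolicyRoot $FeatureKey) -ErrorAction SilentlyContinue
    if ($key -eq $null) { return 'Not configured' }
    if ($key.GetValue('*') -eq 1) { return 'Enabled for all processes' }
    # No "*" entry: the policy may have been scoped to a process list instead.
    $processes = @($key.GetValueNames() | Where-Object { $key.GetValue($_) -eq 1 })
    if ($processes.Count -gt 0) { return "Enabled only for: $($processes -join ', ')" }
    return 'Configured but not enabled'
}

$results = foreach ($f in $Features) {
    New-Object PSObject -Property @{ Setting = $f.Setting; State = (Get-FeatureControlState $f.Key) }
}
$results | Format-Table Setting, State -AutoSize

# Non-zero exit so the check can be run from a logon script or a monitoring job.
$gaps = @($results | Where-Object { $_.State -ne 'Enabled for all processes' })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) of $($Features.Count) Table 3 settings are not enabled for all processes; troubleshoot Group Policy application."
    exit 1
}
```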

Configuring Internet Communication Management Settings

Windows XP SP2 provides new Group Policy settings that are designed primarily to control the way in which components in Windows XP SP2 communicate with the Internet. These Group Policy settings allow you to manage the ability to:

  • Order picture prints online

  • Use online storage space

  • Publish to the Web

In Windows XP SP2, users can click tasks in Windows Explorer to order picture prints online (Online Print Wizard), sign up for a service that offers online storage space (Add Network Place Wizard), or publish files that can be viewed in a browser (Web Publishing Wizard) as well as other tasks. The task or wizard obtains the names and URLs of these service providers from two sources: a list stored locally (in the registry) and a list stored on a Microsoft Web site. By default, Windows displays providers from a list on the Microsoft Web site in addition to providers listed in the registry.

You can use the following Group Policy settings to control the way in which these wizards and tasks work and to control the way in which these components communicate with the Internet:

  • Turn off the "Publish to Web" task for files and folders. This policy setting specifies whether the tasks needed to publish items to the Web are available from File and Folder Tasks in Windows folders. The tasks include Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web.

  • Turn off Internet download for Web publishing and online ordering wizards. This policy setting specifies whether Windows should download a list of providers for the Web Publishing Wizard, the Add Network Place Wizard, and the Online Print Wizard. By default, Windows displays providers downloaded from a Windows Web site in addition to providers specified in the registry.

  • Turn off the "Order Prints" picture task. This policy setting specifies whether the Order Prints Online task is available from Picture Tasks in Windows folders. This setting disables the Online Print Ordering Wizard.

These policy settings are available for both User and Computer Configuration.

For more information about how to control the use of the Add Network Place Wizard and the Web Publishing Wizard, see the following:

Requirements to perform this task

  • Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.

  • Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.

Configuring Internet Communication Management Settings

To configure Internet Communication Management settings

  1. From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Available Standalone Snap-ins list, locate and then click Group Policy Object Editor, and click Add.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.

  7. Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.

  8. In the console tree, open Computer Configuration, Administrative Templates, System, and then Internet Communication Management.


    Figure 22   Internet Communication Management settings

  9. Configure the Restrict Internet communication setting to Disabled to disable all settings under Internet Communication settings, or Enabled to enable all settings under Internet Communication settings.

  10. To configure each setting individually, expand Internet Communication settings, and then use table 6 to configure the settings.

    Table 6   Recommended Internet Communication settings

    | Setting | Description | Recommended Setting |
    |---|---|---|
    | Turn off the Publish to Web task for files and folders | Specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders | Enabled |
    | Turn off Internet download for Web publishing and online ordering wizards | Controls whether Windows downloads a list of providers for the Publish to the Web and Order Online wizards | Enabled |
    | Turn off the Windows Messenger Customer Experience Improvement Program | Specifies whether Windows Messenger collects anonymous information about how the Windows Messenger software and service is used | Enabled |
    | Turn off Search Companion content file updates | Specifies whether Search Companion should automatically download content updates during local and Internet searches | Enabled |
    | Turn off printing over HTTP | Allows you to disable printing over HTTP from this client | Enabled |
    | Turn off downloading of print drivers over HTTP | Controls whether the computer can download print driver packages over HTTP | Enabled |
    | Turn off Windows Update device driver searching | Specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present | Disabled |

    Note: Table 6 includes all the recommended settings for Internet Communication.

Applying Configuration with GPUpdate

The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers through the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of plus or minus 30 minutes.

To refresh Group Policy between standard cycles, use the GPUpdate utility.

Running GPUpdate

To run GPUpdate

  1. From the Windows XP desktop, click Start, and then click Run.

  2. In the Open box, type cmd, and then click OK.

    Note: For a complete description of the available options when using GPUpdate, see the following:

  3. At the command prompt, type GPUpdate, and then press ENTER.


    Figure 23   GPUpdate on a command line

  4. To close the command prompt, type Exit and press ENTER.

Verifying Internet Communication Management Settings Are Applied

To verify Internet Communication Management settings are applied

  1. Click Start, and then click My Pictures.

  2. Verify under Picture Tasks that Order prints online does not appear.

  3. Verify under File and Folder Tasks that Publish this folder to the Web does not appear.

  4. Close My Pictures.

    Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:

Configuring DCOM Access Settings

The Microsoft Component Object Model (COM) is a system for creating software applications that can interact. DCOM allows these applications to be distributed across locations. The DCOM wire protocol transparently provides support for communication between COM components.

Note: For more information on DCOM security, see the following:

Many COM applications include some security-specific code but use weak settings, often allowing unauthenticated access between components. In Windows XP SP2, COM has been changed to provide computer-wide access controls that govern all call, activation, and launch requests on the computer. Windows XP SP2 provides a minimum authorization standard that must be passed to access any COM server on the computer.

Note: For more information on COM fixes in Windows XP SP2, see the following:

Computer-wide access control lists (ACLs) are checked on each DCOM request. If the check fails, the request is denied. There is a computer-wide ACL for:

  • Launch and activation permissions. These control authorization to start a COM server during COM activation if the server is not already running and have four access rights:

    • Local Launch

    • Remote Launch

    • Local Activate

    • Remote Activate

  • Access permissions. These control authorization to call a running COM server and have two access rights:

    • Local Calls

    • Remote Calls

Note: A local COM message arrives by way of the Local Call, while a remote COM message arrives by way of a Remote Call.

The permissions can be configured through the Component Services Microsoft Management Console (MMC) snap-in and provide a minimum security standard that must be passed, regardless of the settings of the specific COM server application.

Note: By default, Windows Firewall blocks this MMC snap-in on a computer running Windows XP SP2; if you receive a security alert to this effect, click Unblock.

The default Windows XP SP2 computer restriction settings appear in table 7.

Table 7   Default DCOM access control restrictions

| Permission | Administrator | Everyone | Anonymous |
|---|---|---|---|
| Launch and Activation | Local Launch, Local Activate, Remote Launch, Remote Activate | Local Launch, Local Activate | No permissions set |
| Access | No permissions set | Local Call, Remote Call | Local Call |

The default settings enable all local scenarios to work without modification to the software or the operating system. The defaults also enable most COM client scenarios and disable remote activation of installed COM servers by non-administrators.

If you implement a COM server and expect to support remote activation by a non-administrative COM client or remote unauthenticated calls, then you must change the default configuration for this feature.

Note: Although this document explains how to modify the default settings, if you do so you might increase the vulnerability of your computer to attack.

Requirements to perform this task

  • Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.

  • Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.

Configuring DCOM Settings

To configure DCOM settings

  1. From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Available Standalone Snap-ins list, locate and then click Group Policy Object Editor, and click Add.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.

  7. Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.

  8. In the console tree, open Computer Configuration, Windows Settings, Security Settings, Local Policies, and then Security Options.


    Figure 24   Security Options

  9. Double-click DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax.

    Note: For more information on SDDL, see the following:

    Figure 25   DCOM: Machine Access Restrictions

  10. Click Edit Security.

    Figure 26   Access Permissions

  11. To grant access to all of your computers for particular users of DCOM applications in the enterprise, click Add.

    Figure 27   Select Users, Computers, or Groups

  12. Type the user's name, and then click OK.

  13. Click OK to close the Access Permission dialog box and then click OK to close the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax box.

  14. Double-click DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax, and then click Edit Security. To grant launch or activation permissions to all of your computers for particular users of DCOM applications in the enterprise, click Add.

  15. Type the user's name, and then click OK.

  16. Click OK to close the Access Permission dialog box and then click OK to close the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax box.

  17. Close the console.

Applying Configuration with GPUpdate

The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers through the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of plus or minus 30 minutes.

To refresh Group Policy between standard cycles, use the GPUpdate utility.

Running GPUpdate

To run GPUpdate

  1. From the Windows XP desktop, click Start, and then click Run.

  2. In the Open box, type cmd, and then click OK.

    Note: For a complete description of the available options when using GPUpdate, see the following:

  3. At the command prompt, type GPUpdate, and then press ENTER.


    Figure 28   GPUpdate on a command line

  4. To close the command prompt, type Exit and press ENTER.

Verifying DCOM Security Settings Are Applied

To verify DCOM settings are applied

  1. Click Start and then click Control Panel.

  2. Click Performance and Maintenance.

  3. Under or pick a Control Panel icon, click Administrative Tools.

  4. In Administrative Tools, double-click Component Services.

  5. In the Component Services console, double-click Component Services, double-click Computers, right-click My Computer, and then click Properties.

  6. On the COM Security tab, click both Edit Defaults buttons, verify that the desired DCOM configuration is applied, and then click OK to close COM Security.

  7. Close Component Services and then close Administrative tools.

  8. Close the Control Panel.

    Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
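The following PowerShell script is an added example, not part of this article: it reads the two DCOM restriction policies configured above, decodes their SDDL into the Table 7 permission names, and flags the grants the earlier note warns about (remote launch or activation for non-administrators, remote calls for unauthenticated clients). The registry value names and the COM_RIGHTS_* bit values are assumptions taken from the DCOM documentation, and the fallback SDDL strings are constructed from Table 7.

```powershell
# Added example (not from the TechNet article): decode the machine-wide DCOM
# restriction descriptors behind the two "DCOM: Machine ... Restrictions in SDDL
# syntax" policies, render each ACE in the Table 7 permission names, and flag
# grants the article warns about: remote launch/activation for non-administrators
# and remote calls for unauthenticated (ANONYMOUS LOGON) clients.
# Assumptions not stated in the article: the policies are stored as REG_SZ values
# MachineAccessRestriction and MachineLaunchRestriction under
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM, and the access-mask bits are the
# COM_RIGHTS_* values from the COM security documentation. The two fallback SDDL
# strings are constructed from Table 7 and are used only when no policy value exists.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'

# Access-mask bit to Table 7 permission name, per descriptor type.
$AccessRights = @(
    @{ Mask = 0x2;  Name = 'Local Call'  },   # COM_RIGHTS_EXECUTE_LOCAL
    @{ Mask = 0x4;  Name = 'Remote Call' }    # COM_RIGHTS_EXECUTE_REMOTE
)
$LaunchRights = @(
    @{ Mask = 0x2;  Name = 'Local Launch'    },   # COM_RIGHTS_EXECUTE_LOCAL
    @{ Mask = 0x4;  Name = 'Remote Launch'   },   # COM_RIGHTS_EXECUTE_REMOTE
    @{ Mask = 0x8;  Name = 'Local Activate'  },   # COM_RIGHTS_ACTIVATE_LOCAL
    @{ Mask = 0x10; Name = 'Remote Activate' }    # COM_RIGHTS_ACTIVATE_REMOTE
)

function Read-DcomRestriction {
    param([string]$ValueName, [string]$Fallback)
    $key = Get-Item -LiteralPath $PolicyKey -ErrorAction SilentlyContinue
    $sddl = $null
    if ($key -ne $null) { $sddl = $key.GetValue($ValueName) }
    if (-not $sddl) {
        Write-Warning "$ValueName is not set by policy; decoding the constructed Table 7 default instead."
        $sddl = $Fallback
    }
    return $sddl
}

function ConvertFrom-DcomSddl {
    param([string]$Sddl, [object[]]$RightNames)
    # .NET parses the SDDL rights letters (CC=0x1, DC=0x2, LC=0x4, SW=0x8, RP=0x10) into ACEs.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # leave unresolvable SIDs as-is
        $granted = @($RightNames | Where-Object { ($ace.AccessMask -band $_.Mask) -ne 0 } | ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            Trustee = $who
            Sid     = $sid.Value
            Type    = $ace.AceType
            Rights  = ($granted -join ', ')
            Remote  = [bool]($granted -like 'Remote*')
        }
    }
}

$accessSddl = Read-DcomRestriction 'MachineAccessRestriction' 'O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)'
$launchSddl = Read-DcomRestriction 'MachineLaunchRestriction' 'O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)'
$access = @(ConvertFrom-DcomSddl $accessSddl $AccessRights)
$launch = @(ConvertFrom-DcomSddl $launchSddl $LaunchRights)

"Access Permissions ($accessSddl)"
$access | Format-Table Trustee, Type, Rights -AutoSize
"Launch and Activation Permissions ($launchSddl)"
$launch | Format-Table Trustee, Type, Rights -AutoSize

# Findings in the sense of the article's note: widening the defaults increases exposure.
$adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$anonSid  = 'S-1-5-7'        # NT AUTHORITY\ANONYMOUS LOGON
$findings = @()
$findings += @($launch | Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Remote -and $_.Sid -ne $adminSid } |
    ForEach-Object { "remote launch/activation granted to $($_.Trustee): $($_.Rights)" })
$findings += @($access | Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Remote -and $_.Sid -eq $anonSid } |
    ForEach-Object { "remote calls granted to unauthenticated clients ($($_.Trustee))" })
if ($findings.Count -eq 0) { 'No remote grants beyond the Table 7 defaults.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it after GPUpdate on the client; with the constructed defaults it reports no findings, and any ACE added in steps 11 to 16 that grants remote rights to a broad principal appears as a warning.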

Configuring RPC Settings

Windows XP SP2 includes changes to the RPC service that are designed to help make RPC interfaces secure by default and reduce the attack surface of Windows XP. Two new policy settings have been added:

  • Restrictions for Unauthenticated RPC clients. This policy setting allows you to modify the behavior of all RPC interfaces on the system and, by default, eliminates remote anonymous access to RPC interfaces on the system, with some exceptions.

  • RPC Endpoint Mapper Client Authentication. This policy setting allows you to direct RPC clients that must communicate with the Endpoint Mapper Service to authenticate, provided that the RPC call for which the endpoint needs to be resolved has authentication information.

When you require RPC calls to perform authentication, even a relatively low level of authentication can help protect an interface from attack. This is particularly useful against worms that rely on exploitable buffer overruns that can be invoked remotely over anonymous connections.

For more information on RPC security, see the following:

Requirements to perform this task

  • Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.

  • Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.

Configuring RPC Settings

When you enable the Restrictions for Unauthenticated RPC clients policy setting, you can configure RPC Runtime Unauthenticated Client to Apply with one of these options:

  • Authenticated (Default). This option allows only authenticated RPC clients to connect to RPC servers that run on the computer on which the policy setting is applied. Interfaces that have asked to be exempt from this restriction are granted an exemption. This option represents the RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (1) value.

  • Authenticated without exceptions. This option allows only authenticated RPC clients to connect to RPC servers running on the computer on which the policy setting is applied; it does not permit exceptions. If you select this option, a system cannot receive remote anonymous calls using RPC; it provides the highest level of security. This option represents the RPC_RESTRICT_REMOTE_CLIENT_HIGH (2) value.

  • None. This option allows all RPC clients to connect to RPC servers that run on the computer on which the policy is applied. If you select this option, the system bypasses the new RPC interface restriction. This option is equivalent to the RPC behavior in previous versions of Windows. This option represents the RPC_RESTRICT_REMOTE_CLIENT_NONE (0) value.

When you enable the RPC Endpoint Mapper Client Authentication policy setting, RPC clients that must communicate with the Endpoint Mapper Service authenticate, provided that the RPC call for which the endpoint needs to be resolved has authentication information.

When you disable the RPC Endpoint Mapper Client Authentication policy setting, RPC clients that must communicate with the Endpoint Mapper Service do not authenticate. The Endpoint Mapper Service on computers running the Microsoft Windows NT 4.0 operating system cannot process authentication information supplied in this manner. This means that if you enable this setting on a client computer, that client cannot communicate with a Windows NT 4.0 server that uses RPC if endpoint resolution is needed.

To configure RPC settings

  1. From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Available Standalone Snap-ins list, locate and then click Group Policy Object Editor, and click Add.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. Select the Group Policy Object you want to configure from the list. Click OK, then click Finish to close the Group Policy Wizard.

  7. Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.

  8. In the console tree, open Computer Configuration, Administrative Templates, System, and then Remote Procedure Call.


    Figure 29   RPC settings

  9. Using the configuration information above, double-click Restrictions for Unauthenticated RPC clients, click Enabled, choose Authenticated without exceptions, and then click OK.

  10. Using the configuration information above, double-click RPC Endpoint Mapper Client Authentication, click Enabled, and then click OK.

  11. Close the Group Policy Object.

Applying Configuration with GPUpdate

The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers through the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of plus or minus 30 minutes.

To refresh Group Policy between standard cycles, use the GPUpdate utility.

Running GPUpdate

To run GPUpdate

  1. From the Windows XP desktop, click Start, and then click Run.

  2. In the Open box, type cmd, and then click OK.

    Note: For a complete description of the available options when using GPUpdate, see the following:

  3. At the command prompt, type GPUpdate, and then press ENTER.


    Figure 30   GPUpdate on a command line

  4. To close the command prompt, type Exit and press ENTER.

Verifying RPC Settings Are Applied

This procedure contains information about how to edit the registry. Before you edit the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, see the following:

To verify RPC settings are applied

  1. Click Start and then click Run.

  2. Type Regedit, and then click OK.

  3. In the Registry Editor, double-click HKEY_LOCAL_MACHINE, and then double-click SOFTWARE\Policies\Microsoft\Windows NT\Rpc.

  4. Verify that the following entries are present in the registry. The values correspond to the options chosen in steps 9 and 10 of the configuration procedure: Authenticated without exceptions is the RPC_RESTRICT_REMOTE_CLIENT_HIGH (2) value, and the enabled Endpoint Mapper client authentication policy is 1.

    EnableAuthEPResolution REG_DWORD 0x00000001

    RestrictRemoteClients REG_DWORD 0x00000002

  5. Close the Registry Editor.

    Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:

For more information about Windows XP SP2 network protection, see the following:

For more information about Windows XP SP2 security, see the following:

For definitions of security-related terms, see the following: