Chapter 5: Securing Stand-Alone Windows XP Clients

Updated: April 13, 2006

Overview

Microsoft® Windows® XP Professional–based computers that are not members of an Active Directory® directory service–based domain present some unique management challenges. This chapter discusses how to most effectively apply and manage the policy settings that are recommended in the previous chapters of this guide. The prescribed policy settings will help you ensure that stand-alone desktop and laptop computers in your organization that run Windows XP Professional are secure. The settings are applied by means of local policy, which applies to all users who log on to the client computer, including the local Administrator.

This chapter does not provide guidance for all of the available policy settings in Windows XP. However, the prescribed policy settings will provide an operating environment that is secure from most current threats and allow users to continue to use their computers. Any policy settings that you apply should be based on the security goals of your organization.

Windows XP in a Windows NT 4.0 Domain

A specific example of a Windows XP client computer in a non-Active Directory domain environment would be a Windows XP–based computer in a Microsoft Windows NT® 4.0 domain. In such an environment, the Windows XP clients are treated as stand-alone computers. There is more management overhead in this type of environment because there is not a central location from which to manage the policy settings. Microsoft recommends that you install the Windows NT 4.0–based domain controllers with Service Pack 6a (SP6a) and the most recent updates. Windows NT 4.0 SP6a contains several updates for NTLM authentication. Without these updates, Windows XP–based computers in a Windows NT 4.0–based domain may experience domain or network connectivity and communication issues. The administrator should frequently check for updates.

Windows XP Professional provides more policy settings than previous versions of Windows, which enables you to better customize user and computer settings. Several hundred new local policy settings are available in Windows XP Professional, in addition to those already available for Windows 2000 Professional. Local policy is a powerful management feature that allows you to lock down and fine tune your desktop computers. It also introduces the possibility of many different customized scenarios. Domain administrators are made members of the local Administrators group on all client computers that join the domain; therefore the Windows XP client computers will only be as secure as the domain to which they belong.

Windows XP client computers in a legacy environment use a modified version of the security templates from Chapter 3, "Security Settings for Windows XP Clients" to ensure that they can communicate with the Windows NT 4.0 domain controllers. These policy settings are applied by means of the scripts that are described at the end of this chapter.

To communicate to a Windows NT 4.0 domain controller, the following policy settings are modified under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:

  • Domain member: Require strong (Windows 2000 or later) session key – Disabled
  • Microsoft network client: Digitally sign communications (always) – Disabled

These policy settings are preconfigured in the legacy client security template files that are included with this guide.

Local Group Policy Object Settings

Each Windows XP Professional operating system has one Local Group Policy object (LGPO). The policy settings are applied to the LGPO manually with the Group Policy Object Editor or through scripts. LGPOs contain fewer policy settings than domain–based GPOs, particularly under Security Settings. LGPOs do not support Folder Redirection, Remote Installation Service, or Group Policy Software Installation when they are configured as stand-alone client computers, but you can use them to provide a secure operating environment on such computers.

The following table shows which Group Policy snap-in extensions open when the Group Policy snap-in is focused on an LGPO.

Table 5.1 Group Policy Snap-in Extensions

Group Policy snap-in extension    Available in LGPO
Software Installation             No
Scripts                           Yes
Security Settings                 Yes
Administrative Templates          Yes
Folder Redirection                No
Internet Explorer Maintenance     Yes
Remote Installation Service       No

Account Policies

Account policies include Password policy, Account Lockout policy, and Kerberos policy settings. Password policy can help secure most environments through its ability to require password complexity and frequent password changes. Account Lockout policy provides the ability to automatically disable an account after a series of unsuccessful logon attempts. Kerberos policy settings determine Kerberos-related attributes of domain user accounts, such as the Maximum lifetime for user ticket and Enforce user logon restrictions settings. However, these policy settings are not used for stand-alone client computers because they do not participate in a domain.

Typically, account policies are set at the domain level and are thereby configured for domain client computers. For stand-alone Windows XP client computers, these policy settings need to be applied locally, similar to the policy settings that are described in Chapter 2, "Configuring the Active Directory Domain Infrastructure" of this guide.

Local Policies

Local policies, under Computer Configuration\Windows Settings\Security Settings, will be applied to the client computer with the templates that are described in Chapter 3, "Security Settings for Windows XP Clients" of this guide. A combination of those templates and the ones that were created for the stand-alone client computers are used; you can automate the application of the security templates by means of scripts that you can apply to multiple computers in the environment. The next section describes the process for creating and deploying local policies.

Importing Security Templates into Windows XP

There are several different templates that you can use to configure the stand-alone client computer by means of a script; you should use a template that supports the security requirements of the client. The previous section discussed local policy settings and how the Group Policy Object Editor is used to configure them. You can use the provided templates to automate the configuration process for many client computers in either a network-connected or stand-alone environment. This section will explain the process of how to automate the configuration of security policies.

Configuration

A security template is a file that represents a security configuration. To apply security templates to a local computer, you can import them into the LGPO. The templates that were created in Chapter 3, "Security Settings for Windows XP Clients" will be used to configure the local policies. The administrator will use the Microsoft Management Console (MMC) Security Configuration and Analysis snap-in, the Security Templates snap-in, and Secedit.exe to create the account policies and merge the two security templates on the stand-alone computer.

Creating a Security Database

To automate the process of importing security settings on a stand-alone client computer, you must create a reference database to write to the local security policy. The baseline database was created with the MMC Security Configuration and Analysis snap-in. The following steps were used to create the XP Default Security.sdb database. The database used the Setup security.inf file as the template to establish the default policy settings for the stand-alone client computer.

To create a new default security database

  1. On the Start menu, click Run, type mmc, and then click OK.
  2. On the File menu, click New to create a new console.
  3. On the File menu, click Add/Remove Snap-in. Then click the Stand-alone tab in the Add/Remove snap-in properties dialog box and click Add.
  4. Select Security Configuration and Analysis, click Add, click Close, and then click OK.
  5. Right-click the Security Configuration and Analysis scope item and then click Open Database.
  6. Type a new database name (XP Default Security), and then click Open.
  7. Select a security template to import (setup security.inf), and then click Open.
  8. Right-click the Security Configuration and Analysis scope item, and then click Configure Computer Now.
  9. In the Configure System dialog box, type the name of the log file you wish to use and then click OK.

This process creates a database file with the default security settings that will be used in the automation process. Copy the security database to the same folder to which you copied the scripts and the information files. The custom scripts will be used to configure the database, which will configure the local security policy. The administrator can use similar steps to create a custom database instead of using the one that is provided with this guide.

Creating Custom Templates

You can use the MMC Security Templates snap-in to define security policy settings in the templates, which you can then apply to a local computer. The following steps were performed to create the Standalone-EC-Account.inf and Standalone-SSLF-Account.inf templates by using the policy settings from the Account Policy tables in Chapter 2, "Configuring the Active Directory Domain Infrastructure."

To create a custom template

  1. Click Start, Run, type mmc, and then click OK.
  2. On the File menu, click New to create a new console.
  3. On the File menu, click Add/Remove Snap-in. Then click the Stand-alone tab in the Add/Remove snap-in properties box and click Add.
  4. Click Security Templates, click Add, click Close, and then click OK.
  5. Open Security Templates.
  6. Select the default folder to store the new template, and then click New Template.
  7. In the Template name text box, type the name for your new security template.
  8. In the Description text box, type a description of your new security template, and then click OK.
  9. In the console tree, double-click the new security template to display the security areas and then navigate until the policy setting you want to configure displays in the details pane.
  10. In the details pane, right-click the policy setting you want to configure and then click Properties.
  11. In the Properties dialog box, select the Define this policy setting in the template check box, edit the settings, and then click OK.

After the files are created, you can find them under %windir%\security\templates. Copy the security templates to the same folder in which you created the Security database to run the scripts. These files will be used in the next phase to automate the import of the templates.

Applying the Policy

The Secedit.exe tool is useful when you need to configure security on multiple computers. You can call the Secedit.exe tool at a command prompt, from a batch file, or from the automatic task scheduler to automatically create and apply templates. You can also run it dynamically from a command prompt. The scripts that are provided with this guide use the Secedit.exe tool to merge and apply local policy to client computers.

Manually Applying the Local Policy

To apply all of the policy settings in the stand-alone security template’s .inf file that is included with this guide, use the MMC Security Configuration and Analysis snap-in instead of the Local Computer Policy snap-in. It is not possible to import the security template with the Local Computer Policy snap-in because it does not allow you to apply security policy settings for system services.

To import and apply the security template, use the Security Configuration and Analysis snap-in to complete the steps in the following procedures.

To import a security template

  1. Launch the MMC Security Configuration and Analysis snap-in.
  2. Right-click the Security Configuration and Analysis scope item.
  3. Click Open Database.
  4. Type a new database name, and then click Open.
  5. Select a security template (.inf file) to import, and then click Open.

All the policy settings in the template will be imported, after which they can be reviewed or applied.

To apply the policy settings

  1. Right-click the Security Configuration and Analysis scope item.
  2. Select Configure Computer Now.
  3. In the Configure Computer Now dialog box, type the name of the log file you wish to use, and then click OK.

You will have to import both templates for each environment. All pertinent policy settings from the security template will be applied to the client computer's local policy. The following sections describe the policy settings that are applied through local policy.

Secedit

This tool configures and analyzes system security; to do so, it compares your current configuration to at least one template. The syntax for using the Secedit.exe tool is as follows:

secedit /configure /db <FileName> [/cfg <FileName>] [/overwrite][/areas <Area1> <Area2> ...][/log <FileName>] [/quiet]

The following list explains the parameters of the Secedit.exe tool.

  • /db <FileName>. Specifies the database that is used to perform the security configuration.
  • /cfg <FileName>. Specifies a security template to import into the database before the computer is configured. Security templates are created using the Security Templates snap-in.
  • /overwrite. Specifies that the database should be emptied before the security template is imported. If this parameter is not specified, the policy settings in the security template will accumulate in the database. If this parameter is not specified and policy settings in the template you wish to import conflict with existing policy settings in the database, the settings in the template will apply.
  • /areas <Area1> <Area2>. Specifies the security areas to be applied to the system. If this parameter is not specified, all security policy settings that are defined in the database are applied to the system. To configure multiple areas, separate each area with a space. The following table shows the security areas that are supported.

    Table 5.2 Security Areas

    Area name         Description
    SECURITYPOLICY    Includes Account policies, Audit policies, event log settings, and security options.
    GROUP_MGMT        Includes Restricted Group settings.
    USER_RIGHTS       Includes user rights assignment settings.
    REGKEYS           Includes registry permissions.
    FILESTORE         Includes file system permissions.
    SERVICES          Includes system service settings.


  • /log <FileName>. Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the Scesrv.log file, which is located in the %windir%\security\logs directory.
  • /quiet. Specifies that the configuration process should occur and not prompt the user.

Automated Scripts

It is always easier to use a script to apply identical policy settings to many client computers. You can use the Secedit.exe tool described earlier in this chapter to automate the application of local policy with a simple script. Copy the script and all associated files to a subdirectory on the local hard disk, and then execute the script from the subdirectory.

You can use the following script to import security templates into the LGPO to secure the stand-alone Windows XP client computers in your environment.

Important: Be certain that the security database file XP Default Security.sdb is not marked Read Only. For the following script to function correctly it must be able to make changes to that file.

Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

REM (c) Microsoft Corporation 1997-2005
REM Script for Securing Stand-Alone Windows XP Client Computers
REM
REM Name:        Standalone-EC-Desktop.cmd
REM Version:     2.0
REM
REM This CMD file provides the proper secedit.exe syntax for importing the
REM security policy for a secure stand-alone Windows XP desktop client
REM computer. Please read the entire guide before using this CMD file.

REM Resets the Policy to Default Values
secedit.exe /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

REM Sets the Account Settings
secedit.exe /configure /db "XP Default Security.sdb" /cfg "Standalone-EC-Account.inf" /overwrite /quiet

REM Sets the Security Settings
secedit.exe /configure /db "XP Default Security.sdb" /cfg "EC-Desktop.inf"

REM Deletes the Shared Folder (one line; the registry path segments are joined with backslashes)
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{59031a47-3f72-44a7-89c5-5595fe6b30ee}" /f

REM Updates the Local Policy
gpupdate.exe /force

The following tables list the scripts and associated files that are included with this guide. For each environment, there are files for both desktop and laptop client computers.

Table 5.3 Stand-Alone Scripts and Files

Script and file names          Description
Standalone-EC-Desktop.cmd      A stand-alone script that is used to set Enterprise Client policy on desktop client computers.
Standalone-EC-Laptop.cmd       A stand-alone script that is used to set Enterprise Client policy on laptop client computers.
Standalone-SSLF-Desktop.cmd    A stand-alone script that is used to set Specialized Security – Limited Functionality policy on desktop client computers.
Standalone-SSLF-Laptop.cmd     A stand-alone script that is used to set Specialized Security – Limited Functionality policy on laptop client computers.
Standalone-EC-Account.inf      The Enterprise Client Account Policy template.
Standalone-SSLF-Account.inf    The Specialized Security – Limited Functionality Account Policy template.
EC-Desktop.inf                 The Enterprise Client Security template for desktop client computers.
EC-Laptop.inf                  The Enterprise Client Security template for laptop client computers.
SSLF-Desktop.inf               The Specialized Security – Limited Functionality template for desktop client computers.
SSLF-Laptop.inf                The Specialized Security – Limited Functionality template for laptop client computers.
XP Default Security.sdb        The default policy database.

Table 5.4 Legacy Scripts and Files

Script and file names          Description
Legacy-EC-Desktop.cmd          A legacy script that is used to set Enterprise Client policy on desktop client computers.
Legacy-EC-Laptop.cmd           A legacy script that is used to set Enterprise Client policy on laptop client computers.
Legacy-SSLF-Desktop.cmd        A legacy script that is used to set Specialized Security – Limited Functionality policy on desktop client computers.
Legacy-SSLF-Laptop.cmd         A legacy script that is used to set Specialized Security – Limited Functionality policy on laptop client computers.
Legacy-EC-Account.inf          The Legacy Enterprise Client Account Policy template.
Legacy-SSLF-Account.inf        The Legacy Specialized Security – Limited Functionality Account Policy template.
Legacy-EC-Desktop.inf          The Legacy Enterprise Client Security template for desktop client computers.
Legacy-EC-Laptop.inf           The Legacy Enterprise Client Security template for laptop client computers.
Legacy-SSLF-Desktop.inf        The Legacy Specialized Security – Limited Functionality template for desktop client computers.
Legacy-SSLF-Laptop.inf         The Legacy Specialized Security – Limited Functionality template for laptop client computers.
XP Default Security.sdb        The default policy database.

Note: Ensure the database has write privileges. It cannot be set to read-only.
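The following batch file is an added example and is not one of the scripts shipped with this guide. It generalizes the Standalone-EC-Desktop.cmd listing above to every combination in Tables 5.3 and 5.4 (Enterprise Client or SSLF, desktop or laptop, stand-alone or legacy) and adds the checks this chapter asks for: the template and database files must be present, the database must not be Read Only, and each secedit.exe step is checked for failure before the next one runs. The script name Apply-LocalPolicy.cmd, the log file naming and the final secedit /analyze verification step are my additions. For a legacy build it also reads back the two settings that the chapter relaxes for Windows NT 4.0 domains; the registry values named in that check (RequireStrongKey under Netlogon\Parameters and RequireSecuritySignature under LanmanWorkstation\Parameters) are the values behind those two Security Options policy settings and are not listed in this chapter.

```batch
@echo off
REM Apply-LocalPolicy.cmd (added example; not one of the guide's own scripts)
REM Applies the account template and the security template for one
REM environment and client type, using the file names from Tables 5.3 and 5.4.
REM Usage:  Apply-LocalPolicy.cmd EC|SSLF Desktop|Laptop [Legacy]
setlocal

if "%~2"=="" goto :usage
set "ENV=%~1"
set "TYPE=%~2"
if /i not "%ENV%"=="EC" if /i not "%ENV%"=="SSLF" goto :usage
if /i not "%TYPE%"=="Desktop" if /i not "%TYPE%"=="Laptop" goto :usage

REM Stand-alone files: Standalone-<ENV>-Account.inf and <ENV>-<TYPE>.inf
REM Legacy files:      Legacy-<ENV>-Account.inf and Legacy-<ENV>-<TYPE>.inf
set "PREFIX=Standalone"
set "TPL_PREFIX="
if /i "%~3"=="Legacy" (
    set "PREFIX=Legacy"
    set "TPL_PREFIX=Legacy-"
)

set "DB=XP Default Security.sdb"
set "ACCOUNT=%PREFIX%-%ENV%-Account.inf"
set "SECURITY=%TPL_PREFIX%%ENV%-%TYPE%.inf"
set "LOG=%~dp0Apply-%PREFIX%-%ENV%-%TYPE%.log"

REM Work from the folder that holds the scripts, templates and database
cd /d "%~dp0"

REM Every input must exist; otherwise secedit would stop part way through
for %%F in ("%DB%" "%ACCOUNT%" "%SECURITY%") do (
    if not exist "%%~F" (
        echo Missing file: %%~F
        exit /b 1
    )
)

REM The database must be writable: clear the Read Only attribute if it is set
attrib -r "%DB%"

REM 1. Reset the local policy to the installation defaults
secedit.exe /configure /cfg "%windir%\repair\secsetup.inf" /db secsetup.sdb /log "%LOG%" /quiet
if errorlevel 1 goto :fail

REM 2. Account policy: /overwrite empties the database first, so settings
REM    left in it by an earlier run cannot accumulate
secedit.exe /configure /db "%DB%" /cfg "%ACCOUNT%" /overwrite /log "%LOG%" /quiet
if errorlevel 1 goto :fail

REM 3. Security template: imported without /overwrite, so it merges with the
REM    account settings already in the database (the template wins on conflict)
secedit.exe /configure /db "%DB%" /cfg "%SECURITY%" /log "%LOG%" /quiet
if errorlevel 1 goto :fail

REM 4. Remove the shared folder entry, as the guide's script does
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{59031a47-3f72-44a7-89c5-5595fe6b30ee}" /f >nul 2>&1

REM 5. Refresh local policy
gpupdate.exe /force

REM 6. Verify: compare the running system with the database just applied.
REM    Open "%DB%" in the Security Configuration and Analysis snap-in to
REM    review the mismatches that the analysis records.
secedit.exe /analyze /db "%DB%" /log "%LOG%" /quiet

REM A legacy build must leave both relaxed settings at 0; a value of 1 would
REM prevent the client from communicating with Windows NT 4.0 domain controllers.
if /i "%PREFIX%"=="Legacy" (
    reg query "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v RequireStrongKey | find "0x0" >nul
    if errorlevel 1 echo WARNING: RequireStrongKey is not 0
    reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v RequireSecuritySignature | find "0x0" >nul
    if errorlevel 1 echo WARNING: RequireSecuritySignature is not 0
)

echo Applied %ACCOUNT% and %SECURITY%; see "%LOG%"
exit /b 0

:fail
echo secedit.exe failed; see "%LOG%"
exit /b 1

:usage
echo Usage: %~nx0 EC^|SSLF Desktop^|Laptop [Legacy]
exit /b 2
```

Run it from the folder that holds the .cmd, .inf and .sdb files, for example Apply-LocalPolicy.cmd SSLF Laptop Legacy. The order of the two imports matters: the account template is imported with /overwrite so the database starts empty, and the security template is then merged on top, which is the accumulate-on-import behaviour described under /overwrite above. All secedit output goes to one log per build so that a failed step can be traced without opening Scesrv.log.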

Summary

Windows XP local policy is a very useful way to provide consistent security policy settings to Windows XP systems that are not members of an Active Directory domain. To deploy local policy effectively, ensure that you are aware of how it can be applied, that all of your client computers are configured with the appropriate settings, and that you have defined appropriate security for each computer in your environment.

More Information

The following links provide additional information about Windows XP Professional security-related topics.
