Review: Windows XP Security Guide
The Guide includes step-by-step instructions, and unlike some Microsoft documents, it doesn't focus exclusively on the typical enterprise network and ignore standalone systems or those deployed in smaller, unmanaged environments. There are three different scenarios covered: XP in the enterprise (with a Windows 2000 or Server 2003 domain), XP in the "high security" environment" (becoming more and more common), and XP as a standalone machine or in an "unmanaged" environment. This broadens the audience considerably and makes the Guide useful to IT administrators over a large scope of organizations.
You can read the Windows XP Security Guide on the Web or download the complete document at http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx
Chapter 1: A Guide to the Guide
If you're in a hurry, as most busy admins are these days, you might want to skip over this chapter or just skim it lightly. It's basically just a "guide to guide," telling you what is going to be addressed in later chapters, explaining who the target audience is, and setting forth Microsoft's security strategies and buzzwords (for instance, the "Get Secure, Stay Secure" initiative).
This chapter does have a handy list of all the downloadable tools and templates that are included in the Guide and shows the directory structure for the folder that contains the Guide and related files after you extract the WinZip archive in which the files are downloaded to your computer from the Microsoft site.
Also included in Chapter 1 are the hardware requirements for using the Guide, but given the very modest system recommendations (300MHz processor, 128MB RAM, 800X600 video resolution), it's unlikely this will be an issue. Do note that you'll need 1.5 GB of free disk space.
If you're looking for real information about XP security, you'll probably want to move on pretty quickly.
Chapter 2: Great Info on Configuring the AD Environment
The second chapter gets you into the "meat and potatoes" of securing XP by first correctly configuring your domain infrastructure. This chapter is focused on the Active Directory environment, so if you're using XP as a standalone or in a peer-to-peer network, you won't find much here that's for you. However, if you're struggling with the best way to organize your AD structure and design OUs for maximum security, you'll find many good recommendations that will help you to apply Group Policy as seamlessly as possible.
The Guide outlines how to create an OU hierarchy that starts with a Department OU and takes into account secured XP users, as well as OUs for different types of XP client machines (desktops and laptops), which may have different security requirements. There is a good explanation here of the order in which Group Policies are applied, with tips for how and when to use the No Override and Block Policy Inheritance options.
Also covered in this chapter are security templates, best practices for managing them, and step-by-step instructions for importing them. Administrative templates are addressed separately, and there are instructions for adding an administrative template to a GPO and where to find additional administrative templates (for example, the Office Resource Kit contains administrative templates for Office programs). The Guide is still a bit out of date, though, in that it references Office XP and doesn't mention Office 2003.
In keeping with the importance of strong passwords as a first line of defense against intrusion, this chapter goes into great detail about how to best configure password policies for the enterprise and high security environments (using the domain group policy object). There is an equally comprehensive section on configuring the account lockout policy in Active Directory.
Along with the instructions, there are many tips based on real world experience, such as this one: "While configuring the value for this setting [Account lockout duration] to never automatically unlock may seem like a good idea, doing so can increase the number of calls the help desk in your organization receives to unlock accounts that were locked by mistake. Configuring the value for this setting to 30 minutes for each of the lockdown levels decreases the chance of a denial of service (DoS) attack. This setting value also gives users the chance to log on again in 30 minutes if they are locked out of their accounts, a period of time they are more likely to accept without resorting to the help desk."
At the end of the chapter, there is an overview of some of the tools included with Windows XP that can be used when working with Group Policy Objects, and instructions on using the Resultant Set of Policies (RSoP) snap-in for the MMC, and the Gpupdate and GpResult command line tools.
Chapter 3: Everything You Always Wanted to Know about Windows XP Security Settings
This chapter goes over most of the security settings that can be configured for your XP machines via Group Policy. Again we are focused on the AD domain environment. A distinction is made between settings for desktop machines and those for laptops/portables.
There are detailed step-by-step instructions on how to configure audit policies, as well as background on how auditing works and the components of auditing: SACLs, ACEs, security principals, etc.
Next, the chapter goes into the intricacies of user rights assignment settings, clearing up some issues that often confuse administrators, such as the difference between setting the value of a user right to "no one" (by enabling the setting but not adding any users or groups to it) and setting the value to "not defined" (by not enabling the setting). Each relevant user right is explained and recommendations given for four different scenarios: enterprise client desktops, enterprise client laptops, high security desktops and high security laptops.
Likewise, there are detailed instructions for configuring the Security Options settings that you can use to enable or disable access to floppy and CD drives, administrator and guest account names, logon prompts, driver installation, and so forth. This is a long section that covers a large number of settings and, once again, contains separate recommendations for each of the four scenarios mentioned above.
The next section of this chapter deals with event log security settings. There is good information here on how to calculate the optimum size of your log files based on average security events per day and your requirements for how many days or weeks of data you want to have available. Recommendations for each setting are provided in the same format as those above (four computer type scenarios).
The restricted groups and system services settings are also outlined in detail, as are additional registry settings. There is a section on manual hardening and how to disable Dr. Watson and SSDP/UPNP, as well as a section on securing the file system (with some good information on using advanced permissions).
One section of this chapter deals with configuring ICF (the Internet Connection Firewall). This information pertains to XP without SP2, so if you've updated your XP machines, you'll want to look to the appendix, where the changes wrought by SP2 (including the replacement of ICF with the Windows Firewall) are discussed.
Chapter 4: Understanding Administrative Templates at Last?
This chapter is devoted exclusively to how to use administrative templates to apply security settings. Many administrators don't really understand how these templates (.adm files) work, changing the registry to control operating system components and applications.
Included are templates for configuring more security for Windows components such as NetMeeting, Internet Explorer, terminal services, Windows Messenger, and Windows Update (there is also a discussion of Software Update Services or SUS, which is now known as Windows Update Services or WUS).
There is a long section in this chapter on using administrative templates to configure Office XP. Unfortunately, this is not the latest version of Office (although many organizations are still using it and will find the information helpful). For information on new .adm files for Office 2003 with SP1, see http://www.microsoft.com/downloads/details.aspx?FamilyID=ba8bc720-edc2-479b-b115-5abb70b3f490&displaylang=en
Also included are detailed instructions on using the administrative templates in the System category, which autoplay settings, logon settings, group policy processing settings, registry policy processing settings, remote assistance settings, and error reporting settings. The remaining sections of the chapter deal with User Configuration settings, such as those for Internet Explorer, Outlook Express, Windows Explorer and System tools (for example, how to prevent access to registry editing tools or prompt for a password upon resuming from hibernate or suspend modes).
The chapter provides one of the most detailed guides you'll find anywhere about using the administrative templates to control XP's behavior.
Chapter 5: When XP Stands Alone
If you're interested in securing your standalone XP machine, up to this point you've probably been yawning. This chapter is for you - it addresses the special problems inherent in implementing security for a computer that doesn't belong to an Active Directory domain. You'll also want to check out the Appendix, since SP2 added a lot of security settings for standalone clients. In addition to true standalone machines, XP computers in NT 4.0 domain environments are also discussed.
This chapter explains the use of the local GPO and how to apply policies using the GPO Editor or using scripts. You can access the security policy portion of the local policy via Control Panel | Administrative Tools | Local Security Policy, but to edit other portions of the local policy, you'll need to run gpedit.msc.
The next section explains how to import security templates into XP to configure a standalone client. There are step-by-step instructions for creating a security database and creating a custom template, as well as instructions for manually applying a local security policy. This chapter also covers how to use the secedit command line tool and how to use automated scripts to apply identical settings to multiple computers. This chapter will be useful to anyone who wants to secure an XP machine that is not part of an Active Directory domain.
Chapter 6: Software Restriction Policies Explained
A useful addition to Windows XP Professional is the ability to use software restriction policies to control which applications can be run on the computer. Unfortunately, many administrators don't fully understand how this feature works, and so they don't take advantage of its power. This chapter offers a good explanation of the concepts and architecture before going into the details of software restriction policy options and how to design and deploy software restrictions.
There is a thorough explanation of the four types of rules that can be used to identify software for the purpose of applying software restriction policies (hash rule, certificate rule, path rule, and zone rule). There are also step-by-step instructions, with screenshots, that show you how to create the rules. A handy table summarizes which type of rule is best for each of several common tasks.
The chapter goes "under the hood" to discuss how the behavior of a software restriction policy is determined by two different enforcement options: DLL Checking and the Skip Administrators option. Again, practical instructions are included so you know exactly how to implement each of these options as well as what they do.
Finally, there is a whole section devoted to designing a software restriction policy, with handy tips regarding factors to consider in regard to different policy decisions (for example, whether to apply the policy to a site, domain or OU). This section contains a list of best practices with vital information such as what to do if you accidentally lock down a workstation with software restriction policy during the design phase. There is a step-by-step guide that covers the entire process of designing a software restriction policy and then applying it as a Group Policy Object to the computers on your network.
Chapter 7: All Good Things Must Come to an End
This last chapter is the shortest and contains basic summary information, but it's worth checking out for the links to common questions and answers, downloads and additional information in the "More Information" section at the end.
Appendix: More Than Just an Afterthought if You've Deployed SP2
The addendum is the "what's new" in this Security Guide; it covers the changes made to Windows XP security with the installation of Service Pack 2. It starts with an overview of SP2 that is probably familiar to those administrators who have deployed it on their networks, but you might not be aware of the new administrative templates that are included with SP2 (which work only with XP systems that have SP2 applied).
New computer configuration settings for Internet Explorer, terminal services, Windows Update and System settings are discussed, as well as settings used to configure the new Windows Firewall Domain and Standard profiles (the Domain profile is used when a domain environment is detected, and the Standard profile is used if a non-domain environment is detected). XP uses Network Location Awareness (NLA) to determine the type of network to which it is connected. Also included in this appendix are discussions of new user configuration settings for Attachment Manager.
The appendix will be invaluable to administrators who have installed SP2 on their network clients, providing them with much greater control, through Group Policy, over the new Windows Firewall and other security mechanisms added to XP by SP2.
The updated Windows XP Security Guide is a "must have" for all administrators who run XP machines on their networks. It's a lengthy document, but it's well organized and unlike many of the "uber-technical" documents that Microsoft puts out, it's easy to understand and full of step-by-step instructions. It gathers together in one document most of the information you need for using the tools built into Windows (primarily Group Policy) to make XP a more secure operating system in keeping with the particular security needs of your organization.