LAB 5: Securing Windows XP
Although Windows XP is more secure out-of-the-box than Windows 2000, you'll have to make quite a few changes to Windows XP if you want it to run securely. These recommendations are from http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx and http://www.tweakhound.com/xp/security/page_1.htm
Materials Needed:
Activity
Step 1: Install Windows |
||||||||||||
Make sure that Windows was installed from a reliable source
convert <partition letter>: /fs:ntfs For example, to format partition D as an NTFS partition, enter: convert d: /fs:ntfs
|
||||||||||||
Step 2: Administer the
accounts |
||||||||||||
·
Use a strong password for all administrator accounts ·
Rename the Administrator account and disable the Guest account Go to Administrative
Tools, then go to either Computer Management and
Local Users and Groups or Domain Security Policy. Then go to Active Directory
Users and Groups (depending on the particular version of Windows): ·
Rename the default Administrator account to an innocuous name,
change the account description to "User account," enter a
ridiculously long (up to 104 characters) and as difficult to guess a password
as possible. Write the password down on the piece of paper that you keep in
your personal possession, e.g., in your wallet or purse whenever you are at
work. Never share this password with others and do not leave the slip of
paper on which this password is written anywhere where others might see it.
Use the default Administrator account, which in Windows does not lock after
excessive bad logon attempts, only for emergency access. ·
Create one additional account that is a member of the
Administrators group for yourself and another for each person who needs to
administer your system. Create an unprivileged account for each
Administrator, also. Use the unprivileged account when you are engaged in
normal activities such as Web surfing, obtaining FTP access, and downloading
mail. Use the “superuser” account only when you are
involved in system administration duties. ·
Create a new, unprivileged account named
"Administrator." Ensure that this account is in the Guest group
only. Look at your logs frequently to determine whether people are trying to
logon to this account, which is a decoy account designed to deflect genuine
attacks against your system. ·
Leave the Guest account disabled. ·
Limit the membership in the Enterprise Admins, Schema Admins, and
Administrator groups, all of which have almost unlimited power. Go to Administrative
Tools, then go to either Domain Security Policy or Local Security Policy
(depending on the particular version of Windows 2000), then go to Security
Settings:
Go to Account
Policies, then Password Policy to set the following parameter values:
Go to Account
Policies, then go to Account Lockout Policy to set the following parameters: Go to
Domain Security Policy, then go to Active Directory Users and Groups or Local
Security Policy, then go to Computer Management (again depending on the
particular version of Windows you are running). Find the Users and Groups
Container and double-click on it. For each user account, set the following
Account Options: ·
User must change password at next logon. ·
User cannot change password. ·
Password never expires. ·
Account is disabled. |
||||||||||||
Step 3: Locking down the
system and data |
||||||||||||
·
Lock down access to the system drive. In general, do not
assign anything more than Read-Execute permissions to Everyone,
but always assign Full Control to Creator Owner and Administrators. ·
Assign Everyone Read-Execute access to c:\%systemroot%
(which by default is c:\windows), c:\%systemroot%\system 32 ·
Avoid sharing partitions if you do not need to do so.
For each share, allow Creator Owner and Administrator to have Full Control.
Remove Everyone's access (but do not assign No Access), then assign
Authenticated Users the Change level of share access. To check or change
share permissions, or to delete shares, go from Administrative Tools to the
Distributed File System to the DFS root. Open up the tree under DFS root
until you get to the share you want to get to, and then right click to
Properties. ·
Turn off Simple File Sharing (Start -> Control Panel
-> Folder Options (View Tab) |
||||||||||||
Step 4: Limit Services |
||||||||||||
Ensure
that the bare number of services that you need are running. Disable any
unnecessary services by going to Administrative Tools, then Services.
Highlight the name of each unnecessary service, double click, and then under
Service Status click on Stop and under Startup Type set this to Manual. The
following are services that are usually not needed in Windows XP: · Alerter · ClipBook · Computer Browser · Error Reporting Service · FTP (not installed by default) · IIS Admin Service (not installed by default, this is needed for IIS Web servers) · Indexing Service · Messenger · Net Logon (leave on if logging into domains) · NetMeeting Remote Desktop Sharing (unless NetMeeting is necessary, this also disables Remote Desktop sharing) · Network DDE · Network DDE DSDM · Network Provisioning Service (May be needed for Wireless Provisioning Services (WPS)) · QoS RSVP · Remote Registry · Routing and Remote Access (leave on if you need RAS, VPN, dial-on-demand connections, or routing protocols) · Secondary Logon · Server (This disables file and printer shares from your computer) · SNMP (not installed by default) · TCP/IP NetBIOS Helper · Telnet (not installed by default) · Terminal Services · Universal Plug and Play Device Host · Windows Installer Service · Worldwide Web Publishing Service (this is needed for IIS Web servers) |
||||||||||||
Step 5: Limit Rights |
||||||||||||
Ensure
that rights are given only as they are needed. Check User Rights by going to
Administrative Tools, and then go to either Domain Security Policy or Local
Security Policy (depending on the version of Windows your system runs). Next,
go to Security Settings, then to Local Policies, and finally to User Rights
Assignment. Double click on the User Rights Assignment container. To assign
or revoke a right, double click on the right of your choice, then add or
remove the right to/from the user or group of your choice. Ensure at a minimum
that the Everyone group does not have any of the following rights: —
Act as part of the operating system —
Add workstations to domain —
Backup files and directories —
Create a pagefile —
Create a token object —
Debug programs —
Enable computer and user accounts to be trusted for
delegation —
Force shutdown from a remote system —
Increase quotas —
Increase scheduling priority —
Load and unload device drivers —
Lock pages in memory —
Logon as a batch job —
Logon as a service —
Logon locally —
Manage auditing and security log —
Modify firmware environment variables —
Replace a process-level token —
Restore files and directories —
Shut down the system —
Take ownership of files and other objects Set the following
Security Options by going to Administrative Tools. Then go to either Domain
Security Policy or Local Security Policy (depending on the version of Windows
your system runs). Then go to Security Settings, then to Local Policies, and
finally to Security Options. Double click on the Security Options container.
Double click on the option of your choice to either enable or disable it. ·
Enable "Security restrictions for anonymous." ·
Enable "Clear Virtual Memory Pagefile
When System Shuts Down." ·
But do not choose "Shut Down the Computer when the
Security Log is Full," "Recovery Console: Allow Automatic
Administrative Logon," and "Allow Server Operators to Schedule
Tasks." |
||||||||||||
Step 6: Logging |
||||||||||||
·
Enable a baseline of logging. Go to Administrative
Tools, then either Domain Security Policy or Local Security Policy (depending
on the version of Windows 2000 your system runs), then to Security Settings,
then to Local Policies, then to Audit Policy. Double click on the Audit
Policy container to view the audit options. To enable any type of auditing,
double click on the name and in the sheet that will appear (under Audit these
Attempts) click on both Success and Failure. At a minimum enable "Audit
account logon events." If you need higher levels of auditing, you may
choose to enable additional types of auditing such as "Audit logon
events," "Audit account management," "Audit policy
change," and "Audit privilege use." ·
Set logging properties for the Security Log properly. Go
to Administrative Tools, then Event Viewer. Click on Security and right click
to Properties. Set Maximum Log size to about 8000K and (under When maximum
log size is reached) click on "Overwrite as needed."
|
||||||||||||
Step 7: Other |
||||||||||||
· Remove Spyware · Stop using Internet Explorer (consider using Firefox as an alternative) · Stop using Outlook Express (consider using Thunderbird as an alternative) · Stop viewing HTML email / block external images · Stop using File Sharing Programs (P2P) · Use caution when using Instant Messaging · KEEP YOUR WINDOWS AND ALL PROGRAMS UPDATED |