LAB 5: Securing Windows XP

 

Although Windows XP is more secure out-of-the-box than Windows 2000, you'll have to make quite a few changes to Windows XP if you want it to run securely. These recommendations are from http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx  and http://www.tweakhound.com/xp/security/page_1.htm

 

Materials Needed:

 

Activity

Step 1: Install Windows

Make sure that Windows was installed from a reliable source

  • Format each partition as an NTFS partition. If any volume is FAT-formatted, enter:

convert <partition letter>: /fs:ntfs

For example, to format partition D as an NTFS partition, enter:

convert d: /fs:ntfs


Step 2: Administer the accounts

·          Use a strong password for all administrator accounts

·          Rename the Administrator account and disable the Guest account

 

Go to Administrative Tools, then go to either Computer Management and Local Users and Groups or Domain Security Policy. Then go to Active Directory Users and Groups (depending on the particular version of Windows):

·          Rename the default Administrator account to an innocuous name, change the account description to "User account," enter a ridiculously long (up to 104 characters) and as difficult to guess a password as possible. Write the password down on the piece of paper that you keep in your personal possession, e.g., in your wallet or purse whenever you are at work. Never share this password with others and do not leave the slip of paper on which this password is written anywhere where others might see it. Use the default Administrator account, which in Windows does not lock after excessive bad logon attempts, only for emergency access.

·          Create one additional account that is a member of the Administrators group for yourself and another for each person who needs to administer your system. Create an unprivileged account for each Administrator, also. Use the unprivileged account when you are engaged in normal activities such as Web surfing, obtaining FTP access, and downloading mail. Use the “superuser” account only when you are involved in system administration duties.

·          Create a new, unprivileged account named "Administrator." Ensure that this account is in the Guest group only. Look at your logs frequently to determine whether people are trying to logon to this account, which is a decoy account designed to deflect genuine attacks against your system.

·          Leave the Guest account disabled.

·          Limit the membership in the Enterprise Admins, Schema Admins, and Administrator groups, all of which have almost unlimited power.

 

Go to Administrative Tools, then go to either Domain Security Policy or Local Security Policy (depending on the particular version of Windows 2000), then go to Security Settings:

Go to Account Policies, then Password Policy to set the following parameter values:

Enforce password history

24

Maximum password age

90 days

Minimum password age

5 days

Minimum password length

8

Passwords must meet complexity requirements

Enabled

Store passwords using reversible encryption

Yes, if there are shares

Go to Account Policies, then go to Account Lockout Policy to set the following parameters:
Account lockout duration — 480 min
Account lockout threshold — 5
Reset account lockout after — 480 min

Go to Domain Security Policy, then go to Active Directory Users and Groups or Local Security Policy, then go to Computer Management (again depending on the particular version of Windows you are running). Find the Users and Groups Container and double-click on it. For each user account, set the following Account Options:

·          User must change password at next logon.
— Ensure this is clicked whenever a new account is created to help ensure privacy of user passwords.

·          User cannot change password.
— Do not click on this.

·          Password never expires.
— Do not click on this except in the case of the default Administrator account and special accounts that have been installed for the sake of applications.

·          Account is disabled.
— Be sure to confirm that the following accounts are disabled:
Guest, accounts of employees who are no longer with your organization, accounts of employees who are on leave, and (unless your system is running an IIS web server) the IUSR_ and IWAM_ accounts. Disable these accounts by clicking on Account is Disabled for each if they are not already marked with a red "X."

Step 3: Locking down the system and data

·          Lock down access to the system drive. In general, do not assign anything more than Read-Execute permissions to Everyone, but always assign Full Control to Creator Owner and Administrators.

·          Assign Everyone Read-Execute access to c:\%systemroot% (which by default is c:\windows), c:\%systemroot%\system 32

·          Avoid sharing partitions if you do not need to do so. For each share, allow Creator Owner and Administrator to have Full Control. Remove Everyone's access (but do not assign No Access), then assign Authenticated Users the Change level of share access. To check or change share permissions, or to delete shares, go from Administrative Tools to the Distributed File System to the DFS root. Open up the tree under DFS root until you get to the share you want to get to, and then right click to Properties.

·          Turn off Simple File Sharing (Start -> Control Panel -> Folder Options (View Tab)

Step 4: Limit Services

Ensure that the bare number of services that you need are running. Disable any unnecessary services by going to Administrative Tools, then Services. Highlight the name of each unnecessary service, double click, and then under Service Status click on Stop and under Startup Type set this to Manual. The following are services that are usually not needed in Windows XP:

·          Alerter

·          ClipBook

·          Computer Browser

·          Error Reporting Service

·          FTP (not installed by default)

·          IIS Admin Service (not installed by default,  this is needed for IIS Web servers)

·          Indexing Service

·          Messenger

·          Net Logon (leave on if logging into domains)

·          NetMeeting Remote Desktop Sharing (unless NetMeeting is necessary, this also disables Remote Desktop sharing)

·          Network DDE

·          Network DDE DSDM

·          Network Provisioning Service (May be needed for Wireless Provisioning Services (WPS))

·          QoS RSVP

·          Remote Registry

·          Routing and Remote Access (leave on if you need RAS, VPN, dial-on-demand connections, or routing protocols)

·          Secondary Logon

·          Server (This disables file and printer shares from your computer)

·          SNMP (not installed by default)

·          TCP/IP NetBIOS Helper

·          Telnet (not installed by default)

·          Terminal Services

·          Universal Plug and Play Device Host

·          Windows Installer Service

·          Worldwide Web Publishing Service (this is needed for IIS Web servers)

Step 5: Limit Rights

Ensure that rights are given only as they are needed. Check User Rights by going to Administrative Tools, and then go to either Domain Security Policy or Local Security Policy (depending on the version of Windows your system runs). Next, go to Security Settings, then to Local Policies, and finally to User Rights Assignment. Double click on the User Rights Assignment container. To assign or revoke a right, double click on the right of your choice, then add or remove the right to/from the user or group of your choice. Ensure at a minimum that the Everyone group does not have any of the following rights:

      Act as part of the operating system

      Add workstations to domain

      Backup files and directories

      Create a pagefile

      Create a token object

      Debug programs

      Enable computer and user accounts to be trusted for delegation

      Force shutdown from a remote system

      Increase quotas

      Increase scheduling priority

      Load and unload device drivers

      Lock pages in memory

      Logon as a batch job

      Logon as a service

      Logon locally

      Manage auditing and security log

      Modify firmware environment variables

      Replace a process-level token

      Restore files and directories

      Shut down the system

      Take ownership of files and other objects

 

Set the following Security Options by going to Administrative Tools. Then go to either Domain Security Policy or Local Security Policy (depending on the version of Windows your system runs). Then go to Security Settings, then to Local Policies, and finally to Security Options. Double click on the Security Options container. Double click on the option of your choice to either enable or disable it.

·          Enable "Security restrictions for anonymous."

·          Enable "Clear Virtual Memory Pagefile When System Shuts Down."

·          But do not choose "Shut Down the Computer when the Security Log is Full," "Recovery Console: Allow Automatic Administrative Logon," and "Allow Server Operators to Schedule Tasks."

Step 6: Logging

·          Enable a baseline of logging. Go to Administrative Tools, then either Domain Security Policy or Local Security Policy (depending on the version of Windows 2000 your system runs), then to Security Settings, then to Local Policies, then to Audit Policy. Double click on the Audit Policy container to view the audit options. To enable any type of auditing, double click on the name and in the sheet that will appear (under Audit these Attempts) click on both Success and Failure. At a minimum enable "Audit account logon events." If you need higher levels of auditing, you may choose to enable additional types of auditing such as "Audit logon events," "Audit account management," "Audit policy change," and "Audit privilege use."

·          Set logging properties for the Security Log properly. Go to Administrative Tools, then Event Viewer. Click on Security and right click to Properties. Set Maximum Log size to about 8000K and (under When maximum log size is reached) click on "Overwrite as needed."

  • Check your system's logs regularly (daily, if possible) to determine whether your system has been attacked. If your system appears to have been attacked, contact your Division Liaison as soon as possible.

Step 7: Other

·        Remove Spyware

·        Stop using Internet Explorer (consider using Firefox as an alternative)

·        Stop using Outlook Express (consider using Thunderbird as an alternative)

·        Stop viewing HTML email / block external images

·        Stop using File Sharing Programs (P2P)

·        Use caution when using Instant Messaging

·        KEEP YOUR WINDOWS AND ALL PROGRAMS UPDATED