Securing Microsoft Windows XP Professional

By Zeb Bowden and Marc DeBonis

Version 1.3 - 062404

 

Background

 

Windows XP is the newest desktop class operating system from Microsoft Corporation.  Multiple versions of the XP operating system exist, however this document assumes you are using XP Professional; some of the suggestions in this paper may not be applicable in other XP versions. The core architecture of Windows XP is built on the proven, stable code base of Windows 2000/NT. The user interface has been revamped in XP, giving users a more 3-D experience along with other “eye candy” such as fading and new icons. On the security front, Windows XP provides some built-in features to help protect against common threats such as worms and viruses. One of the most important security related features of Windows XP is that it has a built-in firewall installed. The Windows XP operating system is designed to be more secure “out of the box”. More secure is of course a relative term and while XP does to a better job of locking down the workstation by default, it is no where close to being completely secure. This document is provided to help you tighten the security of your XP system, while maintaining system usability.

 

Why should you care about computer security?

Computer security should be the concern of every person who owns or operates a computer.  If you’re not big on ethics, or aren’t convinced, you may wish to review this link:

 

Acceptable Use of Information Systems at Virginia Tech - http://www.policies.vt.edu/acceptableuse.php

 

In particular, line two of the document states in part:

 

“…You are responsible for all activities on your userid or that originate from your system…”

 

This clause negates the argument “There is nothing on my computer anybody would want.”  If not for the data on your system they can and will use your system to break into other people’s systems.  When the trail winds its way back, somebody will come knocking on your door.  Don’t be surprised that the FBI doesn’t shed a tear when you tell them that the only copy of your term paper is on your computer and they tag-and-bag every piece of electronic equipment in your dorm room.  Strong stuff, but it happens every day.

Don’t forget the social implications of your system becoming compromised.  How long will your friends continue to read messages you send when your system spews out infected email, day after day?  Or, when the assignment you turn into the professor infects his/her system with a nasty virus?  Worked hard on that paper or your mp3 collection?  Too bad that trojan you just ran from somebody you don’t even know is deleting every single file on your machine.  Avoid all of that terrible stuff by following this guide.

 

Assumptions

  • You have a valid, legally licensed copy of Windows XP Professional
  • Windows XP Professional is the only operating system installed on your computer
  • You have administrator rights to the system
  • The computer has a clean, freshly installed system
  • You understand the basics of the Windows operating system (opening windows, right-clicking, etc.)
  • The computer is a standalone system not connected to a domain
  • The computer has Internet access and networking is set up correctly
  • You have access to a VTnet 2004 CD

 

 

Enable the Built-in Internet Connection Firewall (ICF)

Firewalls are used to provide a “protective” boundary between your computer and the Internet. Windows XP Professional conveniently has a firewall built-in called Internet Connection Firewall (ICF). Do not allow the term “firewall” to lull you into a false sense of security. Firewalls are not the ultimate solution to every security problem; rather they provide an additional layer of protection for your system.

 

1.        Log in as an Administrator

2.        Go to Start->Control Panel

3.        Click on “Network and Internet Connections”

4.        Click “Network Connections”

5.        Right click on a network connection and select “Properties”

6.        Select the “Advanced” tab

7.        Check the box next to “Protect my computer and network by limiting or preventing access to this computer form the Internet”.

8.        Press “OK”.

9.        Repeat steps 5-8 for each connection listed.

 

 

Make the File System More Secure

The next thing you need to do is make sure that your hard drive partitions are formatted with NTFS (NT File System).  This file system is more secure than the FAT or FAT32 partition schemes.

 

To check your hard drive partitions:

  1. Log in as an Administrator.
  2. Open the Start menu, right click on “My Computer” and choose explore.
  3. Right click each drive letter (except for removable drives, like A and the cdrom) and choose properties.
  4. Under the general tab, note the File system type.  If it is FAT, record that drive letter.
  5. Click cancel to close the properties window.
  6. Follow steps 1 – 5 for each drive letter, noting which ones are labeled FAT.

 

Now convert any FAT partitions on your system:

  1. Go to Start->Run
  2. Type cmd and click OK.  You should now be at a command prompt.
  3. Type “vol driveletter:” (without the quotes), where “driveletter” is each drive letter you noted above. Note the volume label  (note: not all drives have a label, if yours does have a label it will be listed in the first line of the output)
  4. Type “convert driveletter: /FS:NTFS /V” (without the quotes), where “driveletter” is each drive letter you noted above.
  5. Hit return to run the command. If prompted for a label name, enter the name you recorded in step 3, if your volume had no label just press return.
  6. Follow steps 1 – 5 for each FAT partition.  You may have to reboot the system to finish these operations.

 

 

Tighten Local Security Policies

Windows XP allows you easy access to the basic security functionality of your system.  The following suggested changes will make your system much more secure.

 

1.        Log in as an Administrator

2.        Go to Start->Programs->Administrative Tools->Local Security Policy

2.1     If you do not see the Administrative Tools folder, you will need to enable it

2.2.1      Right click the Start Menu and select properties

2.2.2            In the Taskbar and Start Menu Properties window, click customize and then click the Advanced tab

2.2.3            In the Start Menu Items box scroll down to the System Administrative Tools section, check the box to the left of Display on All Programs Menu

2.3     Restart at step 2

3         Expand Account Policies by clicking the + box

4         Select “Password Policy”

5         Double-click each policy setting to bring up a new window to make the following changes:

5.2     Enforce password history - 5 passwords remembered

5.3     Maximum password age - 0 days

5.4     Minimum password age - 1 days

5.5     Minimum password length - 8 characters

5.6     Passwords must meet complexity requirements - Enabled

5.7     Store password using reversible encryption for all users in the domain - Disabled

6         Select “Account Lockout Policy”

6.2     Account lockout duration - 30 minutes

6.3     Account lockout threshold - 5 invalid logon attempts

6.4     Reset account lockout counter after - 30 minutes

7         Expand Local Policies by clicking the + box

8         Select “Audit Policy”

8.2     Audit account logon events- Success, Failure

8.3     Audit account management- Success, Failure

8.4     Audit directory service access- No auditing

8.5     Audit logon events – Success, Failure

8.6     Audit object access – Failure

8.7     Audit policy change – Success, Failure

8.8     Audit privilege use - No auditing

8.9     Audit process tracking - No auditing

8.10  Audit system events – Success, Failure

9         Select “User Rights Assignment.”  If no change is noted, do not alter policy setting. SUPPORT_xxx refers to a built-in help and support account included with Windows XP, the xxx will be replaced with a different string of letters and numbers on your machine.

9.2     Access this computer from the network - Remove Everyone, Remove Power Users

9.3     Act as part of the operating system                

9.4     Add workstations to domain            

9.5     Adjust memory quotas for a process – Administrators, LOCAL SERVICE, NETWORK SERVICE

9.6     Allow logon through Terminal Services – Administrators, Remote Desktop Users

9.7     Back up files and directories - Backup Operators, Administrators

9.8     Bypass traverse checking - Remove Everyone, Remove Power Users

9.9     Change the system time - Remove Power Users

9.10  Create a pagefile - Administrators

9.11  Create a token object                          

9.12  Create permanent shared objects                     

9.13  Debug programs - Administrators

9.14  Deny access to this computer from the network – Guest, SUPPORT_xxx                 

9.15  Deny logon as a batch job                

9.16  Deny logon as a service                    

9.17  Deny logon locally – Guest, SUPPORT_xxx   

9.18  Deny logon through Terminal Services          

9.19  Enable computer and user accounts to be trusted for delegation                              

9.20  Force shutdown from a remote system - Administrators

9.21  Generate security audits – LOCAL SERVICE, NETWORK SERVICE

9.22  Increase scheduling priority - Administrators                               

9.23  Load and unload device drivers - Administrators

9.24  Lock pages in memory                       

9.25  Log on as a batch job          - SUPPORT_xxx  

9.26  Log on as a service – NETWORK SERVICE

9.27  Log on locally – Remove Guest, Remove Power Users

9.28  Manage auditing and security log - Administrators

9.29  Modify firmware environment values – Administrators

9.30  Perform volume maintenance tasks - Administrators

9.31  Profile single process - Remove Power Users

9.32  Profile system performance - Administrators 

9.33  Remove computer from docking station - Remove Power Users

9.34  Replace a process level token – LOCAL SERVICE, NETWORK SERVICE                               

9.35  Restore files and directories - Backup Operators, Administrators

9.36  Shut down the system - Remove Power Users

9.37  Synchronize directory service data                  

9.38  Take ownership of files or other objects – Administrators

10       Select “Security Options”

10.2  Accounts: Administrator account status - Enabled

10.3              Accounts: Guest account status - Disabled

10.4              Accounts: Limit local account use of blank passwords to console logon only - Enabled

10.5              Accounts: Rename administrator account - <something unique> (REMEMBER THIS: see next section entitled “Segment the User Account from the Administrative”

10.6              Accounts: Rename guest account - <something unique>

10.7              Audit: Audit the access of global system objects - Disabled

10.8              Audit: Audit the use of Backup and Restore privilege - Disabled

10.9              Audit: Shut down system immediately if unable to log security audits - Disabled

10.10           Devices: Allow undock without having to log on - Enabled

10.11                       Devices: Allowed to format and eject removable media - Administrators

10.12                       Devices: Prevent users from installing printer drivers - Disabled

10.13                       Devices: Restrict CD-ROM access to locally logged-on user only - Disabled

10.14                       Devices: Restrict floppy access to locally logged-on user only - Disabled

10.15                       Devices: Unsigned driver installation behavior - Warn but allow installation

10.16                       Domain controller: Allow server operators to schedule tasks - Not defined

10.17                       Domain controller: LDAP server signing requirements - Not defined

10.18                       Domain controller: Refuse machine account password changes - Not defined

10.19                       Domain member: Digitally encrypt or sign secure channel data (always) - Enabled

10.20                       Domain member: Digitally encrypt secure channel data (when possible) - Enabled

10.21                       Domain member: Digitally sign secure channel data (when possible) - Enabled

10.22                       Domain member: Disable machine account password changes - Disabled

10.23                       Domain member: Maximum machine account password age - 30 days

10.24                       Domain member: Require strong (Windows 2000 or later) session key - Enabled

10.25                       Interactive logon: Do not display last user name - Enabled

10.26                       Interactive logon: Do not require CTRL+ALT+DEL - Disabled

10.27                       Interactive logon: Message text for users attempting to log on 

10.28                       Interactive logon: Message title for users attempting to log on

10.29           Interactive logon: Number of previous logons to cache (in case domain controller is not available) - 0 logons

10.30                       Interactive logon: Prompt user to change password before expiration - 0 days

10.31           Interactive logon: Require Domain Controller authentication to unlock workstation - Disabled

10.32                       Interactive logon: Smart card removal behavior - No Action

10.33                       Microsoft network client: Digitally sign communications (always) - Disabled

10.34                       Microsoft network client: Digitally sign communications (if server agrees) - Enabled

10.35           Microsoft network client: Send unencrypted password to third-party SMB servers - Disabled

10.36           Microsoft network server: Amount of idle time required before suspending session - 15 minutes

10.37                       Microsoft network server: Digitally sign communications (always) - Disabled

10.38                       Microsoft network server: Digitally sign communications (if client agrees) - Enabled

10.39                       Microsoft network server: Disconnect clients when logon hours expire - Enabled

10.40                       Network access: Allow anonymous SID/Name translation - Disabled

10.41                       Network access: Do not allow anonymous enumeration of SAM accounts - Enabled

10.42           Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled

10.43           Network access: Do not allow storage of credentials or .NET Passports for network authentication - Enabled

10.44                       Network access: Let Everyone permissions apply to anonymous users - Disabled

10.45           Network access: Named Pipes that can be accessed anonymously – Remove all

10.46           Network access: Remotely accessible registry paths – Remove all (unless actively using remote registry)

10.47                       Network access: Shares that can be accessed anonymously - Remove all

10.48           Network access: Sharing and security model for local accounts - Guest only - local users authenticate as Guest

10.49           Network security: Do not store LAN Manager hash value on next password change - Enabled

10.50                       Network security: Force logoff when logon hours expire - Enabled

10.51           Network security: LAN Manager authentication level - Send NTLMv2 response only/refuse LM

10.52                       Network security: LDAP client signing requirements - Negotiate signing

10.53           Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - No minimum

10.54           Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - No minimum

10.55                       Recovery console: Allow automatic administrative logon - Disabled

10.56                       Recovery console: Allow floppy copy and access to all drives and all folders - Disabled

10.57                       Shutdown: Allow system to be shut down without having to log on - Enabled

10.58                       Shutdown: Clear virtual memory pagefile - Enabled

10.59           System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing - Disabled

10.60           System objects: Default owner for objects created by members of the Administrators group - Object creator

10.61                       System objects: Require case insensitivity for non-Windows subsystems - Enabled

10.62           System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) - Enabled    

11          Close the Local Policy Settings window when done.

 

Segment the User Account from the Administrative

One of the main challenges with managing an operating system is deciding how much authority to grant your normal user account.  The more authority your normal user account has, the more you can do with the system, including running malicious applications.  Take for example a trojan program you accidentally run.  If your user account can delete system files, so can the trojan.  If you can delete printers and send nasty email to the police, so can the trojan.  Accordingly, we want to segment the powerful rights we use infrequently from the common rights we use often.

 

  1. Log in as an Administrator.
  2. Go to Start->Programs->Administrative Tools-> Computer Management
  3. Open Local Users and Groups
  4. Click on the User folder
  5. Right-click the Administrator account, and choose to rename it.  Make it a non-obvious name.
  6. Right-click this renamed Administrator account and select “Set Password”, make the password hard to guess (use numbers, letters, and punctuation).  NEVER use a password that can be found in the dictionary!  DO NOT LOSE THE ADMINISTRATOR ACCOUNT NAME AND PASSWORD!
  7. Right-click the Guest account, and choose to rename it.  Make it a non-obvious name.
  8. Right-click this renamed Guest account, then select “Set Password.”  Make the password difficult to guess (use numbers, letters, and punctuation).  NEVER use a password that can be found in the dictionary!
  9. Remove the descriptions for the renamed Administrator and Guest accounts to make them more difficult to discover.
  10. Right-click the account called “HelpAssistant” and select “Properties”.
  11. Check the box next to “Account is disabled” to disable this account and select “OK”.

 

 

A note about the Guest account

 

The Guest account is disabled in Windows XP by default, which is a very good thing.  Enabling the guest account makes anonymous users guests.  If you share a folder, the default permissions are Everyone having full control.  If guest is enabled, guess what, Guest (i.e., anonymous) is included in Everyone!  You’ll soon have all kinds of fun as people find your open share and stick all kinds of terrible things on your system.  Always remove the share permissions from Everyone and add them to Authenticated Users.  This is a much safer policy.

 

Setup Normal User Accounts

 

During the installation process of Windows XP you were prompted to enter at least one username that would be created for you and you could use to manage your system. This user account was created and added as a member of the Administrators group. This is both insecure and unnecessary as you only need one administrator account. Follow the steps below to remove this account from the Administrators group and add it to the Users group so you can use this account for normal day-to-day use. Use user accounts for normal, day-to-day tasks.   DO NOT use the renamed Administrator account as your normal user account.  Logon with the renamed Administrator account to install programs, printers, create file shares, etc. and logout when you are done.

 

 

1.        Right click on the account that was created during the install of Windows XP and select “Properties”.

2.        Select the “Member Of” tab

3.        You should see “Administrators” listed in the “Member of” box, if you do not see “Administrators” then skip the rest of this section. If you do see “Administrators” then continue on to step 4.

4.        Select “Administrators” and then press the “Remove” button.

5.        Now press the “Add”  button

6.        This will pop up a “Groups” dialog box. Type “Users” in the “Enter the object names to select” box and press “OK”.

7.        Now press “OK” to close the properties box of the user. You should now login with this account for normal, day-to-day tasks.

 

Next, if you need to create more user accounts for other people to use your machine complete the following tasks.

1.        Right-click in the window with the accounts.  Select the “New User” option.

2.        Create a new user for yourself and for each person who will use the machine locally.

3.        For each new account, right click and select “Properties.”  Uncheck “User must change password at next logon.”

4.        For each new account, right click and select “Set Password.”  Make these passwords hard to guess as well.

 

Make the Local Logon Secure

By default Windows XP allows you to logon to your computer at the console simply by clicking the name of the account you wish to logon to. This is obviously insecure and should be changed.

 

  1. Log in as an Administrator
  2. Go to Start->Control Panel and open the User Accounts Control Panel
  3. Click “Change the way users log on or off”
  4. Uncheck the box next to “Use the Welcome Screen” and click “Apply Options”
  5. Close the User Accounts and the Control Panel windows.

 

 

 

Update Windows Components

The default install of Windows XP Professional is already out of date.  Microsoft and others have found problems with the XP software.  Microsoft provides three ways to update the base system.

 

1.                    Hotfixes, which fix a specific problem

2.                    Service Packs, which are collections of hotfixes

3.                    Windows Update, a web based service

 

You should take advantage of all three methods to keep the system up to date.  Be aware that all three methods are time sensitive, especially hotfixes.  Hotfixes come out constantly (4 - 6 per month).  You must be proactive when checking for software updates!  Don’t just follow the instructions below and move on.  Check your system for software updates at least once per month.

 

  1. Log in as an Administrator.
  2. Go to Start->Run
  3. Type “winver” and click OK
  4. This will bring up a screen with the current version of the operating system.  It should return Version 5.1 along with a build number and service pack number in parenthesis
  5. Get a VTnet 2004 CD and stick it in the cdrom drive.  If your system needs the latest service pack, VTnet will offer to install it.  The latest Service Pack to date is SP1.  Allow VTnet 2004 to install this Service Pack, if required.
  6. Once you’ve rebooted, log back in as Administrator
  7. Run winver again (steps 2 – 3).  It should return Version 5.1 with a build number and “Service Pack 1” in parenthesis.
  8. Go to Start->All Programs->Windows Update
  9. If necessary, click YES to allow the ActiveX script to run so it can check your system
  10. At the Welcome Screen click “Scan for Updates”
  11. Once it’s done checking your system, select “Review and install updates”
  12. Click the “Install Now” button to start download
  13. Watch download progress…
  14. When finished installing, reboot system
  15. Log in as an Administrator
  16. Point your web browser to http://opensource.w2k.vt.edu/daisy.php
  17. Select the Download link and follow the instructions to download daisy
  18. Close down all other programs and run daisy.exe
  19. It will figure out what hotfixes you need for your system, download and install them automatically
  20. Wait until you get a message saying Daisy is done
  21. Reboot the machine
  22. Run the program again
  23. Check the output.txt file in the temporary directory you installed Daisy to insure everything install correctly
  24. Run this program at least once a month to make sure you have the latest hotfixes on your system

 

<